Secure Application Database using TLS

The MongoDB Enterprise Kubernetes Operator can use TLS certificates to encrypt connections between Ops Manager and the application database.

Prerequisites

Before you secure your application database using TLS encryption, complete the following:

  • Install the Kubernetes Operator

  • Deploy the Ops Manager application that you want to secure

  • Create a TLS certificate for each member of the Application Database’s replica set.

    These TLS certificates require two attributes:

    DNS Names

    Each certificate should include a Subject Alternative Name (SAN) or Subject Name with the name of the pod in Kubernetes. These names should resemble this format:

    <opsmgr-name>-db-<index>.<opsmgr-name>-db-svc.<namespace>.svc.cluster.local
    
    Key Usages

    MongoDB requires the TLS certificates to include two specific key usages (RFC 5280, section 4.2.1.3):

    • “server auth”
    • “client auth”

Procedure

1

Configure kubectl to default to your namespace.

If you have not already, run the following command to execute all kubectl commands in the namespace you created:

kubectl config set-context $(kubectl config current-context) --namespace=<namespace>

2

Verify your new TLS certificates.

Verify that each member of the Replica Set has one TLS certificate named with the following format:

<resource-name>-db-<index>-pem

Where <index> is a 0-based index: for a replica set with n members, the members are numbered 0 through n-1.

3

Create a Secret with your new TLS certificates.

Create a new Secret from these files:

kubectl create secret generic appdb-certs \
        --from-file=om-appdb-tls-enabled-db-0-pem \
        --from-file=om-appdb-tls-enabled-db-1-pem \
        --from-file=om-appdb-tls-enabled-db-2-pem

kubectl creates one Secret containing the three certificates.
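The following script is an added example and is not part of the MongoDB documentation. It checks each member file named as in step 2 for the pod DNS name from the prerequisites and for both required key usages, so that a misissued certificate is caught before it is placed in the Secret. It assumes openssl is on PATH and that the files sit in the current directory (or the directory given as the fourth argument).

```shell
#!/bin/sh
# Added example, not MongoDB's own code: verify each member's TLS file
# (<opsmgr-name>-db-<index>-pem) before creating the appdb-certs Secret.
# Assumes openssl is on PATH; the DNS name follows the pattern
# <opsmgr-name>-db-<index>.<opsmgr-name>-db-svc.<namespace>.svc.cluster.local
# Usage: check_appdb_certs <opsmgr-name> <namespace> <members> [dir]
check_appdb_certs() {
  om="$1"; ns="$2"; members="$3"; dir="${4:-.}"
  i=0; failures=0
  while [ "$i" -lt "$members" ]; do
    f="$dir/$om-db-$i-pem"
    host="$om-db-$i.$om-db-svc.$ns.svc.cluster.local"
    txt=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || txt=""
    if [ -z "$txt" ]; then
      echo "UNREADABLE $f"
      failures=$((failures + 1))
    else
      # The pod's FQDN must appear as a SAN DNS entry or as the subject CN.
      case "$txt" in
        *"DNS:$host"*|*"CN = $host"*|*"CN=$host"*) ;;
        *) echo "BAD-NAME $f: expected $host"; failures=$((failures + 1)) ;;
      esac
      # Both "server auth" and "client auth" extended key usages are required.
      case "$txt" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "NO-SERVER-AUTH $f"; failures=$((failures + 1)) ;;
      esac
      case "$txt" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "NO-CLIENT-AUTH $f"; failures=$((failures + 1)) ;;
      esac
    fi
    i=$((i + 1))
  done
  # Exit status 0 means every member file passed; otherwise the failure count.
  return "$failures"
}
```

Run `check_appdb_certs om-appdb-tls-enabled <namespace> 3` and only proceed with the `kubectl create secret` command above when it exits 0.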

4

Create a ConfigMap containing the Certificate Authority.

If you had the certificates signed with an internal authority (like cert-manager or Vault), you must create a ConfigMap containing the CA’s Certificate file.

If you saved the certificate as a file, name this file ca-pem. This simplifies creating the ConfigMap.

kubectl create configmap appdb-ca --from-file=ca-pem

This creates a ConfigMap named appdb-ca. This ConfigMap contains one entry called ca-pem with the contents of the CA file.

5

Specify the Secret with certs to the Ops Manager yaml definition.

---
apiVersion: mongodb.com/v1
kind: MongoDBOpsManager
metadata:
  name: om-appdb-tls-enabled
spec:
  replicas: 1
  version: 4.2.6
  adminCredentials: ops-manager-admin-secret
  configuration:
    mms.fromEmailAddr: admin@example.com
    mms.security.allowCORS: "false"
  applicationDatabase:
    members: 3
    version: 4.2.2-ent
    persistent: true
    security:
      tls:
        ca: "appdb-ca" # Optional. Name of the ConfigMap
                       # containing the CA file
        secretRef:
          name: "appdb-certs" # Name of the Secret object
...

Note

The Kubernetes Operator mounts the CA you add using the spec.applicationDatabase.security.tls.ca setting to both the Ops Manager and the Application Database pods.

6

Apply changes to your Ops Manager deployment.

Invoke the following kubectl command on the filename of the Ops Manager resource definition:

kubectl apply -f <opsmgr-resource>.yaml

7

Track the status of your Ops Manager instance.

To check the status of your Ops Manager resource, invoke the following command:

kubectl get om -o yaml -w

When Ops Manager is running, the command returns the following output under the status field:

status:
  applicationDatabase:
    lastTransition: "2019-12-06T17:46:15Z"
    members: 3
    phase: Running
    type: ReplicaSet
    version: 4.2.2-ent
  opsManager:
    lastTransition: "2019-12-06T17:46:32Z"
    phase: Running
    replicas: 1
    url: https://om-appdb-tls-enabled-svc.dev.svc.cluster.local:8443
    version: 4.2.6

See Troubleshooting the Kubernetes Operator for information about the resource deployment statuses.