Secure Application Database using TLS
The MongoDB Enterprise Kubernetes Operator can use TLS certificates to encrypt connections between members of the application database replica set.
Prerequisites
Before you secure your application database using TLS encryption, complete the following:
Deploy the Ops Manager application that you want to secure.
Create a TLS certificate for each member of the Application Database’s replica set.
These TLS certificates require two attributes:
DNS Names: Each certificate must include a SAN or Subject Name with the name of the Pod in Kubernetes. These names must resemble this format:
Key Usages: MongoDB requires the TLS certificates to include two specific key usages (RFC 5280):
- “server auth”
- “client auth”
Procedure
Verify your new TLS certificates.
Verify that each member of the replica set has one TLS certificate named with the following format: <resource-name>-db-<index>-pem, where <index> is a 0-based index running from 0 to n-1 for a replica set of n members.
Create a Secret with your new TLS certificates.
Create a new Secret from these files:
kubectl creates one Secret containing the three certificates.
Optional: Create a ConfigMap containing the Certificate Authority.
You must provide a CA certificate when the CA that signed the certificates might not be recognized as an official authority. Recognized and valid certificates can be created with cert-manager or HashiCorp Vault.
If you signed the certificates using a Kubernetes certificate management tool like cert-manager or HashiCorp Vault, you must create a ConfigMap containing the CA’s certificate file.
If you output the certificate as a file, name this file ca-pem. This simplifies creating the ConfigMap.
Warning
You must concatenate your custom CA file and the entire TLS certificate chain from downloads.mongodb.com to prevent Ops Manager from becoming inoperable if the application database restarts.
Obtain the entire TLS certificate chain from downloads.mongodb.com. The following openssl command outputs each certificate in the chain to your current working directory, in .crt format:
Concatenate your CA's certificate file with the entire TLS certificate chain from downloads.mongodb.com that you obtained in the previous step:
Create the ConfigMap:
This creates a ConfigMap named ca. This ConfigMap contains one entry called ca-pem with the contents of the CA file and the certificate chain for downloads.mongodb.com.
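The checks behind the certificate verification step and the ca-pem bundle warning above, as an added Go example that is not part of the MongoDB documentation or the Operator: CheckCert confirms that one PEM certificate chains to a CA in the bundle, carries a DNS SAN for the given host, and lists both the serverAuth and clientAuth key usages, while Issue is a constructed helper that fabricates a throwaway CA and leaf so the check runs offline. The Pod name om-db-0 and the "public CA stand-in" used in place of the real downloads.mongodb.com chain are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CheckCert checks one PEM certificate against the requirements on this page: it must chain to a CA
// in the ca-pem bundle, carry a DNS SAN for host, and list both serverAuth and clientAuth.
func CheckCert(bundlePEM, certPEM []byte, host string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("no PEM block in certificate input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	usages := map[x509.ExtKeyUsage]bool{}
	for _, u := range cert.ExtKeyUsage {
		usages[u] = true
	}
	if !usages[x509.ExtKeyUsageServerAuth] || !usages[x509.ExtKeyUsageClientAuth] {
		return errors.New("extendedKeyUsage must contain both serverAuth and clientAuth")
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundlePEM) // an empty or incomplete bundle shows up as an unknown-authority error
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // DNSName also checks the SAN
	return err
}

// Issue is a constructed demo helper: a self-signed CA when parent is nil, else a leaf signed by parent.
func Issue(cn string, dns []string, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: dns,
		ExtKeyUsage: eku, IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed: the certificate is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}
```

Run CheckCert once per <resource-name>-db-<index>-pem file against your ca-pem content, and once more with the downloads.mongodb.com leaf: if the second call fails with an unknown-authority error, the bundle is missing the concatenated chain the warning describes.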
Specify the Secret with certs in the Ops Manager YAML definition.
Note
The Kubernetes Operator mounts the CA you add using the spec.applicationDatabase.security.tls.ca setting to both the Ops Manager and the Application Database pods.
Apply changes to your Ops Manager deployment.
Invoke the following kubectl command on the filename of the Ops Manager resource definition:
Track the status of your Ops Manager instance.
To check the status of your Ops Manager resource, invoke the following command:
When Ops Manager is running, the command returns the following output under the status field:
See Troubleshooting the Kubernetes Operator for information about the resource deployment statuses.