Navigation
This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Kubernetes Operator, refer to the upgrade documentation.

Secure Internal Authentication with X.509 and TLS

This guide instructs you on how to configure:

  • X.509 internal authentication between MongoDB nodes in a cluster.
  • X.509 authentication from clients to your MongoDB instances.
  • TLS to encrypt connections between MongoDB hosts in a replica set or sharded cluster.
  • TLS to encrypt connections client applications and MongoDB deployments.

Note

You can’t secure a Standalone Instance of MongoDB in a Kubernetes cluster.

Deprecation Notice

Automatically generating TLS certificates with the Kubernetes Operator is deprecated and will be removed in a future release.

You must provide certificates from your own CA, as described in the following procedures, for production environments.

General Prerequisites

Before you secure any of your MongoDB deployments using TLS encryption, complete the following:

Enabling X.509 authentication at the project level configures all agents to use X.509 client authentication when communicating with MongoDB deployments.

X.509 client authentication requires one of the following:

  • Cloud Manager
  • Ops Manager 4.1.7 or later
  • Ops Manager 4.0.11 or later

Configure X.509 Internal Authentication for a Replica Set

Prerequisites

Before you secure your replica set using TLS encryption, complete the following:

  • Create a PEM file for each of the following components:

    PEM file purpose Save File As…
    Your custom CA ca-pem
    Each member of your replica set <metadata.name>-<X>-pem
    Your project’s Automation or MongoDB Agent mms-automation-agent-pem
    Your project’s Backup Agent (if needed) mms-backup-agent-pem
    Your project’s Monitoring Agent (if needed) mms-monitoring-agent-pem

    About the example filenames

    • Name these files the exact names provided, substituting the appropriate variables. If a filename doesn’t match, deployment errors occur.
      • Replace <metadata.name> with the value of metadata.name in your deployment resource.
      • Replace <Y> with a 0-based number for the sharded cluster.
      • Replace <X> with the member of a shard or replica set.
    • End the PEM files with -pem and not .pem. These files shouldn’t have a file extension.

Procedure

1

Configure kubectl to default to your namespace.

If you have not already, run the following command to execute all kubectl commands in the namespace you created:

kubectl config set-context $(kubectl config current-context) --namespace=<namespace>
2

Create the secret for your TLS certificates.

Run this kubectl command to create the secret that stores the replica set’s certificates:

kubectl create secret generic <metadata.name>-cert \
  --from-file=<metadata.name>-0-pem \
  --from-file=<metadata.name>-1-pem \
  --from-file=<metadata.name>-2-pem

This example covers a three-member replica set. If you have more than three members, you can add them to the certificate using the --from-file option.

3

Create the secret for your X.509 certificates.

Run this kubectl command to create the secret that stores the replica set’s certificates:

kubectl create secret generic <metadata.name>-clusterfile \
  --from-file=<metadata.name>-0-pem \
  --from-file=<metadata.name>-1-pem \
  --from-file=<metadata.name>-2-pem

This example covers a three-member replica set. If you have more than three members, you can add them to the certificate using the --from-file option.

4
5

Copy the highlighted section of this replica set resource.

Change the highlighted settings of this YAML file to match your desired replica set configuration.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: <my-replica-set>
spec:
  members: 3
  version: 4.2.2-ent
  opsManager:
    configMapRef:
      name: <configMap.metadata.name>
            # Must match metadata.name in ConfigMap file
  credentials: <mycredentials>
  type: ReplicaSet
  persistent: true
16
17
18
19
20
21
22
23
24
  security:
    tls:
      enabled: true
      ca: <custom-ca>
    authentication:
      enabled: true
      modes: ["X509"]
      internalCluster: "X509"
...
6

Paste the copied example section into your existing replica set resource.

Open your preferred text editor and paste the object specification at the end of your resource file in the spec section.

7

Configure the TLS settings for your replica set resource using a Custom Certificate Authority.

To enable TLS in your deployment, configure the following settings in your Kubernetes object:

Key Type Necessity Description Example
spec.security
boolean Optional

If this value is true, TLS is enabled on the MongoDB deployment.

By default, Kubernetes Operator requires hosts to use and accept TLS encrypted connections.

true
spec.security
string Optional If you use a custom CA and have created the secret that stores it, add the secret’s name. <custom-ca>
8

Configure the general X.509 settings for your replica set resource.

To enable TLS and X.509 in your deployment, configure the following settings in your Kubernetes object:

Key Type Necessity Description Example
spec.security
.authentication
boolean Optional If this value is true, authentication is enabled on the MongoDB deployment. true
spec.security
.authentication
array Conditional If you enabled authentication, you must set an authentication mechanism. Accepted values are X509. X509
9

Configure the internal X.509 settings for your replica set resource.

To enable TLS and X.509 in your deployment, configure the following settings in your Kubernetes object:

Key Type Necessity Description Example
spec.security
.authentication
string Conditional

If you enabled authentication, you can enable X.509 internal cluster authentication. Accepted values are X509.

Important

Once internal cluster authentication is enabled, it can not be disabled.

X509
10

Save your replica set config file.

11

Apply your changes to your replica set deployment.

Invoke the following Kubernetes command to updated your replica set:

kubectl apply -f <replica-set-conf>.yaml
12

Track the status of your deployment.

To check the status of your MongoDB Kubernetes resource, invoke the following command:

kubectl get mdb <resource-name> -o yaml -w

The -w flag means “watch”. With the “watch” flag set, the output refreshes immediately when something changes until the status phase achieves the Running state.

See Troubleshooting the Kubernetes Operator for information about the resource deployment statuses.

Configure X.509 Internal Authentication for a Sharded Cluster

Prerequisites

Before you secure your sharded cluster using TLS encryption, complete the following:

  • Create a PEM file for each of the following components:

    PEM file purpose Save File As…
    Your custom CA ca-pem
    Each shard in your sharded cluster <metadata.name>-<Y>-<X>-pem
    Each member of your config server replica set <metadata.name>-config-<X>-pem
    Each mongos <metadata.name>-mongos-<X>-pem
    Your project’s Automation or MongoDB Agent mms-automation-agent-pem
    Your project’s Backup Agent (if needed) mms-backup-agent-pem
    Your project’s Monitoring Agent (if needed) mms-monitoring-agent-pem

    About the example filenames

    • Name these files the exact names provided, substituting the appropriate variables. If a filename doesn’t match, deployment errors occur.
      • Replace <metadata.name> with the value of metadata.name in your deployment resource.
      • Replace <Y> with a 0-based number for the sharded cluster.
      • Replace <X> with the member of a shard or replica set.
    • End the PEM files with -pem and not .pem. These files shouldn’t have a file extension.

Procedure

1

Configure kubectl to default to your namespace.

If you have not already, run the following command to execute all kubectl commands in the namespace you created:

kubectl config set-context $(kubectl config current-context) --namespace=<namespace>
2

Create the secret for your Shards’ TLS certificates.

Run this kubectl command to create the secret that stores the sharded cluster shards’ certificates:

kubectl -n mongodb create secret generic <metadata.name>-0-cert \
       --from-file=<metadata.name>-0-0-pem \
       --from-file=<metadata.name>-0-1-pem \
       --from-file=<metadata.name>-0-2-pem \
       --from-file=<metadata.name>-0-3-pem \
       --from-file=<metadata.name>-0-4-pem

kubectl -n mongodb create secret generic <metadata.name>-1-cert \
       --from-file=<metadata.name>-1-0-pem \
       --from-file=<metadata.name>-1-1-pem \
       --from-file=<metadata.name>-1-2-pem \
       --from-file=<metadata.name>-1-3-pem \
       --from-file=<metadata.name>-1-4-pem

This example covers a two-shard sharded cluster with five members per shard. If you have more than two shards or five members per shard, you can add them to the certificate using the --from-file option.

3

Create the secret for your config server’s TLS certificates.

Run this kubectl command to create the secret that stores the sharded cluster config server’s certificates:

kubectl -n mongodb create secret generic <metadata.name>-config-cert \
       --from-file=<metadata.name>-config-0-pem \
       --from-file=<metadata.name>-config-1-pem \
       --from-file=<metadata.name>-config-2-pem
4

Create the secret for your mongos server’s TLS certificates.

Run this kubectl command to create the secret that stores the sharded cluster mongos certificates:

kubectl -n mongodb create secret generic <metadata.name>-mongos-cert \
       --from-file=<metadata.name>-mongos-0-pem \
       --from-file=<metadata.name>-mongos-1-pem \
       --from-file=<metadata.name>-mongos-2-pem
5

Create the secret for your Shards’ X.509 certificates.

Run this kubectl command to create the secret that stores the sharded cluster shards’ certificates:

kubectl -n mongodb create secret generic <metadata.name>-0-clusterfile \
       --from-file=<metadata.name>-0-0-pem \
       --from-file=<metadata.name>-0-1-pem \
       --from-file=<metadata.name>-0-2-pem \
       --from-file=<metadata.name>-0-3-pem \
       --from-file=<metadata.name>-0-4-pem

kubectl -n mongodb create secret generic <metadata.name>-1-clusterfile \
       --from-file=<metadata.name>-1-0-pem \
       --from-file=<metadata.name>-1-1-pem \
       --from-file=<metadata.name>-1-2-pem \
       --from-file=<metadata.name>-1-3-pem \
       --from-file=<metadata.name>-1-4-pem

This example covers a two-shard sharded cluster with five members per shard. If you have more than two shards or five members per shard, you can add them to the certificate using the --from-file option.

6

Create the secret for your config server’s X.509 certificates.

Run this kubectl command to create the secret that stores the sharded cluster config server’s certificates:

kubectl -n mongodb create secret generic <metadata.name>-config-clusterfile \
       --from-file=<metadata.name>-config-0-pem \
       --from-file=<metadata.name>-config-1-pem \
       --from-file=<metadata.name>-config-2-pem
7

Create the secret for your mongos server’s X.509 certificates.

Run this kubectl command to create the secret that stores the sharded cluster mongos certificates:

kubectl -n mongodb create secret generic <metadata.name>-mongos-clusterfile \
       --from-file=<metadata.name>-mongos-0-pem \
       --from-file=<metadata.name>-mongos-1-pem \
       --from-file=<metadata.name>-mongos-2-pem
8

Copy the highlighted section of this sharded cluster resource.

Change the highlighted settings of this YAML file to match your desired sharded cluster configuration.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: <my-sharded-cluster>
spec:
  shardCount: 2
  mongodsPerShardCount: 3
  mongosCount: 2
  configServerCount: 3
  version: 4.2.2-ent
  opsManager:
    configMapRef:
      name: <configMap.metadata.name>
            # Must match metadata.name in ConfigMap file
  credentials: <mycredentials>
  type: ShardedCluster
  persistent: true
19
20
21
22
23
24
25
26
27
  security:
    tls:
      enabled: true
      ca: <custom-ca>
    authentication:
      enabled: true
      modes: ["X509"]
      internalCluster: "X509"
...
9

Paste the copied example section into your existing sharded cluster resource.

Open your preferred text editor and paste the object specification at the end of your resource file in the spec section.

10

Configure the TLS settings for your sharded cluster resource using a Custom Certificate Authority.

To enable TLS in your deployment, configure the following settings in your Kubernetes object:

Key Type Necessity Description Example
spec.security
boolean Optional

If this value is true, TLS is enabled on the MongoDB deployment.

By default, Kubernetes Operator requires hosts to use and accept TLS encrypted connections.

true
spec.security
string Optional If you use a custom CA and have created the secret that stores it, add the secret’s name. <custom-ca>
11

Configure the general X.509 settings for your sharded cluster resource.

To enable TLS and X.509 in your deployment, configure the following settings in your Kubernetes object:

Key Type Necessity Description Example
spec.security
.authentication
boolean Optional If this value is true, authentication is enabled on the MongoDB deployment. true
spec.security
.authentication
array Conditional If you enabled authentication, you must set an authentication mechanism. Accepted values are X509. X509
12

Configure the internal X.509 settings for your sharded cluster resource.

To enable TLS and X.509 in your deployment, configure the following settings in your Kubernetes object:

Key Type Necessity Description Example
spec.security
.authentication
string Conditional

If you enabled authentication, you can enable X.509 internal cluster authentication. Accepted values are X509.

Important

Once internal cluster authentication is enabled, it can not be disabled.

X509
13

Save your sharded cluster config file.

14

Update and restart your sharded cluster deployment.

Invoke the following Kubernetes command to update and restart your sharded cluster:

kubectl apply -f <sharded-cluster-conf>.yaml
15

Track the status of your deployment.

To check the status of your MongoDB Kubernetes resource, invoke the following command:

kubectl get mdb <resource-name> -o yaml -w

The -w flag means “watch”. With the “watch” flag set, the output refreshes immediately when something changes until the status phase achieves the Running state.

See Troubleshooting the Kubernetes Operator for information about the resource deployment statuses.