You can configure the MongoDB Community Kubernetes Operator to use TLS certificates to encrypt traffic between:
- MongoDB hosts in a replica set, and
- Client applications and MongoDB deployments.
Before you secure MongoDB resource connections using TLS, you must:

- Create a PEM-encoded TLS certificate for the servers in the MongoDB resource using your own Certificate Authority (CA). The certificate must have one of the following:

  - A wildcard Common Name that matches the domain name of all of the replica set members:

    ```
    *.<metadata.name of the MongoDB resource>-svc.<namespace>.svc.cluster.local
    ```

  - The domain name for each of the replica set members as Subject Alternative Names (SAN):

    ```
    <metadata.name of the MongoDB resource>-0.<metadata.name of the MongoDB resource>-svc.<namespace>.svc.cluster.local
    <metadata.name of the MongoDB resource>-1.<metadata.name of the MongoDB resource>-svc.<namespace>.svc.cluster.local
    <metadata.name of the MongoDB resource>-2.<metadata.name of the MongoDB resource>-svc.<namespace>.svc.cluster.local
    ```

- Create a Kubernetes ConfigMap that contains the certificate for the CA that signed your server certificate. The key in the ConfigMap that references the certificate must be named `ca.crt`. Kubernetes configures this automatically if the certificate file is named `ca.crt`:

  ```sh
  kubectl create configmap <tls-ca-configmap-name> --from-file=ca.crt --namespace <namespace>
  ```

  For a certificate file with any other name, you must define the `ca.crt` key manually:

  ```sh
  kubectl create configmap <tls-ca-configmap-name> --from-file=ca.crt=<certificate-file-name>.crt --namespace <namespace>
  ```

- Create a Kubernetes secret that contains the server certificate and key for the members of your replica set. For a server certificate named `server.crt` and key named `server.key`:

  ```sh
  kubectl create secret tls <tls-secret-name> --cert=server.crt --key=server.key --namespace <namespace>
  ```
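The naming rules above generalize to any number of members. The following Python example is added here and is not part of the operator or its documentation: it computes the hostnames a certificate must cover for a given resource, namespace and member count, and reports which members a certificate's CN/SAN entries fail to cover, matching wildcards the way TLS clients do (one left-most label only). It assumes the default cluster DNS suffix `svc.cluster.local` shown above; the resource and namespace names in the demo are constructed placeholders. It also shows the case the list above does not: a certificate issued with explicit SANs for three members stops covering the set after a scale-out, while the wildcard form still does.

```python
"""Derive the hostnames a MongoDBCommunity replica set's TLS certificate
must cover and check a certificate's CN/SAN list against them.

Added example, not part of the operator or its docs; the resource and
namespace names in the demo are constructed placeholders."""
from __future__ import annotations


def service_domain(resource_name: str, namespace: str) -> str:
    """Domain of the headless service the operator creates for the resource."""
    return f"{resource_name}-svc.{namespace}.svc.cluster.local"


def wildcard_name(resource_name: str, namespace: str) -> str:
    """Wildcard Common Name covering every member: *.<name>-svc.<ns>.svc.cluster.local"""
    return "*." + service_domain(resource_name, namespace)


def member_hostnames(resource_name: str, namespace: str, members: int) -> list[str]:
    """Per-member names <name>-<i>.<name>-svc.<ns>.svc.cluster.local, i = 0..members-1."""
    domain = service_domain(resource_name, namespace)
    return [f"{resource_name}-{i}.{domain}" for i in range(members)]


def name_matches(pattern: str, hostname: str) -> bool:
    """Hostname matching as TLS clients do it (RFC 6125): a leading '*' covers
    exactly one left-most label, so '*.a.b' matches 'x.a.b' but not 'x.y.a.b'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, sep, tail = hostname.partition(".")
        return sep == "." and head != "" and tail == pattern[2:]
    return pattern == hostname


def uncovered_members(cert_names, resource_name: str, namespace: str, members: int) -> list[str]:
    """Member hostnames that none of the certificate's CN/SAN entries match.
    An empty list means the certificate is usable for this replica set."""
    return [host for host in member_hostnames(resource_name, namespace, members)
            if not any(name_matches(name, host) for name in cert_names)]


if __name__ == "__main__":
    # Constructed demo: a certificate issued for 3 members, reused after the
    # replica set was scaled to 5. The explicit-SAN form leaves two members
    # uncovered; the wildcard form covers all of them.
    sans = member_hostnames("example-mongodb", "default", 3)
    print("uncovered after scale-out:", uncovered_members(sans, "example-mongodb", "default", 5))
    wildcard = [wildcard_name("example-mongodb", "default")]
    print("wildcard uncovered:", uncovered_members(wildcard, "example-mongodb", "default", 5))
```

Run it before creating the `tls` secret: if `uncovered_members` returns anything, the certificate will not validate for those pods and the replica set will fail to form over TLS once `spec.security.tls.enabled` is set.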
To secure connections to MongoDB resources using TLS:

1. Add the following fields to the MongoDB resource definition:

   - `spec.security.tls.enabled`: Encrypts communications using TLS certificates between MongoDB hosts in a replica set, and between client applications and MongoDB deployments. Set to `true`.
   - `spec.security.tls.optional`: (Optional) Enables the members of the replica set to accept both TLS and non-TLS client connections. Equivalent to setting the MongoDB `net.tls.mode` setting to `preferSSL`. If omitted, defaults to `false`.

     NOTE: When you enable TLS on an existing replica set deployment:

     a. Set `spec.security.tls.optional` to `true`.
     b. Apply the configuration to Kubernetes.
     c. Upgrade your existing clients to use TLS.
     d. Remove the `spec.security.tls.optional` field.
     e. Complete the remaining steps in the procedure.

   - `spec.security.tls.certificateKeySecretRef.name`: Name of the Kubernetes secret that contains the server certificate and key that you created in the prerequisites.
   - `spec.security.tls.caConfigMapRef.name`: Name of the Kubernetes ConfigMap that contains the Certificate Authority certificate used to sign the server certificate that you created in the prerequisites.

   ```yaml
   apiVersion: mongodbcommunity.mongodb.com/v1
   kind: MongoDBCommunity
   metadata:
     name: example-mongodb
   spec:
     members: 3
     type: ReplicaSet
     version: "4.2.7"
     security:
       tls:
         enabled: true
         certificateKeySecretRef:
           name: <tls-secret-name>
         caConfigMapRef:
           name: <tls-ca-configmap-name>
   ```
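To make the field rules and the two-phase rollout in the note concrete, here is an added Python example; it is not the operator's code or documentation. It builds the manifest shown above as a dict (kubectl accepts JSON, so `json.dumps` of the result is a valid manifest), emits the transitional manifest (`optional: true`) and the final manifest (field removed) of the rollout, and lints the TLS block for the mistakes the rules imply: a missing secret or ConfigMap reference, `enabled` not `true`, or `optional` arriving as a string rather than a boolean (which happens when it is quoted in YAML). The names `example-tls-secret` and `example-tls-ca` are placeholders I constructed.

```python
"""Build and lint the spec.security.tls block of a MongoDBCommunity resource,
including the two-phase rollout for an existing replica set.

Added example, not part of the operator or its docs; the resource, secret
and ConfigMap names used in the demo are constructed placeholders."""
from __future__ import annotations

import copy
import json


def tls_manifest(name: str, secret_name: str, ca_configmap_name: str,
                 members: int = 3, version: str = "4.2.7",
                 optional: bool | None = None) -> dict:
    """Return a MongoDBCommunity manifest with TLS enabled. The `optional`
    field is only emitted when a value is given, mirroring the docs' default."""
    tls = {
        "enabled": True,
        "certificateKeySecretRef": {"name": secret_name},
        "caConfigMapRef": {"name": ca_configmap_name},
    }
    if optional is not None:
        tls["optional"] = optional
    return {
        "apiVersion": "mongodbcommunity.mongodb.com/v1",
        "kind": "MongoDBCommunity",
        "metadata": {"name": name},
        "spec": {
            "members": members,
            "type": "ReplicaSet",
            "version": version,
            "security": {"tls": tls},
        },
    }


def lint_tls_spec(manifest: dict) -> list[str]:
    """Return human-readable problems with the TLS settings (empty list = OK)."""
    problems: list[str] = []
    tls = manifest.get("spec", {}).get("security", {}).get("tls")
    if not isinstance(tls, dict):
        return ["spec.security.tls is missing"]
    if tls.get("enabled") is not True:
        problems.append("spec.security.tls.enabled must be true")
    for ref in ("certificateKeySecretRef", "caConfigMapRef"):
        ref_block = tls.get(ref)
        name = ref_block.get("name") if isinstance(ref_block, dict) else None
        if not name:
            problems.append(f"spec.security.tls.{ref}.name is required")
    if "optional" in tls and not isinstance(tls["optional"], bool):
        # A quoted "true" in YAML is a string; the operator expects a boolean.
        problems.append("spec.security.tls.optional must be a boolean")
    return problems


def rollout_phases(name: str, secret_name: str, ca_configmap_name: str, **kw) -> list[dict]:
    """Manifests for enabling TLS on an existing replica set: first accept both
    TLS and non-TLS clients (optional: true); after clients are upgraded, drop
    the field so that the default (false) refuses non-TLS connections."""
    transitional = tls_manifest(name, secret_name, ca_configmap_name, optional=True, **kw)
    final = copy.deepcopy(transitional)
    del final["spec"]["security"]["tls"]["optional"]
    return [transitional, final]


if __name__ == "__main__":
    # Constructed demo names; substitute your own secret and ConfigMap names.
    for phase in rollout_phases("example-mongodb", "example-tls-secret", "example-tls-ca"):
        assert lint_tls_spec(phase) == []
        print(json.dumps(phase, indent=2))
```

Apply the first emitted manifest, migrate clients, then apply the second; `lint_tls_spec` is the check to run on each before `kubectl apply`.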
2. Apply the configuration to Kubernetes:

   ```sh
   kubectl apply -f <example>.yaml --namespace <my-namespace>
   ```

3. From within the Kubernetes cluster, connect to the MongoDB resource.

   - If `spec.security.tls.optional` is omitted or `false`, clients must establish TLS connections to the MongoDB servers in the replica set.
   - If `spec.security.tls.optional` is `true`, clients can establish TLS or non-TLS connections to the MongoDB servers in the replica set.

   See the documentation for your connection method to learn how to establish a TLS connection to a MongoDB server.