Is my understanding correct that we need two certificates to properly secure a MongoDB replica set for client access (assuming we use SCRAM for authentication) from outside of a cluster deployed in Kubernetes:
- One certificate is used for encrypting all traffic between replica set members
- Another certificate is used for external clients connecting into the database
All the examples I can find on the internet use the same certificate for both. As a result, the SAN field contains internal cluster names. No CA (as of approximately 2015) will issue any public certificate that secures internal domain names, which leaves me in a quandary if my assumption above is incorrect.