Docs Menu
Docs Home
/ /
/ / /

Configure Multi-Cluster Internal Auth (X.509)

This guide instructs you on how to configure:

  • X.509 internal authentication between MongoDB nodes in each cluster in your multi-Kubernetes cluster MongoDB deployments.

  • X.509 authentication from clients to your MongoDB instances.

Before you secure your multi-Kubernetes cluster MongoDB deployment using TLS encryption, complete the following tasks:

  • Follow the steps in the Multi-Cluster Quick Start Prerequisites.

  • Deploy a TLS-encrypted multi-Kubernetes-cluster.

  • Create credentials for the Kubernetes Operator.

Enabling X.509 authentication at the project level configures all agents to use X.509 client authentication when communicating with MongoDB deployments.

X.509 client authentication requires one of the following:

  • Cloud Manager

  • Ops Manager version compatible with your Kubernetes Operator version.

1

Run the kubectl command to create a new secret that stores the agent's X.509 certificate:

kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
--namespace=<metadata.namespace> \
create secret tls <prefix>-<metadata.name>-agent-certs \
--cert=<agent-tls-cert> \
--key=<agent-tls-key>
2

Run the kubectl command to create a new secret that stores the internal cluster member's X.509 certificate. The member clusters are defined in your MongoDBMultiCluster resource.

kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
--namespace=<metadata.namespace> \
create secret tls <prefix>-<metadata.name>-clusterfile \
--cert=<resource-clusterfile-tls-cert> \
--key=<resource-clusterfile-tls-key>
3

Update your MongoDBMultiCluster custom resource with security settings from the Kubernetes Operator MongoDBMultiCluster resource specification. Add the internalCluster setting, under spec.authentication, and set it to "X509". The resulting configuration may look similar to the following example:

apiVersion: mongodb.com/v1
kind: MongoDBMultiCluster
metadata:
name: multi-replica-set
spec:
version: 8.0.0
type: ReplicaSet
persistent: false
duplicateServiceObjects: true
credentials: my-credentials
opsManager:
configMapRef:
name: my-project
security:
tls:
a: custom-ca
certsSecretPrefix: <prefix>
authentication:
enabled: true
modes: ["X509"]
agents:
mode: "X509"
internalCluster: "X509"
clusterSpecList:
- clusterName: ${MDB_CLUSTER_1_FULL_NAME}
members: 3
- clusterName: ${MDB_CLUSTER_2_FULL_NAME}
members: 2
- clusterName: ${MDB_CLUSTER_3_FULL_NAME}
members: 3
The |k8s-op-short| copies the ConfigMap with the |certauth| created in
the operator cluster to each member cluster, generates a concatenated
|pem| secret, and distributes it to the member clusters.
4
  1. For member clusters, run the following commands to verify that the MongoDB Pods are in the running state:

    kubectl get pods \
    --context=$MDB_CLUSTER_1_FULL_NAME \
    --namespace mongodb
    kubectl get pods \
    --context=$MDB_CLUSTER_2_FULL_NAME \
    --namespace mongodb
    kubectl get pods \
    --context=$MDB_CLUSTER_3_FULL_NAME \
    --namespace mongodb
  2. In the operator cluster, run the following command to verify that the MongoDBMultiCluster resource is in the running state:

    kubectl --context=$MDB_CENTRAL_CLUSTER_FULL_NAME \
    --namespace mongodb \
    get mdbmc multi-replica-set -o yaml -w

If you have already created certificates, renew them periodically using the following procedure.

1

Run this kubectl command to renew an existing secret that stores the certificates for the MongoDBMultiCluster resource:

kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
--namespace=<metadata.namespace> \
create secret tls <prefix>-<metadata.name>-cert \
--cert=<resource-tls-cert> \
--key=<resource-tls-key> \
--dry-run=client \
-o yaml |
kubectl apply -f -
2

Run the kubectl command to renew an existing secret that stores the MongoDBMultiCluster resource agent certificates:

kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
--namespace=<metadata.namespace> \
create secret tls <prefix>-<metadata.name>-agent-certs \
--cert=<agent-tls-cert> \
--key=<agent-tls-key> \
--dry-run=client \
-o yaml | kubectl apply -f -
3

Run the kubectl command to renew an existing secret that stores X.509 certificates for internal members of the MongoDBMultiCluster resource:

kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
--namespace=<metadata.namespace> \
create secret tls <prefix>-<metadata.name>-clusterfile \
--cert=<resource-clusterfile-tls-cert> \
--key=<resource-clusterfile-tls-key> \
--dry-run=client \
-o yaml | kubectl apply -f -

Back

Use X.509