Docs Menu
Docs Home
/
MongoDB Enterprise Kubernetes Operator
/

Set Up a cert-manager Integration

On this page

  • Procedure
  • Create a CA secret.
  • Add additional certificates to custom CA certificates.
  • Configure a cert-manager CA issuer
  • Create a CA ConfigMap
  • Create certificates for your MongoDB resources
  • Create certificates for Ops Manager and AppDB with TLS
  • Renewing Certificates

cert-manager simplifies and automates the management of security certificates for Kubernetes. The following procedure describes how to configure cert-manager to generate certificates for MongoDB Kubernetes Operator resources.

1

Note

The following steps assume that you have already created a custom CA along with the corresponding tls.key private key and tls.crt signed certificate.

Create a secret to store your CA data:

apiVersion: v1
kind: Secret
metadata:
name: ca-key-pair
namespace: <namespace>
data:
tls.crt: <your-CA-certificate>
tls.key: <your-CA-private-key>
2

If your Ops Manager TLS certificate is signed by a custom CA, the CA certificate must also contain additional certificates that allow Ops Manager Backup Daemon to download MongoDB binaries from the internet. To create the TLS certificate(s), create a ConfigMap to hold the CA certificate:

Important

The Kubernetes Operator requires that your Ops Manager certificate is named mms-ca.crt in the ConfigMap.

  1. Obtain the entire TLS certificate chain for Ops Manager from downloads.mongodb.com. The following openssl command outputs the certificate in the chain to your current working directory, in .crt format:

    openssl s_client -showcerts -verify 2 \
    -connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \
    | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}'
  2. Concatenate your CA's certificate file for Ops Manager with the entire TLS certificate chain from downloads.mongodb.com that you obtained in the previous step:

    cat cert2.crt cert3.crt cert4.crt >> mms-ca.crt
  3. Create the ConfigMap for Ops Manager:

    kubectl create configmap om-http-cert-ca --from-file="mms-ca.crt"
3
  1. Create a CA issuer that references your CA secret:

    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
    name: ca-issuer
    namespace: <namespace>
    spec:
    ca:
    secretName: ca-key-pair
  2. Verify that the issuer is ready:

    kubectl get issuer ca-issuer

    The READY field in the output should have a value of True.

4

Create a ConfigMap containing your CA. It must have two fields, ca-pem and mms-ca.crt, both pointing to your CA certificate. Replace <CA-certificate> with the path to your CA certificate.

kubectl create cm ca-issuer --from-file=ca-pem=<CA-certificate> \
--from-file=mms-ca.crt=<CA-certificate>
5

To secure a MongoDB resource with your generated certification, you must create certificates for both the resource itself and the MongoDB agent.

  1. Create the MongoDB resource certificate. The following example assumes a replica set named my-replica-set with three members:

    Note

    The spec.issuerRef.name parameter references the previously created CA ConfigMap.

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
    name: my-replica-set-certificate
    namespace: mongodb
    spec:
    dnsNames:
    - my-replica-set-0
    - my-replica-set-0.my-replica-set-svc.mongodb.svc.cluster.local
    - my-replica-set-1
    - my-replica-set-1.my-replica-set-svc.mongodb.svc.cluster.local
    - my-replica-set-2
    - my-replica-set-2.my-replica-set-svc.mongodb.svc.cluster.local
    duration: 240h0m0s
    issuerRef:
    name: ca-issuer
    renewBefore: 120h0m0s
    secretName: mdb-my-replica-set-cert
    usages:
    - server auth
    - client auth

    For sharded clusters, you must create one certificate for each StatefulSet. To learn more about sharded cluster configuration, see Deploy a Sharded Cluster.

  2. Create the MongoDB agent certificate:

    Note

    The spec.issuerRef.name parameter references the previously created CA ConfigMap.

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
    name: agent-certs
    namespace: mongodb
    spec:
    commonName: automation
    dnsNames:
    - automation
    duration: 240h0m0s
    issuerRef:
    name: ca-issuer
    renewBefore: 120h0m0s
    secretName: mdb-my-replica-set-agent-certs
    usages:
    - digital signature
    - key encipherment
    - client auth
    subject:
    countries:
    - US
    localities:
    - NY
    organizationalUnits:
    - a-1635241837-m5yb81lfnrz
    organizations:
    - cluster.local-agent
    provinces:
    - NY
  3. Create the MongoDB resource:

    Note

    If you leave the spec.security.tls.ca parameter unspecified, it defaults to {replica-set}-ca.

    apiVersion: mongodb.com/v1
    kind: MongoDB
    metadata:
    name: my-replica-set
    namespace: mongodb
    spec:
    type: ReplicaSet
    members: 3
    version: 4.0.4-ent
    opsManager:
    configMapRef:
    name: my-project
    credentials: my-credentials
    security:
    certsSecretPrefix: mdb
    authentication:
    enabled: true
    modes:
    - X509
    tls:
    ca: ca-issuer
    enabled: true
6

To secure an Ops Manager resource, you must first create certificates for Ops Manager and AppDB, then create the Ops Manager resource.

  1. Create the Ops Manager certificate:

    Note

    The spec.issuerRef.name parameter references the previously created CA ConfigMap.

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
    name: cert-for-ops-manager
    namespace: mongodb
    spec:
    dnsNames:
    - om-with-https-svc.mongodb.svc.cluster.local
    duration: 240h0m0s
    issuerRef:
    name: ca-issuer
    renewBefore: 120h0m0s
    secretName: mdb-om-with-https-cert
    usages:
    - server auth
    - client auth
  2. Create the AppDB certificate:

    Note

    The spec.issuerRef.name parameter references the previously created CA ConfigMap.

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
    name: appdb-om-with-https-db-cert
    namespace: mongodb
    spec:
    dnsNames:
    - om-with-https-db-0
    - om-with-https-db-0.om-with-https-db-svc.mongodb.svc.cluster.local
    - om-with-https-db-1
    - om-with-https-db-1.om-with-https-db-svc.mongodb.svc.cluster.local
    - om-with-https-db-2
    - om-with-https-db-2.om-with-https-db-svc.mongodb.svc.cluster.local
    duration: 240h0m0s
    issuerRef:
    name: ca-issuer
    renewBefore: 120h0m0s
    secretName: appdb-om-with-https-db-cert
    usages:
    - server auth
    - client auth
  3. Create the Ops Manager resource:

    apiVersion: mongodb.com/v1
    kind: MongoDBOpsManager
    metadata:
    name: om-with-https
    namespace: mongodb
    spec:
    adminCredentials: ops-manager-admin-secret
    applicationDatabase:
    members: 3
    security:
    certsSecretPrefix: appdb
    tls:
    ca: ca-issuer
    version: 6.0.0-ubi8
    replicas: 1
    security:
    certsSecretPrefix: mdb
    tls:
    ca: ca-issuer

cert-manager will renew certificates under the following circumstances:

  • The certificate expires according to its spec.duration and spec.renewBefore fields.

  • You delete the secret holding a certificate. In this case, cert-manager recreates the secret according to the configuration in your certificate custom resource.

  • You alter the configuration of the certificate custom resource. In this case, cert-manager recreates the secret that contains the certificate when it detects the changes to its configuration.

Back

Configure File System Backup Store with Kubernetes Operator