Set Up a cert-manager Integration

cert-manager simplifies and automates the management of security certificates for Kubernetes. The following procedure describes how to configure cert-manager to generate certificates for MongoDB Kubernetes Operator resources.

Procedure

Step 1. Configure a cert-manager CA issuer

Note

The following steps assume that you have already created a custom CA along with the corresponding tls.key private key and tls.crt signed certificate.

  1. Create a secret to store your CA data:

    apiVersion: v1
    kind: Secret
    metadata:
      name: ca-key-pair
      namespace: <namespace>
    data:
      tls.crt: <your-CA-certificate>
      tls.key: <your-CA-private-key>
    
  2. Create a CA issuer that references this secret:

    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: ca-issuer
      namespace: <namespace>
    spec:
      ca:
        secretName: ca-key-pair
    
  3. Verify that the issuer is ready (the issuer is namespaced, so query the namespace you created it in):

    kubectl get issuer ca-issuer -n <namespace>
    

    The READY column in the output should show True.

Step 2. Create a CA ConfigMap

Create a ConfigMap containing your CA. It must have two fields, ca-pem and mms-ca.crt, both pointing to your CA certificate.

kubectl create cm issuer-ca -n <namespace> --from-literal=ca-pem=<CA-certificate> \
  --from-literal=mms-ca.crt=<CA-certificate>

Step 3. Create certificates for your MongoDB resources

To secure a MongoDB resource with certificates from your issuer, you must create certificates for both the resource itself and the MongoDB agent.

  1. Create the MongoDB resource certificate. The following example assumes a replica set named my-replica-set with three members:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: my-replica-set-certificate
      namespace: mongodb
    spec:
      dnsNames:
      - my-replica-set-0
      - my-replica-set-0.my-replica-set-svc.mongodb.svc.cluster.local
      - my-replica-set-1
      - my-replica-set-1.my-replica-set-svc.mongodb.svc.cluster.local
      - my-replica-set-2
      - my-replica-set-2.my-replica-set-svc.mongodb.svc.cluster.local
      duration: 240h0m0s
      issuerRef:
        name: ca-issuer
      renewBefore: 120h0m0s
      secretName: mdb-my-replica-set-cert
      usages:
      - server auth
      - client auth
    

For sharded clusters, you must create one certificate for each statefulset. To learn more about sharded cluster configuration, see Deploy a Sharded Cluster.

  2. Create the MongoDB agent certificate (note that usages belongs directly under spec, not under subject):

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: agent-certs
      namespace: mongodb
    spec:
      commonName: automation
      dnsNames:
      - automation
      duration: 240h0m0s
      issuerRef:
        name: ca-issuer
      renewBefore: 120h0m0s
      secretName: agent-certs
      subject:
        countries:
        - US
        localities:
        - NY
        organizationalUnits:
        - a-1635241837-m5yb81lfnrz
        organizations:
        - cluster.local-agent
        provinces:
        - NY
      usages:
      - digital signature
      - key encipherment
      - client auth
    
  3. Create the MongoDB resource:

    apiVersion: mongodb.com/v1
    kind: MongoDB
    metadata:
      name: my-replica-set
      namespace: mongodb
    spec:
      type: ReplicaSet

      members: 3
      version: 4.0.4-ent

      opsManager:
        configMapRef:
          name: my-project
      credentials: my-credentials

      security:
        certsSecretPrefix: mdb
        authentication:
          enabled: true
          modes:
          - X509
        # tls is nested under security; the ca value is the ConfigMap from step 2
        tls:
          ca: issuer-ca
          enabled: true

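The manifests in steps 2 and 3 (and the Ops Manager resource in step 4) rely on naming conventions the page shows only for a three-member replica set: each member needs its short pod name and its headless-service FQDN in dnsNames, and the operator finds the certificate in a Secret named `<certsSecretPrefix>-<resource name>-cert`. The following is an added example, not code from the operator or from cert-manager; it generates the step 3 Certificate for any member count and lints a Certificate against those conventions before you apply it (the lint rules, the placeholder PEM and the function names are this example's own), and checks that the step 2 ConfigMap carries the same CA as the step 1 Secret under both required keys.

```python
"""Added example (not operator or cert-manager code): generate and lint the
cert-manager Certificate for a MongoDB Kubernetes Operator replica set, and
check that the CA ConfigMap matches the issuer's CA Secret.

Naming rules are taken from the manifests on this page and assumed to hold
for any member count:
  pod hostname      <name>-<i>
  service hostname  <name>-<i>.<name>-svc.<namespace>.svc.cluster.local
  TLS secret        <certsSecretPrefix>-<name>-cert
"""
import base64
import re


def member_dns_names(name, namespace, members):
    """dnsNames a replica set certificate needs: the short pod name plus the
    headless-service FQDN for every member."""
    names = []
    for i in range(members):
        pod = f"{name}-{i}"
        names.append(pod)
        names.append(f"{pod}.{name}-svc.{namespace}.svc.cluster.local")
    return names


def expected_secret_name(prefix, name):
    """Secret the operator looks for when spec.security.certsSecretPrefix=prefix."""
    return f"{prefix}-{name}-cert"


_GO_DURATION = re.compile(r"(\d+)([hms])")


def go_duration_seconds(text):
    """Parse the Go-style durations used in spec.duration/renewBefore ("240h0m0s")."""
    units = {"h": 3600, "m": 60, "s": 1}
    parts = _GO_DURATION.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"not a Go duration: {text!r}")
    return sum(int(n) * units[u] for n, u in parts)


def certificate_manifest(name, namespace, members, issuer, prefix,
                         duration="240h0m0s", renew_before="120h0m0s"):
    """The Certificate from step 3, as a dict, for any number of members."""
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {"name": f"{name}-certificate", "namespace": namespace},
        "spec": {
            "dnsNames": member_dns_names(name, namespace, members),
            "duration": duration,
            "issuerRef": {"name": issuer},
            "renewBefore": renew_before,
            "secretName": expected_secret_name(prefix, name),
            "usages": ["server auth", "client auth"],
        },
    }


def lint_certificate(cert, resource_name, prefix, required_dns_names):
    """Return problems that would stop the operator from picking the certificate
    up or cert-manager from renewing it sensibly ([] means OK). These checks are
    this example's own, not an official validator."""
    spec = cert["spec"]
    problems = []
    want = expected_secret_name(prefix, resource_name)
    if spec.get("secretName") != want:
        problems.append(f"secretName {spec.get('secretName')!r} should be {want!r}")
    missing = sorted(set(required_dns_names) - set(spec.get("dnsNames", [])))
    if missing:
        problems.append(f"dnsNames missing: {missing}")
    if go_duration_seconds(spec["renewBefore"]) >= go_duration_seconds(spec["duration"]):
        problems.append("renewBefore must be shorter than duration")
    if "server auth" not in spec.get("usages", []):
        problems.append("usages must include 'server auth'")
    return problems


def ca_configmap_matches_secret(configmap, secret):
    """Step 2's ConfigMap must carry the issuer CA (step 1's tls.crt, which is
    base64-encoded in a Secret) under both ca-pem and mms-ca.crt."""
    ca = base64.b64decode(secret["data"]["tls.crt"]).decode().strip()
    cm = configmap.get("data", {})
    return all(cm.get(k, "").strip() == ca for k in ("ca-pem", "mms-ca.crt"))


# Constructed sample data: a placeholder PEM, not a real certificate or key.
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_CA_SECRET = {"kind": "Secret", "metadata": {"name": "ca-key-pair"},
                    "data": {"tls.crt": base64.b64encode(SAMPLE_CA_PEM.encode()).decode(),
                             "tls.key": base64.b64encode(b"PLACEHOLDER KEY").decode()}}
SAMPLE_CA_CONFIGMAP = {"kind": "ConfigMap", "metadata": {"name": "issuer-ca"},
                       "data": {"ca-pem": SAMPLE_CA_PEM, "mms-ca.crt": SAMPLE_CA_PEM}}

if __name__ == "__main__":
    cert = certificate_manifest("my-replica-set", "mongodb", 3, "ca-issuer", "mdb")
    print(cert["spec"]["dnsNames"])
    print(lint_certificate(cert, "my-replica-set", "mdb",
                           member_dns_names("my-replica-set", "mongodb", 3)))
    print(ca_configmap_matches_secret(SAMPLE_CA_CONFIGMAP, SAMPLE_CA_SECRET))
```

A secretName that does not follow the prefix convention is the failure mode worth catching early: cert-manager issues the certificate happily, but the operator never finds it and the resource stays stuck waiting for TLS material. Running the lint over the Ops Manager certificate from step 4 with prefix `mdb` and resource name `om-with-https` applies the same check there.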
Step 4. Create certificates for Ops Manager and AppDB with TLS

To secure an Ops Manager resource, you must first create certificates for Ops Manager and AppDB, then create the Ops Manager resource.

  1. Create the Ops Manager certificate. The Secret name must follow the operator's convention of `<certsSecretPrefix>-<resource name>-cert`, so for the om-with-https resource with prefix mdb it is mdb-om-with-https-cert:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: cert-for-ops-manager
      namespace: mongodb
    spec:
      dnsNames:
      - om-with-https-svc.mongodb.svc.cluster.local
      duration: 240h0m0s
      issuerRef:
        name: ca-issuer
      renewBefore: 120h0m0s
      # <certsSecretPrefix>-<resource name>-cert
      secretName: mdb-om-with-https-cert
      usages:
      - server auth
      - client auth
    
  2. Create the AppDB certificate:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: appdb-om-with-https-db-cert
      namespace: mongodb
    spec:
      dnsNames:
      - om-with-https-db-0
      - om-with-https-db-0.om-with-https-db-svc.mongodb.svc.cluster.local
      - om-with-https-db-1
      - om-with-https-db-1.om-with-https-db-svc.mongodb.svc.cluster.local
      - om-with-https-db-2
      - om-with-https-db-2.om-with-https-db-svc.mongodb.svc.cluster.local
      duration: 240h0m0s
      issuerRef:
        name: ca-issuer
      renewBefore: 120h0m0s
      secretName: appdb-om-with-https-db-cert
      usages:
      - server auth
      - client auth
    
  3. Create the Ops Manager resource:

    apiVersion: mongodb.com/v1
    kind: MongoDBOpsManager
    metadata:
      name: om-with-https
      namespace: mongodb
    spec:
      adminCredentials: ops-manager-admin-secret
      applicationDatabase:
        members: 3
        security:
          certsSecretPrefix: appdb
          tls:
            ca: issuer-ca
        version: 4.4.0-ent
      replicas: 1
      security:
        certsSecretPrefix: mdb
        tls:
          ca: issuer-ca
    

Renewing Certificates

cert-manager renews a certificate under the following circumstances:

  • The certificate approaches expiry: cert-manager renews it spec.renewBefore ahead of the end of its spec.duration.
  • You delete the secret holding a certificate. In this case, cert-manager recreates the secret according to the configuration in your certificate custom resource.
  • You alter the configuration of the certificate custom resource. In this case, cert-manager reissues the certificate and recreates the secret as soon as it detects the configuration change.