Secure Multi-Cluster Deployments with TLS

You can configure the Kubernetes Operator to use TLS for encrypting connections between MongoDB instances in replica sets in a multi-cluster deployment.

The MongoDB Enterprise Kubernetes Operator can use TLS certificates to encrypt connections between:

  • MongoDB hosts in a replica set
  • Client applications and MongoDB deployments

To secure your multi-cluster deployment with TLS encryption, you run all actions on the central cluster. The Kubernetes Operator propagates the TLS configuration to each member cluster and updates the Kubernetes Operator configuration on each member cluster.


Before you secure your multi-cluster MongoDB deployment using TLS encryption, complete the following tasks:

  • To enable internal cluster authentication, create certificates for member clusters in the multi-Kubernestes-cluster deployment.

  • Generate one TLS certificate covering the SANs of all the member clusters in the MongoDBMulti resource.

  • For each Kubernetes service that the Kubernetes Operator generates corresponding to each Pod in each member cluster, add SANs to the certificate. In your TLS certificate, the SAN for each Kubernetes service must use the following format:


    where n ranges from 0 to clusterSpecList[member_cluster_index].members - 1.

  • Generate one TLS certificate for your project’s MongoDB Agents.

    • For the MongoDB Agent TLS certificate:
      • The Common Name in the TLS certificate must not be empty.
      • The combined Organization and Organizational Unit in each TLS certificate must differ from the Organization and Organizational Unit in the TLS certificate for your replica set members.
  • You must possess the CA certificate and the key that you used to sign your TLS certificates.


The Kubernetes Operator uses secrets to store TLS certificates and private keys for Ops Manager and MongoDB resources. Starting in Kubernetes Operator version 1.17, the Kubernetes Operator doesn’t support concatenated PEM files stored as Opaque secrets.

To migrate your PEM files stored as Opaque secrets TLS secrets to secrets, see Upgrade from Kubernetes Operator 1.12 with TLS Enabled.

If you have a broken Application Database after upgrading to Kubernetes Operator version 1.14.0 or 1.15.0, see Ops Manager in Failed State.

Create TLS Certificates for a MongoDBMulti Resource


Create the secret for the TLS certificate of your MongoDBMulti custom resource.

Run the kubectl command to create a new secret that stores the MongoDB multi-cluster resource’s certificate:

kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
  --namespace=<metadata.namespace> \
  create secret tls <prefix>-<>-cert \
  --cert=<resource-tls-cert> \


You must prefix your secrets with <prefix>-<>.


If you call your deployment my-deployment and you set the prefix to mdb, you must name the TLS secret for the client TLS communications mdb-my-deployment-cert. Also, you must name the TLS secret for internal cluster authentication (if enabled) mdb-my-deployment-clusterfile.

If you’re using HashiCorp Vault as your secret storage tool, you can Create a Vault Secret instead.

To learn about your options for secret storage, see Configure Secret Storage.


Update your MongoDBMulti custom resource.

Update your MongoDB multi-cluster resource with security settings from the Kubernetes Operator MongoDB resource specification. The resulting configuration should look as follows:

kind: MongoDBMulti
 name: multi-replica-set
 version: 5.0.0-ent
 type: ReplicaSet
 persistent: false
 duplicateServiceObjects: true
 credentials: my-credentials
     name: my-project
     ca: custom-ca
   certsSecretPrefix: <prefix>
   - clusterName: ${MDB_CLUSTER_1_FULL_NAME}
     members: 3
   - clusterName: ${MDB_CLUSTER_2_FULL_NAME}
     members: 2
   - clusterName: ${MDB_CLUSTER_3_FULL_NAME}
     members: 3

The Kubernetes Operator copies the ConfigMap with the CA created in the central cluster to each member cluster, generates a concatenated PEM secret, and distributes it to the member clusters.


Verify that the MDB resources are running.

  1. For member clusters, run the following commands to verify that the MongoDB Pods are in the running state:

    kubectl get pods \
     --context=$MDB_CLUSTER_1_FULL_NAME \
     --namespace mongodb
    kubectl get pods \
     --context=$MDB_CLUSTER_2_FULL_NAME \
     --namespace mongodb
    kubectl get pods \
     --context=$MDB_CLUSTER_3_FULL_NAME \
     --namespace mongodb
  2. In the central cluster, run the following commands to verify that the MongoDBMulti custom resource is in the running state:

    kubectl --context=$MDB_CENTRAL_CLUSTER_FULL_NAME \
      --namespace mongodb \
      get mdbm multi-replica-set -o yaml -w

Renew TLS Certificates for a MongoDBMulti Resource

If you have already created certificates, renew them periodically using the following procedure.


Renew the secret for a MongoDBMulti resource.

Run this kubectl command to renew an existing secret that stores the MongoDBMulti resource’s certificates:

kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
--namespace=<metadata.namespace> \
create secret tls <prefix>-<>-cert \
--cert=<resource-tls-cert> \
--key=<resource-tls-key> \
--dry-run=client \
-o yaml |
kubectl apply -f -