- Deploy and Configure MongoDB Database Resources >
- Secure Client Connections >
- Secure Client Authentication with X.509
Secure Client Authentication with X.509¶
On this page
The MongoDB Enterprise Kubernetes Operator can use X.509 certificates to authenticate your client applications to your MongoDB deployments.
This guide instructs you on how to configure X.509 authentication from clients to your MongoDB instances.
Note
You can’t secure a Standalone Instance of MongoDB in a Kubernetes cluster.
General Prerequisites¶
Before you secure your MongoDB deployment using TLS encryption, complete the following:
Enabling X.509 authentication at the project level configures all agents to use X.509 client authentication when communicating with MongoDB deployments.
X.509 client authentication requires one of the following:
- Cloud Manager
- Ops Manager 4.1.7 or later
- Ops Manager 4.0.11 or later
Configure X.509 Client Authentication for a Replica Set¶
Prerequisites¶
Before you secure your replica set using X.509, deploy a TLS-encrypted replica set.
Enable X.509 Client Authentication¶
Copy the sample replica set resource.¶
Change the settings of this YAML file to match your desired replica set configuration.
Paste the copied example section into your existing replica set resource.¶
Open your preferred text editor and paste the object specification
at the end of your resource file in the spec
section.
Configure the general X.509 settings for your replica set resource.¶
To enable TLS and X.509 in your deployment, configure the following settings in your Kubernetes object:
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
boolean | Required | Set this value to true to enable authentication on the
MongoDB deployment. |
true |
|
array | Conditional | Set this value to ["X509"] . |
["X509"] |
Save your replica set config file.¶
Apply your changes to your replica set deployment.¶
Invoke the following Kubernetes command to update your replica set:
Track the status of your deployment.¶
To check the status of your MongoDB
resource, use the following
command:
With the -w
(watch) flag set, when the configuration changes, the output
refreshes immediately until the status phase achieves the Running
state.
To learn more about resource deployment statuses, see Troubleshoot the Kubernetes Operator.
Renew X.509 Certificates for a Replica Set¶
If you have already created certificates, we recommend that you renew them periodically using the following procedure.
Note
To automate certificate renewal for Ops Manager deployments, consider setting up the cert-manager integration.
Configure kubectl
to default to your namespace.¶
If you have not already, run the following command to execute all
kubectl
commands in the namespace you created.
Note
If you are deploying an Ops Manager resource in a multi-Kubernetes-cluster deployment:
- Set the
context
to the name of the central cluster, such as:kubectl config set context "$MDB_CENTRAL_CLUSTER_FULL_NAME"
. - Set the
--namespace
to the same scope that you used for your multi-Kubernetes-cluster deployment, such as:kubectl config --namespace "mongodb"
.
Configure X.509 Client Authentication for a Sharded Cluster¶
Prerequisites¶
Before you secure your sharded cluster using X.509, deploy a TLS-encrypted sharded cluster.
Enable X.509 Client Authentication¶
Copy the sample sharded cluster resource.¶
Change the settings of this YAML file to match your desired sharded cluster configuration.
Paste the copied example section into your existing sharded cluster resource.¶
Open your preferred text editor and paste the object specification
at the end of your resource file in the spec
section.
Configure the general X.509 settings for your sharded cluster resource.¶
To enable TLS and X.509 in your deployment, configure the following settings in your Kubernetes object:
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
boolean | Required | Set this value to true to enable authentication on the
MongoDB deployment. |
true |
|
array | Conditional | Set this value to ["X509"] . |
["X509"] |
Save your sharded cluster config file.¶
Update and restart your sharded cluster deployment.¶
In any directory, invoke the following Kubernetes command to update and restart your sharded cluster:
Track the status of your deployment.¶
To check the status of your MongoDB
resource, use the following
command:
With the -w
(watch) flag set, when the configuration changes, the output
refreshes immediately until the status phase achieves the Running
state.
To learn more about resource deployment statuses, see Troubleshoot the Kubernetes Operator.
Renew X.509 Certificates for a Sharded Cluster¶
If you have already created certificates, we recommend that you renew them periodically using the following procedure.
Note
To automate certificate renewal for Ops Manager deployments, consider setting up the cert-manager integration.
Configure kubectl
to default to your namespace.¶
If you have not already, run the following command to execute all
kubectl
commands in the namespace you created.
Note
If you are deploying an Ops Manager resource in a multi-Kubernetes-cluster deployment:
- Set the
context
to the name of the central cluster, such as:kubectl config set context "$MDB_CENTRAL_CLUSTER_FULL_NAME"
. - Set the
--namespace
to the same scope that you used for your multi-Kubernetes-cluster deployment, such as:kubectl config --namespace "mongodb"
.