Set Up a cert-manager Integration
cert-manager simplifies and automates the management of security certificates for Kubernetes. The following procedure describes how to configure cert-manager to generate certificates for MongoDB Kubernetes Operator resources.
Procedure
Configure a cert-manager CA issuer
Note
The following steps assume that you have already created a custom CA along with the corresponding tls.key private key and tls.crt signed certificate.
Create a secret to store your CA data:
Create a CA issuer that references this secret:
Verify that the issuer is ready:
The READY field in the output should have a value of True.
Create a CA ConfigMap
Create a ConfigMap containing your CA. It must have two fields, ca-pem and mms-ca.crt, both pointing to your CA certificate.
Create certificates for your MongoDB resources
To secure a MongoDB resource with your generated certificates, you must create certificates for both the resource itself and the MongoDB agent.
Create the MongoDB resource certificate. The following example assumes a replica set named my-replica-set with three members:
For sharded clusters, you must create one certificate for each statefulset. To learn more about sharded cluster configuration, see Deploy a Sharded Cluster.
Create the MongoDB agent certificate:
Create the MongoDB resource:
Create certificates for Ops Manager and AppDB with TLS
To secure an Ops Manager resource, you must first create certificates for Ops Manager and AppDB, then create the Ops Manager resource.
Create the Ops Manager certificate:
Create the AppDB certificate:
Create the Ops Manager resource:
Renewing Certificates
cert-manager will renew certificates under the following circumstances:
- The certificate expires according to its spec.duration and spec.renewBefore fields.
- You delete the secret holding a certificate. In this case, cert-manager recreates the secret according to the configuration in your certificate custom resource.
- You alter the configuration of the certificate custom resource. In this case, cert-manager recreates the secret that contains the certificate when it detects the changes to its configuration.
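The CA issuer and replica set certificate steps, together with the renewal fields described above, sketched as cert-manager manifests. This is an added example, not the manifests from the original page: the names ca-issuer, ca-key-pair and my-replica-set-cert, the mongodb namespace, the duration values and the quoted secret and host names are placeholder assumptions to replace with your own.

```yaml
# Added example: every name, namespace and hostname below is a placeholder.
# The CA issuer reads the CA's tls.crt and tls.key from a secret in its own namespace.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer                 # placeholder
  namespace: mongodb              # placeholder
spec:
  ca:
    secretName: ca-key-pair       # placeholder: secret created from tls.crt and tls.key
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-replica-set-cert       # placeholder
  namespace: mongodb              # placeholder, same namespace as the Issuer
spec:
  # Secret that cert-manager writes the key pair to. If this secret is deleted,
  # cert-manager recreates it from this Certificate resource.
  secretName: "<secret-name-your-MongoDB-resource-expects>"
  issuerRef:
    kind: Issuer
    name: ca-issuer
  duration: 2160h                 # requested lifetime: 90 days
  renewBefore: 360h               # start renewal 15 days before expiry; must be shorter than duration
  usages:
    - server auth
    - client auth
  dnsNames:                       # one entry per member of the three-member replica set
    - "<hostname-of-member-0>"
    - "<hostname-of-member-1>"
    - "<hostname-of-member-2>"
```

Changing a field under spec, such as adding an entry to dnsNames, is the kind of configuration change that makes cert-manager reissue the certificate into the same secret.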