Set Up a cert-manager Integration¶

On this page

Procedure
Renewing Certificates

cert-manager simplifies and automates the management of security certificates for Kubernetes. The following procedure describes how to configure cert-manager to generate certificates for MongoDB Kubernetes Operator resources.

Procedure¶

1

Configure a cert-manager CA issuer¶

Note

The following steps assume that you have already created a custom CA along with the corresponding tls.key private key and tls.crt signed certificate.

Create a secret to store your CA data:

copy

apiVersion: v1
kind: Secret
metadata:
  name: ca-key-pair
  namespace: <namespace>
data:
  tls.crt: <your-CA-certificate>
  tls.key: <your-CA-private-key>

Create a CA issuer that references this secret:

copy

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
  namespace: <namespace>
spec:
  ca:
    secretName: ca-key-pair

Verify that the issuer is ready:
copy
```
kubectl get issuer ca-issuer
```
The READY field in the output should have a value of True.

2

Create a CA ConfigMap¶

Create a ConfigMap containing your CA. It must have two fields, ca-pem and mms-ca.crt, both pointing to your CA certificate.

copy

kubectl create cm issuer-ca --from-literal=ca-pem=<CA-certificate> \
--from-literal=mms-ca.crt=<CA-certificate>

3

Create certificates for your MongoDB resources¶

To secure a MongoDB resource with your generated certification, you must create certificates for both the resource itself and the MongoDB agent.

Create the MongoDB resource certificate. The following example assumes a replica set named my-replica-set with three members:

copy

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-replica-set-certificate
  namespace: mongodb
spec:
  dnsNames:
  - my-replica-set-0
  - my-replica-set-0.my-replica-set-svc.mongodb.svc.cluster.local
  - my-replica-set-1
  - my-replica-set-1.my-replica-set-svc.mongodb.svc.cluster.local
  - my-replica-set-2
  - my-replica-set-2.my-replica-set-svc.mongodb.svc.cluster.local
  duration: 240h0m0s
  issuerRef:
    name: ca-issuer
  renewBefore: 120h0m0s
  secretName: mdb-my-replica-set-cert
  usages:
  - server auth
  - client auth

For sharded clusters, you must create one certificate for each statefulset. To learn more about sharded cluster configuration, see Deploy a Sharded Cluster.

Create the MongoDB agent certificate:

copy

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: agent-certs
  namespace: mongodb
spec:
  commonName: automation
  dnsNames:
  - automation
  duration: 240h0m0s
  issuerRef:
    name: ca-issuer
  renewBefore: 120h0m0s
  secretName: agent-certs
  subject:
    countries:
    - US
    localities:
    - NY
    organizationalUnits:
    - a-1635241837-m5yb81lfnrz
    organizations:
    - cluster.local-agent
    provinces:
    - NY
    usages:
    - digital signature
    - key encipherment
    - client auth

Create the MongoDB resource:

copy

apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-replica-set
  namespace: mongodb
spec:
  type: ReplicaSet

  members: 3
  version: 4.0.4-ent

  opsManager:
    configMapRef:
      name: my-project
  credentials: my-credentials

  security:
    certsSecretPrefix: mdb
    authentication:
      enabled: true
      modes:
      - X509
  tls:
    ca: issuer-ca
    enabled: true

4

Create certificates for Ops Manager and AppDB with TLS¶

To secure an Ops Manager resource, you must first create certificates for Ops Manager and AppDB, then create the Ops Manager resource.

Create the Ops Manager certificate:

copy

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-for-ops-manager
  namespace: mongodb
spec:
  dnsNames:
  - om-with-https-svc.mongodb.svc.cluster.local
  duration: 240h0m0s
  issuerRef:
    name: ca-issuer
  renewBefore: 120h0m0s
  secretName: mdb-op-with-https-cert
  usages:
  - server auth
  - client auth

Create the AppDB certificate:

copy

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: appdb-om-with-https-db-cert
  namespace: mongodb
spec:
  dnsNames:
  - om-with-https-db-0
  - om-with-https-db-0.om-with-https-db-svc.mongodb.svc.cluster.local
  - om-with-https-db-1
  - om-with-https-db-1.om-with-https-db-svc.mongodb.svc.cluster.local
  - om-with-https-db-2
  - om-with-https-db-2.om-with-https-db-svc.mongodb.svc.cluster.local
  duration: 240h0m0s
  issuerRef:
    name: ca-issuer
  renewBefore: 120h0m0s
  secretName: appdb-om-with-https-db-cert
  usages:
  - server auth
  - client auth

Create the Ops Manager resource:

copy

apiVersion: mongodb.com/v1
kind: MongoDBOpsManager
metadata:
  name: om-with-https
  namespace: mongodb
spec:
  adminCredentials: ops-manager-admin-secret
  applicationDatabase:
    members: 3
    security:
      certsSecretPrefix: appdb
      tls:
        ca: issuer-ca
    version: 4.4.0-ent
  replicas: 1
  security:
    certsSecretPrefix: mdb
    tls:
      ca: issuer-ca

Renewing Certificates¶

cert-manager will renew certificates under the following circumstances:

The certificate expires according to its spec.duration and spec.renewBefore fields.
You delete the secret holding a certificate. In this case, cert-manager recreates the secret according to the configuration in your certificate custom resource.
You alter the configuration of the certificate custom resource. In this case, cert-manager recreates the secret that contains the certificate when it detects the changes to its configuration.

← Configure File System Backup Store with Kubernetes Operator Deploy and Configure MongoDB Database Resources →