Set Up a cert-manager Integration¶

On this page

Procedure
Renewing Certificates

cert-manager simplifies and automates the management of security certificates for Kubernetes. The following procedure describes how to configure cert-manager to generate certificates for MongoDB Kubernetes Operator resources.

Procedure¶

1

Create a CA secret.¶

Note

The following steps assume that you have already created a custom CA along with the corresponding tls.key private key and tls.crt signed certificate.

Create a secret to store your CA data:

copy

apiVersion: v1
kind: Secret
metadata:
  name: ca-key-pair
  namespace: <namespace>
data:
  tls.crt: <your-CA-certificate>
  tls.key: <your-CA-private-key>

2

If necessary, validate your TLS certificates.¶

If your Ops Manager TLS certificate or your application database TLS certificate is signed by a custom CA, you must provide a CA certificate to validate the TLS certificate(s). To validate the TLS certificate(s), create a ConfigMap to hold the CA certificate:

Warning

You must concatenate your custom CA file and the entire TLS certificate chain from downloads.mongodb.com to prevent Ops Manager from becoming inoperable if the application database restarts.

Important

The Kubernetes Operator requires that:

Your Ops Manager certificate is named mms-ca.crt in the ConfigMap.
Your application database certficate is named ca-pem in the ConfigMap.

Obtain the entire TLS certificate chain for both Ops Manager and the application database from downloads.mongodb.com. The following openssl command outputs each certificate in the chain to your current working directory, in .crt format:
copy
```
openssl s_client -showcerts -verify 2 \
-connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \
| awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}'
```
Concatenate your CA’s certificate file for Ops Manager with the entire TLS certificate chain from downloads.mongodb.com that you obtained in the previous step:
copy
```
cat cert1.crt cert2.crt cert3.crt cert4.crt  >> mms-ca.crt
```
Concatenate your CA’s certificate file for the application database with the entire TLS certificate chain from downloads.mongodb.com that you obtained in the previous step:
copy
```
cat cert1.crt cert2.crt cert3.crt cert4.crt  >> ca-pem
```

Create the ConfigMap for Ops Manager:

copy

kubectl create configmap om-http-cert-ca --from-file="mms-ca.crt"

Create the ConfigMap for the application database:
copy
```
kubectl create configmap ca --from-file="ca-pem"
```

3

Configure a cert-manager CA issuer¶

Create a CA issuer that references your CA secret:

copy

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
  namespace: <namespace>
spec:
  ca:
    secretName: ca-key-pair

Verify that the issuer is ready:
copy
```
kubectl get issuer ca-issuer
```
The READY field in the output should have a value of True.

4

Create a CA ConfigMap¶

Create a ConfigMap containing your CA. It must have two fields, ca-pem and mms-ca.crt, both pointing to your CA certificate. Replace <CA-certificate> with the path to your CA certificate.

copy

kubectl create cm ca-issuer --from-file=ca-pem=<CA-certificate> \
--from-file=mms-ca.crt=<CA-certificate>

5

Create certificates for your MongoDB resources¶

To secure a MongoDB resource with your generated certification, you must create certificates for both the resource itself and the MongoDB agent.

Create the MongoDB resource certificate. The following example assumes a replica set named my-replica-set with three members:

Note

The spec.issuerRef.name parameter references the previously created CA ConfigMap.

copy

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-replica-set-certificate
  namespace: mongodb
spec:
  dnsNames:
  - my-replica-set-0
  - my-replica-set-0.my-replica-set-svc.mongodb.svc.cluster.local
  - my-replica-set-1
  - my-replica-set-1.my-replica-set-svc.mongodb.svc.cluster.local
  - my-replica-set-2
  - my-replica-set-2.my-replica-set-svc.mongodb.svc.cluster.local
  duration: 240h0m0s
  issuerRef:
    name: ca-issuer
  renewBefore: 120h0m0s
  secretName: mdb-my-replica-set-cert
  usages:
  - server auth
  - client auth

For sharded clusters, you must create one certificate for each StatefulSet. To learn more about sharded cluster configuration, see Deploy a Sharded Cluster.

Create the MongoDB agent certificate:

Note

The spec.issuerRef.name parameter references the previously created CA ConfigMap.

copy

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: agent-certs
  namespace: mongodb
spec:
  commonName: automation
  dnsNames:
  - automation
  duration: 240h0m0s
  issuerRef:
    name: ca-issuer
  renewBefore: 120h0m0s
  secretName: mdb-my-replica-set-agent-certs
  usages:
  - digital signature
  - key encipherment
  - client auth
  subject:
    countries:
    - US
    localities:
    - NY
    organizationalUnits:
    - a-1635241837-m5yb81lfnrz
    organizations:
    - cluster.local-agent
    provinces:
    - NY

Create the MongoDB resource:

Note

If you leave the spec.security.tls.ca parameter unspecified, it defaults to {replica-set}-ca.

copy

apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-replica-set
  namespace: mongodb
spec:
  type: ReplicaSet

  members: 3
  version: 4.0.4-ent

  opsManager:
    configMapRef:
      name: my-project
  credentials: my-credentials

  security:
    certsSecretPrefix: mdb
    authentication:
      enabled: true
      modes:
      - X509
    tls:
      ca: ca-issuer
      enabled: true

6

Create certificates for Ops Manager and AppDB with TLS¶

To secure an Ops Manager resource, you must first create certificates for Ops Manager and AppDB, then create the Ops Manager resource.

Create the Ops Manager certificate:

Note

The spec.issuerRef.name parameter references the previously created CA ConfigMap.

copy

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-for-ops-manager
  namespace: mongodb
spec:
  dnsNames:
  - om-with-https-svc.mongodb.svc.cluster.local
  duration: 240h0m0s
  issuerRef:
    name: ca-issuer
  renewBefore: 120h0m0s
  secretName: mdb-om-with-https-cert
  usages:
  - server auth
  - client auth

Create the AppDB certificate:

Note

The spec.issuerRef.name parameter references the previously created CA ConfigMap.

copy

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: appdb-om-with-https-db-cert
  namespace: mongodb
spec:
  dnsNames:
  - om-with-https-db-0
  - om-with-https-db-0.om-with-https-db-svc.mongodb.svc.cluster.local
  - om-with-https-db-1
  - om-with-https-db-1.om-with-https-db-svc.mongodb.svc.cluster.local
  - om-with-https-db-2
  - om-with-https-db-2.om-with-https-db-svc.mongodb.svc.cluster.local
  duration: 240h0m0s
  issuerRef:
    name: ca-issuer
  renewBefore: 120h0m0s
  secretName: appdb-om-with-https-db-cert
  usages:
  - server auth
  - client auth

Create the Ops Manager resource:

copy

apiVersion: mongodb.com/v1
kind: MongoDBOpsManager
metadata:
  name: om-with-https
  namespace: mongodb
spec:
  adminCredentials: ops-manager-admin-secret
  applicationDatabase:
    members: 3
    security:
      certsSecretPrefix: appdb
      tls:
        ca: ca-issuer
    version: 6.0.0-ubi8
  replicas: 1
  security:
    certsSecretPrefix: mdb
    tls:
      ca: ca-issuer

Renewing Certificates¶

cert-manager will renew certificates under the following circumstances:

The certificate expires according to its spec.duration and spec.renewBefore fields.
You delete the secret holding a certificate. In this case, cert-manager recreates the secret according to the configuration in your certificate custom resource.
You alter the configuration of the certificate custom resource. In this case, cert-manager recreates the secret that contains the certificate when it detects the changes to its configuration.

← Configure File System Backup Store with Kubernetes Operator Deploy and Configure MongoDB Database Resources →