# Set Up a cert-manager Integration
cert-manager simplifies and automates the management of security certificates for Kubernetes. The following procedure describes how to configure cert-manager to generate certificates for MongoDB Kubernetes Operator resources.
## Procedure

### Create a CA secret.
Note
The following steps assume that you have already created a custom CA along with the corresponding `tls.key` private key and `tls.crt` signed certificate.
Create a secret to store your CA data:
### If necessary, validate your TLS certificates.
If your Ops Manager TLS certificate or your application database TLS certificate is signed by a custom CA, you must provide a CA certificate to validate the TLS certificate(s). To validate the TLS certificate(s), create a ConfigMap to hold the CA certificate:
Warning
You must concatenate your custom CA file and the entire TLS certificate chain from downloads.mongodb.com to prevent Ops Manager from becoming inoperable if the application database restarts.
Important
The Kubernetes Operator requires that:
- Your Ops Manager certificate is named `mms-ca.crt` in the ConfigMap.
- Your application database certificate is named `ca-pem` in the ConfigMap.
- Obtain the entire TLS certificate chain for both Ops Manager and the application database from downloads.mongodb.com. The following `openssl` command outputs each certificate in the chain to your current working directory, in `.crt` format:
- Concatenate your CA's certificate file for Ops Manager with the entire TLS certificate chain from downloads.mongodb.com that you obtained in the previous step:
- Concatenate your CA's certificate file for the application database with the entire TLS certificate chain from downloads.mongodb.com that you obtained in the previous step:
- Create the ConfigMap for Ops Manager:
- Create the ConfigMap for the application database:
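The CA secret step and the chain-extraction and ConfigMap steps above, as one added shell example; it is not code from the MongoDB documentation or from the operator project. The namespace `mongodb`, the secret name `ca-key-pair`, the ConfigMap names `om-ca` and `appdb-ca`, and the file names are assumptions; the only fixed values are the ConfigMap keys `mms-ca.crt` and `ca-pem` that the Important box requires. The PEM-splitting and concatenation functions run offline on a constructed two-block bundle; the `openssl s_client` and `kubectl` steps run only when you invoke the script with `apply` against a cluster.

```shell
#!/bin/sh
# Added example: build the CA secret and the two CA ConfigMaps that the
# Kubernetes Operator reads for Ops Manager and the application database.
# Assumed names: namespace "mongodb", CA secret "ca-key-pair",
# ConfigMaps "om-ca" (Ops Manager) and "appdb-ca" (application database).
set -eu

NAMESPACE=${NAMESPACE:-mongodb}
CHAIN_HOST=downloads.mongodb.com

# Step 1 of the procedure: store the custom CA's tls.crt / tls.key as a
# kubernetes.io/tls secret. cert-manager's CA issuer reads exactly those keys.
create_ca_secret() {        # $1 = tls.crt, $2 = tls.key
  kubectl create secret tls ca-key-pair \
    --cert="$1" --key="$2" -n "$NAMESPACE"
}

# Fetch every certificate the TLS server presents. -showcerts prints the
# whole chain; sed keeps only the PEM blocks and drops the session chatter.
fetch_chain() {
  openssl s_client -showcerts -connect "$CHAIN_HOST:443" \
    -servername "$CHAIN_HOST" </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Split a PEM bundle ($1) into cert-1.crt, cert-2.crt, ... in directory $2
# and print how many certificates were written. Text between blocks is
# discarded, so raw s_client output can be fed in directly.
split_pem_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; file = sprintf("%s/cert-%d.crt", dir, n); inside = 1 }
    inside { print > file }
    /-----END CERTIFICATE-----/ { inside = 0; close(file) }
    END { print n + 0 }
  ' "$1"
}

# Custom CA first, then the fetched chain (the Warning above: without the
# chain, Ops Manager can become inoperable after an AppDB restart).
build_ca_bundle() {         # $1 = custom CA file, $2 = chain dir, $3 = output
  cat "$1" "$2"/cert-*.crt > "$3"
}

# The key names mms-ca.crt and ca-pem are mandated by the operator.
create_ca_configmaps() {    # $1 = Ops Manager bundle, $2 = AppDB bundle
  kubectl create configmap om-ca    --from-file=mms-ca.crt="$1" -n "$NAMESPACE"
  kubectl create configmap appdb-ca --from-file=ca-pem="$2"     -n "$NAMESPACE"
}

# Full run against a cluster:
#   ./script.sh apply om-ca.crt appdb-ca.crt tls.crt tls.key
apply_all() {
  create_ca_secret "$3" "$4"
  workdir=$(mktemp -d)
  fetch_chain > "$workdir/chain.pem"
  n=$(split_pem_chain "$workdir/chain.pem" "$workdir/chain")
  echo "fetched $n certificates from $CHAIN_HOST"
  build_ca_bundle "$1" "$workdir/chain" "$workdir/om-bundle.crt"
  build_ca_bundle "$2" "$workdir/chain" "$workdir/appdb-bundle.crt"
  create_ca_configmaps "$workdir/om-bundle.crt" "$workdir/appdb-bundle.crt"
}

# Offline demo on a constructed bundle (placeholder bodies, not real certs).
demo() {
  workdir=$(mktemp -d)
  printf 'noise line\n-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\nmore noise\n-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n' > "$workdir/chain.pem"
  n=$(split_pem_chain "$workdir/chain.pem" "$workdir/chain")
  echo "split $n certificates into $workdir/chain"
}

if [ "${1:-}" = "apply" ]; then
  shift
  apply_all "$@"
else
  demo
fi
```

Run it with no arguments to see the splitter work on the constructed bundle; run it with `apply` and the four file arguments to create the secret and both ConfigMaps. Inspect the resulting bundles with `openssl x509 -in cert-1.crt -noout -subject -issuer` before applying if you want to confirm the chain ends at the expected root.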
### Configure a cert-manager CA issuer
Create a CA issuer that references your CA secret:
Verify that the issuer is ready:
The `READY` field in the output should have a value of `True`.
### Create a CA ConfigMap
Create a ConfigMap containing your CA. It must have two fields, `ca-pem` and `mms-ca.crt`, both pointing to your CA certificate. Replace `<CA-certificate>` with the path to your CA certificate.
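The CA issuer, its readiness check, and the CA ConfigMap from the two steps above, as an added shell example that is not from the MongoDB documentation or the operator project. The namespace `mongodb`, the secret `ca-key-pair` (holding the `tls.crt`/`tls.key` pair from the first step), the Issuer name `ca-issuer` and the ConfigMap name `ca-config` are assumptions; the keys `ca-pem` and `mms-ca.crt` are the ones the text requires. The manifest rendering and the readiness parsing are plain functions so they can be checked without a cluster.

```shell
#!/bin/sh
# Added example: create the cert-manager CA Issuer and the CA ConfigMap
# that the Kubernetes Operator reads for MongoDB resources.
# Assumed names: namespace "mongodb", CA secret "ca-key-pair",
# Issuer "ca-issuer", ConfigMap "ca-config".
set -eu

NAMESPACE=${NAMESPACE:-mongodb}

# Print the Issuer manifest. A CA issuer needs only the name of the
# kubernetes.io/tls secret that holds the CA key pair.
render_ca_issuer() {      # $1 = issuer name, $2 = CA secret name
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: $1
  namespace: $NAMESPACE
spec:
  ca:
    secretName: $2
EOF
}

# Refuse to publish a certificate that is not a CA: a leaf certificate
# lacks the basicConstraints CA:TRUE extension, and a ConfigMap built
# from one cannot validate anything the issuer signs.
assert_is_ca() {          # $1 = PEM file
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' ||
    { echo "$1 is not a CA certificate" >&2; return 1; }
}

# True only when the Ready condition's status is exactly "True".
# Pure function so the readiness check is testable without kubectl.
issuer_is_ready() {       # $1 = status value of the Ready condition
  [ "$1" = "True" ]
}

apply_issuer() {          # $1 = issuer name, $2 = CA secret name
  render_ca_issuer "$1" "$2" | kubectl apply -f -
  # kubectl wait works on any resource that exposes status.conditions.
  kubectl wait --for=condition=Ready "issuer/$1" -n "$NAMESPACE" --timeout=60s
  status=$(kubectl get issuer "$1" -n "$NAMESPACE" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
  issuer_is_ready "$status" ||
    { echo "issuer $1 is not ready: status=$status" >&2; return 1; }
}

# Both keys point at the same CA certificate file, as the text requires.
create_ca_configmap() {   # $1 = ConfigMap name, $2 = CA certificate file
  assert_is_ca "$2"
  kubectl create configmap "$1" \
    --from-file=ca-pem="$2" \
    --from-file=mms-ca.crt="$2" \
    -n "$NAMESPACE"
}

# Against a cluster:
#   apply_issuer ca-issuer ca-key-pair
#   create_ca_configmap ca-config path/to/ca.crt
# Stand-alone, print the manifest that would be applied:
render_ca_issuer ca-issuer ca-key-pair
```

`kubectl wait` returns non-zero if the Issuer does not become Ready within the timeout, which is the usual symptom of a secret that is missing, in the wrong namespace, or lacking the `tls.crt`/`tls.key` keys; `kubectl describe issuer ca-issuer` then shows the condition message.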
### Create certificates for your MongoDB resources
To secure a MongoDB resource with your generated certificate, you must create certificates for both the resource itself and the MongoDB agent.
Create the MongoDB resource certificate. The following example assumes a replica set named my-replica-set with three members:
Note
The `spec.issuerRef.name` parameter references the previously created CA ConfigMap.
For sharded clusters, you must create one certificate for each StatefulSet. To learn more about sharded cluster configuration, see Deploy a Sharded Cluster.
Create the MongoDB agent certificate:
Note
The `spec.issuerRef.name` parameter references the previously created CA ConfigMap.
Create the MongoDB resource:
Note
If you leave the `spec.security.tls.ca` parameter unspecified, it defaults to `{replica-set}-ca`.
### Create certificates for Ops Manager and AppDB with TLS
To secure an Ops Manager resource, you must first create certificates for Ops Manager and AppDB, then create the Ops Manager resource.
Create the Ops Manager certificate:
Note
The `spec.issuerRef.name` parameter references the previously created CA ConfigMap.
Create the AppDB certificate:
Note
The `spec.issuerRef.name` parameter references the previously created CA ConfigMap.
Create the Ops Manager resource:
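The certificate steps in this section and in the preceding MongoDB-resources section share one shape: a cert-manager `Certificate` whose `secretName` is the secret the operator expects, whose `issuerRef` names the CA Issuer from earlier, and whose `duration` and `renewBefore` drive the renewal described below. This added shell example (not code from the MongoDB documentation or the operator project) renders that shape for a three-member replica set named `my-replica-set` and its agent, then the `MongoDB` resource that consumes them; for Ops Manager and AppDB you would call the same render functions with their own secret names and DNS names, which this example does not assume. Assumptions: namespace `mongodb`, Issuer `ca-issuer`, `certsSecretPrefix` `mdb` (so the secrets are `mdb-my-replica-set-cert` and `mdb-my-replica-set-agent-certs`), a per-resource headless service named `<name>-svc`, the agent common name `mms-automation-agent`, and the placeholder project, credentials and version values in the manifest.

```shell
#!/bin/sh
# Added example: cert-manager Certificates for a replica set and its agent,
# then the MongoDB resource that consumes them. Not code from the MongoDB
# documentation. Assumed: namespace "mongodb", Issuer "ca-issuer",
# certsSecretPrefix "mdb" (operator looks for mdb-<name>-cert and
# mdb-<name>-agent-certs), a headless service named <name>-svc, and the
# placeholder project/credentials/version values below.
set -eu

NAMESPACE=${NAMESPACE:-mongodb}
ISSUER=${ISSUER:-ca-issuer}
PREFIX=${PREFIX:-mdb}

# One DNS name per member: <name>-<index>.<name>-svc.<ns>.svc.cluster.local
member_dns_names() {            # $1 = resource name, $2 = member count
  i=0
  while [ "$i" -lt "$2" ]; do
    echo "$1-$i.$1-svc.$NAMESPACE.svc.cluster.local"
    i=$((i + 1))
  done
}

# Server certificate: a SAN for every member, 90-day lifetime, renewed
# 30 days before expiry (cert-manager acts on duration/renewBefore as the
# Renewing Certificates section describes).
render_server_certificate() {   # $1 = resource name, $2 = member count
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $1-cert
  namespace: $NAMESPACE
spec:
  secretName: $PREFIX-$1-cert
  issuerRef:
    name: $ISSUER
    kind: Issuer
  duration: 2160h
  renewBefore: 720h
  usages:
    - server auth
    - client auth
  dnsNames:
EOF
  member_dns_names "$1" "$2" | sed 's/^/    - /'
}

# Agent certificate: a client certificate for the automation agent.
# The common name is an assumption taken from the agent's usual identity.
render_agent_certificate() {    # $1 = resource name
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $1-agent-certs
  namespace: $NAMESPACE
spec:
  secretName: $PREFIX-$1-agent-certs
  issuerRef:
    name: $ISSUER
    kind: Issuer
  commonName: mms-automation-agent
  duration: 2160h
  renewBefore: 720h
  usages:
    - digital signature
    - key encipherment
    - client auth
EOF
}

# MongoDB resource with TLS on. spec.security.tls.ca names the CA
# ConfigMap; omitted, it defaults to <name>-ca (see the Note above).
# "my-project", "my-credentials" and the version are placeholders.
render_replica_set() {          # $1 = name, $2 = member count, $3 = CA ConfigMap
  cat <<EOF
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: $1
  namespace: $NAMESPACE
spec:
  type: ReplicaSet
  members: $2
  version: "6.0.5"
  opsManager:
    configMapRef:
      name: my-project
  credentials: my-credentials
  security:
    certsSecretPrefix: $PREFIX
    tls:
      enabled: true
      ca: $3
EOF
}

apply_all() {                   # $1 = name, $2 = member count, $3 = CA ConfigMap
  render_server_certificate "$1" "$2" | kubectl apply -f -
  render_agent_certificate "$1"       | kubectl apply -f -
  # Do not create the MongoDB resource until both secrets exist.
  kubectl wait --for=condition=Ready \
    "certificate/$1-cert" "certificate/$1-agent-certs" \
    -n "$NAMESPACE" --timeout=120s
  render_replica_set "$1" "$2" "$3" | kubectl apply -f -
}

# Stand-alone: print the manifests for a three-member replica set.
render_server_certificate my-replica-set 3
echo ---
render_agent_certificate my-replica-set
echo ---
render_replica_set my-replica-set 3 ca-config
```

Scaling the replica set to more members means re-rendering the server certificate with the new count, because each member's hostname must appear in `dnsNames`; changing the `Certificate` spec triggers the re-issue described under Renewing Certificates.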
## Renewing Certificates
cert-manager will renew certificates under the following circumstances:
- The certificate expires according to its `spec.duration` and `spec.renewBefore` fields.
- You delete the secret holding a certificate. In this case, cert-manager recreates the secret according to the configuration in your certificate custom resource.
- You alter the configuration of the certificate custom resource. In this case, cert-manager recreates the secret that contains the certificate when it detects the changes to its configuration.