On this page
- Generate an X.509 client certificate.
- Set kubectl to default to your namespace.
- Copy and save the following example ConfigMap.
- Create the X.509 MongoDB user.
- Verify your newly created user.
- Find the mount location of the CA.
- Use your X.509 user to connect to the MongoDB deployment.
The MongoDB Enterprise Kubernetes Operator can deploy MongoDB instances with X.509 authentication enabled. If X.509 authentication has been enabled for the deployment, you must generate and use an X.509 certificate to connect to the deployment. This new client certificate must be signed by the same CA that signs the server certificates for the MongoDB deployment to accept it.
Use the procedure outlined in this document to use an X.509 certificate to connect to your X.509-enabled MongoDB deployment.
To automate certificate renewal for Ops Manager deployments, consider setting up the cert-manager integration.
A full description of Transport Layer Security (TLS), Public Key Infrastructure (PKI) certificates, and Certificate Authorities is beyond the scope of this document. This page assumes prior knowledge of TLS and X.509 authentication.
To complete this tutorial, you must have the MongoDB Enterprise Kubernetes Operator installed. For instructions on installing the Kubernetes Operator, see Install the MongoDB Enterprise Kubernetes Operator.
This tutorial assumes you have a MongoDB deployment which requires X.509 authentication. For instructions on deploying MongoDB resources, see Deploy a MongoDB Database Resource.
First create the client certificate. Then create a MongoDB user and connect to the X.509-enabled deployment.
For production use, your MongoDB deployment should use valid certificates generated and signed by a CA. You or your organization can generate and maintain an independent CA using Kubernetes-native tools such as cert-manager.
Obtaining and managing certificates is beyond the scope of this documentation.
You must concatenate your client's TLS certificate and the certificate's key in a .pem file. You must present this .pem file when you connect to your X.509-enabled MongoDB deployment.
To learn about the properties that your client certificates must have, see Client Certificate Requirements in the MongoDB Manual.
If you have not already, run the following command to execute all kubectl commands in the namespace you created.
If you are deploying an Ops Manager resource in a multi-Kubernetes-cluster deployment:
- Set the context to the name of the central cluster, such as:
    kubectl config use-context "$MDB_CENTRAL_CLUSTER_FULL_NAME"
- Set the --namespace to the same scope that you used for your multi-Kubernetes-cluster deployment, such as:
    kubectl config set-context --current --namespace "mongodb"

    kubectl config set-context $(kubectl config current-context) --namespace=<metadata.namespace>
Copy and save the following example ConfigMap.
Save the following ConfigMap as a .yaml file:

    ---
    apiVersion: mongodb.com/v1
    kind: MongoDBUser
    metadata:
      name: new-x509-user
    spec:
      username: "CN=my-x509-authenticated-user,OU=organizationalunit,O=organization"
      db: "$external"
      mongodbResourceRef:
        name: '<name of the MongoDB resource>'
      roles:
        - db: "admin"
          name: "readWriteAnyDatabase"

This .yaml file describes a MongoDBUser custom object. You can use these custom objects to create MongoDB users. To learn more, see MongoDB User Resource Specification.
In this example, the ConfigMap describes the user as an X.509 user that the client can use to connect to MongoDB with the corresponding X.509 certificate.
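The following shell example is added here and is not part of the Kubernetes Operator documentation: it issues a client certificate from a throwaway CA (a stand-in for the CA that signs your server certificates), concatenates certificate and key into the single .pem file described above, and prints the subject in RFC 2253 form, which is the string that must appear as spec.username in the MongoDBUser. It assumes the openssl command-line tool; the CA, subject and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Operator docs): issue a client certificate,
# bundle it as a cert+key .pem, and derive the X.509 username from its subject.
# Assumes the openssl CLI. The CA created here is a stand-in for the CA that
# signs the deployment's server certificates.
set -e
WORKDIR=$(mktemp -d)

# Throwaway CA, constructed for the demonstration only.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=organization/CN=demo-ca" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue a client certificate signed by the CA and concatenate the certificate
# and its private key into the single .pem file that the client presents.
#   $1 = subject in openssl slash form, $2 = output .pem path
make_client_pem() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$1" \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/client.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 1 \
    -out "$WORKDIR/client.crt" 2>/dev/null
  cat "$WORKDIR/client.crt" "$WORKDIR/client.key" > "$2"
}

# The subject in RFC 2253 form is the username MongoDB sees on $external,
# so it must equal spec.username in the MongoDBUser resource.
x509_username() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# The deployment rejects a client certificate that does not chain to its CA.
signed_by_ca() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}

make_demo_ca
make_client_pem "/O=organization/OU=organizationalunit/CN=my-x509-authenticated-user" \
  "$WORKDIR/client.pem"
echo "spec.username should be: $(x509_username "$WORKDIR/client.pem")"
```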
Run the following command to find where in each pod the Kubernetes Operator mounted the CA secret:
    kubectl get statefulset <metadata.name> -o yaml
In the output, find the volumeMounts section:

    volumeMounts:
      - mountPath: /opt/scripts
        name: database-scripts
        readOnly: true
      - mountPath: /var/lib/mongodb-automation/secrets/ca
        name: secret-ca
        readOnly: true
      - mountPath: /var/lib/mongodb-automation/secrets/certs
        name: secret-certs
        readOnly: true
In the following step, when you connect to your database deployment, append secret-ca to the mountPath, which forms the full path: