Secure Internal Authentication with X.509
This guide instructs you on how to configure:
- X.509 internal authentication between MongoDB nodes in each cluster in your multi-Kubernetes-cluster deployments.
- X.509 authentication from clients to your MongoDB instances.
Prerequisites
Before you secure your multi-Kubernetes-cluster deployment with X.509 authentication, complete the following tasks:
- Follow the steps in the Multi-Cluster Quick Start Prerequisites.
- Deploy a TLS-encrypted multi-Kubernetes-cluster deployment. X.509 authentication runs on top of TLS, so the TLS setup must already be working.
- Create credentials for the Kubernetes Operator.
Enabling X.509 authentication at the project level configures all agents to use X.509 client authentication when communicating with MongoDB deployments.
X.509 client authentication requires one of the following:
- Cloud Manager
- Ops Manager 5.0.7 or later
Configure X.509 Internal Authentication for a MongoDBMulti Resource
Create the secret for the agent's X.509 certificate of your MongoDBMulti custom resource.
Run the kubectl command to create a new secret that stores the agent's X.509 certificate:
Create the secret for the member clusters' internal X.509 certificate.
Run the kubectl command to create a new secret that stores the X.509 certificate used between cluster members. The member clusters are the ones defined in your MongoDBMulti custom resource.
Update your MongoDBMulti custom resource to enable X.509 authentication.
Update your MongoDB multi-cluster resource with the security settings from the Kubernetes Operator MongoDB resource specification. Add the spec.security.authentication.internalCluster setting and set it to "X509". The resulting configuration should look as follows:
The Kubernetes Operator copies the ConfigMap with the CA created in the central cluster to each member cluster, generates a concatenated PEM secret, and distributes it to the member clusters.
Verify that the MongoDB resources are running.
For each member cluster, run the following commands to verify that the MongoDB Pods are in the Running state:
In the central cluster, run the following commands to verify that the MongoDBMulti custom resource is in the Running state:
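The four steps above, scripted end to end from the central cluster. This is an added example written for this page, not the Operator's own tooling or a snippet from the MongoDB documentation. It assumes the MDB_CENTRAL_CLUSTER_FULL_NAME and MDB_NAMESPACE variables from the multi-cluster quick start, the Operator's <prefix>-<metadata.name>-<suffix> naming for the two secrets (suffixes agent-certs and clusterfile), the mdbm short name for MongoDBMulti, and placeholder values for the prefix, the resource name, the CA ConfigMap and the PEM file paths. The security block is applied as a merge patch so the rest of the resource spec is left untouched.

```shell
#!/usr/bin/env bash
# Added example, not taken from the MongoDB documentation or the Operator.
# Assumptions: MDB_CENTRAL_CLUSTER_FULL_NAME, MDB_CLUSTER_*_FULL_NAME and
# MDB_NAMESPACE come from the multi-cluster quick start; Secret names follow
# the Operator's <prefix>-<metadata.name>-<suffix> rule with the suffixes
# agent-certs and clusterfile; the prefix "mdb", the resource name, the CA
# ConfigMap name and the PEM paths are placeholders.
set -eu

CENTRAL_CTX="${MDB_CENTRAL_CLUSTER_FULL_NAME:-central-cluster}"
NAMESPACE="${MDB_NAMESPACE:-mongodb}"
PREFIX="mdb"                  # spec.security.certsSecretPrefix (placeholder)
RESOURCE="multi-replica-set"  # metadata.name of the MongoDBMulti (placeholder)
CA_CONFIGMAP="custom-ca"      # ConfigMap holding ca-pem (placeholder)

# <prefix>-<metadata.name>-<suffix>: the Secret name the Operator looks for.
secret_name() {  # $1 = suffix (agent-certs | clusterfile)
  printf '%s-%s-%s\n' "$PREFIX" "$RESOURCE" "$1"
}

# Steps 1 and 2: store a certificate/key pair as a kubernetes.io/tls Secret
# in the central cluster, where the Operator reads it.
create_tls_secret() {  # $1 = suffix, $2 = cert PEM path, $3 = key PEM path
  kubectl --context "$CENTRAL_CTX" --namespace "$NAMESPACE" \
    create secret tls "$(secret_name "$1")" --cert="$2" --key="$3"
}

# Step 3: the security block to merge into the resource. Agents (clients)
# and replica-set members both authenticate with X.509; internalCluster
# sits under spec.security.authentication, not directly under spec.
render_security_patch() {
  cat <<EOF
spec:
  security:
    certsSecretPrefix: ${PREFIX}
    tls:
      ca: ${CA_CONFIGMAP}
    authentication:
      enabled: true
      modes: ["X509"]
      internalCluster: "X509"
EOF
}

# A merge patch adds the fields above and leaves the rest of the spec alone.
enable_x509() {
  kubectl --context "$CENTRAL_CTX" --namespace "$NAMESPACE" \
    patch mdbm "$RESOURCE" --type merge -p "$(render_security_patch)"
}

# Step 4: poll the central cluster until status.phase reports Running, then
# list the Pods in every member cluster context given on the command line.
wait_until_running() {  # $@ = member cluster contexts
  local phase=""
  until [ "$phase" = "Running" ]; do
    phase=$(kubectl --context "$CENTRAL_CTX" --namespace "$NAMESPACE" \
      get mdbm "$RESOURCE" -o jsonpath='{.status.phase}')
    echo "MongoDBMulti ${RESOURCE}: ${phase:-<no status yet>}"
    [ "$phase" = "Running" ] || sleep 10
  done
  for ctx in "$@"; do
    kubectl --context "$ctx" --namespace "$NAMESPACE" get pods
  done
}

# The procedure only runs when asked, so sourcing the file is harmless:
#   ./x509-internal-auth.sh --apply agent.crt agent.key member.crt member.key ctx1 ctx2
if [ "${1:-}" = "--apply" ]; then
  create_tls_secret agent-certs "$2" "$3"
  create_tls_secret clusterfile "$4" "$5"
  enable_x509
  shift 5
  wait_until_running "$@"
fi
```

The agent certificate must be issued by the same CA that is referenced in spec.security.tls.ca, otherwise the agents fail the X.509 handshake as soon as the patch is reconciled; the member-cluster certificate additionally needs the Organization/OU fields that MongoDB requires for cluster membership to match across members.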
Renew Internal Authentication X.509 Certificates for a MongoDBMulti Resource
If you have already created certificates, we recommend that you renew them periodically, before they expire, using the following procedure.
Renew the secret for your agent's X.509 certificates.
Run the kubectl command to renew an existing secret that stores the MongoDBMulti resource's agent certificates:
Renew the secret for the internal members' X.509 certificates of the MongoDBMulti resource.
Run the kubectl command to renew an existing secret that stores the X.509 certificates for internal members of the MongoDBMulti resource:
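A renewal script for the two steps above, added as an example for this page rather than taken from the Operator or the MongoDB documentation. It checks the certificate that is actually stored in each secret, renews only when expiry is within a configurable window, and updates the secret in place with the dry-run-then-apply pattern so the secret never disappears between delete and create. It assumes the same MDB_* variables and secret naming as the quick start, the suffixes agent-certs and clusterfile, and placeholder PEM paths; the 30-day window is an arbitrary choice.

```shell
#!/usr/bin/env bash
# Added example, not taken from the MongoDB documentation or the Operator.
# Assumptions: MDB_CENTRAL_CLUSTER_FULL_NAME and MDB_NAMESPACE select the
# central cluster; Secrets are named <prefix>-<metadata.name>-agent-certs and
# -clusterfile; PEM paths and the 30-day renewal window are placeholders.
set -eu

CENTRAL_CTX="${MDB_CENTRAL_CLUSTER_FULL_NAME:-central-cluster}"
NAMESPACE="${MDB_NAMESPACE:-mongodb}"
PREFIX="mdb"                  # placeholder
RESOURCE="multi-replica-set"  # placeholder
RENEW_WITHIN_DAYS=30          # placeholder policy

# Exit 0 when the certificate in $1 expires within $2 days.
# openssl -checkend exits non-zero exactly when the cert expires in the window.
needs_renewal() {  # $1 = cert PEM path, $2 = days
  if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; then
    return 1
  fi
  return 0
}

# Renew in place: render the Secret client-side and apply it over the existing
# one. Unlike delete + create, the Secret is never absent, and the command is
# idempotent, so it is safe to run from a cron job or a CI pipeline.
renew_tls_secret() {  # $1 = suffix, $2 = cert PEM path, $3 = key PEM path
  local name="${PREFIX}-${RESOURCE}-$1"
  kubectl --context "$CENTRAL_CTX" --namespace "$NAMESPACE" \
    create secret tls "$name" --cert="$2" --key="$3" \
    --dry-run=client -o yaml \
  | kubectl --context "$CENTRAL_CTX" --namespace "$NAMESPACE" apply -f -
}

# Inspect the certificate currently stored in the cluster, not a file on disk:
# the Secret is what the agents and members actually present.
stored_cert_needs_renewal() {  # $1 = suffix, $2 = days
  local tmp rc=0
  tmp=$(mktemp)
  kubectl --context "$CENTRAL_CTX" --namespace "$NAMESPACE" \
    get secret "${PREFIX}-${RESOURCE}-$1" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d > "$tmp"
  needs_renewal "$tmp" "$2" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage: ./renew-x509.sh --renew agent.crt agent.key member.crt member.key
# The new PEM files must come from the same CA as spec.security.tls.ca.
if [ "${1:-}" = "--renew" ]; then
  if stored_cert_needs_renewal agent-certs "$RENEW_WITHIN_DAYS"; then
    renew_tls_secret agent-certs "$2" "$3"
  fi
  if stored_cert_needs_renewal clusterfile "$RENEW_WITHIN_DAYS"; then
    renew_tls_secret clusterfile "$4" "$5"
  fi
fi
```

Renew the agent certificate and the cluster-member certificate as separate operations, as the page's two steps do: each secret change is picked up independently, and rotating one at a time makes it obvious which certificate is at fault if a member stops authenticating.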