Deploy MongoDB Resources on Multiple Kubernetes Clusters (Beta) >
Secure Client Connections >
Secure Deployments with X.509

Secure Deployments with X.509¶

On this page

Prerequisites
Enable X.509 Authentication for a MongoDBMulti Resource
Renew X.509 Certificates for a MongoDBMulti Resource

You can configure the Kubernetes Operator to use X.509 certificates to authenticate your client applications in a multi-cluster deployment.

To secure your multi-cluster deployment with X.509 certificates, you run all actions on the central cluster. The Kubernetes Operator propagates the X.509 configuration to each member cluster and updates the Kubernetes Operator configuration on each member cluster.

Prerequisites¶

Before you secure your multi-Kubernetes-cluster deployment using TLS encryption, complete the following tasks:

Follow the steps in the Multi-Cluster Quick Start Prerequisites.
Deploy a TLS-encrypted multi-cluster.
Create credentials for the Kubernetes Operator for the Kubernetes Operator.

Enabling X.509 authentication at the project level configures all agents to use X.509 client authentication when communicating with MongoDB deployments.

X.509 client authentication requires one of the following:

Cloud Manager
Ops Manager 5.0.7 or later

Enable X.509 Authentication for a MongoDBMulti Resource¶

1

Create the secret for your agent’s X.509 certificate of your `MongoDBMulti` custom resource.¶

Run the kubectl command to create a new secret that stores the agent’s X.509 certificate:

copy

kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
  --namespace=<metadata.namespace> \
create secret tls <prefix>-<metadata.name>-agent-certs \
  --cert=<agent-tls-cert> \
  --key=<agent-tls-key>

2

Update your `MongoDBMulti` custom resource to enable X509 authentication.¶

Update your MongoDB multi-cluster resource with security settings from the Kubernetes Operator MongoDB resource specification. The resulting configuration should look as follows:

copy

apiVersion: mongodb.com/v1
kind: MongoDBMulti
metadata:
 name: multi-replica-set
spec:
 version: 5.0.0-ent
 type: ReplicaSet
 persistent: false
 duplicateServiceObjects: true
 credentials: my-credentials
 opsManager:
   configMapRef:
     name: my-project
 security:
   tls:
     ca: custom-ca
   certsSecretPrefix: <prefix>
 authentication:
   enabled: true
   modes: ["X509"]
   agents:
     mode: "X509"
 clusterSpecList:
   clusterSpecs:
   - clusterName: ${MDB_CLUSTER_1_FULL_NAME}
     members: 3
   - clusterName: ${MDB_CLUSTER_2_FULL_NAME}
     members: 2
   - clusterName: ${MDB_CLUSTER_3_FULL_NAME}
     members: 3

The Kubernetes Operator copies the ConfigMap with the CA created in the central cluster to each member cluster, generates a concatenated PEM secret, and distributes it to the member clusters.

3

Verify that the MDB resources are running.¶

For member clusters, run the following commands to verify that the MongoDB Pods are in the running state:

copy

kubectl get pods \
 --context=$MDB_CLUSTER_1_FULL_NAME \
 --namespace mongodb

copy

kubectl get pods \
 --context=$MDB_CLUSTER_2_FULL_NAME \
 --namespace mongodb

copy

kubectl get pods \
 --context=$MDB_CLUSTER_3_FULL_NAME \
 --namespace mongodb

In the central cluster, run the following commands to verify that the MongoDBMulti custom resource is in the running state:
copy
```
kubectl --context=$MDB_CENTRAL_CLUSTER_FULL_NAME \
  --namespace mongodb \
  get mdbm multi-replica-set -o yaml -w
```

Renew X.509 Certificates for a MongoDBMulti Resource¶

If you have already created X.509 certificates, renew them periodically using the following procedure.

1

Renew the secret for a `MongoDBMulti` resource.¶

Run this kubectl command to renew an existing secret that stores the MongoDBMulti resource’s certificates:

copy

kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
--namespace=<metadata.namespace> \
create secret tls <prefix>-<metadata.name>-cert \
--cert=<resource-tls-cert> \
--key=<resource-tls-key> \
--dry-run=client \
-o yaml |
kubectl apply -f -

2

Renew the secret for your agent’s X.509 certificates.¶

Run the kubectl command to renew an existing secret that stores the MongoDBMulti resource’s agent certificates:

copy

kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
  --namespace=<metadata.namespace> \
create secret tls <prefix>-<metadata.name>-agent-certs \
  --cert=<agent-tls-cert> \
  --key=<agent-tls-key> \
  --dry-run=client \
  -o yaml | kubectl apply -f -

← Secure Client Authentication with LDAP Secure Internal Authentication with X.509 →

Secure Deployments with X.509¶

Prerequisites¶

Enable X.509 Authentication for a MongoDBMulti Resource¶

Create the secret for your agent’s X.509 certificate of your MongoDBMulti custom resource.¶

Update your MongoDBMulti custom resource to enable X509 authentication.¶

Verify that the MDB resources are running.¶

Renew X.509 Certificates for a MongoDBMulti Resource¶

Renew the secret for a MongoDBMulti resource.¶

Renew the secret for your agent’s X.509 certificates.¶

Create the secret for your agent’s X.509 certificate of your `MongoDBMulti` custom resource.¶

Update your `MongoDBMulti` custom resource to enable X509 authentication.¶

Renew the secret for a `MongoDBMulti` resource.¶