cert-manager simplifies and automates
the management of security certificates for Kubernetes. The following
procedure describes how to configure cert-manager to generate
certificates for MongoDB Kubernetes Operator resources.
Procedure
Create a CA secret.
Note
The following steps assume that you have already created a custom
CA along with the corresponding tls.key private key
and tls.crt signed certificate.
Create a secret to store your CA data. Because the values live under data rather than stringData, both tls.crt and tls.key must be base64-encoded:

    apiVersion: v1
    kind: Secret
    metadata:
      name: ca-key-pair
      namespace: <namespace>
    data:
      tls.crt: <your-CA-certificate>
      tls.key: <your-CA-private-key>
Add additional certificates to custom CA certificates.
If your Ops Manager TLS certificate is signed by a custom CA, the CA certificate must also contain additional certificates that allow Ops Manager Backup Daemon to download MongoDB binaries from the internet. To create the TLS certificate(s), create a ConfigMap to hold the CA certificate:
Important
The Kubernetes Operator requires that your Ops Manager certificate is named
mms-ca.crt in the ConfigMap.
- Obtain the entire TLS certificate chain for Ops Manager from downloads.mongodb.com. The following openssl command writes each certificate in the chain to a separate .crt file in your current working directory (cert1.crt is the server's own leaf certificate; cert2.crt onward are the issuing CA certificates):

      openssl s_client -showcerts -verify 2 \
        -connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \
        | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}'

- Concatenate your CA's certificate file for Ops Manager with the entire TLS certificate chain from downloads.mongodb.com that you obtained in the previous step. The command below appends the chain to mms-ca.crt, which already holds your CA's certificate; adjust the file names if your chain contains a different number of certificates:

      cat cert2.crt cert3.crt cert4.crt >> mms-ca.crt

- Create the ConfigMap for Ops Manager:

      kubectl create configmap om-http-cert-ca --from-file="mms-ca.crt"
Configure a cert-manager CA issuer
- Create a CA issuer that references your CA secret:

      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: ca-issuer
        namespace: <namespace>
      spec:
        ca:
          secretName: ca-key-pair

- Verify that the issuer is ready:

      kubectl get issuer ca-issuer

  The READY field in the output should have a value of True.
Create a CA ConfigMap
Create a ConfigMap containing your CA. It must have two
fields, ca-pem and mms-ca.crt, both pointing to your
CA certificate. Replace <CA-certificate> with the path to your
CA certificate.
    kubectl create cm ca-issuer --from-file=ca-pem=<CA-certificate> \
      --from-file=mms-ca.crt=<CA-certificate>
Create certificates for your MongoDB resources
To secure a MongoDB resource with your generated certificates, you must create certificates for both the resource itself and the MongoDB Agent.

- Create the MongoDB resource certificate. The following example assumes a replica set named my-replica-set with three members:

  Note
  The spec.issuerRef.name parameter references the previously created CA ConfigMap.

      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: my-replica-set-certificate
        namespace: mongodb
      spec:
        dnsNames:
          - my-replica-set-0
          - my-replica-set-0.my-replica-set-svc.mongodb.svc.cluster.local
          - my-replica-set-1
          - my-replica-set-1.my-replica-set-svc.mongodb.svc.cluster.local
          - my-replica-set-2
          - my-replica-set-2.my-replica-set-svc.mongodb.svc.cluster.local
        duration: 240h0m0s
        issuerRef:
          name: ca-issuer
        renewBefore: 120h0m0s
        secretName: mdb-my-replica-set-cert
        usages:
          - server auth
          - client auth

  For sharded clusters, you must create one certificate for each StatefulSet. To learn more about sharded cluster configuration, see Deploy a Sharded Cluster.

- Create the MongoDB Agent certificate:

  Note
  The spec.issuerRef.name parameter references the previously created CA ConfigMap.

      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: agent-certs
        namespace: mongodb
      spec:
        commonName: automation
        dnsNames:
          - automation
        duration: 240h0m0s
        issuerRef:
          name: ca-issuer
        renewBefore: 120h0m0s
        secretName: mdb-my-replica-set-agent-certs
        usages:
          - digital signature
          - key encipherment
          - client auth
        subject:
          countries:
            - US
          localities:
            - NY
          organizationalUnits:
            - a-1635241837-m5yb81lfnrz
          organizations:
            - cluster.local-agent
          provinces:
            - NY

- Create the MongoDB resource:

  Note
  If you leave the spec.security.tls.ca parameter unspecified, it defaults to {replica-set}-ca.

      apiVersion: mongodb.com/v1
      kind: MongoDB
      metadata:
        name: my-replica-set
        namespace: mongodb
      spec:
        type: ReplicaSet
        members: 3
        version: 4.0.4-ent
        opsManager:
          configMapRef:
            name: my-project
        credentials: my-credentials
        security:
          certsSecretPrefix: mdb
          authentication:
            enabled: true
            modes:
              - X509
          tls:
            ca: ca-issuer
            enabled: true
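The dnsNames and secretName conventions used in the steps above, as an added Python example that is not part of this page or of the Kubernetes Operator's own code: it builds the replica set Certificate for any member count and checks the fields a reviewer would look at before applying the manifest. The cluster domain cluster.local, the <certsSecretPrefix>-<name>-cert secret name, and the check_certificate rules are assumptions drawn from the manifests above.

```python
import re

CLUSTER_DOMAIN = "cluster.local"  # assumed default cluster DNS domain

def member_dns_names(name, namespace, members):
    """Short and FQDN pod names, following <name>-<i>.<name>-svc.<ns>.svc.cluster.local."""
    names = []
    for i in range(members):
        pod = f"{name}-{i}"
        names += [pod, f"{pod}.{name}-svc.{namespace}.svc.{CLUSTER_DOMAIN}"]
    return names

def replica_set_certificate(name, namespace, members, prefix="mdb", issuer="ca-issuer",
                            duration="240h0m0s", renew_before="120h0m0s"):
    """Certificate resource for a replica set; secretName is <certsSecretPrefix>-<name>-cert."""
    return {
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {"name": f"{name}-certificate", "namespace": namespace},
        "spec": {
            "dnsNames": member_dns_names(name, namespace, members),
            "duration": duration,
            "issuerRef": {"name": issuer},
            "renewBefore": renew_before,
            "secretName": f"{prefix}-{name}-cert",
            "usages": ["server auth", "client auth"],
        },
    }

def parse_hours(value):
    """Convert a Go-style duration such as 240h0m0s into hours."""
    m = re.fullmatch(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", value)
    h, mi, s = (int(x or 0) for x in m.groups())
    return h + mi / 60 + s / 3600

def check_certificate(cert, prefix="mdb"):
    """Problems a reviewer would catch before kubectl apply (empty list means OK)."""
    spec, problems = cert["spec"], []
    if parse_hours(spec["renewBefore"]) >= parse_hours(spec["duration"]):
        problems.append("renewBefore must be shorter than duration")
    if not spec["dnsNames"] or len(set(spec["dnsNames"])) != len(spec["dnsNames"]):
        problems.append("dnsNames must be non-empty and unique")
    if not {"server auth", "client auth"} <= set(spec["usages"]):
        problems.append("server certificate needs server auth and client auth usages")
    if not spec["secretName"].startswith(prefix + "-"):
        problems.append("secretName must begin with the certsSecretPrefix")
    return problems
```

Serialising the returned dict with json.dumps gives a manifest that kubectl apply -f accepts directly, since JSON is valid YAML.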
Create certificates for Ops Manager and AppDB with TLS
To secure an Ops Manager resource, you must first create certificates for Ops Manager and AppDB, then create the Ops Manager resource.
- Create the Ops Manager certificate:

  Note
  The spec.issuerRef.name parameter references the previously created CA ConfigMap.

      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: cert-for-ops-manager
        namespace: mongodb
      spec:
        dnsNames:
          - om-with-https-svc.mongodb.svc.cluster.local
        duration: 240h0m0s
        issuerRef:
          name: ca-issuer
        renewBefore: 120h0m0s
        secretName: mdb-om-with-https-cert
        usages:
          - server auth
          - client auth

- Create the AppDB certificate:

  Note
  The spec.issuerRef.name parameter references the previously created CA ConfigMap.

      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: appdb-om-with-https-db-cert
        namespace: mongodb
      spec:
        dnsNames:
          - om-with-https-db-0
          - om-with-https-db-0.om-with-https-db-svc.mongodb.svc.cluster.local
          - om-with-https-db-1
          - om-with-https-db-1.om-with-https-db-svc.mongodb.svc.cluster.local
          - om-with-https-db-2
          - om-with-https-db-2.om-with-https-db-svc.mongodb.svc.cluster.local
        duration: 240h0m0s
        issuerRef:
          name: ca-issuer
        renewBefore: 120h0m0s
        secretName: appdb-om-with-https-db-cert
        usages:
          - server auth
          - client auth

- Create the Ops Manager resource:

      apiVersion: mongodb.com/v1
      kind: MongoDBOpsManager
      metadata:
        name: om-with-https
        namespace: mongodb
      spec:
        adminCredentials: ops-manager-admin-secret
        applicationDatabase:
          members: 3
          security:
            certsSecretPrefix: appdb
            tls:
              ca: ca-issuer
          version: 6.0.0-ubi8
        replicas: 1
        security:
          certsSecretPrefix: mdb
          tls:
            ca: ca-issuer
Renewing Certificates
cert-manager renews certificates under the following circumstances:

- The certificate approaches expiry, as determined by its spec.duration and spec.renewBefore fields.
- You delete the secret holding a certificate. In this case, cert-manager recreates the secret according to the configuration in your Certificate custom resource.
- You alter the configuration of the Certificate custom resource. In this case, cert-manager recreates the secret that contains the certificate when it detects the changes to its configuration.