Secure Client Authentication with X.509¶
The MongoDB Enterprise Kubernetes Operator can use X.509 certificates to authenticate your client applications to your MongoDB deployments.
This guide instructs you on how to configure:
- X.509 authentication from clients to your MongoDB instances.
- TLS to encrypt connections between MongoDB hosts in a replica set or sharded cluster.
- TLS to encrypt connections between client applications and MongoDB deployments.
Prerequisites¶
Before you secure your MongoDB deployment using X.509 client authentication, complete the following:
- Install the Kubernetes Operator
- Create Credentials for the Kubernetes Operator
- Deploy the Database Resource that you want to secure:
Note
You can’t secure a Standalone Instance.
Configure X.509 Client Authentication for a Replica Set¶
Copy the highlighted section of this replica set resource.¶
Change the highlighted settings of this YAML file to match your desired replica set configuration.
Paste the copied example section into your existing replica set resource.¶
Open your preferred text editor and paste the object specification at the end of your resource file, in the spec section.
Configure the TLS settings for your replica set resource.¶
To enable TLS in your deployment, configure the following settings in your Kubernetes object:
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
spec.security.tls.enabled | boolean | Optional | If this value is true, the Kubernetes Operator requires hosts to use and accept TLS-encrypted connections. | true |
Configure the general X.509 settings for your replica set resource.¶
To enable TLS and X.509 in your deployment, configure the following settings in your Kubernetes object:
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
spec.security.authentication.enabled | boolean | Optional | If this value is true, authentication is enabled on the MongoDB deployment. | true |
spec.security.authentication.modes | array | Conditional | If you enabled authentication, you must set an authentication mechanism. The only accepted value is X509. | X509 |
Save your replica set config file.¶
Update and restart your replica set deployment.¶
Invoke the following Kubernetes command to update and restart your replica set:
Check the status of your deployment.¶
The Kubernetes Operator creates the MongoDB resources and submits certificate signing requests (CSRs) for the database hosts' certificates to the Kubernetes Certificate Authority. Run the following command to verify that the certificates are pending approval:
The status field of the output should resemble the following:
If you do not see the status.message above, see Troubleshooting the Kubernetes Operator to help diagnose the issue.
Retrieve the CSRs for each host and agent in your deployment.¶
Invoke the following command to retrieve the CSRs for each host and agent:
The command’s output resembles the following:
Approve the CSR for each host in your deployment.¶
Using the values returned in the NAME column, approve each certificate from the previous command's output using the following command. Approval has the Kubernetes Certificate Authority sign the request, so confirm that each NAME belongs to a host of this deployment before approving it:
Example
The following commands approve the CSRs for the replica set example:
kubectl prints a message to the console when a certificate is approved.
Approve the CSR for each agent in your deployment.¶
Using the values returned in the NAME column, approve each certificate from the previous command's output using the following command:
Example
The following commands approve the CSRs for the replica set example:
kubectl prints a message to the console when a certificate is approved.
Track the status of your deployment.¶
To check the status of your MongoDB Kubernetes resource, invoke the following command:
The -w flag means “watch”. With the watch flag set, the output refreshes immediately when something changes, until the status phase reaches the Running state.
See Troubleshooting the Kubernetes Operator for information about the resource deployment statuses.
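The following script is an added example, not YAML from this page and not operator code. It writes out a complete replica set resource with the settings from the two tables above, refuses to apply a manifest that lists the X509 mode while TLS is disabled (the client certificate is presented inside the TLS handshake, so X.509 authentication over plaintext cannot work), and then runs the apply, CSR listing and watch steps of the procedure. The resource name, namespace, project ConfigMap name, credentials Secret name and MongoDB version are placeholders to replace with your own; the spec.security field names are the operator's MongoDB CRD fields, and `mdb` is the CRD's short name, which you should confirm against your operator version. The kubectl commands run only when the script is invoked with `apply`, so the manifest generator and the check can be exercised offline.

```shell
#!/bin/sh
# Emit, check and apply a replica set resource with TLS and X.509 client
# authentication enabled. The kubectl steps run only in this form:
#   sh enable-x509.sh apply <name> <namespace> <project-configmap> <credentials-secret> [version] [tls]
# All names and the version are assumed placeholders.

# replica_set_manifest NAME NAMESPACE PROJECT CREDENTIALS [VERSION] [TLS]
# Prints the resource. TLS defaults to true; passing false produces the
# misconfiguration that check_x509_manifest rejects.
replica_set_manifest() {
  name=$1; ns=$2; project=$3; creds=$4
  version=${5:-4.2.2-ent}
  tls=${6:-true}
  cat <<EOF
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: $name
  namespace: $ns
spec:
  type: ReplicaSet
  members: 3
  version: $version
  opsManager:
    configMapRef:
      name: $project
  credentials: $creds
  security:
    tls:
      enabled: $tls
    authentication:
      enabled: true
      modes: ["X509"]
EOF
}

# check_x509_manifest: read a manifest on stdin; succeed only when TLS is
# enabled, authentication is enabled and X509 is listed as a mode. Tracks the
# YAML section by indentation-free key lines so "enabled:" under tls and
# under authentication are told apart.
check_x509_manifest() {
  awk '
    /^ *tls:$/            { sect = "tls";  next }
    /^ *authentication:$/ { sect = "auth"; next }
    /^ *[A-Za-z]+:$/      { sect = "" }
    sect == "tls"  && $1 == "enabled:" && $2 == "true" { tls = 1 }
    sect == "auth" && $1 == "enabled:" && $2 == "true" { auth = 1 }
    sect == "auth" && $1 == "modes:"   && /X509/       { x509 = 1 }
    END { exit !(tls && auth && x509) }'
}

# apply_and_watch: the procedure above, with the check in front of apply.
apply_and_watch() {
  replica_set_manifest "$@" | check_x509_manifest || {
    echo "refusing to apply: TLS and X509 authentication must both be enabled" >&2
    return 1
  }
  replica_set_manifest "$@" | kubectl apply -f -
  kubectl get csr                            # host and agent requests appear as Pending
  kubectl get mdb "$1" -n "$2" -o yaml -w    # watch until status.phase is Running
}

if [ "${1:-}" = apply ]; then
  shift
  apply_and_watch "$@"
fi
```

Run `sh enable-x509.sh apply my-replica-set mongodb my-project my-credentials` to apply; the manifest check is deliberately in front of `kubectl apply`, because a resource that reaches the operator with the mode set and TLS off is only diagnosed after the rollout has started.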
Configure X.509 Client Authentication for a Sharded Cluster¶
Copy the highlighted section of this sharded cluster resource.¶
Change the highlighted settings of this YAML file to match your desired sharded cluster configuration.
Paste the copied example section into your existing sharded cluster resource.¶
Open your preferred text editor and paste the object specification at the end of your resource file, in the spec section.
Configure the TLS settings for your sharded cluster resource.¶
To enable TLS in your deployment, configure the following settings in your Kubernetes object:
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
spec.security.tls.enabled | boolean | Optional | If this value is true, the Kubernetes Operator requires hosts to use and accept TLS-encrypted connections. | true |
Configure the general X.509 settings for your sharded cluster resource.¶
To enable TLS and X.509 in your deployment, configure the following settings in your Kubernetes object:
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
spec.security.authentication.enabled | boolean | Optional | If this value is true, authentication is enabled on the MongoDB deployment. | true |
spec.security.authentication.modes | array | Conditional | If you enabled authentication, you must set an authentication mechanism. The only accepted value is X509. | X509 |
Save your sharded cluster config file.¶
Update and restart your sharded cluster deployment.¶
Invoke the following Kubernetes command to update and restart your sharded cluster:
Check the status of your deployment.¶
The Kubernetes Operator creates the MongoDB resources and submits certificate signing requests (CSRs) for the database hosts' certificates to the Kubernetes Certificate Authority. Run the following command to verify that the certificates are pending approval:
The status field of the output should resemble the following:
If you do not see the status.message above, see Troubleshooting the Kubernetes Operator to help diagnose the issue.
Retrieve the CSRs for each host and agent in your deployment.¶
Invoke the following command to retrieve the CSRs for each host and agent:
The command’s output resembles the following:
Approve the CSR for each host in your deployment.¶
Using the values returned in the NAME column, approve each certificate from the previous command's output using the following command. Approval has the Kubernetes Certificate Authority sign the request, so confirm that each NAME belongs to a host of this deployment before approving it:
Example
The following commands approve the CSRs for the sharded cluster example:
kubectl prints a message to the console when a certificate is approved.
Approve the CSR for each agent in your deployment.¶
Using the values returned in the NAME column, approve each certificate from the previous command's output using the following command:
Example
The following commands approve the CSRs for the sharded cluster example:
kubectl prints a message to the console when a certificate is approved.
Track the status of your deployment.¶
To check the status of your MongoDB Kubernetes resource, invoke the following command:
The -w flag means “watch”. With the watch flag set, the output refreshes immediately when something changes, until the status phase reaches the Running state.
See Troubleshooting the Kubernetes Operator for information about the resource deployment statuses.
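The CSR approval steps in both the replica set and the sharded cluster procedures tell you to approve every NAME the listing returns. Approving a request has the Kubernetes Certificate Authority sign it, and that is the same CA that issues this deployment's host and agent certificates, so a request that the operator did not create should never be approved just because it is Pending. The script below is an added example, not part of this page or of the operator: it filters the pending requests by a name prefix, decodes each request and checks its subject against an expected organisation and CN prefix before calling `kubectl certificate approve`. The CSR names, the subject attributes and the sample listing are constructed illustrations rather than the operator's real naming scheme; take the expected O and CN prefix from a request you have decoded yourself. The kubectl and openssl calls run only when the script is invoked with `approve`.

```shell
#!/bin/sh
# Gate CSR approval on what each request actually asks for. Live usage:
#   sh approve-csrs.sh approve <csr-name-prefix> <expected-O> <expected-CN-prefix>
# CSR names, subjects and the listing below are constructed illustrations.

# sample_csr_list: constructed `kubectl get csr` output (older four-column
# layout) for a replica set named my-replica-set: two pending host requests,
# one already approved, and one unrelated pending request.
sample_csr_list() {
  cat <<'EOF'
NAME                       AGE   REQUESTOR                                  CONDITION
my-replica-set-0.mongodb   2m    system:serviceaccount:mongodb:operator     Pending
my-replica-set-1.mongodb   2m    system:serviceaccount:mongodb:operator     Pending
my-replica-set-2.mongodb   2m    system:serviceaccount:mongodb:operator     Approved,Issued
somebody-else-csr          5m    system:serviceaccount:default:builder      Pending
EOF
}

# pending_csrs PREFIX: read `kubectl get csr` output on stdin and print the
# names of requests that start with PREFIX and whose CONDITION (the last
# column in both old and new kubectl layouts) is exactly Pending.
pending_csrs() {
  awk -v p="$1" 'NR > 1 && index($1, p) == 1 && $NF == "Pending" { print $1 }'
}

# subject_ok SUBJECT EXPECTED_O CN_PREFIX: SUBJECT is the line printed by
# `openssl req -noout -subject`; both layouts are accepted:
#   subject=O = MongoDB, CN = my-replica-set-0   (OpenSSL 1.1 and later)
#   subject=/O=MongoDB/CN=my-replica-set-0       (OpenSSL 1.0)
# Succeeds only if O equals EXPECTED_O and CN begins with CN_PREFIX; another
# organisation, a user name in CN or an empty subject is rejected. Slashes
# inside attribute values are not handled (they are not expected here).
subject_ok() {
  norm=$(printf '%s' "$1" | sed 's/^subject= *//; s/ *= */=/g; s#/#,#g; s/, */,/g; s/^,//')
  case ",$norm," in
    *",O=$2,"*) ;;
    *) return 1 ;;
  esac
  case ",$norm," in
    *",CN=$3"*) return 0 ;;
    *) return 1 ;;
  esac
}

# csr_subject NAME: decode the PEM request stored in the CSR object and print
# its subject. Needs kubectl and openssl; `base64 -d` is GNU/busybox syntax.
csr_subject() {
  kubectl get csr "$1" -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject
}

# approve_pending PREFIX EXPECTED_O CN_PREFIX: approve only the pending
# requests whose subject passes subject_ok; refuse and report the rest.
approve_pending() {
  kubectl get csr | pending_csrs "$1" | while read -r name; do
    subj=$(csr_subject "$name")
    if subject_ok "$subj" "$2" "$3"; then
      kubectl certificate approve "$name"
    else
      printf 'refusing %s: unexpected subject "%s"\n' "$name" "$subj" >&2
    fi
  done
}

if [ "${1:-}" = approve ]; then
  shift
  approve_pending "$@"
fi
```

Run `sample_csr_list | pending_csrs my-replica-set` to see the filter pick out only the two pending host requests; the unrelated `somebody-else-csr` is excluded by the prefix, and a request with the right name but a foreign subject is still refused by `subject_ok`, which is the check a plain `kubectl certificate approve` of every NAME in the list does not perform.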