This page describes the connection that mongot opens to mongod (or mongos) to source data and read replication state, for a MongoDB Search and Vector Search deployment that you manage with the MongoDB Controllers for Kubernetes Operator. On this connection, mongot is the client and mongod is the server. This page covers how mongot authenticates to mongod (SCRAM or X.509), the role its identity needs, and how mongot trusts the mongod server certificate over TLS.
Application users never connect to mongot directly. For the opposite direction — the connection that mongod opens to mongot's listen server — see Secure the Connection from MongoDB to Search.
For the full schema of each MongoDBSearch setting referenced on this page, see MongoDB Search and Vector Search Settings.
How mongot Authenticates to mongod
When mongot connects to mongod, it authenticates as a database client using one of two mutually exclusive modes:
Mode | Credential | Use when |
|---|---|---|
SCRAM | Username and password | Your |
X.509 | Client certificate | Your organization provisions certificates from a PKI for cluster services, or compliance requirements favor certificate-based identity over passwords. |
You can switch modes after the fact by updating the MongoDBSearch resource and letting the Kubernetes Operator restart the mongot pods. The mongod-side identity that mongot authenticates as does not need to change if it holds the required role described in the next section.
Note
Switching from SCRAM to X.509 requires TLS on the sync source. The Kubernetes Operator rejects X.509 when the source mongod is not running TLS. Enabling search TLS for the first time is a brief but real query outage rather than a seamless restart. Plan for a short downtime when you make this switch. See Secure the Connection from MongoDB to Search for the cutover behavior.
The Role mongot Needs on mongod
Whichever mode mongot uses, the identity it authenticates as must have permission to source data and maintain the search catalog on mongod. That identity must hold the built-in searchCoordinator role, which ships with MongoDB Server 8.2 and later and grants only the privileges that mongot requires.
You always create this identity yourself; the MongoDBSearch controller never creates it for you. How you create it depends on whether the Kubernetes Operator manages the source mongod:
Operator-managed source. Declare a user that holds the
searchCoordinatorrole and reference a passwordSecret— in theuserslist of yourMongoDBCommunityresource for Community, or as a separateMongoDBUserresource for Enterprise. The Kubernetes Operator provisions that user onmongodfor you. You then reference the same user andSecreton theMongoDBSearchresource somongotcan authenticate with it.External source. Create the user and grant it the
searchCoordinatorrole directly on your ownmongoddeployment, then reference its credentials on theMongoDBSearchresource as shown below.
The rest of this page shows how to configure each authentication mode on the MongoDBSearch resource, and how to trust the mongod server certificate over TLS.
Configure SCRAM Authentication
Provide a Kubernetes Secret that contains the password that mongot should use to authenticate to mongod. Reference the secret on the MongoDBSearch resource through spec.source.passwordSecretRef, and set the username through spec.source.username.
spec: source: username: search-sync-source passwordSecretRef: name: my-mongot-password
The referenced Secret must contain the password under a key named password by default. Override the key through spec.source.passwordSecretRef.key if you store the password under a different key.
The user identified by spec.source.username must already exist on mongod and must hold the searchCoordinator role. If you omit spec.source.username, the Kubernetes Operator assumes the username is search-sync-source.
To add network-layer mTLS on top of SCRAM, provide a Kubernetes Secret containing the client certificate and private key and reference it through spec.source.tls.clientCertificateSecretRef. The Secret must contain tls.crt and tls.key. The Kubernetes Operator presents this certificate during the TLS handshake while still authenticating through username and password.
spec: source: username: search-sync-source passwordSecretRef: name: my-mongot-password tls: clientCertificateSecretRef: name: my-mongot-client-cert
If the client private key is encrypted, provide the passphrase in a separate Secret and reference it through spec.source.tls.keyFilePasswordSecretRef. The Secret must contain the passphrase at the keyFilePassword key.
Configure X.509 Authentication
X.509 authentication identifies mongot to mongod through a client certificate rather than a username and password. The subject distinguished name (DN) on the certificate becomes mongot's identity on mongod.
Note
spec.source.x509 is mutually exclusive with spec.source.username and spec.source.passwordSecretRef. If you set both, the Kubernetes Operator rejects the MongoDBSearch resource.
Provide a Kubernetes Secret that contains the client certificate and private key under the tls.crt and tls.key keys, and reference it on the MongoDBSearch resource through spec.source.x509.clientCertificateSecretRef:
spec: source: x509: clientCertificateSecretRef: name: my-mongot-x509-cert
If the client private key is encrypted, provide the passphrase in a separate Secret under the keyFilePassword key, and reference it through spec.source.x509.keyFilePasswordSecretRef:
spec: source: x509: clientCertificateSecretRef: name: my-mongot-x509-cert keyFilePasswordSecretRef: name: my-mongot-key-password
The client certificate alone does not grant access: mongod must recognize its subject DN as an authorized identity. After you create the certificate secret above, authorize that certificate's subject DN on mongod as described next.
Authorize the X.509 Subject DN on mongod
On the mongod side, create a user in the $external database whose name matches the subject DN on the client certificate you provisioned above, and grant the searchCoordinator role to that user. mongod uses the $external database to track identities that authenticate through external mechanisms such as X.509. To create an X.509 user on a deployment that the Kubernetes Operator manages, see Secure Client Authentication with X.509.
You must also enable TLS on the mongod deployment and configure it to trust the certificate authority (CA) that signed the mongot client certificate. You configure this on the mongod deployment itself through the MongoDB or MongoDBCommunity resource, not the MongoDBSearch resource. To enable TLS on a managed mongod deployment, see Secure Single Cluster Client Connections (TLS/SSL).
Trust the mongod Server Certificate
The settings above establish mongot's identity. Independently, when the source mongod uses TLS, mongot must trust the certificate that mongod presents when mongot connects to it. mongot is the TLS client on this connection; mongod presents its server certificate, and mongot validates that certificate against a CA that you supply.
When the source mongod is external to the Kubernetes Operator (that is, declared through spec.source.external), provide the CA that issued the mongod server certificate:
spec: source: external: hostAndPorts: - mongod-0.example.com:27017 tls: ca: name: my-external-mongod-ca
The spec.source.external.tls.ca.name field references a Kubernetes ConfigMap that contains the CA certificate under the ca.crt key. The CA must be the one that issued the mongod server certificate.
When the source mongod is instead managed by the Kubernetes Operator (through spec.source.mongodbResourceRef), the Kubernetes Operator handles this CA trust for you, and the spec.source.external.tls.ca.name field does not apply.
Certificate Rotation
mongot reads its client certificate at process startup. To rotate the certificate, update the Secret referenced by spec.source.x509.clientCertificateSecretRef (for X.509) or spec.source.tls.clientCertificateSecretRef (for mTLS on top of SCRAM) on the MongoDBSearch resource. The Kubernetes Operator detects the change and automatically restarts the mongot pods to load the new certificate material. The same applies to the SCRAM password Secret referenced by spec.source.passwordSecretRef.
To rotate an X.509 client certificate under MCK:
Update the Secret.
Update the Secret referenced by spec.source.x509.clientCertificateSecretRef with the new tls.crt and tls.key values. If the private key is encrypted, also update the Secret referenced by spec.source.x509.keyFilePasswordSecretRef with the new passphrase at the keyFilePassword key. The Kubernetes Operator detects the change and automatically restarts the mongot pods.
Remove the old certificate.
After all pods restart successfully, revoke the old certificate at your PKI. If the replacement certificate uses the same subject DN, you do not need to change the corresponding $external user on mongod. Remove the $external user only if you also want to retire that X.509 identity entirely.
Automated rotation is not configurable through the MongoDBSearch CRD. Update the Secret referenced by spec.source.x509.clientCertificateSecretRef to trigger the rotation; the Kubernetes Operator restarts the pods automatically.