This section provides guidance on the creation of TLS certificates for each component of MongoDB, and the creation of Kubernetes Secrets in each of your Kubernetes clusters to mount the TLS certificates securely into the appropriate Kubernetes Pods.
The process outlined below utilizes Cert Manager for creating the TLS certificates. However, please note that this is an opinionated guide, and CertManager is not supported by MongoDB. Moreover, CertManager is only one of many ways in which you can add TLS certificates to your Kubernetes clusters. Additionally, self-signed certificates may not be suitable for production deployments, depending on the security requirements of your organization. If you require publicly trusted certificates please configure your Issuer accordingly or provide the TLS certificate directly. To learn more, see Set Up a cert-manager Integration.
Prerequisites
Before you begin, perform the following tasks:
Install
kubectl.Install Helm.
Set the
K8S_CLUSTER_*_CONTEXT_NAMEenvironment variables as explained in the GKE Clusters guide.
Source Code
You can find all included source code in the MongoDB Kubernetes Operator repository.
Procedure
Create a certificate issuer.
1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 2 apiVersion: cert-manager.io/v1 3 kind: ClusterIssuer 4 metadata: 5 name: selfsigned-cluster-issuer 6 spec: 7 selfSigned: {} 8 EOF 9 10 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer selfsigned-cluster-issuer 11 12 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 13 apiVersion: cert-manager.io/v1 14 kind: Certificate 15 metadata: 16 name: my-selfsigned-ca 17 namespace: cert-manager 18 spec: 19 isCA: true 20 commonName: my-selfsigned-ca 21 secretName: root-secret 22 privateKey: 23 algorithm: ECDSA 24 size: 256 25 issuerRef: 26 name: selfsigned-cluster-issuer 27 kind: ClusterIssuer 28 EOF 29 30 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready -n cert-manager certificate my-selfsigned-ca 31 32 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 33 apiVersion: cert-manager.io/v1 34 kind: ClusterIssuer 35 metadata: 36 name: my-ca-issuer 37 spec: 38 ca: 39 secretName: root-secret 40 EOF 41 42 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer my-ca-issuer
Verify creation of the issuer.
1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 2 apiVersion: cert-manager.io/v1 3 kind: Certificate 4 metadata: 5 name: test-selfsigned-cert 6 namespace: cert-manager 7 spec: 8 dnsNames: 9 - example.com 10 secretName: test-selfsigned-cert-tls 11 issuerRef: 12 name: my-ca-issuer 13 kind: ClusterIssuer 14 EOF 15 16 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait -n cert-manager --for=condition=Ready certificate test-selfsigned-cert 17 18 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" delete -n cert-manager certificate test-selfsigned-cert
Create CA configMap.
1 mkdir -p certs 2 3 openssl s_client -showcerts -verify 2 \ 4 -connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \ 5 | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="certs/cert"a".crt"; print >out}' 6 7 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" get secret root-secret -n cert-manager -o jsonpath="{.data['ca\.crt']}" | base64 --decode > certs/ca.crt 8 cat certs/ca.crt certs/cert2.crt certs/cert3.crt >> certs/mms-ca.crt 9 10 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${MDB_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt 11 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${OM_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt