이 섹션에서는 MongoDB 의 각 구성 요소에 대한 TLS 인증서 생성과 각 Kubernetes 클러스터에 Kubernetes 시크릿을 생성하여 적절한 Kubernetes Pod에 TLS 인증서를 안전하게 마운트하는 방법에 대한 지침 제공합니다.
The process outlined below utilizes Cert Manager for creating the TLS certificates. However, please note that this is an opinionated guide, and CertManager is not supported by MongoDB. Moreover, CertManager is only one of many ways in which you can add TLS certificates to your Kubernetes clusters. Additionally, self-signed certificates may not be suitable for production deployments, depending on the security requirements of your organization. If you require publicly trusted certificates please configure your Issuer accordingly or provide the TLS certificate directly. To learn more, see Set Up a cert-manager Integration.
전제 조건
시작하기 전에 다음 작업을 수행합니다.
kubectl를 설치합니다.GKE 클러스터 가이드에 설명된 대로
K8S_CLUSTER_*_CONTEXT_NAME환경 변수를 설정합니다.
소스 코드
포함된 모든 소스 코드 MongoDB Kubernetes Operator 리포지토리 에서 찾을 수 있습니다.
절차
인증서 발급자를 만듭니다.
1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 2 apiVersion: cert-manager.io/v1 3 kind: ClusterIssuer 4 metadata: 5 name: selfsigned-cluster-issuer 6 spec: 7 selfSigned: {} 8 EOF 9 10 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer selfsigned-cluster-issuer 11 12 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 13 apiVersion: cert-manager.io/v1 14 kind: Certificate 15 metadata: 16 name: my-selfsigned-ca 17 namespace: cert-manager 18 spec: 19 isCA: true 20 commonName: my-selfsigned-ca 21 secretName: root-secret 22 privateKey: 23 algorithm: ECDSA 24 size: 256 25 issuerRef: 26 name: selfsigned-cluster-issuer 27 kind: ClusterIssuer 28 EOF 29 30 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready -n cert-manager certificate my-selfsigned-ca 31 32 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 33 apiVersion: cert-manager.io/v1 34 kind: ClusterIssuer 35 metadata: 36 name: my-ca-issuer 37 spec: 38 ca: 39 secretName: root-secret 40 EOF 41 42 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer my-ca-issuer
발급자 생성을 확인합니다.
1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 2 apiVersion: cert-manager.io/v1 3 kind: Certificate 4 metadata: 5 name: test-selfsigned-cert 6 namespace: cert-manager 7 spec: 8 dnsNames: 9 - example.com 10 secretName: test-selfsigned-cert-tls 11 issuerRef: 12 name: my-ca-issuer 13 kind: ClusterIssuer 14 EOF 15 16 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait -n cert-manager --for=condition=Ready certificate test-selfsigned-cert 17 18 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" delete -n cert-manager certificate test-selfsigned-cert
CA configMap을 생성합니다.
1 mkdir -p certs 2 3 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" get secret root-secret -n cert-manager -o jsonpath="{.data['ca\.crt']}" | base64 --decode > certs/ca.crt 4 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${MDB_NAMESPACE}" --from-file=ca-pem=certs/ca.crt --from-file=mms-ca.crt=certs/ca.crt 5 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${OM_NAMESPACE}" --from-file=ca-pem=certs/ca.crt --from-file=mms-ca.crt=certs/ca.crt