TLS 인증서 구성

이 섹션에서는 MongoDB 의 각 구성 요소에 대한 TLS 인증서 생성과 각 Kubernetes 클러스터에 Kubernetes 시크릿을 생성하여 적절한 Kubernetes Pod에 TLS 인증서를 안전하게 마운트하는 방법에 대한 지침 제공합니다.

아래에 설명된 프로세스 TLS 인증서를 생성하기 위해Cert 관리자 를 사용합니다. 그러나 이는 독단적인 가이드 이며, CertManager는 MongoDB 에서 지원되지 않는다는 점에 유의하세요. 또한 CertManager는 Kubernetes 클러스터에 TLS 인증서를 추가할 수 있는 여러 방법 중 하나일 뿐입니다. 또한 자체 서명된 인증서는 조직 의 보안 요구 사항에 따라 프로덕션 배포에 적합하지 않을 수 있습니다. 공개적으로 신뢰할 수 있는 인증서가 필요한 경우 발급자를 적절히 구성하거나 TLS 인증서를 직접 제공하세요. 자세한 학습 은 cert-manager 통합 설정을 참조하세요.

전제 조건

시작하기 전에 다음 작업을 수행합니다.

kubectl를 설치합니다.
Helm을 설치합니다.
GKE 클러스터 가이드에 설명된 대로 K8S_CLUSTER_*_CONTEXT_NAME 환경 변수를 설정합니다.

소스 코드

포함된 모든 소스 코드 MongoDB Kubernetes Operator 리포지토리 에서 찾을 수 있습니다.

절차

Helm 차트 리포지토리를 추가합니다.

1 helm repo add jetstack https://charts.jetstack.io --force-update

Helm을 사용하여 cert-manager를 설치합니다.

1 helm upgrade --install \
2   cert-manager jetstack/cert-manager \
3   --kube-context "${K8S_CLUSTER_0_CONTEXT_NAME}" \
4   --namespace cert-manager \
5   --create-namespace \
6   --set crds.enabled=true

Release "cert-manager" does not exist. Installing it now.
NAME: cert-manager
LAST DEPLOYED: Mon Sep  8 17:52:47 2025
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
⚠️  WARNING: New default private key rotation policy for Certificate resources.
The default private key rotation policy for Certificate resources was
changed to `Always` in cert-manager >= v1.18.0.
Learn more in the [1.18 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18).
cert-manager v1.18.2 has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.io/docs/configuration/
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/

인증서 발급자를 만듭니다.

1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
2 apiVersion: cert-manager.io/v1
3 kind: ClusterIssuer
4 metadata:
5   name: selfsigned-cluster-issuer
6 spec:
7   selfSigned: {}
8 EOF
9 
10 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer selfsigned-cluster-issuer
11 
12 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
13 apiVersion: cert-manager.io/v1
14 kind: Certificate
15 metadata:
16   name: my-selfsigned-ca
17   namespace: cert-manager
18 spec:
19   isCA: true
20   commonName: my-selfsigned-ca
21   secretName: root-secret
22   privateKey:
23     algorithm: ECDSA
24     size: 256
25   issuerRef:
26     name: selfsigned-cluster-issuer
27     kind: ClusterIssuer
28 EOF
29 
30 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready -n cert-manager certificate my-selfsigned-ca
31 
32 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
33 apiVersion: cert-manager.io/v1
34 kind: ClusterIssuer
35 metadata:
36   name: my-ca-issuer
37 spec:
38   ca:
39     secretName: root-secret
40 EOF
41 
42 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer my-ca-issuer

발급자 생성을 확인합니다.

1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
2 apiVersion: cert-manager.io/v1
3 kind: Certificate
4 metadata:
5   name: test-selfsigned-cert
6   namespace: cert-manager
7 spec:
8   dnsNames:
9     - example.com
10   secretName: test-selfsigned-cert-tls
11   issuerRef:
12     name: my-ca-issuer
13     kind: ClusterIssuer
14 EOF
15 
16 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait -n cert-manager --for=condition=Ready certificate test-selfsigned-cert
17 
18 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" delete -n cert-manager certificate test-selfsigned-cert

certificate.cert-manager.io/test-selfsigned-cert created
certificate.cert-manager.io/test-selfsigned-cert condition met
certificate.cert-manager.io "test-selfsigned-cert" deleted from cert-manager namespace

CA configMap을 생성합니다.

MongoDB Ops Manager TLS 인증서가 사용자 지정 CA에서 서명한 경우, CA 인증서에는 에이전트가 인터넷에서 MongoDB 바이너리를 다운로드 수 있도록 허용하는 추가 인증서도 포함되어 있어야 합니다. TLS 인증서를 만들려면 CA 인증서를 저장할 ConfigMap을 만듭니다.

1 mkdir -p certs
2 
3 openssl s_client -showcerts -verify 2 \
4 -connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \
5 | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="certs/cert"a".crt"; print >out}'
6 
7 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" get secret root-secret -n cert-manager -o jsonpath="{.data['ca\.crt']}" | base64 --decode > certs/ca.crt
8 cat certs/ca.crt certs/cert2.crt certs/cert3.crt  >> certs/mms-ca.crt
9 
10 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${MDB_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt
11 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${OM_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt

돌아가기

연산자 배포

멀티 클러스터 MongoDB Ops Manager

1	helm upgrade --install \
2	cert-manager jetstack/cert-manager \
3	--kube-context "${K8S_CLUSTER_0_CONTEXT_NAME}" \
4	--namespace cert-manager \
5	--create-namespace \
6	--set crds.enabled=true

1	kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
2	apiVersion: cert-manager.io/v1
3	kind: ClusterIssuer
4	metadata:
5	name: selfsigned-cluster-issuer
6	spec:
7	selfSigned: {}
8	EOF
9
10	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer selfsigned-cluster-issuer
11
12	kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
13	apiVersion: cert-manager.io/v1
14	kind: Certificate
15	metadata:
16	name: my-selfsigned-ca
17	namespace: cert-manager
18	spec:
19	isCA: true
20	commonName: my-selfsigned-ca
21	secretName: root-secret
22	privateKey:
23	algorithm: ECDSA
24	size: 256
25	issuerRef:
26	name: selfsigned-cluster-issuer
27	kind: ClusterIssuer
28	EOF
29
30	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready -n cert-manager certificate my-selfsigned-ca
31
32	kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
33	apiVersion: cert-manager.io/v1
34	kind: ClusterIssuer
35	metadata:
36	name: my-ca-issuer
37	spec:
38	ca:
39	secretName: root-secret
40	EOF
41
42	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer my-ca-issuer

1	mkdir -p certs
2
3	openssl s_client -showcerts -verify 2 \
4	-connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \
5	\| awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="certs/cert"a".crt"; print >out}'
6
7	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" get secret root-secret -n cert-manager -o jsonpath="{.data['ca\.crt']}" \| base64 --decode > certs/ca.crt
8	cat certs/ca.crt certs/cert2.crt certs/cert3.crt >> certs/mms-ca.crt
9
10	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${MDB_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt
11	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${OM_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt