This section provides guidance on creating TLS certificates for each MongoDB component and creating Kubernetes secrets in each of your Kubernetes clusters so that the TLS certificates can be mounted securely into the appropriate Kubernetes pods.
The process outlined below uses cert-manager to create the TLS certificates. Note that this is an opinionated guide and that cert-manager is not supported by MongoDB; it is only one of many ways to add TLS certificates to your Kubernetes clusters. Depending on your organization's security requirements, self-signed certificates may also not be suitable for production deployments. If you require publicly trusted certificates, configure your Issuer accordingly or provide the TLS certificate directly. To learn more, see Set Up a cert-manager Integration.
Prerequisites
Before you begin, complete the following tasks:
Install kubectl.
Install Helm.
Set the K8S_CLUSTER_*_CONTEXT_NAME environment variables as explained in the GKE Clusters guide.
Source code
You can find all of the included source code in the MongoDB Kubernetes Operator repository.
Procedure
Create a certificate issuer.

```shell
# 1. A self-signed bootstrap issuer, used only to sign the root CA below.
kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}
EOF

kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer selfsigned-cluster-issuer

# 2. The root CA certificate and its ECDSA P-256 private key, stored in
#    the root-secret Secret in the cert-manager namespace.
kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-selfsigned-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: my-selfsigned-ca
  secretName: root-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-cluster-issuer
    kind: ClusterIssuer
EOF

kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready -n cert-manager certificate my-selfsigned-ca

# 3. The CA issuer that signs all component certificates with that root CA.
kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-ca-issuer
spec:
  ca:
    secretName: root-secret
EOF

kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer my-ca-issuer
```
Verify that the issuer was created.

```shell
# Request a throwaway certificate from my-ca-issuer; if it becomes Ready,
# the issuer can sign certificates. The test certificate is then deleted.
kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-selfsigned-cert
  namespace: cert-manager
spec:
  dnsNames:
    - example.com
  secretName: test-selfsigned-cert-tls
  issuerRef:
    name: my-ca-issuer
    kind: ClusterIssuer
EOF

kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait -n cert-manager --for=condition=Ready certificate test-selfsigned-cert

kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" delete -n cert-manager certificate test-selfsigned-cert
```
Create the CA ConfigMap.

```shell
mkdir -p certs

# Export only the public CA certificate (ca.crt) from root-secret; the CA
# private key stays in the Secret in the cert-manager namespace.
kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" get secret root-secret -n cert-manager -o jsonpath="{.data['ca\.crt']}" | base64 --decode > certs/ca.crt

# Publish the CA certificate under both keys the Operator and Ops Manager
# expect (ca-pem and mms-ca.crt), in the MongoDB and Ops Manager namespaces.
kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${MDB_NAMESPACE}" --from-file=ca-pem=certs/ca.crt --from-file=mms-ca.crt=certs/ca.crt
kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${OM_NAMESPACE}" --from-file=ca-pem=certs/ca.crt --from-file=mms-ca.crt=certs/ca.crt
```