This section provides guidance on the creation of TLS certificates for each component of MongoDB, and the creation of Kubernetes Secrets in each of your Kubernetes clusters to mount the TLS certificates securely into the appropriate Kubernetes Pods.
The process outlined below utilizes Cert Manager for creating the TLS certificates. However, note that this is an opinionated guide, and CertManager is not supported by MongoDB. Moreover, CertManager is only one of many ways in which you can add TLS certificates to your Kubernetes clusters. Additionally, self-signed certificates may not be suitable for production deployments, depending on the security requirements of your organization. If you require publicly trusted certificates configure your Issuer accordingly or provide the TLS certificate directly. To learn more, see Set Up a cert-manager Integration.
Prerequisites
Before you begin, perform the following tasks:
Install
kubectl.Set the
K8S_CLUSTER_*_CONTEXT_NAMEenvironment variables as explained in the GKE Clusters guide.
Source Code
You can find all included source code in the MongoDB Kubernetes Operator repository.
Procedure
Use Helm to install cert-manager.
1 helm upgrade --install \ 2 cert-manager jetstack/cert-manager \ 3 --kube-context "${K8S_CLUSTER_0_CONTEXT_NAME}" \ 4 --namespace cert-manager \ 5 --create-namespace \ 6 --set crds.enabled=true
Release "cert-manager" does not exist. Installing it now. NAME: cert-manager LAST DEPLOYED: Thu May 22 14:12:18 2025 NAMESPACE: cert-manager STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: cert-manager v1.17.2 has been deployed successfully! In order to begin issuing certificates, you will need to set up a ClusterIssuer or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer). More information on the different types of issuers and how to configure them can be found in our documentation: https://cert-manager.io/docs/configuration/ For information on how to configure cert-manager to automatically provision Certificates for Ingress resources, take a look at the `ingress-shim` documentation: https://cert-manager.io/docs/usage/ingress/
Create a certificate issuer.
1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 2 apiVersion: cert-manager.io/v1 3 kind: ClusterIssuer 4 metadata: 5 name: selfsigned-cluster-issuer 6 spec: 7 selfSigned: {} 8 EOF 9 10 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer selfsigned-cluster-issuer 11 12 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 13 apiVersion: cert-manager.io/v1 14 kind: Certificate 15 metadata: 16 name: my-selfsigned-ca 17 namespace: cert-manager 18 spec: 19 isCA: true 20 commonName: my-selfsigned-ca 21 secretName: root-secret 22 privateKey: 23 algorithm: ECDSA 24 size: 256 25 issuerRef: 26 name: selfsigned-cluster-issuer 27 kind: ClusterIssuer 28 EOF 29 30 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready -n cert-manager certificate my-selfsigned-ca 31 32 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 33 apiVersion: cert-manager.io/v1 34 kind: ClusterIssuer 35 metadata: 36 name: my-ca-issuer 37 spec: 38 ca: 39 secretName: root-secret 40 EOF 41 42 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer my-ca-issuer
Verify creation of the issuer.
1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 2 apiVersion: cert-manager.io/v1 3 kind: Certificate 4 metadata: 5 name: test-selfsigned-cert 6 namespace: cert-manager 7 spec: 8 dnsNames: 9 - example.com 10 secretName: test-selfsigned-cert-tls 11 issuerRef: 12 name: my-ca-issuer 13 kind: ClusterIssuer 14 EOF 15 16 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait -n cert-manager --for=condition=Ready certificate test-selfsigned-cert 17 18 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" delete -n cert-manager certificate test-selfsigned-cert
certificate.cert-manager.io/test-selfsigned-cert created certificate.cert-manager.io/test-selfsigned-cert condition met certificate.cert-manager.io "test-selfsigned-cert" deleted
Create CA configMap.
If your Ops Manager TLS certificate is signed by a custom CA, the CA certificate must also contain additional certificates that allows the agents to download MongoDB binaries from the internet. To create the TLS certificate(s), create a ConfigMap to hold the CA certificate:
1 mkdir -p certs 2 3 openssl s_client -showcerts -verify 2 \ 4 -connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \ 5 | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="certs/cert"a".crt"; print >out}' 6 7 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" get secret root-secret -n cert-manager -o jsonpath="{.data['ca\.crt']}" | base64 --decode > certs/ca.crt 8 cat certs/ca.crt certs/cert2.crt certs/cert3.crt >> certs/mms-ca.crt 9 10 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${MDB_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt 11 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${OM_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt