Configurar certificados TLS

Esta seção fornece orientações sobre a criação de certificados TLS para cada componente do MongoDB e a criação de segredos do Kubernetes em cada um dos seus clusters do Kubernetes para montar os certificados TLS com segurança nos pods do Kubernetes apropriados.

O processo descrito abaixo utiliza o Cert Manager para criar os certificados TLS. No entanto, observe que este é um guia votado e o CertManager não é suportado pelo MongoDB. Além disso, o CertManager é apenas uma das muitas maneiras de você adicionar certificados TLS aos seus clusters Kubernetes. Além disso, certificados autoassinados podem não ser adequados para sistemas de produção, dependendo dos requisitos de segurança da sua organização. Se você precisar de certificados confiáveis publicamente, configure seu emissor de acordo ou forneça o certificado TLS diretamente. Para saber mais, consulte Configurar uma integração com o cert-manager.

Pré-requisitos

Antes de começar, execute as seguintes tarefas:

Instale o kubectl.
Instale oHelm.
Defina as variáveis de ambiente do K8S_CLUSTER_*_CONTEXT_NAME conforme explicado no guia Clusters GKE.

código fonte

Você pode encontrar todo o código-fonte incluído no repositório do MongoDB Kubernetes Operator.

Procedimento

Adicione o repositório de gráficos Helm.

1 helm repo add jetstack https://charts.jetstack.io --force-update

Use o Helm para instalar o cert-manager.

1 helm upgrade --install \
2   cert-manager jetstack/cert-manager \
3   --kube-context "${K8S_CLUSTER_0_CONTEXT_NAME}" \
4   --namespace cert-manager \
5   --create-namespace \
6   --set crds.enabled=true

Release "cert-manager" does not exist. Installing it now.
NAME: cert-manager
LAST DEPLOYED: Tue Jul  8 07:13:38 2025
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
⚠️  WARNING: New default private key rotation policy for Certificate resources.
The default private key rotation policy for Certificate resources was
changed to `Always` in cert-manager >= v1.18.0.
Learn more in the [1.18 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18).
cert-manager v1.18.2 has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.io/docs/configuration/
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/

Crie um emissor de certificado.

1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
2 apiVersion: cert-manager.io/v1
3 kind: ClusterIssuer
4 metadata:
5   name: selfsigned-cluster-issuer
6 spec:
7   selfSigned: {}
8 EOF
9 
10 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer selfsigned-cluster-issuer
11 
12 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
13 apiVersion: cert-manager.io/v1
14 kind: Certificate
15 metadata:
16   name: my-selfsigned-ca
17   namespace: cert-manager
18 spec:
19   isCA: true
20   commonName: my-selfsigned-ca
21   secretName: root-secret
22   privateKey:
23     algorithm: ECDSA
24     size: 256
25   issuerRef:
26     name: selfsigned-cluster-issuer
27     kind: ClusterIssuer
28 EOF
29 
30 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready -n cert-manager certificate my-selfsigned-ca
31 
32 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
33 apiVersion: cert-manager.io/v1
34 kind: ClusterIssuer
35 metadata:
36   name: my-ca-issuer
37 spec:
38   ca:
39     secretName: root-secret
40 EOF
41 
42 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer my-ca-issuer

Verifique a criação do emissor.

1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
2 apiVersion: cert-manager.io/v1
3 kind: Certificate
4 metadata:
5   name: test-selfsigned-cert
6   namespace: cert-manager
7 spec:
8   dnsNames:
9     - example.com
10   secretName: test-selfsigned-cert-tls
11   issuerRef:
12     name: my-ca-issuer
13     kind: ClusterIssuer
14 EOF
15 
16 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait -n cert-manager --for=condition=Ready certificate test-selfsigned-cert
17 
18 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" delete -n cert-manager certificate test-selfsigned-cert

certificate.cert-manager.io/test-selfsigned-cert created
certificate.cert-manager.io/test-selfsigned-cert condition met
certificate.cert-manager.io "test-selfsigned-cert" deleted

Criar CA configMap.

Se o certificado TLS do Ops Manager for assinado por uma CA personalizada, o certificado de CA também deverá conter certificados adicionais que permitam aos agentes baixar binários MongoDB da Internet. Para criar o(s) certificado(s) TLS, crie um ConfigMap para manter o certificado CA:

1 mkdir -p certs
2 
3 openssl s_client -showcerts -verify 2 \
4 -connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \
5 | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="certs/cert"a".crt"; print >out}'
6 
7 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" get secret root-secret -n cert-manager -o jsonpath="{.data['ca\.crt']}" | base64 --decode > certs/ca.crt
8 cat certs/ca.crt certs/cert2.crt certs/cert3.crt  >> certs/mms-ca.crt
9 
10 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${MDB_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt
11 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${OM_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt

Voltar

Implemente o operador

Ops Manager de vários clusters

1	helm upgrade --install \
2	cert-manager jetstack/cert-manager \
3	--kube-context "${K8S_CLUSTER_0_CONTEXT_NAME}" \
4	--namespace cert-manager \
5	--create-namespace \
6	--set crds.enabled=true

1	kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
2	apiVersion: cert-manager.io/v1
3	kind: ClusterIssuer
4	metadata:
5	name: selfsigned-cluster-issuer
6	spec:
7	selfSigned: {}
8	EOF
9
10	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer selfsigned-cluster-issuer
11
12	kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
13	apiVersion: cert-manager.io/v1
14	kind: Certificate
15	metadata:
16	name: my-selfsigned-ca
17	namespace: cert-manager
18	spec:
19	isCA: true
20	commonName: my-selfsigned-ca
21	secretName: root-secret
22	privateKey:
23	algorithm: ECDSA
24	size: 256
25	issuerRef:
26	name: selfsigned-cluster-issuer
27	kind: ClusterIssuer
28	EOF
29
30	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready -n cert-manager certificate my-selfsigned-ca
31
32	kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
33	apiVersion: cert-manager.io/v1
34	kind: ClusterIssuer
35	metadata:
36	name: my-ca-issuer
37	spec:
38	ca:
39	secretName: root-secret
40	EOF
41
42	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer my-ca-issuer

1	mkdir -p certs
2
3	openssl s_client -showcerts -verify 2 \
4	-connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \
5	\| awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="certs/cert"a".crt"; print >out}'
6
7	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" get secret root-secret -n cert-manager -o jsonpath="{.data['ca\.crt']}" \| base64 --decode > certs/ca.crt
8	cat certs/ca.crt certs/cert2.crt certs/cert3.crt >> certs/mms-ca.crt
9
10	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${MDB_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt
11	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${OM_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt