This version of the documentation is archived and no longer supported, and the MongoDB Enterprise Kubernetes Operator is deprecated. The new MongoDB Controllers for Kubernetes Operator replaces the MongoDB Enterprise Kubernetes Operator. The first version of the Controllers for Kubernetes Operator is functionally equivalent to the last version of the Enterprise Kubernetes Operator, v1.33. For more information about this change, and guidance on migrating to the new Operator, see the release notes for the first new version. There will be no future releases of the MongoDB Enterprise Kubernetes Operator. Each version will reach end of life according to the existing one year support policy. Please migrate to the Controllers for Kubernetes Operator for continued support.
You can use a KMIP server to configure encryption at rest for MongoDB deployments managed by the Kubernetes Operator.
Considerations
Before you configure encryption at rest, consider the following:
You must have a running KMIP server.
You cannot convert a deployment that uses keyfile-based encryption at rest to KMIP-based encryption at rest.
If you want to enable KMIP encryption at rest for an already deployed MongoDB resource, contact MongoDB Support.
Procedure
The following procedure shows how to set up an example KMIP configuration for a MongoDB replica set. Adjust the file names and paths, the Kubernetes namespace, the resource names, and the MongoDB version to the needs of your deployment.
1
Create a ConfigMap for the CA.
Run the following command to create a ConfigMap that holds the CA which signed the KMIP server's certificate:
kubectl -n mongodb create configmap mongodb-kmip-certificate-authority-pem --from-file=ca.pem
2
Create a Secret for the client certificate and private key PEM.
Run the following command to create a Secret that holds the client certificate and private key used for connections that check out the master key from the KMIP server:
kubectl -n mongodb create secret generic mongodb-kmip-client-pem --from-file=cert.pem
3
Configure the deployment to use the KMIP server.
Configure the additionalMongodConfig setting in your custom resource specification to use the KMIP server. The client certificate Secret and the CA ConfigMap are mounted into the database container at the paths that the kmip settings reference. Example:
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: kmip
  namespace: mongodb
spec:
  type: ReplicaSet
  members: 3
  backup:
    encryption:
      kmip:
        client:
          clientCertificatePrefix: "mdb"
  additionalMongodConfig:
    security:
      enableEncryption: true
      kmip:
        clientCertificateFile: /kmip/cert/cert.pem
        serverCAFile: /kmip/ca/ca.pem
        serverName: pykmip-server.pymongo
        port: 5696
  featureCompatibilityVersion: '6.0'
  version: 6.0.14-ent
  opsManager:
    configMapRef:
      name: my-project
  credentials: my-credentials
  podSpec:
    podTemplate:
      spec:
        containers:
          - name: mongodb-enterprise-database
            volumeMounts:
              - name: mongodb-kmip-client-pem
                mountPath: /kmip/cert
              - name: mongodb-kmip-certificate-authority-pem
                mountPath: /kmip/ca
        volumes:
          - name: mongodb-kmip-client-pem
            secret:
              secretName: mongodb-kmip-client-pem
          - name: mongodb-kmip-certificate-authority-pem
            configMap:
              name: mongodb-kmip-certificate-authority-pem
              items:
                - key: ca.pem
                  path: ca.pem
Important
If you set the spec.backup.encryption.kmip setting in your resource, the API key linked to the spec.credentials value must have the Global Owner role.
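The following POSIX shell script is an added example and is not part of the MongoDB documentation or of the Operator's own tooling. It preflights the two PEM files from steps 1 and 2 before they are loaded into the ConfigMap and Secret: mongod expects the client certificate and its private key together in the one file named by clientCertificateFile, the CA file should contain certificates only (a private key placed in a ConfigMap would be stored and mounted in the clear), and the name passed to --from-file becomes the file name under mountPath, so it must match the last element of the path given to mongod. The file names cert.pem and ca.pem and the paths /kmip/cert/cert.pem and /kmip/ca/ca.pem are the ones from the procedure above; the script and function names are assumptions of this example.

```shell
#!/bin/sh
# Added preflight script (not from the MongoDB documentation): check the
# client PEM and CA PEM before 'kubectl create secret/configmap', and check
# that their file names line up with additionalMongodConfig.security.kmip.
# Problems here are otherwise only reported when mongod tries to reach the
# KMIP server, after the rollout has already started.

# Count PEM blocks in FILE whose header matches the basic regex TYPE.
# Usage: count_pem_blocks FILE TYPE   (prints 0 for a missing file)
count_pem_blocks() {
  # grep -c exits 1 when the count is 0 but still prints the count.
  n=$(grep -c -- "^-----BEGIN $2-----" "$1" 2>/dev/null) || true
  printf '%s\n' "${n:-0}"
}

# security.kmip.clientCertificateFile must hold the client certificate
# (optionally followed by its chain) AND exactly one private key in the same
# file. Return 0 when FILE has that layout.
check_client_pem() {
  certs=$(count_pem_blocks "$1" "CERTIFICATE")
  keys=$(count_pem_blocks "$1" "[A-Z ]*PRIVATE KEY")   # PKCS#8, RSA or EC header
  [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]
}

# security.kmip.serverCAFile only needs certificates. A private key in a
# file destined for a ConfigMap would be stored unencrypted, so treat its
# presence as a failure. Return 0 when FILE is certificates only.
check_ca_pem() {
  certs=$(count_pem_blocks "$1" "CERTIFICATE")
  keys=$(count_pem_blocks "$1" "[A-Z ]*PRIVATE KEY")
  [ "$certs" -ge 1 ] && [ "$keys" -eq 0 ]
}

# The name given to --from-file becomes the key in the ConfigMap/Secret and
# therefore the file name under mountPath. Return 0 when the local file's
# basename equals the last element of the path mongod is configured with.
check_mount_path() {
  [ "$(basename "$1")" = "$(basename "$2")" ]
}

# Run every check for the procedure's two files and report.
# Usage: kmip_preflight CLIENT_PEM CA_PEM ; returns 0 only if all checks pass.
kmip_preflight() {
  client_pem=$1
  ca_pem=$2
  # Paths from additionalMongodConfig.security.kmip in the manifest above.
  mongod_client_path=/kmip/cert/cert.pem
  mongod_ca_path=/kmip/ca/ca.pem
  status=0
  check_client_pem "$client_pem" ||
    { echo "FAIL: $client_pem must contain the client certificate and exactly one private key"; status=1; }
  check_ca_pem "$ca_pem" ||
    { echo "FAIL: $ca_pem must contain certificates only"; status=1; }
  check_mount_path "$client_pem" "$mongod_client_path" ||
    { echo "FAIL: $(basename "$client_pem") will not be found at $mongod_client_path"; status=1; }
  check_mount_path "$ca_pem" "$mongod_ca_path" ||
    { echo "FAIL: $(basename "$ca_pem") will not be found at $mongod_ca_path"; status=1; }
  [ "$status" -eq 0 ] && echo "OK: PEM files are ready for kubectl create configmap/secret"
  return "$status"
}

# Only run when invoked with the two files, e.g.: sh kmip-preflight.sh cert.pem ca.pem
if [ "$#" -eq 2 ]; then
  kmip_preflight "$1" "$2"
fi
```

Run it in the directory where you will run the two kubectl create commands. The script checks PEM layout and naming only; with openssl available you can additionally confirm that the key in cert.pem belongs to the certificate by comparing the output of `openssl x509 -in cert.pem -noout -pubkey` with `openssl pkey -in cert.pem -pubout`.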