本节将指导您为MongoDB的每个组件创建 TLS 证书,以及在每个Kubernetes集群中创建Kubernetes密钥,以便将 TLS 证书安全地挂载到相应的Kubernetes Pod 中。
下面概述的进程利用 Cert 经理 创建 TLS 证书。但请注意,这是一份固执己见的指南, MongoDB不支持 CertManager。此外,CertManager 只是向Kubernetes集群添加 TLS 证书的众多方法之一。此外,自签名证书可能不适合生产部署,具体取决于组织的安全要求。如果您需要公开信任的证书,请相应地配置您的发行者或直接提供 TLS 证书。要学习;了解详情,请参阅 设置 cert-manager 集成。
先决条件
开始之前,请执行以下任务:
源代码
您可以在MongoDB Kubernetes Operator存储库中找到所有包含的源代码。
步骤
2
使用 Helm 安装 cert-manager。
1 helm upgrade --install \ 2 cert-manager jetstack/cert-manager \ 3 --kube-context "${K8S_CLUSTER_0_CONTEXT_NAME}" \ 4 --namespace cert-manager \ 5 --create-namespace \ 6 --set crds.enabled=true
Release "cert-manager" does not exist. Installing it now. NAME: cert-manager LAST DEPLOYED: Thu May 22 14:12:18 2025 NAMESPACE: cert-manager STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: cert-manager v1.17.2 has been deployed successfully! In order to begin issuing certificates, you will need to set up a ClusterIssuer or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer). More information on the different types of issuers and how to configure them can be found in our documentation: https://cert-manager.io/docs/configuration/ For information on how to configure cert-manager to automatically provision Certificates for Ingress resources, take a look at the `ingress-shim` documentation: https://cert-manager.io/docs/usage/ingress/
3
创建证书颁发者。
1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 2 apiVersion: cert-manager.io/v1 3 kind: ClusterIssuer 4 metadata: 5 name: selfsigned-cluster-issuer 6 spec: 7 selfSigned: {} 8 EOF 9 10 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer selfsigned-cluster-issuer 11 12 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 13 apiVersion: cert-manager.io/v1 14 kind: Certificate 15 metadata: 16 name: my-selfsigned-ca 17 namespace: cert-manager 18 spec: 19 isCA: true 20 commonName: my-selfsigned-ca 21 secretName: root-secret 22 privateKey: 23 algorithm: ECDSA 24 size: 256 25 issuerRef: 26 name: selfsigned-cluster-issuer 27 kind: ClusterIssuer 28 EOF 29 30 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready -n cert-manager certificate my-selfsigned-ca 31 32 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 33 apiVersion: cert-manager.io/v1 34 kind: ClusterIssuer 35 metadata: 36 name: my-ca-issuer 37 spec: 38 ca: 39 secretName: root-secret 40 EOF 41 42 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer my-ca-issuer
4
验证发行者的创建。
1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF 2 apiVersion: cert-manager.io/v1 3 kind: Certificate 4 metadata: 5 name: test-selfsigned-cert 6 namespace: cert-manager 7 spec: 8 dnsNames: 9 - example.com 10 secretName: test-selfsigned-cert-tls 11 issuerRef: 12 name: my-ca-issuer 13 kind: ClusterIssuer 14 EOF 15 16 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait -n cert-manager --for=condition=Ready certificate test-selfsigned-cert 17 18 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" delete -n cert-manager certificate test-selfsigned-cert
certificate.cert-manager.io/test-selfsigned-cert created certificate.cert-manager.io/test-selfsigned-cert condition met certificate.cert-manager.io "test-selfsigned-cert" deleted
5
创建 CA configMap。
如果您的MongoDB Ops Manager TLS 证书由自定义 CA 签名,则该 CA 证书还必须包含允许代理从互联网下载MongoDB二进制文件的其他证书。 要创建 TLS 证书,请创建 ConfigMap 来保存 CA 证书:
1 mkdir -p certs 2 3 openssl s_client -showcerts -verify 2 \ 4 -connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \ 5 | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="certs/cert"a".crt"; print >out}' 6 7 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" get secret root-secret -n cert-manager -o jsonpath="{.data['ca\.crt']}" | base64 --decode > certs/ca.crt 8 cat certs/ca.crt certs/cert2.crt certs/cert3.crt >> certs/mms-ca.crt 9 10 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${MDB_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt 11 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${OM_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt