配置 TLS 证书

本节将指导您为MongoDB的每个组件创建 TLS 证书，以及在每个Kubernetes集群中创建Kubernetes密钥，以便将 TLS 证书安全地挂载到相应的Kubernetes Pod 中。

The process outlined below utilizes Cert Manager for creating the TLS certificates. However, please note that this is an opinionated guide, and CertManager is not supported by MongoDB. Moreover, CertManager is only one of many ways in which you can add TLS certificates to your Kubernetes clusters. Additionally, self-signed certificates may not be suitable for production deployments, depending on the security requirements of your organization. If you require publicly trusted certificates please configure your Issuer accordingly or provide the TLS certificate directly. To learn more, see Set Up a cert-manager Integration.

先决条件

开始之前，请执行以下任务：

安装 kubectl。
安装 Helm。
按照 GKE 集群指南中的说明设置 K8S_CLUSTER_*_CONTEXT_NAME 环境变量。

源代码

您可以在MongoDB Kubernetes Operator存储库中找到所有包含的源代码。

步骤

添加 Helm Charts 存储库。

1 helm repo add jetstack https://charts.jetstack.io --force-update

使用 Helm 安装 cert-manager。

1 helm upgrade --install \
2   cert-manager jetstack/cert-manager \
3   --kube-context "${K8S_CLUSTER_0_CONTEXT_NAME}" \
4   --namespace cert-manager \
5   --create-namespace \
6   --set crds.enabled=true

创建证书颁发者。

1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
2 apiVersion: cert-manager.io/v1
3 kind: ClusterIssuer
4 metadata:
5   name: selfsigned-cluster-issuer
6 spec:
7   selfSigned: {}
8 EOF
9 
10 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer selfsigned-cluster-issuer
11 
12 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
13 apiVersion: cert-manager.io/v1
14 kind: Certificate
15 metadata:
16   name: my-selfsigned-ca
17   namespace: cert-manager
18 spec:
19   isCA: true
20   commonName: my-selfsigned-ca
21   secretName: root-secret
22   privateKey:
23     algorithm: ECDSA
24     size: 256
25   issuerRef:
26     name: selfsigned-cluster-issuer
27     kind: ClusterIssuer
28 EOF
29 
30 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready -n cert-manager certificate my-selfsigned-ca
31 
32 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
33 apiVersion: cert-manager.io/v1
34 kind: ClusterIssuer
35 metadata:
36   name: my-ca-issuer
37 spec:
38   ca:
39     secretName: root-secret
40 EOF
41 
42 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer my-ca-issuer

验证发行者的创建。

1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
2 apiVersion: cert-manager.io/v1
3 kind: Certificate
4 metadata:
5   name: test-selfsigned-cert
6   namespace: cert-manager
7 spec:
8   dnsNames:
9     - example.com
10   secretName: test-selfsigned-cert-tls
11   issuerRef:
12     name: my-ca-issuer
13     kind: ClusterIssuer
14 EOF
15 
16 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait -n cert-manager --for=condition=Ready certificate test-selfsigned-cert
17 
18 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" delete -n cert-manager certificate test-selfsigned-cert

创建 CA configMap。

1 mkdir -p certs
2 
3 openssl s_client -showcerts -verify 2 \
4 -connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \
5 | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="certs/cert"a".crt"; print >out}'
6 
7 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" get secret root-secret -n cert-manager -o jsonpath="{.data['ca\.crt']}" | base64 --decode > certs/ca.crt
8 cat certs/ca.crt certs/cert2.crt certs/cert3.crt  >> certs/mms-ca.crt
9 
10 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${MDB_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt
11 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${OM_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt

后退

Istio 服务网格

来年

部署 Operator

1	helm upgrade --install \
2	cert-manager jetstack/cert-manager \
3	--kube-context "${K8S_CLUSTER_0_CONTEXT_NAME}" \
4	--namespace cert-manager \
5	--create-namespace \
6	--set crds.enabled=true

1	kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
2	apiVersion: cert-manager.io/v1
3	kind: ClusterIssuer
4	metadata:
5	name: selfsigned-cluster-issuer
6	spec:
7	selfSigned: {}
8	EOF
9
10	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer selfsigned-cluster-issuer
11
12	kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
13	apiVersion: cert-manager.io/v1
14	kind: Certificate
15	metadata:
16	name: my-selfsigned-ca
17	namespace: cert-manager
18	spec:
19	isCA: true
20	commonName: my-selfsigned-ca
21	secretName: root-secret
22	privateKey:
23	algorithm: ECDSA
24	size: 256
25	issuerRef:
26	name: selfsigned-cluster-issuer
27	kind: ClusterIssuer
28	EOF
29
30	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready -n cert-manager certificate my-selfsigned-ca
31
32	kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -f - <<EOF
33	apiVersion: cert-manager.io/v1
34	kind: ClusterIssuer
35	metadata:
36	name: my-ca-issuer
37	spec:
38	ca:
39	secretName: root-secret
40	EOF
41
42	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=condition=Ready clusterissuer my-ca-issuer

1	mkdir -p certs
2
3	openssl s_client -showcerts -verify 2 \
4	-connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \
5	\| awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="certs/cert"a".crt"; print >out}'
6
7	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" get secret root-secret -n cert-manager -o jsonpath="{.data['ca\.crt']}" \| base64 --decode > certs/ca.crt
8	cat certs/ca.crt certs/cert2.crt certs/cert3.crt >> certs/mms-ca.crt
9
10	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${MDB_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt
11	kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" create cm ca-issuer -n "${OM_NAMESPACE}" --from-file=ca-pem=certs/mms-ca.crt --from-file=mms-ca.crt=certs/mms-ca.crt