Configure KMIP Backup Encryption for Ops Manager
Ops Manager can encrypt backup jobs. You can use the Kubernetes Operator to configure KMIP backup encryption for Ops Manager. To learn more, see Encrypted Backup Snapshots.
Limitations
For deployments where the same Kubernetes Operator instance is not managing both the MongoDBOpsManager and MongoDB custom resources, you must manually configure KMIP backup encryption client settings in the MongoDBOpsManager custom resource. This requirement involves including client certificates for each MongoDB database, which you can achieve by overriding the Ops Manager Pod's StatefulSet to mount the certificates. To learn more, see Manually Configure KMIP Backup Encryption.
Procedure
Configure the Ops Manager custom resource to use KMIP backup encryption.
Configure the spec.backup.encryption.kmip settings:

apiVersion: mongodb.com/v1
kind: MongoDBOpsManager
metadata:
  name: om-backup-kmip
spec:
  replicas: 1
  version: 6.0.0
  adminCredentials: ops-manager-admin-secret
  backup:
    encryption:
      kmip:
        server:
          url: kmip.corp.mongodb.com:5696
          ca: mongodb-kmip-certificate-authority-pem
Create the secret of the client certificate and private key.
Run the following command:
kubectl -n mongodb create secret tls mongodb-kmip-client-pem-my-replica-set-client-kmip \
  --cert=<path-to-cert-file> \
  --key=<path-to-key-file>
The client certificate Secret name follows a naming convention that the Kubernetes Operator infers from the MongoDB CustomResourceDefinition:

<clientCertificatePrefix>-<objectMeta.name>-client-kmip

| Component | Description |
|---|---|
| clientCertificatePrefix | Human-readable label specified in the spec.backup.encryption.kmip.client.clientCertificatePrefix field of the MongoDB CustomResourceDefinition. |
| objectMeta.name | Name of the MongoDB custom resource, taken from its metadata.name field (my-replica-set in the command above). |
| client-kmip | Fixed suffix that the Kubernetes Operator assumes. |
To learn more, see kubernetes.io/tls.
Configure your MongoDB database deployment.
Configure the spec.backup.encryption.kmip settings:

apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-replica-set
spec:
  members: 3
  version: 4.0.20
  type: ReplicaSet
  backup:
    encryption:
      kmip:
        client:
          clientCertificatePrefix: mongodb-kmip-client-pem
To learn more, see deploy a replica set or deploy a sharded cluster.
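A preflight check for the procedure above, written as an added example that is not part of the MongoDB Kubernetes Operator or its documentation. It derives the Secret name the Operator expects for each MongoDB resource (<clientCertificatePrefix>-<metadata.name>-client-kmip), verifies that a Secret of that name exists with the type and data keys that kubectl create secret tls produces, and checks that the MongoDBOpsManager resource sets the KMIP server url and ca. The manifests are constructed samples written as already-parsed dicts (the two resources from this page plus a second replica set whose Secret was never created); the function names and the PEM placeholders are the example's own.

```python
# Added example, not part of the MongoDB Kubernetes Operator.
# Checks that every MongoDB resource configured for KMIP backup encryption
# has the client-certificate Secret the Operator will look for, and that
# the MongoDBOpsManager resource names a KMIP server and CA.
# All manifests below are constructed samples, written as parsed dicts.

TLS_SECRET_TYPE = "kubernetes.io/tls"
TLS_SECRET_KEYS = ("tls.crt", "tls.key")  # keys 'kubectl create secret tls' writes


def _kmip(resource):
    """spec.backup.encryption.kmip of a resource, or {} if absent."""
    return (resource.get("spec", {}).get("backup", {})
            .get("encryption", {}).get("kmip", {}))


def expected_client_secret_name(mongodb):
    """Secret name the Operator infers for a MongoDB resource, or None when
    the resource does not configure a KMIP client."""
    prefix = _kmip(mongodb).get("client", {}).get("clientCertificatePrefix")
    if not prefix:
        return None
    return f"{prefix}-{mongodb['metadata']['name']}-client-kmip"


def check_ops_manager(om):
    """Problems with spec.backup.encryption.kmip.server on a MongoDBOpsManager."""
    server = _kmip(om).get("server", {})
    return [f"MongoDBOpsManager/{om['metadata']['name']}: "
            f"spec.backup.encryption.kmip.server.{field} is not set"
            for field in ("url", "ca") if not server.get(field)]


def check_client_secrets(mongodb_resources, secrets):
    """Problems with the client-certificate Secrets. `secrets` maps Secret
    name to its parsed manifest (all in the Operator's namespace)."""
    problems = []
    for mdb in mongodb_resources:
        wanted = expected_client_secret_name(mdb)
        if wanted is None:
            continue  # this resource's backups are not KMIP-encrypted
        secret = secrets.get(wanted)
        if secret is None:
            problems.append(f"MongoDB/{mdb['metadata']['name']}: Secret {wanted} not found")
            continue
        if secret.get("type") != TLS_SECRET_TYPE:
            problems.append(f"Secret {wanted}: type {secret.get('type')!r}, "
                            f"expected {TLS_SECRET_TYPE!r}")
        for key in TLS_SECRET_KEYS:
            if not secret.get("data", {}).get(key):
                problems.append(f"Secret {wanted}: data key {key} is missing")
    return problems


# Constructed samples: the two resources from the page, plus a second
# replica set whose Secret was never created.
OPS_MANAGER = {
    "kind": "MongoDBOpsManager", "metadata": {"name": "om-backup-kmip"},
    "spec": {"backup": {"encryption": {"kmip": {"server": {
        "url": "kmip.corp.mongodb.com:5696",
        "ca": "mongodb-kmip-certificate-authority-pem"}}}}},
}
MY_REPLICA_SET = {
    "kind": "MongoDB", "metadata": {"name": "my-replica-set"},
    "spec": {"members": 3, "type": "ReplicaSet", "backup": {"encryption": {
        "kmip": {"client": {"clientCertificatePrefix": "mongodb-kmip-client-pem"}}}}},
}
OTHER_RS = {
    "kind": "MongoDB", "metadata": {"name": "other-rs"},
    "spec": {"members": 3, "type": "ReplicaSet", "backup": {"encryption": {
        "kmip": {"client": {"clientCertificatePrefix": "mongodb-kmip-client-pem"}}}}},
}
# Shape of the Secret 'kubectl create secret tls' produces; PEM contents are placeholders.
SECRETS = {
    "mongodb-kmip-client-pem-my-replica-set-client-kmip": {
        "type": "kubernetes.io/tls",
        "data": {"tls.crt": "PLACEHOLDER_B64_CERT", "tls.key": "PLACEHOLDER_B64_KEY"},
    },
}

if __name__ == "__main__":
    for problem in check_ops_manager(OPS_MANAGER) + check_client_secrets(
            [MY_REPLICA_SET, OTHER_RS], SECRETS):
        print("PROBLEM:", problem)
```

Run against live manifests by feeding the output of kubectl get (parsed into dicts) to the two check functions; a reported missing Secret for a resource managed by a different Operator instance is exactly the situation the Limitations section says must be handled by hand.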