Set Up a cert-manager Integration
On this page
cert-manager simplifies and automates
the management of security certificates for Kubernetes. The following
procedure describes how to configure cert-manager
to generate
certificates for MongoDB Kubernetes Operator resources.
Procedure
Create a CA secret.
Note
The following steps assume that you have already created a custom
CA along with the corresponding tls.key
private key
and tls.crt
signed certificate.
Create a secret to store your CA data:
apiVersion: v1 kind: Secret metadata: name: ca-key-pair namespace: <namespace> data: tls.crt: <your-CA-certificate> tls.key: <your-CA-private-key>
Add additional certificates to custom CA certificates.
If your Ops Manager TLS certificate is signed by a custom CA, the CA certificate must also contain additional certificates that allow Ops Manager Backup Daemon to download MongoDB binaries from the internet. To create the TLS certificate(s), create a ConfigMap to hold the CA certificate:
Important
The Kubernetes Operator requires that your Ops Manager certificate is named
mms-ca.crt
in the ConfigMap.
Obtain the entire TLS certificate chain for Ops Manager from
downloads.mongodb.com
. The followingopenssl
command outputs the certificate in the chain to your current working directory, in.crt
format:openssl s_client -showcerts -verify 2 \ -connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \ | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}' Concatenate your CA's certificate file for Ops Manager with the entire TLS certificate chain from
downloads.mongodb.com
that you obtained in the previous step:cat cert2.crt cert3.crt cert4.crt >> mms-ca.crt Create the ConfigMap for Ops Manager:
kubectl create configmap om-http-cert-ca --from-file="mms-ca.crt"
Configure a cert-manager CA issuer
Create a CA issuer that references your CA secret:
apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: ca-issuer namespace: <namespace> spec: ca: secretName: ca-key-pair Verify that the issuer is ready:
kubectl get issuer ca-issuer The
READY
field in the output should have a value ofTrue
.
Create a CA ConfigMap
Create a ConfigMap containing your CA. It must have two
fields, ca-pem
and mms-ca.crt
, both pointing to your
CA certificate. Replace <CA-certificate>
with the path to your
CA certificate.
kubectl create cm ca-issuer --from-file=ca-pem=<CA-certificate> \ --from-file=mms-ca.crt=<CA-certificate>
Create certificates for your MongoDB resources
To secure a MongoDB resource with your generated certification, you must create certificates for both the resource itself and the MongoDB agent.
Create the MongoDB resource certificate. The following example assumes a replica set named
my-replica-set
with three members:Note
The
spec.issuerRef.name
parameter references the previously created CA ConfigMap.apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: my-replica-set-certificate namespace: mongodb spec: dnsNames: - my-replica-set-0 - my-replica-set-0.my-replica-set-svc.mongodb.svc.cluster.local - my-replica-set-1 - my-replica-set-1.my-replica-set-svc.mongodb.svc.cluster.local - my-replica-set-2 - my-replica-set-2.my-replica-set-svc.mongodb.svc.cluster.local duration: 240h0m0s issuerRef: name: ca-issuer renewBefore: 120h0m0s secretName: mdb-my-replica-set-cert usages: - server auth - client auth For sharded clusters, you must create one certificate for each StatefulSet. To learn more about sharded cluster configuration, see Deploy a Sharded Cluster.
Create the MongoDB agent certificate:
Note
The
spec.issuerRef.name
parameter references the previously created CA ConfigMap.apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: agent-certs namespace: mongodb spec: commonName: automation dnsNames: - automation duration: 240h0m0s issuerRef: name: ca-issuer renewBefore: 120h0m0s secretName: mdb-my-replica-set-agent-certs usages: - digital signature - key encipherment - client auth subject: countries: - US localities: - NY organizationalUnits: - a-1635241837-m5yb81lfnrz organizations: - cluster.local-agent provinces: - NY Create the MongoDB resource:
Note
If you leave the
spec.security.tls.ca
parameter unspecified, it defaults to{replica-set}-ca
.apiVersion: mongodb.com/v1 kind: MongoDB metadata: name: my-replica-set namespace: mongodb spec: type: ReplicaSet members: 3 version: 4.0.4-ent opsManager: configMapRef: name: my-project credentials: my-credentials security: certsSecretPrefix: mdb authentication: enabled: true modes: - X509 tls: ca: ca-issuer enabled: true
Create certificates for Ops Manager and AppDB with TLS
To secure an Ops Manager resource, you must first create certificates for Ops Manager and AppDB, then create the Ops Manager resource.
Create the Ops Manager certificate:
Note
The
spec.issuerRef.name
parameter references the previously created CA ConfigMap.apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: cert-for-ops-manager namespace: mongodb spec: dnsNames: - om-with-https-svc.mongodb.svc.cluster.local duration: 240h0m0s issuerRef: name: ca-issuer renewBefore: 120h0m0s secretName: mdb-om-with-https-cert usages: - server auth - client auth Create the AppDB certificate:
Note
The
spec.issuerRef.name
parameter references the previously created CA ConfigMap.apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: appdb-om-with-https-db-cert namespace: mongodb spec: dnsNames: - om-with-https-db-0 - om-with-https-db-0.om-with-https-db-svc.mongodb.svc.cluster.local - om-with-https-db-1 - om-with-https-db-1.om-with-https-db-svc.mongodb.svc.cluster.local - om-with-https-db-2 - om-with-https-db-2.om-with-https-db-svc.mongodb.svc.cluster.local duration: 240h0m0s issuerRef: name: ca-issuer renewBefore: 120h0m0s secretName: appdb-om-with-https-db-cert usages: - server auth - client auth Create the Ops Manager resource:
apiVersion: mongodb.com/v1 kind: MongoDBOpsManager metadata: name: om-with-https namespace: mongodb spec: adminCredentials: ops-manager-admin-secret applicationDatabase: members: 3 security: certsSecretPrefix: appdb tls: ca: ca-issuer version: 6.0.0-ubi8 replicas: 1 security: certsSecretPrefix: mdb tls: ca: ca-issuer
Renewing Certificates
cert-manager will renew certificates under the following circumstances:
The certificate expires according to its
spec.duration
andspec.renewBefore
fields.You delete the secret holding a certificate. In this case, cert-manager recreates the secret according to the configuration in your certificate custom resource.
You alter the configuration of the certificate custom resource. In this case, cert-manager recreates the secret that contains the certificate when it detects the changes to its configuration.