Set Up a cert-manager Integration

On this page

Procedure

Create a CA secret.
Add additional certificates to custom CA certificates.
Configure a cert-manager CA issuer
Create a CA ConfigMap
Create certificates for your MongoDB resources
Create certificates for Ops Manager and AppDB with TLS
Renewing Certificates

cert-manager simplifies and automates the management of security certificates for Kubernetes. The following procedure describes how to configure cert-manager to generate certificates for MongoDB Kubernetes Operator resources.

Procedure

Create a CA secret.

Note

The following steps assume that you have already created a custom CA along with the corresponding tls.key private key and tls.crt signed certificate.

Create a secret to store your CA data:

apiVersion: v1
kind: Secret
metadata:
  name: ca-key-pair
  namespace: <namespace>
data:
  tls.crt: <your-CA-certificate>
  tls.key: <your-CA-private-key>

Add additional certificates to custom CA certificates.

If your Ops Manager TLS certificate is signed by a custom CA, the CA certificate must also contain additional certificates that allow Ops Manager Backup Daemon to download MongoDB binaries from the internet. To create the TLS certificate(s), create a ConfigMap to hold the CA certificate:

Important

The Kubernetes Operator requires that your Ops Manager certificate is named mms-ca.crt in the ConfigMap.

Obtain the entire TLS certificate chain for Ops Manager from downloads.mongodb.com. The following openssl command outputs the certificate in the chain to your current working directory, in .crt format:
```
openssl s_client -showcerts -verify 2 \
-connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \
| awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}'
```
Concatenate your CA's certificate file for Ops Manager with the entire TLS certificate chain from downloads.mongodb.com that you obtained in the previous step:
```
cat cert2.crt cert3.crt cert4.crt  >> mms-ca.crt
```
Create the ConfigMap for Ops Manager:
```
kubectl create configmap om-http-cert-ca --from-file="mms-ca.crt"
```

Configure a cert-manager CA issuer

Create a CA issuer that references your CA secret:
```
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
  namespace: <namespace>
spec:
  ca:
    secretName: ca-key-pair
```
Verify that the issuer is ready:
```
kubectl get issuer ca-issuer
```
The READY field in the output should have a value of True.

Create a CA ConfigMap

Create a ConfigMap containing your CA. It must have two fields, ca-pem and mms-ca.crt, both pointing to your CA certificate. Replace <CA-certificate> with the path to your CA certificate.

kubectl create cm ca-issuer --from-file=ca-pem=<CA-certificate> \
--from-file=mms-ca.crt=<CA-certificate>

Create certificates for your MongoDB resources

To secure a MongoDB resource with your generated certification, you must create certificates for both the resource itself and the MongoDB agent.

Create the MongoDB resource certificate. The following example assumes a replica set named my-replica-set with three members:

Note

The spec.issuerRef.name parameter references the previously created CA ConfigMap.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-replica-set-certificate
  namespace: mongodb
spec:
  dnsNames:
  - my-replica-set-0
  - my-replica-set-0.my-replica-set-svc.mongodb.svc.cluster.local
  - my-replica-set-1
  - my-replica-set-1.my-replica-set-svc.mongodb.svc.cluster.local
  - my-replica-set-2
  - my-replica-set-2.my-replica-set-svc.mongodb.svc.cluster.local
  duration: 240h0m0s
  issuerRef:
    name: ca-issuer
  renewBefore: 120h0m0s
  secretName: mdb-my-replica-set-cert
  usages:
  - server auth
  - client auth

For sharded clusters, you must create one certificate for each StatefulSet. To learn more about sharded cluster configuration, see Deploy a Sharded Cluster.

Create the MongoDB agent certificate:

Note

The spec.issuerRef.name parameter references the previously created CA ConfigMap.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: agent-certs
  namespace: mongodb
spec:
  commonName: automation
  dnsNames:
  - automation
  duration: 240h0m0s
  issuerRef:
    name: ca-issuer
  renewBefore: 120h0m0s
  secretName: mdb-my-replica-set-agent-certs
  usages:
  - digital signature
  - key encipherment
  - client auth
  subject:
    countries:
    - US
    localities:
    - NY
    organizationalUnits:
    - a-1635241837-m5yb81lfnrz
    organizations:
    - cluster.local-agent
    provinces:
    - NY

Create the MongoDB resource:

Note

If you leave the spec.security.tls.ca parameter unspecified, it defaults to {replica-set}-ca.

apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-replica-set
  namespace: mongodb
spec:
  type: ReplicaSet
  members: 3
  version: 4.0.4-ent
  opsManager:
    configMapRef:
      name: my-project
  credentials: my-credentials
  security:
    certsSecretPrefix: mdb
    authentication:
      enabled: true
      modes:
      - X509
    tls:
      ca: ca-issuer
      enabled: true

Create certificates for Ops Manager and AppDB with TLS

To secure an Ops Manager resource, you must first create certificates for Ops Manager and AppDB, then create the Ops Manager resource.

Create the Ops Manager certificate:

Note

The spec.issuerRef.name parameter references the previously created CA ConfigMap.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-for-ops-manager
  namespace: mongodb
spec:
  dnsNames:
  - om-with-https-svc.mongodb.svc.cluster.local
  duration: 240h0m0s
  issuerRef:
    name: ca-issuer
  renewBefore: 120h0m0s
  secretName: mdb-om-with-https-cert
  usages:
  - server auth
  - client auth

Create the AppDB certificate:

Note

The spec.issuerRef.name parameter references the previously created CA ConfigMap.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: appdb-om-with-https-db-cert
  namespace: mongodb
spec:
  dnsNames:
  - om-with-https-db-0
  - om-with-https-db-0.om-with-https-db-svc.mongodb.svc.cluster.local
  - om-with-https-db-1
  - om-with-https-db-1.om-with-https-db-svc.mongodb.svc.cluster.local
  - om-with-https-db-2
  - om-with-https-db-2.om-with-https-db-svc.mongodb.svc.cluster.local
  duration: 240h0m0s
  issuerRef:
    name: ca-issuer
  renewBefore: 120h0m0s
  secretName: appdb-om-with-https-db-cert
  usages:
  - server auth
  - client auth

Create the Ops Manager resource:

apiVersion: mongodb.com/v1
kind: MongoDBOpsManager
metadata:
  name: om-with-https
  namespace: mongodb
spec:
  adminCredentials: ops-manager-admin-secret
  applicationDatabase:
    members: 3
    security:
      certsSecretPrefix: appdb
      tls:
        ca: ca-issuer
    version: 6.0.0-ubi8
  replicas: 1
  security:
    certsSecretPrefix: mdb
    tls:
      ca: ca-issuer

Renewing Certificates

cert-manager will renew certificates under the following circumstances:

The certificate expires according to its spec.duration and spec.renewBefore fields.
You delete the secret holding a certificate. In this case, cert-manager recreates the secret according to the configuration in your certificate custom resource.
You alter the configuration of the certificate custom resource. In this case, cert-manager recreates the secret that contains the certificate when it detects the changes to its configuration.

Back

Configure File System Backup

Disaster Recovery