MongoDB Enterprise Kubernetes Operator

Secure Client Authentication with LDAP

์ด ํŽ˜์ด์ง€์˜ ๋‚ด์šฉ

MongoDB Enterprise supports:

  • Proxying authentication requests to a Lightweight Directory Access Protocol (LDAP) service.

  • Simple and SASL binding to LDAP servers. MongoDB Enterprise can bind to an LDAP server either through saslauthd or through the operating system libraries.

For details, see the LDAP Proxy Authentication and LDAP Authorization sections of the MongoDB Server manual.

Kubernetes ์—ฐ์‚ฐ์ž๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ MongoDB ๋ฐฐํฌ์— ์—ฐ๊ฒฐํ•˜๋Š” ํด๋ผ์ด์–ธํŠธ ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์„ ์ธ์ฆํ•˜๋„๋ก LDAP๋ฅผ ๊ตฌ์„ฑํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ด ๊ฐ€์ด๋“œ์—์„œ๋Š” ํด๋ผ์ด์–ธํŠธ ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์—์„œ MongoDB ๋ฐฐํฌ๋กœ LDAP ์ธ์ฆ์„ ๊ตฌ์„ฑํ•˜๋Š” ๋ฐฉ๋ฒ•์„ ์„ค๋ช…ํ•ฉ๋‹ˆ๋‹ค.

Note

You cannot secure standalone instances of MongoDB in a Kubernetes cluster.

  • The Kubernetes Operator uses the parameters under spec.security.authentication.ldap in the MongoDB resource specification, together with the other LDAP-related security settings for the MongoDB Agent, to configure LDAP in its CustomResourceDefinitions. The procedures in this section describe the required settings and provide an example LDAP configuration.

  • For stronger security, we recommend deploying a TLS-encrypted replica set or a TLS-encrypted sharded cluster. Encryption with TLS is optional. By default, LDAP traffic is sent in plain text, which means that usernames and passwords are exposed to anyone who can observe the network. Many modern directory services, such as Microsoft Active Directory, require encrypted connections. To encrypt authentication requests from your Kubernetes Operator MongoDB deployment to the LDAP server, we recommend using LDAP over TLS/SSL.

Before you configure LDAP authentication for a MongoDB deployment, complete the following:

  • Deploy a MongoDB Enterprise database resource. MongoDB Community databases do not support LDAP authentication.

  • Deploy the replica set or sharded cluster whose client authentication you want to secure with LDAP.

Replica Set

1

Change the settings of this YAML file to match your desired replica set configuration.

```yaml
---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: <my-replica-set>
spec:
  members: 3
  version: "4.2.2-ent"
  opsManager:
    configMapRef:
      # Must match metadata.name in ConfigMap file
      name: <configMap.metadata.name>
  credentials: <mycredentials>
  type: ReplicaSet
  persistent: true
  security:
    tls:
      ca: <custom-ca>
      certsSecretPrefix: <prefix>
...
```
2

์›ํ•˜๋Š” ํ…์ŠคํŠธ ํŽธ์ง‘๊ธฐ๋ฅผ ์—ด๊ณ  ๊ฐ์ฒด ๋ฅผ spec ๋ถ™์—ฌ๋„ฃ์Šต๋‹ˆ๋‹ค. ์„น์…˜์˜ ๋ฆฌ์†Œ์Šค ํŒŒ์ผ ๋์— ์žˆ์Šต๋‹ˆ๋‹ค.

3

๋ฐฐํฌ์—์„œ LDAP ๋ฅผ ํ™œ์„ฑํ™”ํ•˜๋ ค๋ฉด Kubernetes ๊ฐ์ฒด์—์„œ ๋‹ค์Œ ์„ค์ •์„ ๊ตฌ์„ฑํ•ฉ๋‹ˆ๋‹ค.

| Key | Type and necessity | Description | Example |
|---|---|---|---|
| spec.security.authentication.enabled | boolean, required | Set to true to use LDAP authentication. | true |
| spec.security.authentication.ldap.bindQueryUser | string, required | Specifies the LDAP Distinguished Name to which MongoDB binds when connecting to the LDAP server. | cn=admin,dc=example,dc=org |
| spec.security.authentication.ldap.bindQueryPasswordSecretRef.name | string, required | Specifies the name of the Secret that contains the password for the LDAP bind Distinguished Name that MongoDB uses when connecting to the LDAP server. | <secret-name> |
| spec.security.authentication.ldap.caConfigMapRef.name | string, optional | Name of the ConfigMap that stores the custom CA used to sign the deployment's TLS certificates. | <configmap-name> |
| spec.security.authentication.ldap.caConfigMapRef.key | string, optional | Name of the field in that ConfigMap that stores the CA used to validate the LDAP server's TLS certificate. | <configmap-key> |
| spec.security.authentication.ldap.servers | array of strings, required | Specifies a list of hostname:port combinations for one or more LDAP servers. Use a separate line for each server. | <example.com:636> |
| spec.security.authentication.ldap.transportSecurity | string, optional | Set to tls to use LDAPS (LDAP over TLS). Leave blank if the LDAP server does not accept TLS. To use this setting, you must configure the database resource to use TLS when you deploy it. | tls |
| spec.security.authentication.ldap.userToDNMapping | string, required | Specifies the mapping from the username provided to mongod or mongos for authentication to an LDAP Distinguished Name (DN). To learn more, see security.ldap.userToDNMapping and LDAP Query Template in the MongoDB Server documentation. | <match: "(.+)",substitution: "uid={0},ou=groups,dc=example,dc=org"> |
| spec.security.authentication.modes | string, required | Set to LDAP to use authentication via LDAP. | LDAP |

๊ฒฐ๊ณผ ๊ตฌ์„ฑ์€ ๋‹ค์Œ ์˜ˆ์‹œ์™€ ์œ ์‚ฌํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

```yaml
security:
  authentication:
    enabled: true
    # Enabled LDAP Authentication Mode
    modes:
    - "LDAP"
    - "SCRAM"
    # LDAP related configuration
    ldap:
      # Specify the hostname:port combination of one or
      # more LDAP servers
      servers:
      - "ldap1.example.com:636"
      - "ldap2.example.com:636"
      # Set to "tls" to use LDAP over TLS. Leave blank if
      # the LDAP server doesn't accept TLS. You must enable TLS when you deploy the database resource to use this setting.
      transportSecurity: "tls"
      # If TLS is enabled, add a reference to a ConfigMap that
      # contains a CA certificate that validates the LDAP server's
      # TLS certificate.
      caConfigMapRef:
        name: "<configmap-name>"
        key: "<configmap-entry-key>"
      # Specify the LDAP Distinguished Name to which
      # MongoDB binds when connecting to the LDAP server
      bindQueryUser: "cn=admin,dc=example,dc=org"
      # Specify the password with which MongoDB binds
      # when connecting to an LDAP server. This is a
      # reference to a Secret Kubernetes Object containing
      # one "password" key.
      bindQueryPasswordSecretRef:
        name: "<secret-name>"
```

LDAP ์„ค์ •์˜ ์ „์ฒด ๋ชฉ๋ก์€ Kubernetes ์—ฐ์‚ฐ์ž MongoDB ๋ฆฌ์†Œ์Šค ์‚ฌ์–‘์˜ ๋ณด์•ˆ ์„ค์ • ์„ ์ฐธ์กฐํ•˜์„ธ์š”. LDAP ์ง€์› Kubernetes ์—ฐ์‚ฐ์ž ๋ฐฐํฌ์—์„œ MongoDB ์—์ด์ „ํŠธ ์‚ฌ์šฉ์ž์— ๋Œ€ํ•œ spec.security.authentication.agents.automationUserName ์„ค์ •๋„ ์ฐธ์กฐํ•˜์„ธ์š”.

4

Kubernetes ์—ฐ์‚ฐ์ž MongoDB ๋ฆฌ์†Œ์Šค ์‚ฌ์–‘์—์„œ Agent ๊ด€๋ จ ๋ณด์•ˆ ์„ค์ • ์œผ๋กœ MongoDB ๋ฆฌ์†Œ์Šค๋ฅผ ์—…๋ฐ์ดํŠธํ•ฉ๋‹ˆ๋‹ค . ๊ฒฐ๊ณผ ๊ตฌ์„ฑ์€ ๋‹ค์Œ ์˜ˆ์‹œ์™€ ์œ ์‚ฌํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

```yaml
security:
  authentication:
    agents:
      automationPasswordSecretRef:
        key: automationConfigPassword
        name: automation-config-password
      automationUserName: mms-automation-agent
      clientCertificateSecretRef:
        name: agent-client-cert
      mode: LDAP
    enabled: true
    ldap:
      bindQueryPasswordSecretRef:
        name: bind-query-password
      bindQueryUser: cn=admin,dc=example,dc=org
      servers:
      - openldap.namespace.svc.cluster.local:389
      userToDNMapping: '[{match: "(.+)",substitution: "uid={0},ou=groups,dc=example,dc=org"}]'
    modes:
    - LDAP
    - SCRAM
    requireClientTLSAuthentication: false
```
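The following Python script is an added example, not code from the MongoDB documentation or the Operator project. It applies the rules from the settings table in step 3 and the Agent settings in step 4 to a spec.security block before you run kubectl apply: it checks the required keys, the hostname:port form of each server entry, the pairing of transportSecurity with TLS on the deployment and a caConfigMapRef, parses the relaxed-JSON userToDNMapping string (unquoted keys, as on this page), and resolves a sample username through it. The sample spec is constructed from the examples above; the ConfigMap and Secret names, the anchored (full-string) regex matching in map_user_to_dn, and the check that a TLS-enabled deployment carries a spec.security.tls block are assumptions made for this example. The plaintext variant reproduces the step 4 shape (port 389, no transportSecurity) and shows the warning that the note at the top of this page is about.

```python
import copy
import json
import re

# Constructed sample built from the page's step 3 and step 4 examples (not from the MongoDB
# docs); the ConfigMap and Secret names are placeholders chosen for this example.
SAMPLE_SPEC = {
    "security": {
        "tls": {"ca": "custom-ca", "certsSecretPrefix": "prefix"},
        "authentication": {
            "enabled": True,
            "modes": ["LDAP", "SCRAM"],
            "agents": {
                "mode": "LDAP",
                "automationUserName": "mms-automation-agent",
                "automationPasswordSecretRef": {"name": "automation-config-password", "key": "automationConfigPassword"},
            },
            "ldap": {
                "servers": ["ldap1.example.com:636", "ldap2.example.com:636"],
                "transportSecurity": "tls",
                "caConfigMapRef": {"name": "ldap-ca", "key": "ca.crt"},
                "bindQueryUser": "cn=admin,dc=example,dc=org",
                "bindQueryPasswordSecretRef": {"name": "bind-query-password"},
                "userToDNMapping": '[{match: "(.+)",substitution: "uid={0},ou=groups,dc=example,dc=org"}]',
            },
        },
    }
}

_HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:(\d{1,5})$")


def parse_user_to_dn_mapping(raw):
    """Parse the userToDNMapping string; unquoted keys (as on the page) are quoted first."""
    quoted = re.sub(r'([{,]\s*)([A-Za-z_]\w*)\s*:', r'\1"\2":', raw)
    mapping = json.loads(quoted)
    if not isinstance(mapping, list):
        raise ValueError("userToDNMapping must be a JSON array")
    for entry in mapping:
        if "match" not in entry or not ("substitution" in entry or "ldapQuery" in entry):
            raise ValueError("each rule needs 'match' plus 'substitution' or 'ldapQuery'")
        re.compile(entry["match"])  # raises re.error on a bad pattern
    return mapping


def map_user_to_dn(mapping, username):
    """Resolve a username with the first matching substitution rule; {N} is capture group N.
    Assumption for this example: the match is anchored to the whole username (re.fullmatch)."""
    for entry in mapping:
        m = re.fullmatch(entry["match"], username)
        if m and "substitution" in entry:
            dn = entry["substitution"]
            for i, group in enumerate(m.groups()):
                dn = dn.replace("{%d}" % i, group)
            return dn
    return None


def validate_security(spec):
    """Return (level, message) findings for a spec.security block; [] means all checks passed."""
    findings = []
    sec = spec.get("security", {})
    auth = sec.get("authentication", {})
    ldap = auth.get("ldap", {})
    if auth.get("enabled") is not True:
        findings.append(("error", "authentication.enabled must be true"))
    if "LDAP" not in auth.get("modes", []):
        findings.append(("error", "authentication.modes must include LDAP"))
    for key in ("bindQueryUser", "servers", "userToDNMapping"):
        if key not in ldap:
            findings.append(("error", "ldap.%s is required" % key))
    if not ldap.get("bindQueryPasswordSecretRef", {}).get("name"):
        findings.append(("error", "ldap.bindQueryPasswordSecretRef.name is required"))
    for server in ldap.get("servers", []):
        m = _HOST_PORT.match(server)
        if not m or not 0 < int(m.group(1)) < 65536:
            findings.append(("error", "ldap.servers entry %r is not hostname:port" % server))
    transport = ldap.get("transportSecurity", "")
    if transport == "tls":
        if "tls" not in sec:  # assumption: the deployment's TLS block lives at spec.security.tls
            findings.append(("error", "transportSecurity tls requires TLS on the database resource"))
        if not ldap.get("caConfigMapRef", {}).get("name"):
            findings.append(("warn", "no caConfigMapRef: no custom CA is configured to validate the LDAP server certificate"))
    elif transport == "":
        findings.append(("warn", "transportSecurity blank: bind password and user credentials cross the network in plain text"))
    else:
        findings.append(("error", "transportSecurity must be 'tls' or blank, got %r" % transport))
    try:
        parse_user_to_dn_mapping(ldap.get("userToDNMapping", "[]"))
    except (ValueError, re.error) as exc:
        findings.append(("error", "userToDNMapping is invalid: %s" % exc))
    agents = auth.get("agents", {})
    if agents.get("mode") == "LDAP":
        if not agents.get("automationUserName"):
            findings.append(("error", "agents.mode LDAP requires agents.automationUserName"))
        if not agents.get("automationPasswordSecretRef", {}).get("name"):
            findings.append(("error", "agents.mode LDAP requires agents.automationPasswordSecretRef.name"))
    return findings


def plaintext_variant(spec):
    """Constructed variant shaped like the step 4 example: port 389 and no transportSecurity."""
    variant = copy.deepcopy(spec)
    ldap = variant["security"]["authentication"]["ldap"]
    ldap["servers"] = ["openldap.namespace.svc.cluster.local:389"]
    ldap["transportSecurity"] = ""
    ldap.pop("caConfigMapRef", None)
    return variant


if __name__ == "__main__":
    for label, spec in (("tls", SAMPLE_SPEC), ("plaintext", plaintext_variant(SAMPLE_SPEC))):
        print(label, validate_security(spec) or "OK")
    rules = parse_user_to_dn_mapping(SAMPLE_SPEC["security"]["authentication"]["ldap"]["userToDNMapping"])
    print("alice ->", map_user_to_dn(rules, "alice"))
```

Run it as a pre-commit or pre-apply check on the rendered resource: the TLS sample passes cleanly, the plaintext variant passes the required-key checks but reports the warning, and "alice" resolves to uid=alice,ou=groups,dc=example,dc=org, which is the DN mongod will bind or query as. A username that does not match any rule resolves to None, which is the case to look at first when LDAP logins fail after a mapping change.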
5
6

๋‹ค์Œ Kubernetes ๋ช…๋ น์„ ํ˜ธ์ถœํ•˜์—ฌ ๋ณต์ œ๋ณธ ์„ธํŠธ๋ฅผ ์—…๋ฐ์ดํŠธํ•ฉ๋‹ˆ๋‹ค.

```sh
kubectl apply -f <replica-set-conf>.yaml
```

7

MongoDB ๋ฆฌ์†Œ์Šค์˜ ์ƒํƒœ๋ฅผ ํ™•์ธํ•˜๋ ค๋ฉด ๋‹ค์Œ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜์„ธ์š”.

```sh
kubectl get mdb <resource-name> -o yaml -w
```

With the -w (watch) flag set, the output refreshes immediately whenever the configuration changes, until the status phase reaches Running. To learn more about resource deployment statuses, see Troubleshooting the Kubernetes Operator.

Sharded Cluster

1

Change the settings of this YAML file to match your desired sharded cluster configuration.

```yaml
---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: <my-sharded-cluster>
spec:
  shardCount: 2
  mongodsPerShardCount: 3
  mongosCount: 2
  configServerCount: 3
  version: "4.2.2-ent"
  opsManager:
    configMapRef:
      name: <configMap.metadata.name>
      # Must match metadata.name in ConfigMap file
  credentials: <mycredentials>
  type: ShardedCluster
  persistent: true
  security:
    tls:
      ca: <custom-ca>
      certsSecretPrefix: <prefix>
...
```
2

์›ํ•˜๋Š” ํ…์ŠคํŠธ ํŽธ์ง‘๊ธฐ๋ฅผ ์—ด๊ณ  ๊ฐ์ฒด ๋ฅผ spec ๋ถ™์—ฌ๋„ฃ์Šต๋‹ˆ๋‹ค. ์„น์…˜์˜ ๋ฆฌ์†Œ์Šค ํŒŒ์ผ ๋์— ์žˆ์Šต๋‹ˆ๋‹ค.

3

๋ฐฐํฌ์—์„œ LDAP ๋ฅผ ํ™œ์„ฑํ™”ํ•˜๋ ค๋ฉด Kubernetes ๊ฐ์ฒด์—์„œ ๋‹ค์Œ ์„ค์ •์„ ๊ตฌ์„ฑํ•ฉ๋‹ˆ๋‹ค.


4

Kubernetes ์—ฐ์‚ฐ์ž MongoDB ๋ฆฌ์†Œ์Šค ์‚ฌ์–‘์—์„œ Agent ๊ด€๋ จ ๋ณด์•ˆ ์„ค์ • ์œผ๋กœ MongoDB ๋ฆฌ์†Œ์Šค๋ฅผ ์—…๋ฐ์ดํŠธํ•ฉ๋‹ˆ๋‹ค . ๊ฒฐ๊ณผ ๊ตฌ์„ฑ์€ ๋‹ค์Œ ์˜ˆ์‹œ์™€ ์œ ์‚ฌํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

5
6

๋‹ค์Œ Kubernetes ๋ช…๋ น์„ ํ˜ธ์ถœํ•˜์—ฌ ์ƒค๋“œ ํด๋Ÿฌ์Šคํ„ฐ๋ฅผ ์—…๋ฐ์ดํŠธํ•ฉ๋‹ˆ๋‹ค.

```sh
kubectl apply -f <sharded-cluster-conf>.yaml
```

7

MongoDB ๋ฆฌ์†Œ์Šค์˜ ์ƒํƒœ๋ฅผ ํ™•์ธํ•˜๋ ค๋ฉด ๋‹ค์Œ ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜์„ธ์š”.

```sh
kubectl get mdb <resource-name> -o yaml -w
```

With the -w (watch) flag set, the output refreshes immediately whenever the configuration changes, until the status phase reaches Running. To learn more about resource deployment statuses, see Troubleshooting the Kubernetes Operator.

์ด ํŽ˜์ด์ง€์˜ ๋‚ด์šฉ