Secure Internal Authentication with X.509
On this page
- Prerequisites
- Configure X.509 Internal Authentication for a MongoDBMultiCluster Resource
  - Create the secret for your agent's X.509 certificate of your MongoDBMultiCluster resource.
  - Create the secret for the member cluster's internal X.509 certificate.
  - Update your MongoDBMultiCluster resource to enable X509 authentication.
  - Verify that the MongoDBMultiCluster resources are running.
- Renew Internal Authentication X.509 Certificates for a MongoDBMultiCluster Resource
  - Renew the secret for a MongoDBMultiCluster resource.
  - Renew the secret for your agent's X.509 certificates.
  - Renew the secret for internal members' X.509 certificates of the MongoDBMultiCluster resource.
This guide instructs you on how to configure:
- X.509 internal authentication between MongoDB nodes in each cluster in your multi-Kubernetes-cluster deployments.
- X.509 authentication from clients to your MongoDB instances.
Prerequisites
Before you secure your multi-Kubernetes-cluster deployment using TLS encryption, complete the following tasks:
- Follow the steps in the Multi-Cluster Quick Start Prerequisites.
- Create credentials for the Kubernetes Operator.
Enabling X.509 authentication at the project level configures all agents to use X.509 client authentication when communicating with MongoDB deployments.
X.509 client authentication requires one of the following:
- Cloud Manager
- Ops Manager 5.0.7 or later
Configure X.509 Internal Authentication for a MongoDBMultiCluster Resource
Create the secret for your agent's X.509 certificate of your MongoDBMultiCluster resource.
Run the kubectl command to create a new secret that stores the agent's X.509 certificate:
  kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
    --namespace=<metadata.namespace> \
    create secret tls <prefix>-<metadata.name>-agent-certs \
    --cert=<agent-tls-cert> \
    --key=<agent-tls-key>
Create the secret for the member cluster's internal X.509 certificate.
Run the kubectl command to create a new secret that stores the internal cluster member's X.509 certificate. The member clusters are defined in your MongoDBMultiCluster resource.
  kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
    --namespace=<metadata.namespace> \
    create secret tls <prefix>-<metadata.name>-clusterfile \
    --cert=<resource-clusterfile-tls-cert> \
    --key=<resource-clusterfile-tls-key>
Update your MongoDBMultiCluster resource to enable X509 authentication.
Update your MongoDBMultiCluster custom resource with security settings from the Kubernetes Operator MongoDBMultiCluster resource specification.
Add the internalCluster setting, under spec.authentication, and set it to "X509". The resulting configuration may look similar to the following example:
  apiVersion: mongodb.com/v1
  kind: MongoDBMultiCluster
  metadata:
    name: multi-replica-set
  spec:
    version: 5.0.0-ent
    type: ReplicaSet
    persistent: false
    duplicateServiceObjects: true
    credentials: my-credentials
    opsManager:
      configMapRef:
        name: my-project
    security:
      tls:
        ca: custom-ca
      certsSecretPrefix: <prefix>
      authentication:
        enabled: true
        modes: ["X509"]
        agents:
          mode: "X509"
        internalCluster: "X509"
    clusterSpecList:
      - clusterName: ${MDB_CLUSTER_1_FULL_NAME}
        members: 3
      - clusterName: ${MDB_CLUSTER_2_FULL_NAME}
        members: 2
      - clusterName: ${MDB_CLUSTER_3_FULL_NAME}
        members: 3
The Kubernetes Operator copies the ConfigMap with the certificate authority created in the central cluster to each member cluster, generates a concatenated PEM secret, and distributes it to the member clusters.
Verify that the MongoDBMultiCluster resources are running.
For member clusters, run the following commands to verify that the MongoDB Pods are in the running state:
  kubectl get pods \
    --context=$MDB_CLUSTER_1_FULL_NAME \
    --namespace mongodb
  kubectl get pods \
    --context=$MDB_CLUSTER_2_FULL_NAME \
    --namespace mongodb
  kubectl get pods \
    --context=$MDB_CLUSTER_3_FULL_NAME \
    --namespace mongodb
In the central cluster, run the following command to verify that the MongoDBMultiCluster resource is in the running state:
  kubectl --context=$MDB_CENTRAL_CLUSTER_FULL_NAME \
    --namespace mongodb \
    get mdbmc multi-replica-set -o yaml -w
Renew Internal Authentication X.509 Certificates for a MongoDBMultiCluster Resource
If you have already created certificates, renew them periodically using the following procedure.
Renew the secret for a MongoDBMultiCluster resource.
Run this kubectl command to renew an existing secret that stores the certificates for the MongoDBMultiCluster resource:
  kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
    --namespace=<metadata.namespace> \
    create secret tls <prefix>-<metadata.name>-cert \
    --cert=<resource-tls-cert> \
    --key=<resource-tls-key> \
    --dry-run=client \
    -o yaml | kubectl apply -f -
Renew the secret for your agent's X.509 certificates.
Run the kubectl command to renew an existing secret that stores the MongoDBMultiCluster resource agent certificates:
  kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
    --namespace=<metadata.namespace> \
    create secret tls <prefix>-<metadata.name>-agent-certs \
    --cert=<agent-tls-cert> \
    --key=<agent-tls-key> \
    --dry-run=client \
    -o yaml | kubectl apply -f -
Renew the secret for internal members' X.509 certificates of the MongoDBMultiCluster resource.
Run the kubectl command to renew an existing secret that stores X.509 certificates for internal members of the MongoDBMultiCluster resource:
  kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
    --namespace=<metadata.namespace> \
    create secret tls <prefix>-<metadata.name>-clusterfile \
    --cert=<resource-clusterfile-tls-cert> \
    --key=<resource-clusterfile-tls-key> \
    --dry-run=client \
    -o yaml | kubectl apply -f -
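The three renewal commands above share one shape, so the following added example (not from the MongoDB documentation or the Operator) wraps them in a script that derives the secret name from the prefix and metadata.name, refuses a certificate whose private key does not match, and only re-applies a secret when the certificate expires within a renewal window. It assumes openssl and kubectl are on PATH, that MDB_CENTRAL_CLUSTER_FULL_NAME is set as on this page, and that NAMESPACE and RENEW_WINDOW_SECS (a constructed default of 30 days) are set by the caller.

```shell
#!/usr/bin/env sh
# Added example: gated renewal of the Operator's X.509 secrets.
# Assumed environment: MDB_CENTRAL_CLUSTER_FULL_NAME, NAMESPACE,
# RENEW_WINDOW_SECS (constructed default: 30 days in seconds).
set -eu
RENEW_WINDOW_SECS="${RENEW_WINDOW_SECS:-2592000}"

# Build the secret name the Operator expects: <prefix>-<metadata.name>-<suffix>.
# Only the three suffixes used on this page are accepted.
secret_name() {
  prefix="$1"; name="$2"; suffix="$3"
  case "$suffix" in
    cert|agent-certs|clusterfile) ;;
    *) echo "unknown secret suffix: $suffix" >&2; return 1 ;;
  esac
  printf '%s-%s-%s\n' "$prefix" "$name" "$suffix"
}

# Succeed only when the public key in the certificate equals the one
# derived from the private key, so a mismatched pair is never applied.
pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeed when the certificate expires within RENEW_WINDOW_SECS
# (openssl -checkend exits 0 only if the cert is still valid past the window).
needs_renewal() {
  ! openssl x509 -in "$1" -noout -checkend "$RENEW_WINDOW_SECS" >/dev/null
}

# renew_secret <prefix> <metadata.name> <suffix> <cert-file> <key-file>
renew_secret() {
  sname=$(secret_name "$1" "$2" "$3")
  pair_matches "$4" "$5" || { echo "$sname: key/cert mismatch" >&2; return 1; }
  if ! needs_renewal "$4"; then
    echo "$sname: certificate valid beyond renewal window, skipping"
    return 0
  fi
  # Same create-then-apply pattern as the page's renewal commands.
  kubectl --context "$MDB_CENTRAL_CLUSTER_FULL_NAME" \
    --namespace "$NAMESPACE" \
    create secret tls "$sname" --cert="$4" --key="$5" \
    --dry-run=client -o yaml | kubectl apply -f -
}
```

Run it once per secret, for example renew_secret "$PREFIX" multi-replica-set agent-certs agent.crt agent.key, from a scheduled job so rotation happens before expiry rather than after an outage.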