Configure KMIP Backup Encryption for Ops Manager

Ops Manager can encrypt backup jobs. You can use the Kubernetes Operator to configure KMIP backup encryption for Ops Manager. To learn more, see Encrypted Backup Snapshots.

Procedure

1

Create the ConfigMap of the CA.

Run the following command:

kubectl -n mongodb create configmap mongodb-kmip-certificate-authority-pem --from-file=ca-pem
2

Configure the Ops Manager custom resource to use KMIP backup encryption.

Configure the spec.backup.encryption.kmip settings.

  apiVersion: mongodb.com/v1
  kind: MongoDBOpsManager
  metadata:
    name: om-backup-kmip
  spec:
    replicas: 1
    version: 6.0.0
    adminCredentials: ops-manager-admin-secret
    backup:
      encryption:
        kmip:
          server:
            url: kmip.corp.mongodb.com:5696
            ca: mongodb-kmip-certificate-authority-pem
3

Save your Ops Manager config file.

4

Apply changes to your Ops Manager deployment.

Invoke the following kubectl command on the filename of the Ops Manager resource definition:

kubectl apply -f <opsmgr-resource>.yaml
5

Check the status of your Ops Manager resources.

Run the following command:

kubectl get om <resource-name> -o yaml -w
6

Create the secret of the client certificate and private key.

Run the following command:

kubectl -n mongodb create secret tls mongodb-kmip-client-pem-my-replica-set-client-kmip \
--cert=<path-to-cert-file> \
--key=<path-to-key-file>

The client certificate secret name has the following naming convention inferred from the MongoDB CustomResourceDefinition:

<clientCertificatePrefix>-<objectMeta.name>-client-kmip

clientCertificatePrefix: Human-readable label specified in the spec.backup.encryption.kmip.client.clientCertificatePrefix field of the MongoDB CustomResourceDefinition.

objectMeta.name: Human-readable label specified in the metadata.name field of the MongoDB CustomResourceDefinition.

client-kmip: Fixed suffix that the Kubernetes Operator assumes.

To learn more, see kubernetes.io/tls.

7

Configure your MongoDB database deployment.

Configure the spec.backup.encryption.kmip settings.

  apiVersion: mongodb.com/v1
  kind: MongoDB
  metadata:
    name: my-replica-set
  spec:
    members: 3
    version: 4.0.20
    type: ReplicaSet
    backup:
      encryption:
        kmip:
          client:
            clientCertificatePrefix: mongodb-kmip-client-pem

To learn more, see deploy a replica set or deploy a sharded cluster.

8

Save your MongoDB database deployment config file.

9

Apply changes to your MongoDB database deployment.

Invoke the following kubectl command on the filename of the MongoDB database resource definition:

kubectl apply -f <mdb-database-deployment>.yaml
10

Check the status of your MongoDB database deployment.

Run the following command:

kubectl get mdb <resource-name> -o yaml -w
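The steps above depend on two objects that the Kubernetes Operator only references by name: the CA ConfigMap named in the Ops Manager resource and the client TLS Secret whose name is derived from the MongoDB resource. The following script, added here as an example and not part of the MongoDB documentation or the Operator, derives the expected Secret name from the naming convention in step 6 and checks that both objects exist and that the Secret has the kubernetes.io/tls type the Operator expects. The function names and the RUN_KMIP_CHECK variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the MongoDB docs or the Operator): sanity-check the
# KMIP objects the Operator references by name.

# Derive the client TLS Secret name the Operator looks up:
#   <clientCertificatePrefix>-<metadata.name>-client-kmip
kmip_client_secret_name() {
  prefix="$1"
  mdb_name="$2"
  if [ -z "$prefix" ] || [ -z "$mdb_name" ]; then
    echo "usage: kmip_client_secret_name <clientCertificatePrefix> <metadata.name>" >&2
    return 1
  fi
  printf '%s-%s-client-kmip\n' "$prefix" "$mdb_name"
}

# Check that the CA ConfigMap and the client Secret exist in the namespace and
# that the Secret is a kubernetes.io/tls Secret (tls.crt and tls.key keys).
# Arguments: <namespace> <ca-configmap> <clientCertificatePrefix> <metadata.name>
kmip_check_objects() {
  ns="$1"; ca_cm="$2"; prefix="$3"; mdb_name="$4"
  secret="$(kmip_client_secret_name "$prefix" "$mdb_name")" || return 1
  rc=0
  if ! kubectl -n "$ns" get configmap "$ca_cm" >/dev/null 2>&1; then
    echo "missing CA ConfigMap $ns/$ca_cm (referenced by spec.backup.encryption.kmip.server.ca)" >&2
    rc=1
  fi
  secret_type="$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.type}' 2>/dev/null)"
  if [ -z "$secret_type" ]; then
    echo "missing client Secret $ns/$secret (create it with 'kubectl create secret tls')" >&2
    rc=1
  elif [ "$secret_type" != "kubernetes.io/tls" ]; then
    echo "Secret $ns/$secret has type $secret_type, expected kubernetes.io/tls" >&2
    rc=1
  fi
  return $rc
}

# Values taken from the manifests on this page; set RUN_KMIP_CHECK=1 to run
# against a live cluster (the check is skipped otherwise so the file sources cleanly).
if [ "${RUN_KMIP_CHECK:-0}" = "1" ]; then
  kmip_check_objects mongodb mongodb-kmip-certificate-authority-pem \
    mongodb-kmip-client-pem my-replica-set
fi
```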