Navigation

Secure Internal Authentication with X.509

On this page

This guide instructs you on how to configure:

  • X.509 internal authentication between MongoDB nodes in each cluster in your multi-Kubernetes-cluster deployments.
  • X.509 authentication from clients to your MongoDB instances.

Prerequisites

Before you secure your multi-Kubernetes-cluster deployment using TLS encryption, complete the following tasks:

Enabling X.509 authentication at the project level configures all agents to use X.509 client authentication when communicating with MongoDB deployments.

X.509 client authentication requires one of the following:

  • Cloud Manager
  • Ops Manager 5.0.7 or later

Configure X.509 Internal Authentication for a MongoDBMultiCluster Resource

1

Create the secret for your agent’s X.509 certificate of your MongoDBMultiCluster resource.

Run the kubectl command to create a new secret that stores the agent’s X.509 certificate:

copy 
kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
  --namespace=<metadata.namespace> \
create secret tls <prefix>-<metadata.name>-agent-certs \
  --cert=<agent-tls-cert> \
  --key=<agent-tls-key>
2

Create the secret for the member cluster’s internal X.509 certificate.

Run the kubectl command to create a new secret that stores the internal cluster member’s X.509 certificate. The member clusters are defined in your MongoDBMultiCluster resource.

copy 
kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
  --namespace=<metadata.namespace> \
create secret tls <prefix>-<metadata.name>-clusterfile \
  --cert=<resource-clusterfile-tls-cert> \
  --key=<resource-clusterfile-tls-key>
3

Update your MongoDBMultiCluster resource to enable X509 authentication.

Update your MongoDBMultiCluster custom resource with security settings from the Kubernetes Operator MongoDBMultiCluster resource specification. Add the internalCluster setting, under spec.authentication, and set it to "X509". The resulting configuration may look similar to the following example:

copy 
apiVersion: mongodb.com/v1
kind: MongoDBMultiCluster
metadata:
 name: multi-replica-set
spec:
 version: 5.0.0-ent
 type: ReplicaSet
 persistent: false
 duplicateServiceObjects: true
 credentials: my-credentials
 opsManager:
   configMapRef:
     name: my-project
 security:
   tls:
     ca: custom-ca
   certsSecretPrefix: <prefix>
 authentication:
   enabled: true
   modes: ["X509"]
   agents:
     mode: "X509"
   internalCluster: "X509"
 clusterSpecList:
   - clusterName: ${MDB_CLUSTER_1_FULL_NAME}
     members: 3
   - clusterName: ${MDB_CLUSTER_2_FULL_NAME}
     members: 2
   - clusterName: ${MDB_CLUSTER_3_FULL_NAME}
     members: 3

The Kubernetes Operator copies the ConfigMap with the CA created in the central cluster to each member cluster, generates a concatenated PEM secret, and distributes it to the member clusters.

4

Verify that the MongoDBMultiCluster resources are running.

  1. For member clusters, run the following commands to verify that the MongoDB Pods are in the running state:

    copy 
    kubectl get pods \
 --context=$MDB_CLUSTER_1_FULL_NAME \
 --namespace mongodb
    copy 
    kubectl get pods \
 --context=$MDB_CLUSTER_2_FULL_NAME \
 --namespace mongodb
    copy 
    kubectl get pods \
 --context=$MDB_CLUSTER_3_FULL_NAME \
 --namespace mongodb

  2. In the central cluster, run the following command to verify that the MongoDBMultiCluster resource is in the running state:

    copy 
    kubectl --context=$MDB_CENTRAL_CLUSTER_FULL_NAME \
  --namespace mongodb \
  get mdbmc multi-replica-set -o yaml -w

Renew Internal Authentication X.509 Certificates for a MongoDBMultiCluster Resource

If you have already created certificates, renew them periodically using the following procedure.

1

Renew the secret for a MongoDBMultiCluster resource.

Run this kubectl command to renew an existing secret that stores the certificates for the MongoDBMultiCluster resource:

copy 
kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
--namespace=<metadata.namespace> \
create secret tls <prefix>-<metadata.name>-cert \
--cert=<resource-tls-cert> \
--key=<resource-tls-key> \
--dry-run=client \
-o yaml |
kubectl apply -f -
2

Renew the secret for your agent’s X.509 certificates.

Run the kubectl command to renew an existing secret that stores the MongoDBMultiCluster resource agent certificates:

copy 
kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
  --namespace=<metadata.namespace> \
create secret tls <prefix>-<metadata.name>-agent-certs \
  --cert=<agent-tls-cert> \
  --key=<agent-tls-key> \
  --dry-run=client \
  -o yaml | kubectl apply -f -
3

Renew the secret for internal members’s X.509 certificates of the MongoDBMultiCluster resource.

Run the kubectl command to renew an existing secret that stores X.509 certificates for internal members of the MongoDBMultiCluster resource:

copy 
kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
  --namespace=<metadata.namespace> \
create secret tls <prefix>-<metadata.name>-clusterfile \
  --cert=<resource-clusterfile-tls-cert> \
   --key=<resource-clusterfile-tls-key> \
   --dry-run=client \
   -o yaml | kubectl apply -f -

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.