Charmed Operator for MongoDB

Channel      Revision  Published    Runs on
6/stable     61        15 Nov 2024  Ubuntu 22.04
6/candidate  61        15 Nov 2024  Ubuntu 22.04
6/beta       61        15 Nov 2024  Ubuntu 22.04
6/edge       61        15 Nov 2024  Ubuntu 22.04
5/edge       39        14 Dec 2023  Ubuntu 22.04
juju deploy mongodb-k8s --channel 6/stable
How to enable encryption

This guide will show how to enable TLS using the self-signed-certificates operator as an example.

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the TLS certificates charms available.


Enable and disable TLS in a replica set

Enable TLS

Deploy the TLS charm:

juju deploy self-signed-certificates

To enable TLS, integrate (formerly known as “relate”) the two applications:

juju integrate self-signed-certificates mongodb-k8s

Your replica set now has encryption enabled via TLS.

Disable TLS

To disable TLS, just remove the integration:

juju remove-relation mongodb-k8s self-signed-certificates

Enable and disable TLS in a sharded cluster

Enabling encryption via TLS in a sharded cluster can be done before or after shards are added to the config-server.

However, it requires that:

  1. All cluster components have encryption enabled.
  2. All cluster components are integrated with the same Certificate Authority.

Enable TLS

Deploy the TLS charm:

juju deploy self-signed-certificates --config ca-common-name="Example CA"

Integrate your Certificate Authority into all cluster components. In a cluster with two shards and a config-server this would be done as follows:

juju integrate config-server self-signed-certificates
juju integrate shard-one self-signed-certificates
juju integrate shard-two self-signed-certificates

Your sharded cluster now has encryption enabled via TLS.

Disable TLS

To disable TLS, just remove the integrations:

juju remove-relation config-server self-signed-certificates
juju remove-relation shard-one self-signed-certificates
juju remove-relation shard-two self-signed-certificates

Rotate private keys

Updates to the internal and external private keys used for certificate signing requests (CSRs) can be made via the set-tls-private-key action. To update all keys, you must run the set-tls-private-key action on every charmed MongoDB unit in your replica set or sharded cluster.

Rotate with a manually generated key

To rotate your private keys, first generate the new keys:

openssl genrsa -out internal-key.pem 3072
openssl genrsa -out external-key.pem 3072

Then, apply the new keys to the leader unit of your replica set or config-server.

Note: Keys must be passed to juju as the output of base64 -w0, not cat.

juju run <application-name>/leader set-tls-private-key \
  "internal-key=$(base64 -w0 internal-key.pem)" "external-key=$(base64 -w0 external-key.pem)"
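The action has to run on every unit, not only the leader, so the manual steps above are easiest to apply as a script. The following is an added example, not part of the charm's documentation; it assumes juju, openssl and jq are installed, the target model is already selected, and the application names are passed as arguments.

```shell
#!/usr/bin/env bash
# Added example, not from the charm's documentation: rotate the internal and
# external TLS private keys on every unit of the given applications, since the
# set-tls-private-key action must run on all units. Assumes juju, openssl and
# jq are installed and the model is already selected.
set -euo pipefail

# One-line base64 of a PEM file. PEM is multi-line, so `cat` would inject
# newlines into the action parameter; -w0 disables line wrapping.
encode_pem() {
  base64 -w0 "$1"
}

# Action parameters for one pair of PEM files, on a single line.
action_args() {
  local internal_pem=$1 external_pem=$2
  printf 'internal-key=%s external-key=%s' \
    "$(encode_pem "$internal_pem")" "$(encode_pem "$external_pem")"
}

# Unit names of an application, read from the `juju status` JSON output.
units_of() {
  juju status "$1" --format=json |
    jq -r --arg app "$1" '.applications[$app].units | keys[]'
}

# Generate fresh 3072-bit keys and push them to every unit of every application.
rotate_all() {
  local args
  openssl genrsa -out internal-key.pem 3072
  openssl genrsa -out external-key.pem 3072
  args=$(action_args internal-key.pem external-key.pem)
  for app in "$@"; do
    for unit in $(units_of "$app"); do
      echo "rotating keys on $unit"
      # base64 output contains no spaces, so $args splits into exactly two params
      juju run "$unit" set-tls-private-key $args
    done
  done
}

# Usage: ./rotate-tls-keys.sh config-server shard-one shard-two
if [ "$#" -gt 0 ]; then
  rotate_all "$@"
fi
```

For a replica set, pass the single application name; for a sharded cluster, list the config-server and every shard so all components end up with rotated keys.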

Rotate with an autogenerated key

The keys can be auto-generated and set as follows:

juju run <application-name>/leader set-tls-private-key