Charmed MongoDB

Channel        Revision  Published    Runs on
6/beta         149       17 Jan 2024  Ubuntu 22.04
6/edge         154       16 Feb 2024  Ubuntu 22.04
5/stable       117       20 Apr 2023  Ubuntu 22.04
5/candidate    117       20 Apr 2023  Ubuntu 22.04
5/edge         139       21 Nov 2023  Ubuntu 22.04
3.6/stable     100       28 Apr 2023  Ubuntu 20.04, Ubuntu 18.04
3.6/candidate  100       13 Apr 2023  Ubuntu 20.04, Ubuntu 18.04
3.6/edge       100       03 Feb 2023  Ubuntu 20.04, Ubuntu 18.04

juju deploy mongodb --channel 6/beta

Enable security in your MongoDB deployment

This page is part of the tutorial Deploy a MongoDB replica set.

Transport Layer Security

Transport Layer Security (TLS) is used to encrypt data exchanged between two applications; it secures data transmitted over the network. Typically, enabling TLS within a highly available database, and between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. Fortunately, the domain-specific knowledge has been encoded into Charmed MongoDB K8S. This means enabling TLS on Charmed MongoDB K8S is readily available and requires minimal effort on your end.

Again, relations come in handy here as TLS is enabled via relations; i.e. by relating Charmed MongoDB K8s to the Self Signed Certificates Charm. The Self Signed Certificates Charm centralises self-signed certificate management in a consistent manner and handles providing, requesting, and renewing self-signed TLS certificates.

Note: For the sake of this tutorial only, we will use self-signed certificates provided by self-signed-certificates-operator. For production environments you should use tls-certificates-operator.

Configure TLS

Before enabling TLS on Charmed MongoDB, we must first deploy the tls-certificates-operator charm:

juju deploy tls-certificates-operator

Wait until tls-certificates-operator is ready to be configured. When it is, juju status --watch 1s will show:

Model     Controller  Cloud/Region         Version  SLA          Timestamp
tutorial  overlord    localhost/localhost  3.1.6   unsupported  09:24:12Z

App                        Version  Status   Scale  Charm                      Channel   Rev  Exposed  Message
mongodb                             active       2  mongodb                    5/edge   96  no       Replica set primary
tls-certificates-operator           blocked      1  tls-certificates-operator  edge       16  no       Configuration options missing: ['certificate', 'ca-certificate']

Unit                          Workload  Agent  Machine  Public address  Ports      Message
mongodb/0*                    active    idle   0        10.23.62.156    27017/tcp  Replica set primary
mongodb/1                     active    idle   1        10.23.62.55     27017/tcp  Replica set secondary
tls-certificates-operator/0*  blocked   idle   3        10.23.62.8                 Configuration options missing: ['certificate', 'ca-certificate']

Machine  State    Address       Inst id        Series  AZ  Message
0        started  10.23.62.156  juju-d35d30-0  jammy       Running
1        started  10.23.62.55   juju-d35d30-1  jammy       Running
3        started  10.23.62.8    juju-d35d30-3  jammy       Running

Now we can configure the TLS certificates. Configure tls-certificates-operator to use self-signed certificates:

juju config tls-certificates-operator generate-self-signed-certificates="true" ca-common-name="Tutorial CA" 

Note: this tutorial uses self-signed certificates; self-signed certificates should not be used in a production cluster.

Enable TLS

After configuring the certificates, juju status --watch 1s will show the status of tls-certificates-operator as active. To enable TLS on Charmed MongoDB, relate the two applications:

juju integrate tls-certificates-operator mongodb

Connect to MongoDB with TLS

Like before, generate and save the URI that is used to connect to MongoDB:

export URI="mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP/$DB_NAME?replicaSet=$REPL_SET_NAME"
echo "$URI"

Now ssh into mongodb/0:

juju ssh mongodb/0

After sshing into mongodb/0, we are in the unit that is hosting Charmed MongoDB. Now that TLS has been enabled, we need to change how we connect to MongoDB: specifically, we need to specify the TLS CA file along with the TLS certificate file. These are on the units hosting the Charmed MongoDB application in the folder /var/snap/charmed-mongodb/common/etc/mongod. If you enter ls /var/snap/charmed-mongodb/current/etc/mongod/external* you should see the external certificate file and the external CA file:

/var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt  /var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem
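
A check worth running on the unit before connecting, as an added example that is not part of the original tutorial or the charm: it confirms that the certificate validates against the CA file, that the private key in the PEM belongs to that certificate, and that the certificate is not about to expire. It assumes openssl is installed and that external-cert.pem holds both the certificate and its key; check_tls_pair is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example, not charm code. check_tls_pair is a hypothetical helper.
# Usage: check_tls_pair CA_FILE CERT_KEY_PEM [MIN_DAYS]
# Returns 0 ok | 1 not signed by CA | 2 key/cert mismatch
#         3 expires within MIN_DAYS (default 30) | 4 unreadable file
check_tls_pair() {
    local ca=$1 pem=$2 min_days=${3:-30} cert_pub key_pub

    if [ ! -r "$ca" ] || [ ! -r "$pem" ]; then
        echo "ERROR: cannot read $ca or $pem" >&2
        return 4
    fi

    # Does the certificate validate against the CA given as --tlsCAFile?
    if ! openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1; then
        echo "FAIL: certificate in $pem is not signed by $ca" >&2
        return 1
    fi

    # Assumption: the PEM carries the certificate and its private key, as
    # --tlsCertificateKeyFile requires. Compare the two public keys.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key in $pem does not match its certificate" >&2
        return 2
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout \
            -checkend "$((min_days * 86400))" >/dev/null; then
        echo "WARN: certificate in $pem expires within $min_days days" >&2
        return 3
    fi

    echo "OK: $(openssl x509 -in "$pem" -noout -subject -enddate | tr '\n' ' ')"
}
```

On the unit, call it with the two paths listed above, using sudo if the files are not readable by your user.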

As before, we will connect to MongoDB via the saved MongoDB URI. The shell variables used to build it were set in the shell you started in, not in this session on the unit, so substitute the URI that echo printed earlier. Connect using the saved URI and the following TLS options:

sudo charmed-mongodb.mongosh "mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP/$DB_NAME?replicaSet=$REPL_SET_NAME" --tls --tlsCAFile /var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt --tlsCertificateKeyFile /var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem

Congratulations, you have connected to MongoDB with TLS. Now exit the MongoDB shell by typing:

exit

Now you should be back in the host of Charmed MongoDB (mongodb/0). To exit this host type:

exit

You should now be back in the shell you started in, where you can interact with Juju and LXD.

Disable TLS

To disable TLS, unrelate the two applications:

juju remove-relation mongodb tls-certificates-operator

Next step: Clean up the environment