Charmed MongoDB
- By Canonical Data Platform
- Databases
Channel | Revision | Published | Runs on |
---|---|---|---|
5/stable | 117 | 20 Apr 2023 | |
5/candidate | 117 | 20 Apr 2023 | |
5/edge | 118 | 03 May 2023 | |
3.6/stable | 100 | 28 Apr 2023 | |
3.6/candidate | 100 | 13 Apr 2023 | |
3.6/edge | 100 | 03 Feb 2023 | |
juju deploy mongodb --channel 5/stable
You will need Juju 2.9 to be able to run this command.
Enable Security in your MongoDB deployment
This is part of the Charmed MongoDB Tutorial. Please refer to this page for more information and the overview of the content.
Transport Layer Security (TLS)
TLS is used to encrypt data exchanged between two applications; it secures data transmitted over the network. Typically, enabling TLS within a highly available database, and between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. Fortunately, the domain-specific knowledge has been encoded into Charmed MongoDB. This means enabling TLS on Charmed MongoDB is readily available and requires minimal effort on your end.
Again, relations come in handy here as TLS is enabled via relations; i.e. by relating Charmed MongoDB to the TLS Certificates Charm. The TLS Certificates Charm centralises TLS certificate management in a consistent manner and handles providing, requesting, and renewing TLS certificates.
Configure TLS
Before enabling TLS on Charmed MongoDB we must first deploy the tls-certificates-operator charm:
juju deploy tls-certificates-operator --channel=edge
Wait until the tls-certificates-operator is ready to be configured. When it is ready, juju status --watch 1s will show:
Model Controller Cloud/Region Version SLA Timestamp
tutorial overlord localhost/localhost 2.9.37 unsupported 09:24:12Z
App Version Status Scale Charm Channel Rev Exposed Message
mongodb active 2 mongodb 5/edge 96 no Replica set primary
tls-certificates-operator blocked 1 tls-certificates-operator edge 16 no Configuration options missing: ['certificate', 'ca-certificate']
Unit Workload Agent Machine Public address Ports Message
mongodb/0* active idle 0 10.23.62.156 27017/tcp Replica set primary
mongodb/1 active idle 1 10.23.62.55 27017/tcp Replica set secondary
tls-certificates-operator/0* blocked idle 3 10.23.62.8 Configuration options missing: ['certificate', 'ca-certificate']
Machine State Address Inst id Series AZ Message
0 started 10.23.62.156 juju-d35d30-0 jammy Running
1 started 10.23.62.55 juju-d35d30-1 jammy Running
3 started 10.23.62.8 juju-d35d30-3 jammy Running
Now we can configure the TLS certificates. Configure the tls-certificates-operator to use self-signed certificates:
juju config tls-certificates-operator generate-self-signed-certificates="true" ca-common-name="Tutorial CA"
Note: this tutorial uses self-signed certificates; self-signed certificates should not be used in a production cluster.
Enable TLS
After configuring the certificates, juju status --watch 1s will show the status of tls-certificates-operator as active. To enable TLS on Charmed MongoDB, relate the two applications:
juju relate tls-certificates-operator mongodb
Connect to MongoDB with TLS
Like before, generate and save the URI that is used to connect to MongoDB:
export URI="mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP/$DB_NAME?replicaSet=$REPL_SET_NAME"
echo "$URI"
Now ssh into mongodb/0:
juju ssh mongodb/0
After sshing into mongodb/0, we are now in the unit that is hosting Charmed MongoDB. Once TLS has been enabled we will need to change how we connect to MongoDB. Specifically, we will need to specify the TLS CA file along with the TLS certificate file. These are on the units hosting the Charmed MongoDB application in the folder /var/snap/charmed-mongodb/common/etc/mongod. If you enter ls /var/snap/charmed-mongodb/current/etc/mongod/external* you should see the external certificate file and the external CA file:
/var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt /var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem
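Before connecting, it is worth confirming that these two files belong together and are safe to use. The following is an added example, not part of the Charmed MongoDB tutorial or the charm's own code: a hypothetical helper, check_tls_material, that uses the openssl CLI to check chain, expiry, key presence and file permissions. It assumes openssl is installed on the unit and that external-cert.pem holds the certificate together with its private key, as the --tlsCertificateKeyFile option requires.

```shell
# Added example (not from the Charmed MongoDB docs): sanity-check the TLS files
# before handing them to the client. Function name and messages are hypothetical.

# check_tls_material CA_FILE CERT_KEY_FILE [MIN_DAYS]
# Returns 0 only if every check passes; prints one line per finding.
check_tls_material() {
    ca=$1 pem=$2 min_days=${3:-7} rc=0
    for f in "$ca" "$pem"; do
        [ -r "$f" ] || { echo "FAIL unreadable: $f"; return 2; }
    done

    # 1. The certificate must chain to the CA we are about to trust.
    if openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1; then
        echo "OK   certificate chains to $ca"
    else
        echo "FAIL certificate does not chain to $ca"; rc=1
    fi

    # 2. It must stay valid for at least MIN_DAYS more days.
    if openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "OK   valid for at least $min_days more days"
    else
        echo "FAIL expires within $min_days days"; rc=1
    fi

    # 3. --tlsCertificateKeyFile needs the private key in the same PEM file.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "OK   private key present"
        # 4. A file holding a private key must not be world-readable.
        if [ -n "$(find "$pem" -perm -004)" ]; then
            echo "FAIL $pem is world-readable"; rc=1
        fi
    else
        echo "FAIL no private key in $pem"; rc=1
    fi
    return $rc
}

# On the unit, with the paths from this tutorial (run as a user that can read them):
#   check_tls_material \
#       /var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt \
#       /var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem
```

Because the tutorial's CA is self-signed, a passing chain check only shows that the certificate was issued by that CA, not that the CA itself should be trusted.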
As before, we will connect to MongoDB via the saved MongoDB URI. Connect using the saved URI and the following TLS options:
sudo charmed-mongodb.mongo "mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP/$DB_NAME?replicaSet=$REPL_SET_NAME" --tls --tlsCAFile /var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt --tlsCertificateKeyFile /var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem
Congratulations, you’ve now connected to MongoDB with TLS. Now exit the MongoDB shell by typing:
exit
Now you should be back in the host of Charmed MongoDB (mongodb/0). To exit this host type:
exit
You should now be back in the shell you started in, where you can interact with Juju and LXD.
Disable TLS
To disable TLS, unrelate the two applications:
juju remove-relation mongodb tls-certificates-operator