Charmed MongoDB

By Canonical Data Platform
Databases

Architecture:

Channel	Revision	Published	Runs on
5/stable	117	20 Apr 2023	Ubuntu 22.04
5/candidate	117	20 Apr 2023	Ubuntu 22.04
5/edge	118	03 May 2023	Ubuntu 22.04
3.6/stable	100	28 Apr 2023	Ubuntu 20.04 Ubuntu 18.04
3.6/candidate	100	13 Apr 2023	Ubuntu 20.04 Ubuntu 18.04
3.6/edge	100	03 Feb 2023	Ubuntu 20.04 Ubuntu 18.04

Platform:

22.04

Relevant links

Homepage

Discuss this charm

Share your thoughts on this charm with the community on discourse.

Join the discussion

Enable Security in your MongoDB deployment

This is part of the Charmed MongoDB Tutorial. Please refer to this page for more information and the overview of the content.

Transcript Layer Security (TLS)

TLS is used to encrypt data exchanged between two applications; it secures data transmitted over the network. Typically, enabling TLS within a highly available database, and between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. Fortunately, the domain-specific knowledge has been encoded into Charmed MongoDB. This means enabling TLS on Charmed MongoDB is readily available and requires minimal effort on your end.

Again, relations come in handy here as TLS is enabled via relations; i.e. by relating Charmed MongoDB to the TLS Certificates Charm. The TLS Certificates Charm centralises TLS certificate management in a consistent manner and handles providing, requesting, and renewing TLS certificates.

Configure TLS

Before enabling TLS on Charmed MongoDB we must first deploy the TLS-certificates-operator charm:

juju deploy tls-certificates-operator --channel=edge

Wait until the tls-certificates-operator is ready to be configured. When it is ready to be configured juju status --watch 1s. Will show:

Model     Controller  Cloud/Region         Version  SLA          Timestamp
tutorial  overlord    localhost/localhost  2.9.37   unsupported  09:24:12Z

App                        Version  Status   Scale  Charm                      Channel   Rev  Exposed  Message
mongodb                             active       2  mongodb                    5/edge   96  no       Replica set primary
tls-certificates-operator           blocked      1  tls-certificates-operator  edge       16  no       Configuration options missing: ['certificate', 'ca-certificate']

Unit                          Workload  Agent  Machine  Public address  Ports      Message
mongodb/0*                    active    idle   0        10.23.62.156    27017/tcp  Replica set primary
mongodb/1                     active    idle   1        10.23.62.55     27017/tcp  Replica set secondary
tls-certificates-operator/0*  blocked   idle   3        10.23.62.8                 Configuration options missing: ['certificate', 'ca-certificate']

Machine  State    Address       Inst id        Series  AZ  Message
0        started  10.23.62.156  juju-d35d30-0  jammy       Running
1        started  10.23.62.55   juju-d35d30-1  jammy       Running
3        started  10.23.62.8    juju-d35d30-3  jammy       Running

Now we can configure the TLS certificates. Configure the tls-certificates-operator to use self signed certificates:

juju config tls-certificates-operator generate-self-signed-certificates="true" ca-common-name="Tutorial CA"

Note: this tutorial uses self-signed certificates; self-signed certificates should not be used in a production cluster.

Enable TLS

After configuring the certificates juju status --watch 1s will show the status of tls-certificates-operator as active. To enable TLS on Charmed MongoDB, relate the two applications:

juju relate tls-certificates-operator mongodb

Connect to MongoDB with TLS

Like before, generate and save the URI that is used to connect to MongoDB:

export URI=mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP/$DB_NAME?replicaSet=$REPL_SET_NAME
echo $URI

Now ssh into mongodb/0:

juju ssh mongodb/0

After sshing into mongodb/0, we are now in the unit that is hosting Charmed MongoDB. Once TLS has been enabled we will need to change how we connect to MongoDB. Specifically we will need to specify the TLS CA file along with the TLS Certificate file. These are on the units hosting the Charmed MongoDB application in the folder /var/snap/charmed-mongodb/common/etc/mongod. If you enter: ls /var/snap/charmed-mongodb/current/etc/mongod/external* you should see the external certificate file and the external CA file:

/var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt  /var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem

As before, we will connect to MongoDB via the saved MongoDB URI. Connect using the saved URI and the following TLS options:

sudo charmed-mongodb.mongo mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP/$DB_NAME?replicaSet=$REPL_SET_NAME --tls --tlsCAFile /var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt  --tlsCertificateKeyFile /var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem

Congratulations, you’ve now connected to MongoDB with TLS. Now exit the MongoDB shell by typing:

exit

Now you should be back in the host of Charmed MongoDB (mongodb/0). To exit this host type:

exit

You should now be shell you started in where you can interact with Juju and LXD.

Disable TLS

To disable TLS unrelate the two applications:

juju remove-relation mongodb tls-certificates-operator

Help us improve this documentation

Most of this documentation can be collaboratively discussed and changed on the respective topic in the doc category of the Charmhub forum. See the documentation guidelines if you’d like to contribute.

Last updated 25 days ago. Help improve this document in the forum.