Charmed MongoDB K8S How To - Enable Encryption

How to enable encryption

This guide will show how to enable TLS using the self-signed-certificates operator as an example.

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the TLS certificates charms available.

Enable and disable TLS in a replica set

Enable TLS

Deploy the TLS charm:

juju deploy self-signed-certificates

To enable TLS, integrate (formerly known as “relate”) the two applications:

juju integrate self-signed-certificates mongodb-k8s

Your replica set now has encryption enabled via TLS.

Disable TLS

To disable TLS, just remove the integration:

juju remove-relation mongodb-k8s self-signed-certificates

Enable and disable TLS in a sharded cluster

Enabling encryption via TLS in a sharded cluster can be done before or after shards are added to the config-server.

However, it requires that:

  1. All cluster components have encryption enabled
  2. All cluster components are integrated to the same Certificate Authority.

Enable TLS

Deploy the TLS charm:

juju deploy self-signed-certificates --config ca-common-name="Example CA"

Integrate your Certificate Authority into all cluster components. In a cluster with two shards and a config-server this would be done as follows:

juju integrate config-server self-signed-certificates
juju integrate shard-one self-signed-certificates
juju integrate shard-two self-signed-certificates

Your sharded cluster now has encryption enabled via TLS.

Disable TLS

To disable TLS, just remove the integrations:

juju remove-relation config-server self-signed-certificates
juju remove-relation shard-one self-signed-certificates
juju remove-relation shard-two self-signed-certificates

Rotate private keys

Updates to the internal and external private keys used for certificate signing requests (CSRs) can be made via the set-tls-private-key action. To update all keys, you must run the set-tls-private-key action on all Charmed MongoDB units in your replica set or sharded cluster.

Rotate with a manually generated key

To rotate your private keys, first generate the new keys:

openssl genrsa -out internal-key.pem 3072
openssl genrsa -out external-key.pem 3072

Then, pass the new keys to the leader of your replica set or config-server.

Note: Pass keys to juju only as single-line base64 output (base64 -w0), never via cat: a multi-line PEM is not a valid action parameter value.

juju run <application-name>/leader set-tls-private-key \
  "internal-key=$(base64 -w0 internal-key.pem)" "external-key=$(base64 -w0 external-key.pem)"
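The manual rotation steps above, collected into one script as an added example (this is not part of the Charmed MongoDB documentation or charm code). It generates the two keys, encodes each as a single base64 line, refuses to continue if an encoded value would span several lines or not decode back to the original PEM, and prints the juju command for review instead of executing it. It assumes GNU coreutils base64 (for -w0) and openssl on PATH; the application name mongodb-k8s is taken from this guide.

```shell
#!/bin/sh
# Added example, not part of the Charmed MongoDB docs or charm.
# Assumes GNU base64 (-w0) and openssl; "mongodb-k8s" is the application
# name used in this guide, adjust it for your deployment.
set -eu

nl='
'

# Encode a PEM file as exactly one base64 line, which is what the
# set-tls-private-key action expects. Fails closed if the value still
# contains a newline (e.g. someone swapped in plain `base64` or `cat`).
encode_key_for_juju() {
  pem_file="$1"
  encoded="$(base64 -w0 "$pem_file")"
  case "$encoded" in
    *"$nl"*)
      echo "refusing to pass a multi-line value for $pem_file" >&2
      return 1
      ;;
  esac
  printf '%s' "$encoded"
}

# Decode the single-line value again and compare it byte-for-byte with the
# original PEM; returns non-zero if anything was lost or altered.
roundtrip_ok() {
  pem_file="$1"
  encode_key_for_juju "$pem_file" | base64 -d | cmp -s - "$pem_file"
}

# Build the action invocation for the leader unit. Each key is quoted as
# its own argument so the shell never word-splits the base64 value.
build_rotate_command() {
  app="$1"
  internal="$2"
  external="$3"
  printf 'juju run %s/leader set-tls-private-key "internal-key=%s" "external-key=%s"\n' \
    "$app" "$(encode_key_for_juju "$internal")" "$(encode_key_for_juju "$external")"
}

main() {
  workdir="$(mktemp -d)"
  # Same key size as the guide's openssl commands.
  openssl genrsa -out "$workdir/internal-key.pem" 3072 2>/dev/null
  openssl genrsa -out "$workdir/external-key.pem" 3072 2>/dev/null
  roundtrip_ok "$workdir/internal-key.pem"
  roundtrip_ok "$workdir/external-key.pem"
  # Print rather than execute: review the command, then run it against the
  # leader of the replica set or config-server, and repeat per shard.
  build_rotate_command mongodb-k8s "$workdir/internal-key.pem" "$workdir/external-key.pem"
}

# Run the full procedure only where openssl is available; the helper
# functions can also be sourced and used on their own.
if command -v openssl >/dev/null 2>&1; then
  main
fi
```

The printed command is deliberately not run by the script: the private key material ends up in the shell history of whoever executes it, so review the command on the operator host and run it from there, once per leader unit.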

Rotate with an autogenerated key

The keys can be auto-generated and set as follows:

juju run <application-name>/leader set-tls-private-key