This is part of the Charmed MongoDB Tutorial. Please refer to this page for more information and the overview of the content.
TLS is used to encrypt data exchanged between two applications; it secures data transmitted over the network. Typically, enabling TLS within a highly available database, and between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. Fortunately, the domain-specific knowledge has been encoded into Charmed MongoDB. This means enabling TLS on Charmed MongoDB is readily available and requires minimal effort on your end.
Again, relations come in handy here as TLS is enabled via relations; i.e. by relating Charmed MongoDB K8s to the TLS Certificates Charm.
The TLS Certificates Charm centralises TLS certificate management in a consistent manner and handles providing, requesting, and renewing TLS certificates.
*Note: for the sake of this tutorial only, we use self-signed certificates provided by the self-signed-certificates operator. For production environments you should use [tls-certificates-operator](https://discourse.charmhub.io/t/tls-certificates-operator-tutorial-overview).*
Before enabling TLS on Charmed MongoDB K8s we must first deploy the self-signed-certificates charm:

```shell
juju deploy self-signed-certificates --channel=beta
```

Wait until self-signed-certificates is ready to be configured. When it is ready, `juju status --watch 1s` will show:

```
Model      Controller  Cloud/Region         Version  SLA          Timestamp
tutorial   overlord    localhost/localhost  3.1.6    unsupported  09:24:12Z

App                       Version  Status  Scale  Charm                     Channel  Rev  Exposed  Message
mongodb                            active      2  mongodb                   6/beta   140  no       Replica set primary
self-signed-certificates           active      1  self-signed-certificates  beta      33  no

Unit                         Workload  Agent  Machine  Public address  Ports      Message
mongodb/0*                   active    idle   0        10.23.62.156    27017/tcp  Replica set primary
mongodb/1                    active    idle   1        10.23.62.55     27017/tcp  Replica set secondary
self-signed-certificates/0*  active    idle   3        10.23.62.8

Machine  State    Address       Inst id        Series  AZ  Message
0        started  10.23.62.156  juju-d35d30-0  jammy       Running
1        started  10.23.62.55   juju-d35d30-1  jammy       Running
3        started  10.23.62.8    juju-d35d30-3  jammy       Running
```
After configuring the certificates, `watch -n 1 juju status` will show the status of self-signed-certificates as active. To enable TLS on Charmed MongoDB K8s, relate the two applications:

```shell
juju integrate mongodb self-signed-certificates
```
Like before, generate and save the URI that is used to connect to MongoDB:

```shell
export URI=mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP/$DB_NAME?replicaSet=$REPL_SET_NAME
echo $URI
```
Now ssh into mongodb/0:

```shell
juju ssh mongodb/0
```

We are now in the unit that is hosting Charmed MongoDB. Once TLS has been enabled we need to change how we connect to MongoDB: specifically, we need to specify the TLS CA file along with the TLS certificate file. These are on the units hosting the Charmed MongoDB application in the folder `/var/snap/charmed-mongodb/common/etc/mongod`. If you enter:

```shell
ls /var/snap/charmed-mongodb/current/etc/mongod/external*
```

you should see the external certificate file and the external CA file (`external-cert.pem` and `external-ca.crt`).
As before, we connect to MongoDB via the saved MongoDB URI, now with the following TLS options:

```shell
sudo charmed-mongodb.mongosh mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP/$DB_NAME?replicaSet=$REPL_SET_NAME --tls --tlsCAFile /var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt --tlsCertificateKeyFile /var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem
```
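The `--tls`, `--tlsCAFile` and `--tlsCertificateKeyFile` flags of mongosh map one-to-one onto MongoDB connection-string options, which is how a client application (rather than the interactive shell) would connect once TLS is on. The Python script below is an added example for this tutorial and is not Charmed MongoDB's own code; it assumes the certificate paths shown in the `ls` and `mongosh` commands above and uses constructed credentials in place of `$DB_USERNAME`, `$DB_PASSWORD`, `$HOST_IP`, `$DB_NAME` and `$REPL_SET_NAME`. It builds a URI carrying `tls=true`, `tlsCAFile` and `tlsCertificateKeyFile`, percent-encodes the credentials (the `export URI=...` line above passes `$DB_PASSWORD` through unencoded, which breaks for passwords containing `@`, `:` or `/`), and flags URIs that leave TLS off or switch off verification with `tlsAllowInvalidCertificates`, `tlsAllowInvalidHostnames` or `tlsInsecure`.

```python
"""Added example for the Charmed MongoDB TLS tutorial (not the charm's own code):
express the mongosh TLS flags as MongoDB connection-string options and check
a URI for settings that would weaken TLS."""
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Certificate files the tutorial lists on the unit. The directory is taken from
# the tutorial's ls/mongosh commands and is an assumption for this example.
CERT_DIR = "/var/snap/charmed-mongodb/current/etc/mongod"
CA_FILE = f"{CERT_DIR}/external-ca.crt"
CERT_KEY_FILE = f"{CERT_DIR}/external-cert.pem"

# Standard connection-string options that switch off certificate or hostname checks.
INSECURE_TLS_OPTIONS = ("tlsinsecure", "tlsallowinvalidcertificates", "tlsallowinvalidhostnames")


def build_tls_uri(username, password, hosts, db_name, replica_set,
                  ca_file=CA_FILE, cert_key_file=CERT_KEY_FILE):
    """Equivalent of the tutorial's mongosh flags expressed as URI options.

    Credentials are percent-encoded: a password containing '@', ':' or '/'
    would otherwise be parsed as part of the host list or database name.
    """
    options = {
        "replicaSet": replica_set,
        "tls": "true",
        "tlsCAFile": ca_file,                    # CA that signed the server certificate
        "tlsCertificateKeyFile": cert_key_file,  # client certificate + key, PEM
    }
    # Keep '/' readable in file paths; every other unsafe character is encoded.
    query = "&".join(f"{k}={quote(v, safe='/')}" for k, v in options.items())
    return (f"mongodb://{quote(username, safe='')}:{quote(password, safe='')}"
            f"@{hosts}/{db_name}?{query}")


def parse_uri(uri):
    """Split a mongodb:// URI into its parts, decoding the credentials."""
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError(f"not a MongoDB URI: {parts.scheme!r}")
    # Do not use parts.hostname/parts.port: a replica-set host list such as
    # 'h1:27017,h2:27017' is not a single host:port and parts.port would raise.
    hosts = parts.netloc.rpartition("@")[2]
    options = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}
    return {
        "username": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "hosts": hosts,
        "db_name": parts.path.lstrip("/"),
        "options": options,
    }


def check_tls_uri(uri):
    """Return a list of problems with the URI's TLS settings; empty means acceptable."""
    options = parse_uri(uri)["options"]
    problems = []
    tls_on = options.get("tls", options.get("ssl", "false")).lower() == "true"
    if not tls_on:
        problems.append("tls=true is not set: credentials and data would cross the network in the clear")
    if "tlscafile" not in options:
        problems.append("tlsCAFile is not set: the charm's self-signed CA is not in the system "
                        "trust store, so the server certificate cannot be verified")
    for name in INSECURE_TLS_OPTIONS:
        if options.get(name, "false").lower() == "true":
            problems.append(f"{name}=true bypasses certificate or hostname verification")
    return problems


if __name__ == "__main__":
    # Constructed sample values standing in for the tutorial's shell variables.
    uri = build_tls_uri("operator", "p@ss:w/rd", "10.23.62.156", "tutorial", "mongodb")
    print(uri)
    print("problems:", check_tls_uri(uri) or "none")
    print("problems:", check_tls_uri(uri + "&tlsAllowInvalidCertificates=true"))
```

Run it as `python3 tls_uri.py` on any machine; it needs no MongoDB server. Passing the resulting URI to a driver gives the same verification behaviour as the mongosh command above: the server certificate is checked against `external-ca.crt` and the client presents `external-cert.pem`.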
Congratulations, you’ve now connected to MongoDB with TLS. Now exit the MongoDB shell by typing:

```shell
exit
```

You should now be back in the host of Charmed MongoDB (mongodb/0). To exit this host, type:

```shell
exit
```

You should now be back in the shell you started in, where you can interact with Juju and LXD.
To disable TLS, unrelate the two applications:

```shell
juju remove-relation mongodb self-signed-certificates
```