How to enable TLS
Charmed MongoDB 8 provides Transport Layer Security (TLS) for peer-to-peer and client-server communication.
Peer-to-peer: communication between members in the cluster will be encrypted and authenticated using certificates.
Client-to-server: the MongoDB client can verify the server's identity, and the connection is encrypted in transit.
Deploy a TLS provider
Charmed MongoDB provides the option of using different CA certificates for client-server and peer-to-peer communication. This allows you to have different levels of trust for the two types of communication. You can also use the same CA certificate for both types of communication.
You can enable peer-to-peer encryption alone, client-to-server encryption alone, or both at the same time.
This guide will use the Self-signed Certificates charm as an example for all cases.
Self-signed certificates are not recommended for a production environment.
Check this guide for an overview of the TLS certificates charms available.
Deploy the self-signed-certificates charm.
juju deploy self-signed-certificates
Enable TLS in a replica set
Integrate your replica set with the TLS provider according to the type of encryption you require.
Peer-to-peer
juju integrate self-signed-certificates mongodb:peer-certificates
Client-to-server
juju integrate self-signed-certificates mongodb:client-certificates
Enable TLS in a sharded cluster
Enabling encryption via TLS in a sharded cluster can be done before or after shards are added to the config-server.
However, it requires that:
- All cluster components have encryption enabled.
- All cluster components are integrated with the same Certificate Authority.
Peer-to-peer
juju integrate self-signed-certificates config-server:peer-certificates
juju integrate self-signed-certificates shard-one:peer-certificates
juju integrate self-signed-certificates shard-two:peer-certificates
Your sharded cluster now has peer-to-peer encryption enabled via TLS.
Client-to-server
juju integrate self-signed-certificates config-server:client-certificates
juju integrate self-signed-certificates shard-one:client-certificates
juju integrate self-signed-certificates shard-two:client-certificates
Your sharded cluster now has client-to-server encryption enabled via TLS.
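The two requirements above (every component has TLS enabled, and all of them trust the same CA) are easy to miss when shards are added later. The following added example, which is not part of the Charmed MongoDB project, checks them against the output of `juju status --format json`; the shape of that output used here (applications -> relations -> endpoint -> related applications) is a simplified assumption, and the status document is constructed for the example.

```python
"""Verify that every Charmed MongoDB sharded-cluster component is integrated
with one and the same TLS provider on the chosen certificate endpoints.

Added example, not project code. Assumes `juju status --format json` exposes
applications -> relations -> <endpoint> -> [related application names].
"""
import json

# Constructed status: shard-two is missing its client-certificates integration.
SAMPLE_STATUS = json.dumps({
    "applications": {
        "self-signed-certificates": {"relations": {}},
        "config-server": {"relations": {
            "peer-certificates": ["self-signed-certificates"],
            "client-certificates": ["self-signed-certificates"]}},
        "shard-one": {"relations": {
            "peer-certificates": ["self-signed-certificates"],
            "client-certificates": ["self-signed-certificates"]}},
        "shard-two": {"relations": {
            "peer-certificates": ["self-signed-certificates"]}},
    }
})

# Constructed status: both endpoints present, but shard-one trusts a different CA.
MIXED_CA_STATUS = json.dumps({
    "applications": {
        "config-server": {"relations": {"peer-certificates": ["self-signed-certificates"]}},
        "shard-one": {"relations": {"peer-certificates": ["other-ca"]}},
    }
})

def check_cluster_tls(status_json, components,
                      endpoints=("peer-certificates", "client-certificates")):
    """Return a list of problems; an empty list means each endpoint is
    integrated on every component and all components share a single CA."""
    apps = json.loads(status_json).get("applications", {})
    problems = []
    for endpoint in endpoints:
        providers = set()
        for comp in components:
            related = apps.get(comp, {}).get("relations", {}).get(endpoint, [])
            # Tolerate either bare names or objects carrying "related-application".
            names = [r if isinstance(r, str) else r.get("related-application") for r in related]
            if not names:
                problems.append(f"{comp}: no TLS provider on {endpoint}")
            providers.update(names)
        if len(providers) > 1:  # more than one CA across the cluster
            problems.append(f"{endpoint}: components use different CAs: {sorted(providers)}")
    return problems

if __name__ == "__main__":
    print(check_cluster_tls(SAMPLE_STATUS, ["config-server", "shard-one", "shard-two"]))
```

Run it against a live model by piping `juju status --format json` into `check_cluster_tls` with your actual component names.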