How to enable encryption
This guide will show how to enable TLS using the self-signed-certificates operator as an example.
Self-signed certificates are not recommended for a production environment.
Check this guide for an overview of the TLS certificates charms available.
Summary
- Enable and disable TLS in a replica set
- Enable and disable TLS in a sharded cluster
- Rotate private keys
Enable and disable TLS in a replica set
Enable TLS
Deploy the TLS charm:
juju deploy self-signed-certificates
To enable TLS, integrate (formerly known as “relate”) the two applications:
juju integrate self-signed-certificates mongodb-k8s
Your replica set now has encryption enabled via TLS.
Disable TLS
To disable TLS, just remove the integration:
juju remove-relation mongodb-k8s self-signed-certificates
Enable and disable TLS in a sharded cluster
Enabling encryption via TLS in a sharded cluster can be done before or after shards are added to the config-server.
However, it requires that:
- All cluster components have encryption enabled
- All cluster components are integrated to the same Certificate Authority.
Enable TLS
Deploy the TLS charm:
juju deploy self-signed-certificates --config ca-common-name="Example CA"
Integrate your Certificate Authority into all cluster components. In a cluster with two shards and a config-server this would be done as follows:
juju integrate config-server self-signed-certificates
juju integrate shard-one self-signed-certificates
juju integrate shard-two self-signed-certificates
Your sharded cluster now has encryption enabled via TLS.
Disable TLS
To disable TLS, just remove the integrations:
juju remove-relation config-server self-signed-certificates
juju remove-relation shard-one self-signed-certificates
juju remove-relation shard-two self-signed-certificates
Rotate private keys
Updates to internal and external private keys for certificate signing requests (CSR) can be made via the set-tls-private-key action. To update all keys, you must run theset-tls-private-key action on all charmed MongoDB units in your replica set or sharded cluster.
Rotate with a manually generated key
To rotate the your private keys, first generate your keys:
openssl genrsa -out internal-key.pem 3072
openssl genrsa -out external-key.pem 3072
Then, apply the new external key to the leader of your replica set or config-server.
Note: Passing keys to juju should only be done with base64 -w0, not cat.
juju run <application-name>/leader set-tls-private-key \
"internal-key=$(base64 -w0 internal-key.pem)" "external-key=$(base64 -w0 external-key-0.pem)"
Rotate with an autogenerated key
The keys can be auto-generated and set as follows:
juju run <application-name>/leader set-tls-private-key