Charmed MongoDB Tutorial (replica set) | 7. Enable security

Charmed MongoDB Tutorials > Deploy a replica set > 7. Enable security

Enable security in your MongoDB deployment

Transport Layer Security (TLS) is used to encrypt data exchanged between two applications; it secures data transmitted over the network. Typically, enabling TLS within a highly available database, and between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. Fortunately, the domain-specific knowledge has been encoded into Charmed MongoDB K8S. This means enabling TLS on Charmed MongoDB K8S is readily available and requires minimal effort on your end.

Again, relations come in handy here as TLS is enabled via relations; i.e. by relating Charmed MongoDB K8s to the Self Signed Certificates Charm. This charm centralises self-signed certificate management and handles providing, requesting, and renewing self-signed TLS certificates.

Disclaimer: In this tutorial we use self-signed certificates provided by the self-signed-certificates-operator.

This is not recommended for a production environment.

For production environments, check the collection of Charmhub operators that implement the tls-certificate interface, and choose the most suitable for your use-case.


Configure TLS

Before enabling TLS on Charmed MongoDB we must first deploy the self-signed-certificates charm:

juju deploy self-signed-certificates

Wait until the self-signed-certificates app is active with juju status --watch 1s, like in the output below.

Model              Controller  Cloud/Region         Version  SLA          Timestamp
tutorial  overlord    localhost/localhost  3.4.0    unsupported  09:35:14+01:00

App                       Version  Status  Scale  Charm                     Channel  Rev  Exposed  Message
mongodb                            active      1  mongodb                   6/beta   149  no       Primary
self-signed-certificates           active      1  self-signed-certificates  stable    72  no

Unit                         Workload  Agent  Machine  Public address  Ports      Message
mongodb/0*                   active    idle   0     27017/tcp  Primary
self-signed-certificates/1*  active    idle   2    

Machine  State    Address       Inst id        Base          AZ  Message
0        started   juju-fab81d-0  ubuntu@22.04      Running
2        started  juju-fab81d-2  ubuntu@22.04      Running

Now that self-signed-certificates has finished deploying, we can configure it with:

juju config self-signed-certificates ca-common-name="Tutorial CA" 

Enable TLS

To enable TLS on Charmed MongoDB, integrate the two applications:

juju integrate self-signed-certificates mongodb

Connect to MongoDB with TLS

Like before, generate and save the URI that is used to connect to MongoDB:

echo $URI

Now ssh into mongodb/0:

juju ssh mongodb/0

We are now in the unit that is hosting Charmed MongoDB.

Once TLS has been enabled, we will need to change how we connect to MongoDB. We will need to specify the TLS CA file along with the TLS Certificate file that were automatically created when we integrated the two charms.

You will find these files on the units hosting the Charmed MongoDB application in the folder /var/snap/charmed-mongodb/common/etc/mongod.

If you enter:

ls /var/snap/charmed-mongodb/current/etc/mongod/external*

you should see the following external certificate file and external CA files:


As before, we will connect to MongoDB via the saved MongoDB URI. Connect using the saved URI and the following TLS options:

sudo charmed-mongodb.mongosh mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP/$DB_NAME?replicaSet=$REPL_SET_NAME --tls --tlsCAFile /var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt  --tlsCertificateKeyFile /var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem

You have successfully connected to MongoDB with TLS!

When you are ready, leave the MongoDB shell by typing exit. You will be back in the host of Charmed MongoDB (mongodb/0). Exit this host by typing exit again.

You should now be at the original shell where you can interact with Juju and LXD.

Disable TLS

To disable TLS, simply remove the integration between the two applications:

juju remove-relation mongodb self-signed-certificates

Next step: 8. Clean up the environment