Charmed MongoDB Tutorial (replica set) | 7. Enable security

Enable security in your MongoDB deployment

This page is part of the tutorial Deploy a MongoDB replica set.

Transport Layer Security (TLS) encrypts and authenticates the data exchanged between two applications, so that traffic crossing the network cannot be read or tampered with in transit. Typically, enabling TLS within a highly available database, and between that database and its client applications, requires domain-specific knowledge and a high level of expertise. Fortunately, that knowledge has been encoded into Charmed MongoDB, so enabling TLS is readily available and requires minimal effort on your end.

Again, relations come in handy here: TLS is enabled via a relation, i.e. by relating Charmed MongoDB to the tls-certificates-operator charm. That charm centralises certificate management in a consistent manner and handles providing, requesting, and renewing the TLS certificates that Charmed MongoDB uses.

Disclaimer: In this tutorial we configure tls-certificates-operator to generate self-signed certificates (generate-self-signed-certificates="true"). A self-signed CA that every client has to be told to trust out of band is fine for a tutorial, but it is not recommended for a production environment.

For production environments you should provide tls-certificates-operator with a certificate and CA certificate issued by a trusted certificate authority instead of having it generate self-signed ones.


Configure TLS

Before enabling TLS on Charmed MongoDB we must first deploy the tls-certificates-operator charm:

juju deploy tls-certificates-operator

Wait until the tls-certificates-operator is ready to be configured; follow its progress with juju status --watch 1s.

When ready, it will be in a blocked state, asking for certificates, like in the example below:

Model     Controller  Cloud/Region         Version  SLA          Timestamp
tutorial  overlord    localhost/localhost  3.1.6   unsupported  09:24:12Z

App                        Version  Status   Scale  Charm                      Channel   Rev  Exposed  Message
mongodb                             active       2  mongodb                    5/edge   96  no       Replica set primary
tls-certificates-operator           blocked      1  tls-certificates-operator  edge       16  no       Configuration options missing: ['certificate', 'ca-certificate']

Unit                          Workload  Agent  Machine  Public address  Ports      Message
mongodb/0*                    active    idle   0        10.23.62.156    27017/tcp  Replica set primary
mongodb/1                     active    idle   1        10.23.62.55     27017/tcp  Replica set secondary
tls-certificates-operator/0*  blocked   idle   3        10.23.62.8                 Configuration options missing: ['certificate', 'ca-certificate']

Machine  State    Address       Inst id        Series  AZ  Message
0        started  10.23.62.156  juju-d35d30-0  jammy       Running
1        started  10.23.62.55   juju-d35d30-1  jammy       Running
3        started  10.23.62.8    juju-d35d30-3  jammy       Running

Configure the tls-certificates-operator to generate self-signed certificates. The ca-common-name becomes the subject of the generated CA, and therefore the issuer of every certificate it signs:

juju config tls-certificates-operator generate-self-signed-certificates="true" ca-common-name="Tutorial CA"

Enable TLS

After configuring the certificates, juju status --watch 1s will show the status of tls-certificates-operator as active. To enable TLS on Charmed MongoDB, relate the two applications:

juju integrate tls-certificates-operator mongodb

Connect to MongoDB with TLS

Like before, generate the URI used to connect to MongoDB and note the value it prints. The variables are set in your local shell only; they are not available once you ssh into the unit, so you will paste the printed URI there. Quote the value so the shell does not try to expand the ? in the query string:

export URI="mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP/$DB_NAME?replicaSet=$REPL_SET_NAME"
echo $URI

Note that the URI embeds the database password, so the echoed value ends up in your terminal output.

Now ssh into mongodb/0:

juju ssh mongodb/0

We are now in the unit that is hosting Charmed MongoDB.

Once TLS has been enabled, we need to change how we connect to MongoDB: we must pass the CA file, used to verify the server's certificate, and the certificate key file holding a certificate and its private key. Both live on the units hosting the Charmed MongoDB application in the folder /var/snap/charmed-mongodb/current/etc/mongod.

If you enter: ls /var/snap/charmed-mongodb/current/etc/mongod/external* you should see the external certificate file and the external CA file:

/var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt  
/var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem
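Before pasting these paths into mongosh it is worth confirming that external-cert.pem really chains to external-ca.crt, has not expired, and was issued by the CA we configured (ca-common-name="Tutorial CA"). The check below is an added example, not part of the Charmed MongoDB tutorial or of the charm; it generates a throwaway CA and unit certificate as constructed stand-ins so that it runs anywhere openssl is installed. The unit address 10.23.62.156 comes from the status output above, and the assumption that external-cert.pem bundles the certificate with its private key follows from its use as --tlsCertificateKeyFile; the function name inspect_tls_material is ours.

```bash
#!/usr/bin/env bash
# Added example (not from the Charmed MongoDB docs): sanity-check a CA file and a
# certificate+key bundle with openssl before handing them to mongosh. The CA and
# unit certificate generated below are constructed stand-ins; on a real unit point
# the function at the files under /var/snap/charmed-mongodb/current/etc/mongod.
set -eu

# inspect_tls_material <ca-file> <cert-key-file> <expected-issuer-cn>
# Exit 0 only if the certificate chains to the CA, is not expired, and its issuer
# CN matches the ca-common-name we configured on tls-certificates-operator.
inspect_tls_material() {
  ca="$1"; bundle="$2"; expected_cn="$3"
  chain=$(mktemp)
  # The bundle carries certificate and private key; extract just the certificate.
  openssl x509 -in "$bundle" -out "$chain" 2>/dev/null || { rm -f "$chain"; return 1; }
  if ! openssl verify -CAfile "$ca" "$chain" >/dev/null 2>&1; then
    echo "certificate does not chain to $ca" >&2; rm -f "$chain"; return 1
  fi
  if ! openssl x509 -in "$chain" -noout -checkend 0 >/dev/null; then
    echo "certificate has expired" >&2; rm -f "$chain"; return 1
  fi
  issuer_cn=$(openssl x509 -in "$chain" -noout -issuer -nameopt RFC2253 \
              | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$issuer_cn" != "$expected_cn" ]; then
    echo "issuer CN is '$issuer_cn', expected '$expected_cn'" >&2; rm -f "$chain"; return 1
  fi
  # What a client will see: subject, expiry, and the names/IPs the cert is valid for.
  openssl x509 -in "$chain" -noout -subject -enddate
  openssl x509 -in "$chain" -noout -ext subjectAltName 2>/dev/null || true
  rm -f "$chain"
}

# --- constructed fixtures standing in for what tls-certificates-operator issues ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
# CA with the common name configured in the tutorial (ca-common-name="Tutorial CA")
openssl req -x509 $KEYOPTS -days 1 -subj "/CN=Tutorial CA" \
  -keyout "$WORK/ca.key" -out "$WORK/external-ca.crt" 2>/dev/null
# Unit certificate signed by that CA, with the unit's address in the SAN
openssl req -new $KEYOPTS -subj "/CN=mongodb-0" \
  -keyout "$WORK/unit.key" -out "$WORK/unit.csr" 2>/dev/null
printf 'subjectAltName=DNS:mongodb-0,IP:10.23.62.156\n' > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/unit.csr" -CA "$WORK/external-ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -out "$WORK/unit.crt" 2>/dev/null
# external-cert.pem = certificate followed by its private key (assumption, see lead-in)
cat "$WORK/unit.crt" "$WORK/unit.key" > "$WORK/external-cert.pem"
# An unrelated CA: the unit certificate must NOT verify against it
openssl req -x509 $KEYOPTS -days 1 -subj "/CN=Some Other CA" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue-ca.crt" 2>/dev/null

DEMO_CA="$WORK/external-ca.crt"
DEMO_CERT="$WORK/external-cert.pem"
ROGUE_CA="$WORK/rogue-ca.crt"

# Expected outcome: verifies, prints subject/enddate and the SAN list
inspect_tls_material "$DEMO_CA" "$DEMO_CERT" "Tutorial CA"
```

On a unit you would call it as sudo inspect_tls_material /var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt /var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem "Tutorial CA". The subjectAltName line is the one to read carefully: mongosh verifies the host in the URI against the certificate, so the address you connect to has to appear there or the handshake fails with a hostname mismatch.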

As before, we connect via the saved MongoDB URI. Because the DB_USERNAME, DB_PASSWORD, HOST_IP, DB_NAME and REPL_SET_NAME variables exist only in your local shell, substitute the literal URI printed by echo $URI for the quoted argument below, and add the TLS options:

sudo charmed-mongodb.mongosh "mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP/$DB_NAME?replicaSet=$REPL_SET_NAME" --tls --tlsCAFile /var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt --tlsCertificateKeyFile /var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem

--tlsCAFile tells mongosh which CA to trust when verifying the server's certificate; --tlsCertificateKeyFile supplies a certificate and private key for the client side. Here we reuse the unit's own certificate, which is why this shell is opened on the unit rather than on your workstation.

You have successfully connected to MongoDB with TLS!

Return to original shell

Leave the MongoDB shell by typing exit. You will be back in the host of Charmed MongoDB (mongodb/0). Exit this host by typing exit again.

You should now be at the original shell where you can interact with Juju and LXD.

Disable TLS

To disable TLS, remove the integration between the two applications:

juju remove-relation mongodb tls-certificates-operator

The units then go back to accepting plaintext connections, and a mongosh invocation that passes --tls will fail until TLS is enabled again.

Next step: 8. Clean up the environment