Charmed MongoDB Tutorial (replica set) | 7. Enable TLS

doc
, ,
1

Charmed MongoDB Tutorials > Deploy a replica set > 7. Enable TLS

Enable TLS in your MongoDB deployment

Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.

Typically, enabling TLS internally within a highly available database or between a highly available database and client/server applications requires a high level of expertise. This has all been encoded into Charmed MongoDB so that configuring TLS requires minimal effort on your end.

TLS is enabled by integrating Charmed MongoDB with the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.

In this section, you will learn how to enable security in your MongoDB deployment using TLS encryption.

Disclaimer: In this tutorial we use self-signed certificates provided by the self-signed-certificates-operator.

This is not recommended for a production environment.

For production environments, check the collection of Charmhub operators that implement the tls-certificate interface, and choose the most suitable for your use-case.

Summary

Configure TLS

First, deploy the self-signed-certificates charm:

juju deploy self-signed-certificates

Wait until the self-signed-certificates app is active with juju status --watch 1s, like in the output below.

Model              Controller  Cloud/Region         Version  SLA          Timestamp
tutorial  overlord    localhost/localhost  3.4.0    unsupported  09:35:14+01:00

App                       Version  Status  Scale  Charm                     Channel  Rev  Exposed  Message
mongodb                            active      1  mongodb                   6/beta   149  no       Primary
self-signed-certificates           active      1  self-signed-certificates  stable    72  no

Unit                         Workload  Agent  Machine  Public address  Ports      Message
mongodb/0*                   active    idle   0        10.67.56.90     27017/tcp  Primary
self-signed-certificates/1*  active    idle   2        10.67.56.137    

Machine  State    Address       Inst id        Base          AZ  Message
0        started  10.67.56.90   juju-fab81d-0  ubuntu@22.04      Running
2        started  10.67.56.137  juju-fab81d-2  ubuntu@22.04      Running

Now that self-signed-certificates has finished deploying, we can configure it with:

juju config self-signed-certificates ca-common-name="Tutorial CA"

Enable TLS

To enable TLS on Charmed MongoDB, integrate the two applications:

juju integrate self-signed-certificates mongodb

Connect to MongoDB with TLS

Like before, generate and save the URI that is used to connect to MongoDB:

export URI=mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP/$DB_NAME?replicaSet=$REPL_SET_NAME
echo $URI

Now ssh into mongodb/0:

juju ssh mongodb/0

We are now in the unit that is hosting Charmed MongoDB.

Once TLS has been enabled, we will need to change how we connect to MongoDB. We will need to specify the TLS CA file along with the TLS Certificate file that were automatically created when we integrated the two charms.

You will find these files on the units hosting the Charmed MongoDB application in the folder /var/snap/charmed-mongodb/common/etc/mongod.

If you enter:

ls /var/snap/charmed-mongodb/current/etc/mongod/external*

you should see the following external certificate file and external CA files:

/var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt  
/var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem

As before, we will connect to MongoDB via the saved MongoDB URI. Connect using the saved URI and the following TLS options:

sudo charmed-mongodb.mongosh mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP/$DB_NAME?replicaSet=$REPL_SET_NAME --tls --tlsCAFile /var/snap/charmed-mongodb/current/etc/mongod/external-ca.crt  --tlsCertificateKeyFile /var/snap/charmed-mongodb/current/etc/mongod/external-cert.pem

You have successfully connected to MongoDB with TLS!

When you are ready, leave the MongoDB shell by typing exit. You will be back in the host of Charmed MongoDB (mongodb/0). Exit this host by typing exit again.

You should now be at the original shell where you can interact with Juju and LXD.

Disable TLS

To disable TLS, remove the integration between the two applications:

juju remove-relation mongodb self-signed-certificates

Next step: 8. Clean up the environment

2

I’m using lxd mongo containers. I followed this steps but looks like certificates bind only the private ip’s of juju mongo containers.Then i tried manual TLS certificate option to bind the public ip’s of the server (Charmhub | Deploy Manual TLS Certificates using Charmhub - The Open Operator Collection) but when i run juju integrate manual-tls-certificates mongodb command manual-tls-certificates has 2 csr request even i have 1 mongo container.that is one problem to me, if we except that when i check the csr with text output that’s also contains ip of the mongo lxc container. My exact Requirement access mongo with public ip of the server with tls.

1.Is there any way to bind the server’s public ip with csr?

2.Assume we genrated our own csr with public ip of the server and certificate signed by external CA,then how we can integrate it with mongodb charm?

3

Hi @wimalatissa

Thanks for your interest in Charmed MongoDB + our docs and for your question

Some context for why we request two certificates is that we always request two certificates in Charmed MongoDB.

  • One for internal communication (replicas communicating with each other)
  • One for external communication (replica set communicating with client)

Even if you only have one replica in your replica set, we still request one for internal communication just in case you decide to add more replicas

I will answer your other questions later :slight_smile:

1 Like
4

For your other questions

  1. Is there any way to bind the server’s public ip with csr?

I do not believe there is . But let me double check and get back to you

  1. Assume we genrated our own csr with public ip of the server and certificate signed by external CA,then how we can integrate it with mongodb charm?

I don’t believe this is supported since Charmed MongoDB creates its own CSRs . But I will double check and get back to you

1 Like
5

Hi @wimalatissa - Thanks for your patience. So just a heads up this tutorial you are looking at is for deploying Charmed MongoDB as a replica set. Why this is notable is that even if you had a public ip address for your TLS certs in MongoDB, the client will still receive the replica set members with private IPs and the mongo client will reconnect using these private IPs (this is due to the nature of mongo client)

I assume that you are wanting to access the cluster from outside of LXC while maintaining encryption, is that correct?

If you wanted to communicate via a public IP I believe it would make the most sense to do this with the mongos charm. What I would suggest doing is:

  1. follow steps 1-6 of the sharding tutorial - steps 4&5 are optional
  2. Setup a bridge between LXC and outside network
  3. enable TLS on your cluster by following step 7 of the sharding tutorial