How to enable TLS
Charmed MongoDB 8 provides Transport Layer Security (TLS) for peer-to-peer and client-server communication.
- Peer-to-peer: communication between members in the cluster is encrypted and authenticated using certificates.
- Client-to-server: the MongoDB client can verify the server's identity and the connection is protected in transit.
Deploy a TLS provider
Charmed MongoDB provides the option of using different CA certificates for client-server and peer-to-peer communication. This allows you to have different levels of trust for the two types of communication. You can also use the same CA certificate for both types of communication.
You can enable peer-to-peer encryption alone, client-to-server encryption alone, or both at the same time.
This guide will use the Self-signed Certificates charm as an example for all cases.
Caution
Self-signed certificates are not recommended for a production environment.
See this guide for an overview of the available TLS certificates charms and how to choose the right one for your use-case.
Deploy the self-signed-certificates charm.
juju deploy self-signed-certificates
Enable TLS in a replica set
Integrate your replica set with the TLS provider according to the required encryption.
Peer-to-peer
For the mongodb (machine) charm:
juju deploy self-signed-certificates
juju integrate self-signed-certificates mongodb:peer-certificates
For the mongodb-k8s charm:
juju deploy self-signed-certificates
juju integrate self-signed-certificates mongodb-k8s:peer-certificates
Client-to-server
For the mongodb (machine) charm:
juju deploy self-signed-certificates
juju integrate self-signed-certificates mongodb:client-certificates
For the mongodb-k8s charm:
juju deploy self-signed-certificates
juju integrate self-signed-certificates mongodb-k8s:client-certificates
Enable TLS in a sharded cluster
Enabling encryption via TLS in a sharded cluster can be done before or after shards are added to the config-server.
However, it requires that:
- All cluster components have encryption enabled.
- All cluster components are integrated with the same Certificate Authority (CA).
To enable TLS, integrate the TLS provider charm with all cluster components.
In a cluster with two shards (named shard0 and shard1) and a config-server, it would look as follows:
Peer-to-peer
juju integrate self-signed-certificates config-server:peer-certificates
juju integrate self-signed-certificates shard0:peer-certificates
juju integrate self-signed-certificates shard1:peer-certificates
Your sharded cluster now has peer-to-peer encryption enabled via TLS.
Client-to-server
juju integrate self-signed-certificates config-server:client-certificates
juju integrate self-signed-certificates shard0:client-certificates
juju integrate self-signed-certificates shard1:client-certificates
Your sharded cluster now has client-to-server encryption enabled via TLS.
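The two requirements above (every component integrated, and all of them with the same CA) are easy to miss when the integrate commands are typed one by one. The following POSIX shell helper is an added example and is not part of the Charmed MongoDB documentation or charm code: it generates the `juju integrate` lines for a whole component list so none is skipped, and checks a component-to-CA map for the same-CA rule. The provider name `self-signed-certificates` and the component names `config-server`, `shard0` and `shard1` are the page's own; the relation map fed to `same_ca_check` is constructed inline for the example (in practice you would derive it from `juju status --relations`).

```shell
#!/bin/sh
# Added example, not from the Charmed MongoDB docs or charm code.

# tls_integrate_cmds PROVIDER ENDPOINT COMPONENT...
# Prints one "juju integrate" line per component for the given endpoint
# (peer-certificates or client-certificates). Review the output, then pipe
# it into sh to run it. Rejects any endpoint the charm does not expose.
tls_integrate_cmds() {
  provider=$1; endpoint=$2; shift 2
  case "$endpoint" in
    peer-certificates|client-certificates) ;;
    *) echo "unknown endpoint: $endpoint" >&2; return 1 ;;
  esac
  for app in "$@"; do
    printf 'juju integrate %s %s:%s\n' "$provider" "$app" "$endpoint"
  done
}

# same_ca_check MAP
# MAP is lines of "<component> <ca-app>". Returns 0 when every component is
# integrated with one and the same CA app, 1 otherwise (the sharded-cluster
# requirement from the page). Distinct CA apps are counted with awk.
same_ca_check() {
  printf '%s\n' "$1" | awk 'NF == 2 { ca[$2] = 1 }
    END { n = 0; for (k in ca) n++; exit (n == 1 ? 0 : 1) }'
}

# Constructed relation map: all three components on the same CA (valid).
GOOD_MAP="config-server self-signed-certificates
shard0 self-signed-certificates
shard1 self-signed-certificates"

# Constructed relation map: shard1 on a different CA (violates the rule).
BAD_MAP="config-server self-signed-certificates
shard0 self-signed-certificates
shard1 other-ca"

# Example run: print the peer and client integrate commands for the page's
# two-shard cluster, then evaluate both constructed maps.
tls_integrate_cmds self-signed-certificates peer-certificates config-server shard0 shard1
tls_integrate_cmds self-signed-certificates client-certificates config-server shard0 shard1
if same_ca_check "$GOOD_MAP"; then echo "GOOD_MAP: single CA, ok"; fi
if ! same_ca_check "$BAD_MAP"; then echo "BAD_MAP: more than one CA, fix before enabling TLS"; fi
```

Run `tls_integrate_cmds ... | sh` only after reading the generated lines; keeping generation and execution separate makes it obvious when a component is missing from the list, and `same_ca_check` is the gate to run before integrating a second TLS provider into an existing sharded cluster.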