Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

Charmed MongoDB K8s Tutorials > Deploy a replica set > 7. Enable TLS

Enable TLS in your MongoDB deployment

Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.

Typically, enabling TLS internally within a highly available database or between a highly available database and client/server applications requires a high level of expertise. This has all been encoded into Charmed MongoDB K8s so that configuring TLS requires minimal effort on your end.

TLS is enabled by integrating Charmed MongoDB K8s with the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.

In this section, you will learn how to enable security in your MongoDB deployment using TLS encryption.

Disclaimer: In this tutorial, we use self-signed certificates provided by the self-signed-certificates-operator.

This is not recommended for a production environment.

For production environments, check the collection of Charmhub operators that implement the tls-certificate interface, and choose the most suitable for your use-case.

Summary


Configure TLS

First, deploy the self-signed-certificates charm:

juju deploy self-signed-certificates

Wait until the self-signed-certificates app is active with juju status --watch 1s, like in the output below.

Model     Controller  Cloud/Region        Version  SLA          Timestamp
tutorial  overlord    microk8s/localhost  3.1.6    unsupported  04:40:45Z

App                       Version  Status  Scale  Charm                     Channel  Rev  Address         Exposed  Message
data-integrator                    active      1  data-integrator           edge      13  10.152.183.196  no       
mongodb-k8s                        active      2  mongodb-k8s               6/edge    37  10.152.183.194  no       Primary
self-signed-certificates           active      1  self-signed-certificates  beta      33  10.152.183.116  no 

Unit                         Workload  Agent  Address       Ports  Message
data-integrator/0*           active    idle   10.1.137.151             
mongodb-k8s/0*               active    idle   10.1.137.145         Primary
mongodb-k8s/1                active    idle   10.1.137.149         
self-signed-certificates/0*  active    idle   10.1.137.152         

Now that self-signed-certificates has finished deploying, we can configure it with:

juju config self-signed-certificates ca-common-name="Tutorial CA" 

Enable TLS

To enable TLS on Charmed MongoDB K8s, integrate the two applications:

juju integrate mongodb-k8s self-signed-certificates

Connect to MongoDB with TLS

Like before, generate and save the URI that is used to connect to MongoDB:

export URI=mongodb://$DB_USERNAME:$DB_PASSWORD@$HOST_IP,$HOST_IP_1:27017/$DB_NAME?replicaSet=$REPL_SET_NAME
echo $URI

Now ssh into mongodb-k8s/0:

juju ssh --container=mongod mongodb-k8s/0

We are now in the unit that is hosting Charmed MongoDB K8s.

Once TLS has been enabled, we will need to change how we connect to MongoDB. We will need to specify the TLS CA file along with the TLS Certificate file that were automatically created when we integrated the two charms.

You will find these files on the units hosting the Charmed MongoDB K8s application in the folder /etc/mongod.

If you enter:

ls /etc/mongod/external*

you should see the external certificate file and the external CA file:

/etc/mongod/external-ca.crt  /etc/mongod/external-cert.pem

As before, we will connect to MongoDB via the saved MongoDB URI. Connect using the saved URI and the following TLS options:

mongosh "<saved uri>" --tls --tlsCAFile /etc/mongod/external-ca.crt  --tlsCertificateKeyFile /etc/mongod/external-cert.pem

Make sure you wrap the URI in quotation marks ("") with no trailing whitespace.

You have successfully connected to MongoDB with TLS!

When you are ready, leave the MongoDB shell by typing exit. You will be back in the host of Charmed MongoDB (mongodb-k8s/0). Exit this host by typing exit again.

You should now be at the original shell where you can interact with Juju and MicroK8s

Disable TLS

To disable TLS, remove the integration between the two applications:

juju remove-relation mongodb-k8s self-signed-certificates

Next step: 8. Clean up the environment

Last updated 2 months ago. Help improve this document in the forum.