(DOCSP-8867): Update ConfigMap for TLS, X.509

Author: Anthony Sansone

conf.py

@@ -85,7 +85,7 @@
     '.. |bic-short| replace:: :bic:`BI Connector </>`',
     '.. |bic| replace:: BI Connector for Atlas',
     '.. |bson| replace:: :abbr:`BSON (Binary Javascript Object Notation)`',
-    '.. |certauth| replace:: Certificate Authority',
+    '.. |certauth| replace:: :abbr:`CA (Certificate Authority)`',
     '.. |cidr| replace:: :abbr:`CIDR (Classless Inter-Domain Routing)`',
     '.. |cifs| replace:: :abbr:`CIFS (Common Internet File System)`',
     '.. |com| replace:: Cloud Manager or Ops Manager',

source/includes/code-examples/yaml-files/configmaps/example-configmap-client-x509-lower.yaml

@@ -0,0 +1,6 @@
+  sslMMSCAConfigMap: <root-ca-configmap-name>
+  sslRequireValidMMSServerCertificates: 'true'
+
+  authenticationMode: x509
+  credentials: <my-credentials>
+...

source/includes/code-examples/yaml-files/configmaps/example-configmap-internal-x509-lower.yaml

@@ -0,0 +1,6 @@
+  sslMMSCAConfigMap: <root-ca-configmap-name>
+  sslRequireValidMMSServerCertificates: 'true'
+
+  authenticationMode: x509
+  credentials: <my-credentials>
+...

source/includes/code-examples/yaml-files/configmaps/example-configmap-tls-full.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: <my-configmap>
+  namespace: <my-namespace>
+data:
+  projectName: <my-ops-manager-project-name>
+  orgId: <org-id> # Optional
+  baseUrl: https://<my-ops-manager-URL>
+
+  sslMMSCAConfigMap: <root-ca-configmap-name>
+  sslRequireValidMMSServerCertificates: 'true'
+...

source/includes/code-examples/yaml-files/configmaps/example-configmap-tls-lower.yaml

@@ -0,0 +1,3 @@
+  sslMMSCAConfigMap: <root-ca-configmap-name>
+  sslRequireValidMMSServerCertificates: ‘true’
+...

source/includes/code-examples/yaml-files/configmaps/example-configmap-tls-upper.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: <my-configmap>
+  namespace: <my-namespace>
+data:
+  projectName: <my-ops-manager-project-name>
+  orgId: <org-id> # Optional
+  baseUrl: https://<my-ops-manager-URL>
+

source/includes/prereqs-secure-resource-x509.rst

@@ -0,0 +1,9 @@
+Enabling X.509 authentication at the project level configures all
+agents to use X.509 client authentication when communicating with
+MongoDB deployments.
+
+X.509 client authentication requires one of the following:
+
+- |cloud-short|
+- |onprem| 4.1.7 or later
+- |onprem| 4.0.11 or later

source/includes/steps-deploy-k8s-replica-set-tls-custom.yaml

@@ -39,7 +39,7 @@ replacement:
    .. literalinclude:: /includes/code-examples/yaml-files/example-replica-set.yaml
       :language: yaml
       :linenos:
-      :lineno-start: 18
+      :lineno-start: 16
       :start-after: START-tls-replset-lower-custom
       :end-before: END-tls-replset-lower-custom
       :emphasize-lines: 1-4

source/includes/steps-deploy-k8s-replica-set-tls.yaml

@@ -26,7 +26,7 @@ replacement:
    .. literalinclude:: /includes/code-examples/yaml-files/example-replica-set.yaml
       :language: yaml
       :linenos:
-      :lineno-start: 18
+      :lineno-start: 16
       :start-after: START-tls-replset-lower
       :end-before: END-tls-replset-lower
       :emphasize-lines: 1-3

source/includes/steps-deploy-k8s-replica-set-x509-custom.yaml

@@ -38,7 +38,7 @@ replacement:
    .. literalinclude:: /includes/code-examples/yaml-files/example-replica-set.yaml
       :language: yaml
       :linenos:
-      :lineno-start: 18
+      :lineno-start: 16
       :start-after: START-x509-client-replset-lower-custom
       :end-before: END-x509-client-replset-lower-custom
       :emphasize-lines: 1-7

source/includes/steps-deploy-k8s-replica-set-x509-internal-custom.yaml

@@ -44,7 +44,7 @@ replacement:
    .. literalinclude:: /includes/code-examples/yaml-files/example-replica-set.yaml
       :language: yaml
       :linenos:
-      :lineno-start: 18
+      :lineno-start: 16
       :start-after: START-x509-internal-replset-lower-custom
       :end-before: END-x509-internal-replset-lower-custom
       :emphasize-lines: 1-8

source/includes/steps-deploy-k8s-replica-set-x509-internal.yaml

@@ -26,7 +26,7 @@ replacement:
    .. literalinclude:: /includes/code-examples/yaml-files/example-replica-set.yaml
       :language: yaml
       :linenos:
-      :lineno-start: 18
+      :lineno-start: 16
       :start-after: START-x509-internal-replset-lower
       :end-before: END-x509-internal-replset-lower
       :emphasize-lines: 1-7

source/includes/steps-deploy-k8s-replica-set-x509.yaml

@@ -26,7 +26,7 @@ replacement:
    .. literalinclude:: /includes/code-examples/yaml-files/example-replica-set.yaml
       :language: yaml
       :linenos:
-      :lineno-start: 18
+      :lineno-start: 16
       :start-after: START-x509-client-replset-lower
       :end-before: END-x509-client-replset-lower
       :emphasize-lines: 1-6

source/includes/steps-deploy-k8s-sharded-cluster-tls-custom.yaml

@@ -53,7 +53,7 @@ replacement:
       :start-after: START-tls-sharded-lower-custom
       :end-before: END-tls-sharded-lower-custom
       :linenos:
-      :lineno-start: 21
+      :lineno-start: 19
       :emphasize-lines: 1-4
 
 ---

source/includes/steps-deploy-k8s-sharded-cluster-tls.yaml

@@ -28,7 +28,7 @@ replacement:
       :start-after: START-tls-sharded-lower
       :end-before: END-tls-sharded-lower
       :linenos:
-      :lineno-start: 21
+      :lineno-start: 19
       :emphasize-lines: 1-3
 
 ---

source/includes/steps-deploy-k8s-sharded-cluster-x509-custom.yaml

@@ -46,7 +46,7 @@ replacement:
       :start-after: START-x509-client-sharded-lower-custom
       :end-before: END-x509-client-sharded-lower-custom
       :linenos:
-      :lineno-start: 21
+      :lineno-start: 19
       :emphasize-lines: 1-7
 
 ---

source/includes/steps-deploy-k8s-sharded-cluster-x509-internal-custom.yaml

@@ -64,7 +64,7 @@ replacement:
       :start-after: START-x509-internal-sharded-lower-custom
       :end-before: END-x509-internal-sharded-lower-custom
       :linenos:
-      :lineno-start: 21
+      :lineno-start: 19
       :emphasize-lines: 1-8
 
 ---

source/includes/steps-deploy-k8s-sharded-cluster-x509-internal.yaml

@@ -28,7 +28,7 @@ replacement:
       :start-after: START-x509-internal-sharded-lower
       :end-before: END-x509-internal-sharded-lower
       :linenos:
-      :lineno-start: 21
+      :lineno-start: 19
       :emphasize-lines: 1-7
 
 ---

source/includes/steps-deploy-k8s-sharded-cluster-x509.yaml

@@ -28,7 +28,7 @@ replacement:
       :start-after: START-x509-client-sharded-lower
       :end-before: END-x509-client-sharded-lower
       :linenos:
-      :lineno-start: 21
+      :lineno-start: 19
       :emphasize-lines: 1-6
 
 ---

source/includes/steps-set-configmap-for-client-x509.yaml

@@ -0,0 +1,99 @@
+---
+stepnum: 1
+level: 4
+ref: create-configmap-ca-certs
+source:
+  file: steps-source-configmap-secure.yaml
+  ref: create-configmap-ca
+---
+title: "Copy the highlighted section of the following example ``ConfigMap``."
+stepnum: 2
+level: 4
+ref: copy-k8s-configmap-tls
+content: |
+  .. literalinclude:: /includes/code-examples/yaml-files/configmaps/example-configmap-tls-upper.yaml
+     :language: yaml
+     :linenos:
+     :copyable: false
+
+  .. literalinclude:: /includes/code-examples/yaml-files/configmaps/example-configmap-client-x509-lower.yaml
+     :language: yaml
+     :linenos:
+     :lineno-start: 11
+     :emphasize-lines: 1-5
+---
+stepnum: 3
+level: 4
+ref: paste-k8s-configmap-tls
+source:
+  file: steps-source-configmap-secure.yaml
+  ref: paste-k8s-configmap
+---
+title: "Specify the TLS and X.509 settings"
+stepnum: 4
+level: 4
+ref: configure-project-tls
+content: |
+   Update the following keys with the appropriate values:
+
+   .. list-table::
+      :widths: 20 20 40 20
+      :header-rows: 1
+
+      * - Key
+        - Type
+        - Description
+        - Example
+
+      * - ``sslMMSCAConfigMap``
+        - string
+        - Name of the |k8s-configmap| created in the first step
+          containing the root |certauth| certificate used to sign the
+          |onprem| host's certificate. This mounts the CA certificate
+          to the |k8s-op-short| and database resources.
+        - ``my-root-ca``
+
+      * - ``sslRequireValidMMSServerCertificates``
+        - boolean
+        - Forces the Operator to require a valid |tls| certificate
+          from |mms|.
+
+          .. important::
+
+             The value must be enclosed in single quotes or the
+             operator will throw an error.
+
+        - ``'true'``
+
+      * - ``data.authenticationMode``
+        - string
+        - Requires all agents to use X.509 client authentication when
+          communicating with MongoDB deployments.
+        - ``x509``
+
+      * - ``data.credentials``
+        - string
+        - Name of the |k8s| secret containing the |com| Public and
+          Private Keys for your desired |svc-api-key|. If you have not
+          created these credentials yet, see :ref:`create-k8s-secret`.
+        - ``mycredentials``
+---
+title: "Save your updated ConfigMap."
+stepnum: 5
+level: 4
+ref: save-k8s-configmap
+---
+stepnum: 6
+level: 4
+ref: reapply-k8s-configmap-tls
+source:
+  file: steps-source-configmap-secure.yaml
+  ref: reapply-k8s-configmap
+---
+stepnum: 7
+level: 4
+ref: verify-k8s-configmap-tls
+source:
+  file: steps-source-configmap-secure.yaml
+  ref: verify-k8s-configmap
+...

source/includes/steps-set-configmap-for-internal-x509.yaml

@@ -0,0 +1,101 @@
+---
+stepnum: 1
+level: 4
+ref: create-configmap-ca-certs
+source:
+  file: steps-source-configmap-secure.yaml
+  ref: create-configmap-ca
+---
+title: "Copy the highlighted section of the following example ``ConfigMap``."
+stepnum: 2
+level: 4
+ref: copy-k8s-configmap-tls
+content: |
+  .. literalinclude:: /includes/code-examples/yaml-files/configmaps/example-configmap-tls-upper.yaml
+     :language: yaml
+     :linenos:
+     :copyable: false
+
+  .. literalinclude:: /includes/code-examples/yaml-files/configmaps/example-configmap-internal-x509-lower.yaml
+     :language: yaml
+     :linenos:
+     :lineno-start: 11
+     :emphasize-lines: 1-5
+
+---
+stepnum: 3
+level: 4
+ref: paste-k8s-configmap-tls
+source:
+  file: steps-source-configmap-secure.yaml
+  ref: paste-k8s-configmap
+---
+title: "Specify the TLS and X.509 settings"
+stepnum: 4
+level: 4
+ref: configure-project-tls
+content: |
+   Update the following keys with the appropriate values:
+
+   .. list-table::
+      :widths: 20 20 40 20
+      :header-rows: 1
+
+      * - Key
+        - Type
+        - Description
+        - Example
+
+      * - ``sslMMSCAConfigMap``
+        - string
+        - Name of the |k8s-configmap| created in the first step
+          containing the root |certauth| certificate used to sign the
+          |onprem| host's certificate. This mounts the root |certauth|
+          certificate to the |k8s-op-short| and database resources.
+        - ``my-root-ca``
+
+      * - ``sslRequireValidMMSServerCertificates``
+        - boolean
+        - Forces the Operator to require a valid |tls| certificate
+          from |mms|.
+
+          .. important::
+
+             The value must be enclosed in single quotes or the
+             operator will throw an error.
+
+        - ``'true'``
+
+      * - ``data.authenticationMode``
+        - string
+        - Requires all agents to use X.509 client authentication when
+          communicating with MongoDB deployments.
+        - ``x509``
+
+      * - ``data.credentials``
+        - string
+        - Name of the |k8s| secret containing the |com| Public and Private
+          Keys for your desired |svc-api-key|. If you have not
+          created these credentials yet, see :ref:`create-k8s-secret`.
+        - ``mycredentials``
+
+---
+title: "Save your updated ConfigMap."
+stepnum: 5
+level: 4
+ref: save-k8s-configmap
+---
+stepnum: 6
+level: 4
+ref: reapply-k8s-configmap-tls
+source:
+  file: steps-source-configmap-secure.yaml
+  ref: reapply-k8s-configmap
+---
+stepnum: 7
+level: 4
+ref: verify-k8s-configmap-tls
+source:
+  file: steps-source-configmap-secure.yaml
+  ref: verify-k8s-configmap
+...