(DOCSP-6256): Add Custom CA to TLS, X.509

Author: Anthony Sansone

conf.py

@@ -164,6 +164,7 @@
     '.. |nfs| replace:: :abbr:`NFS (Network File System)`',
     '.. |ntp| replace:: :abbr:`NTP (Network Time Protocol)`',
     '.. |nvme-clusters| replace:: clusters with local NVMe SSDs',
+    '.. |pem| replace:: :abbr:`PEM (Privacy-Enhanced Mail)`',
     '.. |pit| replace:: :abbr:`PIT (Point in Time)`',
     '.. |piv| replace:: :abbr:`PIV (Personal Identity Verification)`',
     '.. |rdp| replace:: :abbr:`RDP (Remote Desktop Protocol)`',

source/includes/admonitions/cannot-secure-standalone.rst

@@ -0,0 +1 @@
+.. note:: You can't secure a Standalone Instance of MongoDB in a |k8s| cluster.

source/includes/code-examples/yaml-files/example-replica-set.yaml

@@ -258,6 +258,7 @@ spec:
 ...
 END-scaled-replset
 
+
 START-horizon-replset
 ---
 apiVersion: mongodb.com/v1
@@ -378,3 +379,164 @@ START-horizon-addcert-replset-lower-nodeports
       - "example-website": "web3.example.com:31185"
 ...
 END-horizon-addcert-replset-lower-nodeports
+
+START-tls-replset-full-custom
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: <my-replica-set>
+spec:
+  members: 3
+  version: 4.2.1
+  opsManager:
+    configMapRef:
+      name: <configMap.metadata.name>
+            # Must match metadata.name in ConfigMap file
+  credentials: <mycredentials>
+  type: ReplicaSet
+  persistent: true
+  security:
+    tls:
+      enabled: true
+      ca: <custom-ca>
+...
+END-tls-replset-full-custom
+
+START-tls-replset-upper-custom
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: <my-replica-set>
+spec:
+  members: 3
+  version: 4.2.1
+  opsManager:
+    configMapRef:
+      name: <configMap.metadata.name>
+            # Must match metadata.name in ConfigMap file
+  credentials: <mycredentials>
+  type: ReplicaSet
+  persistent: true
+END-tls-replset-upper-custom
+
+START-tls-replset-lower-custom
+  security:
+    tls:
+      enabled: true
+      ca: <custom-ca>
+...
+END-tls-replset-lower-custom
+
+START-x509-client-replset-full-custom
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: <my-replica-set>
+spec:
+  members: 3
+  version: 4.2.1
+  opsManager:
+    configMapRef:
+      name: <configMap.metadata.name>
+            # Must match metadata.name in ConfigMap file
+  credentials: <mycredentials>
+  type: ReplicaSet
+  persistent: true
+  security:
+    tls:
+      enabled: true
+      ca: <custom-ca>
+    authentication:
+      enabled: true
+      modes: ["X509"]
+...
+END-x509-client-replset-full-custom
+
+START-x509-client-replset-upper-custom
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: <my-replica-set>
+spec:
+  members: 3
+  version: 4.2.1
+  opsManager:
+    configMapRef:
+      name: <configMap.metadata.name>
+            # Must match metadata.name in ConfigMap file
+  credentials: <mycredentials>
+  type: ReplicaSet
+  persistent: true
+END-x509-client-replset-upper-custom
+
+START-x509-client-replset-lower-custom
+  security:
+    tls:
+      enabled: true
+      ca: <custom-ca>
+    authentication:
+      enabled: true
+      modes: ["X509"]
+...
+END-x509-client-replset-lower-custom
+
+START-x509-internal-replset-full-custom
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: <my-replica-set>
+spec:
+  members: 3
+  version: 4.2.1
+  opsManager:
+    configMapRef:
+      name: <configMap.metadata.name>
+            # Must match metadata.name in ConfigMap file
+  credentials: <mycredentials>
+  type: ReplicaSet
+  persistent: true
+  security:
+    tls:
+      enabled: true
+      ca: <custom-ca>
+    authentication:
+      enabled: true
+      modes: ["X509"]
+      internalCluster: "X509"
+...
+END-x509-internal-replset-full-custom
+
+START-x509-internal-replset-upper-custom
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: <my-replica-set>
+spec:
+  members: 3
+  version: 4.2.1
+  opsManager:
+    configMapRef:
+      name: <configMap.metadata.name>
+            # Must match metadata.name in ConfigMap file
+  credentials: <mycredentials>
+  type: ReplicaSet
+  persistent: true
+END-x509-internal-replset-upper-custom
+
+START-x509-internal-replset-lower-custom
+  security:
+    tls:
+      enabled: true
+      ca: <custom-ca>
+    authentication:
+      enabled: true
+      modes: ["X509"]
+      internalCluster: "X509"
+...
+END-x509-internal-replset-lower-custom

source/includes/code-examples/yaml-files/example-sharded-cluster.yaml

@@ -292,6 +292,187 @@ spec:
 ...
 END-scaled-sharded
 
+
+START-tls-sharded-full-custom
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: <my-sharded-cluster>
+spec:
+  shardCount: 2
+  mongodsPerShardCount: 3
+  mongosCount: 2
+  configServerCount: 3
+  version: 4.2.1
+  opsManager:
+    configMapRef:
+      name: <configMap.metadata.name>
+            # Must match metadata.name in ConfigMap file
+  credentials: <mycredentials>
+  type: ShardedCluster
+  persistent: true
+  security:
+    tls:
+      enabled: true
+      ca: <custom-ca>
+...
+END-tls-sharded-full-custom
+
+START-tls-sharded-upper-custom
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: <my-sharded-cluster>
+spec:
+  shardCount: 2
+  mongodsPerShardCount: 3
+  mongosCount: 2
+  configServerCount: 3
+  version: 4.2.1
+  opsManager:
+    configMapRef:
+      name: <configMap.metadata.name>
+            # Must match metadata.name in ConfigMap file
+  credentials: <mycredentials>
+  type: ShardedCluster
+  persistent: true
+END-tls-sharded-upper-custom
+
+START-tls-sharded-lower-custom
+  security:
+    tls:
+      enabled: true
+      ca: <custom-ca>
+...
+END-tls-sharded-lower-custom
+
+START-x509-client-sharded-full-custom
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: <my-sharded-cluster>
+spec:
+  shardCount: 2
+  mongodsPerShardCount: 3
+  mongosCount: 2
+  configServerCount: 3
+  version: 4.2.1
+  opsManager:
+    configMapRef:
+      name: <configMap.metadata.name>
+            # Must match metadata.name in ConfigMap file
+  credentials: <mycredentials>
+  type: ShardedCluster
+  persistent: true
+  security:
+    tls:
+      enabled: true
+      ca: <custom-ca>
+    authentication:
+      enabled: true
+      modes: ["X509"]
+...
+END-x509-client-sharded-full-custom
+
+START-x509-client-sharded-upper-custom
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: <my-sharded-cluster>
+spec:
+  shardCount: 2
+  mongodsPerShardCount: 3
+  mongosCount: 2
+  configServerCount: 3
+  version: 4.2.1
+  opsManager:
+    configMapRef:
+      name: <configMap.metadata.name>
+            # Must match metadata.name in ConfigMap file
+  credentials: <mycredentials>
+  type: ShardedCluster
+  persistent: true
+END-x509-client-sharded-upper-custom
+
+START-x509-client-sharded-lower-custom
+  security:
+    tls:
+      enabled: true
+      ca: <custom-ca>
+    authentication:
+      enabled: true
+      modes: ["X509"]
+...
+END-x509-client-sharded-lower-custom
+
+START-x509-internal-sharded-full-custom
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: <my-sharded-cluster>
+spec:
+  shardCount: 2
+  mongodsPerShardCount: 3
+  mongosCount: 2
+  configServerCount: 3
+  version: 4.2.1
+  opsManager:
+    configMapRef:
+      name: <configMap.metadata.name>
+            # Must match metadata.name in ConfigMap file
+  credentials: <mycredentials>
+  type: ShardedCluster
+  persistent: true
+  security:
+    tls:
+      enabled: true
+      ca: <custom-ca>
+    authentication:
+      enabled: true
+      modes: ["X509"]
+      internalCluster: "X509"
+...
+END-x509-internal-sharded-full-custom
+
+START-x509-internal-sharded-upper-custom
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: <my-sharded-cluster>
+spec:
+  shardCount: 2
+  mongodsPerShardCount: 3
+  mongosCount: 2
+  configServerCount: 3
+  version: 4.2.1
+  opsManager:
+    configMapRef:
+      name: <configMap.metadata.name>
+            # Must match metadata.name in ConfigMap file
+  credentials: <mycredentials>
+  type: ShardedCluster
+  persistent: true
+END-x509-internal-sharded-upper-custom
+
+START-x509-internal-sharded-lower-custom
+  security:
+    tls:
+      enabled: true
+      ca: <custom-ca>
+    authentication:
+      enabled: true
+      modes: ["X509"]
+      internalCluster: "X509"
+...
+END-x509-internal-sharded-lower-custom
+
+
 START-exposed-sharded-full
 ---
 apiVersion: mongodb.com/v1
@@ -371,4 +552,3 @@ START-exposed-sharded-tls-lower
         - "additional-cert-test.com"
 ...
 END-exposed-sharded-tls-lower
-