Commit dc62f6e

(DOCSP-25524) Refactors TLS for multi-clusters (#1085)
* (DOCSP-25524) Refactors TLS for multi-clusters
* Includes changes from Melissa's copy review
* Includes changes from reviews
* Includes changes from tech and copy review
1 parent 33819f6 commit dc62f6e

21 files changed: +344 / -217 lines changed

conf.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -184,8 +184,8 @@
184184
'.. |mongod| replace:: :binary:`~bin.mongod`',
185185
'.. |mongos| replace:: :binary:`~bin.mongos`',
186186
'.. |mongo| replace:: :binary:`~bin.mongo`',
187-
'.. |multi-cluster| replace:: multi-Kubernestes-cluster deployment',
188-
'.. |Multi-cluster| replace:: Multi-Kubernestes-cluster deployment',
187+
'.. |multi-cluster| replace:: multi-Kubernetes-cluster deployment',
188+
'.. |Multi-cluster| replace:: Multi-Kubernetes-cluster deployment',
189189
'.. |multi-clusters| replace:: multi-Kubernetes-cluster deployments',
190190
'.. |oc| replace:: :xml:`<mono><link target="https://docs.openshift.com/container-platform/3.11/cli_reference/index.html">oc</link></mono>`',
191191
'.. |onprem| replace:: Ops Manager',

config/redirects

Lines changed: 3 additions & 2 deletions
@@ -90,5 +90,6 @@ raw: docs/kubernetes-operator/release-notes -> ${base}/stable/release-notes/
9090

9191
# All Versions
9292

93-
[*]: docs/kubernetes-operator/${version}/tutorial/secure-om-with-tls -> ${base}/${version}/tutorial/deploy-om-container
94-
[*]: docs/kubernetes-operator/${version}/tutorial/secure-tls -> ${base}/${version}/tutorial/deploy-replica-set
93+
[*]: docs/kubernetes-operator/${version}/tutorial/secure-om-with-tls -> ${base}/${version}/tutorial/deploy-om-container/
94+
[*]: docs/kubernetes-operator/${version}/tutorial/secure-tls -> ${base}/${version}/tutorial/deploy-replica-set/
95+
[*]: docs/kubernetes-operator/${version}/tutorial/multi-cluster-secure-tls -> ${base}/${version}/tutorial/mutli-cluster-quick-start-procedure/
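Review bot: the target of the newly added redirect contains a typo: `mutli-cluster-quick-start-procedure/` should be `multi-cluster-quick-start-procedure/`. As written, anyone following the old `tutorial/multi-cluster-secure-tls` URL lands on a page that does not exist. The trailing slashes added to the two existing targets match the form used above the hunk (`release-notes/`), so that part looks right.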
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
- To configure |ldap| in |k8s-crds|, use the parameters under the
2+
:setting:`spec.security.authentication.ldap` and other
3+
:ref:`security LDAP settings <security-settings>` specific to the
4+
MongoDB Agent, from the |k8s-op-short| MongoDB resource specification.
5+
The procedures in this section describe the required settings and
6+
provide examples of |ldap| configuration.
7+
8+
- To improve security, consider deploying a
9+
:ref:`TLS-encrypted multi-cluster <multi-cluster-tls-overview>`.
10+
Encryption with |tls| is optional. By default, |ldap| traffic is sent
11+
as plain text. This means that username and password are exposed to
12+
network threats. Many modern directory services, such as Microsoft
13+
Active Directory, require encrypted connections. Consider using
14+
|ldap| over |tls-ssl| to encrypt vauthentication requests in your
15+
|k8s-op-short| MongoDB deployments.
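Review bot: typo on the last added line: `vauthentication` should be `authentication`. One more point on the second bullet: it says TLS is optional and that plaintext LDAP exposes the username and password, but the LDAP step file changed in this same commit now states that TLS must be enabled when the multi-cluster resource is deployed in order to use `transportSecurity: "tls"`. Consider saying here that the `multi-cluster-tls-overview` prerequisites must be completed before the LDAP procedure if the reader wants LDAP over TLS, rather than only "consider deploying" it.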

source/includes/steps-deploy-k8s-multi-cluster-replica-set-ldap.yaml

Lines changed: 4 additions & 16 deletions
@@ -1,18 +1,5 @@
1-
stepnum: 1
2-
ref: create-mc-rs-tls-secret
3-
source:
4-
file: steps-multi-cluster-source.yaml
5-
ref: create-k8s-mc-tls-secret
61
---
7-
8-
stepnum: 2
9-
ref: create-k8s-mc-rs-tls-configmap
10-
source:
11-
file: steps-multi-cluster-source.yaml
12-
ref: create-k8s-mc-tls-configmap
13-
14-
---
15-
stepnum: 3
2+
stepnum: 1
163
ref: update-mongodbmulti-resource-ldap
174
title: "Update your ``MongoDBMulti`` custom resource to enable |ldap| authentication."
185
level: 4
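Review bot: dropping the `create-k8s-mc-tls-secret` and `create-k8s-mc-tls-configmap` steps changes the preconditions of this procedure without replacing them: the remaining first step sets `transportSecurity: "tls"` and references a CA ConfigMap, so a reader who starts at step 1 no longer has the secret or ConfigMap it depends on. Add a prerequisite line (pointing at the new `multi-cluster-tls-prereqs` section) ahead of step 1, or state in the step body that the TLS-encrypted deployment must already exist.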
@@ -48,7 +35,8 @@ content: |
4835
- "ldap2.example.com:636"
4936
5037
# Set to "tls" to use LDAP over TLS. Leave blank if
51-
# the LDAP server doesn't accept TLS.
38+
# the LDAP server doesn't accept TLS. You must enable TLS when
39+
# you deploy the multi-cluster resource to use this setting.
5240
transportSecurity: "tls"
5341
5442
# If TLS is enabled, add a reference to a ConfigMap that
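Review bot: the added comment "You must enable TLS when you deploy the multi-cluster resource to use this setting" does not say which TLS is meant. `transportSecurity` governs encryption between the agent and the LDAP server, while the resource's `spec.security.tls` governs cluster TLS, and the following comment line introduces a separate CA ConfigMap for the LDAP connection. Spell out that the resource-level TLS from the prerequisites section is the requirement, and consider a short warning that leaving `transportSecurity` blank sends the bind credentials in plaintext, which the new prereqs include already states.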
@@ -76,7 +64,7 @@ content: |
7664
deployment.
7765
7866
---
79-
stepnum: 4
67+
stepnum: 2
8068
level: 4
8169
ref: verify-mc-resources-tls
8270
source:

source/includes/steps-deploy-k8s-multi-cluster-rs-x509-custom.yaml

Lines changed: 2 additions & 14 deletions
@@ -1,24 +1,12 @@
11
---
22
stepnum: 1
3-
ref: create-mc-rs-tls-secret
4-
source:
5-
file: steps-multi-cluster-source.yaml
6-
ref: create-k8s-mc-tls-secret
7-
---
8-
stepnum: 2
93
ref: create-multi-cluster-agent-secret-x509
104
source:
115
file: steps-multi-cluster-source.yaml
126
ref: create-mc-agent-secret-x509
13-
---
14-
stepnum: 3
15-
ref: create-k8s-mc-rs-tls-configmap
16-
source:
17-
file: steps-multi-cluster-source.yaml
18-
ref: create-k8s-mc-tls-configmap
197

208
---
21-
stepnum: 4
9+
stepnum: 2
2210
ref: update-mongodbmulti-resource-x509
2311
title: "Update your ``MongoDBMulti`` custom resource to enable X509 authentication."
2412
level: 4
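Review bot: with the TLS secret and CA ConfigMap steps removed from this file, check the body of `update-mongodbmulti-resource-x509` for a hard-coded "step N" reference to the ConfigMap step. The context at the end of the next hunk ("generates a concatenated |pem| secret, and distributes it to the member clusters") is the same sentence that, in the new `deploy-mdbresource-mc-tls` step added to steps-multi-cluster-source.yaml in this commit, reads "the ConfigMap ... that you created in step 2"; that numbering is only correct in the quick-start ordering and would now be wrong here.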
@@ -67,7 +55,7 @@ content: |
6755
|pem| secret, and distributes it to the member clusters.
6856
6957
---
70-
stepnum: 5
58+
stepnum: 3
7159
level: 4
7260
ref: verify-mc-resources-tls
7361
source:

source/includes/steps-deploy-k8s-multi-cluster-x509-internal-custom.yaml

Lines changed: 3 additions & 15 deletions
@@ -1,29 +1,17 @@
11
---
22
stepnum: 1
3-
ref: create-mc-rs-tls-secret
4-
source:
5-
file: steps-multi-cluster-source.yaml
6-
ref: create-k8s-mc-tls-secret
7-
---
8-
stepnum: 2
93
ref: create-multi-cluster-agent-secret-x509
104
source:
115
file: steps-multi-cluster-source.yaml
126
ref: create-mc-agent-secret-x509
137
---
14-
stepnum: 3
8+
stepnum: 2
159
ref: create-mc-secret-internal-x509
1610
source:
1711
file: steps-multi-cluster-source.yaml
1812
ref: create-mc-secret-x509-internal
1913
---
20-
stepnum: 5
21-
ref: create-k8s-mc-rs-tls-configmap
22-
source:
23-
file: steps-multi-cluster-source.yaml
24-
ref: create-k8s-mc-tls-configmap
25-
---
26-
stepnum: 6
14+
stepnum: 3
2715
ref: update-mongodbmulti-resource-x509
2816
title: "Update your ``MongoDBMulti`` custom resource to enable X509 authentication."
2917
level: 4
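Review bot: the old sequence skipped a number (`stepnum: 3` was followed by `stepnum: 5`); the new 1-4 sequence is consecutive, which fixes that. The same step-reference check applies as in the sibling x509 file: the CA ConfigMap step is gone from this procedure, so any "step N" wording in the `update-mongodbmulti-resource-x509` body that pointed at it must be updated or replaced with a `:ref:` to the prerequisites section.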
@@ -73,7 +61,7 @@ content: |
7361
the central cluster to each member cluster, generates a concatenated
7462
|pem| secret, and distributes it to the member clusters.
7563
---
76-
stepnum: 7
64+
stepnum: 4
7765
level: 4
7866
ref: verify-mc-resources-tls
7967
source:
Lines changed: 80 additions & 0 deletions
@@ -0,0 +1,80 @@
1+
---
2+
stepnum: 1
3+
ref: create-k8s-mc-rs-tls-secret
4+
source:
5+
file: steps-multi-cluster-source.yaml
6+
ref: create-k8s-mc-tls-secret
7+
8+
---
9+
stepnum: 2
10+
ref: create-k8s-mc-rs-tls-configmap
11+
source:
12+
file: steps-multi-cluster-source.yaml
13+
ref: create-k8s-mc-tls-configmap
14+
15+
---
16+
stepnum: 3
17+
level: 4
18+
ref: clone-k8s-qs
19+
inherit:
20+
file: steps-multi-cluster-source.yaml
21+
ref: clone-k8s-repo-multi-cluster
22+
23+
---
24+
stepnum: 4
25+
level: 4
26+
ref: run-mc-tool-qs
27+
inherit:
28+
file: steps-multi-cluster-source.yaml
29+
ref: run-multi-cluster-tool
30+
31+
---
32+
stepnum: 5
33+
level: 4
34+
ref: set-istio-webhook-qs
35+
inherit:
36+
file: steps-multi-cluster-source.yaml
37+
ref: set-istio-webhook
38+
39+
---
40+
stepnum: 6
41+
level: 4
42+
ref: configure-kubectl-mc-qs
43+
inherit:
44+
file: steps-multi-cluster-source.yaml
45+
ref: configure-kubectl-mc
46+
47+
---
48+
stepnum: 7
49+
level: 4
50+
ref: install-mc-helm-charts
51+
inherit:
52+
file: steps-multi-cluster-source.yaml
53+
ref: install-helm-charts
54+
55+
---
56+
stepnum: 8
57+
level: 4
58+
ref: install-kubectl-mc-qs
59+
inherit:
60+
file: steps-multi-cluster-source.yaml
61+
ref: install-kubectl-mc
62+
63+
---
64+
stepnum: 9
65+
level: 4
66+
title: "Deploy the MongoDB resource."
67+
ref: deploy-mdbresource-mc-qs
68+
inherit:
69+
file: steps-multi-cluster-source.yaml
70+
ref: deploy-mdbresource-mc-tls
71+
72+
---
73+
stepnum: 10
74+
level: 4
75+
ref: verify-mdb-resources-mc-qs
76+
inherit:
77+
file: steps-multi-cluster-source.yaml
78+
ref: verify-mdb-resources-mc
79+
80+
...
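Review bot: steps 1 and 2 use `source:` while steps 3 through 10 use `inherit:`. Unless the difference is intentional (only `inherit` lets a step override fields, as step 9 does with `title`), use one form throughout. Also note that the `deploy-mdbresource-mc-tls` step inherited at step 9 hard-codes "created in step 2" for the CA ConfigMap; that is correct for this file today, but it couples the shared step text to this ordering, and inserting a step before step 2 would silently make it wrong. A `:ref:` to the ConfigMap step would be more robust.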

source/includes/steps-multi-cluster-source.yaml

Lines changed: 93 additions & 0 deletions
@@ -210,6 +210,99 @@ content: |
210210
members: 3
211211
EOF
212212
213+
---
214+
stepnum: 0
215+
title: "Deploy the MongoDB resource with |tls|."
216+
ref: deploy-mdbresource-mc-tls
217+
content: |
218+
219+
a. Create a secret so that the |k8s-op-short|
220+
can create and update objects in your |mms| project.
221+
To learn more, see :ref:`create-k8s-credentials`.
222+
223+
#. Create a ConfigMap to link the |k8s-op-short|
224+
to your |mms| project. To learn more, see :ref:`create-k8s-project`.
225+
226+
#. Configure the required service accounts
227+
for each member cluster:
228+
229+
.. code-block:: sh
230+
231+
helm template --show-only \
232+
templates/database-roles.yaml \
233+
mongodb/enterprise-operator \
234+
--set namespace=mongodb | \
235+
kubectl apply -f - \
236+
--context=$MDB_CLUSTER_1_FULL_NAME \
237+
--namespace mongodb
238+
239+
.. code-block:: sh
240+
241+
helm template --show-only \
242+
templates/database-roles.yaml \
243+
mongodb/enterprise-operator \
244+
--set namespace=mongodb | \
245+
kubectl apply -f - \
246+
--context=$MDB_CLUSTER_2_FULL_NAME \
247+
--namespace mongodb
248+
249+
.. code-block:: sh
250+
251+
helm template --show-only \
252+
templates/database-roles.yaml \
253+
mongodb/enterprise-operator \
254+
--set namespace=mongodb | \
255+
kubectl apply -f - \
256+
--context=$MDB_CLUSTER_3_FULL_NAME \
257+
--namespace mongodb
258+
259+
#. Set :setting:`spec.credentials`,
260+
:setting:`spec.opsManagerconfigMapRef.name`, and
261+
:ref:`security settings <security-settings>`
262+
and deploy the MongoDB resource.
263+
In the following code sample, ``duplicateServiceObjects``
264+
is set to ``true`` to enable
265+
`DNS proxying <https://istio.io/latest/docs/ops/configuration/traffic-management/dns-proxy/>`__
266+
in Istio.
267+
268+
.. note::
269+
To enable the cross-cluster DNS resolution by the Istio
270+
service mesh, this tutorial creates service objects with a
271+
single ClusterIP address per each |k8s| Pod.
272+
273+
.. code-block:: sh
274+
275+
kubectl apply -f - <<EOF
276+
apiVersion: mongodb.com/v1
277+
kind: MongoDBMulti
278+
metadata:
279+
name: multi-replica-set
280+
spec:
281+
version: 4.4.0-ent
282+
type: ReplicaSet
283+
persistent: false
284+
duplicateServiceObjects: true
285+
credentials: my-credentials
286+
opsManager:
287+
configMapRef:
288+
name: my-project
289+
security:
290+
tls:
291+
ca: custom-ca
292+
clusterSpecList:
293+
clusterSpecs:
294+
- clusterName: ${MDB_CLUSTER_1_FULL_NAME}
295+
members: 3
296+
- clusterName: ${MDB_CLUSTER_2_FULL_NAME}
297+
members: 2
298+
- clusterName: ${MDB_CLUSTER_3_FULL_NAME}
299+
members: 3
300+
EOF
301+
302+
The |k8s-op-short| copies the ConfigMap with the |certauth| that you
303+
created in step 2 to each member cluster, generates a
304+
concatenated |pem| secret, and distributes it to the member clusters.
305+
213306
---
214307
stepnum: 0
215308
level: 4
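Review bot: the setting role `:setting:\`spec.opsManagerconfigMapRef.name\`` is missing the dot between `opsManager` and `configMapRef`; the YAML sample below nests `opsManager:` / `configMapRef:` / `name:`, so the role should be `spec.opsManager.configMapRef.name` or it will not resolve. Three smaller points in the same step: the three `helm template ... | kubectl apply` blocks differ only in `--context`, so a single `for` loop over `$MDB_CLUSTER_1_FULL_NAME $MDB_CLUSTER_2_FULL_NAME $MDB_CLUSTER_3_FULL_NAME` would be shorter and harder to mis-edit; the sample sets only `spec.security.tls.ca: custom-ca`, so please confirm in the text whether that alone turns on TLS for the `MongoDBMulti` resource or whether the certificate secret created in step 1 also has to be referenced in the spec; and "a single ClusterIP address per each |k8s| Pod" should read "for each |k8s| Pod".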

source/multi-cluster-quick-start-prerequisites.txt

Lines changed: 11 additions & 0 deletions
@@ -389,3 +389,14 @@ across two |k8s| clusters.
389389

390390
Hello version: v1, instance: helloworld-v1-758dd55874-6x4t8
391391

392+
.. _multi-cluster-tls-prereqs:
393+
394+
Prepare for TLS-Encrypted Connections
395+
-------------------------------------
396+
397+
If you plan to secure your multi-cluster MongoDB deployment using |tls|
398+
encryption, complete the following tasks:
399+
400+
.. include:: /includes/prereqs/custom-ca-prereqs-multi-cluster-rs-tls-only.rst
401+
402+
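Review bot: the new section is worded as if TLS were an optional extra ("If you plan to secure ... complete the following tasks"), but this same commit removes the TLS secret and CA ConfigMap steps from the LDAP and both X.509 procedures, which now rely on these tasks having been done. Say explicitly that the LDAP and X.509 authentication procedures require this section. Minor: the two trailing added blank lines leave whitespace at end of file; one is enough.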
