Add additional CA certificate for mutual tls (teleport auth)

Did someone successfully added an additionally ca cert to the mongodb cluster?

I want to add the CA certificate from teleport so that connections can be tunneled over teleport:

Step 2: Configure MongoDB → Set up mutual TLS:

Export the Teleport Database Client CA from Teleport, and then add it as an additional trusted CA by concatenating it with your CA’s certificate:

tctl auth export --type=db-client > db-client-ca.crt
cat /path/to/your/ca.crt db-client-ca.crt > /etc/certs/mongo.cas
    mode: requireTLS
    certificateKeyFile: /etc/certs/mongo.crt
    CAFile: /etc/certs/mongo.cas

but not sure how to modify the mongodb perconca cluster to add additional CA certificate?

we have not tried it.

But to add additional CA you can modify <cluster_name>-ssl and <cluster_name>-ssl-internal secret resources.

In both secrets there will ba ca.crt file.

  1. kubectl get <cluster_name>-ssl -o yaml
  2. Copy the ca.crt base64 encoded string and decode it with base64 --decode
  3. Add the needful CA
  4. Encode the new ca.crt into base64
  5. Edit the secret and put the new string there

Do the same for internal secret.

Also have a look at Transport encryption (TLS/SSL) - Percona Operator for MongoDB

It explains how the certificates must be structured.

Note: we have not tested two CAs, so not sure how MongoDB would behave.