Issues setting up TLS for MongoDB with cert-manager

Hello,

I’m currently trying to set up TLS for the MongoDB deployment. I want to use cert-manager to issue the certificates.

Cert-manager v1.6.0 was deployed way before I started deploying the MongoDB operator into our Azure Kubernetes cluster. We already serve Let’s Encrypt certificates with it. So, it is working. Further, the CRDs are applied and show up when I list them with:

$ kubectl get crds | grep cert-manager
certificaterequests.cert-manager.io
certificates.cert-manager.io
challenges.acme.cert-manager.io
clusterissuers.cert-manager.io
issuers.cert-manager.io
orders.acme.cert-manager.io

I have the following options set in the deployment file:

  mongod:
    security:
      redactClientLogData: false
      enableEncryption: true

So far so good, but I get an error:

"level":"error",
"ts":1637768579.1549218,
"logger":"controller_psmdb",
"msg":"issue cert with cert-manager",
"error":"create issuer: no matches for kind \"Issuer\" in version \"cert-manager.io/v1alpha2\"",
"stacktrace":
    "github.com/go-logr/zapr.(*zapLogger).Error
        /go/src/github.com/percona/percona-server-mongodb-operator/vendor/github.com/go-logr/zapr/zapr.go:128
    github.com/percona/percona-server-mongodb-operator/pkg/controller/perconaservermongodb.(*ReconcilePerconaServerMongoDB).reconsileSSL
        /go/src/github.com/percona/percona-server-mongodb-operator/pkg/controller/perconaservermongodb/ssl.go:37
    github.com/percona/percona-server-mongodb-operator/pkg/controller/perconaservermongodb.(*ReconcilePerconaServerMongoDB).Reconcile
        /go/src/github.com/percona/percona-server-mongodb-operator/pkg/controller/perconaservermongodb/psmdb_controller.go:296
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
        /go/src/github.com/percona/percona-server-mongodb-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:256
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
        /go/src/github.com/percona/percona-server-mongodb-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:232
    sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
        /go/src/github.com/percona/percona-server-mongodb-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:211
    k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1
        /go/src/github.com/percona/percona-server-mongodb-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:152
    k8s.io/apimachinery/pkg/util/wait.JitterUntil
        /go/src/github.com/percona/percona-server-mongodb-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:153
    k8s.io/apimachinery/pkg/util/wait.Until
        /go/src/github.com/percona/percona-server-mongodb-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"

I checked for permissions using:

$ kubectl --as=system:serviceaccount:mongo-database:percona-psmdb-operator auth can-i get -n mongo-database issuers 
yes

Any idea where the issue lies? Is there an issue that the cert-manager and operator are located in different namespaces?


After a chat with the cert-manager devs I found out that v1alpha2 is no longer available in newer cert-manager versions.

Would you accept a PR which updates the cert creation to use the cert-manager API v1?
I read somewhere that you intend to restructure the whole part.
https://github.com/percona/percona-server-mongodb-operator/blob/main/pkg/controller/perconaservermongodb/ssl.go

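To confirm the diagnosis above on your own cluster, the question to ask is not "may the operator's service account read Issuers" (which the auth can-i check already answered) but "does the API server serve the exact group/version the operator hardcodes". The following is an added example, not code from the thread or from the Percona operator; it parses the output format of kubectl api-versions and checks for an exact group/version match. The SAMPLE_API_VERSIONS text is constructed to look like a cluster whose cert-manager release serves only cert-manager.io/v1.

```shell
#!/bin/sh
# Added example (not from the thread or the Percona operator): check whether the
# cluster serves the API group/version an operator expects, e.g. cert-manager.io/v1alpha2.
#
# api_version_served GROUP/VERSION   <  output of `kubectl api-versions`
# Returns 0 if the exact group/version line is present, 1 otherwise.
api_version_served() {
    wanted="$1"
    while IFS= read -r line; do
        [ "$line" = "$wanted" ] && return 0
    done
    return 1
}

# Constructed sample of `kubectl api-versions` output from a cluster whose
# cert-manager release serves only the v1 API (legacy versions removed).
SAMPLE_API_VERSIONS='acme.cert-manager.io/v1
apps/v1
cert-manager.io/v1
v1'

# check_sample GROUP/VERSION: run the check against the constructed sample,
# print a verdict, and return the check's status (0 = served, 1 = not served).
check_sample() {
    if printf '%s\n' "$SAMPLE_API_VERSIONS" | api_version_served "$1"; then
        echo "$1: served"
        return 0
    fi
    echo "$1: NOT served (a client hardcoded to this version gets 'no matches for kind')"
    return 1
}

# Stand-alone run; the '|| true' keeps the script's exit status clean.
check_sample cert-manager.io/v1alpha2 || true
check_sample cert-manager.io/v1 || true
```

Against a live cluster, pipe the real discovery output through the same function: kubectl api-versions | api_version_served cert-manager.io/v1alpha2. An exit status of 1 reproduces the operator's failure mode: authorization is fine, but the kind simply does not exist at that version, so the fix has to be on the client side (here, the operator moving to cert-manager.io/v1).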

Hello @bstreitz , yeah, seems like updating the APIs would do the trick. @Ege_Gunes what do you think?


After learning more about the configuration and the code I noticed that

  mongod:
    security:
      redactClientLogData: false
      enableEncryption: true

has nothing to do with TLS but with encryption of data at rest. To clarify for those who stumble upon this thread, overall TLS handling is triggered via

spec:
  allowUnsafeConfigurations: false