MongoDB Operator: corporate ACME for public SSL cert, self-signed for internal SSL

Description:

I'm creating a PSMDB.
I wanted to leverage cert-manager's corporate ACME to get a valid public PKI.

Steps to Reproduce:

Define Certificate for public cert

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mongodb-instance-public-tls
spec:
  issuerRef:
    name: intranet-ca
    kind: ClusterIssuer
  #secretName: psm-db-psmdb-db-ssl # Secret name must be (my-cluster-name-ssl)
  secretName: mongodb-instance-public-tls

  # one alternate name per LoadBalancer service
  dnsNames:
  - rs0-0-xxx
  - rs0-1-xxx
  - rs0-2-xxx

Define Certificate for private cert

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: manual-psm-db-psmdb-db-ssl-internal
spec:
  commonName: psm-db-psmdb-db-rs0
  dnsNames:
  - localhost
  # adding internal alt names (ACME compatible?)
  - psm-db-psmdb-db-rs0
  - psm-db-psmdb-db-rs0.${namespace}
  - psm-db-psmdb-db-rs0.${namespace}.svc.cluster.local
  - "*.psm-db-psmdb-db-rs0"
  - "*.psm-db-psmdb-db-rs0.${namespace}"
  - "*.psm-db-psmdb-db-rs0.${namespace}.svc.cluster.local"

  - psm-db-psmdb-db-mongos
  - psm-db-psmdb-db-mongos.${namespace}
  - psm-db-psmdb-db-mongos.${namespace}.svc.cluster.local
  - '*.psm-db-psmdb-db-mongos'
  - '*.psm-db-psmdb-db-mongos.${namespace}'
  - '*.psm-db-psmdb-db-mongos.${namespace}.svc.cluster.local'

  - psm-db-psmdb-db-cfg
  - psm-db-psmdb-db-cfg.${namespace}
  - psm-db-psmdb-db-cfg.${namespace}.svc.cluster.local
  - '*.psm-db-psmdb-db-cfg'
  - '*.psm-db-psmdb-db-cfg.${namespace}'
  - '*.psm-db-psmdb-db-cfg.${namespace}.svc.cluster.local'
  - psm-db-psmdb-db-mongos.${namespace}.svc.clusterset.local
  - '*.psm-db-psmdb-db-mongos.${namespace}.svc.clusterset.local'
  - psm-db-psmdb-db-cfg.${namespace}.svc.clusterset.local
  - '*.psm-db-psmdb-db-cfg.${namespace}.svc.clusterset.local'
  duration: 2160h0m0s
  issuerRef:
    kind: Issuer
    name: manual-psm-db-psmdb-db-psmdb-issuer
  secretName: manual-psm-db-psmdb-db-ssl-internal
  subject:
    organizations:
    - PSMDB

Set up the generated Secrets in the PSMDB

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: psm-db
spec:
  values:
...
    tls:
      # https://docs.percona.com/percona-operator-for-mongodb/TLS.html
      mode: preferTLS # turns on TLS for internal communication, and allows both TLS and non-TLS external traffic
      #mode: requireTLS # enforces the use of TLS encrypted connections only
      allowInvalidCertificates: true # If true, the mongo shell will not attempt to validate the server certificates. Should be true (default variant) to use self-signed certificates generated by the Operator when there is no cert-manager.

    secrets:
      ssl: mongodb-instance-public-tls-with-ca # A secret with the TLS certificate generated for external communications + tls.ca
      sslInternal: internal-cert-with-ca # same as manual-psm-db-psmdb-db-ssl-internal + tls.ca

Version:

operator 1.19.1

Logs:


Expected Result:

I'd expect the internal cert to be used for internal traffic.
I don't expect my public cert to be used for internal traffic.

Actual Result:

It seems the public TLS cert is used for internal traffic, forcing me to add alternate SANs to my public cert (which is not possible with corporate ACME).

MongoDB pod failure log:

mongod {"t":{"$date":"2025-03-21T13:47:21.897+00:00"},"s":"W",  "c":"NETWORK",  "id":23238,   "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"The server certificate does not match the remote host name","attr":{"remoteHost":"psm-db-psmdb-db-rs0-0.psm-db-psmdb-db-rs0.mongodbaas-xplane-662b4aad-d123-4014-939e-b298f51b6b98.svc.cluster.local","certificateNames":"SAN(s): rs0-0-662b4aad-d123-4014-939e-b298f51b6b98.xxxxx, rs0-1-662b4aad-d123-4014-939e-b298f51b6b98.xxxxxx, rs0-2-662b4aad-d123-4014-939e-b298f51b6b98.xxxxxxx, CN: rs0-0-662b4aad-d123-4014-939e-b298f51b6b98.xxxxxxx"}}
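As an added pre-deployment check (not code from this report or from the operator), the script below compares a certificate's dNSName SANs against the pod FQDNs that the operator's headless replica-set service produces, applying the single-label wildcard rule a TLS client uses for hostname verification; a cert carrying only LoadBalancer names, like the public one in the log above, leaves every internal host uncovered, while the wildcard entries of the internal cert cover all members. The cluster name, namespace and public hostnames below are constructed placeholders.

```python
# Added example (not part of the original report): report which internal pod
# hostnames a certificate's SAN list fails to cover. Sample values are constructed.

def san_matches_host(san: str, host: str) -> bool:
    """One dNSName SAN entry against one hostname, RFC 6125 style:
    case-insensitive exact match, or a wildcard that is the entire leftmost
    label and stands in for exactly one non-empty label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    s_labels, h_labels = san.split("."), host.split(".")
    if s_labels[0] != "*" or any("*" in lbl for lbl in s_labels[1:]):
        return False  # wildcard is accepted only as the whole leftmost label
    return (len(s_labels) == len(h_labels)
            and h_labels[0] != ""
            and s_labels[1:] == h_labels[1:])


def uncovered_hosts(hosts, sans):
    """Hostnames that no SAN entry matches; an empty list means the cert is usable."""
    return [h for h in hosts if not any(san_matches_host(s, h) for s in sans)]


def internal_hostnames(cluster: str, namespace: str, rs: str = "rs0", members: int = 3):
    """Pod FQDNs members use for each other: <pod>.<headless svc>.<ns>.svc.cluster.local"""
    return [f"{cluster}-{rs}-{i}.{cluster}-{rs}.{namespace}.svc.cluster.local"
            for i in range(members)]


# Constructed sample data: the public (ACME) cert names only the LoadBalancer
# hostnames; the internal cert carries the operator-style wildcard SANs.
CLUSTER, NAMESPACE = "psm-db-psmdb-db", "example-ns"
PUBLIC_SANS = [f"rs0-{i}-example.corp.example" for i in range(3)]
INTERNAL_SANS = [
    "localhost",
    f"{CLUSTER}-rs0.{NAMESPACE}.svc.cluster.local",
    f"*.{CLUSTER}-rs0.{NAMESPACE}.svc.cluster.local",
]

if __name__ == "__main__":
    hosts = internal_hostnames(CLUSTER, NAMESPACE)
    for label, sans in (("public", PUBLIC_SANS), ("internal", INTERNAL_SANS)):
        missing = uncovered_hosts(hosts, sans)
        print(f"{label} cert: {len(missing)} of {len(hosts)} internal hosts uncovered")
        for h in missing:
            print("  ", h)  # each would raise 'does not match the remote host name'
```

Feeding the real SAN list (for example from openssl x509 -noout -ext subjectAltName on the secret's tls.crt) into uncovered_hosts shows before rollout whether a given secret can serve the sslInternal role.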

Additional Information:
