TLS implementation for mongo deployment with load balancer enabled

Adithya · September 8, 2021, 5:10am

Hi Team,

As per the Transport Layer Security (TLS) we are trying to enable TLS for mongo deployment in EKS. Have below queries :

If we enable exposeType as loadbalencer do we have to create TLS certificates along with LB dns names ?

    "hosts": [
      "${CLUSTER_NAME}-rs0",
      "${CLUSTER_NAME}-rs0.${NAMESPACE}",
      "${CLUSTER_NAME}-rs0.${NAMESPACE}.svc.cluster.local",
      "*.${CLUSTER_NAME}-rs0",
      "*.${CLUSTER_NAME}-rs0.${NAMESPACE}",
      "*.${CLUSTER_NAME}-rs0.${NAMESPACE}.svc.cluster.local"
<LB1 >
<LB2>
<LB3> 
etc

Can we use same certificates for both internal communication and client communications as i see only localhost is added while generating certitcates.
Will the TLS setup works if the certificates are signed by external CA ? if we try creating certs using cfssl certs says “{“error”:“SSL peer certificate validation failed: self signed certificate in certificate
chain”}}”

mongo "mongodb://aa709a02cc8e2400db71b89cfc0dea5c-1418412487.us-east-2.elb.amazonaws.com:27017/admin?replicaSet=rs0&ssl=true"

connecting to: mongodb://aa709a02cc8e2400db71b89cfc0dea5c-1418412487.us-east-2.elb.amazonaws.com:27017/admin?compressors=disabled&gssapiServiceName=mongodb&replicaSet=rs0&ssl=true
{"t":{"$date":"2021-09-08T05:08:33.042Z"},"s":"E",  "c":"NETWORK",  "id":23256,   "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: self signed certificate in certificate chain"}}

Please suggest.

Regards,
Adithya

Sergey_Pronin · September 9, 2021, 12:03pm

Hello @Adithya ,

in short - yes, you need to create the certificate with LBs.
As you might have seen we have the doc here about it: Transport Layer Security (TLS)

The easiest way would be to have some wildcard domain for Mongo that would be CNAMEd to Load Balancer IP-address or domain.

For example:

You have three nodes in a replica set, they are all exposed through LBs and have some random IPs
You create the domain *.mongo-rs0.mydomain.com
You point this domain to your nodes like node1.mongo-rs0.mydomain.com → aws-lb for node-1 and so on
You add the wildcard domain into Alternative Names section in the certificate:

"hosts": [
      "${CLUSTER_NAME}-rs0",
      "${CLUSTER_NAME}-rs0.${NAMESPACE}",
      "${CLUSTER_NAME}-rs0.${NAMESPACE}.svc.cluster.local",
      "*.${CLUSTER_NAME}-rs0",
      "*.${CLUSTER_NAME}-rs0.${NAMESPACE}",
      "*.${CLUSTER_NAME}-rs0.${NAMESPACE}.svc.cluster.local",
      "*.mongo-rs0.mydomain.com"
]

We will improve our docs to cover this case.

Adithya · September 21, 2021, 5:13pm

Thanks @Sergey_Pronin for the steps provided.

Topic		Replies	Views
exposeType : LoadBalancer queries for percona Mongo k8s operator Percona Operator for MongoDB community , troubleshooting , percona , mongodb , new-release , kubernetes	8	1340	August 10, 2021
Exposed Replicaset doesn't accept TLS cert's generated by Cert Manager (MongoServerSelectionError: self-signed certificate) Percona Operator for MongoDB closed-no-reply	0	1055	July 25, 2023
[solved] Expose mongos with TLS Percona Operator for MongoDB psmdb-operator	1	1399	May 16, 2023
Issues setting up TLS for MongoDB with cert-manager Percona Operator for MongoDB	3	1505	November 29, 2021
Percona MonogDB Cluster Fails when enabling TLS Percona Operator for MongoDB	3	200	June 5, 2024

TLS implementation for mongo deployment with load balancer enabled

Related topics