Updated setup_tls.sh script #273

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
1 change: 1 addition & 0 deletions .gitignore
@@ -1,3 +1,4 @@
.idea
*.iml
.DS_Store
tmp
41 changes: 24 additions & 17 deletions tools/multicluster/setup_tls.sh
Expand Up @@ -2,9 +2,21 @@

set -Eeou pipefail

# this is useful for the user to see what is actually executing here
set -x

# This script is intended for demoing and not for general customer usage. This script has no official MongoDB support and is not guaranteed to be maintained.
#
# This script requires having `mkcert` installed for creating a local CA
# This script:
# - requires having "mkcert" (https://github.com/FiloSottile/mkcert) installed for creating a local CA.
# - executes all operation in the current kubectl context
# - installs cert-manager in cert-manager namespace using helm
# - creates issuer CA secret "ca-key-pair" using mkcert's root CA key pair to create ClusterIssuer in cert-manager
# - creates "issuer-ca" config map with the all necessary CA certificates for MongoDB resources
# - creates ClusterIssuer in cert-manager to issue certificates in different namespaces
# - creates Certificate in cert-manager to issue the certificate in the desired namespace. Cert-manager will create a secret in the specified namespace named: "certprefix-${resource}-cert".
# - tries to configure TLS encryption in MongoDBMultiCluster resource
# - It is issued for a wildcard hostname "*.${namespace}.svc.cluster.local" in SAN field, and it's suitable to use in all MongoDB databases and as Ops Manager's server certificate.
# Sample usage:
# ./setup_tls.sh mongodb multi-cluster-replica-set

Expand All @@ -15,22 +27,23 @@ resource="${2:-multi-replica-set}"
helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true

# Setup local CA
echo "Installing root CA using: mkcert -install. Sudo password might be required."
mkcert -install

# Create CA secret in kubernetes
kubectl create secret tls ca-key-pair --cert="$(mkcert --CAROOT)/rootCA.pem" --key="$(mkcert --CAROOT)/rootCA-key.pem" -n "${namespace}"
kubectl create secret tls ca-key-pair --cert="$(mkcert --CAROOT)/rootCA.pem" --key="$(mkcert --CAROOT)/rootCA-key.pem" -n cert-manager || true

# Download mongodb certs and append them to the local CA cert
openssl s_client -showcerts -verify 2 -connect downloads.mongodb.com:443 -servername downloads.mongodb.com </dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}' || true
cat "$(mkcert --CAROOT)/rootCA.pem" cert1.crt cert2.crt cert3.crt cert4.crt >>ca-chain.crt
openssl s_client -showcerts -verify 2 -connect downloads.mongodb.com:443 -servername downloads.mongodb.com </dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}'
cat "$(mkcert --CAROOT)/rootCA.pem" cert1.crt cert2.crt cert3.crt cert4.crt >ca-chain.crt

# Create CA certificates config map from certificate chain
kubectl create configmap issuer-ca --from-file=mms-ca.crt=ca-chain.crt --from-file=ca-pem=ca-chain.crt -n "${namespace}"

# Crete Issuer for certs
# Create ClusterIssuer for certs
cat <<EOF | kubectl -n "${namespace}" apply -f -
apiVersion: cert-manager.io/v1
kind: Issuer
kind: ClusterIssuer
metadata:
name: mongodb-ca-issuer
spec:
Expand All @@ -46,18 +59,10 @@ metadata:
name: clustercert-${resource}-cert
spec:
dnsNames:
- ${resource}-svc.mongodb.svc.cluster.local
- ${resource}-0-0-svc.mongodb.svc.cluster.local
- ${resource}-0-1-svc.mongodb.svc.cluster.local
- ${resource}-0-2-svc.mongodb.svc.cluster.local
- ${resource}-1-0-svc.mongodb.svc.cluster.local
- ${resource}-1-1-svc.mongodb.svc.cluster.local
- ${resource}-2-0-svc.mongodb.svc.cluster.local
- ${resource}-2-1-svc.mongodb.svc.cluster.local
- ${resource}-2-2-svc.mongodb.svc.cluster.local
- "*.${namespace}.svc.cluster.local"
duration: 240h0m0s
issuerRef:
kind: Issuer
kind: ClusterIssuer
name: mongodb-ca-issuer
renewBefore: 120h0m0s
secretName: clustercert-${resource}-cert
Expand All @@ -80,4 +85,6 @@ spec:
EOF

# Enable TLS for custom resource
kubectl -n "${namespace}" patch mdbm "${resource}" --type=json -p='[{"op": "add", "path": "/spec/security", "value": {"certsSecretPrefix": "clustercert", "tls": {"ca": "issuer-ca"}}}]'
kubectl -n "${namespace}" patch mdbm "${resource}" --type=json -p='[{"op": "add", "path": "/spec/security", "value": {"certsSecretPrefix": "clustercert", "tls": {"ca": "issuer-ca"}}}]' || {
echo "Couldn't enable TLS in MongoDBMultiCluster resource ${resource}"
}
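Review bot: Dropping `|| true` from the `openssl s_client` line does not make a failed chain verification abort the script, because `s_client` with `-verify 2` only sets the verification depth and still exits 0 when verification fails; whatever chain the peer presents is then appended to `ca-chain.crt` and shipped into the `issuer-ca` config map as trusted CA material. Add `-verify_return_error` so a verification failure terminates the handshake (and, under `set -Eeou pipefail`, the script): `openssl s_client -showcerts -verify 2 -verify_return_error -connect downloads.mongodb.com:443 -servername downloads.mongodb.com </dev/null | awk '…'`. The following `cat … cert1.crt cert2.crt cert3.crt cert4.crt` also hard-codes a four-certificate chain, so a longer or shorter chain either aborts on a missing file or silently drops a certificate; writing the split files into a `mktemp -d` directory and concatenating `"$dir"/cert*.crt` avoids both, and also stops stale `cert*.crt` files in the working directory from leaking into the bundle. Separately, the new `|| true` on the `ca-key-pair` secret creation in `cert-manager` masks an existing secret holding a different key, in which case the ClusterIssuer would sign with a CA that the locally installed mkcert root does not match; a comment such as `# best-effort: secret may already exist from a previous run — a stale key pair here will not match the local mkcert root` would at least make that trade-off explicit. Note too that this script copies the mkcert root CA private key, which `mkcert -install` has just made trusted by the host's trust store, into cluster secrets in two namespaces; given the demo-only caveat at the top that is acceptable, but the header should say so in one line so nobody runs it against a machine whose trust store matters.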