
Commit 82bbcf7

(DOCSP-12132): concatenate download.mongodb.com + custom ca certs (#379)
* (DOCSP-12132): concatenate download.mongodb.com + custom ca certs
* (DOCSP-12132): copy review feedback
1 parent 10e190a commit 82bbcf7

5 files changed

+86
-16
lines changed

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
.. warning::
2+
3+
You must concatenate your custom |certauth| file and the entire
4+
|tls| certificate chain from ``downloads.mongodb.com`` to prevent
5+
|onprem| from becoming inoperable if the application database
6+
restarts.
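Review bot: the warning states the consequence (|onprem| becoming inoperable after an application database restart) but not the cause, so a reader cannot tell why the chain for ``downloads.mongodb.com`` belongs in a file that otherwise holds their own CA; one sentence on why that host's chain is needed (what |onprem| contacts there and which trust store it uses for that connection) would make the instruction self-explaining rather than something to follow on faith. Note also that the commit message says ``download.mongodb.com`` while this text says ``downloads.mongodb.com``; the latter matches the ``openssl`` command used later in the diff.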

source/includes/options-k8s-shared.yaml

Lines changed: 1 addition & 1 deletion
@@ -523,7 +523,7 @@ type: string
523523
directive: setting
524524
optional: true
525525
description: |
526-
Provide the name of the |k8s-secret| that store the |certauth|.
526+
Provide the name of the |k8s-secret| that stores the |certauth|.
527527
---
528528
program: _shared
529529
name: spec.security.authentication

source/includes/steps-deploy-k8s-opsmgr-https.yaml

Lines changed: 39 additions & 8 deletions
@@ -41,20 +41,51 @@ stepnum: 4
4141
ref: validate-tls-cert
4242
content: |
4343
44-
If your |tls| certificate is signed by a Custom Certificate
45-
Authority, you must provide a :abbr:`CA (Certificate Authority)`
46-
certificate to validate the |tls| certificate. To validate the
47-
|tls| certificate, create a |k8s-configmap| to hold the
48-
:abbr:`CA (Certificate Authority)` certificate:
44+
If your |tls| certificate is signed by a Custom Certificate
45+
Authority, you must provide a :abbr:`CA (Certificate Authority)`
46+
certificate to validate the |tls| certificate. To validate the
47+
|tls| certificate, create a |k8s-configmap| to hold the
48+
:abbr:`CA (Certificate Authority)` certificate:
4949
50-
.. code-block:: sh
50+
.. warning::
5151
52-
kubectl create configmap om-http-cert-ca --from-file="mms-ca.crt"
52+
You must concatenate your custom |certauth| file and the entire
53+
|tls| certificate chain from ``downloads.mongodb.com`` to prevent
54+
|onprem| from becoming inoperable if the application database
55+
restarts.
5356
54-
.. important::
57+
.. important::
5558
5659
The |k8s-op-short| requires that the certificate is named
5760
``mms-ca.crt`` in the ConfigMap.
61+
62+
a. Obtain the entire |tls| certificate chain from
63+
``downloads.mongodb.com``. The following ``openssl`` command
64+
outputs each certificate in the chain to your current working
65+
directory, in ``.crt`` format:
66+
67+
.. using path to openssl to preempt macOS libressl issues
68+
69+
.. code-block:: sh
70+
71+
/usr/local/opt/openssl/bin/openssl s_client -showcerts -verify 2 \
72+
-connect downloads.mongodb.com:443 < /dev/null \
73+
| awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}'
74+
75+
#. Concatenate your |certauth|\'s certificate file with the
76+
entire |tls| certificate chain from ``downloads.mongodb.com`` that
77+
you obtained in the previous step:
78+
79+
.. code-block:: sh
80+
81+
cat cert1.crt cert2.crt cert3.crt cert4.crt >> ca-pem
82+
83+
#. Create the |k8s-configmap|:
84+
85+
.. code-block:: sh
86+
87+
kubectl create configmap om-http-cert-ca --from-file="mms-ca.crt"
88+
5889
---
5990
title: "Copy the following example |onprem| |k8s| |k8s-obj|."
6091
stepnum: 5
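Review bot: the file names in the new steps do not line up with the ConfigMap command they feed. Step b writes the concatenated bundle to ``ca-pem`` (``cat cert1.crt cert2.crt cert3.crt cert4.crt >> ca-pem``), but step c still runs ``kubectl create configmap om-http-cert-ca --from-file="mms-ca.crt"`` and the important box above says the entry must be named ``mms-ca.crt``, so a reader following the steps literally creates a ConfigMap that does not contain the concatenated chain at all. Either write the bundle to ``mms-ca.crt`` or use ``--from-file=mms-ca.crt=ca-pem``. Two smaller points on the same steps: the ``cat`` line never names the custom CA file and relies on ``>>`` appending to an existing ``ca-pem`` that this file never tells the reader to create, and it hard-codes four chain files although the awk script numbers its output ``cert1.crt`` upward for however many certificates the server sends, so ``cat cert*.crt`` (or an explicit instruction to check how many files were produced) would be more robust. Finally, ``/usr/local/opt/openssl/bin/openssl`` is a Homebrew-specific path; the rst comment explains why it is used, but the rendered text should say so, since readers on Linux will not have it and should run ``openssl`` from their PATH.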

source/includes/steps-source-deploy-om-resource.yaml

Lines changed: 32 additions & 6 deletions
@@ -38,27 +38,53 @@ title: "Create a ConfigMap containing the Certificate Authority."
3838
optional: true
3939
content: |
4040
41-
You need to provide a |certauth| certificate when the |certauth| that
41+
You must provide a |certauth| certificate when the |certauth| that
4242
signed the certificates might be not "recognized" as an official
4343
authority. Recognized and valid certificates can be created with
4444
`cert-manager <https://cert-manager.io/docs/>`__ or `HashiCorp Vault
4545
<https://www.vaultproject.io/>`__.
4646
47-
If you signed the certificates using a |k8s| certicate management
47+
If you signed the certificates using a |k8s| certificate management
4848
tool like `cert-manager <https://cert-manager.io/docs/>`__ or
4949
`HashiCorp Vault <https://www.vaultproject.io/>`__, you must create a
5050
|k8s-configmap| containing the |certauth|\'s certificate file.
5151
5252
If you output the certificate as a file, name this file ``ca-pem``.
5353
This simplifies creating the |k8s-configmap|.
5454
55-
.. code-block:: sh
55+
.. include:: /includes/admonitions/warning-concatenate-download-certs.rst
56+
57+
a. Obtain the entire |tls| certificate chain from
58+
``downloads.mongodb.com``. The following ``openssl`` command
59+
outputs each certificate in the chain to your current working
60+
directory, in ``.crt`` format:
61+
62+
.. using path to openssl to preempt macOS libressl issues
63+
64+
.. code-block:: sh
65+
66+
/usr/local/opt/openssl/bin/openssl s_client -showcerts -verify 2 \
67+
-connect downloads.mongodb.com:443 < /dev/null \
68+
| awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}'
69+
70+
#. Concatenate your |certauth|\'s certificate file with the
71+
entire |tls| certificate chain from ``downloads.mongodb.com`` that
72+
you obtained in the previous step:
73+
74+
.. code-block:: sh
75+
76+
cat cert1.crt cert2.crt cert3.crt cert4.crt >> ca-pem
77+
78+
#. Create the |k8s-configmap|:
79+
80+
.. code-block:: sh
5681
57-
kubectl create configmap appdb-ca --from-file=ca-pem
82+
kubectl create configmap ca --from-file="ca-pem"
5883
59-
This creates a |k8s-configmap| named ``appdb-ca``. This
84+
This creates a |k8s-configmap| named ``ca``. This
6085
|k8s-configmap| contains one entry called ``ca-pem`` with the
61-
contents of the |certauth| file.
86+
contents of the |certauth| file and the certificate chain for
87+
``downloads.mongodb.com``.
6288
6389
---
6490
stepnum: 0
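Review bot: the ConfigMap is renamed from ``appdb-ca`` to ``ca`` in this hunk (``kubectl create configmap ca --from-file="ca-pem"``) without the commit message saying why; please check that every example resource or page that refers to ``appdb-ca`` as the application database CA ConfigMap was updated as well, since none of the other four files in this commit touch that name. The same robustness concern applies here as in the Ops Manager HTTPS steps: ``cat cert1.crt cert2.crt cert3.crt cert4.crt >> ca-pem`` assumes exactly four chain certificates and that ``ca-pem`` already holds the custom CA (the paragraph above does ask for that file name, so ``>>`` works in this file, but ``cat cert*.crt >> ca-pem`` would not break when the chain length changes). Minor style point in the unchanged context: ``might be not "recognized"`` should read ``might not be "recognized"``.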

source/reference/k8s-operator-om-specification.txt

Lines changed: 8 additions & 1 deletion
@@ -200,6 +200,8 @@ Optional |onprem| Resource Settings
200200
- |onprem| uses to communicate with the application database replica
201201
set.
202202

203+
.. include:: /includes/admonitions/warning-concatenate-download-certs.rst
204+
203205
.. opsmgrkube:: spec.applicationDatabase.security.tls.secretRef.name
204206

205207
*Type*: string
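Review bot: the included warning speaks of a |certauth| "file", but the setting documented at this point (the one just above ``spec.applicationDatabase.security.tls.secretRef.name``) is a ConfigMap reference; for symmetry with the ``mms-ca.crt`` naming note this commit adds further down for ``spec.security.tls.ca``, consider stating here which ConfigMap entry name the operator expects for the application database CA (the deploy steps in this commit use ``ca-pem``), so readers of the reference page know which key the concatenated bundle must land in.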
@@ -833,11 +835,16 @@ Optional |onprem| Resource Settings
833835
:opsmgrkube:`spec.security.tls.ca` is required if you use a Custom
834836
Certificate Authority to sign your |onprem| |tls| certificates.
835837

838+
The |k8s-op-short| requires that the certificate is named
839+
``mms-ca.crt`` in the ConfigMap.
840+
836841
This |certauth| signs the certificates that:
837842

838843
- clients use to connect to the |application|, and
839844
- agents in the application database |k8s-pods| use to communicate
840-
with |onprem|.
845+
with |onprem|.
846+
847+
.. include:: /includes/admonitions/warning-concatenate-download-certs.rst
841848

842849
.. opsmgrkube:: spec.security.tls.secretRef.name
843850

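Review bot: "requires that the certificate is named ``mms-ca.crt`` in the ConfigMap" (lines 838-839) is imprecise: what must be named ``mms-ca.crt`` is the ConfigMap entry holding the (now concatenated) CA bundle, not a certificate, so "requires that the ConfigMap entry is named ``mms-ca.crt``" would match the warning that follows it. Also, lines 840 and 845 show identical text (``with |onprem|.``), so that pair is a whitespace-only change; confirm the indentation change is intentional for the bullet continuation and not an accidental reflow that would break the list in the rendered output.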