
How to enable encryption

This guide will show how to enable TLS using the self-signed-certificates operator as an example.

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the TLS certificates charms available.

Enable and disable TLS in a replica set

Enable TLS

Deploy the TLS charm:

juju deploy self-signed-certificates

To enable TLS, integrate (formerly known as “relate”) the two applications:

juju integrate self-signed-certificates mongodb

Your replica set now has encryption enabled via TLS.

Disable TLS

To disable TLS, just remove the integration:

juju remove-relation mongodb self-signed-certificates

Enable and disable TLS in a sharded cluster

Enabling encryption via TLS in a sharded cluster can be done before or after shards are added to the config-server.

However, it requires that:

  1. All cluster components have encryption enabled.
  2. All cluster components are integrated with the same Certificate Authority.

Enable TLS

Deploy the TLS charm:

juju deploy self-signed-certificates --config ca-common-name="Example CA"

Integrate your Certificate Authority into all cluster components. In a cluster with two shards and a config-server this would be done as follows:

juju integrate config-server self-signed-certificates
juju integrate shard-one self-signed-certificates
juju integrate shard-two self-signed-certificates

Your sharded cluster now has encryption enabled via TLS.

Disable TLS

To disable TLS, just remove the integrations:

juju remove-relation config-server self-signed-certificates
juju remove-relation shard-one self-signed-certificates
juju remove-relation shard-two self-signed-certificates

Rotate private keys

Updates to the internal and external private keys used for certificate signing requests (CSRs) can be made via the set-tls-private-key action. To update all keys, you must run the set-tls-private-key action on all Charmed MongoDB units in your replica set or sharded cluster.

Rotate with a manually generated key

To rotate your private keys, first generate new keys:

openssl genrsa -out internal-key.pem 3072
openssl genrsa -out external-key.pem 3072

Then, apply the new external key to the leader of your replica set or config-server.

Note: Encode keys for juju with base64 -w0 (the -w0 disables line wrapping, so each key is passed as a single line); do not pass the raw PEM file with cat.

juju run <application-name>/leader set-tls-private-key \
  "internal-key=$(base64 -w0 internal-key.pem)" "external-key=$(base64 -w0 external-key.pem)"
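The rotation procedure above, wrapped in a script as an added example (not from the Charmed MongoDB guide or the charm itself): it generates the two keys, checks that each file really is a PEM private key, encodes it on a single line, and runs the action on every unit you name. The application name, the unit names and the JUJU dry-run variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Charmed MongoDB guide: rotate the TLS private
# keys on every unit the guide tells you to run set-tls-private-key against.
# Assumptions: juju and openssl are in PATH; the application name and unit
# names (e.g. mongodb mongodb/0 mongodb/1) are supplied by the caller.
set -eu

# Generate fresh 3072-bit RSA keys into a directory, as the guide does.
generate_keys() {
    openssl genrsa -out "$1/internal-key.pem" 3072
    openssl genrsa -out "$1/external-key.pem" 3072
}

# Refuse anything that is not a PEM private key before it reaches juju.
check_pem_key() {
    grep -q -e '^-----BEGIN .*PRIVATE KEY-----$' "$1"
}

# base64 -w0 emits the key as one line with no wrapping, which is what the
# guide requires; the tr fallback does the same on a base64 that lacks -w.
encode_key() {
    base64 -w0 "$1" 2>/dev/null || base64 "$1" | tr -d '\n'
}

# Run set-tls-private-key on each unit with the same internal/external keys.
# Set JUJU=echo to print the commands instead of running them (dry run).
rotate_keys() {
    app=$1 internal=$2 external=$3
    shift 3
    check_pem_key "$internal" && check_pem_key "$external" || return 1
    int_b64=$(encode_key "$internal")
    ext_b64=$(encode_key "$external")
    for unit in "$@"; do
        # Guard against pushing one application's keys to another's units.
        case "$unit" in
            "$app"/*) ;;
            *) echo "unit $unit does not belong to $app" >&2; return 1 ;;
        esac
        "${JUJU:-juju}" run "$unit" set-tls-private-key \
            "internal-key=$int_b64" "external-key=$ext_b64"
    done
}

# Usage: generate_keys /tmp/keys && rotate_keys mongodb /tmp/keys/internal-key.pem \
#            /tmp/keys/external-key.pem mongodb/0 mongodb/1 mongodb/2
```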

Rotate with an autogenerated key

The keys can be auto-generated and set as follows:

juju run <application-name>/leader set-tls-private-key

Last updated 8 months ago. Help improve this document in the forum.