Encryption is the most popular tool for securing data both in transit and at rest.
- For protecting data in transit, we can configure to use the TLS connection
- For protecting data at rest, we can use Percona Server for MongoDB (PSMDB), an open-source alternative for MongoDB Enterprise.
License
PSMDB Docker images follow the SSPL license. Therefore, it is not a problem when I only have my containers deployed in on-premises environments.
Running MongoDB Replication on OpenShift
I have successfully installed the replication by following the guide Install Percona Server for MongoDB on OpenShift. In order to make it work properly with my needs, I disabled some features from the default deployment. See the detail in this change
Basically, I needed to create a CRD (Custom Resource Definition) to let OpenShift/Kubernetes what PSMDB is. Then, I deployed the Operator pod. Finally, I deployed the PSMDB StatefulSet. I used NFS shares for Persistent Volumes.
Create CRD for PSMDB
2git clone https://github.com/percona/percona-server-mongodb-operator
3cd percona-server-mongodb-operator
4
5# create Custom Resource Definition (CRD) with cluster-admin role
6# This task is needed to executed once
7oc apply -f deploy/crd.yamlDeploy the Operator pod
2oc new-project psmdb
3
4# Add role-based access control (RBAC)
5oc apply -f deploy/rbac.yaml
6
7# deploy operator pod
8oc apply -f deploy/operator.yaml
9
10# Add secret
11oc create -f deploy/secrets.yaml
Create SealedSecret for local keyfile
(Assumed that SealedSecret is installed and ready for use)
By default, the operator generates a normal Kubernetes secret with the name "my-cluster-name-mongodb-encryption-key". This secret is automatically attached to the MongoDB StatefulSet and persisted as a file through volumes. The operator also handles passing the files to "mongod" command in the container entry point. We can replace the secret in the deployment templates "deploy/cr.yaml". For example:
1 security
2 enableEncryption: true
3 encryptionKeySecret: mongodb-encryption-key
4 encryptionCipherMode: AES256-CBC
Here is an example to create a SealedSecret "mongodb-encryption-key" locally and apply it to the project.
1 $ openssl rand -base64 32 > mongodb-keyfile
2$ cat mongodb-keyfile | kubectl create secret generic mongodb-encryption-key \
3--dry-run=client --from-file=encryption-key=/dev/stdin \
4-o yaml > mongodb-encryption-secret.yaml
5$ kubeseal < mongodb-encryption-secret.yaml > mongodb-encryption-sealed-secret.yaml
6$ oc create -f mongodb-encryption-sealed-secret.yaml
Install PSMDB StatefulSet
(Assumed that NFS is installed and ready for use)
Create NFS shares: data-0, data-1, and data-2. Here is a sample command for data-0
1$> ssh someuser@files.example.com.local
2$> sudo mkdir /srv/data/psmdb/mongodb/data-0
3$> sudo chown nfsnobody:0 /srv/data/psmdb/mongodb/data-0
4$> sudo chmod go+w /srv/data/psmdb/mongodb/data-0
5$> sudo chmod g+s /srv/data/psmdb/mongodb/data-0The directory attributes should look like
drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:31 data-0
drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:30 data-1
drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:31 data-2
Create corresponding Persistent Volumes with NFS shares
1kind: PersistentVolume
2apiVersion: v1
3metadata:
4 name: psmdb-mongodb-data-0
5spec:
6 capacity:
7 storage: 2Gi
8 nfs:
9 server: files.example.com.local
10 path: /srv/data/psmdb/mongodb/data-0
11 accessModes:
12 - ReadWriteOnce
13 persistentVolumeReclaimPolicy: Recycle
14 storageClassName: psmdb
15
Install the PSMDB StatefulSet
1 $> oc apply -f deploy/cr.yaml
Comments
Post a Comment