Skip to main content

PSMDB - A MongoDB alternative for having Encryption At Rest


Encryption is the most popular tool for securing data both in transit and at rest.

- For protecting data in transit, we can configure to use the TLS connection

- For protecting data at rest, we can use Percona Server for MongoDB (PSMDB), an open-source alternative for MongoDB Enterprise.


License

PSMDB Docker images follow the SSPL license. Therefore, it is not a problem when I only have my containers deployed in on-premises environments.

Running MongoDB Replication on OpenShift

I have successfully installed the replication by following the guide Install Percona Server for MongoDB on OpenShift. In order to make it work properly with my needs, I disabled some features from the default deployment. See the detail in this change

Basically, I needed to create a CRD (Custom Resource Definition) to let OpenShift/Kubernetes what PSMDB is. Then, I deployed the Operator pod. Finally, I deployed the PSMDB StatefulSet. I used NFS shares for Persistent Volumes.

Create CRD for PSMDB

2git clone https://github.com/percona/percona-server-mongodb-operator 3cd percona-server-mongodb-operator 4 5# create Custom Resource Definition (CRD) with cluster-admin role 6# This task is needed to executed once 7oc apply -f deploy/crd.yaml

Deploy the Operator pod

2oc new-project psmdb 3 4# Add role-based access control (RBAC) 5oc apply -f deploy/rbac.yaml 6 7# deploy operator pod 8oc apply -f deploy/operator.yaml 9 10# Add secret 11oc create -f deploy/secrets.yaml

Create SealedSecret for local keyfile

(Assumed that SealedSecret is installed and ready for use)

By default, the operator generates a normal Kubernetes secret with the name "my-cluster-name-mongodb-encryption-key". This secret is automatically attached to the MongoDB StatefulSet and persisted as a file through volumes. The operator also handles passing the files to "mongod" command in the container entry point. We can replace the secret in the deployment templates "deploy/cr.yaml". For example:

1 security 2 enableEncryption: true 3 encryptionKeySecret: mongodb-encryption-key 4 encryptionCipherMode: AES256-CBC

Here is an example to create a SealedSecret "mongodb-encryption-key" locally and apply it to the project.
1 $ openssl rand -base64 32 > mongodb-keyfile 2$ cat mongodb-keyfile | kubectl create secret generic mongodb-encryption-key \ 3--dry-run=client --from-file=encryption-key=/dev/stdin \ 4-o yaml > mongodb-encryption-secret.yaml 5$ kubeseal < mongodb-encryption-secret.yaml > mongodb-encryption-sealed-secret.yaml 6$ oc create -f mongodb-encryption-sealed-secret.yaml

Install PSMDB StatefulSet

(Assumed that NFS is installed and ready for use)

Create NFS shares: data-0, data-1, and data-2. Here is a sample command for data-0
1$> ssh someuser@files.example.com.local 2$> sudo mkdir /srv/data/psmdb/mongodb/data-0 3$> sudo chown nfsnobody:0 /srv/data/psmdb/mongodb/data-0 4$> sudo chmod go+w /srv/data/psmdb/mongodb/data-0 5$> sudo chmod g+s /srv/data/psmdb/mongodb/data-0

The directory attributes should look like

drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:31 data-0

drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:30 data-1

drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:31 data-2

Create corresponding Persistent Volumes with NFS shares
1kind: PersistentVolume 2apiVersion: v1 3metadata: 4 name: psmdb-mongodb-data-0 5spec: 6 capacity: 7 storage: 2Gi 8 nfs: 9 server: files.example.com.local 10 path: /srv/data/psmdb/mongodb/data-0 11 accessModes: 12 - ReadWriteOnce 13 persistentVolumeReclaimPolicy: Recycle 14 storageClassName: psmdb 15

Install the PSMDB StatefulSet
1 $> oc apply -f deploy/cr.yaml
Labels:

Comments

Post a Comment

Popular posts from this blog

Junit - Test fails on French or German string assertion

In my previous post about building a regex to check a text without special characters but allow German and French . I met a problem that the unit test works fine on my machine using Eclipse, but it was fail when running on Jenkins' build job. Here is my test: @Test public void shouldAllowFrenchAndGermanCharacters(){ String source = "ÄäÖöÜüß áÁàÀâÂéÉèÈêÊîÎçÇ"; assertFalse(SpecialCharactersUtils.isExistSpecialCharater(source)); } Production code: public static boolean isExistNotAllowedCharacters(String source){ Pattern regex = Pattern.compile("^[a-zA-Z_0-9_ÄäÖöÜüß áÁàÀâÂéÉèÈêÊîÎçÇ]*$"); Matcher matcher = regex.matcher(source); return !matcher.matches(); } The result likes the following: Failed tests: SpecialCharactersUtilsTest.shouldAllowFrenchAndGermanCharacters:32 null A guy from stackoverflow.com says: "This is probably due to the default encoding used for your Java source files. The ö in the string literal in the J...
5 comments
Read more

Creating a Chatbot with RiveScript in Java

Motivation "Artificial Intelligence (AI) is considered a major innovation that could disrupt many things. Some people even compare it to the Internet. A large investor firm predicted that some AI startups could become the next Apple, Google or Amazon within five years"   - Prof. John Vu, Carnegie Mellon University. Using chatbots to support our daily tasks is super useful and interesting. In fact, "Jenkins CI, Jira Cloud, and Bitbucket" have been becoming must-have apps in Slack of my team these days. There are some existing approaches for chatbots including pattern matching, algorithms, and neutral networks. RiveScript is a scripting language using "pattern matching" as a simple and powerful approach for building up a Chabot. Architecture Actually, it was flexible to choose a programming language for the used Rivescript interpreter like Java, Go, Javascript, Python, and Perl. I went with Java. Used Technologies and Tools Oracle JDK 1.8...
Post a Comment
Read more

AngularJS - Build a custom validation directive for using multiple emails in textarea

AngularJS already supports the built-in validation with text input with type email. Something simple likes the following: <input name="input" ng-model="email.text" required="" type="email" /> <span class="error" ng-show="myForm.input.$error.email"> Not valid email!</span> However, I used a text area and I wanted to enter some email addresses that's saparated by a comma (,). I had a short research and it looked like AngualarJS has not supported this functionality so far. Therefore, I needed to build a custom directive that I could add my own validation functions. My validation was done only on client side, so I used the $validators object. Note that, there is the $asyncValidators object which handles asynchronous validation, such as making an $http request to the backend. This is just my implementation on my project. In order to understand that, I supposed you already had experiences with ...
Post a Comment
Read more

4 Remarkable Notes for JSF Apps Using HTML5

In the previous post , I've already shared with you how my team consults clients by using a HTML prototype. This post is about the used technologies for reusing the provided HTML template and communicating with backend. What is the issue when using HTML elements with Primefaces components? Primefaces is a great extension for developing JSF web apps. However, it is really frustrating in case we have to make it work with an existing HTML template. Why? - Primefaces has its own theme for styling. - Primefaces changes the HTML structure. Therefore, that would be a huge effort to use the Primefaces' components to replicate the elements of the HTML template; especially it is impossible for images drawing by " canvas " tag. That requires us to find a better approach. Since Java EE 7 (introducing JSF 2.2 included), it supports to use HTML5 elements . The idea is that JSF components don't effect the style and HTML structure, so we can easily reuse the provided HTM...
2 comments
Read more

My 2017 Review

Passion for System Design After finishing a one year project, my longest stable team (lasted for 3 years) was separated into two smaller teams. Sadly, but that was a good chance for me to become a key member in my new team. My preferred skills were about system architectures; therefore most of the tasks of building the application structures were handled by me. In order to enhance my design system skills, I have spent much my time for reading books closely after work. These following books help me a lot. - Object-Oriented Thought Process | Matt Weisfeld - Head First Design Pattern  | Elisabeth Freeman and Kathy Sierra - Java 8 in Action: Lambdas, Streams, and Functional-style Programming | Alan Mycroft and Mario Fusco Junior Technical Architect I was requested to join a technical architect team (aka Team. Alpha) where I actually had gained experiences almost on interviewing candidates for my company (lol). Besides, I noticed myself must improve the skills of convinci...
1 comment
Read more