Skip to main content

PSMDB - A MongoDB alternative for having Encryption At Rest


Encryption is the most popular tool for securing data both in transit and at rest.

- For protecting data in transit, we can configure to use the TLS connection

- For protecting data at rest, we can use Percona Server for MongoDB (PSMDB), an open-source alternative for MongoDB Enterprise.


License

PSMDB Docker images follow the SSPL license. Therefore, it is not a problem when I only have my containers deployed in on-premises environments.

Running MongoDB Replication on OpenShift

I have successfully installed the replication by following the guide Install Percona Server for MongoDB on OpenShift. In order to make it work properly with my needs, I disabled some features from the default deployment. See the detail in this change

Basically, I needed to create a CRD (Custom Resource Definition) to let OpenShift/Kubernetes what PSMDB is. Then, I deployed the Operator pod. Finally, I deployed the PSMDB StatefulSet. I used NFS shares for Persistent Volumes.

Create CRD for PSMDB

2git clone https://github.com/percona/percona-server-mongodb-operator 3cd percona-server-mongodb-operator 4 5# create Custom Resource Definition (CRD) with cluster-admin role 6# This task is needed to executed once 7oc apply -f deploy/crd.yaml

Deploy the Operator pod

2oc new-project psmdb 3 4# Add role-based access control (RBAC) 5oc apply -f deploy/rbac.yaml 6 7# deploy operator pod 8oc apply -f deploy/operator.yaml 9 10# Add secret 11oc create -f deploy/secrets.yaml

Create SealedSecret for local keyfile

(Assumed that SealedSecret is installed and ready for use)

By default, the operator generates a normal Kubernetes secret with the name "my-cluster-name-mongodb-encryption-key". This secret is automatically attached to the MongoDB StatefulSet and persisted as a file through volumes. The operator also handles passing the files to "mongod" command in the container entry point. We can replace the secret in the deployment templates "deploy/cr.yaml". For example:

1 security 2 enableEncryption: true 3 encryptionKeySecret: mongodb-encryption-key 4 encryptionCipherMode: AES256-CBC

Here is an example to create a SealedSecret "mongodb-encryption-key" locally and apply it to the project.
1 $ openssl rand -base64 32 > mongodb-keyfile 2$ cat mongodb-keyfile | kubectl create secret generic mongodb-encryption-key \ 3--dry-run=client --from-file=encryption-key=/dev/stdin \ 4-o yaml > mongodb-encryption-secret.yaml 5$ kubeseal < mongodb-encryption-secret.yaml > mongodb-encryption-sealed-secret.yaml 6$ oc create -f mongodb-encryption-sealed-secret.yaml

Install PSMDB StatefulSet

(Assumed that NFS is installed and ready for use)

Create NFS shares: data-0, data-1, and data-2. Here is a sample command for data-0
1$> ssh someuser@files.example.com.local 2$> sudo mkdir /srv/data/psmdb/mongodb/data-0 3$> sudo chown nfsnobody:0 /srv/data/psmdb/mongodb/data-0 4$> sudo chmod go+w /srv/data/psmdb/mongodb/data-0 5$> sudo chmod g+s /srv/data/psmdb/mongodb/data-0

The directory attributes should look like

drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:31 data-0

drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:30 data-1

drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:31 data-2

Create corresponding Persistent Volumes with NFS shares
1kind: PersistentVolume 2apiVersion: v1 3metadata: 4 name: psmdb-mongodb-data-0 5spec: 6 capacity: 7 storage: 2Gi 8 nfs: 9 server: files.example.com.local 10 path: /srv/data/psmdb/mongodb/data-0 11 accessModes: 12 - ReadWriteOnce 13 persistentVolumeReclaimPolicy: Recycle 14 storageClassName: psmdb 15

Install the PSMDB StatefulSet
1 $> oc apply -f deploy/cr.yaml
Labels:

Comments

Post a Comment

Popular posts from this blog

Set up a web server for learning HTTP headers

Motivation We all follow the client-server model using the HTTP protocol for most of our web apps today. In development, we simply may have a backend API server and a frontend (web pages or mobile apps) only. However, it seemed that a proxy server is always required for production. In fact, most of the hardest issues in production come from integration. The requests and responses might be modified by the proxy server. Therefore, the understanding of HTTP protocol is one of the key skills to resolve those issues. I wanted to dive deep into HTTP with some core concepts such as caching, cookies, and CORS. I didn't intend to go quickly rather than moved slowly to have a well understanding of what I do. Prepare a server The easiest way is to use my laptop as a server then I can just use "localhost". I can also use ngrok to make my web server online. Finally, I use an online tool such as RedBot to check the HTTP headers. To make it more excited though, I deployed the app on A...
Post a Comment
Read more

The power of acceptance test

User Story is the place PO gives his ideas about features so that developers are able to know what requirements are. Acceptance tests are these show the most valuable things of the features represented by some specific cases. Usually PO defines them, but not always. Therefore, refining existing acceptance tests – even defining new ones that cover all features of the User Story must be a worth task. Acceptance test with Given When Then pattern If we understand what we are going to do, we can complete it by 50% I have worked with some members those just start implementing the features one by one and from top to down of the User Story description. Be honest, I am the one used to be. What a risky approach! Because it might meet a case that is very easy to miss requirements or needs to re-work after finding any misunderstood things. I have also worked with some members those accept spending a long time to clarify the User Story. Reading carefully of whole User Story by defining...
Post a Comment
Read more

What the heck is Meteor DDP?

I was using Meteor for my messenger project. I was so curious about the real time connection. I wanted to know how exactly this mechanism works. In this post, I will go through the DDP Specification, an overview of WebSocket, and a simple demo about how to subscribe a publication of Rocket.Chat (containing a DDP server) from an external webpage. At a glance, I knew that Meteor invented a protocol called DDP which uses for handling real time connection. So then, what is DDP? "DDP (Distributed Data Protocol) is the stateful WebSocket protocol that Meteor uses to communicate between the client and the server." [1] All right! Why does DDP matter? "DDP is a standard way to solve the biggest problem facing client-side JavaScript developers: querying a server-side database, sending the results down to the client, and then pushing changes to the client whenever anything changes in the database" . [2] In order to understand deeply the protocol, I decided ...
Post a Comment
Read more

DevOps Toolchain Enhancement

 Historically, our company ubitec had started with a customer project. Agile/Scrum was our proposal for working with customers. Time by time, Agile/Scrum also became our culture for software development. To be successful with this development approach, we somehow needed to have a fast release for customers (i.e. every one week). Back then, we had a build tool Jenkins which was responsible for having sprint release packages for our customers. The build job pipelines contain some steps such as gathering the artifacts, checking the code convention, running the tests, building docker images, and packaging an archived file (a zip file). The set of tools involved in a pipeline is roughly called a toolchain. It is just a part of a bigger process called the DevOps toolchain. Source: https://www.ibm.com/blogs/cloud-archive/2016/11/devops-architecture-available-on-bluemix-garage-method-site/ DevOps is a proven method that fits Agile. Today,  it is even treated as a mandatory factor...
Post a Comment
Read more

Solving your data visualization needs with open source reporting

Most of applications have some types of data visualization needs: - Gather the data. - Perform calculation, sort, group, aggregate, total,.. - Present information professionally. and meeting user demand is crucial to the success of an application. To solve this problem, there are some different approaches: - Buy a closed-source commercial product (for example, Crystal Reports, JReport,..), we must to pay for a lot of features but maybe more of features we don't need. - Build a custom-developed solution, so we need a team to develop our solution but the problem is how much time and money that we need to spend for that. Nowaday, open source creates new choices. Firstly, we can leverage open source in a customer solution by plug-in it to our solution. Secondly, we can build open-source-based products by using open source code. There are many open source reporting tools for use in the enterprise such as BIRT, iReport, JasperReports,... In this post, I wou...
Post a Comment
Read more