Skip to main content

PSMDB - A MongoDB alternative for having Encryption At Rest


Encryption is the most popular tool for securing data both in transit and at rest.

- For protecting data in transit, we can configure to use the TLS connection

- For protecting data at rest, we can use Percona Server for MongoDB (PSMDB), an open-source alternative for MongoDB Enterprise.


License

PSMDB Docker images follow the SSPL license. Therefore, it is not a problem when I only have my containers deployed in on-premises environments.

Running MongoDB Replication on OpenShift

I have successfully installed the replication by following the guide Install Percona Server for MongoDB on OpenShift. In order to make it work properly with my needs, I disabled some features from the default deployment. See the detail in this change

Basically, I needed to create a CRD (Custom Resource Definition) to let OpenShift/Kubernetes what PSMDB is. Then, I deployed the Operator pod. Finally, I deployed the PSMDB StatefulSet. I used NFS shares for Persistent Volumes.

Create CRD for PSMDB

2git clone https://github.com/percona/percona-server-mongodb-operator 3cd percona-server-mongodb-operator 4 5# create Custom Resource Definition (CRD) with cluster-admin role 6# This task is needed to executed once 7oc apply -f deploy/crd.yaml

Deploy the Operator pod

2oc new-project psmdb 3 4# Add role-based access control (RBAC) 5oc apply -f deploy/rbac.yaml 6 7# deploy operator pod 8oc apply -f deploy/operator.yaml 9 10# Add secret 11oc create -f deploy/secrets.yaml

Create SealedSecret for local keyfile

(Assumed that SealedSecret is installed and ready for use)

By default, the operator generates a normal Kubernetes secret with the name "my-cluster-name-mongodb-encryption-key". This secret is automatically attached to the MongoDB StatefulSet and persisted as a file through volumes. The operator also handles passing the files to "mongod" command in the container entry point. We can replace the secret in the deployment templates "deploy/cr.yaml". For example:

1 security 2 enableEncryption: true 3 encryptionKeySecret: mongodb-encryption-key 4 encryptionCipherMode: AES256-CBC

Here is an example to create a SealedSecret "mongodb-encryption-key" locally and apply it to the project.
1 $ openssl rand -base64 32 > mongodb-keyfile 2$ cat mongodb-keyfile | kubectl create secret generic mongodb-encryption-key \ 3--dry-run=client --from-file=encryption-key=/dev/stdin \ 4-o yaml > mongodb-encryption-secret.yaml 5$ kubeseal < mongodb-encryption-secret.yaml > mongodb-encryption-sealed-secret.yaml 6$ oc create -f mongodb-encryption-sealed-secret.yaml

Install PSMDB StatefulSet

(Assumed that NFS is installed and ready for use)

Create NFS shares: data-0, data-1, and data-2. Here is a sample command for data-0
1$> ssh someuser@files.example.com.local 2$> sudo mkdir /srv/data/psmdb/mongodb/data-0 3$> sudo chown nfsnobody:0 /srv/data/psmdb/mongodb/data-0 4$> sudo chmod go+w /srv/data/psmdb/mongodb/data-0 5$> sudo chmod g+s /srv/data/psmdb/mongodb/data-0

The directory attributes should look like

drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:31 data-0

drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:30 data-1

drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:31 data-2

Create corresponding Persistent Volumes with NFS shares
1kind: PersistentVolume 2apiVersion: v1 3metadata: 4 name: psmdb-mongodb-data-0 5spec: 6 capacity: 7 storage: 2Gi 8 nfs: 9 server: files.example.com.local 10 path: /srv/data/psmdb/mongodb/data-0 11 accessModes: 12 - ReadWriteOnce 13 persistentVolumeReclaimPolicy: Recycle 14 storageClassName: psmdb 15

Install the PSMDB StatefulSet
1 $> oc apply -f deploy/cr.yaml
Labels:

Comments

Post a Comment

Popular posts from this blog

Styling Sort Icons Using Font Awesome for Primefaces' Data Table

So far, Primefaces has used image sprites for displaying the sort icons. This leads to a problem if we want to make a different style for these icons; for example, I would make the icon "arrow up" more blurry at the first time the table loading because I want to highlight the icon "arrow down". I found a way that I can replace these icons with Font Awesome icons. We will use "CSS Pseudo-classes" to achieve it. The hardest thing here is that we should handle displaying icons in different cases. There is a case both "arrow up" and "arrow down" showing and other case is only one of these icons is shown. .ui-sortable-column-icon.ui-icon.ui-icon-carat-2-n-s { background-image: none; margin-left: 5px; font-size: 1.1666em; position: relative; } .ui-sortable-column-icon.ui-icon.ui-icon-carat-2-n-s:not(.ui-icon-triangle-1-s)::before { content: "\f106"; font-family: "FontAwesome"; position: ...
Post a Comment
Read more

[Snippet] CSS - Child element overlap parent

I searched from somewhere and found that a lot of people says a basic concept for implementing this feature looks like below: HTML code: <div id="parent">  <div id="child">  </div> </div> And, CSS: #parent{   position: relative;   overflow:hidden; } #child{   position: absolute;   top: -1;   right: -1px; } However, I had a lot of grand-parents in my case and the above code didn't work. Therefore, I needed an alternative. I presumed that my app uses Boostrap and AngularJs, maybe some CSS from them affects mine. I didn't know exactly the problem, but I believed when all CSS is loaded into my browser, I could completely handle it. www.tom-collinson.com I tried to create an example to investigated this problem by Fiddle . Accidentally, I just changed: position: parent; to position: static; for one of parents -> the problem is solved. Look at my code: <div class="modal-body dn-placeholder-parent-positi...
Post a Comment
Read more

How to convert time between timezone in Java, Primefaces?

I use the calendar Primefaces component with timeOnly and timeZone attributes for using only hour format (HH:mm). Like this: <p:calendar id="xabsOvertimeTimeFrom" pattern="HH:mm" timeOnly="true" value="#{data.dateFrom}" timeZone="#{data.timeZone}"/> We can convert the value of #{data.dateFrom} from GMT/UTC time zone to local, conversely, from local time zone to GMT/UTC time zone. Here is my functions: package vn.nvanhuong.timezoneconverter; import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.Calendar; import java.util.Date; import java.util.TimeZone; public class TimeZoneConverter { /** * convert a date with hour format (HH:mm) from local time zone to UTC time zone */ public static Date convertHourToUTCTimeZone(Date inputDate) throws ParseException { if(inputDate == null){ return null; } Calendar calendar = Calendar.getInstance(); calendar.setTime(inputDate); int ...
Post a Comment
Read more

Build Dynamic Forms in AngularJS Directives

We wanted to build a dynamic form that has some types of elements such as text field, text area, label, date picker, combobox, file uploader, etc. Beside that, the form is dynamic because basing on the provided configuration data, it should render our expected GUI. We conducted a  research with two options: building our own directives or using a third-party directives. - Approach 1: using a third-party directives  + Google keyword: " build dynamic forms directives + angular third party "  + This idea met our idea: " http://blog.backand.com/build-dynamic-forms/ ", but it's not free to use.  + This 3rd-party was possible:  http://schemaform.io/ Schema form hello world app:  http://plnkr.co/edit/7Oqxxl?p=info - Approach 2: building our own directives We chose this approach because it looks more simple than using "schema form" 3rd-party and we thought that we can confidently handle it. Example:   http://codepen.io/cavoirom/pen/meJBxv?edit...
Post a Comment
Read more

Software Craftsmanship by Sandro Mancuso

Source: http://www.goodreads.com/book/show/18054154-software-craftsmanship My first time to know about the term "Software Craftsmanship" is from Agile Tour Vietnam 2015. I finally read this book written by Sandro Mancuso who I met at this event. Software Craftsmanship is a metaphor for software development: software as a craft and developers as blacksmiths. In other words, Software Craftsmanship is about professionalism in software development. The Software Craftsmanship manifesto: Not only working software, but also well-crafted software : regardless how old the application is, developers can understand it easily; high an reliable test coverage, clear and simple design, business language well expressed in the code. Not only responding to change, but also steadily adding value : constantly improving the structure of the code, keeping it clean, extendable, testable, and easy to maintain; always leave the code cleaner than we found it. Not only individuals and int...
Post a Comment
Read more