Skip to main content

PSMDB - A MongoDB alternative for having Encryption At Rest


Encryption is the most popular tool for securing data both in transit and at rest.

- For protecting data in transit, we can configure to use the TLS connection

- For protecting data at rest, we can use Percona Server for MongoDB (PSMDB), an open-source alternative for MongoDB Enterprise.


License

PSMDB Docker images follow the SSPL license. Therefore, it is not a problem when I only have my containers deployed in on-premises environments.

Running MongoDB Replication on OpenShift

I have successfully installed the replication by following the guide Install Percona Server for MongoDB on OpenShift. In order to make it work properly with my needs, I disabled some features from the default deployment. See the detail in this change

Basically, I needed to create a CRD (Custom Resource Definition) to let OpenShift/Kubernetes what PSMDB is. Then, I deployed the Operator pod. Finally, I deployed the PSMDB StatefulSet. I used NFS shares for Persistent Volumes.

Create CRD for PSMDB

2git clone https://github.com/percona/percona-server-mongodb-operator 3cd percona-server-mongodb-operator 4 5# create Custom Resource Definition (CRD) with cluster-admin role 6# This task is needed to executed once 7oc apply -f deploy/crd.yaml

Deploy the Operator pod

2oc new-project psmdb 3 4# Add role-based access control (RBAC) 5oc apply -f deploy/rbac.yaml 6 7# deploy operator pod 8oc apply -f deploy/operator.yaml 9 10# Add secret 11oc create -f deploy/secrets.yaml

Create SealedSecret for local keyfile

(Assumed that SealedSecret is installed and ready for use)

By default, the operator generates a normal Kubernetes secret with the name "my-cluster-name-mongodb-encryption-key". This secret is automatically attached to the MongoDB StatefulSet and persisted as a file through volumes. The operator also handles passing the files to "mongod" command in the container entry point. We can replace the secret in the deployment templates "deploy/cr.yaml". For example:

1 security 2 enableEncryption: true 3 encryptionKeySecret: mongodb-encryption-key 4 encryptionCipherMode: AES256-CBC

Here is an example to create a SealedSecret "mongodb-encryption-key" locally and apply it to the project.
1 $ openssl rand -base64 32 > mongodb-keyfile 2$ cat mongodb-keyfile | kubectl create secret generic mongodb-encryption-key \ 3--dry-run=client --from-file=encryption-key=/dev/stdin \ 4-o yaml > mongodb-encryption-secret.yaml 5$ kubeseal < mongodb-encryption-secret.yaml > mongodb-encryption-sealed-secret.yaml 6$ oc create -f mongodb-encryption-sealed-secret.yaml

Install PSMDB StatefulSet

(Assumed that NFS is installed and ready for use)

Create NFS shares: data-0, data-1, and data-2. Here is a sample command for data-0
1$> ssh someuser@files.example.com.local 2$> sudo mkdir /srv/data/psmdb/mongodb/data-0 3$> sudo chown nfsnobody:0 /srv/data/psmdb/mongodb/data-0 4$> sudo chmod go+w /srv/data/psmdb/mongodb/data-0 5$> sudo chmod g+s /srv/data/psmdb/mongodb/data-0

The directory attributes should look like

drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:31 data-0

drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:30 data-1

drwxrwsrwx. 5 nfsnobody root 4096 Jun 24 03:31 data-2

Create corresponding Persistent Volumes with NFS shares
1kind: PersistentVolume 2apiVersion: v1 3metadata: 4 name: psmdb-mongodb-data-0 5spec: 6 capacity: 7 storage: 2Gi 8 nfs: 9 server: files.example.com.local 10 path: /srv/data/psmdb/mongodb/data-0 11 accessModes: 12 - ReadWriteOnce 13 persistentVolumeReclaimPolicy: Recycle 14 storageClassName: psmdb 15

Install the PSMDB StatefulSet
1 $> oc apply -f deploy/cr.yaml
Labels:

Comments

Post a Comment

Popular posts from this blog

BIRT - Fix the size of an image

I use a dynamic image as a logo my report in pdf. At the beginning, I use table to align the logo in left or right. I meet a problem with some images with a large width or height. My customer requires that the logo should be displayed in original size. These following steps solves my problem: 1. Use Grid instead of Table 2. Set Grid "Height" is 100%  and "Width" is blank 3. Set "Fit to container" for images are "true". Download the the template here .
Post a Comment
Read more

[Snippet] CSS - Child element overlap parent

I searched from somewhere and found that a lot of people says a basic concept for implementing this feature looks like below: HTML code: <div id="parent">  <div id="child">  </div> </div> And, CSS: #parent{   position: relative;   overflow:hidden; } #child{   position: absolute;   top: -1;   right: -1px; } However, I had a lot of grand-parents in my case and the above code didn't work. Therefore, I needed an alternative. I presumed that my app uses Boostrap and AngularJs, maybe some CSS from them affects mine. I didn't know exactly the problem, but I believed when all CSS is loaded into my browser, I could completely handle it. www.tom-collinson.com I tried to create an example to investigated this problem by Fiddle . Accidentally, I just changed: position: parent; to position: static; for one of parents -> the problem is solved. Look at my code: <div class="modal-body dn-placeholder-parent-positi...
Post a Comment
Read more

Generating PDF/A From HTML in Meteor

My live-chat app was a folk of project Rocket.Chat which was built with Meteor. The app had a feature that administrative users were able to export the conversations into PDF files. And, they wanted to archive these files for a long time. I happened to know that PDF/A documents were good for this purpose. It was really frustrated to find a solution with free libraries. Actually, it took me more than two weeks to find a possible approach. TL, DR; Using Puppeteer to generate a normal PDF and using PDFBox to load and converting the generated PDF into PDF/A compliance. What is PDF/A? Here is a definition from Wikipedia: PDF/A  is an  ISO -standardized version of the  Portable Document Format  (PDF) specialized for use in the  archiving  and long-term  preservation  of  electronic documents . PDF/A differs from PDF by prohibiting features unsuitable for long-term archiving, such as  font  linking (as opposed to  font em...
Post a Comment
Read more

[Snippet] Generate a new unique "name" string from an existing list

Suppose that we have a list of employees. Everytime, we want to add new employee into this list, the name of the employee will be generated with the following rules: - the name of the new one is set to " [originalname] 1 " - in case the name already exist, " [originalname] 2 " is used, and so on. Here is my code snippet by Javascript: var employees =[ {id: 1, name: 'name'}, {id: 2, name: 'name 1'}, {id: 3, name: 'name 2'}, {id: 5, name: 'name 4'} ]; var commonUtils = { isExistName: function(_name, _collection, _prop) { for(var i = 0; i< _collection.length; i++){ if(_collection[i][_prop].localeCompare(_name)==0){ return true; } } return false; }, generateNewName: function(_name, _collection, _prop){ var i = 1; var searching = true; while (searching) { var newName = _name+ " " + i; if (!this.isExistName(newName, _collection, _pro...
Post a Comment
Read more

Retrospective with Sailboat

Have you ever got bored with the Retrospective meeting? I have, sometime. Most of the times, this meeting just goes traditionally by answering three questions: "What good things have we done? What bad things have we done? And, what actions should we improve?" Ever and ever again! My team found a way to make it a little bit more exciting. The idea is that each member - not only our Scrum Master - will become a host. If a meeting is hosted by a memeber, the next meeting will be hold by another one. Yeah, I used "Sailboat" pattern in my turn. So, I just want to share with you guys how it was. I started the meeting by telling a short story that I hoped everyone in my team could recall the meaning behind of Retrospective meetings: There is a group of people trying pick up trash in a park. At the first look, the park seem not to have a lot of trash because they are spread out all over the place. However, these people continuously found trash when they sta...
Post a Comment
Read more