I’m deploying a MongoDB ReplicaSet using the MongoDB Community Operator v0.13.0 (Helm chart). I want to enforce mutual TLS so that clients must present a valid certificate signed by my CA. Based on the MongoDB documentation, setting allowConnectionsWithoutCertificates to false and setting mode to requireTLS should restrict connections to only clients that present valid certificates. I'm trying to set allowConnectionsWithoutCertificates: false inside the CR, but MongoDB is defaulting it to true. My CR looks like this (simplified):

apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
  name: mongodb
  namespace: mongodb
spec:
  members: 3
  type: ReplicaSet
  version: "7.0.7"

  security:
    tls:
      enabled: true
      certificateKeySecretRef:
        name: mongodb-server-tls
      caConfigMapRef:
        name: mongodb-ca

  additionalMongodConfig:
    net:
      tls:
        mode: requireTLS
        allowConnectionsWithoutCertificates: false

I've tried to reinstall MongoDB numerous times with allowConnectionsWithoutCertificates set to false, but it's still defaulting to true. At some point I thought it was a bug in the MongoDB Operator I was using (v0.12.0), so I upgraded to v0.13.0 but still got the same result. Here is what I'm getting when I connect to the database and run db.adminCommand({getCmdLineOpts: 1}):

port: 27017,
      tls: {
        CAFile: '/var/lib/tls/ca/longhash.pem',
        allowConnectionsWithoutCertificates: true,
        certificateKeyFile: '/var/lib/tls/server/longhash.pem',
        mode: 'requireTLS'
      }

Operator Information

Kubernetes-mongodb-operator version: 0.13.0
MongoDB community version: 7.0.7
Kubernetes version: 1.33.2

  • Do you use the client certificate also for authentication? Commented Aug 27 at 10:52
  • Internal replica set member connections are also "client" connections, there is no difference. Did you create a client certificate for replica set members? Either certificateKeyFile must be both a client and a server certificate, or you must create a client certificate and specify it at net.tls.clusterFile. Commented Aug 27 at 18:38
  • @WernfriedDomscheit so sorry for the delayed reply. Got caught in designing marketing and sales strategies. Yes, I do have certificateKeyFile, and it contains both client and server certificates. My initial thought was that it's required, and I was actually providing it when connecting to MongoDB. But then I tried connecting without it, and to my surprise the connection was successful. All the material I've come across says this is the correct way of setting up mTLS, but I'm wondering why it's failing. Commented Sep 11 at 12:32
  • I have no clue about Kubernetes, so I don't know why you get allowConnectionsWithoutCertificates: true in your config. And I don't fully understand what you mean by "I want to enforce mutual TLS". In general an invalid certificate can be used only to encrypt your connection via TLS/SSL. But it is the server certificate which initiates the TLS/SSL encryption. Thus, a client certificate which is not used for client authentication is actually not used for anything. Commented Sep 11 at 18:10
  • By "enforce mutual TLS", I mean forcing both client and server to provide a TLS certificate so they can verify each other. allowConnectionsWithoutCertificates: true negates mutual TLS by allowing a connection without the need for client and server to provide a certificate. With "allowConnectionsWithoutCertificates" being set to true, I only need to add tls=true in the connection URI, and the connection is allowed, if that makes sense. Commented Sep 12 at 4:34
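Because the CR is only the declared intent and mongod's own getCmdLineOpts output is the effective configuration, a drift check between the two is what I would run before trusting that client certificates are required. This is example code added here, not from the question or from the MongoDB Community Operator project; it assumes the quoted getCmdLineOpts fragment is the parsed.net section, and the sample values are copied from the question.

```python
"""Compare the net.tls options declared in a MongoDBCommunity CR with what
mongod actually started with (db.adminCommand({getCmdLineOpts: 1}).parsed)."""
from typing import Any, Dict, List, Tuple


def flatten(tree: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn a nested mongod config into dotted keys, e.g. net.tls.mode."""
    flat: Dict[str, Any] = {}
    for key, value in tree.items():
        dotted = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, dotted + "."))
        else:
            flat[dotted] = value
    return flat


def tls_drift(declared: Dict[str, Any],
              effective: Dict[str, Any]) -> List[Tuple[str, Any, Any]]:
    """Every declared net.tls.* key whose effective value differs or is missing."""
    want, have = flatten(declared), flatten(effective)
    return [(k, v, have.get(k)) for k, v in sorted(want.items())
            if k.startswith("net.tls.") and have.get(k) != v]


def client_certs_required(effective: Dict[str, Any]) -> bool:
    """True only when the running mongod rejects clients without a CA-signed cert."""
    tls = effective.get("net", {}).get("tls", {})
    return (tls.get("mode") == "requireTLS"
            and tls.get("allowConnectionsWithoutCertificates") is False
            and bool(tls.get("CAFile")))


# Constructed samples copied from the question: the CR's additionalMongodConfig
# and the getCmdLineOpts fragment (assumed to be the parsed.net section).
CR_ADDITIONAL_MONGOD_CONFIG = {"net": {"tls": {
    "mode": "requireTLS", "allowConnectionsWithoutCertificates": False}}}
EFFECTIVE_PARSED = {"net": {"port": 27017, "tls": {
    "CAFile": "/var/lib/tls/ca/longhash.pem",
    "allowConnectionsWithoutCertificates": True,
    "certificateKeyFile": "/var/lib/tls/server/longhash.pem",
    "mode": "requireTLS"}}}

if __name__ == "__main__":
    for key, want, have in tls_drift(CR_ADDITIONAL_MONGOD_CONFIG, EFFECTIVE_PARSED):
        print(f"DRIFT {key}: CR says {want!r}, mongod runs with {have!r}")
    print("client certificates required:", client_certs_required(EFFECTIVE_PARSED))
```

On the question's values it reports the single drifted key and answers "client certificates required: False", which matches the observed behaviour of connecting with only tls=true.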
