bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/mongodb] Not possible to deploy using TLS without client Certificates (mTLS) #13317

Closed cmanzur closed 1 year ago

cmanzur commented 1 year ago

Name and Version

bitnami/mongodb-13.3.0

What steps will reproduce the bug?

I have found the problem and the solution also. The problem is that you can't currently deploy using TLS but without using certificates on the clients (mTLS). Basically, if you deploy the chart with tlsEnabled, it will set mutual TLS by default, and it's not possible to change this behavior.

Are you using any custom parameters or values?

rootPassword: "root1234"
tlsEnabled: true

What is the expected behavior?

Deploy MongoDB with TLS but without mTLS.

What do you see instead?

The problem is in this line (for standalone): https://github.com/bitnami/charts/blob/main/bitnami/mongodb/templates/standalone/dep-sts.yaml#L244

When you set --tlsCAFile on the extraFlags, it will run MongoDB in mutual TLS. It's well documented here: https://www.mongodb.com/docs/manual/tutorial/configure-ssl/#set-up-mongod-and-mongos-with-client-certificate-validation

So, the client must use:

mongosh admin --host "mongo-mongodb-headless" --authenticationDatabase admin -u root -p $MONGODB_ROOT_PASSWORD --tls --tlsCAFile ca.pem --tlsCertificateKeyFile client-cert.pem

I have tested deleting the --tlsCAFile on that line and it works with TLS (without mutual TLS). You need to add some logic on the Helm template to achieve this.

The client can now use:

mongosh admin --host "mongo-mongodb-headless" --authenticationDatabase admin -u root -p $MONGODB_ROOT_PASSWORD --tls --tlsCAFile ca.pem

Additional information

No response
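A small check for the behaviour described in this issue, added here as an example (not code from the chart or from any commenter): it classifies a mongod command line by whether clients must present a certificate, so rendered manifests can be linted before deployment. The sample command lines and file paths are constructed, and `--tlsAllowConnectionsWithoutCertificates` is a mongod option that is not mentioned in the thread.

```python
import shlex


def mongod_tls_posture(cmdline: str) -> str:
    """Classify how a mongod command line treats client certificates."""
    opts = {}
    tokens = shlex.split(cmdline)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            # Also accept the "--flag value" spelling.
            if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                value = tokens[i + 1]
                i += 1
            opts[name] = value
        i += 1

    # mongod's default tlsMode is "disabled".
    if opts.get("tlsMode", "disabled") == "disabled":
        return "no-tls"
    if "tlsCAFile" not in opts:
        # Server presents its certificate; clients need not present one.
        return "server-auth-only"
    if "tlsAllowConnectionsWithoutCertificates" in opts:
        # The CA still validates certificates that clients choose to present.
        return "client-cert-optional"
    return "client-cert-required"  # the mTLS behaviour reported in the issue


# Constructed command lines (file paths are placeholders, not the chart's own).
SAMPLES = {
    "as reported": "mongod --tlsMode=requireTLS "
                   "--tlsCertificateKeyFile=/certs/server.pem --tlsCAFile=/certs/ca.pem",
    "CA flag removed": "mongod --tlsMode requireTLS "
                       "--tlsCertificateKeyFile /certs/server.pem",
    "CA kept, certs optional": "mongod --tlsMode=requireTLS "
                               "--tlsCertificateKeyFile=/certs/server.pem "
                               "--tlsCAFile=/certs/ca.pem "
                               "--tlsAllowConnectionsWithoutCertificates",
    "no TLS flags": "mongod --bind_ip_all",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(f"{label}: {mongod_tls_posture(cmd)}")
```

The classification treats any `tlsMode` other than `disabled` as TLS being on; with `allowTLS` or `preferTLS` the server also accepts plaintext connections, which this check does not distinguish.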

javsalgar commented 1 year ago

Hi,

Thank you so much for reporting, would you like to submit a PR improving the solution?

github-actions[bot] commented 1 year ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 1 year ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

emahdij commented 11 months ago

I am encountering the exact same error described in this issue when attempting to deploy MongoDB with TLS without using mutual TLS. Could you provide more detailed instructions or an update on the fix for this?