bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/mongodb] x509 Authentication with MongoDB #16369

Closed RainTomassi closed 1 year ago

RainTomassi commented 1 year ago

Name and Version

bitnami/mongodb

What architecture are you using?

amd64

What steps will reproduce the bug?

Hi, I'm looking for some guidance on using X509 authentication with the chart. I've set up cert-manager to bootstrap a self-signed cert and custom CA. Using that, I've generated certificates and configured the chart so that it seems to be at least using the certs. Note: I'm coming from using the MongoDB Community Operator, so it is a bit different in configuring the certs, etc., but once I get that properly configured, the next step is the X509 Authentication.

Unfortunately, the Community Operator doesn't support X509 Auth (the Enterprise does), so I'm hoping that it is relatively straightforward to do with this Helm Chart, however, I didn't see any specific options to set the authorization mechanism (MONGODB-X509): https://www.mongodb.com/docs/v4.4/reference/parameters/#mongodb-parameter-param.authenticationMechanisms

Can anyone provide some pointers to what I'd need to do? I'm assuming that I need to use the extraFlags value and add the authenticationMechanisms, but are there alternate (standard) ways to do this?

I'm also rather new to MongoDB, so a side tangent question would be: what do folks normally do to add the X509 authorizations, as it seems like a chicken-and-egg situation? You need to be able to log in to update the $external database, but you can't log in if X509 is the only authentication mechanism. I'm assuming this would need to be done in two steps: enable SCRAM to add the X509, then swap the auth mechanisms and helm upgrade.

Thank you for any guidance you can give.

Are you using any custom parameters or values?

helm install mongodb oci://registry-1.docker.io/bitnamicharts/mongodb \
  --namespace=$mongo_ns \
  --set arbiter.enabled=false \
  --set livenessProbe.enabled=false \
  --set service.nameOverride=$mongodb_svc_name \
  --set architecture=replicaset \
  --set auth.rootPassword=$mongo_pass \
  --set tls.enabled=true \
  --set tls.mode=requireTLS \
  --set tls.autoGenerated=false \
  --set tls.replicaset.existingSecrets={"${mongo_cert_secretname}-0,${mongo_cert_secretname}-1,${mongo_cert_secretname}-2"} \
  --set tls.caCert=$caCert \
  --set tls.caKey=$caKey \
  --set replicaCount=3

What is the expected behavior?

No response

What do you see instead?

N/A

Additional information

No response

carrodher commented 1 year ago

It seems a very specific use case, difficult to reproduce on our side and very tied to your scenario.

For information regarding the application itself, customization of the content within the application, or questions about the use of the technology or infrastructure, we highly recommend checking forums and user guides made available by the project behind the application or the technology.

That said, we will keep this ticket open until the stale bot closes it just in case someone from the community adds some valuable info.

RainTomassi commented 1 year ago

@carrodher Thank you for the quick response. I think I overcomplicated my initial message. I'm wondering what the proper method is to configure X509 client authentication (MONGODB-X509) with this chart.

RainTomassi commented 1 year ago

Update: Got X509 client authentication working with my use case. Last step is to configure X509 to be the only accepted authentication mechanism. I'll tinker some more, but I'll close this to reduce clutter. Thank you.

riffrack commented 6 months ago

@RainTomassi could you please provide me with more detailed information or an example on how you got x.509 working in the chart? I'm struggling with the same issue.

RainTomassi commented 6 months ago

@riffrack I don't recall exactly the issue I was running into at the time, but here are some snippets from what I've done:

  # CA certificate and key pulled from the cert-manager CA secret
  local caCert="$(k8s_get_secret_tls_crt $self_signed_ca_secret $cert_mgr_ns)"
  local caKey="$(k8s_get_secret_tls_key $self_signed_ca_secret $cert_mgr_ns)"

  # SCRAM root user, used later to bootstrap the x509 users
  opts="$opts --set auth.enabled=true"
  opts="$opts --set auth.rootUser=$mongo_root_user"
  opts="$opts --set auth.rootPassword=$mongo_root_pass"
  opts="$opts --set auth.replicaSetKey=$mongo_rs_key"

  opts="$opts --set tls.enabled=true"
  opts="$opts --set tls.mTLS.enabled=true"
  opts="$opts --set tls.mode=requireTLS"
  opts="$opts --set tls.autoGenerated=false"

  # The same cert-manager issued secret is reused for all three members
  opts="$opts --set tls.replicaset.existingSecrets[0]=${mongo_cert_secretname}"
  opts="$opts --set tls.replicaset.existingSecrets[1]=${mongo_cert_secretname}"
  opts="$opts --set tls.replicaset.existingSecrets[2]=${mongo_cert_secretname}"

  opts="$opts --set tls.caCert=$caCert"
  opts="$opts --set tls.caKey=$caKey"

  # Leave this comment to remember the option exists
  # opts="$opts --set image.debug=true"

First we request a certificate from cert-manager with the cert secret stored in 'mongo_cert_secretname'. I did try using a separate certificate for each node, however, I ran into issues. Once Mongo is deployed, we can then create the x509 users. The way I do it is to exec into the pod and authenticate via SCRAM then issue the create user command on the $external database.

  # Authenticate over TLS as the SCRAM root user from inside the pod
  local cmd="mongosh admin --verbose --authenticationDatabase admin --tlsCertificateKeyFile /certs/mongodb.pem --tlsCAFile /certs/mongodb-ca-cert --authenticationMechanism SCRAM-SHA-256 --tls -u $mongo_root_user -p $mongo_root_pass"

  # Create the x509 user in the $external database
  eval_cmd="--eval 'db.getSiblingDB(\"\$external\").runCommand({ createUser: \"$cn\", roles: [{ role: \"readWrite\", db: \"$mongo_db_name\" }] })'"

Then in the application that is connecting to Mongo via X509, I use the cert-manager CSI driver in the manifest to automatically mount the certificates.

  csi:
    driver: csi.cert-manager.io
    readOnly: true
    volumeAttributes:
      csi.cert-manager.io/common-name: "$app"
      csi.cert-manager.io/issuer-name: $cluster_issuer_name
      csi.cert-manager.io/issuer-kind: ClusterIssuer
      csi.cert-manager.io/dns-names: "\${POD_NAME}.\${POD_NAMESPACE}.svc.cluster.local"

Hope that can help.
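The createUser step above is where x509 setups most often go wrong: MongoDB looks up the connecting client in $external by the certificate's full subject DN in RFC 2253 form (CN first, comma separated), so whatever `$cn` holds in the snippet has to be that whole string, not just the common name, and the client subject must differ from the cluster members' certificate subjects in at least one of O, OU or DC, otherwise mongod treats the connection as a cluster member. The script below is an added example, not code from this thread or from the bitnami/mongodb chart: it takes subjects in the legacy one-line form that `openssl x509 -subject` prints (an assumption; values containing "/" are not handled), derives the $external username, checks the client-versus-member rule, and builds the mongosh `--eval` body. The member and application subjects in it are constructed samples.

```python
#!/usr/bin/env python3
"""Added example (not from the bitnami/charts thread or the chart itself).

Maps an X.509 client certificate subject to the username MongoDB expects in
the $external database, checks the client-vs-member subject rule, and emits
the createUser command. Subjects are expected in the legacy OpenSSL one-line
form ("/C=US/O=Acme/CN=app"); the sample subjects below are constructed.
"""
import json
import re
from typing import List, Tuple

RDN = Tuple[str, str]

# One "/TYPE=value" element of the legacy OpenSSL subject line. Values that
# themselves contain "/" are not supported by this simple parser; for those,
# take the DN straight from `openssl x509 -subject -nameopt RFC2253`.
_RDN_RE = re.compile(r"/([A-Za-z]+)=([^/]*)")


def parse_openssl_subject(subject: str) -> List[RDN]:
    """Parse '/C=US/O=Acme/CN=app' into [('C','US'), ('O','Acme'), ('CN','app')]."""
    if not subject.startswith("/"):
        raise ValueError("expected legacy OpenSSL subject starting with '/'")
    return _RDN_RE.findall(subject)


def rfc2253_escape(value: str) -> str:
    """Escape an attribute value as RFC 2253/4514 requires: ',', '+', '"', '\\',
    '<', '>', ';' anywhere, '#' at the start, and a leading or trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def mongodb_username(subject: str) -> str:
    """The $external username: the subject DN in RFC 2253 order (CN first)."""
    rdns = parse_openssl_subject(subject)
    return ",".join(f"{attr}={rfc2253_escape(val)}" for attr, val in reversed(rdns))


def client_subject_ok(client_subject: str, member_subject: str) -> bool:
    """mongod treats a certificate whose O, OU and DC all equal those of its own
    member certificate as a cluster member, so a client subject must differ in
    at least one of them."""
    def pick(rdns: List[RDN], attr: str) -> List[str]:
        return [v for k, v in rdns if k.upper() == attr]

    client = parse_openssl_subject(client_subject)
    member = parse_openssl_subject(member_subject)
    return any(pick(client, a) != pick(member, a) for a in ("O", "OU", "DC"))


def create_user_eval(subject: str, db: str, role: str = "readWrite") -> str:
    """Build the mongosh --eval body that registers the certificate holder in
    $external with one role. The user name is the whole DN, not its CN."""
    doc = {"createUser": mongodb_username(subject), "roles": [{"role": role, "db": db}]}
    return f'db.getSiblingDB("$external").runCommand({json.dumps(doc)})'


if __name__ == "__main__":
    # Constructed sample subjects: one replica set member cert, one app cert.
    member = "/C=US/O=Acme/OU=MongoDB/CN=mongodb-0.mongodb-headless.svc.cluster.local"
    app = "/C=US/O=Acme/OU=Apps/CN=orders-api"
    if not client_subject_ok(app, member):
        raise SystemExit("client subject must differ from member subject in O, OU or DC")
    print(create_user_eval(app, "orders"))
```

Run it with the real subjects of the member and application certificates (for example from `openssl x509 -in client.pem -noout -subject`) and paste the printed string into the `--eval` of the SCRAM-authenticated mongosh session; the same DN string is what the application must later present as its x509 identity.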