[bitnami/mongodb-sharded] Enabling TLS Not Supported

[mkellogg91]

Which chart: mongodb-sharded. appVersion 4.4.4

Is your feature request related to a problem? Please describe. I'm not able to enable TLS/SSL on my sharded cluster without wanting to kill myself

Describe the solution you'd like Ideally there would be properties for enabling TLS and setting Certfile and CA file properties equal to the file location of the certs on the pod. for example: " tlsMode: "requireTLS" certicateKeyFile: "/etc/mongodb/.... certificateKeyFilePassword: "foo"

Describe alternatives you've considered Here is what I'm currently doing to try and make this work

• Certs --> using k8s secret along with common.extraVolumes and common.extraVolumeMounts to get my certs into all of my pods in the cluster
• Mongo Config --> tried using the shardsvr.config, arbiter.config, mongos.config properties to enable tls settings required in mongo documentation but the config property seems to just chuck whatever list items you give it into a volume mount on your pod which is useless unless I'm missing something on applying that config. I was hoping that this property would append to the current default configuration but it doesn't. In the end I had to use the mongodbExtraFlags property to try and pass the tls properties needed via command line flags. However if I try to bring the cluster up from scratch it never gets off the ground. It seems like when the helm chart is trying to bootstrap the initial primary nodes it can't find the mongos and or configsvr to connect to.

I am currently trying an approach where I get my sharded cluster up and running with no tls properties set and see if I can enable them at runtime slowly.

Am I missing something glaringly obvious or am I just the first person to try to set up TLS on this mongdb-sharded helm chart?

Additional context unfortunately I can't provide my exact config stuff as all my work is on a closed network

• I was able to get my sharded cluster to run fine with "allowTLS". However when doing a helm upgrade to "requireTLS" I saw atleast one instance of "client connection failed, this server requires ssl connections only" in my config server logs. I don't know what this "client" is yet. So ill have to look into it. I would have thought that if I updated all command line flags to include requireTLS and include certfile and CA file that there wouldn't be any client that is making a request without tls enabled.

[carrodher]

Hi, thanks for creating this issue with a detailed explanation. I was checking the bitnami/mongodb-sharded and there is not an option to enable SSL/TLS out of the box in the chart, it is needed to do some manual changes.

On the other hand, the regular bitnami/mongodb chart contains different options to configure SSL/TLS, you can find more info about that in the following links:

• https://github.com/bitnami/charts/tree/master/bitnami/mongodb#enable-ssltls
• https://github.com/bitnami/charts/tree/master/bitnami/mongodb#mongodb-parameters
• https://docs.bitnami.com/kubernetes/infrastructure/mongodb/administration/enable-tls/

I think a similar approach can be used in the bitnami/mongodb-sharded one, would you like to create a PR implementing the required changes? The team will be happy to review it and merge the changes. Otherwise, I can create an internal task to do it ourselves, but it will depend on the other priorities of the team so I can't provide an ETA for the internal task to be completed.

[mkellogg91]

@carrodher thanks for getting back to me as this helps me decide what to do in the immediate future. While the challenge of getting this working and submitting a pr would be an interesting task to take on, unfortunately I don't have the luxury of using my work time to do so. I recommend opening an internal task if your team sees this as a valuable TODO.

For anyone who does take this issue on:

• using common.extraVolumes and common.extraVolumeMounts worked well to get my certs into every pod
• mongodbExtraFlags also worked in terms of setting mongo properties such as setting tlsMode to "requireTLS" and passing certs into mongo
• where I got stuck was, according to my mongod logs for config server, it appeared that something was still attempting to connect to my mongod instance without tls enabled which was causing everything to hault (maybe some shell script commands from the docker container are currently not configurable to use tls instead of just connecting?)
• I was able to set tlsMode to "allowTLS" on all pods and the cluster was able to come up normally without failure, but the moment I turned on "requireTLS" it would break, again, I would look at whatever init script commands are being run to see if they are not including TLS props when doing mongo connections when they would be required to

Unfortunately for me I will have to make some simpler custom helm charts

[carrodher]

Thanks for the detailed information, I'm sure it can be helpful for other people. In the same way, I'm glad you were able to continue with a patch for your use case!

[github-actions[bot]]

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

[github-actions[bot]]

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

[tschneider-aneo]

I have encountered the same problems. Have you an idea when the TLS options for the non-sharded mongodb will be available for the sharded one ? Do you have any plan for that or not at all ?

If not do you know any workable workaround ?

Thank you for your help on the Helm chart !