TLS + ReplicaSet (double secure)

If you want a MongoDB ReplicaSet setup with TLS encryption and node-level authentication (double secure), you can set it up following the production-grade YAML and deployment guide below:

🔐 TLS + ReplicaSet: Full Secure Configuration (StatefulSet) 🚀

1. Create the certificates (Self Signed CA + Node Certs)

  • One Root CA (ca.pem, ca-key.pem)
  • A separate certificate for each Replica node, signed by the CA
  • Each node's PEM file holds the private key and the signed certificate together (node.pem)
  • Use the Pod hostnames in the CN or SAN (e.g. mongodb-0.mongodb.default.svc.cluster.local)
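Step 1 only describes the certificates. The following POSIX shell script is an added example (not from the original post) that produces them with openssl: one root CA plus one combined key+certificate node.pem per pod ordinal, with the pod FQDN as CN and SAN, and a check to run before the files go into Kubernetes secrets. The O/OU values and file names are assumptions; the headless service `mongodb` in namespace `default` is taken from the page.

```shell
#!/bin/sh
# Added example (not part of the original post): generate the self-signed root CA
# and the per-node PEM files described in step 1, with SAN = pod hostname.
# Assumes: openssl CLI; headless service "mongodb" in namespace "default".
set -eu

# make_mongo_certs <outdir> <replica-count>
make_mongo_certs() {
  out="$1"; n="$2"
  mkdir -p "$out"
  # Root CA (ca.pem + ca-key.pem). Keep ca-key.pem off the cluster.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$out/ca-key.pem" -out "$out/ca.pem" \
    -subj "/O=MongoCluster/OU=rs0/CN=mongodb-ca" 2>/dev/null
  i=0
  while [ "$i" -lt "$n" ]; do
    host="mongodb-${i}.mongodb.default.svc.cluster.local"
    # Same O/OU on every member (x509 membership auth compares them); CN differs
    openssl req -newkey rsa:2048 -nodes \
      -keyout "$out/node${i}-key.pem" -out "$out/node${i}.csr" \
      -subj "/O=MongoCluster/OU=rs0/CN=${host}" 2>/dev/null
    # Sign with the CA, adding the pod FQDN as a SAN and server+client usage
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
      "$host" > "$out/node${i}.ext"
    openssl x509 -req -days 825 -in "$out/node${i}.csr" \
      -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
      -extfile "$out/node${i}.ext" -out "$out/node${i}-cert.pem" 2>/dev/null
    # mongod's --tlsCertificateKeyFile wants key and cert in one file
    cat "$out/node${i}-key.pem" "$out/node${i}-cert.pem" > "$out/node${i}.pem"
    rm -f "$out/node${i}.csr" "$out/node${i}.ext" \
          "$out/node${i}-key.pem" "$out/node${i}-cert.pem"
    i=$((i + 1))
  done
}

# check_node_cert <outdir> <ordinal>: the certificate chains to ca.pem and the
# SAN carries the pod hostname; run this before creating the Kubernetes secrets
check_node_cert() {
  out="$1"; host="mongodb-${2}.mongodb.default.svc.cluster.local"
  openssl x509 -in "$out/node${2}.pem" |
    openssl verify -CAfile "$out/ca.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$out/node${2}.pem" -noout -text | grep -q "DNS:${host}"
}

# Usage: make_mongo_certs ./certs 3 && check_node_cert ./certs 0
```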

2. Create the Kubernetes Secrets (TLS Certificates)

# CA certificate only: the StatefulSet below mounts the key "ca.pem" from this
# secret, and the CA private key (ca-key.pem) never needs to be in the cluster
kubectl create secret generic mongodb-tls-cert \
  --from-file=ca.pem=./ca.pem

kubectl create secret generic mongodb-node-0-cert --from-file=node0.pem=./node0.pem
# and likewise for the remaining nodes

  • The tls-cert secret should contain the CA certificate
  • You can keep a separate secret for each node

3. Headless Service (DNS + Pod Discovery)

apiVersion: v1
kind: Service
metadata:
  name: mongodb
spec:
  clusterIP: None
  selector:
    app: mongodb
  ports:
    - port: 27017

4. StatefulSet with TLS and ReplicaSet flags

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mongodb
spec:
  serviceName: "mongodb"
  replicas: 3
  selector:
    matchLabels:
      app: mongodb
  template:
    metadata:
      labels:
        app: mongodb
    spec:
      containers:
      - name: mongod
        image: mongo:5.0
        command:
          - mongod
          - "--replSet=rs0"
          - "--bind_ip_all"
          - "--tlsMode"
          - "requireTLS"
          - "--tlsCertificateKeyFile"
          - "/tls/node.pem"
          - "--tlsCAFile"
          - "/tls/ca.pem"
          - "--auth"
          - "--clusterAuthMode"
          - "x509"
        ports:
          - containerPort: 27017
        volumeMounts:
          - name: tls-volume
            mountPath: /tls
            readOnly: true
          - name: mongo-data
            mountPath: /data/db
      volumes:
        - name: tls-volume
          projected:
            sources:
              - secret:
                  name: mongodb-node-0-cert
                  items:
                    - key: node0.pem
                      path: node.pem
              - secret:
                  name: mongodb-tls-cert
                  items:
                    - key: ca.pem
                      path: ca.pem
  volumeClaimTemplates:
    - metadata:
        name: mongo-data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 2Gi

(Update the node secret name and key to match each Pod's ordinal)

5. ReplicaSet Initialization (once)

kubectl exec -it mongodb-0 -- mongo --tls --tlsCAFile /tls/ca.pem \
  --tlsCertificateKeyFile /tls/node.pem \
  --eval '
rs.initiate({
  _id: "rs0",
  members: [
    { _id: 0, host: "mongodb-0.mongodb.default.svc.cluster.local:27017" },
    { _id: 1, host: "mongodb-1.mongodb.default.svc.cluster.local:27017" },
    { _id: 2, host: "mongodb-2.mongodb.default.svc.cluster.local:27017" }
  ]
})'

6. Client side connection (TLS enabled)

mongosh "mongodb://mongodb-0.mongodb.default.svc.cluster.local:27017,mongodb-1.mongodb.default.svc.cluster.local:27017,mongodb-2.mongodb.default.svc.cluster.local:27017/?replicaSet=rs0" \
  --tls --tlsCAFile ./ca.pem --tlsCertificateKeyFile ./client.pem

  • client.pem should be a client certificate signed by the same CA, with the appropriate CN or SAN entries.

✅ Security benefits:

  • Transport encryption: all traffic between pods and clients is protected (TLS).
  • Authentication between nodes: with clusterAuthMode: x509, nodes authenticate each other.
  • Credentials-free clustering: auth uses certificates instead of username/password.
  • ReplicaSet high availability: primary-secondary failover support.