Discussion:
MongoDB Charts : enabling HTTPS
Jake
2018-10-24 15:58:07 UTC
Hi MongoDB Charts team,

Thanks again for a visualization tool that's much needed.

I am using v.10.0.
So far, I can deploy it against my own replica that runs on my k8s cluster
successfully - but insecurely.

When it comes to enabling HTTPS, I have so far failed.

Since I have diverted from using `docker-compose`, I am sailing alone here
without the benefit of following the instructions at
https://docs.mongodb.com/charts/master/installation/

I have tried providing the .crt and .key files using k8s secrets.

I have created the secrets as below:

$ kubectl create secret generic mongo-charts-https-cert \
    --from-file=tls-crt=mysite.pem
$ kubectl create secret generic mongo-charts-https-key \
    --from-file=tls-key=mysite.key

and had my k8s deployment yaml files *try* using those secrets as follows:

...
volumes:
  - name: web-certs-crt
    secret:
      secretName: mongo-charts-https-cert
      defaultMode: 256
  - name: web-certs-key
    secret:
      secretName: mongo-charts-https-key
      defaultMode: 256
...


where those volumes are mounted physically as:

...
volumeMounts:
  - name: charts-keys-pvc
    mountPath: /mongodb-charts/volumes/keys
  - name: charts-logs-pvc
    mountPath: /mongodb-charts/volumes/logs
  - name: web-certs-crt
    mountPath: /mongodb-charts/volumes/web-certs/crt/
  - name: web-certs-key
    mountPath: /mongodb-charts/volumes/web-certs/key
...


only to see that
✖ nginxConfigured failure: specified certificate file doesn't exist:
/mongodb-charts/volumes/web-certs/crt/tls-crt



Has anyone successfully enabled HTTPS on MongoDB charts using k8s
deployments?

Best
Jake
--
You received this message because you are subscribed to the Google Groups "mongodb-user"
group.

For other MongoDB technical support options, see: https://docs.mongodb.com/manual/support/
---
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mongodb-user+***@googlegroups.com.
To post to this group, send email to mongodb-***@googlegroups.com.
Visit this group at https://groups.google.com/group/mongodb-user.
To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/39fefdc8-9224-49fd-915e-90241313d431%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
'Tom Hollander' via mongodb-user
2018-10-24 23:52:23 UTC
Hi Jake -

Good to see you've mostly figured out how to deploy Charts using
Kubernetes. We haven't used this much ourselves although we know it's an
important scenario, and we have plans to improve the documentation and
support in future releases. We have tested basic k8s deployments but I
can't recall if we tested HTTPS - certainly I've never done this using
Kubernetes secrets.

Your config looks like you're on the right track, but for some reason the
startup script isn't finding the certificates. Have you tried opening a
shell session within the container and checking the certs are where you
expect and that the permissions are right?

Also while secrets are probably the best solution, you may want to try
using regular volumes and see if you can get that working.

Let me know how you go.
Tom
Jake
2018-10-25 09:45:21 UTC
Hi Tom,

Please find my answers below.
Post by 'Tom Hollander' via mongodb-user
Hi Jake -
Good to see you've mostly figured out how to deploy Charts using
Kubernetes. We haven't used this much ourselves although we know it's an
important scenario, and we have plans to improve the documentation and
support in future releases. We have tested basic k8s deployments but I
can't recall if we tested HTTPS - certainly I've never done this using
Kubernetes secrets.
Your config looks like you're on the right track, but for some reason the
startup script isn't finding the certificates. Have you tried opening a
shell session within the container and checking the certs are where you
expect and that the permissions are right?
I certainly have checked the container by logging in via a shell
session, and verified the files were created in the claimed folders.
In addition I also checked your /etc/nginx/nginx.https.conf inside the
charts pod, to see how it searches for the cert and the key files. It
looked like it referred to env variables, as displayed here (and you
already know that):

server {
    listen 443 ssl;
    server_name localhost-https;

    ssl_certificate CHARTS_HTTPS_CERTIFICATE_FILE;
    ssl_certificate_key CHARTS_HTTPS_CERTIFICATE_KEY_FILE;

    ...

But I don't know what else goes on behind the scenes. I would've tried
finding what those `env variable`-looking placeholders actually resolved to,
but I couldn't continue investigating for too long.

Post by 'Tom Hollander' via mongodb-user
Also while secrets are probably the best solution, you may want to try
using regular volumes and see if you can get that working.
I certainly tried that too, I just didn't want to write about it yet.

Here it is, in summary: instead of using the k8s secrets, I mapped
each env variable to physical folders mounted at the mentioned paths as follows
(in the deployment yaml):

- name: CHARTS_HTTPS_CERTIFICATE_FILE
  value: "/mongodb-charts/volumes/web-certs/crt/tls-crt"
- name: CHARTS_HTTPS_CERTIFICATE_KEY_FILE
  value: "/mongodb-charts/volumes/web-certs/key/tls-key"

I expected that on my 1st try to bring up the pod, it would fail,
because the files were not there yet (files named "tls-crt" and
"tls-key").
Nevertheless, I copied them into the pod, and killed/recreated it again,
this time expecting the pod to find the files in their paths.

But I still got the same error, the exact same line as before (as mentioned in
my first message).

Post by 'Tom Hollander' via mongodb-user
Let me know how you go.
Tom
Thank you,
'Tom Hollander' via mongodb-user
2018-10-26 00:57:37 UTC
Thanks for the extra info Jake. The relevant code is hidden deep in
charts-cli.js:

// Excerpt from charts-cli.js as posted; the CHARTS_* constants and the
// fs/path imports are defined elsewhere in that file.
export function configureNginx({ log, installDir }, callback) {
  const certFile = process.env[CHARTS_HTTPS_CERT_ENV_VAR];
  const keyFile = process.env[CHARTS_HTTPS_CERT_KEY_ENV_VAR];
  if (certFile && keyFile) {
    // The env var values are joined onto the web-certs volume directory,
    // so they are expected to be paths relative to that directory.
    const webCertsDir = path.join(installDir, CHARTS_VOLUMES_PATH,
      WEB_CERTS_DIRECTORY);
    const certPath = path.join(webCertsDir, certFile);
    const keyPath = path.join(webCertsDir, keyFile);

    fs.exists(certPath, certExists => {
      if (!certExists) {
        // Note: the message reports the raw env value (certFile), not the
        // joined certPath that was actually checked.
        log.error(`specified certificate file doesn't exist: ${certFile}`);
        return callback(new Error(`specified certificate file doesn't exist: ${certFile}`));
      }

      fs.exists(keyPath, keyExists => {
        if (!keyExists) {
          log.error(`specified certificate key file doesn't exist: ${keyFile}`);
          return callback(new Error(`specified certificate key file doesn't exist: ${keyFile}`));
        }

        // replace Env Var with value in nginx.https.conf and write to nginx.conf
        fs.readFile('/etc/nginx/nginx.https.conf', 'utf8', (error, httpsConfig) => {
          if (error) {
            return callback(error);
          }
          fs.writeFile(
            '/etc/nginx/nginx.conf',
            httpsConfig
              .replace(CHARTS_HTTPS_CERT_ENV_VAR, certPath)
              .replace(CHARTS_HTTPS_CERT_KEY_ENV_VAR, keyPath),
            'utf8',
            err => err ? callback(err) : callback(null, 'https')
          );
        });
      });
    });
  } else {
    // eslint-disable-next-line callback-return
    callback(null, 'http');
  }
}

So basically the script is checking for the existence of the two files, and
if they are found then it substitutes the tokens in the nginx config file.
In your case the existence check is failing.
It looks like the problem is that the environment variables are expected to
have just the filename (no path), as this is manually joined to the
web-certs volume path. Note that the error message is just outputting
*certFile*, but the check is actually against *certPath* which is the
result of the join. In your case it is probably looking for a file called
/mongodb-charts/volumes/web-certs/mongodb-charts/volumes/web-certs/crt/tls-crt
which doesn't exist.

I know this isn't clear in the docs, so I'll get this updated.

Let me know if this helps
Tom
Jake
2018-10-26 11:57:44 UTC
Hi Tom,

Thanks for following up.

I forgot to tell you in my previous message that I already tried that. And
just to make sure, I revisited the same procedure again, as follows:

That is, I've already tried the following (in my yaml file) while I

...
- name: CHARTS_HTTPS_CERTIFICATE_FILE
  value: "tls-crt"
- name: CHARTS_HTTPS_CERTIFICATE_KEY_FILE
  value: "tls-key"
...
with this error:
✖ nginxConfigured failure: specified certificate file doesn't exist: tls-crt

over this:
..
- name: CHARTS_HTTPS_CERTIFICATE_FILE
  value: "/mongodb-charts/volumes/web-certs/crt/tls-crt"
- name: CHARTS_HTTPS_CERTIFICATE_KEY_FILE
  value: "/mongodb-charts/volumes/web-certs/key/tls-key"
..

with still the same error:
✖ nginxConfigured failure: specified certificate file doesn't exist:
/mongodb-charts/volumes/web-certs/crt/tls-crt


But the file is on the path (here is the output from inside the pod):

:~/staging/kubernetes_control_st$ kubectl exec -it o-charts-dep-0 -- /bin/bash
***@o-charts-dep-0:/# cd /mongodb-charts/volumes/web-certs/crt/
***@o-charts-dep-0:/mongodb-charts/volumes/web-certs/crt# ls -lt
total 20
-r-------- 1 root root     8 Oct 26 11:42 tls-crt
drwx------ 2 root root 16384 Oct 26 10:06 lost+found
***@o-charts-dep-0:/mongodb-charts/volumes/web-certs/crt#

Thanks,
Best,
cnk
'Tom Hollander' via mongodb-user
2018-10-28 21:45:20 UTC
Hi Jake -

I think there's still a mismatch between the configured and actual path.
With your first example:
...
- name: CHARTS_HTTPS_CERTIFICATE_FILE
  value: "tls-crt"
- name: CHARTS_HTTPS_CERTIFICATE_KEY_FILE
  value: "tls-key"
...

...the startup script will look in /mongodb-charts/volumes/web-certs for
these two files. Per your output you've stored the certs in subfolders (crt
and key).
You *might* be able to get it to work with the files in the current locations
by specifying relative paths in the environment variables, e.g.
"crt/tls-crt", although that depends a bit on exactly how the path join APIs
used by the script work. The path of least resistance would probably be to
store the 2 files directly under web-certs as that's what the script and
procedures expect.

HTH
Tom
Jake
2018-10-30 07:42:19 UTC
Hi Tom,

Looks like you are right, I didn't give the subfolder in the env variable
value declaration.

In summary, the following declaration resulted in a pod that started up
nginx securely:
- name: CHARTS_HTTPS_CERTIFICATE_FILE
  value: "./crt/tls-crt"
- name: CHARTS_HTTPS_CERTIFICATE_KEY_FILE
  value: "./key/tls-key"

But not before I added the dots in front of the folders. That is, this
didn't work:
  value: "/crt/tls-crt"

neither did this:
  value: "crt/tls-crt"
Best,