source/tutorials.rst
+47
@@ -51,6 +51,53 @@ Parameters
51
51
The agent is configured to automatically reload the agent config if any
52
52
changes occur on the configmap or in the file-system
53
53
54
+
======================
55
+
Customized Deployments
56
+
======================
57
+
58
+
This section covers non-default deployment configurations that may be useful when deploying DBoM core services in production or niche use cases
59
+
60
+
Using TLS and x.509 authentication with MongoDB
61
+
-----------------------------------------------
62
+
63
+
In a production deployment, if you are choosing to use the mongodb repository implementation (database-agent), the recommended way to securely communicate to the repository is to use the built-in TLS support and x.509 user authentication.
64
+
65
+
This is fairly simple to do as database agent, and the mongodb-audit watcher (which is run by the repository owner) has built in support for mutual TLS authentication and authorization.
66
+
67
+
To begin with, you will have to configure your mongodb deployment to use tls and x.509 client authentication. The generation of certificates and configuration of the mongodb server is outside the scope of the DBoM documentation.
68
+
69
+
However, if you want to try out this deployment by creating a local CA which can sign a certificate, follow the official mongoDB documentation:
70
+
71
+
- `Creating CA Certificates <https://docs.mongodb.com/manual/appendix/security/appendixA-openssl-ca/>`_
72
+
- `Creating Certificates for your MongoDB Server <https://docs.mongodb.com/manual/appendix/security/appendixB-openssl-server/>`_
73
+
- `Creating Certificates for Mongo clients <https://docs.mongodb.com/manual/appendix/security/appendixC-openssl-client/>`_
74
+
75
+
You will need to generate multiple client certificates and associated user roles, as follows:
76
+
77
+
- One for the mongodb-audit-watcher, having read access to your channels collection as well as the ability to listen to change streams
78
+
- One for each DBoM node that you want joined to the repository, having appropriate access control to the channel collections
79
+
80
+
The details for creating these roles are present in the `MongoDB documentation for Users and Roles <https://docs.mongodb.com/manual/tutorial/manage-users-and-roles/>`_ and `x.509 authentication for clients <https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/>`_
81
+
82
+
Once you have configured mongodb with the certificates that you have generated, it is now time to configure the database agent instances and the mongoDB audit watcher appropriately
83
+
84
+
This is done using environment variables. Set the appropriate environment variables, as specified in the README for `database-agent <https://github.com/DBOMproject/database-agent>`_ and `mongodb-audit-watcher <https://github.com/DBOMproject/mongodb-audit-watcher>`_. If you are using docker, ensure that the certificates that you are providing are available within the container as a volume mount.
85
+
86
+
.. list-table:: Example Environment Variables
87
+
:header-rows: 1
88
+
:align: center
89
+
90
+
* - Key
91
+
- Value
92
+
* - MONGO_TLS_MODE_ENABLED
93
+
- ``1``
94
+
* - MONGO_TLS_CLIENT_CERT_PATH
95
+
- ``.secrets/client_cert.pem``
96
+
* - MONGO_TLS_CA_CERT_PATH
97
+
- ``.secrets/ca_cert.pem``
98
+
99
+
If you are using Helm Charts to deploy on Kubernetes, these keys are stored within a secret. Refer to the helm chart READMEs for further details.
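Review bot: the example environment-variable table at the end of the hunk gives a client certificate path (`MONGO_TLS_CLIENT_CERT_PATH` = `.secrets/client_cert.pem`) and a CA path but never mentions the client's private key, and the prose above it never says how the generated client certificates are tied to the MongoDB users; x.509 client authentication in MongoDB works by creating the user in the `$external` database with the client certificate's subject DN as its name, so the "multiple client certificates and associated user roles" step should state that the user name must match the certificate subject exactly (and that client certificates must differ from the server certificate in at least one of O, OU or DC), and the table should say whether `client_cert.pem` is expected to bundle the private key with the certificate as MongoDB PEM files conventionally do. Since the same paragraph tells Docker users to mount the files into the container, absolute paths (or a sentence saying the paths are relative to the process working directory) would be less error-prone than `.secrets/...`. Style: "tls" should be "TLS", the product name appears as "mongodb", "mongoDB" and "MongoDB" and the watcher as both "mongodb-audit watcher" and "mongodb-audit-watcher" in the same hunk, several sentences lack a terminal period (the "niche use cases", "x.509 authentication for clients" and "audit watcher appropriately" lines), and "This is fairly simple to do as database agent, and the mongodb-audit watcher ... has built in support" should read "This is fairly simple to do, as both the database agent and the mongodb-audit-watcher (which is run by the repository owner) have built-in support for mutual TLS authentication and authorization."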