Use separate tls.crt and tls.key items in a Kubernetes secret for certificates instead of a combined item named server.pem for a MongoDB rep
There should be a way to use separate tls.crt and tls.key items in a Kubernetes secret for certificates instead of a combined item named server.pem.
We request our certs using cert-manager, which generates secrets from the Certificate CRD and auto-renews them every so often. These secrets have two items, tls.crt and tls.key.
So far the only way I have seen to enable TLS is to combine these two items and put them into a new Kubernetes secret as an item called server.pem. This, however, means that when a cert auto-renews, the wrong secret is being used, so our replicaSets would break on each renewal (every 90 days).
If some flexibility were built in on how certificates are provided to the replicaSet, there would be no issue, and auto-renewing our certs would not break MongoDB in production every 90 days.
Support for cert-manager, as well as support for separate crt and key items, is on the roadmap.
We will look into updating our docs to describe cert rotation.
-
Mattias commented
It would be good if the operator could follow the default Kubernetes TLS secret layout as defined in the Kubernetes documentation: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets
This would cover not only the cert-manager use case but also the other use cases.
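The workaround described in the report (combining the tls.crt and tls.key items of a cert-manager secret into a single server.pem item in a second secret) and the staleness problem it creates after each renewal, as an added example that is not part of this issue, the operator, or cert-manager. It takes a kubernetes.io/tls Secret in the JSON form that `kubectl get secret -o json` produces, emits the Opaque secret with the server.pem item, and checks whether an existing combined secret still matches the source (so a renewal can be detected and the combined secret re-applied rather than left pointing at the old cert). The secret names, the annotation key and the PEM contents are constructed placeholders, not real key material.

```python
"""Build a combined server.pem Secret from a cert-manager kubernetes.io/tls Secret
and detect when a renewal has made the combined copy stale.

Added example, not the operator's or cert-manager's code. Secret names, the
annotation key and the sample PEM bodies below are assumptions/placeholders.
Usage: kubectl get secret <tls-secret> -o json | python3 combine_tls_secret.py - | kubectl apply -f -
"""
import base64
import json
import re
import sys

# Matches the label of every PEM block, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_LABEL = re.compile(r"-----BEGIN ([A-Z ]+)-----")


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _decode_item(secret: dict, item: str) -> bytes:
    data = secret.get("data") or {}
    if item not in data:
        raise KeyError(f"secret {secret['metadata']['name']!r} has no item {item!r}")
    return base64.b64decode(data[item])


def combined_pem(tls_secret: dict) -> bytes:
    """Concatenate tls.crt and tls.key (cert first, then key) into server.pem content."""
    if tls_secret.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a kubernetes.io/tls Secret")
    crt = _decode_item(tls_secret, "tls.crt")
    key = _decode_item(tls_secret, "tls.key")
    if not crt.endswith(b"\n"):
        crt += b"\n"  # keep the END line of the cert and the BEGIN line of the key on separate lines
    pem = crt + key
    # Sanity check: at least one certificate (leaf, maybe chain) and exactly one private key.
    labels = PEM_LABEL.findall(pem.decode("ascii"))
    if labels.count("CERTIFICATE") < 1 or sum("PRIVATE KEY" in label for label in labels) != 1:
        raise ValueError(f"unexpected PEM blocks in secret: {labels}")
    return pem


def build_combined_secret(tls_secret: dict, name: str) -> dict:
    """Return the Opaque Secret manifest carrying server.pem, in the same namespace as the source."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {
            "name": name,
            "namespace": tls_secret["metadata"].get("namespace", "default"),
            # Assumed annotation so the source of the combined item can be traced back.
            "annotations": {"example.invalid/source-secret": tls_secret["metadata"]["name"]},
        },
        "data": {"server.pem": _b64(combined_pem(tls_secret))},
    }


def needs_resync(tls_secret: dict, combined_secret) -> bool:
    """True when no combined secret exists or its server.pem no longer matches the source
    (what happens after cert-manager renews tls.crt/tls.key)."""
    if combined_secret is None:
        return True
    current = (combined_secret.get("data") or {}).get("server.pem")
    return current is None or base64.b64decode(current) != combined_pem(tls_secret)


# Constructed sample input (placeholder PEM bodies, not real certificate or key material).
SAMPLE_CRT = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholdercertificatebody\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIEplaceholderprivatekeybody\n-----END PRIVATE KEY-----\n"
SAMPLE_TLS_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/tls",
    "metadata": {"name": "mongodb-cert", "namespace": "mongodb"},
    "data": {"tls.crt": _b64(SAMPLE_CRT), "tls.key": _b64(SAMPLE_KEY)},
}

if __name__ == "__main__":
    source = json.load(sys.stdin) if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_TLS_SECRET
    json.dump(build_combined_secret(source, "mongodb-server-pem"), sys.stdout, indent=2)
    print()
```

Run it from a CronJob or a small controller that calls `needs_resync` against the live combined secret and re-applies the manifest when it returns True; otherwise the combined secret silently keeps the pre-renewal certificate and the replica set fails once the old cert expires.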