Mongo SSL

常用操作

1、登录

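# Log in over TLS without credentials. The CA file verifies the server's
# certificate; the PEM key file is what this client presents as its own
# certificate. NOTE(review): this reuses the server's certificate as the
# client certificate — it works because the same CA signed it, but a
# dedicated client certificate is the usual practice.
mongo --ssl --sslCAFile /data/ssl/ca.pem --sslPEMKeyFile /data/ssl/server.pem --host localhost
# Log in with an account. Fix: the admin user is created in the `admin`
# database, so the shell must authenticate against it with
# --authenticationDatabase admin (as the mongorestore/mongodump examples on
# this page do); without it, authentication is attempted against the
# connection's default database and fails. A bare `-p` prompts for the
# password instead of leaving it in the shell history and process list.
mongo --ssl --sslCAFile /data/ssl/ca.pem --sslPEMKeyFile /data/ssl/server.pem --host localhost --authenticationDatabase admin -uadmin -p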

2、创建用户

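// Create the administrative user in the `admin` database.
// Fix: the mongo shell is JavaScript, so a trailing `#...` note is a syntax
// error; the original inline note is kept here as a `//` comment instead.
// NOTE(review): the original note said the user must be re-created in every
// database. A user belongs to the database it was created in, and each entry
// in `roles` may name a different database, so one user is enough — clients
// then authenticate with --authenticationDatabase set to that database.
// The password is the page's example value; replace it with a strong one.
use admin;
db.createUser({user: 'admin', pwd: '123456', roles: [{role: 'root', db: 'admin'}]});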

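// Regular application user with readWrite on db1, db2 and db3.
// Fix: the original role entries used `db: ' db1'` (note the leading space),
// which refers to a database literally named " db1" and grants nothing on
// `db1`; the read-only example further down spells the names without the
// space, so this was a typo.
// The role list is defined once and reused below.
var appRoles = ['db1', 'db2', 'db3'].map(function (name) {
  return {role: 'readWrite', db: name};
});
// NOTE(review): creating the same user in admin and again in db1..db3 is
// redundant — one user in a single authentication database whose roles span
// the three databases is sufficient. The copies are kept to match the page;
// the password is the page's example value and should be replaced.
use admin;
db.createUser({user: 'safettice', pwd: '123456', roles: appRoles});
use db1;
db.createUser({user: 'safettice', pwd: '123456', roles: appRoles});
use db2;
db.createUser({user: 'safettice', pwd: '123456', roles: appRoles});
use db3;
db.createUser({user: 'safettice', pwd: '123456', roles: appRoles});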

// Read-only account, created in db1, with the `read` role on db1, db2 and db3.
// NOTE(review): the password equals the username here; use a strong value.
use db1;
var readOnlyRoles = ['db1', 'db2', 'db3'].map(function (name) {
  return {role: 'read', db: name};
});
db.createUser({user: "read", pwd: "read", roles: readOnlyRoles})

3、导入导出

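# Restore (import) the dump directory `dbDir` into database db1.
# Fix: the original passed the password inline (`-p123456`), which exposes it
# in the process list and shell history; a bare `-p` prompts for it, as the
# mongo login example on this page already does.
mongorestore --authenticationDatabase admin -uadmin -p --ssl --sslCAFile /data/ssl/ca.pem --sslPEMKeyFile /data/ssl/server.pem --host localhost -d db1 dbDir
# Dump (export) all databases, same authentication and TLS options as above.
mongodump --authenticationDatabase admin -uadmin -p --ssl --sslCAFile /data/ssl/ca.pem --sslPEMKeyFile /data/ssl/server.pem --host localhost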


生成证书

1、带密码认证的

req.conf

# OpenSSL request configuration for the server certificate
# (consumed by `openssl req -config req.conf`).
[req]
# Take the subject from [dn] instead of prompting interactively.
prompt = no
distinguished_name = dn
default_md = sha256
default_bits = 2048
[dn]
# Field order is kept: it determines the order of components in the subject DN.
# NOTE(review): `C = CH` is the ISO code for Switzerland while ST/L say CQ —
# confirm it is intended. `emailAddress` expects an e-mail address, not a bare
# domain. OU must differ from the CA's OU (see the signing step below).
C = CH
ST = CQ
L = CQ
O = safettice
OU = server
emailAddress = test.com
CN = mongo

server_v3.ext

(此处写localhost和127.0.0.1就可以了)

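# v3 extensions applied when the CA signs the server CSR (`-extfile server_v3.ext`).
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# No extendedKeyUsage is set, so the certificate can fill both roles this page
# gives it (mongod's server certificate, and the certificate the mongo tools
# present as a client). If one is added, it must list serverAuth and clientAuth.
subjectAltName = @alt_names
[alt_names]
# Every address or name clients use to reach mongod must appear here, otherwise
# hostname verification fails. The IPs are the page's example values — replace them.
IP.1 = 10.96.12.102
IP.2 = 192.168.0.1
IP.3 = 127.0.0.1
DNS.1 = localhost
# Fix: the original contained an empty `DNS.2 =` entry, which adds nothing and
# may be rejected by OpenSSL; the remaining name is renumbered into its place.
DNS.2 = database-mongo
# NOTE(review): in-cluster clients that connect through the Service name
# (database-mongo-svc, possibly with its namespace suffix) need that name listed too.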

生成ca.pem和server.pem

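# 1. Create the CA certificate (ca.pem) with a passphrase-protected key.
#    `-new -x509` without `-key` generates the key and writes it to privkey.pem,
#    the file later passed as -CAkey.
#    NOTE(review): `-passout pass:123456` puts the passphrase on the command
#    line, where the process list and shell history can see it; `-passout file:`
#    or `-passout stdin` avoid that. Use a real passphrase, not the example.
openssl req -out ca.pem -new -x509 -days 3650 -passout pass:123456 -subj "/C=CH/ST=CQ/L=CQ/O=safettice/OU=ca"
# 2. Create the server certificate (server.pem). Its subject must not be
#    identical to the CA's, otherwise OpenSSL treats the certificate as
#    self-signed and verification fails with
#    "error 18 at 0 depth lookup:self signed certificate" — here OU differs.
openssl genrsa -out server.key 2048
# Fix: the original used `-keyout server.key` here, which generated a second
# key and silently overwrote the one from genrsa; `-key` builds the CSR from
# the key generated above.
openssl req -new -nodes -out server.csr -key server.key -config req.conf
openssl x509 -req -in server.csr -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650 -extfile server_v3.ext -passin pass:123456
# mongod reads key and certificate from a single PEM file.
cat server.key server.crt > server.pem
# Check that server.pem chains to ca.pem (verify uses the first certificate in the file).
openssl verify -CAfile ca.pem server.pem
# The files holding private keys should be readable by their owner only.
chmod 600 privkey.pem server.key server.pem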

#客户端证书可不需要,生成方式可与server一致

2、不带密码认证的

# Variant without a CA key passphrase: the CA key is generated explicitly, so
# the `openssl req -x509` step references it with -key rather than creating one.
openssl genrsa -out privkey.pem 2048
openssl req -new -x509 -nodes -sha256 -days 3650 \
  -key privkey.pem -out ca.pem \
  -subj "/C=CH/ST=CQ/L=CQ/O=test/OU=ca"
# Server key + CSR (subject from req.conf), then sign with the CA and apply the
# SAN extensions from server_v3.ext.
openssl req -new -nodes -config req.conf -keyout server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -out server.crt \
  -CA ca.pem -CAkey privkey.pem -CAcreateserial -extfile server_v3.ext
cat server.key server.crt > server.pem

部署

1、k8s容器部署

mongo.yaml

# ConfigMap with login notes, mounted into the mongo container via the
# StatefulSet's `mongo-login` volume.
# NOTE(review): a ConfigMap is not a secret — anyone who can read objects in
# the namespace sees the admin password below. Keep credentials in a Secret
# (and preferably out of the manifest entirely) and replace the example value.
# The block holds one mongo-shell statement followed by two shell commands;
# it is a reference note, not a script that runs as-is.
apiVersion: v1
data:
  mongo-login: |-
    db.createUser({user: 'admin', pwd: '123456', roles: [{role: 'root', db: 'admin'}]});
    mongo --ssl --sslCAFile /data/ssl/ca.pem --sslPEMKeyFile /data/ssl/server.pem --host localhost
    mongorestore -uadmin -p --ssl --sslCAFile /data/ssl/ca.pem --sslPEMKeyFile /data/ssl/server.pem --host 127.0.0.1 -d db1 dbdir --authenticationDatabase admin
kind: ConfigMap
metadata:
  name: mongo-login
  namespace: mongossl
---
# Image-pull Secret for the private registry; referenced by imagePullSecrets
# in the StatefulSet. The `.dockerconfigjson` value is a placeholder for the
# base64-encoded docker config — this is registry access, not the TLS material
# (the `mongo-ssl` Secret the StatefulSet mounts is a separate object).
apiVersion: v1
data:
  .dockerconfigjson: xxxxx=
kind: Secret
metadata:
  creationTimestamp: null
  name: harbor
  namespace: mongossl
type: kubernetes.io/dockerconfigjson
---
# PersistentVolumeClaim for the mongod data directory (mounted at /data/db by the StatefulSet).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: database-mongo-data-pvc # PVC name; must match claimName in the StatefulSet
  namespace: mongossl
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi # storage requested for the data directory
  storageClassName: rbd # storage class configured on the k8s cluster
---
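# StatefulSet running a single mongod with authentication and TLS required.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: mongo # Pod label
  name: database-mongo
  namespace: mongossl
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mongo # Pod label
  serviceName: database-mongo
  template:
    metadata:
      labels:
        app: mongo # Pod label
    spec:
      imagePullSecrets:
      - name: harbor # registry Secret defined above
      containers:
      - command:
        - "numactl"
        - "--interleave=all"
        - "mongod"
        - "--wiredTigerCacheSizeGB"
        - "0.1"
        - "--bind_ip"
        - "0.0.0.0" # listens on all interfaces; --auth and requireSSL are the controls in front of it
        - "--auth"
        - "--sslMode=requireSSL"
        - "--sslPEMKeyFile=/data/ssl/server.pem"
        - "--sslCAFile=/data/ssl/ca.pem"
        # Same certificate reused for intra-cluster membership; irrelevant with replicas: 1.
        - "--sslClusterFile=/data/ssl/server.pem"
        image: ges.harbor.in/tools/mongo.4.2.3
        imagePullPolicy: Always
        name: mongo
        ports:
        - containerPort: 27017
          name: mongo
          protocol: TCP
        volumeMounts:
        - mountPath: /data/db
          name: mongo-data
        - name: mongo-ssl-volumne
          readOnly: true
          mountPath: /data/ssl
        - name: mongo-login
          # Fix: the original used `mountPath: ./`, a relative path, which the
          # container runtime is unlikely to accept as a mount target and which
          # would shadow the working directory. Use an absolute directory; the
          # value below is a placeholder — pick one the image does not need.
          mountPath: /mnt/mongo-login
      volumes:
      - name: mongo-data
        persistentVolumeClaim:
          claimName: database-mongo-data-pvc # must match the PVC name created above
      - name: mongo-login
        configMap:
          name: mongo-login
      - name: mongo-ssl-volumne
        secret:
          # NOTE(review): the `mongo-ssl` Secret (ca.pem + server.pem) is not defined
          # in this manifest; create it separately, e.g.
          # kubectl -n mongossl create secret generic mongo-ssl --from-file=ca.pem --from-file=server.pem
          secretName: mongo-ssl
          # 256 decimal = 0400: readable by the file owner only (root unless
          # fsGroup is set). Fine while mongod runs as root; if the image runs
          # as a non-root user, set fsGroup or a group-readable mode, otherwise
          # mongod cannot read server.pem.
          defaultMode: 256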
---
# Service exposing mongod outside the cluster through a NodePort.
apiVersion: v1
kind: Service
metadata:
  name: database-mongo-svc
  namespace: mongossl
spec:
  ports:
  - name: mongo
    nodePort: 33333 # port reachable on every node IP; set it to the port actually opened
    port: 27017
    protocol: TCP
    targetPort: 27017
  selector:
    app: mongo # selects the Pods by the label set in the StatefulSet template above
  type: NodePort # reachable from outside the cluster as <node IP>:nodePort
# NOTE(review): a NodePort makes the database reachable from any network that can
# reach a node; --auth plus requireSSL are the only controls in front of it. If
# external access is not needed, use ClusterIP, or limit reachability with a
# NetworkPolicy or firewall. Clients that verify hostnames connect by a name or
# address that must be in the server certificate's SAN (server_v3.ext).

2、独立部署

即yum 或者二进制包安装

例:

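# Standalone install from the MongoDB yum repository (RHEL/CentOS).
# Fix: the heredoc delimiter is quoted ('EOF') so the shell does not expand
# $releasever while writing the file — unquoted, it is replaced by the
# (normally empty) shell variable and the baseurl points at a non-existent
# path. yum substitutes $releasever itself when it reads the repo file.
cat > /etc/yum.repos.d/mongo.repo << 'EOF'
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF
# Fix: the original first ran an unpinned `yum install -y mongodb-org`, which
# can pull a newer 4.0.x and then conflict with the pinned 4.0.27 packages;
# only the pinned set is installed. gpgcheck=1 above makes yum verify package
# signatures against the key named in gpgkey.
yum install -y mongodb-org-4.0.27 mongodb-org-server-4.0.27 mongodb-org-shell-4.0.27 mongodb-org-mongos-4.0.27 mongodb-org-tools-4.0.27
# Data and log directories, owned by the mongod service account.
mkdir -p /var/lib/mongo
mkdir -p /var/log/mongodb
chown -R mongod:mongod /var/lib/mongo
chown -R mongod:mongod /var/log/mongodb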

vi mongod.conf

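# /etc/mongod.conf — TLS and authorization settings for the standalone
# (yum / binary) deployment.
# NOTE(review): the certificate paths here (/etc/server.pem, /etc/ca.pem)
# differ from the /data/ssl/... paths used by the client commands on this
# page; make sure they point at the files actually installed.
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/server.pem
    CAFile: /etc/ca.pem
    # Fix: the original set both options to true. That makes mongod accept
    # certificates presented to it that do not chain to CAFile or whose name
    # does not match — i.e. it switches off the validation CAFile exists for.
    # Leave them false; if connections then fail, fix the certificate (CA
    # chain, SAN entries in server_v3.ext) rather than re-enabling these.
    allowInvalidHostnames: false
    allowInvalidCertificates: false
# The container deployment starts mongod with --auth; this is the config-file
# equivalent. Without it the users created earlier are not enforced and any
# client with a valid certificate has full access.
security:
  authorization: enabled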

运行

# Start mongod with the configuration file above (--config is the long form of -f).
mongod --config /etc/mongod.conf
