(DOCSP-21078) X509 and SCRAM for multi-cluster (#880)

* (DOCSP-21078) X509 and SCRAM for multi-cluster

* Periodic commit, to check that the stuff is still building correctly

* Periodic commit, to check that the stuff is still building correctly

* Figuring things out, to be continued

* Periodic commit

* Periodic commit

* Periodic commit

* Fixing warnings

* Getting ready for review

* Fixing build errors

* Fixing the  build

* Trying to fix the inheritance error

* Fixing steps

* Fixing step refs

* Edits, getting ready for a review. Build is clean.

* Address review feedback

* Added noprevnext, ready for a copy review

* Address copy review comments from John W, rearchitect how SCRAM is mentioned

* Fixing a build warning. Ready for the final tech review.

* Some more edits. Ready for the final tech review.

Author: JuliaMongo

source/includes/facts/fact-can-change-secret-storage-tool.rst

@@ -1,3 +1,4 @@
-This |k8s| |k8s-secret|, along with other |k8s-secrets| that |k8s-op-short|
-creates, can later be migrated to a different :ref:`secret storage tool <k8s-set-secret-storage-tool>` 
-to avoid storing secrets in |k8s|.
+.. note::
+
+   To avoid storing secrets in |k8s|, you can migrate all |k8s-secrets|
+   to a :ref:`secret storage tool <k8s-set-secret-storage-tool>`.

source/includes/prereqs-secure-resource-x509-multi-cluster.rst

@@ -0,0 +1,8 @@
+Enabling X.509 authentication at the project level configures all
+agents to use X.509 client authentication when communicating with
+MongoDB deployments.
+
+X.509 client authentication requires one of the following:
+
+- |cloud-short|
+- |onprem| 5.0.7 or later

source/includes/prereqs/custom-ca-prereqs-multi-cluster-rs-tls-only.rst

@@ -1,13 +1,19 @@
-- Generate one |tls| certificate for a ``MongoDBMulti`` resource.
-
-  For each |k8s| service corresponding to each Pod in each member cluster,
-  add |san-dns|\s to the certificate.
-
-  In your |tls| certificate, the |san-dns| for each |k8s| service  must
+- To enable internal cluster authentication, create certificates for
+  member clusters in the |multi-cluster|.
+- Generate one |tls| certificate covering the |san-dns|\s of all the member
+  clusters in the ``MongoDBMulti`` resource.
+- For each |k8s| service that the |k8s-op-short| generates corresponding
+  to each Pod in each member cluster, add |san-dns|\s to the certificate.
+  In your |tls| certificate, the |san-dns| for each |k8s| service must
   use the following format:
 
   .. include:: /includes/prereqs/san-format-multi-cluster.rst
 
-  You must possess the |certauth| certificate and the key that you used
-  to sign your |tls| certificates.
+- Generate one TLS certificate for your project's MongoDB Agents.
+
+  .. include:: /includes/prereqs/mdbagent-reqs-multi-cluster.rst
+
+- You must possess the |certauth| certificate and the key that you used to
+  sign your |tls| certificates.
 
+.. include:: /includes/prereqs/pem-format.rst

source/includes/prereqs/mdbagent-reqs-multi-cluster.rst

@@ -0,0 +1,6 @@
+- For the MongoDB Agent |tls| certificate:
+
+  - The Common Name in the |tls| certificate must not be empty.
+  - The combined Organization and Organizational Unit in each |tls|
+    certificate must differ from the Organization and Organizational
+    Unit in the |tls| certificate for your replica set members.

source/includes/prereqs/san-format-multi-cluster.rst

@@ -3,5 +3,3 @@
    <metadata.name>-<member_cluster_index>-<n>-svc.<namespace>.svc.cluster.local
 
 where ``n`` ranges from ``0`` to ``clusterSpecList[member_cluster_index].members - 1``.
-
-

source/includes/steps-add-database-user-scram.yaml

@@ -57,8 +57,8 @@ content: |
 
      * - ``spec.mongodbResourceRef.name``
        - string
-       - Name of the :ref:`MongoDB resource <k8s-deploy-mdb-resources>` to
-         which this user is associated.
+       - Name of the :ref:`MongoDB resource <k8s-deploy-mdb-resources>`
+         this user is associated with.
        - ``my-resource``
 
      * - ``spec.roles.db``

source/includes/steps-deploy-k8s-multi-cluster-rs-tls-custom-renew.yaml

@@ -1,7 +1,7 @@
 
 ---
 stepnum: 1
-ref: renew-k8s-rs-tls-secret
+ref: renew-k8s-rs-secret-tls
 source:
   file: steps-multi-cluster-source.yaml
   ref: renew-mc-rs-tls-secret

source/includes/steps-deploy-k8s-multi-cluster-rs-tls-custom.yaml

@@ -1,35 +1,18 @@
 ---
 stepnum: 1
 ref: create-k8s-mc-rs-tls-secret
-title: "Create the secret for the TLS certificate of your ``MongoDBMulti`` custom resource."
-level: 4
-content: |
-   Run the ``kubectl`` command to create a new secret that stores the
-   MongoDB multi-cluster resource's certificate:
-
-   .. code-block:: sh
-
-      kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
-      --namespace=<metadata.namespace> \
-      create secret tls <prefix>-<metadata.name>-cert \
-      --cert=<resource-tls-cert> \
-      --key=<resource-tls-key>
+source:
+  file: steps-multi-cluster-source.yaml
+  ref: create-k8s-mc-tls-secret
 
 ---
 stepnum: 2
 ref: create-k8s-mc-rs-tls-configmap
-title: "Create the ConfigMap to link your CA with your ``MongoDBMulti`` custom resource."
-level: 4
-content: |
-   Run the ``kubectl`` command to link your |certauth| to your ``MongoDBMulti`` custom resource:
-
-   .. code-block:: sh
-
-      kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
-      --namespace=<metadata.namespace> \
-      create configmap custom-ca -from-file=ca-pem
-
+source:
+  file: steps-multi-cluster-source.yaml
+  ref: create-k8s-mc-tls-configmap
 ---
+
 stepnum: 3
 ref: update-mongodbmulti-resource
 title: "Update your ``MongoDBMulti`` custom resource."

source/includes/steps-deploy-k8s-multi-cluster-rs-x509-custom-renew.yaml

@@ -0,0 +1,15 @@
+---
+stepnum: 1
+ref: renew-tls-secret
+source:
+  file: steps-multi-cluster-source.yaml
+  ref: renew-mc-rs-tls-secret
+
+---
+stepnum: 2
+ref: renew-multi-cluster-secret-x509-agent
+source:
+  file: steps-multi-cluster-source.yaml
+  ref: renew-mc-secret-x509-agent
+
+...

source/includes/steps-deploy-k8s-multi-cluster-rs-x509-custom.yaml

@@ -0,0 +1,77 @@
+---
+stepnum: 1
+ref: create-mc-rs-tls-secret
+source:
+  file: steps-multi-cluster-source.yaml
+  ref: create-k8s-mc-tls-secret
+---
+stepnum: 2
+ref: create-multi-cluster-agent-secret-x509
+source:
+  file: steps-multi-cluster-source.yaml
+  ref: create-mc-agent-secret-x509
+---
+stepnum: 3
+ref: create-k8s-mc-rs-tls-configmap
+source:
+  file: steps-multi-cluster-source.yaml
+  ref: create-k8s-mc-tls-configmap
+
+---
+stepnum: 4
+ref: update-mongodbmulti-resource-x509
+title: "Update your ``MongoDBMulti`` custom resource to enable X509 authentication."
+level: 4
+content: |
+
+   :ref:`Update your MongoDB multi-cluster resource <k8s-edit-database-resource>`
+   with :ref:`security settings <security-settings>` from the |k8s-op-short|
+   MongoDB resource specification. The resulting configuration should look as
+   follows:
+
+   .. code-block:: yaml
+
+      apiVersion: mongodb.com/v1
+      kind: MongoDBMulti
+      metadata:
+       name: multi-replica-set
+      spec:
+       version: 4.4.0-ent
+       type: ReplicaSet
+       persistent: false
+       duplicateServiceObjects: true
+       credentials: my-credentials
+       opsManager:
+         configMapRef:
+           name: my-project
+       security:
+         tls:
+           ca: custom-ca
+         certsSecretPrefix: <prefix>
+       authentication:
+         enabled: true
+         modes: ["X509"]
+         agents: 
+           mode: "X509"
+       clusterSpecList:
+         clusterSpecs:
+         - clusterName: ${MDB_CLUSTER_1_FULL_NAME}
+           members: 3
+         - clusterName: ${MDB_CLUSTER_2_FULL_NAME}
+           members: 2
+         - clusterName: ${MDB_CLUSTER_3_FULL_NAME}
+           members: 3
+
+   The |k8s-op-short| copies the ConfigMap with the |certauth| created in
+   the central cluster to each member cluster, generates a concatenated
+   |pem| secret, and distributes it to the member clusters.
+
+---
+stepnum: 5
+level: 4
+ref: verify-mc-resources-tls
+source:
+  file: steps-multi-cluster-source.yaml
+  ref: verify-mdb-resources-mc
+
+...