(DOCSP-5093): Kubernetes TLS/SSL docs (#44)

* (DOCSP-5093): Kubernetes TLS/SSL documentation>

* (DOCSP-5093): Additional tightening up.

* (DOCSP-5093): Update security toc.

* (DOCSP-5093): Move resource TLS stuff onto deployment pages.

* (DOCSP-5093): Refactored tutorial page content into ConfigMap and resource deploy pages.

* (DOCSP-5093): Remove unneeded pages from initial draft.

* (DOCSP-5093): Additional cleanup.

* Apply suggestions from code review

Co-Authored-By: Anthony Sansone <[email protected]>

* (DOCSP-5093) - Additional TLS/SSL -> SSL cleanup.

* (DOCSP-5093): Reflow.

* (DOCSP-5093): Add example blocks.

* CA replacements.

Co-Authored-By: Anthony Sansone <[email protected]>

* (DOCSP-5093): Fix sharded cluster example pod names.

* (DOCSP-5093): Review edits.

Author: jdestefano-mongo

conf.py

@@ -58,7 +58,9 @@
 
 source_constants = {
     'version': version,
-    'k8s-op-short': 'Kubernetes Operator'
+    'k8s-op-short': 'Kubernetes Operator',
+    'aagent': 'MongoDB Agent or legacy Automation Agent',
+    'aagents': 'MongoDB Agents or legacy Automation Agents'
 }
 
 rst_epilog = '\n'.join([
@@ -83,6 +85,7 @@
     '.. |cidr| replace:: :abbr:`CIDR (Classless Inter-Domain Routing)`',
     '.. |cifs| replace:: :abbr:`CIFS (Common Internet File System)`',
     '.. |com| replace:: Cloud Manager or Ops Manager',
+    '.. |compass| replace:: :compass:`MongoDB Compass </>`',
     '.. |dns| replace:: :abbr:`DNS (Domain Name System)`',
     '.. |dns-srv| replace:: :abbr:`DNS (Domain Name System)` :abbr:`SRV (Service)`',
     '.. |ent-build| replace:: MongoDB Enterprise',
@@ -188,6 +191,7 @@
     'cloudmgr': ('http://docs.cloudmanager.mongodb.com/%s', ''),
     'atlas': ('http://docs.atlas.mongodb.com/%s', ''),
     'bic': ('https://docs.mongodb.com/bi-connector/current%s',''),
+    'compass': ('https://docs.mongodb.com/compass/current%s',''),
     'product': ('http://www.mongodb.com/products/%s?jmp=docs',''),
     'dl': ('http://www.mongodb.com/download-center/%s?jmp=docs','')
 }

source/includes/list-table-configmap-keys.rst

@@ -0,0 +1,106 @@
+.. list-table::
+   :widths: 20 20 40 20
+   :header-rows: 1
+
+   * - Key
+     - Type
+     - Description
+     - Example
+
+   * - ``metadata.name``
+     - string
+     - Label for a |k8s| |k8s-obj|.
+
+       .. seealso::
+
+          - :setting:`metadata.name`
+          - |k8s| documentation on `names <https://kubernetes.io/docs/concepts/overview/working-with-objects/names/>`__.
+            This name must follow :rfc:`RFC1123 <1123>` naming
+            conventions, using only lowercase alphanumeric
+            characters, '-' or '.', and must start and end with an
+            alphanumeric character.
+
+     - ``myconfigmap``
+
+   * - ``metadata.namespace``
+     - string
+     - Scope of object names. Used to limit what can be managed to
+       a subset of all |k8s-objs|. The default value is ``mongodb``.
+
+       .. important::
+          The |k8s-op-short|, |k8s-secret|, and |k8s-mdbrsc|\s
+          *must* be created in the same |k8s-ns|.
+
+       .. seealso::
+
+          - :setting:`metadata.namespace`
+          - |k8s| documentation on |k8s-nss|
+
+     - ``mongodb``
+
+   * - ``data.projectName``
+     - string
+     - Label for your |mms|
+       :opsmgr:`Project </tutorial/manage-projects>`.
+
+       .. admonition:: Let |k8s-op-short| create the Project
+          :class: important
+
+          The |k8s-op-short| creates the |mms| Project if it does
+          not exist. It is **strongly recommended** to use the
+          Operator to create a new Project for |k8s| to manage. The
+          Operator adds additional internal information to Projects
+          that it creates.
+
+       If you need or want to use an existing Project, you can find
+       the ``projectName`` by clicking the :guilabel:`All Clusters`
+       link at the top left of the screen, then either search by
+       name in the :guilabel:`Search` box or scroll to find the
+       name in the list. Each card in this list represents the
+       combination of one **Organization** and **Project**.
+
+     - ``Development``
+
+   * - ``data.orgId``
+     - string
+     - 24 character hex string that uniquely identifies your
+       MongoDB :opsmgr:`Organization </tutorial/manage-organizations>`.
+       You can find the ``orgId`` in your |onprem| |url|:
+
+       1. Click the :guilabel:`Context` menu.
+       2. Select your Organization.
+       3. View the current |url| in your browser and copy the value
+          displayed in the ``<orgId>`` placeholder below:
+
+          | ``https://ops.example.com:8443/``
+          | ``v2#/org/<orgId>/projects``
+
+       .. important::
+
+          This field is *optional*. If you omit the ``orgId``,
+          |onprem| creates an Organization called ``projectName``
+          that contains a Project also called ``projectName``.
+
+          You must have the :authrole:`Organization Project Creator`
+          role to create a new project
+          *within an existing organization*.
+
+          .. admonition:: Limited to |com| Organizations
+
+             If you set this value, it can be for a |com|
+             organization only. If you try to use an Atlas
+             organization, the |k8s-op-short| may not work as
+             intended.
+
+     - | ``5cc9b333dd3e384a625a6615``
+
+   * - ``data.baseUrl``
+     - string
+     - |url| to your |application| including the |fqdn| and port
+       number.
+
+       .. note::
+
+          You may use |cloud-short| for the ``data.baseUrl`` value.
+
+     - ``https://ops.example.com:8443``

source/includes/list-table-requiressl-modes.rst

@@ -0,0 +1,23 @@
+.. list-table::
+   :header-rows: 1
+   :widths: 20 40
+
+   * - Value
+
+     - Description
+
+   * - ``allowSSL``
+
+     - Connections between servers do not use |tls|. For incoming
+       connections, the server accepts both |tls| and
+       non-TLS.
+
+   * - ``preferSSL``
+
+     - Connections between servers use |tls|. For incoming
+       connections, the server accepts both |tls| and
+       non-TLS.
+
+   * - ``requireSSL``
+
+     - The server uses and accepts only |tls| encrypted connections.

source/includes/options-k8s-replica-set.yaml

@@ -285,5 +285,18 @@ inherit:
   name: spec.logLevel
   program: _shared
   file: options-k8s-shared.yaml
-
+---
+program: k8sRsConf
+name: spec.security.tls.enabled
+inherit:
+  name: spec.security.tls.enabled
+  program: _shared
+  file: options-k8s-shared.yaml
+---
+program: k8sRsConf
+name: spec.additionalMongodConfig.net.ssl.mode
+inherit:
+  name: spec.additionalMongodConfig.net.ssl.mode
+  program: _shared
+  file: options-k8s-shared.yaml
 ...

source/includes/options-k8s-shared.yaml

@@ -393,5 +393,34 @@ description: |
   - ``WARN``
   - ``ERROR``
   - ``FATAL``
+---
+program: _shared
+name: spec.security.tls.enabled
+type: boolean
+directive: setting
+optional: true
+default: "``false``"
+description: |
+  Encrypts communications using TLS certificates between:
+
+  - MongoDB hosts in a replica set or sharded cluster configuration
+  - Clients (|mongo| shell, drivers, |compass|, and others)
+    and the MongoDB deployment
+
+  By default, :setting:`net.ssl.mode` is set to ``requireSSL``. To change the
+  |tls| mode used for client and database connections, see
+  :setting:`spec.additionalMongodConfig.net.ssl.mode`.
+---
+program: _shared
+name: spec.additionalMongodConfig.net.ssl.mode
+type: string
+directive: setting
+optional: true
+default: "``requireSSL``"
+description: |
+  Specifies which :setting:`sslMode` is used for network connections.
+  The following are valid options:
+
+  .. include:: /includes/list-table-requiressl-modes.rst
 
 ...

source/includes/steps-create-k8s-configmap-tls.yaml

@@ -0,0 +1,102 @@
+---
+title: "Create a ConfigMap for the Certificate Authority certificate."
+level: 1
+ref: create-configmap-ca
+content: |
+  The |k8s-op-short| requires the root |certauth| certificate of the
+  Certificate Authority that issued the |mms| host's certificate. Run
+  the following command to create a |k8s-configmap| containing the root
+  CA certificate in the same namespace of your database pods:
+
+  .. code-block:: sh
+
+     kubectl -n <namespace> create configmap <root-ca-configmap-name> \
+       --from-file=mms-ca.crt
+  
+  .. important::
+
+     The |k8s-op-short| requires that the certificate is named
+     ``mms-ca.crt`` in the ConfigMap.
+
+---
+title: "Copy the following example ``ConfigMap``."
+stepnum: 2
+level: 4
+ref: copy-k8s-configmap-tls
+content: |
+
+  .. literalinclude:: /reference/k8s/example-configmap-tls.yaml
+     :language: yaml
+     :emphasize-lines: 5-6,8-10,12-13
+  
+---
+stepnum: 3
+level: 4
+ref: paste-k8s-configmap-tls
+source:
+  file: steps-create-k8s-configmap.yaml
+  ref: paste-k8s-configmap
+---
+stepnum: 4
+level: 4
+ref: configure-k8s-configmap-tls
+source:
+  file: steps-create-k8s-configmap.yaml
+  ref: configure-k8s-configmap
+---
+title: "Specify the TLS settings"
+level: 5
+ref: configure-project-tls
+content: |
+   Change the following |tls| keys:
+
+   .. list-table::
+      :widths: 25 25 25 25
+      :header-rows: 1
+
+      * - Key
+        - Type
+        - Description
+        - Example
+
+      * - ``sslMMSCAConfigMap``
+        - string
+        - Name of the |k8s-configmap| created in the first step
+          containing the Root |certauth| certificate used to sign the |onprem|
+          host's certificate. This mounts the CA certificate to the
+          |k8s-op-short| and database resources.
+        - ``my-root-ca``
+ 
+      * - ``sslRequireValidMMSServerCertificates``
+        - boolean
+        - Forces the Operator to require a valid |tls| certificate
+          from |mms|.
+
+          .. important::
+
+             The value must be enclosed in single quotes or the operator
+             will throw an error.
+
+        - ``'true'``
+---
+stepnum: 6
+level: 4
+ref: save-k8s-configmap-tls
+source:
+  file: steps-create-k8s-configmap.yaml
+  ref: save-k8s-configmap
+---
+stepnum: 7
+level: 4
+ref: create-k8s-configmap-tls
+source:
+  file: steps-create-k8s-configmap.yaml
+  ref: create-k8s-configmap
+---
+stepnum: 8
+level: 4
+ref: verify-k8s-configmap-tls
+source:
+  file: steps-create-k8s-configmap.yaml
+  ref: verify-k8s-configmap
+...

source/includes/steps-create-k8s-configmap.yaml

@@ -0,0 +1,70 @@
+---
+title: "Copy the following example ConfigMap."
+stepnum: 1
+level: 4
+ref: copy-k8s-configmap
+content: |
+
+  .. literalinclude:: /reference/k8s/example-configmap.yaml
+     :language: yaml
+     :emphasize-lines: 5-6, 8-10
+---
+title: "Open your preferred text editor and paste the example |k8s-configmap| into a new text file."
+stepnum: 2
+level: 4
+ref: paste-k8s-configmap
+---
+title: "Change the highlighted four lines."
+stepnum: 3
+level: 4
+ref: configure-k8s-configmap
+content: |
+  .. include:: /includes/list-table-configmap-keys.rst
+---
+title: "Save this file with a ``.yaml`` file extension."
+stepnum: 4
+level: 4
+ref: save-k8s-configmap
+---
+title: "Invoke the |k8s| command to create your |k8s-configmap|."
+stepnum: 5
+level: 4
+ref: create-k8s-configmap
+content: |
+  .. code-block:: sh
+
+      kubectl apply -f <myconfigmap.yaml>
+
+  .. important::
+
+     All subsequent ``kubectl`` commands you invoke must add the
+     ``-n`` option with the :setting:`metadata.namespace` you
+     specified in your |k8s-configmap|.
+---
+title: "Invoke the |k8s| command to verify your |k8s-configmap|."
+stepnum: 6
+level: 4
+ref: verify-k8s-configmap
+content: |
+  .. code-block:: sh
+
+     kubectl describe configmaps <myconfigmap> -n <metadata.namespace>
+
+  .. admonition:: *Always include the namespace option with* ``kubectl``
+        :class: important
+
+        |kubectl| defaults to an empty namespace if you do not specify
+        the ``-n`` option, resulting in deployment failures. You must
+        specify the value of the ``<metadata.namespace>`` field.
+        The |k8s-op-short|, |k8s-secret|, and |k8s-mdbrsc|\s should
+        run in the same unique namespace.
+
+  This command returns a ConfigMap description in the shell:
+
+  .. code-block:: sh
+
+     Name:           <myconfigmap>
+     Namespace:      <metadata.namespace>
+     Labels:         <none>
+     Annotations:    <none>
+...