(DOCSP-23416) Multi-cluster LDAP (#965)

JuliaMongo · web-flow · commit b9988a7e7449 · 2022-07-08T07:11:48.000-04:00
* (DOCSP-23416) Initial commit, seting up the stubs * Fixing the TOC, to be continued * Added steps, fixed the TOC * Removed the LDAP limitation, ready for the initial review with Mircea * Updated the prereqs * Added the multi-cluster steps now * Copy review. Added redirects, added two includes, added a ref to ldap users for multi-clusters to the arch topic * Added info to relnotes about LDAP for multi-clusters
diff --git a/config/redirects b/config/redirects
@@ -12,6 +12,14 @@ symlink: stable -> v1.16
 # Base URL
 raw: docs/kubernetes-operator/ -> ${base}/stable/
 
+# Add redirects related to the addition of new topics for multi-cluster
+# beta security in the Operator v1.16.x, and single cluster LDAP:
+
+[*-v1.15]: docs/kubernetes-operator/${version}/multi-cluster-secure-client-connections -> ${base}/stable/multi-cluster-secure-client-connections
+[*-v1.15]: docs/kubernetes-operator/${version}/multi-cluster-secure-ldap-auth -> ${base}/stable/multi-cluster-secure-ldap-auth
+[*-v1.15]: docs/kubernetes-operator/${version}/tutorial/secure-client-connections -> ${base}/stable/tutorial/secure-client-connections
+[*-v1.15]: docs/kubernetes-operator/${version}/tutorial/secure-ldap-auth -> ${base}/tutorial/secure-ldap-auth
+
 # Add redirects related to the addition of new topics for multi-cluster
 # beta in the Operator v1.13.
 
diff --git a/source/includes/facts/ldap-considerations.rst b/source/includes/facts/ldap-considerations.rst
@@ -0,0 +1,14 @@
+- To configure |ldap| in |k8s-crds|, use the parameters under the
+  :setting:`spec.security.authentication.ldap` and other
+  :ref:`security LDAP settings <security-settings>` specific to the
+  MongoDB Agent, from the |k8s-op-short| MongoDB resource specification.
+  The procedures in this section describe the required settings and
+  provide examples of LDAP configuration.
+
+- To improve security, consider :ref:`configuring TLS <secure-tls>`.
+  Encryption with |tls| is optional. By default, |ldap| traffic is sent
+  as plain text. This means that username and password are exposed to
+  network threats. Many modern directory services, such as Microsoft
+  Active Directory, require encrypted connections. Consider using
+  |ldap| over |tls-ssl| to encrypt vauthentication requests in your
+  |k8s-op-short| MongoDB deployments.
diff --git a/source/includes/facts/ldap-intro.rst b/source/includes/facts/ldap-intro.rst
@@ -0,0 +1,12 @@
+`MongoDB Enterprise <http://www.mongodb.com/products/mongodb-enterprise?jmp=docs>`_
+supports:
+
+- Proxying authentication requests to a Lightweight Directory Access
+  Protocol (LDAP) service.
+- Simple and SASL binding to LDAP servers. MongoDB Enterprise can bind
+  to an LDAP server via ``saslauthd`` or through the operating system
+  libraries.
+
+To learn more, see the :manual:`LDAP Proxy Authentication </core/security-ldap>`
+and :manual:`LDAP Authorization </core/security-ldap-external>` sections
+in the MongoDB Server documentation.
diff --git a/source/includes/steps-deploy-k8s-multi-cluster-replica-set-ldap.yaml b/source/includes/steps-deploy-k8s-multi-cluster-replica-set-ldap.yaml
@@ -0,0 +1,86 @@
+stepnum: 1
+ref: create-mc-rs-tls-secret
+source:
+  file: steps-multi-cluster-source.yaml
+  ref: create-k8s-mc-tls-secret
+---
+
+stepnum: 2
+ref: create-k8s-mc-rs-tls-configmap
+source:
+  file: steps-multi-cluster-source.yaml
+  ref: create-k8s-mc-tls-configmap
+
+---
+stepnum: 3
+ref: update-mongodbmulti-resource-ldap
+title: "Update your ``MongoDBMulti`` custom resource to enable |ldap| authentication."
+level: 4
+content: |
+
+  :ref:`Update your MongoDBMulti custom resource <k8s-edit-database-resource>`
+  with :ref:`security settings <security-settings>` from the |k8s-op-short|
+  MongoDB resource specification.
+
+  To enable |ldap| in your deployment, configure the following
+  settings in your |k8s| object:
+
+  .. include:: /includes/list-tables/ldap-settings.rst
+
+  The resulting configuration may look similar to the following
+  example:
+
+  .. code-block:: yaml
+
+     security:
+      authentication:
+        enabled: true
+        # Enabled LDAP Authentication Mode
+        modes:
+          - "LDAP"
+          - "SCRAM"
+          # LDAP related configuration
+        ldap:
+        # Specify the hostname:port combination of one or
+        # more LDAP servers
+          servers:
+            - "ldap1.example.com:636"
+            - "ldap2.example.com:636"
+ 
+        # Set to "tls" to use LDAP over TLS. Leave blank if
+        # the LDAP server doesn't accept TLS.
+        transportSecurity: "tls"
+ 
+        # If TLS is enabled, add a reference to a ConfigMap that
+        # contains a CA certificate that validates the LDAP server's
+        # TLS certificate.
+        caConfigMapRef:
+          name: "<configmap-name>"
+          key: "<configmap-entry-key>"
+ 
+        # Specify the LDAP Distinguished Name to which
+        # MongoDB binds when connecting to the LDAP server
+        bindQueryUser: "cn=admin,dc=example,dc=org"
+ 
+        # Specify the password with which MongoDB binds
+        # when connecting to an LDAP server. This is a
+        # reference to a Secret Kubernetes Object containing
+        # one "password" key.
+        bindQueryPasswordSecretRef:
+          name: "<secret-name>"
+
+  For a full list of LDAP settings, see :ref:`security settings
+  <security-settings>` in the |k8s-op-short| MongoDB resource specification.
+  Also see the :setting:`spec.security.authentication.agents.automationUserName`
+  setting for the MongoDB Agent user in your LDAP-enabled |k8s-op-short|
+  deployment.
+
+---
+stepnum: 4
+level: 4
+ref: verify-mc-resources-tls
+source:
+  file: steps-multi-cluster-source.yaml
+  ref: verify-mdb-resources-mc
+
+...
diff --git a/source/includes/steps-multi-cluster-source.yaml b/source/includes/steps-multi-cluster-source.yaml
@@ -261,7 +261,7 @@ content: |
 
      kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
        --namespace=<metadata.namespace> \
-     create secret tls <prefix>-<metadata.name>-cert \
+       create secret tls <prefix>-<metadata.name>-cert \
        --cert=<resource-tls-cert> \
        --key=<resource-tls-key>
 
diff --git a/source/multi-cluster-arch.txt b/source/multi-cluster-arch.txt
@@ -25,7 +25,6 @@ The following features of the |k8s-op-full| and the underlying |k8s|
 clusters are not available in the beta release of the |multi-clusters|:
 
 - Sharded cluster deployments
-- LDAP authentication
 - |onprem| version earlier than 5.0.7
 
 .. _multi-cluster-capabilities:
@@ -55,10 +54,11 @@ documentation in this guide.
        and select the tab :guilabel:`Using the Kubernetes Secret`.
 
    * - Secure database users in |multi-clusters|
-     - Use these procedures:
+     - Manage database users using:
 
-       - :ref:`Configure database users with SCRAM authentication <k8s-manage-db-users-scram>`
-       - :ref:`Manage database users in deployments that use TLS and X.509 for internal cluster authentication <k8s-manage-db-users-x509>`
+       - :ref:`LDAP authentication <k8s-manage-db-users-ldap>`
+       - :ref:`SCRAM authentication <k8s-manage-db-users-scram>`
+       - :ref:`TLS and X.509 for internal cluster authentication <k8s-manage-db-users-x509>`
        
        These procedures are the same as for single clusters
        deployed with |k8s-op-short|, with the following exceptions:
diff --git a/source/multi-cluster-secure.txt b/source/multi-cluster-secure.txt
@@ -17,17 +17,15 @@ Secure Database Resources in Multi-Cluster Deployments
 :ref:`multi-cluster-secure-tls`
   Secure ``MongoDBMulti`` CustomResources with |tls|.
 
-:ref:`multi-cluster-secure-x509`
-  Configure x.509 for client authentication in |multi-clusters|.
+:ref:`multi-cluster-secure-client-connections`
+  Configure |ldap| and X.509 for client authentication and X.509 for
+  internal authentication in your |multi-clusters|.
 
-:ref:`multi-cluster-secure-internal-auth`
-  Configure |tls| and X.509 for internal authentication in |multi-clusters|.
 
 .. class:: hidden
 
    .. toctree::
       :titlesonly:
 
       /tutorial/multi-cluster-secure-tls
-      /tutorial/multi-cluster-secure-x509
-      /tutorial/multi-cluster-secure-internal-auth
+      /tutorial/multi-cluster-secure-client-connections
diff --git a/source/release-notes.txt b/source/release-notes.txt
@@ -34,7 +34,6 @@ Release Notes for |k8s-op-full|
    To learn how to upgrade your deployment, see
    :ref:`meko-upgrade-mdb-version`.
 
-
 MongoDB Resource
 ````````````````
 
@@ -56,6 +55,16 @@ MongoDBOpsManager Resource
   <spec.applicationDatabase>` to configure these
   parameters.
 
+MongoDB Multi-Cluster Resource
+``````````````````````````````
+
+Added support for :ref:`LDAP client authentication
+<multi-cluster-secure-ldap-auth>` and for
+:ref:`managing database users with LDAP <multi-cluster-capabilities>`
+to |multi-clusters|.
+Use the beta release of the |multi-clusters| only in development
+environments.
+
 .. _ent_op-1.16.1:
 
 |k8s-op-full| 1.16.1
diff --git a/source/tutorial/multi-cluster-secure-client-connections.txt b/source/tutorial/multi-cluster-secure-client-connections.txt
@@ -0,0 +1,35 @@
+:noprevnext:
+
+.. _multi-cluster-secure-client-connections:
+
+======================================================
+Secure Client Connections in Multi-Cluster Deployments
+======================================================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+:ref:`multi-cluster-secure-ldap-auth`
+  Configure |ldap| for client authentication in |multi-clusters|.
+
+:ref:`multi-cluster-secure-x509`
+  Configure X.509 for client authentication in |multi-clusters|.
+
+:ref:`multi-cluster-secure-internal-auth`
+  Configure |tls| and X.509 for internal authentication in
+  |multi-clusters|.
+
+.. class:: hidden
+
+   .. toctree::
+      :titlesonly:
+
+      /tutorial/multi-cluster-secure-ldap-auth
+      /tutorial/multi-cluster-secure-x509
+      /tutorial/multi-cluster-secure-internal-auth
+
diff --git a/source/tutorial/multi-cluster-secure-ldap-auth.txt b/source/tutorial/multi-cluster-secure-ldap-auth.txt
@@ -0,0 +1,44 @@
+:noprevnext:
+
+.. _multi-cluster-secure-ldap-auth:
+
+===================================================================
+Secure Client Authentication with LDAP in Multi-Cluster Deployments
+===================================================================
+
+.. include:: /includes/styles/corrections.rst
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 2
+   :class: singlecol
+
+.. include:: /includes/facts/ldap-intro.rst
+
+You can use the |k8s-op-short| to configure LDAP to authenticate your
+client applications that connect to your |multi-clusters|. This guide
+describes how to configure LDAP authentication from client applications
+to your |multi-clusters|.
+
+Considerations
+--------------
+
+.. include:: /includes/facts/ldap-considerations.rst
+
+General Prerequisites
+---------------------
+
+Before you secure your |multi-cluster| using |tls|
+encryption, complete the following tasks:
+
+- Follow the steps in the :ref:`Multi-Cluster Quick Start Prerequisites <multi-cluster-prereqs>`.
+- Deploy a multi-cluster using a :ref:`multi-cluster-quick-start-ref`.
+
+Configure LDAP Client Authentication for a Multi-Cluster Replica Set
+---------------------------------------------------------------------
+
+.. include:: /includes/steps/deploy-k8s-multi-cluster-replica-set-ldap.rst
+
diff --git a/source/tutorial/secure-ldap-auth.txt b/source/tutorial/secure-ldap-auth.txt
@@ -16,43 +16,19 @@ Secure Client Authentication with LDAP
    :depth: 2
    :class: singlecol
 
-`MongoDB Enterprise
-<http://www.mongodb.com/products/mongodb-enterprise?jmp=docs>`_
-supports proxying authentication requests to a Lightweight Directory
-Access Protocol (LDAP) service.
+.. include:: /includes/facts/ldap-intro.rst
 
 You can use the |k8s-op-short| to configure LDAP to authenticate your
 client applications that connect to your MongoDB deployments. This guide
-guide describes how to configure LDAP authentication from client
-applications to your MongoDB deployments.
+describes how to configure LDAP authentication from client applications
+to your MongoDB deployments.
 
 .. include:: /includes/admonitions/cannot-secure-standalone.rst
 
 Considerations
 --------------
 
-- Support for LDAP binding types. MongoDB Enterprise supports simple and
-  SASL binding to Lightweight Directory Access Protocol (LDAP) servers.
-  MongoDB Enterprise can bind to an LDAP server via ``saslauthd`` or
-  through the operating system libraries. To learn more,
-  see the :manual:`LDAP Proxy Authentication </core/security-ldap>` and
-  :manual:`LDAP Authorization </core/security-ldap-external>` sections
-  in the MongoDB Server documentation.
-
-- Ways of configuring LDAP in |k8s-crds|. To configure LDAP in the
-  |k8s-op-short|, use the parameters under the
-  :setting:`spec.security.authentication.ldap` and 
-  with other :ref:`security LDAP settings <security-settings>` specific
-  to the Agent, from the |k8s-op-short| MongoDB resource specification.
-  The procedures in this section describe the required settings and
-  provide examples of LDAP configuration.
-
-- Consider :ref:`configuring TLS <secure-tls>`. Encryption with |tls| is
-  optional. By default, |ldap| traffic is sent as plain text. This means
-  that username and password are exposed to network threats. Many modern
-  directory services, such as Microsoft Active Directory, require
-  encrypted connections. Consider using |ldap| over |tls-ssl| to encrypt
-  authentication requests in your |k8s-op-short| MongoDB deployments.
+.. include:: /includes/facts/ldap-considerations.rst
 
 General Prerequisites
 ---------------------
