Verify and add KMIP support
Activity

Tomislav Plavcic August 22, 2022 at 3:55 PM
There are several things here:
1. We cannot start mongods with "security.kmip.serverName" and "security.enableEncryption", because we seem to add "security.encryptionKeyFile" if encryption is enabled and vault is not used, so I'm hitting this error:
but I didn't specify encryptionKeyFile, seems to be added here: https://github.com/percona/percona-server-mongodb-operator/blob/main/pkg/apis/psmdb/v1/psmdb_types.go#L424-L459
2. In my test trial I have added kmip cert files to ssl-secret.yaml so that they are mounted to mongod containers and can be used by mongod, but we should probably specify some other secret for this.
3. In the PSMDB KMIP docs it says "To make KMIP master key rotation, make sure that every mongod has a unique --kmipKeyIdentifier value." and I'm currently not sure how to specify a unique one for every mongod, so it is a thing to consider.
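
The conflict described in item 1 of the comment above comes down to a default being injected without checking for KMIP. The following is an added sketch, not the operator's code: it works on a plain nested map, and `applyEncryptionDefaults`, `hasKeyManager`, `section` and the `defaultKeyFile` path are hypothetical names. It assumes Vault is detected through "security.vault.serverName", in the same way the comment uses "security.kmip.serverName".

```go
package main

import "fmt"

// defaultKeyFile is a placeholder path, not the operator's real default.
const defaultKeyFile = "/etc/mongodb-encryption/encryption-key"

// section returns the nested map stored at cfg[name], or nil if absent.
func section(cfg map[string]interface{}, name string) map[string]interface{} {
	m, _ := cfg[name].(map[string]interface{})
	return m
}

// hasKeyManager reports whether an external key manager (Vault or KMIP)
// is configured under the security section.
func hasKeyManager(sec map[string]interface{}) bool {
	for _, km := range []string{"vault", "kmip"} {
		if name, _ := section(sec, km)["serverName"].(string); name != "" {
			return true
		}
	}
	return false
}

// applyEncryptionDefaults adds security.encryptionKeyFile only when encryption
// is enabled, no key file is set, and neither Vault nor KMIP is configured.
// It returns true when the default was injected.
func applyEncryptionDefaults(cfg map[string]interface{}) bool {
	sec := section(cfg, "security")
	if sec == nil {
		return false
	}
	if on, _ := sec["enableEncryption"].(bool); !on {
		return false
	}
	if _, set := sec["encryptionKeyFile"]; set || hasKeyManager(sec) {
		return false
	}
	sec["encryptionKeyFile"] = defaultKeyFile
	return true
}

func main() {
	// Constructed sample: encryption enabled with a KMIP server configured.
	cfg := map[string]interface{}{"security": map[string]interface{}{
		"enableEncryption": true,
		"kmip":             map[string]interface{}{"serverName": "kmip.example.internal"},
	}}
	fmt.Println("key file injected:", applyEncryptionDefaults(cfg))
}
```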
Details
We have added support for KMIP in Percona Server for MongoDB. It is going to be in tech preview in the 4.4.13 release. Docs PR: https://github.com/percona/psmdb-docs/pull/509/files
We need to:
1. verify if Operator allows users to leverage the use of KMIP and assess the scope for engineering (if required)
2. document how to use KMIP