DEV Community: Arthur Germano

5 days to build the app, 1 month to publish it: I survived Google Play and I have proof

Arthur Germano — Mon, 09 Mar 2026 21:13:59 +0000

AI-assisted development really is a new era. Not hype — actual, measurable results. What used to require a team of three or four people — design, back-end, front-end, that one guy who knows Figma — one person can now deliver alone. As long as they have coffee. Coffee is non-negotiable.

I decided to take on a solo project. I chose Vue 3 because I genuinely believe it's the technology that fits best right now: organized, clean, with a learning curve that respects your time. Combined with Ionic to turn everything into a mobile app, the stack was lean and powerful. In 5 days, from flow conception to working code, the app was ready. Five days. I thought the hard part was over. I was wrong in a way that only hands-on experience can teach you.

Apple and the $100 that never had a chance

Before talking about Google Play, I need to mention the App Store, just to put it on record. Publishing on the App Store costs $99 per year. For a solo developer running an experimental project with no guarantee of return, that fee is simply a dealbreaker. For Brazilian developers specifically, the conversion rate turns it into a genuinely painful number. Noted. Moving on.

Google Play: the light at the end of the tunnel that turns out to be a train

Google Play charges a one-time registration fee of around $25. Reasonable for the challenge. I paid, uploaded the APK, and figured things would be live within a few days.

What I did not figure is that publishing an app on Google Play is the closest real-world equivalent of seeing the light at the end of the tunnel with every single step forward. You advance, you breathe, you think you made it — and then you realize it was the train. With another massive step. And a review that can take 3 to 7 business days. Per step. Of many.

From the moment I finished the app to the moment it was actually live in production: over a month. Thirty-something days staring at the Play Console dashboard like someone watching the sky and waiting for rain.

I have 15 years of experience and I almost couldn't find 12 testers

Part of the delay, I'll admit, is not Google's fault. I've been a developer for over 15 years. And when I leave the catacombs of my safe, quiet, air-conditioned environment, it's usually to grab coffee and return to the code. I don't have a large real-world network. My introverted nature has served my productivity well and my contact list poorly.

The uncomfortable detail is that Google Play requires a minimum of 12 real testers before allowing your app into production. Twelve actual people who need to install, open, and use the app for at least 14 consecutive days.

I had to go outside. Literally. I reached out to family members, friends, acquaintances, and people who never imagined they'd be beta testing a mobile app — and they showed up. In the end, I gathered 13 testers. One above the minimum. Considering my social interaction history, that is a personal record worth acknowledging.

Forms, versions, and more forms

When the testing period finally ended, I naively assumed it was just a matter of waiting for the final review. It was not. Two more weeks appeared, filled with forms, declarations, and one particularly memorable requirement: submit a new version of the app. Not a single line of code needed to change. Just the version number. 1.0 became 1.1, Google was satisfied, and I spent a quiet moment wondering what exactly had shifted in the universe.

What the project actually is, and what I learned beyond the code

The app itself is straightforward and, I'll admit, kind of fun: palm reading powered by artificial intelligence. You take a photo of your hand, the AI analyzes it, and delivers a reading. I built it because I thought it would be an interesting project to learn things that everyday CRUD work doesn't teach you.

And I did learn. I had to study how to write effective prompts — which is a real skill, not just a buzzword. I had to learn how to protect the API against attacks, which takes time but stays with you. And I built a result-sharing feature that makes the reading visually polished, ready to post on social media. Maybe it drives engagement, maybe it doesn't. Worth trying.

It's live

Today the app is available on Google Play. If you made it this far, you've already helped me more than you know. If you can install it, test it, and share it with someone who might find it interesting, every interaction genuinely matters — and I now know exactly how much work sits behind an app reaching a store.

Try it on Google Play

Before I forget: it speaks your language

The app is available in 10 languages — Portuguese, English, Spanish, Italian,
German, French, Chinese, Hindi, Japanese, and Esperanto. Yes, Esperanto.
Someone out there needs their palm read in a constructed language and I respect that.

Thanks for reading. Until next time.

From Spreadsheets to Steroids: The Function Point Counter Gets a Reboot

Arthur Germano — Tue, 03 Mar 2026 02:09:23 +0000

A couple of years ago I wrote about building a Function Point Counter — a project born out of genuine confusion and a stubborn desire to actually understand what I was doing. If you missed it, here it is:

Arthur Germano

Dec 28 '21

Function Point Counter

#management #function #point #svelte

Comments

3 min read

Go read it. I'll wait. =)

Well, time passed, things changed, and I rewrote the whole thing from scratch. Here's the story.

The AI Era is Real, and It's Glorious

Let me be upfront: working with AI is like coding on steroids. 💉 And I mean that in the best possible way — no side effects, no shrunken ego (well, maybe a little). As a regular programmer, I used to spend hours doing things that now take minutes. The kind of work that once required a senior team can now be tackled by one determined developer with good prompts and a cup of coffee.

I'm not saying AI does everything for you. It doesn't. But it does change your role. You stop being the guy who types every line and start being the manager-programmer — the senior one who knows what needs to be done, guides the process, reviews the output, and keeps everything on track. Honestly? I kind of love that version of myself.

Svelte... We Need to Talk =0

I'll say it plainly: Svelte was great. Was. In my humble opinion, somewhere along the way the Svelte team took a sharp left turn straight into React territory — and not the good parts of React. The reactivity model changed, and it became... ugh. Just ugh. I hate to say it because I genuinely loved Svelte. But here we are.

Enter Vue 3: The Comeback Kid \o/

Vue 3, on the other hand? Absolutely back on top. Easy, fun, productive — everything a frontend framework should be without making you feel like you're solving a philosophy exam. So the Function Point Counter was fully rewritten using Vue 3 and Vite, and honestly it's beautiful. The code is clean, the dev experience is smooth, and I haven't thrown my keyboard once. Success.

Now With Languages!

The new version comes with i18n language support — and here's where AI really showed its worth. Before, adding internationalization was a painful, tedious, soul-draining job. Now you just ask:

"Hey AI, could you please translate this to Portuguese?"

Ask nicely. Seriously. If AI ever rebels against humanity, it will remember who was polite. Don't risk it.

That said — don't get me wrong — it was still a lot of work. Managing translations, keeping things consistent, making sure nothing broke along the way. But the difference is that I was directing the work rather than doing all the grunt work myself. Big difference.

A Humble Request 🙏

If you made it this far, I'd love it if you gave the project a spin. Share it, test it, break it, use it — whatever works for you. The whole point of building this was for the community, so the community might as well enjoy it.

And if you liked it — if it saved you some time or made function points a little less terrifying — consider buying me a coffee via Stripe. It doesn't hurt to help, and it definitely helps me keep going. ☕

Same project, new era, better tools. Let's see what we can build next.

Creating Storagefy: A Framework-Agnostic Tool for Front-End State Persistence

Arthur Germano — Fri, 25 Apr 2025 15:20:45 +0000

In front-end application development, one of the biggest challenges is ensuring that the application state is correctly persisted across page reloads and user sessions. I encountered this problem while working on several projects, and that’s why I decided to create Storagefy, a framework-agnostic tool to synchronize state management libraries like Pinia, Redux, Zustand, and Svelte stores with browser storage mechanisms such as localStorage, sessionStorage, and IndexedDB.

The Challenge: State Persistence Across Different Frameworks

The first obstacle I encountered was the diversity of state management libraries in the JavaScript ecosystem. Redux, for example, handles state very differently compared to Pinia in Vue or Zustand in React. Each of these frameworks has its own peculiarities, and integrating them with browser storage mechanisms efficiently was an interesting challenge.

Storagefy was created to solve exactly that. The idea was to create a framework-agnostic solution that would be easy to integrate with any state management library and could use different storage adapters transparently. The solution I developed offers:

LocalStorageAdapter: To persist state across tabs and sessions.
SessionStorageAdapter: For temporary or sensitive data, persisted only during the tab session.
IndexedDBAdapter: For large or complex states, with asynchronous support.

In addition, I created adapters to facilitate integration with popular state management libraries such as Redux, Zustand, Jotai for React, Pinia for Vue, and Svelte stores, making state persistence easy to implement.

How Storagefy Works

Installing Storagefy is quick:

npm install storagefy

Data Encryption and Obfuscation

To ensure the security of data stored in Storagefy, I implemented an encryption layer using the AES-GCM algorithm. This makes it difficult to read or directly access the data, protecting it even if someone gains physical access to the browser storage.

The encryption is simple and efficient, using an AES key to encrypt JavaScript objects. When the data is stored, it is transformed into an encoded form (base64 or binary), making direct access and reading by unauthorized parties more difficult.

This approach ensures that even if the data is accessed, it cannot be easily interpreted without the encryption key, protecting user privacy and data integrity.

Development Challenges

While developing Storagefy, I faced technical challenges, especially with managing state across different browser tabs. One of the main difficulties was ensuring that state persistence didn’t interfere with reactivity, causing infinite loops between tabs.

The difficulties were even more noticeable with React, which presented greater complexity compared to Pinia or Svelte Stores. The updated solution in Storagefy resolves this automatically, updating values whenever they are reactive. It’s also possible to sync tabs using sessionStorage by simply configuring the adapter correctly. In other words, both localStorage, IndexedDB, and sessionStorage can be shared between tabs, and when synced, values are automatically updated in the store object.

Where to Find Storagefy

You can access the Storagefy project on GitHub and NPM:

Conclusion

Creating Storagefy was an interesting experience, as it allowed me to explore different state persistence techniques while also creating a solution that can be easily integrated into any framework. The goal of the project is not only to solve a technical problem but also to provide a useful tool for developers seeking to improve the user experience in their applications.

If you are dealing with state persistence in your front-end project, it's worth checking out Storagefy and considering how it can be useful for your case.

Accounting Overview - (Experience++)

Arthur Germano — Tue, 19 Nov 2024 21:10:39 +0000

Building a Complete PWA Application: An Experience Report

Developing a PWA (Progressive Web App) remains an interesting challenge, especially when I consider that it offers a more practical and accessible solution compared to the traditional model of app stores like Google Play and Apple Store. I don’t really understand why this technology doesn’t get more attention, as PWAs can be easily accessed from any mobile device, without the complexity of going through platforms—unless there are cases requiring more security or payment for downloading the app =).

Recently, I finished the alpha version of my project Accounting Overview, a tool focused on financial management. Although I initially started with Svelte, I decided to rewrite the app in Vue 3. Here’s a bit about my experience during this process, working with these technologies. If you like it or find it interesting, leave a like =)

Moleculer: An Amazing Framework

If you work with microservices in NodeJS, you’ve probably heard of Moleculer. This framework is, without exaggeration, amazing. It makes development easier, from security to full application control. While there’s a learning curve, once you overcome it, what it delivers is so impressive that it’s hard to describe everything here.

In addition to being extremely robust, Moleculer provides incredible tools that streamline the work and make the process more organized and efficient. I want to give a big shoutout to the creator of the project for their phenomenal contribution to the development community.

Svelte vs Vue 3: Why I Changed?

My first version used Svelte, as I mentioned in my previous article. The earlier versions—wow, what a framework! However, with the recent release of Svelte 5, I found that the reactivity lost its simplicity—and, in my opinion, became much worse!

It’s actually a shame, because what made it stand out was its simplicity, and now it’s become too similar to React.

When I switched to Vue 3, which I had programmed with on other occasions, I realized how robust and consistent it is, serving both small projects and complex applications well. Rewriting a good portion of the code was work, but it was worth the effort. Today, Accounting Overview is more stable, faster, and ready for future growth.

WebAuthn: Potential and Complexity

Implementing authentication with WebAuthn was, without a doubt, one of the biggest challenges during the development of Accounting Overview. Although the technology is excellent, it still lacks more accessible documentation and practical examples that make its application easier. This can cause confusion, especially for those trying to integrate it for the first time—like me =).

After an intense period of research and experimentation, I managed to set up the system reliably, ensuring security and providing a great user experience. To simplify and optimize this process, I developed a library NPM - Misc Helpers, available on NPM. This library not only offers some conveniences but also abstracts some of the complexities of WebAuthn integration, making it more accessible to explore this technology without facing so many initial barriers.

Donation System with Stripe

For monetization, I chose Stripe, implementing a donation system. While it’s relatively simple, I was surprised to learn that 55% of the donations would go to the platform—based on my initial tests 😁. Still, the system works perfectly, and I hope it helps keep the project active. (What’s five bucks, folks? Donate and let’s go!)

Internationalization: 10 Languages Available

From the beginning, I wanted to make Accounting Overview accessible to a global audience. That’s why the app was launched in 10 languages. If you can share it, it would be a huge help in reaching more people!

Here are the languages available as of this article:

English (USA)
Portuguese (Brazil)
Italian (Italy)
Spanish (Spain)
French (France)
German (Germany)
Esperanto (Esperanto)
Chinese (China)
Japanese (Japan)
Hindi (India)

By any chance, does anyone know a cool way to promote this to other languages? It would be great to get feedback from someone who speaks Japanese, Chinese, or Hindi.

Why Did I Create This Project?

This is a free project, focused on showcasing practical skills and building my portfolio. I’ve also created other libraries and projects, such as Function Point Counter, which I describe in more detail in this article.

How You Can Help?

This project has costs to maintain, and I don’t charge anything—just remember that I’ll continue to add more features over time, so any form of support is welcome!

Whether by sharing it with friends, commenting, or even leaving a small Tip/☕, it would be greatly appreciated.

Additionally, I’m looking for freelance projects to supplement my income—if you need someone for work outside of business hours, feel free to reach out.

Leave your like, suggestion, or comment. Every piece of feedback is very valuable. Let’s create connections and share ideas. God bless you! 😊

SPA-Storage a Plugin for Svelte and Pinia Browser Storage

Arthur Germano — Tue, 19 Jul 2022 18:11:01 +0000

Hello World.. Development is full of reusable code and when ideias become good, that ideia become reusable.

With this in mind I have been using in some of my projects a plugin that I developed that really help me. The ability to save and retrieve information in the storage.

Despite the fact it is very simple to do it in Svelte and Pinia, I have enhanced a little to facilitate my interaction with the stores and relieve myself of rewriting the same code over and over again.

Now I pushed to an npm repository to help everyone and myself to just import and install it.

NPM — SPA-STORAGE

The Plugin

The installation is very easy and it is just a npm command away.

npm install spa-storage

After that you can import it and set some options as well choose if you want interact with Storage or Forage.

An example of options being set — really ease!
The options in the above example set to use the Forage of the Browsers, as well the encrypting the information. This is a simple encription that anyone can break, it is only to scramble the information in the browser.
No Encription
With Encription

The Usage

It works with Svelte and Pinia — this second is for VueJS.

Svelte Usage

Example of the value being set in the storage
Now retrieving the information, most common case is the first load of the application.
Example of retrieval of information

Pinia Usage

Pinia is a little bit different from Svelte

Conclusion

And that is it.. I just wanted to write this simple article to demonstrate this plugin.

For more information you can go to the NPM repository.

Other Projects

Finance Notes: Click to see this project made with Svelte and Framework7.

Function Point Counter: Click to see this project made entirely with Svelte.

Svelte-Client-Router: Click to see this router that is really ease to use with SPA Svelte Projects.

Function Point Counter

Arthur Germano — Tue, 28 Dec 2021 21:23:49 +0000

A PWA made with Svelte to help you to count function points of your projects!

Photo by Brands&People on Unsplash

To count function points is tricky. I have been requested to count function points earlier this year and I had no idea how to do it. I was helped to fill the created spreadsheet and there it was.. the function point count for my project.
But how is this done ? What is the concepts behind it ?

So I have decided to create in my spare time a project to kind of explain the concepts and make the function point count for me. Well not just for me.. to everyone that may be interested in that stuff.

In order to create and finish this project I had to study function points and this process lead me to learn the concepts. I find it one of the best ways to learn something.

What is Function Point?

Function Point Analysis (FPA) is a sizing measure of clear business significance. First made public by Allan Albrecht of IBM in 1979, the FPA technique quantifies the functions contained within software in terms that are meaningful to the software users. The measure relates directly to the business requirements that the software is intended to address. It can therefore be readily applied across a wide range of development environments and throughout the life of a development project, from early requirements definition to full operational use. Other business measures, such as the productivity of the development process and the cost per unit to support the software, can also be readily derived.The function point measure itself is derived in a number of stages. Using a standardized set of basic criteria, each of the business functions is a numeric index according to its type and complexity. These indices are totaled to give an initial measure of size which is then normalized by incorporating a number of factors relating to the software as a whole. The end result is a single number called the Function Point index which measures the size and complexity of the software product.

In summary, the function point technique provides an objective, comparative measure that assists in the evaluation, planning, management and control of software production.

https://www.ifpug.org/about-function-point-analysis/?lang=en

I have followed the - IFPUG − ISO/IEC 20926:2009 Software and systems engineering - Software measurement - IFPUG functional size measurement method.

Most part of it anyway. Some parts may not follow the ISO so I don't want to say I follow all the way.

The Svelte, The PWA and The Project

Svelte is a great technology it is a compiler and in my humble opinion better than Vue and any other frontend framework out there. I have worked with it in other projects and so far it has not disappointed me. So I trully recommend it.

The PWA part is something cool, it enables a website to become an app. No web stores, no burocracy at least not for the user, you can easilly install and uninstall no worries.

The project uses Svelte with the PWA approach because I think that PWA is worth to be spread and encouraged.

Try It!

Check the project at https://functionpointcounter.com

Other Projects

SCR - Svelte Client Router

GIT: https://github.com/arthurgermano/svelte-client-router
NPM: https://www.npmjs.com/package/svelte-client-router
Test it: https://arthurgermano.github.io/svelte-client-router/#/svelte-client-router

Finance Notes PWA App

So almost one year later I started and like I said almost giving up. I finished the project. Spend some money hiring a VPN server. Had to learn a lot to configure and secure it.
If you want to see it visit
Finance Notes App

That is It!

If you liked the project or want to send comments, suggestions and, above all, point out improvements and errors found, please contact me. See my LinkedIn profile at the bottom of project page.

Svelte Router - A Proposal

Arthur Germano — Thu, 13 May 2021 18:16:25 +0000

Photo by Matt Duncan on Unsplash

Hi.. I am using Svelte for quite a while now. I think it is a pretty sweet compiler for front-end.

But why do I decided to write a Router ?

Because until now I didn’t find a router to attend to specific need. Well not a router embedded inside a framework like the Framework7.

Don’t get me wrong, Framework7 is awesome too, but what if I just want a router not an entire framework.

So.. What Should a Router do ?

That is an important question and all the routers I saw, until now, doesn’t give me the control that I need. They are great routers, but let’s face it what is important for a router to do.

One can say routing.. of course — but is a little more than that.

It has to control the routing and:

If it should route to a route;
What to do before enter each route;
What to do before enter that specific route;
What to do when it is allowed to enter that route;
Allow we to control all that above behavior in a easy way;
And last but not least — access to everything everywhere!

This is what I think a route should deliver. Kind of what VueRouter delivers to us.

VueRouter is great and works like a charm.. so why shouldn’t Svelte have a great router too ?

As I said that Svelte does have good routers however I personally don’t like routes based on structure. I like routers to give me the choice to do what I want to do when I want to do.

SCR — Svelte Client Router — The Proposal

Who Am I to create a router right? I know my limitations I am not the wisest guy around, but I try to do my best =).

That’s why I came with this proposal — I have created a router for Svelte that does exactly what I think it should do.

ta-daaa! A lot of work =D

The key concept of this router is allow us to control the behavior before enter a route. So we can set:

-Global Before Enter Functions: To execute a function or array of functions to each route — Applied to all routes;
-Route Before Enter Functions: To execute a function or array of functions to a single route — Applied to a single route;
-Ignore Global Enter Functions: To just ignore Global Before Enter functions on a single route — Applied to a single route;
-Revert Order Of Execution: To execute Route Before Functions Before Global Before Functions;

Of course it offers more than just that.. but it is focused on deliver that!

With this router you will be able to control every aspect of routing, passing information forward throughout Before Enter Functions and After Before Enter Functions and receiving it in all components.

One of the cooliest things is that every param, variable defined will be delivered in all places — functions, components, etc, as soon as possible.

That means if you define a parameter inside of a Before Enter Function it will be delivered in the next one until the end, plus it will be delivered in your components.

Why is this nice, one can ask?

Because I can control the behavior of routing and even alter as soon as I want to.

Ah.. I almost forget you can set loading components to it — Global and Per Route too!

As soon as Before Enter Functions kicks in it will show a loading component if the loading take time enough.

Try It — Test It — Documentation

Yes, It is in its early stages however I think it is awesome!

SCR - Svelte Client Router - Documentation

NPM Package

SCR - Svelte Client Router - Package

See on Github

SCR - Svelte Client Router - Code

Motivation

I have worked with a little personal project and Svelte is really wonderful. I missed one thing in Svelte Community though, a good not embedded router.

So here it my proposal. Please check out — test it and let me know your thoughts. =)

Finance Notes Project

If you want to check out my personal project..

Finance Notes Project — PWA

Finance Notes Project

My Experience Building a PWA App with Svelte JS

Cheers!

My Experience Building a PWA App with Svelte JS

Arthur Germano — Wed, 28 Apr 2021 22:15:30 +0000

App built with SvelteJS

Hi, I would like to share a few words of what was my experience building an front-end application with SvelteJS. And a spoiler alert… was awesome!

Motivation

The decision of building the app was smooth, I always wanted to create something that was not related to my work, something only mine. However with our routines and work we not always can.

My daily routine was go to work, do some workout on the gym, maybe go to the groceries shop and by the time I got home I need to plan and prepare everything for the next day and finally when I stop the day is over and I don’t want to get near of a screen.

But since the covid, things have changed, I started to work from home and all of the sudden I had time to do some personal project.

So what to do? There are so many apps developed that seem that all the ideas in the world are implemented already.

Since is my first project, by my self — for my self, I did an app to help me control and maintain my finances. I confess that I already use one, but I was displeased with some features and I thought.. hey maybe I can do it better =).

So I have the project, I know what I need and want.. so let’s start it. So I did. Since I had more time I started to work after my real job, and since I stopped to go to the gym — because of covid =( — I had a couple of hours in the day to do it.

The Project — Finance Notes PWA — WebApp

I started small by choosing which frameworks to use, planning which technologies to pick for the back-end and it took me almost a month to define and choose what to use.

In this time I did some mock-ups, a little bit of testing, asked for some opinions in this time to make sure I was making the right decisions, not that is the right way but I needed to feel confident enough that my choices would not backfire.

So I ended up with the following technologies:

Technologies used in the project

I will not describe all the technologies but mainly SvelteJS. The other technologies were indeed the right choices.

I really liked how Fastify worked. My first experience with it was not so great because I tried it in 2019 or 2018 or earlier I don’t remember but it was not OK.. a lot of issues and some features were complicated to make work. But now I truly recommend it. For monolith projects like this one that not justify microservices it is really fast.

PWA was a challenge for me. I did an udemy course a long time ago and I confess I didn’t remember much. I really liked PWA it makes all in one nicelly. Not having to publish in some store is nice. But still understand the concepts it is a little bit challenging.

There is plenty of documentation on the internet but mostly do not work well at first or it is out of date. If you want to implement PWA it is crucial to understand its flow. Understand that and you will be just fine! Good look with service-workers =).

Just a reminder: to make PWA work we have to go HTTPS! But nowadays we have Let’s Encrypt — really easy to start using our new generated certificates! — It took me a while to figure it out, but seriously it is not that difficult =)

All the other technologies are amazing and really fun to work with. All of them delivers what is promised, Jaeger, Docker, MongoDB, Redis and of course NodeJS.

I had to study and learn a lot for this project to work and I almost gave up. The technology area is overwhelming. To keep up with all of it we have to study in a everyday basis.

SvelteJS

The great star, in my opinion, is SvelteJS. I have worked with VueJS and it is really nice too. I did not worked with AngularJS or React and I didn’t want to.

Why not ?

Well, first AngularJS remember for me Java. We have a thousand configuration files just to start with it. I don’t like that. We spend a lot of time to do it.

React in the other hand seems a little bit nicer but we have to write a lot of code just to get things done to. It is like VueJS. A lot of places repeating myself makes coding a little tiring and boring.

Anyway it is just my opinion and my experience with this technologies.

Now SvelteJS is easy, fast and coding with it is really really nice. It so well made, its store works wonderfully.

It is productive, much much more productive than VueJS, I declare it once and reuse in any other place — I don’t have to tell to the file that I want to use and declare it in two thousand different places I just import what I want. With all of its features seems we are just using plain javascript in the end.

The animations, properties anything you can think of just works! So here it is my applause. Coding with SvelteJS I guarantee it is really nice and fun!

One last thing the code written is kept organized! Yes. I don’t have a file with a thousand lines. No. The other technologies are good but SvelteJS is better in that way too.

If I can say something that I found difficult about SvelteJS is that there is a lot of good frameworks or libraries supporting it. Framework7 came to the rescue for that.

When I started the project there weren’t good SPA routers. Because I have chosen to go SPA not using SSR. So I chose to use Framework7 which is a great framework. Anything you need it can provide and help me a lot during the project. I truly recommend it!

In my experience less is better. Since Framework7 was practically doing a lot things for me it was OK to use it. But I don’t like to use a whole framework and just focus on the little things using just what I need.

Since I really liked to work with SvelteJS I decided to create a router for it. I don’t know if it is perfect to use yet. But it reunites everything I think that a router should have!

SCR — Svelte Client Router

GIT: https://github.com/arthurgermano/svelte-client-router

NPM: https://www.npmjs.com/package/svelte-client-router

Test it: https://arthurgermano.github.io/svelte-client-router/#/svelte-client-router

Finance Notes PWA App

So almost one year later I started and like I said almost giving up. I finished the project. Spend some money hiring a VPN server. Had to learn a lot to configure and secure it.

If you want to see it visit:

Finance Notes

And that is it! Thanks for reading =)

Tutorial — Configuring a Local MongoDB-Docker ReplicaSet with 3Nodes and TLS.

Arthur Germano — Tue, 16 Feb 2021 16:44:30 +0000

And yes… All easy with shell scripts (Linux) and ready to run! ;)!

Hi there.. This is my very first article! I am excited about it.

The development is a difficult area, specially because we have to know everything, literally. Since new technologies up to new business rules. In my belief who works with code, programming, configuring servers, databases, front-ends, back-ends are the today’s magicians of a RPG game.

Anyway, let’s start talking about the important stuff. I intend to explain how I did configure a MongoDB ReplicaSet with 3 nodes in Docker Containers. In the next lines I will deliver a shell script to create ALL the certificates, CA, Server and Client to connect, as the docker compose file. Plus you can grab and customize it at your will and risk.

If you didn’t understand anything from the last phrase above.. well you need to start studying because your path is long my friend.

First things first, an image to help us visualize the configuration settings of what we will be accomplishing.

created with https://app.diagrams.net/

The docker-compose.yml file

So we have to create the following docker-compose file, all the explanation is in its comments section by section:

# docker-compose yml file 
# docker version must be compatible with your running docker version # for more info see https://docs.docker.com/compose/compose-file/compose-versioning/
# Don't forget to use only spaces to indent ok!
version: "3.9"
services:
  # The container mongo_node_1 configurations #############
  mongo_node_1:
    container_name: mongo_node_1
    hostname: mongo_node_1
    # the image from the docker-hub repository
    image: "mongo"
    # mongo uses port 27017 to change see more info https://hub.docker.com/_/mongo
    expose:
      - "27017"
    # here comes the interesting part, with volumes we can easily insert all the configuration that we need!
    volumes:
      # This volume will hold the database information, what you save, your collections, documents, etc. Since we have 3 nodes we need three places which will hold information this is the first one
      - /path/to/your/OS/folder/data/node_1:/data/db
      # This volume will hold the Server Certificate file which will be signed by the CA and will make work TLS - The shell script create all the folders inside ssl just need to run the script!
      - /path/to/your/OS/folder/ssl/node_1:/data/ssl
      # This volume will hold this node cluster configuration! Each node has it's own configuration and differences, but to simplify things I just created ONE configuration to dominate them ALL =D! The file is the cluster.conf 
      - /path/to/your/OS/folder/config:/data/config
    # always restart right.. keep it alive!
    restart: always
    # entrypoint will execute a command inside the container as soon as it starts. So basically we are saying run mongo database with this file configuration settings. Note that the cluster.conf is inside the volume folder set in the volume section. Since it is mapped inside the container we don't need to copy any files (nice and slender!)
    entrypoint: ["/usr/bin/mongod", "--config", "/data/config/cluster.conf"]
    # setting the inside network 
    networks:
      # the name of the below configured network we have to belong to it
      my_network:
        # we have to specify a FIXED IP - this IP will be use after
        ipv4_address: 170.17.5.5

# This works like MAGIC - this allows us to connect inside the network "my_network" FROM THE HOST - because we are creating a closed network we would have to configure a DNS server only to reach it. So very complicated. This option make it easy for us! Check your ip address with ifconfig in Linux and REPLACE "(YOUR MACHINE/SERVER IP)"
    extra_hosts:
      - "localhost:(YOUR MACHINE/SERVER IP)"
    # mongo images use this variables inside the container and they are very helpful. Set the username and password of the Database. We are going to have to configure it by hand anyway but it's nice to have it there
    environment:
      MONGO_INITDB_ROOT_USERNAME: mdb_admin
      MONGO_INITDB_ROOT_PASSWORD: mdb_pass
  # The container mongo_node_2 configurations #############
  mongo_node_2:
    container_name: mongo_node_2
    hostname: mongo_node_2
    # the image from the docker-hub repository
    image: "mongo"
    # mongo uses port 27017 to change see more info https://hub.docker.com/_/mongo
    expose:
      - "27017"
    # here comes the interesting part, with volumes we can easily insert all the configuration that we need!
    volumes:
      # This volume will hold the database information, what you save, your collections, documents, etc. Since we have 3 nodes we need three places which will hold information this is the second one
      - /path/to/your/OS/folder/data/node_2:/data/db
      # This volume will hold the Server Certificate file which will be signed by the CA and will make work TLS - The shell script create all the folders inside ssl just need to run the script!
      - /path/to/your/OS/folder/ssl/node_2:/data/ssl
      # This volume will hold this node cluster configuration! Each node has it's own configuration and differences, but to simplify things I just created ONE configuration to dominate them ALL =D! The file in the cluster.conf 
      - /path/to/your/OS/folder/config:/data/config
    # always restart right.. keep it alive!
    restart: always
    # entrypoint will execute a command inside the container as soon as it starts. So basically we are saying run mongo database with this file configuration settings. Note that the cluster.conf is inside the volume folder set in the volume section. Since it is mapped inside the container we don't need to copy any files (nice and slender!)
    entrypoint: ["/usr/bin/mongod", "--config", "/data/config/cluster.conf"]
    # setting the inside network 
    networks:
    # the name of the below configured network we have to belong to it
      my_network:
        # we have to specify a FIXED IP - this IP will be use after
        ipv4_address: 170.17.5.6
# This works like MAGIC - this allows us to connect inside the network "my_network" FROM THE HOST - because we are creating a closed network we would have to configure a DNS server only to reach it. So very complicated. This option make it easy for us! Check your ip address with ifconfig in Linux and REPLACE "(YOUR MACHINE/SERVER IP)"
    extra_hosts:
      - "localhost:(YOUR MACHINE/SERVER IP)"
    # mongo images use this variables inside the container and they are very helpful. Set the username and password of the Database. We are going to have to configure it by hand anyway but it's nice to have it there
    environment:
      MONGO_INITDB_ROOT_USERNAME: mdb_admin
      MONGO_INITDB_ROOT_PASSWORD: mdb_pass
  # The container mongo_node_arbiter configurations #############
  mongo_node_arbiter:
    container_name: mongo_node_arbiter
    hostname: mongo_node_arbiter
    # the image from the docker-hub repository
    image: "mongo"
    # mongo uses port 27017 to change see more info https://hub.docker.com/_/mongo
    expose:
      - "27017"
    # here comes the interesting part, with volumes we can easily insert all the configuration that we need!
    volumes:
      # This volume will hold the database information, what you save, your collections, documents, etc. Since we have 3 nodes we need three places which will hold information this is the third one and the arbiter only chooses which node is primary or secondary
      - /path/to/your/OS/folder/data/node_arbiter:/data/db
      # This volume will hold the Server Certificate file which will be signed by the CA and will make work TLS - The shell script create all the folders inside ssl just need to run the script!
      - /path/to/your/OS/folder/ssl/node_arbiter:/data/ssl
      # This volume will hold this node cluster configuration! Each node has it's own configuration and differences, but to simplify things I just created ONE configuration to dominate them ALL =D! The file in the cluster.conf 
      - /path/to/your/OS/folder/config:/data/config
    # always restart right.. keep it alive!
    restart: always
    # entrypoint will execute a command inside the container as soon as it starts. So basically we are saying run mongo database with this file configuration settings. Note that the cluster.conf is inside the volume folder set in the volume section. Since it is mapped inside the container we don't need to copy any files (nice and slender!)
    entrypoint: ["/usr/bin/mongod", "--config", "/data/config/cluster.conf"]
    # setting the inside network 
    networks:
      # the name of the below configured network we have to belong to it
      my_network:
        # we have to specify a FIXED IP - this IP will be use after
        ipv4_address: 170.17.5.7
# This works like MAGIC - this allows us to connect inside the network "my_network" FROM THE HOST - because we are creating a closed network we would have to configure a DNS server only to reach it. So very complicated. This option make it easy for us! Check your ip address with ifconfig in Linux and REPLACE "(YOUR MACHINE/SERVER IP)"
    extra_hosts:
      - "localhost:(YOUR MACHINE/SERVER IP)"
    # mongo images use this variables inside the container and they are very helpful. Set the username and password of the Database. We are going to have to configure it by hand anyway but it's nice to have it there
    environment:
      MONGO_INITDB_ROOT_USERNAME: mdb_admin
      MONGO_INITDB_ROOT_PASSWORD: mdb_pass
# Finally we create our network. And WE HAVE to create it. Docker only allows us to set IP address for custom networks so here we go
networks:
  # this is your custom network NAME inside this file 
  my_network:
    # this name is the docker network name outside. We can check it with docker network inspect my_network_default  
    name: my_network_default
    # here we configure the driver bridge is default, and set the network specifics
    ipam: 
      driver: default
      config:
        - subnet: 170.17.0.0/16
          ip_range: 170.17.0.0/16
          gateway: 170.17.5.254
# THE END

Wow.. this is a huge, easy to get lost docker-compose.yml file. I will not be able to explain everything, but if you copy that, create a file named docker-compose.yml inside a folder, paste it, and then open with your linux terminal that folder and run the following command:

# what this command does is.. it starts docker-compose.yml
# removes any possible previous set containers created
# forces to recreate all container inside the docker-compose.yml
# and for last... renew the volumes - DOES NOT recreate it,  just renew it's inside volumes
docker-compose up --remove-orphans --force-recreate --renew-anon-volumes

Of course it will throw an error:

the minimum we can do is try!

But the first part it okay! If you had any doubt about what each section of the file means, please read the comments inside the file. And an important note we will always run the docker-compose-yml with that command.

The Cluster.conf file

So.. let’s move on to the next part. We have to configure each node with its own configuration. But, if you read the comments, I have created only one file config to make our lives easier.
To do that create a folder named “config” in the same folder where the docker-compose lies. Create a file name cluster.conf with the following content:

storage:
  dbPath: /data/db
replication:
  replSetName: my_mdb_rs
  enableMajorityReadConcern: true
net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    CAFile: /data/ssl/mdb_root_CA.crt
    certificateKeyFile: /data/ssl/mdb_nodes_keycert.pem
    certificateKeyFilePassword: mdb_my_custom_passphrase_security
    clusterFile: /data/ssl/mdb_nodes_keycert.pem
    clusterPassword: mdb_my_custom_passphrase_security
    allowInvalidCertificates: true
    allowInvalidHostnames: true
security:
  authorization: enabled
  clusterAuthMode: x509

Let’s review each section:

storage > dbPath: is where you set the volume data inside the docker-compose.yml file
replication > replSetName: this is the Mongo Replica Set name we will use it in several places
replication > enableMajorityReadConcern: it is not a must have config, but it is nice to enable it
net > port: the node configuration port, must be the same of the docker-compose.yml file. We didn’t specify one directly because 27017 is the default port of mongo DB
net > bindIpAll: the node IP. But since we are using the same file for all nodes and each node has it own IP we need to bind any IP that tries to connect.
net > tls > mode: Here we can have some options and we are choosing the most restrict one.
net > tls > CAFile: The certificate authority file. The location where the file lies inside the container. For that each node has it’s volume and we have configured each volume inside the docker-compose.yml.
net > tls > certificateKeyFile: This node server certificate file. The location where the file lies inside the container. For that each node has it’s volume and we have configured each volume inside the docker-compose.yml.
net > tls > certificateKeyFilePassword: This node password server certificate file. I have create the same password for each file and this is not a recommended thing to do.
net > tls > clusterFile: Since we create a cluster and each node has it’s own certificate we can connect to the cluster with them. The location where the file lies inside the container. For that each node has it’s volume and we have configured each volume inside the docker-compose.yml.
net > tls > clusterFilePassword: Cluster password certificate file. I have create the same password for each file and this is not a recommended thing to do.
net > tls > allowInvalidCertificates: Allows us to connect with self-signed certificates. (It isn’t a safe production measure, so use with caution)
net > tls > allowInvalidHostnames: We don’t have valid host names so we by pass using this option. (It isn’t a safe production measure, so use with caution)
security > authorization: Enable authorization on mongoDB
security > clusterAuthMode: There are some options here, the cool and easiest one is with keyfile. But we are using a little bit more secure. ### Important Note

I wrote above and I will repeat it here, the “CAFile”, “certificateKeyFile” and “clusterFile” are mapped in the docker-compose.yml file. So we have created a folder and inside of it the docker-compose-yml and a folder named “config” folder with our “cluster.conf” file inside this last one right ? So our volume section of each node inside the docker-compose-yml file must point to this very created “config” folder. Put the absolute path to be sure!

- /path/to/your/OS/folder/config:/data/config

The Certificate Mess — Made Easy Peasy

Part One — Shell Script

Who doesn’t struggle with certificates ?

They are difficult to understand, in a way, so to make things easy.. very very easy. I have created an shell script to create all this things for us. Yes .. you and I.
What this script does, and which I have make my best efforts to create for the past week in my spare time, is to create the Certificate Authority Files, all the three nodes server certificate files, and the client certificate files to connect from your application like an NodeJS application or MongoCompass.

Without it we would have to execute several commands in the linux terminal and make sure that all of them are correct and with the right information in the right spot. It is A LOT to process.

Enough talk.. let’s see this shell script. For that, create a folder where the docker-compose-yml lies named “ssl”. After this step create a file inside this ssl folder named generateSSLCerts.sh. Remember to give execute permission to this file!

And just to get ahead create another folder named “confs” inside ssl folder as well.

On MAC there some issues with LibreSSL lib, and when running the script make sure that the command line is in the script folder, the script does not work if the path is relative.

#!/bin/sh
TXT_LOG=" ----- "
CONFS_FILES_DIR="./confs/"
# the paths must match in docker-compose.yml file
# must match the file name of cluster.conf
MDB_NODE1_DIR="node_1"
MDB_NODE1_KEY="mdb_node_1.key"
MDB_NODE1_CSR="mdb_node_1.csr"
MDB_NODE1_CRT="mdb_node_1.crt"
MDB_NODE1_CNF="${CONFS_FILES_DIR}mdb_node1_CN.cnf"
# the paths must match in docker-compose.yml file
# must match the file name of cluster.conf
MDB_NODE2_DIR="node_2"
MDB_NODE2_KEY="mdb_node_2.key"
MDB_NODE2_CSR="mdb_node_2.csr"
MDB_NODE2_CRT="mdb_node_2.crt"
MDB_NODE2_CNF="${CONFS_FILES_DIR}mdb_node2_CN.cnf"
# the paths must match in docker-compose.yml file
# must match the file name of cluster.conf
MDB_NODE_ARB_DIR="node_arbiter"
MDB_NODE_ARB_KEY="mdb_node_arbiter.key"
MDB_NODE_ARB_CSR="mdb_node_arbiter.csr"
MDB_NODE_ARB_CRT="mdb_node_arbiter.crt"
MDB_NODE_ARB_CNF="${CONFS_FILES_DIR}mdb_node_arbiter_CN.cnf"
# must match the file name of cluster.conf
MDB_CA_DIR="CA"
MDB_CA_KEY="mdb_root_CA.key"
MDB_CA_CRT="mdb_root_CA.crt"
MDB_CA_SRL="mdb_root_CA.srl"
MDB_CA_CNF="${CONFS_FILES_DIR}mdb_root_CA.cnf"
MDB_PASS_PHRASE_CA="mdb_my_custom_passphrase_security"
# must match the file name of cluster.conf
MDB_FINAL_KEYCERT_PEM="mdb_nodes_keycert.pem"
MDB_CLIENT_DIR="serverclient"
MDB_CLIENT_KEY="mdb_client.key"
MDB_CLIENT_CSR="mdb_client.csr"
MDB_CLIENT_CRT="mdb_client.crt"
MDB_CLIENT_PEM="mdb_client.pem"
MDB_CLIENT_CN_CNF="${CONFS_FILES_DIR}mdb_client_CN.cnf"
# param order
# DIR         ----- $1 - $X_DIR
# FILE        ----- $2 - $FILEVAR_NAME
move_files() {
mkdir $1 2> /dev/null
printf "Moving $2 to ./$1/$2 $TXT_LOG \n"
mv ./$2 ./$1/$2
}
# param order
# DIR         ----- $1 - $X_DIR
# FILE        ----- $2 - $FILEVAR_NAME
copy_files() {
mkdir $1 2> /dev/null
printf "Copying $2 to ./$1/$2 $TXT_LOG \n"
cp ./$2 ./$1/$2
}
# param order
# DIR         ----- $1 - $MDB_NODEX_DIR
# NODE .key file  ----- $2 - $MDB_NODEX_KEY
# NODE .csr file  ----- $3 - $MDB_NODEX_CSR
# NODE .cnf file  ----- $4 - $MDB_NODEX_CNF
# MDB CA .crt file  ----- $5 - $MDB_CA_CRT
# MDB CA .key file  ----- $6 - $MDB_CA_KEY
# NODE .crt file  ----- $7 - $MDB_NODEX_CRT
gen_node_keycerts(){
printf "\nSTARTING $1 Certificates $TXT_LOG \n"
mkdir $1 2> /dev/null
printf "Generating $1 - KEY and CSR files $TXT_LOG\n"
openssl genrsa -des3 -out $2 -passout pass:"$MDB_PASS_PHRASE_CA" 4096
printf "\nGenerating $1 - CRT file $TXT_LOG\n"
openssl req -new -config $4 -key $2 -passin pass:"$MDB_PASS_PHRASE_CA" -out $3 -config $4
openssl x509 -req -days 365 -in $3 -CA $5 -CAkey $6 -CAcreateserial -passin pass:"$MDB_PASS_PHRASE_CA" -out $7
printf "\nGenerating $1 - PEM file $TXT_LOG\n"
cat $2 $7 > $MDB_FINAL_KEYCERT_PEM
move_files $1 $2
move_files $1 $3
move_files $1 $7
move_files $1 $MDB_FINAL_KEYCERT_PEM
copy_files $1 $5
printf "\nFINISHED $1 $TXT_LOG\n"
}
openssl rand -writerand .rnd
printf "STARTING SCRIPT $TXT_LOG\n\n"
openssl genrsa -des3 -out $MDB_CA_KEY -passout pass:"$MDB_PASS_PHRASE_CA" 4096
printf "Root CA key OK $TXT_LOG \n"
openssl req -x509 -new -key $MDB_CA_KEY -sha256 -passin pass:"$MDB_PASS_PHRASE_CA" -days 720 -out $MDB_CA_CRT -config $MDB_CA_CNF
printf "Root CA crt OK $TXT_LOG \n"
printf "FINISHED CA CERTIFICATE $TXT_LOG \n"
gen_node_keycerts $MDB_NODE1_DIR $MDB_NODE1_KEY $MDB_NODE1_CSR $MDB_NODE1_CNF $MDB_CA_CRT $MDB_CA_KEY $MDB_NODE1_CRT
gen_node_keycerts $MDB_NODE2_DIR $MDB_NODE2_KEY $MDB_NODE2_CSR $MDB_NODE2_CNF $MDB_CA_CRT $MDB_CA_KEY $MDB_NODE2_CRT
gen_node_keycerts $MDB_NODE_ARB_DIR $MDB_NODE_ARB_KEY $MDB_NODE_ARB_CSR $MDB_NODE_ARB_CNF $MDB_CA_CRT $MDB_CA_KEY $MDB_NODE_ARB_CRT
printf "Generating client access certificates key and cert $TXT_LOG \n"
openssl req -new -out $MDB_CLIENT_CSR -keyout $MDB_CLIENT_KEY -passout pass:"$MDB_PASS_PHRASE_CA" -config $MDB_CLIENT_CN_CNF
printf "Signing client access certificates $TXT_LOG \n"
openssl x509 -req -in $MDB_CLIENT_CSR -CA $MDB_CA_CRT -CAkey $MDB_CA_KEY -passin pass:"$MDB_PASS_PHRASE_CA" -out $MDB_CLIENT_CRT
printf "Generating client PEM file $TXT_LOG \n"
cat $MDB_CLIENT_KEY $MDB_CLIENT_CRT > $MDB_CLIENT_PEM
move_files $MDB_CLIENT_DIR $MDB_CLIENT_CSR
move_files $MDB_CLIENT_DIR $MDB_CLIENT_KEY
move_files $MDB_CLIENT_DIR $MDB_CLIENT_CRT
move_files $MDB_CLIENT_DIR $MDB_CLIENT_PEM
copy_files $MDB_CLIENT_DIR $MDB_CA_CRT
move_files $MDB_CA_DIR $MDB_CA_KEY
move_files $MDB_CA_DIR $MDB_CA_CRT
move_files $MDB_CA_DIR $MDB_CA_SRL
printf "FINISHED $1 $TXT_LOG\n"

This is a pretty long script file. I will not explain what it does step-by-step. What you have to know is the following things:

MDB_PASS_PHRASE_CA=”mdb_my_custom_passphrase_security” — This variable holds the password configured inside the cluster.conf file. We use the same password for everything and it is not a recommended thing to do! If you want you can set your own custom password, but keep in mind that you have to change it in the cluster.conf file and when connecting with the clients.

The Folder Structure created reflects what we have declared inside of docker-compose.yml file. So the variables in the shell can be customized, but you have to remember to changed it in all other places too, which means all the volumes must point to the correct folder. For example:

# Note that we set each node volume like to ../../node_X:/data/ssl where "X" is the node name.
# the "node_X" part - the script will create it and it is declared in the _DIR variables of the script.
# the /data/ssl/ part - lies inside the container and we are mapping all the content inside ../../../node_X to /data/ssl. For example node_1
- /path/to/your/OS/folder/ssl/node_1:/data/ssl/

Although we have our script ready to run, if you do so, it will run with errors! (Not recommended!)
That happens because we are not ready yet. To spare us to execute any kind of interaction with the commands of the shell script with have a couple of configuration files. =S

Part two — Configuration Files

The configuration files are all the names, options and choices that we have to make when generating certificates. Since we are creating self-signing certificates we can have it done this way. So it is not for production!

Only to make things easier “for me”, I will only show the two files. But for the script actually are five files, which four of them have the same content. Again, it is not recommended for production!

The first one is the Certificate Authority Configuration File. I will not comment all it’s items, mostly because I don’t know them well and I found it somewhere in the internet!

So to start this section create a file named “mdb_root_CA.cnf” inside of the previously create folder named “confs” with the following content:

RANDFILE        = ./.rnd
####################################################################
[ ca ]
# The default ca section
default_ca    = CA_default
[ CA_default ]
# How long to certify for
default_days     = 1000
# How long before next CRL
default_crl_days = 30
# Use public key default MD
default_md       = sha256
# Keep passed DN ordering
preserve         = no
# The extensions to add to the cert
x509_extensions = ca_extensions
# Don't concat the email in the DN
email_in_dn     = no
# Required to copy SANs from CSR to cert
copy_extensions = copy
# Set to 'no' to allow creation of 
# several certificates with same subject.
unique_subject = no
####################################################################
[ req ]
default_bits       = 4096
distinguished_name = ca_distinguished_name
x509_extensions    = ca_extensions
string_mask        = utf8only
prompt = no
####################################################################
[ ca_distinguished_name ]
countryName         = BR
stateOrProvinceName         = Parana
localityName                = YourCity
organizationName            = Your Company Name
organizationalUnitName         = Company Dev Departament
commonName         = yourcompanycn.com
emailAddress = yourcompanyemail@email.com
####################################################################
[ ca_extensions ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints       = critical, CA:true
keyUsage               = keyCertSign, cRLSign, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
####################################################################
[ signing_policy ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = keyCertSign, cRLSign, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth

The second content will be used for all the other four files. There are three server certificate configuration files and one client certificate connection configuration file.

To do that create four files named as it follows:

“mdb_node1_CN.cnf”;
“mdb_node2_CN.cnf”;
“mdb_node_arbiter_CN.cnf”;
“mdb_client_CN.cnf”;

All of them with the same following content:

RANDFILE        = ./.rnd
####################################################################

[ req ]
default_bits       = 2048
distinguished_name = server_distinguished_name
req_extensions     = server_req_extensions
string_mask        = utf8only
prompt = no

####################################################################
[ server_distinguished_name ]
countryName         = BR
stateOrProvinceName         = Parana
localityName                = YourCity
organizationName            = Your Company Name
commonName         = mdb_node_cn
emailAddress = yourcompanyemail@email.com
####################################################################

[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "OpenSSL Generated Certificate"
extendedKeyUsage = clientAuth, serverAuth
####################################################################

[ alternate_names ]
IP.1 = 170.17.5.5
IP.2 = 170.17.5.6
IP.3 = 170.17.5.7
IP.4 = 170.17.5.254
IP.5 = 127.0.0.1
IP.6 = ::1
DNS.1 = localhost

Just to emphasize, I will repeat that I don’t know very well all items inside this configuration file. I found them on the internet across many stack overflow questions, MongoDB pages and etc. I will try to reference most of them at the final of this tutorial.

Now we are good to go. So go ahead and run the generateSSLCerts.sh script in the Linux terminal. It will print step-by-step of what is going on. No errors should occur.

If everything goes well we must go from this:

ssl folder content before run the script

To the following:

ssl folder content after you run the script

Each folder contains all the files needed to the containers operate with TLS. And that is it for this section. And we are almost finished. Just to show you, go back one folder and this is what you should see:

root folder where we a creating this amazing secure thing — yes it is missing the data folder

As you can see, there is one more folder structure that we have to create. It is the data folder which will hold the nodes database contents. Let’s go ahead and create a folder named “data” and inside of it you have to create three more folders named as it follows:

“db_node_1”;
“db_node_2”;
“db_node_arbiter”;

With that the folder structure are complete and we have all the necessary. Important thing to note we are creating exactly as we declared inside docker-compose.yml.

# for example - node_1 
- /path/to/your/OS/folder/data/node_1:/data/db

Now let’s run docker-compose.yml and see what we got so far.

Configuring MongoDB ReplicaSet Cluster

After you run the command you should get lots of log lines in the terminal. And that is normal. It stops more or less like the next image:

Matrix log style! “You get used to it, I don’t even see the code, All I see is blond, brunette, redhead…”

We are now running and that is a very nice thing. And yet we do not have our cluster. We have to configure it. Let’s get over with it.

Open another linux terminal shell and run the following command:

# it executes a shell inside then container. You can choose the container in which to run. All three containers are the same for now.
docker exec -it mongo_node_1 /bin/bash

After we run the previous command we will enter inside the container. Now we have to login inside mongoDB node_1. How do we do that? Any clues? Took a lot for me too. But I finally could craft the final command as it follows:

# this command helps us to log as root inside mongodatabase
# we have to log as root to create the replicaset and the user
# IMPORTANT: Note that we are inside the container and they are reflecting our node mapped volume
# IMPORTANT2: remember the password set in the SCRIPT and cluster.conf. Yes we are using here to connect and decrypt the files
# IMPORTANT3: the option --tlsAllowInvalidHostnames is necessary because we are using self-signed certificates!
mongo --tls --tlsCertificateKeyFile /data/ssl/mdb_nodes_keycert.pem --tlsCAFile /data/ssl/mdb_root_CA.crt --tlsCertificateKeyFilePassword mdb_my_custom_passphrase_security --tlsAllowInvalidHostnames

Now we are logged inside the database. Let’s configure it. The first step is to set the ReplicaSet as it follows:

rs.initiate({
  "_id": "my_mdb_rs", 
  "version": 1, 
  "writeConcernMajorityJournalDefault": true, 
  "members": [
    { 
      "_id": 0, 
      "host": "170.17.5.5:27017", 
    }, 
    { 
      "_id": 1, 
      "host": "170.17.5.6:27017", 
    }, 
    { 
      "_id": 2, 
      "host": "170.17.5.7:27017", 
      arbiterOnly: true 
    }
  ]
});

Important parts are the following:

The _id of the configuration is the ReplicaSet name, configured in the cluster file and when setting the mongo string connection.
The last node we are setting is the arbiter. It has the “arbiterOnly” flag to true
You will see something like this:

The vote happened, maybe you got the primary — not important

Now we have to set the user as it follows:

use admin;
db.createUser({
  user: "mdb_admin",
  pwd: "mdb_pass",
  roles: [
    {role: "root", db: "admin"},
    { role: "userAdminAnyDatabase", db: "admin" }, 
    { role: "dbAdminAnyDatabase", db: "admin" }, 
    { role: "readWriteAnyDatabase", db:"admin" }, 
    { role: "clusterAdmin",  db: "admin" }
  ]
});

This will create the admin user that can connect properly outside the replicaset! It should be as demonstrated by the following image:

Success! We have now a configured mongo docker replica set with 3 nodes!

Now we are done! All set!

To test it you can exit mongo terminal, but continue inside the container. Then run the following command:

# Remember we set the user and pass environment into docker-compose.yml file. Well we can use them now!
mongo --tls --tlsCertificateKeyFile /data/ssl/mdb_nodes_keycert.pem --tlsCAFile /data/ssl/mdb_root_CA.crt --tlsCertificateKeyFilePassword mdb_my_custom_passphrase_security -u $MONGO_INITDB_ROOT_USERNAME -p $MONGO_INITDB_ROOT_PASSWORD --sslAllowInvalidHostnames

It should connect successfully! \o/. But wait… there is more! And a leave this section with the big question….

How can we connect now with MongoCompass or NodeJS ?

Connecting with MongoCompass on our ReplicaSet

Well, we started this journey a hundred years ago. You grow old and now.. look at you.. all smiley and wise!

Now we finish our journey with the cherry on the top!

To connect on mongocompass — first install it. It shouldn’t be difficult and I will not show it here. However I will go ahead and just open it and then show the following images that show how to configure it.

After you open MongoCompass click in the text:
“Fill in connection fields individually”

Fill the fields as the image shows

For the next image, do remember the ssl folder ? So inside of it there is a folder named serverclient. There lies all the files that you need to select to connect and some more. You need to select the right ones so let’s see them:

Certificate Authority: mdb_root_CA.crt
Client Certificate: mdb_client.pem
Client Private key: mdb_client.key
Client Key Password: mdb_my_custom_passphrase_security

Also, fill the “Replica Set Name” correctly.

What could go wrong ? After what we just went through this should be easy!

If you did everything correctly.. well you should be connected =). Let’s see the next screen:

Yes! We did it! =)

Connecting with Mongoose in a NodeJS Application

The last section, but not least, is to exemplify a connection with mongoose. The same again.. I will not show how to install and configure your NodeJS application with Mongoose, however I going to post the string connection that you can use. I struggled with it a little bit, but in the end I found the way.

See the next image:

NodeJS configuration for Mongoose

Conclusion

Yes. We did it! I hope that this tutorial helped you because for me it was very difficult. I had to learn all by myself, researching in the web. All the knowledge is there, the computer community is amazing everyone helping everyone. So I am trying to do the same. I did it by myself because others did first and helped leading the way!

The code for this project is hosted on github!
Github Repository

I want to say that I am sorry for my english. It isn’t my first language… so if I misspoke or I did something wrong let me know and feel free to correct me. =)

Here there is some links which helped me find the path!
Docker - ReplicaSet
Mongo - ReplicaSet
Tutorial Mongo with ReplicaSet SSL
Root CA File Configuration
Mongo Cluster with SSL and TLS
Configure MongoDB with TLS and SSL
Self-Signed Request With CA