Deploy an Ops Manager Instance

Beta Release of Ops Manager Resource

Don’t use the Ops Manager resource in production environments.

You can deploy Ops Manager in a container with the Kubernetes Operator.

Prerequisites

To deploy an Ops Manager resource you must:

  1. Install the MongoDB Enterprise Kubernetes Operator 1.3.0 or newer.

  2. Ensure that the host on which you want to deploy Ops Manager has a minimum of five gigabytes of memory.

  3. Create a Kubernetes secret for an admin user in the same namespace as the Ops Manager resource.

    When you deploy the Ops Manager resource, Ops Manager creates a user with these credentials and grants it the Global Owner role. Use these credentials to log in to Ops Manager for the first time. Once Ops Manager is deployed, you should change the password or remove this secret.

    kubectl create secret generic <adminusercredentials> \
      --from-literal=Username="<username>" \
      --from-literal=Password="<password>" \
      --from-literal=FirstName="<firstname>" \
      --from-literal=LastName="<lastname>" \
      -n <namespace>
    
  4. (Optional) To set the password for the Ops Manager database user, create a secret in the same namespace as the Ops Manager resource.

    The Kubernetes Operator creates the database user that Ops Manager uses to connect to the Ops Manager Application Database. You can set the password for this database user by invoking the following command to create a secret:

    kubectl create secret generic <om-db-user-secret-name> \
      --from-literal=password="<om-db-user-password>" \
      -n <namespace>

    Note

    If you choose to create a secret for the Ops Manager database user, you must specify the secret’s name in the Ops Manager resource definition. By default, the Kubernetes Operator looks for the password value in the password key. If you stored the password value in a different key, you must also specify that key name in the Ops Manager resource definition.

    If you don’t create a secret, then the Kubernetes Operator automatically generates a password and stores it internally. For more information, see Application Database Authentication.

  5. (Optional) To configure Backup to an S3 snapshot store, create a secret in the same namespace as the Ops Manager resource.

    This secret stores your S3 credentials so that the Kubernetes Operator can connect Ops Manager to your AWS S3 or S3-compatible bucket. The secret must contain the following key-value pairs:

    Key         Value
    accessKey   The access key ID of the user who owns the S3 or S3-compatible bucket.
    secretKey   The secret key of the user who owns the S3 or S3-compatible bucket.

    To create the secret, invoke the following command:

    kubectl create secret generic <my-aws-s3-credentials> \
      --from-literal=accessKey="<AKIAIOSFODNN7EXAMPLE>" \
      --from-literal=secretKey="<wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY>" \
      -n <namespace>
    

    To learn more about managing S3 blockstore snapshot storage, see the Prerequisites.
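
    A check for the secrets created in the prerequisites above, as an added example (not from the original page or the Kubernetes Operator project). Secret key names are case-sensitive: the admin secret uses Password, while the database user secret uses password by default. The function names are hypothetical, and the check assumes the database user password is stored under the default password key.

```shell
#!/bin/sh
# Added example: confirm that the prerequisite secrets hold the keys named on
# this page before applying the Ops Manager resource. Only key names are
# printed, never values.

# missing_secret_keys NAMESPACE SECRET KEY...
# Prints one line per key that is absent or empty; returns 1 if any are.
missing_secret_keys() {
  ns=$1; secret=$2; shift 2
  missing=0
  for key in "$@"; do
    # jsonpath prints the base64 value, or nothing when the key is absent.
    val=$(kubectl get secret "$secret" -n "$ns" \
            -o "jsonpath={.data.$key}" 2>/dev/null) || val=
    if [ -z "$val" ]; then
      echo "$secret: missing key $key"
      missing=1
    fi
  done
  return "$missing"
}

# check_om_secrets NAMESPACE ADMIN_SECRET [DB_USER_SECRET] [S3_SECRET]
# The two optional secrets are checked only when a name is given.
check_om_secrets() {
  ns=$1; failed=0
  missing_secret_keys "$ns" "$2" Username Password FirstName LastName || failed=1
  [ -z "${3:-}" ] || missing_secret_keys "$ns" "$3" password || failed=1
  [ -z "${4:-}" ] || missing_secret_keys "$ns" "$4" accessKey secretKey || failed=1
  return "$failed"
}

# Run as a script: sh <this-file> <namespace> <admin-secret> [db-secret] [s3-secret]
if [ "$#" -ge 2 ]; then check_om_secrets "$@"; fi
```

    A secret that does not exist is reported with every expected key missing.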

Considerations

Encryption Key

The Kubernetes Operator generates an encryption key to protect sensitive information in the Ops Manager Application Database. The Kubernetes Operator saves this key in a secret in the same namespace as the Ops Manager resource. The Kubernetes Operator names the secret <om-resource-name>-gen-key.

If you remove the Ops Manager resource, the key remains stored in the secret on the Kubernetes cluster. If you stored the Application Database in a Persistent Volume and you create another Ops Manager resource with the same name, the Kubernetes Operator reuses the secret. If you create an Ops Manager resource with a different name, then the Kubernetes Operator creates a new secret and Application Database, and the old secret isn’t reused.

Application Database Topology

When you create an instance of Ops Manager through the Kubernetes Operator, the Ops Manager Application Database is deployed as a replica set. You can’t configure the Application Database as a standalone database or sharded cluster. If you have concerns about performance or size requirements for the Application Database, contact MongoDB Support.

Application Database Authentication

The Kubernetes Operator enforces SCRAM-SHA-1 authentication on the Application Database.

The Kubernetes Operator creates the database user which Ops Manager uses to connect to the Application Database. This database user has the following attributes:

Username mongodb-ops-manager
Authentication Database admin
Roles

The Ops Manager database user’s name and roles cannot be modified. However, you can set the database user’s password by creating a secret and can later update the password by editing that secret. If you don’t create a secret, or if you delete a previously created secret, then the Kubernetes Operator automatically generates a password and stores it internally.

If you need to authenticate to the Application Database as a different user:

  1. Deploy the Ops Manager resource.
  2. Add a new user to the database using the mongo shell.

Backup

The Kubernetes Operator enables Backup by default. The Kubernetes Operator deploys a StatefulSet comprised of one pod to host the Backup Daemon Service, and then creates a Persistent Volume Claim and Persistent Volume for the Backup Daemon’s head database. The Kubernetes Operator uses the Ops Manager API to enable the Backup Daemon and configure the head database.

Important

To configure Backup, you must create MongoDB database resources for the oplog store and S3 snapshot store. The Ops Manager resource remains in a Pending state until these Backup resources are configured.

Oplog Store

Deploy a three-member replica set to store your oplog slices.

If you enable SCRAM authentication on the oplog database, you must:

  • Specify a MongoDB version earlier than v4.0 in the oplog database resource definition.
  • Create a MongoDB user resource to connect Ops Manager to the oplog database.
  • Specify the name of the user in the Ops Manager resource definition.

S3 Snapshot Store

To configure an S3 snapshot store, you must:

  • Have an oplog store already configured.
  • Create an AWS S3 or S3-compatible bucket to store your database Backup snapshots.
  • Deploy a three-member replica set to store snapshot metadata.

You can update any additional S3 configuration settings that are not managed by the Kubernetes Operator through the Ops Manager Application.

Procedure

1

Copy the following example Ops Manager Kubernetes object.

Change the highlighted settings to match your desired Ops Manager configuration.

---
apiVersion: mongodb.com/v1
kind: MongoDBOpsManager
metadata:
  name: <myopsmanager>
spec:
  replicas: 1
  version: <opsmanagerversion>
  adminCredentials: <adminusercredentials> # Should match metadata.name
                                           # in the Kubernetes secret
                                           # for the admin user
  backup:
    enabled: true
    opLogStores:
      - name: <oplogname>
        mongodbResourceRef:
          name: <oplogresourcename> # Should match metadata.name
                                    # in the MongoDB database resource
                                    # for the oplog store
    s3Stores:
      - name: <s3storename>
        mongodbResourceRef:
          name: <s3storeresourcename> # Should match metadata.name
                                      # in the MongoDB database resource
                                      # for the snapshot store
        s3SecretRef:
          name: <awss3credentials> # Should match metadata.name
                                   # in the Kubernetes secret
                                   # for your AWS credentials
        s3BucketEndpoint: <s3.region.amazonaws.com>
        s3BucketName: <bucketname>

  applicationDatabase:
    members: 3
    version: <mongodbversion>
    persistent: true
...

2

Open your preferred text editor and paste the object specification into a new text file.

3

Configure the settings highlighted in the prior example.

Key: metadata.name
Type: string
Description: Name for this Kubernetes Ops Manager object.
Example: om

Key: spec.replicas
Type: number
Description: Number of Ops Manager instances to run in parallel.

    The minimum valid value is 1.

    Highly Available Ops Manager Resources

    For high availability, set this value to more than 1. Multiple Ops Manager instances can read from the same Application Database, ensuring failover if one instance is unavailable and enabling you to update the Ops Manager resource without downtime.

Example: 1

Key: spec.version
Type: string
Description: Version of Ops Manager to be installed.

    The format should be X.Y.Z. To view available Ops Manager versions, view the container registry.

Example: 4.2.0

Key: spec.adminCredentials
Type: string
Description: Name of the secret you created for the Ops Manager admin user.

    Note

    Configure the secret to use the same namespace as the Ops Manager resource.

Example: om-admin-secret

Key: spec.backup
Type: boolean
Description: Flag that indicates that Backup is enabled for your Ops Manager resource.

    You must specify spec.backup.enabled: true to configure settings for the head database, oplog store, and snapshot store.

Example: true

Key: spec.backup.opLogStores
Type: string
Description: Name of the oplog store.
Example: oplog1

Key: spec.backup.opLogStores.mongodbRef
Type: string
Description: Name of the MongoDB database resource for the oplog store.
Example: my-oplog-db

Key: spec.backup.s3Stores
Type: string
Description: Name of the S3 snapshot store.
Example: s3store1

Key: spec.backup.s3Stores.mongodbResourceRef
Type: string
Description: Name of the MongoDB database resource for the S3 snapshot store metadata.
Example: my-s3-metadata-db

Key: spec.backup.s3Stores.s3SecretRef
Type: string
Description: Name of the secret that contains the accessKey and secretKey fields. The Backup Daemon Service uses the values of these fields as credentials to access the S3 or S3-compatible bucket.
Example: my-s3-credentials

Key: spec.backup.s3Stores
Type: string
Description: URL of the S3 or S3-compatible bucket that stores the database Backup snapshots.
Example: s3.us-east-1.amazonaws.com

Key: spec.backup.s3Stores
Type: string
Description: Name of the S3 or S3-compatible bucket that stores the database Backup snapshots.
Example: my-bucket

Key: spec.applicationDatabase
Type: integer
Description: Number of members of the Ops Manager Application Database replica set.
Example: 3

Key: spec.applicationDatabase
Type: string
Description: Version of MongoDB that the Ops Manager Application Database should run.

    The format should be X.Y.Z for the Community edition and X.Y.Z-ent for the Enterprise edition.

    To learn more about MongoDB versioning, see MongoDB Versioning in the MongoDB Manual.

Example: 4.0.7

Key: spec.applicationDatabase
Type: boolean
Description: Optional.

    Flag indicating if this MongoDB Kubernetes resource should use Persistent Volumes for storage. Persistent volumes are not deleted when the MongoDB Kubernetes resource is stopped or restarted.

    If this value is true, then spec.applicationDatabase.podSpec.persistence.single is set to its default value of 16G.

    To change your Persistent Volume Claims configuration, configure the following collections to meet your deployment requirements:

      • If you want one Persistent Volume for each pod, configure the spec.applicationDatabase. single collection.

      • If you want separate Persistent Volumes for data, journals, and logs for each pod, configure the following collections:

        • spec.applicationDatabase.podSpec.persistence.multiple.
        • spec.applicationDatabase.podSpec.persistence.multiple.
        • spec.applicationDatabase.podSpec.persistence.multiple.

    Warning

    Grant your containers permission to write to your Persistent Volume. The Kubernetes Operator sets fsGroup = 2000 in securityContext. This makes Kubernetes try to fix write permissions for the Persistent Volume. If redeploying the resource does not fix issues with your Persistent Volumes, contact MongoDB support.

Example: true

4

Allow external traffic to reach the Ops Manager application.

By default, the Kubernetes Operator does not create a Kubernetes service to route traffic originating from outside of the Kubernetes cluster to the Ops Manager application.

To access the Ops Manager application, you can:

  • Configure the Kubernetes Operator to create a Kubernetes service.
  • Create a Kubernetes service manually. MongoDB recommends using a LoadBalancer Kubernetes service if your cloud provider supports it.
  • If you’re using OpenShift, use Routes.
  • Use a third-party service, such as Istio.

The simplest method is to configure the Kubernetes Operator to create a Kubernetes service to route external traffic to the Ops Manager application:

  1. Add the spec.externalConnectivity setting to the object specification.
  2. Add the following settings to the object specification to configure the Kubernetes service that routes external traffic to the Ops Manager application:
    • spec.externalConnectivity.type
    • (optional) spec.externalConnectivity.port

To learn how to create a Kubernetes service manually, see the Kubernetes documentation.

To learn how to route external traffic to the Ops Manager application using a different method, refer to the documentation for your solution.

5

(Optional) Configure any additional settings for an Ops Manager deployment.

You can add any of the following optional settings to the object specification file for an Ops Manager deployment:

6

Save this file with a .yaml file extension.

7

Create your Ops Manager instance.

Invoke the following kubectl command on the filename of the Ops Manager resource definition:

kubectl apply -f <opsmgr-resource>.yaml

8

Track the status of your Ops Manager instance.

To check the status of your Ops Manager resource, invoke the following command:

kubectl get om -n <namespace> -o yaml -w

The command returns the following output under the status field while the resource deploys:

status:
 applicationDatabase:
  lastTransition: "2019-11-15T19:48:01Z"
  message: AppDB Statefulset is not ready yet
  phase: Reconciling
  type: ""
  version: ""
 opsManager:
  lastTransition: "2019-11-15T19:48:01Z"
  message: Ops Manager is still starting
  phase: Reconciling
  version: ""

After the resource completes the Reconciling phase, the command returns the following output under the status field:

 status:
   applicationDatabase:
     lastTransition: "2019-12-06T18:23:22Z"
     members: 3
     phase: Running
     type: ReplicaSet
     version: 4.0.7
   opsManager:
     lastTransition: "2019-12-06T18:23:26Z"
     message: The MongoDB object namespace/oplogdbname doesn't exist
     phase: Pending
     url: http://om-svc.dev.svc.cluster.local:8080
     version: ""

The Ops Manager Application remains in a Pending state until you configure the Backup databases.

Tip

The status.opsManager.url field states the resource’s connection URL. Using this URL, you can reach Ops Manager from inside the Kubernetes cluster or create a project using a ConfigMap.

9

Access the Ops Manager application.

The steps you take differ based on how you are routing traffic to the Ops Manager application in Kubernetes. If you configured the Kubernetes Operator to create a Kubernetes service for you, or you created a Kubernetes service manually, use one of the following methods to access the Ops Manager application:

Using a load balancer service:

  1. Query your cloud provider to get the FQDN of the load balancer service. See your cloud provider’s documentation for details.

  2. Open a browser window and navigate to the Ops Manager application using the FQDN and port number of your load balancer service.

    http://ops.example.com:8080

  3. Log in to Ops Manager using the admin user credentials.

Using spec.externalConnectivity.port on the host on which your Kubernetes cluster is running:

  1. Set your firewall rules to allow access from the Internet to the spec.externalConnectivity.port on the host on which your Kubernetes cluster is running.

  2. Open a browser window and navigate to the Ops Manager application using the FQDN and the spec.externalConnectivity.port.

    http://ops.example.com:30036

  3. Log in to Ops Manager using the admin user credentials.

To learn how to access the Ops Manager application using a different traffic routing method, refer to the documentation for your solution.

9

Create credentials for the Kubernetes Operator.

To configure credentials, you must create an Ops Manager organization, generate programmatic API keys, and create a secret. These activities follow the prerequisites and procedure on the Create Credentials for the Kubernetes Operator page.

10

Create a project using a ConfigMap.

To create a project, follow the prerequisites and procedure on the Create a Project using a ConfigMap page.

You must set data.baseUrl in the ConfigMap to the Ops Manager Application’s URL. To find this URL, invoke the following command:

kubectl get om -n <namespace> -o yaml -w

The command returns the URL of the Ops Manager Application in the status.opsManager.url field.

 status:
   applicationDatabase:
     lastTransition: "2019-12-06T18:23:22Z"
     members: 3
     phase: Running
     type: ReplicaSet
     version: 4.0.7
   opsManager:
     lastTransition: "2019-12-06T18:23:26Z"
     message: The MongoDB object namespace/oplogdbname doesn't exist
     phase: Pending
     url: http://om-svc.dev.svc.cluster.local:8080
     version: ""

11

Deploy MongoDB database resources to complete the Backup configuration.

By default, Ops Manager enables Backup. Create a MongoDB database resource for the oplog and snapshot stores to complete the configuration.

  1. Deploy a MongoDB database resource for the oplog store in the same namespace as the Ops Manager resource.

    Note

    Create this database as a three-member replica set.

    Match the metadata.name of the resource with the spec.backup.opLogStores.mongodbResourceRef.name that you specified in your Ops Manager resource definition.

  2. Deploy a MongoDB database resource for the S3 snapshot store in the same namespace as the Ops Manager resource.

    Note

    Create the S3 snapshot store as a replica set.

    Match the metadata.name of the resource to the spec.backup.s3Stores.mongodbResourceRef.name that you specified in your Ops Manager resource definition.

12

Confirm that the Ops Manager resource is running.

To check the status of your Ops Manager resource, invoke the following command:

kubectl get om -n <namespace> -o yaml -w

When the Ops Manager is running, the command returns the following output under the status field:

status:
  applicationDatabase:
    lastTransition: "2019-12-06T17:46:15Z"
    members: 3
    phase: Running
    type: ReplicaSet
    version: 4.0.7
  opsManager:
    lastTransition: "2019-12-06T17:46:32Z"
    phase: Running
    replicas: 1
    url: http://om-backup-svc.dev.svc.cluster.local:8080
    version: 4.2.0

If the deployment fails, see Troubleshooting the Kubernetes Operator.
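
A deployment gate built on the status output shown in the procedure, as an added example (not part of the original page or the Kubernetes Operator's tooling). It parses the status field and succeeds only when both the Application Database and Ops Manager report the Running phase; the function names, the 900-second default timeout and the 15-second poll interval are assumptions.

```shell
#!/bin/sh
# om_status_gate: read `kubectl get om <name> -n <namespace> -o yaml` on stdin,
# print "<appdb phase> <ops manager phase> <url>", and return 0 only when both
# status.applicationDatabase.phase and status.opsManager.phase are Running.
om_status_gate() {
  awk '
    { ind = match($0, /[^ ]/) - 1 }              # leading spaces, -1 if blank
    !seen && $1 == "status:" { seen = in_st = 1; base = ind; next }
    in_st && NF && ind <= base { in_st = 0 }     # left the status mapping
    !in_st { next }
    $1 == "applicationDatabase:" { sect = "db"; next }
    $1 == "opsManager:"          { sect = "om"; next }
    $1 == "phase:"               { phase[sect] = $2 }
    sect == "om" && $1 == "url:" { url = $2 }
    sect == "om" && $1 == "message:" { sub(/^ *message: */, ""); msg = $0 }
    END {
      printf "%s %s %s\n", phase["db"], phase["om"], url
      if (msg != "") print "opsManager: " msg > "/dev/stderr"
      exit !(phase["db"] == "Running" && phase["om"] == "Running")
    }'
}

# wait_for_om NAME NAMESPACE [TIMEOUT_SECONDS]: poll until the gate passes.
# The 900 s default and 15 s interval are assumptions, not operator values.
wait_for_om() {
  deadline=$(( $(date +%s) + ${3:-900} ))
  until kubectl get om "$1" -n "$2" -o yaml | om_status_gate; do
    [ "$(date +%s)" -lt "$deadline" ] || return 1
    sleep 15
  done
}

# Sample input, abridged from the Pending status output shown on this page.
sample_pending() {
  cat <<'EOF'
status:
  applicationDatabase:
    phase: Running
    version: 4.0.7
  opsManager:
    message: The MongoDB object namespace/oplogdbname doesn't exist
    phase: Pending
    url: http://om-svc.dev.svc.cluster.local:8080
    version: ""
EOF
}

sample_pending | om_status_gate || echo "not ready: backup databases missing"
```

The gate expects the YAML of a single named resource, so pass the resource name to kubectl get om rather than listing every Ops Manager resource in the namespace.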