Navigation

Deploy a Replica Set

Supported with Cloud Manager and Ops Manager 4.0

You can use Kubernetes Operator to deploy MongoDB instances with Ops Manager version 4.0 or later and Cloud Manager. At any place in this guide that says Ops Manager, you can substitute Cloud Manager.

A replica set is a group of MongoDB deployments that maintain the same data set. Replica sets provide redundancy and high availability and are the basis for all production deployments.

To learn more about replica sets, see the Replication Introduction in the MongoDB manual.

Use this procedure to deploy a new replica set managed by Ops Manager. After deployment, use Ops Manager to manage the replica set, including such operations as adding, removing, and reconfiguring members.

Prerequisites

To deploy a replica set using an object, you need to complete the following procedures:

Considerations

Unique Names for Replica Set

Use a unique name for the replica set.

Important

Replica set, sharded cluster, and shard names within the same project must be unique. Failure to have unique names for the deployments will result in broken backup snapshots.

Procedure

The procedure for deploying a replica set depends on whether you require the deployment to run with TLS enabled for intra-cluster communication and clients connecting to the database:

1

Copy the following example replica set Kubernetes object.

This is a YAML file that you can modify to meet your desired configuration. Change the highlighted settings to match your desired replica set configuration.

---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: <myreplicaset>
  namespace: <metadata.namespace> # Should match metadata.namespace in
                                  # your configmap file.
spec:
  members: 3
  version: 4.0.6
  project: <myconfigmap> # Should match metadata.name in your
                         # configmap file.
  credentials: <mycredentials>
  type: ReplicaSet
  persistent: true
...
2

Open your preferred text editor and paste the object specification into a new text file.

3

Configure the settings highlighted in the above example as follows.

Key Type Description Example
metadata.name string

Label for this Kubernetes replica set object.

See also

myproject
metadata.namespace string

Scope of object names. Kubernetes namespace where this MongoDB Kubernetes resource and other objects are created.

Using two different namespaces allows you to delete your standalone or all of the resources in the namespace without affecting your Kubernetes Operator.

See also

mongodb
spec.project string

Name of the ConfigMap with the Ops Manager connection configuration.

Value must match namespace and name of ConfigMap

This value must match the value you provided for metadata.name in your Ops Manager project ConfigMap.

If this MongoDB Kubernetes resource is in a different namespace than the project ConfigMap, you should set this value to the namespace and name of the ConfigMap in this format: <metadata.namespace>/<metadata.name>

Operator manages changes to the ConfigMap

The Kubernetes Operator tracks any changes to the ConfigMap and reconciles the state of the MongoDB Kubernetes resource.

<myconfigmap> or <namespace>/<myconfigmap>
spec.credentials string

Name of the Kubernetes secret you created as Ops Manager API authentication credentials for the Kubernetes Operator to communicate with Ops Manager.

Value must use namespace and name of Secret

This value must match the value you provided for namespace and name for your Ops Manager Kubernetes Secret.

If this object is in a different namespace than the Secret, you should set this value to the namespace and name of the Secret in this format: <namespace>/<name>

Operator manages changes to the Secret

The Kubernetes Operator tracks any changes to the Secret and reconciles the state of the MongoDB Kubernetes resource.

<mycredentials> or <namespace>/<mycredentials>
spec.type string Type of MongoDB Kubernetes resource to create. ReplicaSet
spec.version string

Version of MongoDB that this replica set should run.

The format should be X.Y.Z for the Community edition and X.Y.Z-ent for the Enterprise edition.

To learn more about MongoDB versioning, see MongoDB Version Numbers in the MongoDB Manual.

3.6.7
spec.members integer Number of members of the replica set. 3
spec.persistent string

Optional.

Flag indicating if this MongoDB Kubernetes resource should use Persistent Volumes for storage. Persistent volumes are not deleted when the MongoDB Kubernetes resource is stopped or restarted.

If this value is true, then spec.podSpec.persistence.single is set to its default value of 16G.

To change your Persistent Volume Claims configuration, configure the following collections to meet your deployment requirements:

Warning

Your containers must have permissions to write to your Persistent Volume. The Kubernetes Operator sets fsGroup = 2000 in securityContext This makes Kubernetes try to fix write permissions for the Persistent Volume. If redeploying the deployment item does not fix issues with your Persistent Volumes, contact MongoDB support.

Note

If you do not use Persistent Volumes, the Disk Usage and Disk IOPS charts cannot be displayed in either the Processes tab on the Deployment page or in the Metrics page when reviewing the data for this deployment.

true
5

Save this file with a .yaml file extension.

6

Start your replica set deployment.

Invoke the following Kubernetes command to create your replica set:

kubectl apply -f <replica-set-conf>.yaml
7

Track the status of your replica set deployment.

To check the status of your MongoDB Kubernetes resource, invoke the following command:

kubectl get mdb <resource-name> -n <namespace> -o yaml -w

The -w flag means “watch”. With the “watch” flag set, the output refreshes immediately when something changes until the status phase achieves the Running state.

If the deployment fails, see Troubleshooting the Kubernetes Operator.

The MongoDB Enterprise Kubernetes Operator can use TLS certificates to encrypt communication between:

  • MongoDB hosts in a replica set or sharded cluster configuration
  • Clients (mongo shell, drivers, MongoDB Compass, and others) and the MongoDB deployment

The following procedure walks you through deploying a replica set with TLS enabled:

1

Copy the following example replica set Kubernetes object.

This is a YAML file that you can modify to meet your desired configuration. Change the highlighted settings to match your desired replica set configuration.

---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-secure-rs
  namespace: <metadata.namespace> # Should match metadata.namespace in
                                  # your configmap file.
spec:
  members: 3
  version: 4.0.6
  project: <myconfigmap> # Should match metadata.name in your
                         # configmap file.
  credentials: <mycredentials>
  type: ReplicaSet
  persistent: true
  security:
    tls:
      enabled: true
    clusterAuthenticationMode: x509 # Optional. Enables X.509 internal
                                    # cluster authentication.
  additionalMongodConfig: # Optional
    net:
      ssl:
        mode: requireSSL
...
2

Open your preferred text editor and paste the object specification into a new text file.

3

Configure the settings highlighted in the above example as follows.

Key Type Description Example
metadata.name string

Label for this Kubernetes replica set object.

See also

myproject
metadata.namespace string

Scope of object names. Kubernetes namespace where this MongoDB Kubernetes resource and other objects are created.

Using two different namespaces allows you to delete your standalone or all of the resources in the namespace without affecting your Kubernetes Operator.

See also

mongodb
spec.project string

Name of the ConfigMap with the Ops Manager connection configuration.

Value must match namespace and name of ConfigMap

This value must match the value you provided for metadata.name in your Ops Manager project ConfigMap.

If this MongoDB Kubernetes resource is in a different namespace than the project ConfigMap, you should set this value to the namespace and name of the ConfigMap in this format: <metadata.namespace>/<metadata.name>

Operator manages changes to the ConfigMap

The Kubernetes Operator tracks any changes to the ConfigMap and reconciles the state of the MongoDB Kubernetes resource.

<myconfigmap> or <namespace>/<myconfigmap>
spec.credentials string

Name of the Kubernetes secret you created as Ops Manager API authentication credentials for the Kubernetes Operator to communicate with Ops Manager.

Value must use namespace and name of Secret

This value must match the value you provided for namespace and name for your Ops Manager Kubernetes Secret.

If this object is in a different namespace than the Secret, you should set this value to the namespace and name of the Secret in this format: <namespace>/<name>

Operator manages changes to the Secret

The Kubernetes Operator tracks any changes to the Secret and reconciles the state of the MongoDB Kubernetes resource.

<mycredentials> or <namespace>/<mycredentials>
spec.type string Type of MongoDB Kubernetes resource to create. ReplicaSet
spec.version string

Version of MongoDB that this replica set should run.

The format should be X.Y.Z for the Community edition and X.Y.Z-ent for the Enterprise edition.

To learn more about MongoDB versioning, see MongoDB Version Numbers in the MongoDB Manual.

3.6.7
spec.members integer Number of members of the replica set. 3
spec.persistent string

Optional.

Flag indicating if this MongoDB Kubernetes resource should use Persistent Volumes for storage. Persistent volumes are not deleted when the MongoDB Kubernetes resource is stopped or restarted.

If this value is true, then spec.podSpec.persistence.single is set to its default value of 16G.

To change your Persistent Volume Claims configuration, configure the following collections to meet your deployment requirements:

Warning

Your containers must have permissions to write to your Persistent Volume. The Kubernetes Operator sets fsGroup = 2000 in securityContext This makes Kubernetes try to fix write permissions for the Persistent Volume. If redeploying the deployment item does not fix issues with your Persistent Volumes, contact MongoDB support.

Note

If you do not use Persistent Volumes, the Disk Usage and Disk IOPS charts cannot be displayed in either the Processes tab on the Deployment page or in the Metrics page when reviewing the data for this deployment.

true
4

Configure the TLS settings for your replica set.

Enable TLS in your deployment by configuring the following settings in your Kubernetes object:

Key Type Description Example
spec.security.tls.enabled boolean

If this value is true, TLS is enabled on the MongoDB deployment.

The default TLS mode is requireSSL which configures the hosts to only use and accept TLS encrypted connections.

true
spec.security.clusterAuthenticationMode string

Optional. Enables X.509 internal cluster authentication.

Remove this field from your ConfigMap to disable X.509 internal cluster authentication.

Important

Once internal cluster authentication is enabled, it can not be disabled.

x509
spec.additionalMongodConfig.net.ssl.mode string Optional. Changes the TLS mode the MongoDB deployment uses for intra-cluster communication and clients connecting to the database. requireSSL

The following options are valid for spec.additionalMongodConfig.net.ssl.mode:

Value Description
allowSSL Connections between servers do not use TLS. For incoming connections, the server accepts both TLS and non-TLS.
preferSSL Connections between servers use TLS. For incoming connections, the server accepts both TLS and non-TLS.
requireSSL The server uses and accepts only TLS encrypted connections.
6

Save this file with a .yaml file extension.

7

Start your replica set deployment.

Invoke the following Kubernetes command to create your replica set:

kubectl apply -f <replica-set-conf>.yaml
8

Check the status of your deployment.

The Kubernetes Operator will proceed to create the MongoDB resources and request the Kubernetes Certificate Authority to approve the database host’s certificates. Verify that the certificates are pending approval by running the following command:

kubectl get mdb <resource-name> -n <namespace> -o yaml -w

The status field of the output should resemble the following:

status:
  lastTransition: 2019-05-01T15:36:59Z
  message: Not all certificates have been approved by Kubernetes CA
  phase: Failed
  type: ""
  version: ""

If you do not see the status.message above, see Troubleshooting the Kubernetes Operator to help diagnose the issue.

9

Approve the certificate for each host in your deployment.

Retrieve the CSRs for each host by running the following command:

kubectl get csr

The output of the command and number of certificates to approve depend on whether X.509 internal cluster authentication is enabled by setting spec.security.clusterAuthenticationMode to x509 in step 4.

The command’s output resembles the following:

NAME                                 AGE       REQUESTOR                                                   CONDITION
my-secure-rs-0.mongodb               33s       system:serviceaccount:mongodb:mongodb-enterprise-operator   Pending
my-secure-rs-1.mongodb               31s       system:serviceaccount:mongodb:mongodb-enterprise-operator   Pending
my-secure-rs-2.mongodb               24s       system:serviceaccount:mongodb:mongodb-enterprise-operator   Pending

Using the NAME field above, approve each certificate from the previous command’s output using the following command:

kubectl certificate approve <NAME>

Example

The following commands approve the certificates for the replica set example in the previous step:

kubectl certificate approve my-secure-rs-0.mongodb
kubectl certificate approve my-secure-rs-1.mongodb
kubectl certificate approve my-secure-rs-2.mongodb

kubectl prints a message to the console when a certificate is approved.

The command’s output resembles the following:

NAME                           AGE       REQUESTOR                                                   CONDITION
mms-automation-agent.mongodb   15m       system:serviceaccount:mongodb:mongodb-enterprise-operator   Approved,Issued
mms-backup-agent.mongodb       15m       system:serviceaccount:mongodb:mongodb-enterprise-operator   Approved,Issued
mms-monitoring-agent.mongodb   15m       system:serviceaccount:mongodb:mongodb-enterprise-operator   Approved,Issued
my-secure-rs-0.mongodb         6s        system:serviceaccount:mongodb:mongodb-enterprise-operator   Pending
my-secure-rs-1.mongodb         4s        system:serviceaccount:mongodb:mongodb-enterprise-operator   Pending
my-secure-rs-2.mongodb         1s        system:serviceaccount:mongodb:mongodb-enterprise-operator   Pending

Using the NAME field above, approve each certificate from the previous command’s output using the following command:

kubectl certificate approve <NAME>

Example

The following commands approve the certificates for the replica set example in the previous step:

kubectl certificate approve my-secure-rs-0.mongodb
kubectl certificate approve my-secure-rs-1.mongodb
kubectl certificate approve my-secure-rs-2.mongodb

kubectl prints a message to the console when a certificate is approved.

When spec.security.clusterAuthenticationMode is set to x509 an additional CSR will be generated per host for the clusterfile.

After the first batch of certificates are approved, run the command to retrieve the CSRs again:

kubectl get csr

The clusterfile CSRs are now present in the output:

NAME                                       AGE       REQUESTOR                                                   CONDITION
mms-automation-agent.mongodb               17m       system:serviceaccount:mongodb:mongodb-enterprise-operator   Approved,Issued
mms-backup-agent.mongodb                   17m       system:serviceaccount:mongodb:mongodb-enterprise-operator   Approved,Issued
mms-monitoring-agent.mongodb               17m       system:serviceaccount:mongodb:mongodb-enterprise-operator   Approved,Issued
my-secure-rs-0-clusterfile.mongodb         13s       system:serviceaccount:mongodb:mongodb-enterprise-operator   Pending
my-secure-rs-0.mongodb                     105s      system:serviceaccount:mongodb:mongodb-enterprise-operator   Approved,Issued
my-secure-rs-1-clusterfile.mongodb         7s        system:serviceaccount:mongodb:mongodb-enterprise-operator   Pending
my-secure-rs-1.mongodb                     103s      system:serviceaccount:mongodb:mongodb-enterprise-operator   Approved,Issued
my-secure-rs-2-clusterfile.mongodb         3s        system:serviceaccount:mongodb:mongodb-enterprise-operator   Pending
my-secure-rs-2.mongodb                     100s      system:serviceaccount:mongodb:mongodb-enterprise-operator   Approved,Issued

Approve the clusterfile CSRs using the same command:

kubectl certificate approve <NAME>

Example

The following commands approve the clusterfile certificates:

kubectl certificate approve my-secure-rs-0-clusterfile.mongodb
kubectl certificate approve my-secure-rs-1-clusterfile.mongodb
kubectl certificate approve my-secure-rs-2-clusterfile.mongodb
10

Track the status of your deployment.

To check the status of your MongoDB Kubernetes resource, invoke the following command:

kubectl get mdb <resource-name> -n <namespace> -o yaml -w

The -w flag means “watch”. With the “watch” flag set, the output refreshes immediately when something changes until the status phase achieves the Running state.

If the deployment fails, see Troubleshooting the Kubernetes Operator.