Navigation

Plan Your Ops Manager Resource

MongoDB Ops Manager is an enterprise application that manages, backs up, and monitors MongoDB deployments. With Ops Manager, you can scale and upgrade MongoDB, optimize queries, perform point-in-time restores, receive performance alerts, and more. To easily manage and maintain Ops Manager and its underlying database, you can use the MongoDB Enterprise Kubernetes Operator to run Ops Manager as a container on Kubernetes.

Before you deploy an Ops Manager resource, make sure you read the considerations and complete the prerequisites.

Architecture

The Kubernetes Operator manages and monitors each MongoDBOpsManager custom resource through a resource definition file that you create. Every time you create or update a resource definition, the Kubernetes Operator performs the following reconciliation process:

  1. The Kubernetes Operator creates or updates the StatefulSet that runs the Ops Manager Application Database. The Application Database is always deployed as a replica-set with SCRAM-SHA authentication enabled. Each database pod runs an instance of the MongoDB Agent which is configured directly by the Kubernetes Operator.
  2. The Kubernetes Operator creates or updates the StatefulSet that runs the Ops Manager pods. The Ops Manager instance connects to the Application Database.
  3. The Kubernetes Operator ensures the StatefulSet for the Backup Daemon Service is running unless backup is disabled. The StatefulSet consists of a single pod. The Backup Daemon connects to the Application Database.
  4. The Kubernetes Operator registers the first user with the Global Owner role and saves a public API key to a secret for later use.
  5. The Kubernetes Operator configures the Backup Daemon using Ops Manager API according to the spec.backup.enabled specification in the Ops Manager resource definition.

Considerations

Encryption Key

The Kubernetes Operator generates an encryption key to protect sensitive information in the Ops Manager Application Database. The Kubernetes Operator saves this key in a secret in the same namespace as the Ops Manager resource. The Kubernetes Operator names the secret <om-resource-name>-gen-key.

If you remove the Ops Manager resource, the key remains stored in the secret on the Kubernetes cluster. If you stored the Application Database in a Persistent Volume and you create another Ops Manager resource with the same name, the Kubernetes Operator reuses the secret. If you create an Ops Manager resource with a different name, then Kubernetes Operator creates a new secret and Application Database, and the old secret isn’t reused.

Application Database

Topology

When you create an instance of Ops Manager through the Kubernetes Operator, the Ops Manager Application Database is deployed as a replica set. You can’t configure the Application Database as a standalone database or sharded cluster. If you have concerns about performance or size requirements for the Application Database, contact MongoDB Support.

Monitoring

The Kubernetes Operator automatically configures Ops Manager to monitor the Application Database that backs the Ops Manager Application. The Kubernetes Operator creates a project named <ops-manager-deployment-name>-db for you to monitor the Application Database deployment.

Ops Manager monitors the Application Database deployment, but Ops Manager does not manage it. You cannot change the Application Database’s configuration in the Ops Manager Application.

Important

The Ops Manager UI might display warnings in the <ops-manager-deployment-name>-db project stating that the agents for the Application Database are out of date. You can safely ignore these warnings.

Authentication

The Kubernetes Operator enforces SCRAM-SHA-1 authentication on the Application Database.

The Kubernetes Operator creates the database user which Ops Manager uses to connect to the Application Database. This database user has the following attributes:

Username mongodb-ops-manager
Authentication Database admin
Roles

You can’t modify the Ops Manager database user’s name and roles. You create a secret to set the database user’s password. You edit the secret to update the password. If you don’t create a secret or delete an existing secret, the Kubernetes Operator generates a password and stores it.

If you need to authenticate to the Application Database as a different user:

  1. Deploy the Ops Manager resource
  2. Add a new user to the database using the mongo shell.

Offline Deployments

The Kubernetes Operator bundles MongoDB Enterprise version 4.2.2 with the Application Database image to enable offline deployments of Ops Manager resources.

To deploy Ops Manager inside Kubernetes without an Internet connection, omit the spec.applicationDatabase.version setting or leave the value empty.

When you upgrade the Kubernetes Operator, the Application Database performs a rolling upgrade for new patch releases of MongoDB, such as from 4.2.2-ent to 4.2.3-ent. However, the Application Database does not automatically upgrade between major versions, such as from 4.2.2-ent to 4.4.0-ent.

Streamlined Configuration

After you deploy Ops Manager, you need to configure it. The regular procedure involves setting up Ops Manager through the configuration wizard. If you set some essential settings in your object specification before you deploy, you can bypass the configuration wizard.

In the spec.configuration block of your Ops Manager object specification, you need to:

Example

To disable the Ops Manager configuration wizard, configure the following settings in your spec.configuration block:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
spec:
  configuration:
    mms.ignoreInitialUiSetup: "true"
    automation.versions.source: mongodb
    mms.adminEmailAddr: cloud-manager-support@mongodb.com
    mms.fromEmailAddr: cloud-manager-support@mongodb.com
    mms.mail.hostname: email-smtp.us-east-1.amazonaws.com
    mms.mail.port: "465"
    mms.mail.ssl: "true"
    mms.mail.transport: smtp
    mms.minimumTLSVersion: TLSv1.2
    mms.replyToEmailAddr: cloud-manager-support@mongodb.com

Replace the example values with the values you want your Ops Manager to use.

Backup

Kubernetes Operator enables Backup by default. The Kubernetes Operator deploys a StatefulSet comprised of one pod to host the Backup Daemon Service, and then creates a Persistent Volume Claim and Persistent Volume for the Backup Daemon’s head database. The Kubernetes Operator uses the Ops Manager API to enable the Backup Daemon and configure the head database.

Important

To configure Backup, you must create MongoDB database resources for the oplog store and for one of the following:

If you deploy both an S3 snapshot store and a blockstore, Ops Manager chooses one to use for Backup at random.

The Ops Manager resource remains in a Pending state until you configure these Backup resources.

Oplog Store

You must deploy a three-member replica set to store your oplog slices.

If you enable SCRAM authentication on the oplog database, you must:

  • Specify a MongoDB version earlier than v4.0 in the oplog database resource definition.
  • Create a MongoDB user resource to connect Ops Manager to the oplog database.
  • Specify the name of the user in the Ops Manager resource definition.

Blockstore

To configure a blockstore, you must deploy a replica set to store snapshots.

S3 Snapshot Store

To configure an S3 snapshot store, you must create an AWS S3 or S3-compatible bucket to store your database Backup snapshots.

The default configuration stores snapshot metadata in the Application Database. You can also deploy a replica set to store snapshot metadata, then configure it using the spec.backup.s3Stores.mongodbResourceRef.name and spec.backup.s3Stores.mongodbResourceRef.user settings in the Ops Manager resource definition.

You can update any additional S3 configuration settings that Kubernetes Operator doesn’t manage through the Ops Manager Application.

Disable Backup

To disable backup after you enabled it:

  1. Set the Ops Manager Kubernetes object spec.backup.enabled setting to false.

  2. Disable backups in the Ops Manager Application.

  3. Delete the Backup Daemon Service StatefulSet:

    kubectl delete statefulset <metadata.name>-backup-daemon -n <namespace>
    

Important

The Persistent Volume Claim and Persistent Volume for the Backup Daemon’s head database are not deleted when you delete the Backup Daemon Service StatefulSet. You can retrieve stored data before you delete these Kubernetes resources.

To learn about reclaiming Persistent Volumes, see the Kubernetes documentation.

Configure Ops Manager to Run over HTTPS

You can configure an instance Ops Manager created through the Kubernetes Operator to run over HTTPS, rather than HTTP. To configure your Ops Manager instance to run over HTTPS, you must provide a TLS certificate and Private Key in the Ops Manager configuration object. For detailed instructions, see Deploy an Ops Manager Resource.

Ops Manager Application Access

By default, the Kubernetes Operator doesn’t create a Kubernetes service to route traffic originating from outside of the Kubernetes cluster to the Ops Manager application.

To access the Ops Manager application, you can:

  • Configure the Kubernetes Operator to create a Kubernetes service.
  • Create a Kubernetes service manually. MongoDB recommends using a LoadBalancer Kubernetes service if your cloud provider supports it.
  • If you’re using OpenShift, use routes.
  • Use a third-party service, such as Istio.

The simplest method is configuring the Kubernetes Operator to create a Kubernetes service that routes external traffic to the Ops Manager application. The Ops Manager deployment procedure instructs you to add the following settings to the object specification that configures the Kubernetes Operator to create a service:

Deploying Ops Manager in Local Mode

See Configure an Ops Manager Resource to use Local Mode to use the Kubernetes Operator to deploy Ops Manager if your environment prevents granting hosts in your Kubernetes cluster access to the internet.

Managing External MongoDB Deployments

When you deploy Ops Manager with the Kubernetes Operator, Ops Manager can manage MongoDB database resources deployed:

  • To the same Kubernetes cluster as Ops Manager.
  • Outside of Kubernetes clusters.

If Ops Manager manages MongoDB database resources deployed to different Kubernetes clusters than Ops Manager or outside of Kubernetes clusters, you must:

  1. Add the mms.centralUrl setting to spec.configuration in the Ops Manager resource specification.

    Set the value to the URL by which Ops Manager is exposed outside of the Kubernetes cluster:

    spec:
      configuration:
        mms.centralUrl: https://a9a8f8566e0094380b5c257746627b82-1037623671.us-east-1.elb.example.com:8080/
    
  2. Update the ConfigMaps referenced by all MongoDB database resources inside the Kubernetes cluster that you deployed with the Kubernetes Operator.

    Set data.baseUrl to the same value of the spec.configuration.mms.centralUrl setting in the Ops Manager resource specification.

    Important

    This includes the ConfigMaps that the MongoDB database resources for the oplog and snapshot stores reference.

Prerequisites

  1. If you have not already, run the following command to execute all kubectl commands in the namespace you created:

    kubectl config set-context $(kubectl config current-context) --namespace=<namespace>
    
  2. Install the MongoDB Enterprise Kubernetes Operator 1.4.1 or newer.

  3. Ensure that the host on which you want to deploy Ops Manager has a minimum of five gigabytes of memory.

  1. Create a Kubernetes secret for an admin user in the same namespace as the Ops Manager resource.

    When you deploy the Ops Manager resource, Ops Manager creates a user with these credentials and grants it the Global Owner role. Use these credentials to log in to Ops Manager for the first time. Once you deploy Ops Manager, change the password or remove this secret.

    Note

    The admin user’s password must adhere to the Ops Manager password complexity requirements.

    kubectl create secret generic <adminusercredentials> \
      --from-literal=Username="<username>" \
      --from-literal=Password="<password>" \
      --from-literal=FirstName="<firstname>" \
      --from-literal=LastName="<lastname>"
    
  1. (Optional) To set the password for the Ops Manager database user, create a secret in the same namespace as the Ops Manager resource.

    The Kubernetes Operator creates the database user that Ops Manager uses to connect to the Ops Manager Application Database. You can set the password for this database user by invoking the following command to create a secret:

    kubectl create secret generic <om-db-user-secret-name> \
      --from-literal=password="<om-db-user-password>"
    

    Note

    If you choose to create a secret for the Ops Manager database user, you must specify the secret’s name in the Ops Manager resource definition. By default, the Kubernetes Operator looks for the password value in the password key. If you stored the password value in a different key, you must also specify that key name in the Ops Manager resource definition.

    If you don’t create a secret, then the Kubernetes Operator automatically generates a password and stores it internally. To learn more, see Authentication.

  2. (Optional). To configure Backup to an S3 snapshot store, create a secret in the same namespace as the Ops Manager resource.

    This secret stores your S3 credentials so that the Kubernetes Operator can connect Ops Manager to your AWS S3 or S3-compatible bucket. The secret must contain the following key-value pairs:

    Key Value
    accessKey Unique identifer of the AWS user who owns the S3 or S3-compatible bucket.
    secretKey Secret key of the AWS user who owns the S3 or S3-compatible bucket.

    To create the secret, invoke the following command:

    kubectl create secret generic <my-aws-s3-credentials> \
      --from-literal=accessKey="<AKIAIOSFODNN7EXAMPLE>" \
      --from-literal=secretKey="<wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY>"
    

    To learn more about managing S3 snapshot storage, see the Prerequisites.