- Install and Configure the Kubernetes Operator >
- Plan your MongoDB Enterprise Kubernetes Operator Installation
Plan your MongoDB Enterprise Kubernetes Operator Installation¶
Use the MongoDB Enterprise Kubernetes Operator to deploy:
- Ops Manager resources
- MongoDB standalone, replica set, and sharded cluster resources
Cloud Manager and Ops Manager 4.0.11 Support MongoDB Resources
You can use the Kubernetes Operator to deploy MongoDB resources with Ops Manager version 4.0.11 or later and Cloud Manager. At any place in this guide that says Ops Manager, you can substitute Cloud Manager.
To deploy MongoDB resources with the Kubernetes Operator, you need an Ops Manager instance. Deploy this instance to Kubernetes using the Operator or outside Kubernetes using traditional installation methods. The Operator uses Ops Manager API methods to deploy then manage MongoDB resources.
Considerations¶
Kubernetes Compatibility¶
MongoDB Enterprise Kubernetes Operator is compatible with Kubernetes v1.13 or later.
MANAGED_SECURITY_CONTEXT
for Kubernetes Operator OpenShift Deployments¶
When you deploy the Kubernetes Operator to OpenShift, you must set the
MANAGED_SECURITY_CONTEXT
flag to true
. This value is set for you
in the mongodb-enterprise-openshift.yaml
and values-openshift.yaml
files included in the MongoDB Enterprise Kubernetes Operator
repository.
For more information on modifying this value, see the instructions for the installation method you want to use.
Docker Container Details¶
MongoDB builds the container images from the latest builds of the following operating systems:
If you get your Kubernetes Operator from… | …the Container uses |
---|---|
quay.io or GitHub | Ubuntu 16.04 |
OpenShift | Red Hat Enterprise Linux 7 |
MongoDB, Inc. updates all packages on these images before releasing them every three weeks.
Validation Webhook¶
The Kubernetes Operator uses a webhook to prevent users from applying invalid resource definitions. The webhook rejects these requests immediately and the Kubernetes Operator doesn’t create or update the resource.
The ClusterRole
and ClusterRoleBinding
for the webhook are
included in the default configuration files that you apply during
installation. To create the role and binding, you must have
cluster-admin privileges.
If you apply an invalid resource definition, the webhook returns a message that describes the error to the shell:
The validation webhook is not required to create or update resources. If
you omit the validation webhook, remove its role and binding from the
default configuration, or have insufficient privileges to run it, the
Kubernetes Operator performs the same validations when it reconciles each
resource. The Kubernetes Operator marks resources as Failed
if validation
encounters a critical error. For non-critical errors, the Kubernetes Operator
issues warnings.
Kubernetes Operator Deployment Scopes¶
You can deploy the Kubernetes Operator with different scopes based on where you want to deploy Ops Manager and MongoDB Kubernetes resources resources:
- Operator in Same Namespace as Resources (Default)
- Operator in Different Namespace Than Resources
- Cluster-Wide Scope
Operator in Same Namespace as Resources¶
You scope the Kubernetes Operator to a namespace. The Kubernetes Operator watches Ops Manager and MongoDB Kubernetes resources in that same namespace.
This is the default scope when you install the Kubernetes Operator using the installation instructions.
Operator in Different Namespace Than Resources¶
You scope the Kubernetes Operator to a namespace. The Kubernetes Operator watches Ops Manager and MongoDB Kubernetes resources in the namespace you specify.
You must use helm
to install the Kubernetes Operator with this scope.
Follow the relevant helm
installation instructions,
but use the following command to set the namespace for the
Kubernetes Operator to watch:
Setting the namespace ensures that:
- The namespace you want the Kubernetes Operator to watch has the correct roles and role bindings.
- The Kubernetes Operator can watch and create resources in the namespace.
Cluster-Wide Scope¶
You scope the Kubernetes Operator to a cluster. The Kubernetes Operator watches Ops Manager and MongoDB Kubernetes resources in all namespaces in the Kubernetes cluster.
Important
You can deploy only one Operator with a cluster-wide scope per Kubernetes cluster.
You must use helm
to install the Kubernetes Operator with this scope.
Follow the relevant helm
installation instructions,
but make the following adjustments:
Use the following command to set the Kubernetes Operator to watch all namespaces:
Create the required service accounts for each namespace where you want to deploy Ops Manager and MongoDB Kubernetes resources:
Prerequisites¶
To install the MongoDB Kubernetes Operator, you must:
Have a Kubernetes solution available to use.
If you need a Kubernetes solution, see the Kubernetes documentation on picking the right solution.
Have a running Ops Manager.
Clone the MongoDB Enterprise Kubernetes Operator repository.
Note
You can use Helm to install the Kubernetes Operator. To learn how to install Helm, see its documentation on GitHub.
Create a namespace for your Kubernetes deployment. By default, The Kubernetes Operator uses the
mongodb
namespace. To simplify your installation, consider creating a namespace labeledmongodb
using the followingkubectl
command:If you do not want to use the
mongodb
namespace, you can label your namespace anything you like:(Required for OpenShift Installs) Create a secret that contains credentials authorized to pull images from the
registry.connect.redhat.com
repository:If you have not already, obtain a Red Hat subscription.
Create a Registry Service Account.
Click on your Registry Service Account, then click the Docker Configuration tab.
Download the
<account-name>-auth.json
file and open it in a text editor.Copy the
registry.redhat.io
object, and paste another instance of this object into the file. Remember to add a comma after the first object. Rename the second objectregistry.connect.redhat.com
, then save the file:Create a
openshift-pull-secret.yaml
file with the contents of the modified<account-name>-auth.json
file asstringData
named.dockerconfigjson
:The value you provide in the
metadata.name
field contains the secret name. Provide this value when asked for the<openshift-pull-secret>
.Create a secret from the
openshift-pull-secret.yaml
file: