Navigation
This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Kubernetes Operator, refer to the upgrade documentation.

Plan Your Ops Manager Resource

On this page

MongoDB Ops Manager is an enterprise application that manages, backs up, and monitors MongoDB deployments. With Ops Manager, you can scale and upgrade MongoDB, optimize queries, perform point-in-time restores, receive performance alerts, and more. To easily manage and maintain Ops Manager and its underlying database, you can use the MongoDB Enterprise Kubernetes Operator to run Ops Manager as a container on Kubernetes.

Before you deploy an Ops Manager resource, make sure you read the considerations and complete the prerequisites.

Architecture

For Ops Manager resource architecture details, see Ops Manager Architecture in Kubernetes.

Considerations

Encryption Key

The Kubernetes Operator generates an encryption key to protect sensitive information in the Ops Manager Application Database. The Kubernetes Operator saves this key in a secret in the same namespace as the Ops Manager resource. The Kubernetes Operator names the secret <om-resource-name>-gen-key.

If you remove the Ops Manager resource, the key remains stored in the secret on the Kubernetes cluster. If you stored the Application Database in a Persistent Volume and you create another Ops Manager resource with the same name, the Kubernetes Operator reuses the secret. If you create an Ops Manager resource with a different name, then Kubernetes Operator creates a new secret and Application Database, and the old secret isn’t reused.

Application Database

Topology

When you create an instance of Ops Manager through the Kubernetes Operator, the Ops Manager Application Database is deployed as a replica set. You can’t configure the Application Database as a standalone database or sharded cluster. If you have concerns about performance or size requirements for the Application Database, contact MongoDB Support.

Important

The Application Database must use Persistent Volumes. When you Deploy an Ops Manager Resource, ensure that you set spec.applicationDatabase. persistent to true.

Monitoring

The Kubernetes Operator automatically configures Ops Manager to monitor the Application Database that backs the Ops Manager Application. The Kubernetes Operator creates a project named <ops-manager-deployment-name>-db for you to monitor the Application Database deployment.

Ops Manager monitors the Application Database deployment, but Ops Manager does not manage it. You cannot change the Application Database’s configuration in the Ops Manager Application.

Important

The Ops Manager UI might display warnings in the <ops-manager-deployment-name>-db project stating that the agents for the Application Database are out of date. You can safely ignore these warnings.

Authentication

The Kubernetes Operator enforces SCRAM-SHA-1 authentication on the Application Database.

The Kubernetes Operator creates the database user which Ops Manager uses to connect to the Application Database. This database user has the following attributes:

Username mongodb-ops-manager
Authentication Database admin
Roles

You can’t modify the Ops Manager database user’s name and roles. You create a secret to set the database user’s password. You edit the secret to update the password. If you don’t create a secret or delete an existing secret, the Kubernetes Operator generates a password and stores it.

If you need to authenticate to the Application Database as a different user:

  1. Deploy the Ops Manager resource
  2. Add a new user to the database using the mongo shell.

Offline Deployments

The Kubernetes Operator bundles MongoDB Enterprise version 4.2.2 with the Application Database image to enable offline deployments of Ops Manager resources.

To deploy Ops Manager inside Kubernetes without an Internet connection, omit the spec.applicationDatabase.version setting or leave the value empty.

When you upgrade the Kubernetes Operator, the Application Database performs a rolling upgrade for new patch releases of MongoDB, such as from 4.2.2-ent to 4.2.3-ent. However, the Application Database does not automatically upgrade between major versions, such as from 4.2.2-ent to 4.4.0-ent.

Streamlined Configuration

After you deploy Ops Manager, you need to configure it. The regular procedure involves setting up Ops Manager through the configuration wizard. If you set some essential settings in your object specification before you deploy, you can bypass the configuration wizard.

In the spec.configuration block of your Ops Manager object specification, you need to:

Example

To disable the Ops Manager configuration wizard, configure the following settings in your spec.configuration block:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
spec:
  configuration:
    mms.ignoreInitialUiSetup: "true"
    automation.versions.source: "remote"
    mms.adminEmailAddr: cloud-manager-support@mongodb.com
    mms.fromEmailAddr: cloud-manager-support@mongodb.com
    mms.mail.hostname: email-smtp.us-east-1.amazonaws.com
    mms.mail.port: "465"
    mms.mail.ssl: "true"
    mms.mail.transport: smtp
    mms.minimumTLSVersion: TLSv1.2
    mms.replyToEmailAddr: cloud-manager-support@mongodb.com

Replace the example values with the values you want your Ops Manager to use.

Backup

Kubernetes Operator enables Backup by default. The Kubernetes Operator deploys a StatefulSet comprised of one pod to host the Backup Daemon Service, and then creates a Persistent Volume Claim and Persistent Volume for the Backup Daemon’s head database. The Kubernetes Operator uses the Ops Manager API to enable the Backup Daemon and configure the head database.

Important

To configure Backup, you must create MongoDB database resources for the oplog store and for one of the following:

If you deploy both an S3 snapshot store and a blockstore, Ops Manager chooses one to use for Backup at random.

The Ops Manager resource remains in a Pending state until you configure these Backup resources.

Oplog Store

You must deploy a three-member replica set to store your oplog slices.

The Oplog database only supports the SCRAM authentication mechanism. You cannot enable other authentication mechanisms.

If you enable SCRAM authentication on the oplog database, you must:

  • Create a MongoDB user resource to connect Ops Manager to the oplog database.
  • Specify the name of the user in the Ops Manager resource definition.

Note

If you deploy Ops Manager 4.2 with SCRAM authentication enabled, you must specify a MongoDB version earlier than than 4.0 in the oplog database resource definition.

Blockstore

To configure a blockstore, you must deploy a replica set to store snapshots.

S3 Snapshot Store

To configure an S3 snapshot store, you must create an AWS S3 or S3-compatible bucket to store your database Backup snapshots.

The default configuration stores snapshot metadata in the Application Database. You can also deploy a replica set to store snapshot metadata, then configure it using the spec.backup.s3Stores.mongodbResourceRef.name and spec.backup.s3Stores.mongodbResourceRef.user settings in the Ops Manager resource definition.

You can update any additional S3 configuration settings that Kubernetes Operator doesn’t manage through the Ops Manager Application.

Disable Backup

To disable backup after you enabled it:

  1. Set the Ops Manager Kubernetes object spec.backup.enabled setting to false.

  2. Disable backups in the Ops Manager Application.

  3. Delete the Backup Daemon Service StatefulSet:

    copy 
    kubectl delete statefulset <metadata.name>-backup-daemon -n <namespace>

Important

The Persistent Volume Claim and Persistent Volume for the Backup Daemon’s head database are not deleted when you delete the Backup Daemon Service StatefulSet. You can retrieve stored data before you delete these Kubernetes resources.

To learn about reclaiming Persistent Volumes, see the Kubernetes documentation.

Configure Ops Manager to Run over HTTPS

You can configure your Ops Manager instance created through the Kubernetes Operator to run over HTTPS instead of HTTP.

To configure your Ops Manager instance to run over HTTPS, provide a TLS certificate and Private Key in the Ops Manager configuration object.

For detailed instructions, see Deploy an Ops Manager Resource.

Important

If you have existing deployments, you must restart them manually after enabling HTTPS. To avoid restarting your deployments, configure HTTPS before deploying your managed resources.

To learn more, see HTTPS Enabled After Deployment.

Ops Manager Application Access

By default, the Kubernetes Operator doesn’t create a Kubernetes service to route traffic originating from outside of the Kubernetes cluster to the Ops Manager application.

To access the Ops Manager application, you can:

  • Configure the Kubernetes Operator to create a Kubernetes service.
  • Create a Kubernetes service manually. MongoDB recommends using a LoadBalancer Kubernetes service if your cloud provider supports it.
  • If you’re using OpenShift, use routes.
  • Use a third-party service, such as Istio.

The simplest method is configuring the Kubernetes Operator to create a Kubernetes service that routes external traffic to the Ops Manager application. The Ops Manager deployment procedure instructs you to add the following settings to the object specification that configures the Kubernetes Operator to create a service:

Deploying Ops Manager in Remote or Local Mode

You can use the Kubernetes Operator to configure Ops Manager to operate in Local or Remote mode if your environment prevents granting hosts in your Kubernetes cluster access to the Internet. In these modes, the Backup Daemons and managed MongoDB resources download installation archives from Ops Manager instead of from the Internet:

Managing External MongoDB Deployments

When you deploy Ops Manager with the Kubernetes Operator, Ops Manager can manage MongoDB database resources deployed:

  • To the same Kubernetes cluster as Ops Manager.
  • Outside of Kubernetes clusters.

If Ops Manager manages MongoDB database resources deployed to different Kubernetes clusters than Ops Manager or outside of Kubernetes clusters, you must:

  1. Add the mms.centralUrl setting to spec.configuration in the Ops Manager resource specification.

    Set the value to the URL by which Ops Manager is exposed outside of the Kubernetes cluster:

    copy 
    spec:
  configuration:
    mms.centralUrl: https://a9a8f8566e0094380b5c257746627b82-1037623671.us-east-1.elb.example.com:8080/

  2. Update the ConfigMaps referenced by all MongoDB database resources inside the Kubernetes cluster that you deployed with the Kubernetes Operator.

    Set data.baseUrl to the same value of the spec.configuration.mms.centralUrl setting in the Ops Manager resource specification.

    Important

    This includes the ConfigMaps that the MongoDB database resources for the oplog and snapshot stores reference.

Prerequisites

  1. If you have not already, run the following command to execute all kubectl commands in the namespace you created:

    copy 
    kubectl config set-context $(kubectl config current-context) --namespace=<namespace>

  2. Install the MongoDB Enterprise Kubernetes Operator 1.4.1 or newer.

  3. Ensure that the host on which you want to deploy Ops Manager has a minimum of five gigabytes of memory.

  1. Create a Kubernetes secret for an admin user in the same namespace as the Ops Manager resource.

    When you deploy the Ops Manager resource, Ops Manager creates a user with these credentials and grants it the Global Owner role. Use these credentials to log in to Ops Manager for the first time. Once you deploy Ops Manager, change the password or remove this secret.

    Note

    The admin user’s password must adhere to the Ops Manager password complexity requirements.

    copy 
    kubectl create secret generic <adminusercredentials> \
  --from-literal=Username="<username>" \
  --from-literal=Password="<password>" \
  --from-literal=FirstName="<firstname>" \
  --from-literal=LastName="<lastname>"

  1. (Optional) To set the password for the Ops Manager database user, create a secret in the same namespace as the Ops Manager resource.

    The Kubernetes Operator creates the database user that Ops Manager uses to connect to the Ops Manager Application Database. You can set the password for this database user by invoking the following command to create a secret:

    copy 
    kubectl create secret generic <om-db-user-secret-name> \
  --from-literal=password="<om-db-user-password>"

    Note

    If you choose to create a secret for the Ops Manager database user, you must specify the secret’s name in the Ops Manager resource definition. By default, the Kubernetes Operator looks for the password value in the password key. If you stored the password value in a different key, you must also specify that key name in the Ops Manager resource definition.

    If you don’t create a secret, then the Kubernetes Operator automatically generates a password and stores it internally. To learn more, see Authentication.

  2. (Optional). To configure Backup to an S3 snapshot store, create a secret in the same namespace as the Ops Manager resource.

    This secret stores your S3 credentials so that the Kubernetes Operator can connect Ops Manager to your AWS S3 or S3-compatible bucket. The secret must contain the following key-value pairs:

    Key Value
    accessKey Unique identifer of the AWS user who owns the S3 or S3-compatible bucket.
    secretKey Secret key of the AWS user who owns the S3 or S3-compatible bucket.

    To create the secret, invoke the following command:

    copy 
    kubectl create secret generic <my-aws-s3-credentials> \
  --from-literal=accessKey="<AKIAIOSFODNN7EXAMPLE>" \
  --from-literal=secretKey="<wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY>"

    To learn more about managing S3 snapshot storage, see the Prerequisites.

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.