The /config/samples directory contains example MongoDB resources that you can modify and deploy.
- Deploy a Replica Set
- Scale a Replica Set
- Upgrade your MongoDB Resource Version and Feature Compatibility Version
- Deploy Replica Sets on OpenShift
- Define a Custom Database Role
To deploy your first replica set:
- Replace
<your-password-here>in config/samples/mongodb.com_v1_mongodbcommunity_cr.yaml to the password you wish to use. - Invoke the following
kubectlcommand:kubectl apply -f config/samples/mongodb.com_v1_mongodbcommunity_cr.yaml --namespace <my-namespace> - Verify that the MongoDB resource deployed:
kubectl get mongodbcommunity --namespace <my-namespace> - Connect clients to the MongoDB replica set:
mongo "mongodb://<service-object-name>.<namespace>.svc.cluster.local:27017/?replicaSet=<replica-set-name>"
NOTE: You can access each mongod process in the replica set only from within a pod
running in the cluster.
You can scale up (increase) or scale down (decrease) the number of members in a replica set.
Consider the following example MongoDB resource definition:
apiVersion: mongodb.com/v1
kind: MongoDBCommunity
metadata:
name: example-mongodb
spec:
members: 3
type: ReplicaSet
version: "4.2.7"To scale a replica set:
-
Edit the resource definition.
Update
membersto the number of members that you want the replica set to have.apiVersion: mongodb.com/v1 kind: MongoDBCommunity metadata: name: example-mongodb spec: members: 5 type: ReplicaSet version: "4.2.7"
-
Reapply the configuration to Kubernetes:
kubectl apply -f <example>.yaml --namespace <my-namespace>NOTE: When you scale down a MongoDB resource, the Community Operator might take several minutes to remove the StatefulSet replicas for the members that you remove from the replica set.
You can upgrade the major, minor, and/or feature compatibility versions of your MongoDB resource. These settings are configured in your resource definition YAML file.
-
To upgrade your resource's major and/or minor versions, set the
spec.versionsetting to the desired MongoDB version. -
To modify your resource's feature compatibility version, set the
spec.featureCompatibilityVersionsetting to the desired version.
If you update spec.version to a later version, consider setting spec.featureCompatibilityVersion to the current working MongoDB version to give yourself the option to downgrade if necessary. To learn more about feature compatibility, see setFeatureCompatibilityVersion in the MongoDB Manual.
Consider the following example MongoDB resource definition:
apiVersion: mongodb.com/v1
kind: MongoDBCommunity
metadata:
name: example-mongodb
spec:
members: 3
type: ReplicaSet
version: "4.0.6"To upgrade this resource from 4.0.6 to 4.2.7:
-
Edit the resource definition.
a. Update
spec.versionto4.2.7.b. Update
spec.featureCompatibilityVersionto4.0.apiVersion: mongodb.com/v1 kind: MongoDBCommunity metadata: name: example-mongodb spec: members: 3 type: ReplicaSet version: "4.2.7" featureCompatibilityVersion: "4.0"
NOTE: Setting
featureCompatibilityVersionto4.0disables 4.2 features incompatible with MongoDB 4.0. -
Reapply the configuration to Kubernetes:
kubectl apply -f <example>.yaml --namespace <my-namespace>
To deploy the operator on OpenShift you will have to provide the environment variable MANAGED_SECURITY_CONTEXT set to true for both the mongodb and mongodb-agent containers, as well as the operator deployment.
See here for an example of how to provide the required configuration for a MongoDB replica set.
See here for an example of how to configure the Operator deployment.
You can define custom roles to give you fine-grained access control over your MongoDB database resource.
NOTE: Custom roles are scoped to a single MongoDB database resource.
To define a custom role:
-
Add the following fields to the MongoDB resource definition:
Key Type Description Required? spec.security.rolesarray Array that defines custom roles roles that give you fine-grained access control over your MongoDB deployment. Yes spec.security.roles.rolestring Name of the custom role. Yes spec.security.roles.dbstring Database in which you want to store the user-defined role. Yes spec.security.roles.authenticationRestrictionsarray Array that defines the IP address from which and to which users assigned this role can connect. No spec.security.roles.authenticationRestrictions.clientSourcearray Array of IP addresses or CIDR blocks from which users assigned this role can connect.
MongoDB servers reject connection requests from users with this role if the requests come from a client that is not present in this array.No spec.security.roles.authenticationRestrictions.serverAddressarray Array of IP addresses or CIDR blocks to which users assigned this role can connect.
MongoDB servers reject connection requests from users with this role if the client requests to connect to a server that is not present in this array.No spec.security.roles.privilegesarray List of actions that users granted this role can perform. For a list of accepted values, see Privilege Actions in the MongoDB Manual for the MongoDB versions you deploy with the Kubernetes Operator. Yes spec.security.roles.privileges.actionsarray Name of the role. Valid values are built-in roles. Yes spec.security.roles.privileges.resource.databasestring Database for which the privilege spec.security.roles.privileges.actionsapply. An empty string ("") indicates that the privilege actions apply to all databases.
If you provide a value for this setting, you must also provide a value forspec.security.roles.privileges.resource.collection.Conditional spec.security.roles.privileges.resource.collectionstring Collection for which the privilege spec.security.roles.privileges.actionsapply. An empty string ("") indicates that the privilege actions apply to all of the database's collections.
If you provide a value for this setting, you must also provide a value forspec.security.roles.privileges.resource.database.Conditional spec.security.roles.privileges.resource.clusterstring Flag that indicates that the privilege spec.security.roles.privileges.actionsapply to all databases and collections in the MongoDB deployment. If omitted, defaults tofalse.
If set totrue, do not provide values forspec.security.roles.privileges.resource.databaseandspec.security.roles.privileges.resource.collection.Conditional spec.security.roles.rolesarray An array of roles from which this role inherits privileges.
You must include the roles field. Use an empty array ([]) to specify no roles to inherit from.Yes spec.security.roles.roles.rolestring Name of the role to inherit from. Conditional spec.security.roles.roles.databasestring Name of database that contains the role to inherit from. Conditional --- apiVersion: mongodb.com/v1 kind: MongoDBCommunity metadata: name: custom-role-mongodb spec: members: 3 type: ReplicaSet version: "4.2.6" security: authentication: modes: ["SCRAM"] roles: # custom roles are defined here - role: testRole db: admin privileges: - resource: db: "test" collection: "" # an empty string indicates any collection actions: - find roles: [] users: - name: my-user db: admin passwordSecretRef: # a reference to the secret that will be used to generate the user's password name: my-user-password roles: - name: clusterAdmin db: admin - name: userAdminAnyDatabase db: admin - name: testRole # apply the custom role to the user db: admin scramCredentialsSecretName: my-scram
-
Save the file.
-
Apply the updated MongoDB resource definition:
kubectl apply -f <mongodb-crd>.yaml --namespace <my-namespace>