Deploy a Replica Set
On this page
Note
At any place on this page that says Ops Manager, you can substitute Cloud Manager.
Important
You can use the Kubernetes Operator to deploy MongoDB resources with Cloud Manager and with Ops Manager version 6.0.x or later.
You can use the Atlas Operator to deploy MongoDB resources to Atlas.
Warning
Kubernetes Operator doesn't support arbiter nodes.
A replica set is a group of MongoDB deployments that maintain the same data set. Replica sets provide redundancy and high availability and are the basis for all production deployments.
To learn more about replica sets, see the Replication Introduction in the MongoDB manual.
Use this procedure to deploy a new replica set that Ops Manager manages. After deployment, use Ops Manager to manage the replica set, including such operations as adding, removing, and reconfiguring members.
Considerations
When you deploy your replica set via the Kubernetes Operator, you must choose whether to encrypt connections using TLS certificates.
The following procedure for TLS-Encrypted connections:
Establishes TLS-encrypted connections between MongoDB hosts in the replica set.
Establishes TLS-encrypted connections between client applications and MongoDB deployments.
Requires valid certificates for TLS encryption.
The following procedure for Non-Encrypted Connections:
Doesn't encrypt connections between MongoDB hosts in the replica set.
Doesn't encrypt connections between client applications and MongoDB deployments.
Has fewer setup requirements than a deployment with TLS-encrypted connections.
Note
You can't secure a Standalone Instance of MongoDB in a Kubernetes cluster.
To set up TLS encryption for a sharded cluster, see Deploy a Sharded Cluster.
Select the appropriate tab based on whether you want to encrypt your replica set connections with TLS.
Prerequisites
To deploy a replica set using an object, you must:
Have or create an Ops Manager instance or a Cloud Manager organization.
Have or install the MongoDB Enterprise Kubernetes Operator.
Create or generate a Kubernetes Operator ConfigMap.
Create credentials for the Kubernetes Operator or configure a different secret storage tool.
Note
To avoid storing secrets in single-cluster Kubernetes deployments, you can migrate all secrets to a secret storage tool. Deployments on multiple Kubernetes clusters don't support storing secrets in secret storage tools, such as HashiCorp Vault.
Generate one TLS certificate for each of the following components:
Your replica set. Ensure that you add SANs for each Kubernetes pod that hosts a member of your replica set to the certificate.
In your TLS certificate, the SAN for each pod must use the following format:
<pod-name>.<metadata.name>-svc.<namespace>.svc.cluster.local Important
If you're using an ACME based service provider such as Let's Encrypt to issue TLS certificates, the provider might prohibit you from adding the Pod's default FQDNs (
*.svc.cluster.local
) to SANs in the certificate.To use an ACME based certificate, you must configure the certificate for your replica set resource. To learn more, see the step about ACME based TLS certificates in the procedure.
Your project's MongoDB Agent. For the MongoDB Agent certificate, ensure that you meet the following requirements:
The Common Name in the TLS certificate is not empty.
The combined Organization and Organizational Unit in each TLS certificate differs from the Organization and Organizational Unit in the TLS certificate for your replica set members.
You must have the CA certificate file and name it
ca-pem
.You must have the key that you used to sign your TLS certificates.
Important
The Kubernetes Operator uses kubernetes.io/tls secrets to store TLS certificates and private keys for Ops Manager and MongoDB resources. Starting in Kubernetes Operator version 1.17.0, the Kubernetes Operator doesn't support concatenated PEM files stored as Opaque secrets.
To deploy a replica set using an object, you must:
Have or create an Ops Manager instance or a Cloud Manager organization.
Have or install the MongoDB Enterprise Kubernetes Operator.
Create or generate a Kubernetes Operator ConfigMap.
Create credentials for the Kubernetes Operator or configure a different secret storage tool.
Note
To avoid storing secrets in single-cluster Kubernetes deployments, you can migrate all secrets to a secret storage tool. Deployments on multiple Kubernetes clusters don't support storing secrets in secret storage tools, such as HashiCorp Vault.
Deploy a Replica Set
Configure kubectl
to default to your namespace.
If you have not already, run the following command to execute all
kubectl
commands in the namespace you created.
Note
If you are deploying an Ops Manager resource in a multi-Kubernetes cluster MongoDB deployment:
Set the
context
to the name of the central cluster, such as:kubectl config set context "$MDB_CENTRAL_CLUSTER_FULL_NAME"
.Set the
--namespace
to the same scope that you used for your multi-Kubernetes cluster MongoDB deployment, such as:kubectl config --namespace "mongodb"
.
kubectl config set-context $(kubectl config current-context) --namespace=<metadata.namespace>
Create the secret for your replica set's TLS certificate.
Run this kubectl
command to create a new secret that stores
the replica set's certificate:
kubectl create secret tls <prefix>-<metadata.name>-cert \ --cert=<replica-set-tls-cert> \ --key=<replica-set-tls-key>
Note
You must prefix your secrets with <prefix>-<metadata.name>
.
For example, if you call your deployment my-deployment
and you set
the prefix to mdb
, you must name the TLS secret for the
client TLS communications mdb-my-deployment-cert
. Also,
you must name the TLS secret for internal cluster authentication
(if enabled) mdb-my-deployment-clusterfile
.
If you're using HashiCorp Vault as your secret storage tool, you can Create a Vault Secret instead.
To learn about your options for secret storage, see Configure Secret Storage.
Create the secret for your agent's TLS certificate.
Run this kubectl
command to create a new secret that stores
the agent's TLS certificate:
kubectl create secret tls <prefix>-<metadata.name>-agent-certs \ --cert=<agent-tls-cert> \ --key=<agent-tls-key>
If you're using HashiCorp Vault as your secret storage tool, you can Create a Vault Secret instead.
Create the ConfigMap to link your CA with your deployment.
Run this kubectl
command to link your CA to your replica
set and specify the CA certificate file.
Important
The Kubernetes Operator requires that the certificate for the MongoDB
resource
is named ca-pem
in the ConfigMap.
kubectl create configmap custom-ca --from-file=ca-pem=<your-custom-ca-file>
Copy the sample replica set resource.
Change the settings of this YAML file to match your desired replica set configuration.
1 2 apiVersion: mongodb.com/v1 3 kind: MongoDB 4 metadata: 5 name: <my-replica-set> 6 spec: 7 members: 3 8 version: "4.2.2-ent" 9 opsManager: 10 configMapRef: 11 # Must match metadata.name in ConfigMap file 12 name: <configMap.metadata.name> 13 credentials: <mycredentials> 14 type: ReplicaSet 15 persistent: true 16 ...
16 security: 17 tls: 18 ca: <custom-ca> 19 certsSecretPrefix: <prefix> 20 ...
Paste the copied example to create a new replica set resource.
Open your preferred text editor and paste the object specification into a new text file.
Change the settings to your preferred values.
Key | Type | Description | Example |
---|---|---|---|
string | Label for this Kubernetes replica set object. Resource names must be 44 characters or less. To learn more, see |
| |
integer | Number of members of the replica set. |
| |
string | Version of MongoDB that this replica set should run. The format should be IMPORTANT: Ensure that you choose a compatible MongoDB Server version. Compatible versions differ depending on the base image that the MongoDB database resource uses. To learn more about MongoDB versioning, see MongoDB Versioning in the MongoDB Manual. |
| |
string | Name of the ConfigMap with the Ops Manager connection
configuration. The
This value must exist on the same namespace as the resource you want to create. IMPORTANT: The Kubernetes Operator tracks any changes to the
ConfigMap and reconciles the state of the |
| |
string | Name of the secret you created as Ops Manager API authentication credentials for the Kubernetes Operator to communicate with Ops Manager. The Ops Manager Kubernetes Secret object holding the Credentials must exist on the same Namespace as the resource you want to create. IMPORTANT: The Kubernetes Operator tracks any changes to the Secret
and reconciles the state of the |
| |
string | Type of |
| |
string | Optional. Flag indicating if this If this value is To change your Persistent Volume Claims configuration, configure the following collections to meet your deployment requirements:
WARNING: Grant your containers permission to write to your Persistent Volume.
The Kubernetes Operator sets If you do not use Persistent Volumes, the Disk Usage and Disk IOPS charts cannot be displayed in either the Processes tab on the Deployment page or in the Metrics page when reviewing the data for this deployment. |
|
Configure the TLS settings for your replica set resource using a custom certificate authority (CA).
To enable TLS in your deployment, configure the following settings in your Kubernetes object:
Key | Type | Necessity | Description | Example |
---|---|---|---|---|
spec.security | string | Required | Add the ConfigMap's name that stores the custom CA that you used to sign your deployment's TLS certificates. |
|
spec.security | string | Required | Add the For example, if you call your deployment |
|
Optional: Configure ACME based TLS certificates for your replica set resource.
If you're using an ACME based service provider such as Let's Encrypt to issue TLS certificates, the provider
might prohibit you from adding the Pod's default FQDNs (*.svc.cluster.local
)
to SANs in the certificate.
To configure a certificate that doesn't contain the pod's FQDNs:
Issue the certificate for an external domain. For more information, see the Let's Encrypt documentation or the documentation for your provider.
Ensure that your certificate contains all hostnames that you plan to deploy in the replica set. Alternatively, you can issue a wildcard certificate for
*.<externalDomain>
.To use a certificate containing only external domains for your replica set deployment, you must change the default hostname used by the replica set:
If you prefer to configure the hostname while creating your Kubernetes cluster, change the default domain from
cluster.local
to the external domain when creating or recreating your Kubernetes cluster. Then, set this domain in your MongoDB resource by using thespec.clusterDomain
setting.Otherwise, create your MongoDB deployment with the following settings configured in your Kubernetes object:
Key | Type | Necessity | Description | |||||||
---|---|---|---|---|---|---|---|---|---|---|
spec.externalAccess | string | Required | An external domain used to externally expose your replica set deployment. By default, each replica set member uses the Kubernetes Pod's FQDN
(
For example:
After you deploy the replica set with this setting, the
Kubernetes Operator uses the hostname with the external domain to override
the To specify other hostnames for connecting to the replica set, you can use the
WARNING: Specifying this field changes how Ops Manager registers | |||||||
spec.externalAccess | collection | Optional | Configuration for the ServiceSpec. When you set the
For more information about the Kubernetes specification, see ServiceSpec in the Kubernetes documentation. | |||||||
spec.externalAccess | collection | Optional | Key-value pairs that let you add cloud provider-specific configuration settings to all clusters in your deployment. To learn more, see annotations and the documentation for your Kubernetes cloud provider. You can specify placeholder values to customize your annotations.
To learn more, see |
Add any additional accepted settings for a replica set deployment.
You can also add any of the following optional settings to the object specification file for a replica set deployment:
Warning
You must set spec.clusterDomain
if your Kubernetes cluster has
a default domain
other than the default cluster.local
. If you neither use the
default nor set the spec.clusterDomain
option, the
Kubernetes Operator might not function as expected.
Save this replica set config file with a .yaml
extension.
Start your replica set deployment.
In any directory, invoke the following Kubernetes command to create your replica set:
kubectl apply -f <replica-set-conf>.yaml
Track the status of your replica set deployment.
To check the status of your MongoDB
resource, use the following
command:
kubectl get mdb <resource-name> -o yaml -w
With the -w
(watch) flag set, when the configuration changes, the output
refreshes immediately until the status phase achieves the Running
state.
To learn more about resource deployment statuses, see Troubleshoot the Kubernetes Operator.
After you encrypt your database resource with TLS, you can secure the following:
Renew TLS Certificates for a Replica Set
Renew your TLS certificates periodically using the following procedure:
Configure kubectl
to default to your namespace.
If you have not already, run the following command to execute all
kubectl
commands in the namespace you created.
Note
If you are deploying an Ops Manager resource in a multi-Kubernetes cluster MongoDB deployment:
Set the
context
to the name of the central cluster, such as:kubectl config set context "$MDB_CENTRAL_CLUSTER_FULL_NAME"
.Set the
--namespace
to the same scope that you used for your multi-Kubernetes cluster MongoDB deployment, such as:kubectl config --namespace "mongodb"
.
kubectl config set-context $(kubectl config current-context) --namespace=<metadata.namespace>
Renew the secret for your TLS certificates.
Run this kubectl
command to renew an existing secret that
stores the replica set's certificates:
kubectl create secret tls <prefix>-<metadata.name>-cert \ --cert=<replica-set-tls-cert> \ --key=<replica-set-tls-key> \ --dry-run=client \ -o yaml | kubectl apply -f -
Configure kubectl
to default to your namespace.
If you have not already, run the following command to execute all
kubectl
commands in the namespace you created.
Note
If you are deploying an Ops Manager resource in a multi-Kubernetes cluster MongoDB deployment:
Set the
context
to the name of the central cluster, such as:kubectl config set context "$MDB_CENTRAL_CLUSTER_FULL_NAME"
.Set the
--namespace
to the same scope that you used for your multi-Kubernetes cluster MongoDB deployment, such as:kubectl config --namespace "mongodb"
.
kubectl config set-context $(kubectl config current-context) --namespace=<metadata.namespace>
Copy the sample replica set resource.
Change the settings of this YAML file to match your desired replica set configuration.
1 2 apiVersion: mongodb.com/v1 3 kind: MongoDB 4 metadata: 5 name: <my-replica-set> 6 spec: 7 members: 3 8 version: "4.2.2-ent" 9 opsManager: 10 configMapRef: 11 # Must match metadata.name in ConfigMap file 12 name: <configMap.metadata.name> 13 credentials: <mycredentials> 14 type: ReplicaSet 15 persistent: true 16 ...
Paste the copied example to create a new replica set resource.
Open your preferred text editor and paste the object specification into a new text file.
Change the settings to your preferred values.
Key | Type | Description | Example |
---|---|---|---|
string | Label for this Kubernetes replica set object. Resource names must be 44 characters or less. To learn more, see |
| |
integer | Number of members of the replica set. |
| |
string | Version of MongoDB that this replica set should run. The format should be IMPORTANT: Ensure that you choose a compatible MongoDB Server version. Compatible versions differ depending on the base image that the MongoDB database resource uses. To learn more about MongoDB versioning, see MongoDB Versioning in the MongoDB Manual. |
| |
string | Name of the ConfigMap with the Ops Manager connection
configuration. The
This value must exist on the same namespace as the resource you want to create. IMPORTANT: The Kubernetes Operator tracks any changes to the
ConfigMap and reconciles the state of the |
| |
string | Name of the secret you created as Ops Manager API authentication credentials for the Kubernetes Operator to communicate with Ops Manager. The Ops Manager Kubernetes Secret object holding the Credentials must exist on the same Namespace as the resource you want to create. IMPORTANT: The Kubernetes Operator tracks any changes to the Secret
and reconciles the state of the |
| |
string | Type of |
| |
string | Optional. Flag indicating if this If this value is To change your Persistent Volume Claims configuration, configure the following collections to meet your deployment requirements:
WARNING: Grant your containers permission to write to your Persistent Volume.
The Kubernetes Operator sets If you do not use Persistent Volumes, the Disk Usage and Disk IOPS charts cannot be displayed in either the Processes tab on the Deployment page or in the Metrics page when reviewing the data for this deployment. |
|
Add any additional accepted settings for a replica set deployment.
You can also add any of the following optional settings to the object specification file for a replica set deployment:
Warning
You must set spec.clusterDomain
if your Kubernetes cluster has
a default domain
other than the default cluster.local
. If you neither use the
default nor set the spec.clusterDomain
option, the
Kubernetes Operator might not function as expected.
Save this replica set config file with a .yaml
extension.
Start your replica set deployment.
In any directory, invoke the following Kubernetes command to create your replica set:
kubectl apply -f <replica-set-conf>.yaml
Track the status of your replica set deployment.
To check the status of your MongoDB
resource, use the following
command:
kubectl get mdb <resource-name> -o yaml -w
With the -w
(watch) flag set, when the configuration changes, the output
refreshes immediately until the status phase achieves the Running
state.
To learn more about resource deployment statuses, see Troubleshoot the Kubernetes Operator.