Plan Your Ops Manager Resource
On this page
- Architecture
- Considerations
- Encryption Key
- Application Database
- Streamlined Configuration
- Backup
- Configure Ops Manager to Run over HTTPS
- Ops Manager Application Access
- Deploying Ops Manager in Remote or Local Mode
- Managing External MongoDB Deployments
- Deploying Ops Manager in Multi-Clusters
- Secret Storage
- Prerequisites
MongoDB Ops Manager is an enterprise application that manages, backs up, and monitors MongoDB deployments. With Ops Manager, you can scale and upgrade MongoDB, optimize queries, perform point-in-time restores, receive performance alerts, and monitor your deployments. To manage and maintain Ops Manager and its underlying database, you can use the MongoDB Enterprise Kubernetes Operator to run Ops Manager as a resource deployed in a container on Kubernetes.
You can deploy Ops Manager resources in one of the following ways:
Single Kubernetes cluster mode. You can deploy a single Ops Manager instance to support your single Kubernetes cluster deployment of MongoDB resources.
Multiple Kubernetes cluster mode. You can deploy multiple Ops Manager and Application Database instances in multiple Kubernetes clusters. In this mode, the multi-cluster of
Ops Managerresources supports a deployment of the Ops Manager Application and the Application Database on multiple Kubernetes clusters.
Before you deploy an Ops Manager resource in either a single or multiple Kubernetes clusters, review Ops Manager Architecture in Kubernetes and considerations, and complete the prerequisites.
Architecture
For Ops Manager resource architecture details, see:
Single Kubernetes cluster deployments of Ops Manager resources: Ops Manager Architecture in Kubernetes.
Multiple Kubernetes cluster deployments of Ops Manager resources: Multi-Cluster Ops Manager Architecture.
Considerations
Encryption Key
The Kubernetes Operator generates an encryption key to protect sensitive
information in the Ops Manager Application Database. The Kubernetes Operator
saves this key in a secret in the same namespace as the Ops Manager
resource. The Kubernetes Operator names the secret
<om-resource-name>-gen-key.
Note
To avoid storing secrets in single-cluster Kubernetes deployments, you can migrate all secrets to a secret storage tool. Deployments on multiple Kubernetes clusters don't support storing secrets in secret storage tools, such as HashiCorp Vault.
If you remove the Ops Manager resource, the key remains stored in the secret on the Kubernetes cluster. If you stored the Application Database in a Persistent Volume and you create another Ops Manager resource with the same name, the Kubernetes Operator reuses the secret. If you create an Ops Manager resource with a different name, then Kubernetes Operator creates a new secret and Application Database, and the old secret isn't reused.
Application Database
Topology
When you create an instance of Ops Manager through the Kubernetes Operator in a single Kubernetes cluster, the Ops Manager Application Database is deployed as a replica set. You can't configure the Application Database as a standalone database or sharded cluster. If you have concerns about performance or size requirements for the Application Database, contact MongoDB Support.
When you create an instance of Ops Manager through the Kubernetes Operator in a multi-cluster mode, the Kubernetes Operator can configure the Ops Manager Application Database on multiple member clusters. To learn more, see Multi-Cluster Ops Manager Architecture.
Monitoring
The Kubernetes Operator automatically configures Ops Manager to monitor the
Application Database that backs the Ops Manager Application. The Kubernetes Operator
creates a project named <ops-manager-deployment-name>-db for you to
monitor the Application Database deployment.
Ops Manager monitors the Application Database deployment, but Ops Manager doesn't manage it. You can't change the Application Database's configuration in the Ops Manager Application.
Important
The Ops Manager UI might display warnings in the
<ops-manager-deployment-name>-db project stating that the
agents for the Application Database are out of date. You can safely
ignore these warnings.
Authentication
The Kubernetes Operator enforces SCRAM-SHA-256
authentication on
the Application Database.
The Kubernetes Operator creates the database user which Ops Manager uses to connect to the Application Database. This database user has the following attributes:
Username | mongodb-ops-manager |
Authentication Database | admin |
Roles |
You can't modify the Ops Manager database user's name and roles. You create a secret to set the database user's password. You edit the secret to update the password. If you don't create a secret or delete an existing secret, the Kubernetes Operator generates a password and stores it.
To learn about other options for secret storage, see Configure Secret Storage. Multi-cluster deployments don't support storing secrets in HashiCorp Vault.
Offline Deployments
The Kubernetes Operator requires that you specify the MongoDB Enterprise version for the Application Database image to enable any deployments of Ops Manager resources, including offline deployments.
Streamlined Configuration
After you deploy Ops Manager, you need to configure it. The regular procedure involves setting up Ops Manager through the configuration wizard. If you set some essential settings in your object specification before you deploy, you can bypass the configuration wizard.
In the spec.configuration block of your Ops Manager object
specification, you need to:
Add mms.ignoreInitialUiSetup and set to
true.Add the minimum configuration settings to allow the Ops Manager instance to start without errors.
Example
To disable the Ops Manager configuration wizard, configure the
following settings in your spec.configuration block:
1 spec: 2 configuration: 3 mms.ignoreInitialUiSetup: "true" 4 automation.versions.source: "remote" 5 mms.adminEmailAddr: cloud-manager-support@mongodb.com 6 mms.fromEmailAddr: cloud-manager-support@mongodb.com 7 mms.mail.hostname: email-smtp.us-east-1.amazonaws.com 8 mms.mail.port: "465" 9 mms.mail.ssl: "true" 10 mms.mail.transport: smtp 11 mms.minimumTLSVersion: TLSv1.2 12 mms.replyToEmailAddr: cloud-manager-support@mongodb.com
Replace the example values with the values you want your Ops Manager to use.
Backup
Kubernetes Operator enables Backup by default. The Kubernetes Operator deploys a StatefulSet comprised of one Pod to host the Backup Daemon Service and then creates a Persistent Volume Claim and Persistent Volume for the Backup Daemon's head database. The Kubernetes Operator uses the Ops Manager API to enable the Backup Daemon and configure the head database.
Important
To configure Backup, you must create the MongoDB resources or MongoDBMultiCluster resources
for the oplog store and for one of the
following:
oplog store or S3 oplog store. If you deploy both the oplog store and the S3 oplog store, Ops Manager chooses one to use for Backup at random.
S3 snapshot store or blockstore. If you deploy both an S3 snapshot store and a blockstore, Ops Manager chooses one to use for Backup at random.
The Ops Manager resource remains in a Pending state until you configure these Backup resources.
You can also encrypt backup jobs, but limitations apply to deployments where the same Kubernetes Operator instance is not managing both the MongoDBOpsManager and MongoDB custom resources.
Oplog Store
You must deploy a three-member replica set to store your oplog slices.
The Oplog database only supports the SCRAM authentication mechanism.
You cannot enable other authentication mechanisms.
If you enable SCRAM authentication on the oplog database, you
must:
Create a MongoDB user resource to connect Ops Manager to the oplog database.
Specify the
nameof the user in the Ops Manager resource definition.
S3 Oplog Store
To configure an S3 oplog store, you must create an AWS S3 or S3-compatible bucket to store your database Backup Oplog.
You can configure the oplog store for both MongoDB resource and MongoDBMultiCluster resource,
using the spec.backup.s3OpLogStores.mongodbResourceRef.name setting
in the Ops Manager resource definition.
Blockstore
To configure a blockstore, you must deploy a replica set to store snapshots.
S3 Snapshot Store
To configure an S3 snapshot store, you must create an AWS S3 or S3-compatible bucket to store your database Backup snapshots.
The default configuration stores snapshot metadata in the Application
Database. You can also deploy a replica set to store snapshot metadata,
then configure it using the
spec.backup.s3Stores.mongodbResourceRef.name settings in
the Ops Manager resource definition.
You can configure the S3 snapshot store for both MongoDB resource and MongoDBMultiCluster resource.
You can update any additional S3 configuration settings that Kubernetes Operator doesn't manage through the Ops Manager Application.
Disable Backup
To disable backup after you enabled it:
Set the Ops Manager Kubernetes object
spec.backup.enabledsetting tofalse.Disable backups in the Ops Manager Application.
Delete the Backup Daemon Service StatefulSet:
kubectl delete statefulset <metadata.name> -backup-daemon \ -n <metadata.namespace>
Important
The Persistent Volume Claim and Persistent Volume for the Backup Daemon's head database are not deleted when you delete the Backup Daemon Service StatefulSet. You can retrieve stored data before you delete these Kubernetes resources.
To learn about reclaiming Persistent Volumes, see the Kubernetes documentation.
Manually Configure KMIP Backup Encryption
For deployments where the same Kubernetes Operator instance is not managing both the MongoDBOpsManager and MongoDB custom resources, you must manually configure KMIP backup encryption client settings in Ops Manager using the following procedure. If the Kubernetes Operator is managing both resources, see Configure KMIP Backup Encryption for Ops Manager instead.
Prerequisites
A running KMIP server.
A running Ops Manager instance, configured to use KMIP.
A TLS secret that concatenates the private key and the KMIP client certificate in PEM format.
Procedure
Mount the TLS secret to the MongoDBOpsManager custom resource. For example:
apiVersion: mongodb.com/v1 kind: MongoDBOpsManager metadata: name: ops-manager-pod-spec spec: < ... omitted ... > statefulSet: spec: template: spec: volumes: - name: kmip-client-test-prefix-mdb-latest-kmip-client secretName: test-prefix-mdb-latest-kmip-client containers: - name: mongodb-ops-manager volumeMounts: - mountPath: /mongodb-ops-manager/kmip/client/test-prefix-mdb-latest-kmip-client name: kmip-client-test-prefix-mdb-latest-kmip-client readOnly: true ... Configure the KMIP settings for your project in Ops Manager following the procedure in Configure Your Project to Use KMIP.
Configure Ops Manager to Run over HTTPS
You can configure your Ops Manager instance created through the Kubernetes Operator to run over HTTPS instead of HTTP.
To configure your Ops Manager instance to run over HTTPS:
Create a secret that contains the TLS certificate and private key.
Add this secret to the Ops Manager configuration object.
For detailed instructions, see Deploy an Ops Manager Resource.
Important
If you have existing deployments, you must restart them manually after enabling HTTPS. To avoid restarting your deployments, configure HTTPS before deploying your managed resources.
To learn more, see HTTPS Enabled After Deployment.
Ops Manager Application Access
By default, the Kubernetes Operator doesn't create a Kubernetes service to route traffic originating from outside of the Kubernetes cluster to the Ops Manager application.
To access the Ops Manager application, you can:
Configure the Kubernetes Operator to create a Kubernetes service.
Create a Kubernetes service manually. MongoDB recommends using a
LoadBalancerKubernetes service if your cloud provider supports it.If you're using OpenShift, use routes.
Use a third-party service, such as Istio.
The simplest method is configuring the Kubernetes Operator to create a Kubernetes service that routes external traffic to the Ops Manager application. The Ops Manager deployment procedure instructs you to add the following settings to the object specification that configures the Kubernetes Operator to create a service:
spec.externalConnectivityspec.externalConnectivity.type
In addition, for deployments on multiple Kubernetes clusters, see Networking, Load Balancing, Service Mesh.
Deploying Ops Manager in Remote or Local Mode
You can use the Kubernetes Operator to configure a single Ops Manager cluster to operate in Local or Remote mode if your environment prevents granting hosts in your Kubernetes cluster access to the Internet. In these modes, the Backup Daemons and managed MongoDB resources download installation archives from Ops Manager instead of from the Internet:
Configure an Ops Manager Resource to use Remote Mode: Ops Manager reads the installation archives from HTTP endpoints on a web server or S3-compatible file store deployed to your Kubernetes cluster.
Configure an Ops Manager Resource to use Local Mode: Ops Manager reads the instalation archives from a Persistent Volume that you create for the Ops Manager StatefulSet.
Managing External MongoDB Deployments
When you deploy Ops Manager with the Kubernetes Operator, Ops Manager can manage MongoDB database resources deployed:
To the same Kubernetes cluster as Ops Manager.
Outside of Kubernetes clusters.
If Ops Manager manages MongoDB database resources deployed to different Kubernetes clusters than Ops Manager or outside of Kubernetes clusters, you must:
Add the
mms.centralUrlsetting tospec.configurationin the Ops Manager resource specification.Set the value to the URL by which Ops Manager is exposed outside of the Kubernetes cluster:
spec: configuration: mms.centralUrl: https://a9a8f8566e0094380b5c257746627b82-1037623671.us-east-1.elb.example.com:8080/ Update the ConfigMaps referenced by all MongoDB database resources inside the Kubernetes cluster that you deployed with the Kubernetes Operator.
Set
data.baseUrlto the same value of thespec.configuration.mms.centralUrlsetting in the Ops Manager resource specification.Important
This includes the ConfigMaps referenced by the MongoDB database resources for the oplog and snapshot stores.
Deploying Ops Manager in Multi-Clusters
Secret Storage
To avoid storing secrets in Kubernetes, migrate all Kubernetes secrets that the Kubernetes Operator creates to a secret storage tool. Multi-cluster deployments don't support storing secrets in secret storage tools such as HashiCorp Vault.
Prerequisites
If you have not already, run the following command to run all
kubectlcommands in the namespace you created:kubectl config set-context $(kubectl config current-context) \ -n <metadata.namespace> Note
If you are deploying an Ops Manager resource in a multi-Kubernetes cluster MongoDB deployment:
Set the
contextto the name of the central cluster, such as:kubectl config set context "$MDB_CENTRAL_CLUSTER_FULL_NAME".Set the
--namespaceto the same scope that you used for your multi-Kubernetes cluster MongoDB deployment, such as:kubectl config --namespace "mongodb".
Install the MongoDB Enterprise Kubernetes Operator.
Ensure that the host on which you want to deploy Ops Manager has a minimum of five gigabytes of memory.
Create a Kubernetes secret for an admin user in the same namespace as the Ops Manager resource. If you are deploying Ops Manager in a multi-Kubernetes cluster MongoDB deployment, use the same namespace that you set for your multi-Kubernetes cluster MongoDB deployment scope.
If you're using HashiCorp Vault as your secret storage tool, you can Create a Vault Secret instead.
To learn about your options for secret storage, see Configure Secret Storage.
When you deploy the Ops Manager resource, Ops Manager creates a user with these credentials and grants it the
Global Ownerrole. Use these credentials to log in to Ops Manager for the first time. Once you deploy Ops Manager, change the password or remove this secret.Note
The admin user's password must adhere to the Ops Manager password complexity requirements.
kubectl create secret generic <adminusercredentials> \ --from-literal=Username="<username>" \ --from-literal=Password="<password>" \ --from-literal=FirstName="<firstname>" \ --from-literal=LastName="<lastname>"
(Optional) To set the password for the Ops Manager database user, create a secret in the same namespace as the Ops Manager resource.
If you're using HashiCorp Vault as your secret storage tool, you can Create a Vault Secret instead.
The Kubernetes Operator creates the database user that Ops Manager uses to connect to the Ops Manager Application Database. You can set the password for this database user by invoking the following command to create a secret:
kubectl create secret generic <om-db-user-secret-name> \ --from-literal=password="<om-db-user-password>" Note
If you choose to create a secret for the Ops Manager database user, you must specify the secret's
namein the Ops Manager resource definition. By default, the Kubernetes Operator looks for the password value in thepasswordkey. If you stored the password value in a different key, you must also specify thatkeyname in the Ops Manager resource definition.If you don't create a secret, then the Kubernetes Operator automatically generates a password and stores it internally. To learn more, see Authentication.
(Optional). To configure Backup to an S3 snapshot store, create a secret in the same namespace as the Ops Manager resource.
If you're using HashiCorp Vault as your secret storage tool, you can Create a Vault Secret instead.
This secret stores your S3 credentials so that the Kubernetes Operator can connect Ops Manager to your AWS S3 or S3-compatible bucket. The secret must contain the following key-value pairs:
KeyValueaccessKeyUnique identifer of the AWS user who owns the S3 or S3-compatible bucket.secretKeySecret key of the AWS user who owns the S3 or S3-compatible bucket.To create the secret, invoke the following command:
kubectl create secret generic <my-aws-s3-credentials> \ --from-literal=accessKey="<AKIAIOSFODNN7EXAMPLE>" \ --from-literal=secretKey="<wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY>" To learn more about managing S3 snapshot storage, see the Prerequisites.