Ways to host a MongoDB cluster on Kubernetes

MongoDB from Opcito
  • Using Community Kubernetes Operator.
  • Using a custom Docker Image and Deployments.

1. Using Community Kubernetes Operator

  • Install the Community Kubernetes Operator
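# Clone the operator repository; every path below is relative to its root, so
# change into it first (the original omitted the cd).
git clone https://github.com/mongodb/mongodb-kubernetes-operator.git
cd mongodb-kubernetes-operator

# Cluster-wide resources, then the namespaced RBAC. `--namespace` had no
# argument in the original; it takes the namespace the operator will run in.
kubectl apply -f deploy/clusterwide
kubectl apply -k config/rbac --namespace <my-namespace>

# The CRD file name was truncated to .yam in the original.
kubectl apply -f config/crd/bases/mongodbcommunity.mongodb.com_mongodbcommunity.yaml
kubectl get crd/mongodbcommunity.mongodbcommunity.mongodb.com

# Operator deployment; the pod should reach Running before continuing.
kubectl create -f config/manager/manager.yaml --namespace <my-namespace>
kubectl get pods --namespace <my-namespace>

# Root CA private key. It is later loaded into the ca-key-pair Secret for
# cert-manager; keep the file itself out of version control.
openssl genrsa -out rootca.key 4096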
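# rootca.cnf -- OpenSSL configuration for the self-signed root CA.
# Consumed by: openssl req -new -x509 ... -config rootca.cnf

# For the CA policy. Only `openssl ca` reads a policy section; this guide
# does not run `openssl ca`, so it is kept for completeness only.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096
default_keyfile = rootca.key ## Matches the key from `openssl genrsa -out rootca.key`; only used when -key is omitted.
default_md = sha256 ## Use SHA-256 for Signatures
distinguished_name = req_dn
req_extensions = v3_req
x509_extensions = v3_ca # The extensions to add to the self-signed cert (-x509)

# Extensions for plain CSRs (req_extensions). Not applied to the self-signed
# CA certificate, which uses v3_ca below.
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate for TESTING only. NOT FOR PRODUCTION USE."
extendedKeyUsage = serverAuth, clientAuth

# Interactive prompts and defaults for the subject DN.
[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = IN

countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Pune
stateOrProvinceName_max = 64

localityName = Locality Name (eg, city)
localityName_default = Pune
localityName_max = 64

organizationName = Organization Name (eg, company)
organizationName_default = TestComp
organizationName_max = 64

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = TestComp
organizationalUnitName_max = 64

commonName = Common Name (eg, YOUR name)
commonName_max = 64

[ v3_ca ]
# Extensions for a typical CA

subjectKeyIdentifier=hash
basicConstraints = critical,CA:true
authorityKeyIdentifier=keyid:always,issuer:always
# Restrict the CA key to signing certificates and CRLs; the original had no
# keyUsage on the CA certificate at all.
keyUsage = critical, keyCertSign, cRLSign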
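# Self-signed root CA certificate. 36500 days (~100 years) exceeds any
# reasonable rotation policy; shorten it before using this outside a test setup.
openssl req -new -x509 -days 36500 -key rootca.key -out rootca.crt -config rootca.cnf

# Publish the CA to the cluster. The original used curly quotes (which the
# shell treats as literal characters) and pointed at ~/ca.crt / ~/ca.key,
# files that are never created above; the CA files are rootca.crt / rootca.key.
# The operator looks for the CA under the ConfigMap key ca.crt, hence the
# explicit key name. Use the same namespace as the Issuer and MongoDBCommunity
# resources created later.
kubectl create configmap ca-config-map --from-file=ca.crt=rootca.crt --namespace <your-namespace>
# This Secret holds the CA private key; limit who can read Secrets in this namespace.
kubectl create secret tls ca-key-pair --cert=rootca.crt --key=rootca.key --namespace <your-namespace>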
  • Create a MongoDB replica set in Kubernetes
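# Requires cert-manager in the cluster. The Issuer signs with the ca-key-pair
# Secret, so both must be in the same namespace (mongodb here). Indentation
# was lost in the original, which made every manifest invalid.
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer-mongo
  namespace: mongodb
spec:
  ca:
    secretName: ca-key-pair
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-manager-certificate
  namespace: mongodb
spec:
  # cert-manager writes tls.crt/tls.key into this Secret; it is what the
  # MongoDBCommunity certificateKeySecretRef points at.
  secretName: mongodb-tls
  issuerRef:
    name: ca-issuer-mongo
    kind: Issuer
  # The wildcard covers the per-member in-cluster names (presumably the
  # mongo-replicaset-svc Service the operator creates); the .com names must
  # match the replicaSetHorizons entries exactly or external TLS clients will
  # fail hostname verification.
  commonName: "*.mongo-replicaset-svc.mongodb.svc.cluster.local"
  dnsNames:
    - "*.mongo-replicaset-svc.mongodb.svc.cluster.local"
    - mongo-replicaset-0.com
    - mongo-replicaset-1.com
    - mongo-replicaset-2.com
EOF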
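# Replica set plus the two password Secrets. Indentation was lost in the
# original, which made every manifest invalid. The original also set both
# passwords to the literal "password"; the placeholders below must be replaced
# with generated values before applying (better: create the two Secrets with
# `kubectl create secret generic ... --from-literal=password=...` and drop
# them from this manifest so no credential lands in a file).
cat <<EOF | kubectl apply -f -
apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
  name: mongo-replicaset
  namespace: mongodb
spec:
  members: 3
  type: ReplicaSet
  # Quoted so 5.0.2 is not read as a float; pin to a currently supported release.
  version: "5.0.2"
  # External names advertised to clients; must resolve to the per-member
  # LoadBalancer Services and appear in the Certificate dnsNames.
  replicaSetHorizons:
    - horizon: mongo-replicaset-0.com:27017
    - horizon: mongo-replicaset-1.com:27017
    - horizon: mongo-replicaset-2.com:27017
  security:
    tls:
      enabled: true
      # Secret produced by the cert-manager Certificate (tls.crt/tls.key).
      certificateKeySecretRef:
        name: mongodb-tls
      # ConfigMap created earlier with the CA under the ca.crt key.
      caConfigMapRef:
        name: ca-config-map
    authentication:
      modes: ["SCRAM"]
  users:
    - name: admin
      db: admin
      passwordSecretRef: # a reference to the secret that will be used to generate the user's password
        name: admin-password
      # root already includes clusterAdmin and userAdminAnyDatabase; kept as
      # written, but one role would do.
      roles:
        - name: clusterAdmin
          db: admin
        - name: userAdminAnyDatabase
          db: admin
        - name: root
          db: admin
      scramCredentialsSecretName: admin-scram
    - name: dumpUser
      db: admin
      passwordSecretRef: # a reference to the secret that will be used to generate the user's password
        name: dumpuser-password
      # readWriteAnyDatabase is broader than a dump/backup user needs; the
      # built-in backup role is the least-privilege choice for mongodump.
      roles:
        - name: readWriteAnyDatabase
          db: admin
      scramCredentialsSecretName: dumpuser-scram
  additionalMongodConfig:
    storage.wiredTiger.engineConfig.journalCompressor: zlib
  statefulSet:
    spec:
      volumeClaimTemplates:
        - metadata:
            name: data-volume
          spec:
            # This StorageClass must already exist in the cluster.
            storageClassName: mongodb-ssd-storage
            accessModes: ["ReadWriteOnce"]
            resources:
              requests:
                storage: 512Gi
---
apiVersion: v1
kind: Secret
metadata:
  name: admin-password
  namespace: mongodb
type: Opaque
stringData:
  password: "<replace-with-generated-admin-password>"
---
apiVersion: v1
kind: Secret
metadata:
  name: dumpuser-password
  namespace: mongodb
type: Opaque
stringData:
  password: "<replace-with-generated-dumpuser-password>"
EOF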
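# One LoadBalancer Service per replica set member, selected by pod name, so
# each horizon name can point at a stable external address. Indentation was
# lost in the original, which made every manifest invalid. Each Service exposes
# a database port to whatever can reach the load balancer; add
# spec.loadBalancerSourceRanges with the client CIDRs you actually need, and
# keep TLS + SCRAM enabled on the replica set.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: mongo-replicaset-0
  namespace: mongodb
spec:
  ports:
    - port: 27017
      protocol: TCP
      targetPort: 27017
  selector:
    statefulset.kubernetes.io/pod-name: mongo-replicaset-0
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: mongo-replicaset-1
  namespace: mongodb
spec:
  ports:
    - port: 27017
      protocol: TCP
      targetPort: 27017
  selector:
    statefulset.kubernetes.io/pod-name: mongo-replicaset-1
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: mongo-replicaset-2
  namespace: mongodb
spec:
  ports:
    - port: 27017
      protocol: TCP
      targetPort: 27017
  selector:
    statefulset.kubernetes.io/pod-name: mongo-replicaset-2
  type: LoadBalancer
EOF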

2. Using a custom Docker Image and Deployments
