Ops Manager Resource Specification
The MongoDB Enterprise Kubernetes Operator creates a containerized Ops Manager deployment from specification files that you write.
After you create or update an Ops Manager resource specification, you direct MongoDB Enterprise Kubernetes Operator to apply this specification to your Kubernetes environment. Kubernetes Operator creates the services and custom Kubernetes resources that Ops Manager requires, then deploys Ops Manager and its backing application database in containers in your Kubernetes environment.
Each Ops Manager resource uses an object specification in YAML to define the characteristics and settings of the deployment.
Examples
The following example shows a resource specification for an Ops Manager deployment:
apiVersion: mongodb.com/v1
kind: MongoDBOpsManager
metadata:
  name: om
spec:
  replicas: 1
  version: "6.0.0"
  adminCredentials: ops-manager-admin
  configuration:
    mms.fromEmailAddr: admin@example.com
    mms.security.allowCORS: "false"
  backup:
    enabled: true
    encryption:
      kmip:
        server:
          url: kmip.corp.mongodb.com:5696
          ca: mongodb-kmip-certificate-authority-pem
    headDB:
      storage: "30Gi"
      labelSelector:
        matchLabels:
          app: my-app
    opLogStores:
      - name: oplog1
        # Sets labels for the oplog store.
        assignmentLabels: ["test1", "test2"]
        mongodbResourceRef:
          name: my-oplog-db
        mongodbUserRef:
          name: my-oplog-user
    s3Stores:
      - name: s3store1
        # Sets labels for the S3 store.
        assignmentLabels: ["test1", "test2"]

        mongodbResourceRef:
          name: my-s3-metadata-db
        mongodbUserRef:
          name: my-s3-store-user
        s3SecretRef:
          name: my-s3-credentials
        pathStyleAccessEnabled: true
        s3BucketEndpoint: s3.region.amazonaws.com
        s3BucketName: my-bucket

  applicationDatabase:
    passwordSecretKeyRef:
      name: om-db-user-secret
      key: password
    members: 3
    version: "4.4.5-ubi8"
Required Ops Manager Resource Settings
This section describes settings that you must use for all Ops Manager resources.
kind
Type: string
Required. Kind of MongoDB Kubernetes resource to create. Set this to MongoDBOpsManager.
metadata.name
Type: string
Required. Name of the MongoDB Kubernetes resource you are creating.
Resource names must be 44 characters or less.
spec.replicas
Type: integer
Required. Number of Ops Manager instances to run in parallel. The minimum accepted value is 1.
Note
Highly Available Ops Manager Resources
For high availability, set this value to more than 1. Multiple Ops Manager instances can read from the same Application Database, ensuring failover if one instance is unavailable and enabling you to update the Ops Manager resource without downtime.
spec.version
Type: string
Required. Version of Ops Manager that you want to install on this MongoDB Kubernetes resource.
spec.adminCredentials
Type: string
Required. Name of the Kubernetes secret you created for the Ops Manager admin user. When you deploy the Ops Manager resource, Kubernetes Operator creates a user with these credentials.
Note
To avoid storing secrets in Kubernetes, you can migrate all secrets to a secret storage tool.
The admin user is granted the Global Owner role.
spec.applicationDatabase.members
Type: integer
Required. Number of members in the Application Database replica set.
spec.applicationDatabase.version
Type: string
Required. Version of MongoDB installed on the Ops Manager Application Database. You must specify a compatible enterprise MongoDB version based on the tag in the container registry. For example, 6.0.0-ubi8. Starting in Kubernetes Operator version 1.20, tags no longer end in -ent.
Important
Ensure that you choose a compatible MongoDB Server version.
Compatible versions differ depending on the base image that the MongoDB database resource uses.
Note
If you update this value to a later version of MongoDB for the Application Database, the Feature Compatibility Version (FCV) does not change unless you also specify the featureCompatibilityVersion parameter under spec.applicationDatabase.
Optional Ops Manager Resource Settings
Ops Manager resources can use the following settings:
spec.applicationDatabase
Type: collection
Ops Manager Application Database resource definition.
The following settings from the replica set resource specification are optional:
spec.applicationDatabase.additionalMongodConfig
spec.applicationDatabase.agent
spec.applicationDatabase.agent.startupOptions
spec.applicationDatabase.monitoringAgent.startupOptions
spec.applicationDatabase.featureCompatibilityVersion
spec.applicationDatabase.logLevel
spec.applicationDatabase.podSpec.persistence.single
spec.applicationDatabase.podSpec.persistence.multiple.data
spec.applicationDatabase.podSpec.persistence.multiple.journal
spec.applicationDatabase.podSpec.persistence.multiple.logs
spec.applicationDatabase.podSpec.podTemplate
Note
All settings under spec.applicationDatabase.agent apply to both Automation and Monitoring, unless you specify values for Automation and Monitoring separately in spec.applicationDatabase.agent and spec.applicationDatabase.monitoringAgent.
spec.applicationDatabase.memberConfig.priority
Type: string
Number that indicates the relative eligibility of an application database replica set member to become a primary.
To increase eligibility for a replica set member to become primary, specify a higher value.
To decrease eligibility for a replica set member to become primary, specify a lower value.
For example, a member with a spec.applicationDatabase.memberConfig.priority of "1.5" is more likely than a member with "0.5" to become a primary. A member with a priority of "0" is ineligible to become primary. To learn more, see Member Priority.
spec.applicationDatabase.memberConfig.tags
Type: map
Map of replica set tags for directing read and write operations to specific members of your application database replica set.
spec.applicationDatabase.memberConfig.votes
Type: number
Determines whether an application database replica set member can vote in an election. Set to 1 to allow the member to vote. Set to 0 to exclude the member from an election.
spec.applicationDatabase.passwordSecretKeyRef.name
Type: string
Name of the secret that contains the password for the Ops Manager database user mongodb-ops-manager. Ops Manager uses this password to authenticate to the Application Database.
spec.applicationDatabase.passwordSecretKeyRef.key
Type: string
Name of the field in the secret that contains the password for the Ops Manager database user mongodb-ops-manager. Ops Manager uses this password to authenticate to the Application Database.
The default value is password.
spec.applicationDatabase.security.certsSecretPrefix
Type: string
Text to prefix to the name of the secret that contains the application database's TLS certificate. Name the secret <prefix>-<metadata.name>-db-cert.
spec.applicationDatabase.security.tls.ca
Type: string
Name of the Kubernetes ConfigMap containing the CA file for the application database.
Important
spec.applicationDatabase.security.tls.ca is required if you use a custom CA to sign your application database's TLS certificates.
The Kubernetes Operator requires that you name the application database's certificate ca-pem in the ConfigMap.
The CA specified in this section is also used for configuring custom TLS certificates for S3 storage when either spec.backup.s3OpLogStores.customCertificate or spec.backup.s3Stores.customCertificate is set to true.
This CA signs the certificates that:
the application database replica set members use to communicate with one another, and
Ops Manager uses to communicate with the application database replica set.
Warning
You must concatenate your custom CA file and the entire TLS certificate chain from downloads.mongodb.com to prevent Ops Manager from becoming inoperable if the application database restarts.
spec.app
Type: string
Text to prefix to the Kubernetes secret that you created that contains your application database's TLS key and certificate.
You must name your secret <prefix>-<metadata.name>-db-cert.
To learn how to configure your Ops Manager instance to run over HTTPS, see Deploy an Ops Manager Resource.
spec.applicationDatabase.security.tls.enabled
Important
spec.security.applicationDatabase.tls.enabled is deprecated and will be removed in a future release. To enable TLS, provide a value for the spec.security.applicationDatabase.certsSecretPrefix setting.
Encrypts communications using TLS certificates between Ops Manager and the application database.
spec.backup.assignmentLabels
Type: array of strings
A list of assignment labels for the Backup Daemon Service processes. Use assignment labels to identify that specific backup daemon processes are associated with particular projects. If you set assignment labels using the Kubernetes Operator, the values that you set in the Kubernetes configuration file for assignment labels override the values defined in the Ops Manager UI. Assignment labels that you don't set using the Kubernetes Operator continue to use the values set in the Ops Manager UI.
spec.backup.enabled
Type: boolean
Flag that enables Backup for your Ops Manager resource. When set to false, Backup is disabled.
Default value is true.
spec.backup.encryption
Type: object
Object that contains the backup encryption configuration settings.
spec.backup.encryption.kmip
Type: object
Object that contains the KMIP backup encryption configuration settings. To learn more, see Configure KMIP Backup Encryption for Ops Manager.
Note
If you set this parameter, the API key linked with the value of spec.credentials must have the Global Owner role.
spec.backup.encryption.kmip.server
Type: object
Object that contains the KMIP backup encryption server configuration settings.
spec.backup.encryption.kmip.server.ca
Type: string
Human-readable label that identifies the ConfigMap that contains an entry for the CA certificate (ca.pem) to use for KMIP authentication.
spec.backup.encryption.kmip.server.url
Type: string
URL for the KMIP server that uses the hostname:port format (for example, 192.168.1.3:5696 or my-kmip-server.mycorp.com:5696).
spec.backup.headDB
Type: collection
Configuration settings for the head database. Kubernetes Operator creates a Persistent Volume Claim with the specified configuration.
Scalar | Data Type | Description
labelSelector | string | Tag used to bind mounted volumes to directories.
storage | string | Minimum size of Persistent Volume that should be mounted. This value is expressed as an integer followed by a unit of storage in JEDEC notation. Default value is 30Gi. Example: If the head database requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass | string | Type of storage specified in a Persistent Volume Claim. You may create this storage type as a StorageClass object before using it in this object specification. Note: Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.
spec.backup.jvmParameters
Type: array of strings
Optional. JVM parameters passed to the Ops Manager backup service in the container.
This Kubernetes Operator parameter defaults to an empty list.
spec:
  backup:
    jvmParameters: ["-XX:+UseStringCache"]
Warning
Change the JVM Memory Heap values at your own risk
Kubernetes Operator calculates the JVM memory heap values of the backup service based on the container's memory. Changing the -Xms and -Xmx values can cause issues with Ops Manager.
spec.backup.members
Type: integer
Optional. Number of backup daemon services to deploy in Kubernetes. If not specified, defaults to 1. To ensure high availability for your backup service, deploy multiple backup daemons in Ops Manager.
spec.backup.opLogStores
Type: collection
Required if you enable backup.
Array of oplog stores used for backup. Each item in the array references a MongoDB database resource deployed in the Kubernetes cluster by the Kubernetes Operator.
spec.backup.opLogStores.assignmentLabels
Type: array of strings
A list of assignment labels for the oplog store. Use assignment labels to identify that specific oplog stores are associated with particular projects. If you set assignment labels using the Kubernetes Operator, the values that you set in the Kubernetes configuration file for assignment labels override the values defined in the Ops Manager UI. Assignment labels that you don't set using the Kubernetes Operator continue to use the values set in the Ops Manager UI.
spec.backup.opLogStores.name
Type: string
Required if you enable Backup.
Name of the oplog store.
Important
Once specified, don't edit the name of the oplog store.
spec.backup.opLogStores.mongodbResourceRef.name
Type: string
Required if you enable Backup.
Name of the MongoDB database resource that you create to store oplog slices. You must deploy this database resource in the same namespace as the Ops Manager resource.
The Oplog database only supports the SCRAM authentication mechanism. You cannot enable other authentication mechanisms.
If you enable SCRAM authentication on the oplog database, you must:
Create a MongoDB user resource to connect Ops Manager to the oplog database.
Specify the name of the user in the Ops Manager resource definition.
If a MongoDB database resource with this name doesn't exist, the backup resource enters a Pending state. The Kubernetes Operator retries every 10 seconds until a MongoDB database resource with this name is created.
Note
The Kubernetes Operator begins to reconcile the Ops Manager resource automatically when you make security changes to the database resources you reference in this setting. The Kubernetes Operator updates the mongoURI and ssl flags in the Ops Manager configuration based on your changes.
spec.backup.opLogStores.mongodbUserRef.name
Type: string
Required if SCRAM authentication is enabled on the oplog store database.
Name of the MongoDB user resource used to connect to the oplog store database. Deploy this user resource in the same namespace as the Ops Manager resource and with all of the following roles:
spec.backup.blockStores
Type: collection
Required if you enable Backup using a blockstore.
Array of blockstores used for Backup. Each item in the array references a MongoDB database resource deployed in the Kubernetes cluster by the Kubernetes Operator.
spec.backup.blockStores.assignmentLabels
Type: array of strings
A list of assignment labels for the blockstore. Use assignment labels to identify that specific blockstores are associated with particular projects. If you set assignment labels using the Kubernetes Operator, the values that you set in the Kubernetes configuration file for assignment labels override the values defined in the Ops Manager UI. Assignment labels that you don't set using the Kubernetes Operator continue to use the values set in the Ops Manager UI.
spec.backup.blockStores.name
Type: string
Required if you enable backup using a blockstore.
Name of the blockstore.
Important
Once specified, don't edit the name of the blockstore.
spec.backup.blockStores.mongodbResourceRef.name
Type: string
Required if you enable backup using a blockstore.
Name of the MongoDB database resource that you create for the blockstore. You must deploy this database resource in the same namespace as the Ops Manager resource.
The blockstore database only supports the SCRAM authentication mechanism. You cannot enable other authentication mechanisms.
If you enable SCRAM authentication on the blockstore database, you must:
Create a MongoDB user resource to connect Ops Manager to the blockstore database.
Specify the name of the user in the Ops Manager resource definition.
If a MongoDB database resource with this name doesn't exist, the backup resource enters a Pending state. The Kubernetes Operator retries every 10 seconds until a MongoDB database resource with this name is created.
Note
The Kubernetes Operator begins to reconcile the Ops Manager resource automatically when you make security changes to the database resources you reference in this setting. The Kubernetes Operator updates the mongoURI and ssl flags in the Ops Manager configuration based on your changes.
spec.backup.blockStores.mongodbUserRef.name
Type: string
Required if SCRAM authentication is enabled on the blockstore database.
Name of the MongoDB user resource used to connect to the blockstore database. Deploy this user resource in the same namespace as the Ops Manager resource and with all of the following roles:
spec.backup.queryableBackupSecretRef.name
Type: string
Name of the secret that contains the queryable.pem file from Ops Manager that you will use for accessing and querying backups based on your deployment's TLS requirements.
The PEM file contains a public key certificate and its associated private key that are needed to access and run queries on backup snapshots in Ops Manager. To query backups, specify the value for this parameter. If not set, backups are not affected, but you can't query them.
spec.backup.statefulSet.spec
Type: collection
Specification for the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the backup daemon service.
To review which fields you can add to spec.backup.statefulSet.spec, see StatefulSetSpec v1 apps in the Kubernetes documentation.
spec.backup.statefulSet.spec.template
Type: collection
Template for the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the backup daemon service.
Note
The Kubernetes Operator doesn't validate the fields you provide in spec.backup.statefulSet.spec.template.
spec.backup.statefulSet.spec.template.metadata
Type: collection
Metadata for the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the backup daemon service.
To review which fields you can add to spec.backup.statefulSet.spec.template.metadata, see the Kubernetes documentation.
spec.backup.statefulSet.spec.template.spec
Type: collection
Specifications of the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the backup daemon service.
To review the complete list of fields you can add to spec.backup.statefulSet.spec.template.spec, see the Kubernetes documentation.
The following example spec.backup.statefulSet.spec.template.spec defines minimum and maximum CPU and memory capacity for one backup daemon service container the MongoDB Enterprise Kubernetes Operator deploys:
statefulSet:
  spec:
    template:
      spec:
        containers:
          - name: mongodb-backup-daemon
            resources:
              requests:
                cpu: "0.50"
                memory: "4500M"
              limits:
                cpu: "1"
                memory: "6000M"
spec.backup.statefulSet.spec.template.spec.containers
Type: collection
List of containers that belong to the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the backup daemon service.
To modify the specifications of the backup daemon service container, you must provide the exact name of the container using the name field, as shown in the following example:
backup:
  statefulSet:
    spec:
      template:
        spec:
          containers:
            - name: mongodb-backup-daemon
Note
When you add containers to spec.backup.statefulSet.spec.template.spec.containers, the Kubernetes Operator adds them to the Kubernetes pod. These containers are appended to the Backup Daemon Service containers in the pod.
spec.backup.statefulSet.spec.template.spec.containers.resources.requests.cpu
Type: string
Minimum CPU capacity that must be available on a Kubernetes node to host the backup daemon service.
The requested value must be less than or equal to spec.backup.statefulSet.spec.template.spec.containers.resources.limits.cpu.
spec.backup.statefulSet.spec.template.spec.containers.resources.limits.cpu
Type: string
Maximum CPU capacity for the node being created to host the backup daemon service. If omitted, this value is set to spec.backup.statefulSet.spec.template.spec.containers.resources.requests.cpu.
spec.backup.statefulSet.spec.template.spec.containers.resources.requests.memory
Type: string
Minimum memory capacity that must be available on a Kubernetes node to host the backup daemon service on Kubernetes. This value is expressed as an integer followed by a unit of memory in JEDEC notation.
Note
Set this value to at least 4.5Gi. Values of less than 4.5Gi might result in an error.
The requested value must be less than or equal to spec.backup.statefulSet.spec.template.spec.containers.resources.limits.memory.
spec.backup.statefulSet.spec.template.spec.containers.resources.limits.memory
Type: string
Maximum memory capacity for the node being created to host the backup daemon service. If omitted, this value is set to spec.backup.statefulSet.spec.template.spec.containers.resources.requests.memory.
The Kubernetes Operator calculates and sets parameters for Java heap size based on the container's memory.
Warning
Limit this value to less than 32 GB
Setting this value to a value greater than 32 GB (32Gi) can cause issues with the backup service. Excessive heaps can cause unpredictable results in Ops Manager.
spec.clusterDomain
Type: string
Kubernetes assigns each Pod a FQDN. The Kubernetes Operator calculates the FQDN for each Pod using a provided clusterDomain. Kubernetes doesn't provide an API to query these hostnames.
spec.clusterName
Type: string
Kubernetes assigns each Pod a FQDN. The Kubernetes Operator calculates the FQDN for each Pod using a provided clusterName. Kubernetes doesn't provide an API to query these hostnames.
spec.configuration
Type: collection
Ops Manager configuration properties. See Ops Manager Configuration Settings for property names and descriptions. Each property takes a value of type string.
Important
If Ops Manager will manage MongoDB resources deployed outside of the Kubernetes cluster it's deployed to, you must add the mms.centralUrl setting to spec.configuration.
Set the value to the URL by which Ops Manager is exposed outside of the Kubernetes cluster.
spec.configuration.mms.mongoDbUsage.defaultUsageType
Type: string
The Kubernetes service's default server type.
Accepted values are: PRODUCTION_SERVER, TEST_SERVER, DEV_SERVER, and RAM_POOL.
spec.externalConnectivity
Type: collection
Configuration object that enables external connectivity to Ops Manager. If provided, the Kubernetes Operator creates a Kubernetes service that allows traffic originating from outside of the Kubernetes cluster to reach the Ops Manager application.
If not provided, the Kubernetes Operator doesn't create a Kubernetes service. You must create one manually or use a third-party solution that enables you to route external traffic to the Ops Manager Application in your Kubernetes cluster.
spec.externalConnectivity.type
Type: string
The Kubernetes service ServiceType that exposes Ops Manager outside of Kubernetes.
Required if spec.externalConnectivity.type is present.
Accepted values are: LoadBalancer and NodePort.
LoadBalancer is recommended if your cloud provider supports it. Use NodePort for local deployments.
spec.externalConnectivity.port
Type: integer
Port that the Kubernetes service exposing the Ops Manager Application uses for external traffic.
If spec.externalConnectivity.type is NodePort:
The Kubernetes service exposes the Ops Manager Application to external traffic through this port.
If you don't provide a spec.externalConnectivity.port value, the Kubernetes service routes traffic to the Ops Manager Application from an available port selected randomly from the following default range: 30000-32767.
Note
You must configure your network's firewall to allow traffic over this port.
If spec.externalConnectivity.type is LoadBalancer:
The load balancer resource that your cloud provider creates exposes the Ops Manager Application through this port.
If you don't provide a spec.externalConnectivity.port value, the Kubernetes service exposes the Ops Manager Application to external traffic through the default HTTP (8080) or HTTPS (8443) port.
spec.externalConnectivity.loadBalancerIP
Type: string
The IP address the LoadBalancer Kubernetes service uses when the Kubernetes Operator creates it.
This setting can only be used if your cloud provider supports it and spec.externalConnectivity.type is LoadBalancer. To learn more about the Type LoadBalancer, see the Kubernetes documentation.
spec.externalConnectivity.externalTrafficPolicy
Type: string
Routing policy for external traffic to the Ops Manager Kubernetes service. The service routes external traffic to node-local or cluster-wide endpoints depending on the value of this setting.
Accepted values are: Cluster and Local. To learn which of these values meets your requirements, see Source IPs in Kubernetes in the Kubernetes documentation.
Note
If you select Cluster, the Source-IP of your clients is lost during the network hops that happen at the Kubernetes network boundary.
spec.externalConnectivity.annotations
Type: collection
Key-value pairs that allow you to provide cloud provider-specific configuration settings.
To learn more about Annotations and TLS support on AWS, see the Kubernetes documentation.
spec.jvmParameters
Type: array of strings
Optional. JVM parameters passed to the Ops Manager Application in the container. Any parameters given replace the default JVM parameters for the Ops Manager Application.
This Kubernetes Operator parameter defaults to an empty list.
spec:
  jvmParameters: ["-XX:+HeapDumpOnOutOfMemoryError","-XX:HeapDumpPath=/tmp"]
Important
Change the JVM Memory Heap values at your own risk
Kubernetes Operator calculates the JVM memory heap values of the Ops Manager Application based on the container's memory. Changing the -Xms and -Xmx values can cause issues with Ops Manager.
spec.security.certsSecretPrefix
Type: string
Text to prefix to the Kubernetes secret that you created that contains Ops Manager's TLS key and certificate.
You must name your secret <prefix>-<metadata.name>-cert.
To learn how to configure your Ops Manager instance to run over HTTPS, see Deploy an Ops Manager Resource.
spec.security.tls.ca
Name of the Kubernetes ConfigMap that contains a custom CA file for Ops Manager.
Important
spec.security.tls.ca is required if you use a custom CA to sign your Ops Manager TLS certificates.
The Kubernetes Operator requires that you name the certificate for the Ops Manager resource mms-ca.crt in the ConfigMap.
This CA signs the certificates that:
clients use to connect to the Ops Manager Application, and
agents in the application database Pods use to communicate with Ops Manager.
Warning
You must concatenate your custom CA file and the entire TLS certificate chain from downloads.mongodb.com to prevent Ops Manager from becoming inoperable if the application database restarts.
spec.security.tls.enabled
Important
spec.security.tls.enabled is deprecated and will be removed in a future release. To enable TLS, provide a value for the spec.security.certsSecretPrefix setting.
Encrypts communications using TLS certificates between clients and Ops Manager.
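The checks below are an added example, not part of the MongoDB documentation or the Operator: a pre-apply lint, in Python, of the constraints this page states for required fields, TLS settings, KMIP and JVM parameters. It assumes the resource has already been parsed into a dict; the function names, the two sample resources and the om-prod, om-ca and appdb-ca values are constructed for illustration.

```python
import re

# hostname:port, the format the page gives for spec.backup.encryption.kmip.server.url
HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")
REQUIRED = ("spec.replicas", "spec.version", "spec.adminCredentials",
            "spec.applicationDatabase.members", "spec.applicationDatabase.version")


def dig(obj, path, default=None):
    """Walk a dotted path through nested dicts; return default if a key is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def lint(res):
    """Return findings for a parsed MongoDBOpsManager resource (a dict)."""
    out = []
    name = dig(res, "metadata.name", "")
    if res.get("kind") != "MongoDBOpsManager":
        out.append("kind must be MongoDBOpsManager")
    if not name or len(name) > 44:
        out.append("metadata.name must be set and 44 characters or less")
    for path in REQUIRED:
        if dig(res, path) in (None, ""):
            out.append(f"{path} is required")
    replicas = dig(res, "spec.replicas")
    if isinstance(replicas, int) and replicas < 1:
        out.append("spec.replicas must be at least 1")
    # TLS is enabled through certsSecretPrefix; the tls.enabled flags are deprecated.
    for base in ("spec.security", "spec.applicationDatabase.security"):
        if dig(res, f"{base}.tls.enabled") is not None:
            out.append(f"{base}.tls.enabled is deprecated; use {base}.certsSecretPrefix")
        elif not dig(res, f"{base}.certsSecretPrefix"):
            out.append(f"{base}.certsSecretPrefix is not set; TLS is not enabled")
    backup = dig(res, "spec.backup")
    if backup is not None and backup.get("enabled", True):  # page default: true
        # Assumption: an S3 oplog store also satisfies the oplog store requirement.
        if not (backup.get("opLogStores") or backup.get("s3OpLogStores")):
            out.append("backup is enabled but no oplog store is defined")
    kmip = dig(backup, "encryption.kmip.server")
    if kmip is not None:
        if not HOSTPORT.match(str(kmip.get("url", ""))):
            out.append("spec.backup.encryption.kmip.server.url must be hostname:port")
        if not kmip.get("ca"):
            out.append("spec.backup.encryption.kmip.server.ca is not set")
    for path in ("spec.jvmParameters", "spec.backup.jvmParameters"):
        if any(p.startswith(("-Xms", "-Xmx")) for p in dig(res, path, [])):
            out.append(f"{path} sets -Xms/-Xmx, which the Operator calculates itself")
    return out


def expected_tls_objects(res):
    """Secret names and ConfigMap keys the page requires for the TLS settings in use."""
    name, want = dig(res, "metadata.name", ""), {}
    for base, suffix, ca_key in (("spec.security", "cert", "mms-ca.crt"),
                                 ("spec.applicationDatabase.security", "db-cert", "ca-pem")):
        prefix = dig(res, f"{base}.certsSecretPrefix")
        if prefix:  # Secret must be named <prefix>-<metadata.name>-<suffix>
            want[f"{base}.certsSecretPrefix"] = f"{prefix}-{name}-{suffix}"
        if dig(res, f"{base}.tls.ca"):  # certificate entry name inside the ConfigMap
            want[f"{base}.tls.ca"] = ca_key
    return want


# Constructed sample: the page's example resource, trimmed, with TLS settings added.
GOOD = {
    "kind": "MongoDBOpsManager", "metadata": {"name": "om"},
    "spec": {
        "replicas": 1, "version": "6.0.0", "adminCredentials": "ops-manager-admin",
        "security": {"certsSecretPrefix": "om-prod", "tls": {"ca": "om-ca"}},
        "backup": {
            "encryption": {"kmip": {"server": {"url": "kmip.corp.mongodb.com:5696",
                                               "ca": "mongodb-kmip-certificate-authority-pem"}}},
            "opLogStores": [{"name": "oplog1", "mongodbResourceRef": {"name": "my-oplog-db"}}],
        },
        "applicationDatabase": {
            "members": 3, "version": "4.4.5-ubi8",
            "security": {"certsSecretPrefix": "om-prod", "tls": {"ca": "appdb-ca"}}},
    },
}

# Constructed sample containing the mistakes the checks are meant to catch.
BAD = {
    "kind": "MongoDBOpsManager", "metadata": {"name": "om"},
    "spec": {
        "replicas": 1, "version": "6.0.0",  # adminCredentials is missing
        "security": {"tls": {"enabled": True}},
        "jvmParameters": ["-Xmx8g"],
        "backup": {"encryption": {"kmip": {"server": {"url": "https://kmip.example.internal"}}}},
        "applicationDatabase": {"members": 3, "version": "4.4.5-ubi8"},
    },
}

if __name__ == "__main__":
    print(lint(GOOD), lint(BAD), expected_tls_objects(GOOD), sep="\n")
```

The lint only reads the resource; whether the named Secrets and ConfigMaps actually exist in the namespace still has to be checked against the cluster.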
spec.statefulSet.spec
Type: collection
Specification for the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for Ops Manager.
To review which fields you can add to spec.statefulSet.spec, see StatefulSetSpec v1 apps in the Kubernetes documentation.
spec.statefulSet.spec.template
Type: collection
Template for the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the Ops Manager.
Note
The Kubernetes Operator doesn't validate the fields you provide in spec.statefulSet.spec.template.
spec.statefulSet.spec.template.metadata
Type: collection
Metadata for the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the Ops Manager.
To review which fields you can add to spec.statefulSet.spec.template.metadata, see the Kubernetes documentation.
spec.statefulSet.spec.template.spec
Type: collection
Specifications of the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the Ops Manager.
To review the complete list of fields you can add to spec.statefulSet.spec.template.spec, see the Kubernetes documentation.
The following example spec.statefulSet.spec.template.spec defines minimum and maximum CPU and memory capacity for one Ops Manager container the MongoDB Enterprise Kubernetes Operator deploys:
statefulSet:
  spec:
    template:
      spec:
        containers:
          - name: mongodb-ops-manager
            resources:
              requests:
                cpu: "0.70"
                memory: "6Gi"
              limits:
                cpu: "1"
                memory: "7000M"
spec.statefulSet.spec.template.spec.containers
Type: collection
List of containers that belong to the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the Ops Manager.
To modify the specifications of the Ops Manager container, you must provide the exact name of the container using the name field, as shown in the following example:
statefulSet:
  spec:
    template:
      spec:
        containers:
          - name: mongodb-ops-manager
Note
When you add containers to spec.statefulSet.spec.template.spec.containers, the Kubernetes Operator adds them to the Kubernetes pod. These containers are appended to the Ops Manager containers in the pod.
spec.statefulSet.spec.template.spec.containers.resources.requests.cpu
Type: string
Minimum CPU capacity that must be available on a Kubernetes node to host the Ops Manager.
The requested value must be less than or equal to spec.statefulSet.spec.template.spec.containers.resources.limits.cpu.
spec.statefulSet.spec.template.spec.containers.resources.limits.cpu
Type: string
Maximum CPU capacity for the node being created to host the Ops Manager. If omitted, this value is set to spec.statefulSet.spec.template.spec.containers.resources.requests.cpu.
spec.statefulSet.spec.template.spec.containers.resources.requests.memory
Type: string
Minimum memory capacity that must be available on a Kubernetes node to host the Ops Manager on Kubernetes. This value is expressed as an integer followed by a unit of memory in JEDEC notation.
Example
If Ops Manager on Kubernetes requires 6 gigabytes of memory, set this value to 6Gi.
Note
MongoDB recommends setting this value to at least 5Gi.
The requested value must be less than or equal to spec.statefulSet.spec.template.spec.containers.resources.limits.memory.
spec.statefulSet.spec.template.spec.containers.resources.limits.memory
Type: string
Maximum memory capacity for the node being created to host the Ops Manager. If omitted, this value is set to spec.statefulSet.spec.template.spec.containers.resources.requests.memory.
The Kubernetes Operator calculates and sets parameters for Java heap size based on the container's memory.
Warning
Limit this value to less than 32 GB
Setting this value to a value greater than 32 GB (32Gi) can cause issues with the backup service. Excessive heaps can cause unpredictable results in Ops Manager.
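The following added example (not from the MongoDB documentation) converts Kubernetes CPU and memory quantities and applies the resource rules stated above: requests must not exceed limits, an omitted limit is set to the request, requests.memory has a floor, and memory limits above 32Gi are flagged. The function names and the third sample are assumptions made for illustration; the first two samples carry the resources values from the two statefulSet examples on this page.

```python
from decimal import Decimal

# Kubernetes quantity suffixes: binary (Ki, Mi, Gi, Ti) and decimal (k, M, G, T).
_SUFFIX = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
           "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def mem_bytes(q):
    """Convert a memory quantity such as "6Gi" or "4500M" to bytes."""
    q = str(q)
    for suffix in ("Ki", "Mi", "Gi", "Ti", "k", "M", "G", "T"):
        if q.endswith(suffix):
            return Decimal(q[:-len(suffix)]) * _SUFFIX[suffix]
    return Decimal(q)  # no suffix: a plain number of bytes


def cpu_cores(q):
    """Convert a CPU quantity such as "0.50", "1" or "700m" to cores."""
    q = str(q)
    return Decimal(q[:-1]) / 1000 if q.endswith("m") else Decimal(q)


def check_resources(resources, min_memory):
    """Check one container's resources block against the rules on this page.

    min_memory is the floor for requests.memory: "4.5Gi" for the backup daemon,
    "5Gi" (the recommended value) for Ops Manager.
    """
    out = []
    req = resources.get("requests", {})
    lim = resources.get("limits", {})
    for kind, conv in (("cpu", cpu_cores), ("memory", mem_bytes)):
        requested = req.get(kind)
        limit = lim.get(kind, requested)  # an omitted limit is set to the request
        if requested is not None and conv(requested) > conv(limit):
            out.append(f"requests.{kind} {requested} exceeds limits.{kind} {limit}")
    if "memory" in req and mem_bytes(req["memory"]) < mem_bytes(min_memory):
        out.append(f"requests.memory {req['memory']} is below {min_memory}")
    mem_limit = lim.get("memory", req.get("memory"))
    if mem_limit is not None and mem_bytes(mem_limit) > mem_bytes("32Gi"):
        out.append(f"limits.memory {mem_limit} is above 32Gi")
    return out


# Values from the backup daemon example on this page.
BACKUP_DAEMON = {"requests": {"cpu": "0.50", "memory": "4500M"},
                 "limits": {"cpu": "1", "memory": "6000M"}}
# Values from the Ops Manager example on this page.
OPS_MANAGER = {"requests": {"cpu": "0.70", "memory": "6Gi"},
               "limits": {"cpu": "1", "memory": "7000M"}}
# Constructed sample: CPU request above its limit and a memory limit above 32Gi.
CONSTRUCTED = {"requests": {"cpu": "2", "memory": "8Gi"},
               "limits": {"cpu": "1", "memory": "40Gi"}}

if __name__ == "__main__":
    print(check_resources(BACKUP_DAEMON, "4.5Gi"))
    print(check_resources(OPS_MANAGER, "5Gi"))
    print(check_resources(CONSTRUCTED, "5Gi"))
```

4500M is a decimal quantity (4.5 × 10^9 bytes), so it falls below 4.5Gi (about 4.83 × 10^9 bytes) and the first check reports it.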
Prometheus Settings
The following settings apply when you use Prometheus with your application database:
spec.applicationDatabase.prometheus
Type: array
Optional
List that contains the parameters for exposing metrics to Prometheus.
spec.applicationDatabase.prometheus.metricsPath
Type: string
Optional
Default: "/metrics"
Human-readable string that indicates the path to the metrics endpoint. If you don't specify this setting, the default applies.
spec.applicationDatabase.prometheus.passwordSecretRef
Type: object
Conditional
Object that contains the details of the secret for basic HTTP authentication. If you want to use Prometheus with your application database, you must specify this setting.
spec.applicationDatabase.prometheus.passwordSecretRef.key
Type: string
Optional
Default: "password"
Human-readable string that identifies the key in the secret that stores the password for basic HTTP authentication. If you don't specify this setting, the default applies.
spec.applicationDatabase.prometheus.passwordSecretRef.name
Type: string
Conditional
Human-readable label that identifies the secret that contains the password for basic HTTP authentication. If you want to use Prometheus with your application database, you must specify this setting.
spec.applicationDatabase.prometheus.port
Type: integer
Optional
Default: 9216
Number that identifies the port that the metrics endpoint will bind to. If you don't specify this setting, the default applies.
spec.applicationDatabase.prometheus.tlseSecretKeyRef
Type: object
Optional
Object that contains the details of the secret for TLS authentication.
spec.applicationDatabase.prometheus.tlseSecretKeyRef.key
Type: string
Optional
Default: "password"
Human-readable string that identifies the key in the secret that stores the password for TLS authentication. If you don't specify this setting, the default applies.
spec.applicationDatabase.prometheus.tlseSecretKeyRef.name
Type: string
Conditional
Human-readable label that identifies the secret that contains the password for TLS authentication. If you want to use Prometheus with your application database and you want to use TLS authentication, you must specify this setting.
S3 Settings
You can configure Ops Manager to use S3 for storing oplogs and backup snapshots, and secure connections to S3 with TLS using keys issued by a custom CA.
To configure custom CA keys, use the ConfigMap with which you configured TLS for your application database as described on the TLS-Encrypted Connection (HTTPS) tab of Deploy an Ops Manager Resource. Set spec.applicationDatabase.security.tls.ca to this ConfigMap.
You can use TLS for both S3 and your application database, or for S3 only.
To use TLS for both, get certificates for both purposes from the same ca-pem referenced in the ConfigMap.
To use TLS for S3 only, don't define spec.security.applicationDatabase.certsSecretPrefix in your ConfigMap.
spec.backup.s3OpLogStores.assignmentLabels
Type: array of strings
A list of assignment labels for S3 oplog stores. Use assignment labels to identify that specific S3 oplog stores are associated with particular projects. If you set assignment labels using the Kubernetes Operator, the values that you set in the Kubernetes configuration file for assignment labels override the values defined in the Ops Manager UI. Assignment labels that you don't set using the Kubernetes Operator continue to use the values set in the Ops Manager UI.
spec.backup.s3OpLogStores.customCertificate
Type: boolean
Flag that indicates whether you use custom TLS certificates for your S3 oplog store specified by spec.applicationDatabase.security.tls.ca. The default is False.
spec.backup.s3OpLogStores.irsaEnabled
Type: boolean
Flag that enables using AWS IAM roles for service accounts in AWS EKS to configure an S3 oplog store. The default is False. If you aren't using AWS EKS, this flag has no effect. When set to False, using AWS IAM roles for service accounts in EKS to configure an S3 oplog store is disabled. To learn more, see IAM roles for service accounts in EKS.
spec.backup.s3OpLogStores.name
Type: string
Required to store the oplog using an S3 store.
Name of the S3 oplog store.
spec.backup.s3OpLogStores.mongodbResourceRef.name
Type: string
Name of the MongoDB database resource that you create to store metadata for the S3 oplog store. You must deploy this database resource in the same namespace as the Ops Manager resource.
Note
Omit this setting to use the application database to store metadata for the S3 oplog store.
If you omit this setting, you must also omit the spec.backup.s3OpLogStores.mongodbUserRef.name setting. The Kubernetes Operator handles SCRAM user authentication internally.
If you enable SCRAM authentication on this database, you must:
- Create a MongoDB user resource to connect Ops Manager to the database.
- Specify the name of the user in the Ops Manager resource definition.
spec.backup.s3OpLogStores.mongodbUserRef.name
Type: string
Required if you created a MongoDB database resource to store S3 oplog metadata and SCRAM is enabled on this database.
Name of the MongoDB user resource used to connect to the metadata database of the S3 oplog store. Deploy this user resource in the same namespace as the Ops Manager resource and with all of the following roles:
Important
Once specified, don't edit the name of the S3 metadata oplog store username.
spec.backup.s3OpLogStores.s3SecretRef.name
Type: string
Required to store the oplog using an S3 store.
Name of the secret that contains the accessKey and secretKey fields. The backup daemon service uses the values of these fields as credentials to access your AWS S3 or S3-compatible bucket. To configure the S3 oplog store, you must specify both keys in the secret.
spec.backup.s3OpLogStores.pathStyleAccessEnabled
Type: boolean
Indicates the style of the bucket endpoint URL.
Value   Description              Example
true    Path-style URL           s3.amazonaws.com/<bucket>
false   Virtual-host-style URL   <bucket>.s3.amazonaws.com
Default value is true.
spec.backup.s3OpLogStores.s3BucketEndpoint
Type: string
Required to store the oplog using an S3 store.
URL of the AWS S3 bucket or S3-compatible bucket that hosts the oplog store.
Note
If your endpoint doesn't include a region in its URL, specify the s3RegionOverride field.
spec.backup.s3OpLogStores.s3BucketName
Type: string
Required to store the oplog using an S3 store.
Name of the AWS S3 bucket or S3-compatible bucket that hosts the oplog store.
spec.backup.s3OpLogStores.s3RegionOverride
Type: string
Region where your S3-compatible bucket resides. Use this field only if your S3 oplog store's s3BucketEndpoint doesn't support region scoping. Region scoping is when your endpoint doesn't include a region in its URL.
Don't use this field with AWS S3 buckets. For more information, see S3 Blockstore Configuration.
spec.backup.s3Stores.assignmentLabels
Type: array of strings
A list of assignment labels for the S3 or S3-compatible buckets where Ops Manager stores the database backup snapshots. Use assignment labels to identify that specific S3 stores are associated with particular projects. If you set assignment labels using the Kubernetes Operator, the values that you set in the Kubernetes configuration file for assignment labels override the values defined in the Ops Manager UI. Assignment labels that you don't set using the Kubernetes Operator continue to use the values set in the Ops Manager UI.
spec.backup.s3Stores.customCertificate
Type: boolean
Flag that indicates whether you use custom TLS certificates for your S3 snapshot store specified by spec.applicationDatabase.security.tls.ca. The default is False.
spec.backup.s3Stores.irsaEnabled
Type: boolean
Flag that enables using AWS IAM roles for service accounts in AWS EKS to configure an S3 snapshot store. The default is False. If you aren't using AWS EKS, this flag has no effect. When set to False, using AWS IAM roles for service accounts in EKS to configure an S3 snapshot store is disabled. To learn more, see IAM roles for service accounts in EKS.
spec.backup.s3Stores.name
Type: string
Required to store the oplog using an S3 store.
Name of the S3 snapshot store.
Important
Once specified, don't edit the name of the S3 snapshot store. This change will likely fail if backups use the old name. The consequences of a successful change are unpredictable.
spec.backup.s3Stores.mongodbResourceRef.name
Type: string
Name of the MongoDB database resource that you create to store metadata for the S3 snapshot store. You must deploy this database resource in the same namespace as the Ops Manager resource.
Note
Omit this setting to use the application database to store metadata for the S3 snapshot store.
If you omit this setting, you must also omit the spec.backup.s3Stores.mongodbUserRef.name setting. The Kubernetes Operator handles SCRAM user authentication internally.
If you enable SCRAM authentication on this database, you must:
- Create a MongoDB user resource to connect Ops Manager to the database.
- Specify the name of the user in the Ops Manager resource definition.
Important
Once specified, don't edit the name of the S3 snapshot store. This change will likely fail if backups use the old name. The consequences of a successful change are unpredictable.
If a MongoDB database resource with this name doesn't exist, the backup resource enters a Pending state. The Kubernetes Operator retries every 10 seconds until a MongoDB database resource with this name is created.
Note
The Kubernetes Operator begins to reconcile the Ops Manager resource automatically when you make security changes to the database resources you reference in this setting. The Kubernetes Operator updates the mongoURI and ssl flags in the Ops Manager configuration based on your changes.
spec.backup.s3Stores.mongodbUserRef.name
Type: string
Required if you created a MongoDB database resource to store S3 snapshot metadata and SCRAM is enabled on this database.
Name of the MongoDB user resource used to connect to the metadata database of the S3 snapshot store. Deploy this user resource in the same namespace as the Ops Manager resource and with all of the following roles:
Important
Once specified, don't edit the name of the S3 metadata snapshot store username.
spec.backup.s3Stores.s3SecretRef.name
Type: string
Required if you enable Backup using an S3 store.
Name of the secret that contains the accessKey and secretKey fields. The backup daemon service uses the values of these fields as credentials to access your AWS S3 or S3-compatible bucket. The S3 snapshot store can't be configured if the secret is missing either key.
spec.backup.s3Stores.pathStyleAccessEnabled
Type: boolean
Indicates the style of the bucket endpoint URL.
Value   Description              Example
true    Path-style URL           s3.amazonaws.com/<bucket>
false   Virtual-host-style URL   <bucket>.s3.amazonaws.com
Default value is true.
spec.backup.s3Stores.s3BucketEndpoint
Type: string
Required if you enable Backup using an S3 store.
URL of the AWS S3 bucket or S3-compatible bucket that hosts the snapshot store.
Note
If your endpoint doesn't include a region in its URL, specify the s3RegionOverride field.
spec.backup.s3Stores.s3BucketName
Type: string
Required if you enable Backup using an S3 store.
Name of the AWS S3 bucket or S3-compatible bucket that hosts the snapshot store.
spec.backup.s3Stores.s3RegionOverride
Type: string
Region where your S3-compatible bucket resides. Use this field only if your S3 store's s3BucketEndpoint doesn't support region scoping. Region scoping is when your endpoint doesn't include a region in its URL.
Don't use this field with AWS S3 buckets. For more information, see S3 Blockstore Configuration.
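A pre-apply check for the S3 store rules listed above, added here as an example; it is not part of the MongoDB documentation or the Kubernetes Operator. The function name, the finding messages, the amazonaws.com host test, and the treatment of irsaEnabled as standing in for s3SecretRef are assumptions of this example.

```python
import re

REQUIRED = ("name", "s3BucketEndpoint", "s3BucketName")
AWS_HOST = re.compile(r"(^|\.)amazonaws\.com(:\d+)?$")

def _get(obj, dotted):
    """Walk a dotted path through nested dicts; None if any part is absent."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def lint_s3_stores(spec):
    """Return findings for spec.backup.s3Stores and spec.backup.s3OpLogStores."""
    findings = []
    ca = _get(spec, "applicationDatabase.security.tls.ca")
    for kind in ("s3Stores", "s3OpLogStores"):
        for i, store in enumerate(_get(spec, f"backup.{kind}") or []):
            where = f"spec.backup.{kind}[{i}]"
            for field in REQUIRED:
                if not store.get(field):
                    findings.append(f"{where}: missing required {field}")
            # Assumption of this example: with irsaEnabled the IAM role supplies credentials.
            if not store.get("irsaEnabled") and not _get(store, "s3SecretRef.name"):
                findings.append(f"{where}: missing s3SecretRef.name")
            if _get(store, "mongodbUserRef.name") and not _get(store, "mongodbResourceRef.name"):
                findings.append(f"{where}: mongodbUserRef set without mongodbResourceRef")
            if store.get("customCertificate") and not ca:
                findings.append(f"{where}: customCertificate set but no tls.ca ConfigMap")
            endpoint = store.get("s3BucketEndpoint") or ""
            host = re.sub(r"^https?://", "", endpoint).split("/")[0]
            if store.get("s3RegionOverride") and AWS_HOST.search(host):
                findings.append(f"{where}: s3RegionOverride used with an AWS S3 endpoint")
    return findings

# Constructed sample: the "spec" mapping of a MongoDBOpsManager resource.
SAMPLE_SPEC = {
    "applicationDatabase": {"members": 3},
    "backup": {
        "s3Stores": [{"name": "s3store1", "s3SecretRef": {"name": "my-s3-credentials"},
                      "s3BucketEndpoint": "s3.region.amazonaws.com", "s3BucketName": "my-bucket",
                      "customCertificate": True, "s3RegionOverride": "region"}],
        "s3OpLogStores": [{"name": "oplog-s3", "mongodbUserRef": {"name": "my-oplog-user"},
                           "s3BucketEndpoint": "https://minio.example.internal:9000"}],
    },
}

if __name__ == "__main__":
    for finding in lint_s3_stores(SAMPLE_SPEC):
        print(finding)
```

Pass it the spec mapping loaded from your resource file; an empty list means none of these rules were violated.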