Deploy a Resource to Use with Prometheus

You can use the mongodb-prometheus-sample.yaml file to deploy a MongoDB resource in your Kubernetes cluster, with a ServiceMonitor to indicate to Prometheus how to consume metrics data from it.

The sample specifies a simple MongoDB resource with one user, and the spec.prometheus attribute with basic HTTP authentication and no TLS. The sample lets you test the metrics that MongoDB sends to Prometheus.

Note

You can't use Prometheus with a multi-Kubernetes-cluster deployment.

We tested this setup with version 0.54 of the Prometheus Operator.

Prerequisites:

  • Kubernetes 1.16+

  • Helm 3+

You can install the Prometheus Operator using Helm. To learn more, see the installation instructions.

To install the Prometheus Operator using Helm, run the following commands:

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm install prometheus prometheus-community/kube-prometheus-stack \
--namespace <prometheus-system> \
--create-namespace

Run the following command to install the Kubernetes Operator and create a namespace to contain the Kubernetes Operator and resources:

helm install enterprise-operator mongodb/enterprise-operator \
--namespace <mongodb> --create-namespace

To learn more, see Install the MongoDB Enterprise Kubernetes Operator.

You can apply the sample directly with the following command:

Note

Specify the full path to the mongodb-prometheus-sample.yaml file. Ensure you specify spec.credentials and spec.cloudManager.configMapRef.name.

kubectl apply -f <mongodb-prometheus-sample.yaml>

This command creates two secrets that contain authentication for a new MongoDB user and basic HTTP authentication for the Prometheus endpoint. The command creates both secrets in the mongodb namespace.

This command also creates a ServiceMonitor that configures Prometheus to consume this resource's metrics. This command creates the ServiceMonitor in the prometheus-system namespace.

  1. To install cert-manager using Helm, see the cert-manager installation documentation.

  2. To create a cert-manager Issuer, see the cert-manager configuration documentation.

  3. To create a certificate, see the cert-manager usage documentation.

Important

Do NOT use this configuration in Production environments! A security expert should advise you about how to configure TLS.

To enable TLS, you must add a new entry to the spec.prometheus section of the MongoDB custom resource. Run the following patch operation to add the needed entry.

Note

tlsSecretKeyRef.name points at a secret of type kubernetes.io/tls that holds a server certificate.

kubectl patch mdbc mongodb --type='json' \
-p='[{"op": "add", "path": "/spec/prometheus/tlsSecretKeyRef", "value":{"name": "prometheus-target-cert"}}]' \
--namespace mongodb

The following response appears:

mongodbenterprise.mongodbenterprise.mongodb.com/mongodb patched

After a few minutes, the MongoDB resource should return to the Running phase. Now you must configure the Prometheus ServiceMonitor to point to the HTTPS endpoint.

To update the ServiceMonitor, run the following command to patch the resource again:

kubectl patch servicemonitors mongodb-sm --type='json' \
-p='
[
{"op": "replace", "path": "/spec/endpoints/0/scheme", "value": "https"},
{"op": "add", "path": "/spec/endpoints/0/tlsConfig", "value": {"insecureSkipVerify": true}}
]
' \
--namespace mongodb

The following response appears:

servicemonitor.monitoring.coreos.com/mongodb-sm patched

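With these changes, the new ServiceMonitor points to the HTTPS endpoint (defined in /spec/endpoints/0/scheme). You also set /spec/endpoints/0/tlsConfig/insecureSkipVerify to true, so that Prometheus doesn't verify the TLS certificates on MongoDB's end. The connection is encrypted, but Prometheus sends its basic authentication credentials without confirming the identity of the endpoint it is talking to.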

Prometheus should now be able to scrape the MongoDB target using HTTPS.
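The following check is an added example, not part of the MongoDB sample or the Kubernetes Operator. It audits ServiceMonitor endpoints for the two transport settings this page uses for testing: basic authentication over plain HTTP, and HTTPS with insecureSkipVerify set to true. The sample data is constructed; the serverName value and the ca.crt key of the prometheus-target-cert secret are assumptions.

```python
# Constructed sample in the shape of `kubectl get servicemonitors -o json`.
# Endpoints 0 and 1 are this page's ServiceMonitor before and after the TLS
# patch; endpoint 2 verifies the server certificate against a CA
# (serverName and the ca.crt key are assumptions, not values from the page).
BASIC_AUTH = {
    "username": {"name": "metrics-endpoint-creds", "key": "username"},
    "password": {"name": "metrics-endpoint-creds", "key": "password"},
}
SAMPLE = {"items": [{
    "metadata": {"name": "mongodb-sm", "namespace": "mongodb"},
    "spec": {"endpoints": [
        {"port": "prometheus", "scheme": "http", "basicAuth": BASIC_AUTH},
        {"port": "prometheus", "scheme": "https", "basicAuth": BASIC_AUTH,
         "tlsConfig": {"insecureSkipVerify": True}},
        {"port": "prometheus", "scheme": "https", "basicAuth": BASIC_AUTH,
         "tlsConfig": {"serverName": "metrics.example.internal",
                       "ca": {"secret": {"name": "prometheus-target-cert",
                                         "key": "ca.crt"}}}},
    ]},
}]}


def audit_endpoint(ep):
    """Return the transport findings for one ServiceMonitor endpoint."""
    findings = []
    tls = ep.get("tlsConfig") or {}
    # The scheme defaults to http when the field is omitted.
    if ep.get("scheme", "http") != "https":
        findings.append("plaintext-scrape")
        if "basicAuth" in ep:
            findings.append("credentials-over-http")
    elif tls.get("insecureSkipVerify"):
        findings.append("tls-verification-disabled")
    return findings


def audit(servicemonitors):
    """Map 'namespace/name[index]' to findings, for endpoints that have any."""
    report = {}
    for sm in servicemonitors.get("items", []):
        meta = sm.get("metadata", {})
        for i, ep in enumerate(sm.get("spec", {}).get("endpoints", [])):
            found = audit_endpoint(ep)
            if found:
                report[f"{meta.get('namespace')}/{meta.get('name')}[{i}]"] = found
    return report


if __name__ == "__main__":
    for where, found in audit(SAMPLE).items():
        print(where, ", ".join(found))
```

To audit a cluster, pass audit() the parsed JSON output of kubectl get servicemonitors --all-namespaces -o json instead of SAMPLE.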

Create the following mongodb-prometheus-sample.yaml file to deploy a MongoDB resource in your Kubernetes cluster, with a ServiceMonitor to indicate to Prometheus how to consume metrics data from it.

This sample file specifies a simple MongoDB resource with one user, and the spec.prometheus attribute with basic HTTP authentication and no TLS. The sample lets you test the metrics that MongoDB sends to Prometheus.

To learn more, see Prometheus Settings.

---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-replica-set
spec:
  members: 3
  version: 5.0.6-ent
  cloudManager:
    configMapRef:
      name: <project-configmap>
  credentials: <credentials-secret>
  type: ReplicaSet
  persistent: true
  prometheus:
    passwordSecretRef:
      # SecretRef to a Secret with a 'password' entry on it.
      name: metrics-endpoint-password
    # Change this value to your Prometheus username.
    username: prometheus-username
    # Enables HTTPS on the Prometheus scraping endpoint.
    # This should be a reference to a Secret of type kubernetes.io/tls.
    # tlsSecretKeyRef:
    #   name: <prometheus-tls-cert-secret>
    # Port for Prometheus, default is 9216
    # port: 9216
    #
    # Metrics path for Prometheus, default is /metrics
    # metricsPath: '/metrics'
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  # This needs to match `spec.serviceMonitorSelector.matchLabels` from your
  # `prometheuses.monitoring.coreos.com` resource.
  labels:
    release: prometheus
  name: mongodb-sm
  # Make sure this namespace is the same as in `spec.namespaceSelector`.
  namespace: mongodb
spec:
  endpoints:
  # Configuring a Prometheus endpoint with basic auth.
  # `metrics-endpoint-creds` is a Secret containing `username` and `password` entries.
  - basicAuth:
      password:
        key: password
        name: metrics-endpoint-creds
      username:
        key: username
        name: metrics-endpoint-creds
    # This port matches what we created in our MongoDB Service.
    port: prometheus
    # If using an HTTPS-enabled endpoint, change scheme to https.
    scheme: http
    # Configure different TLS related settings. For more information, see:
    # https://github.com/prometheus-operator/prometheus-operator/blob/main/pkg/apis/monitoring/v1/types.go#L909
    # tlsConfig:
    #   insecureSkipVerify: true
  # What namespace to watch
  namespaceSelector:
    matchNames:
    # Change this to the namespace where the MongoDB resource was deployed.
    - mongodb
  # Service labels to match
  selector:
    matchLabels:
      app: my-replica-set-svc
---
apiVersion: v1
kind: Secret
metadata:
  name: metrics-endpoint-creds
  namespace: mongodb
type: Opaque
stringData:
  password: 'Not-So-Secure!'
  username: prometheus-username
...

The following examples show the resource definitions required to use Prometheus with your MongoDB resource.

To learn more, see Prometheus Settings.

---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-replica-set
spec:
  members: 3
  version: 5.0.6-ent
  cloudManager:
    configMapRef:
      name: <project-configmap>
  credentials: <credentials-secret>
  type: ReplicaSet
  persistent: true
  prometheus:
    passwordSecretRef:
      name: metrics-endpoint-password
    username: prometheus-username
...
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    release: prometheus
  name: mongodb-sm
  namespace: mongodb
spec:
  endpoints:
  - basicAuth:
      password:
        key: password
        name: metrics-endpoint-creds
      username:
        key: username
        name: metrics-endpoint-creds
    port: prometheus
    scheme: http
  namespaceSelector:
    matchNames:
    - mongodb
  selector:
    matchLabels:
      app: my-replica-set-svc
...
---
apiVersion: v1
kind: Secret
metadata:
  name: metrics-endpoint-creds
  namespace: mongodb
type: Opaque
stringData:
  password: 'Not-So-Secure!'
  username: prometheus-username
...