Ops Manager Resource Specification

The MongoDB Enterprise Kubernetes Operator creates a containerized Ops Manager deployment from specification files that you write.

After you create or update an Ops Manager resource specification, you direct MongoDB Enterprise Kubernetes Operator to apply this specification to your Kubernetes environment. Kubernetes Operator creates the services and custom Kubernetes resources that Ops Manager requires, then deploys Ops Manager and its backing application database in containers in your Kubernetes environment.

Each Ops Manager resource uses an object specification in YAML to define the characteristics and settings of the deployment.

The following examples show a resource specification for an Ops Manager deployment:

This section describes settings that you must use for all Ops Manager resources.

apiVersion

Type: string

Required. Version of the MongoDB Kubernetes resource schema.

kind

Type: string

Required. Kind of MongoDB Kubernetes resource to create. Set this to MongoDBOpsManager.

metadata.name

Type: string

Required. Name of the MongoDB Kubernetes resource you are creating.

Resource names must be 44 characters or fewer.

spec.replicas

Type: integer

Required. Number of Ops Manager instances to run in parallel. The minimum accepted value is 1.

Note

Highly Available Ops Manager Resources

For high availability, set this value to more than 1. Multiple Ops Manager instances can read from the same Application Database, ensuring failover if one instance is unavailable and enabling you to update the Ops Manager resource without downtime.

spec.version

Type: string

Required. Version of Ops Manager that you want to install on this MongoDB Kubernetes resource.

spec.adminCredentials

Type: string

Required. Name of the Kubernetes secret you created for the Ops Manager admin user. When you deploy the Ops Manager resource, Kubernetes Operator creates a user with these credentials.

Note

To avoid storing secrets in Kubernetes, you can migrate all secrets to a secret storage tool.

The admin user is granted the Global Owner role.

spec.applicationDatabase.version

Type: string

Required. Version of MongoDB installed on the Ops Manager Application Database. You must specify a compatible enterprise MongoDB version based on the tag in the container registry. For example, 6.0.0-ubi8. Starting in Kubernetes Operator version 1.20, tags no longer end in -ent.

Important

Ensure that you choose a compatible MongoDB Server version.

Compatible versions differ depending on the base image that the MongoDB database resource uses.

Note

If you update this value to a later version of MongoDB for the Application Database, the Feature Compatibility Version (FCV) does not change unless you also specify the featureCompatibilityVersion parameter under spec.applicationDatabase.

Ops Manager resources can use the following settings:

spec.applicationDatabase

Type: collection

Ops Manager Application Database resource definition.

The following settings from the replica set resource specification are optional.

Note

All settings under spec.applicationDatabase.agent apply to both Automation and Monitoring, unless you specify values for Automation and Monitoring separately in spec.applicationDatabase.agent and spec.applicationDatabase.monitoringAgent.

spec.applicationDatabase.agent.logRotate

Type: object

MongoDB configuration object for rotating the MongoDB logs of a process. To use the agent.logRotate settings, you must set systemLog.destination to file; the agent.logRotate settings can't be used if you write logs to the host's syslog system.

spec.applicationDatabase.agent.logRotate.numTotal

Type: integer

Default: 0

Total number of log files that Ops Manager retains. If you don't change the default, Ops Manager bases rotation on your other agent.logRotate settings.

spec.applicationDatabase.agent.logRotate.numUncompressed

Type: integer

Default: 5

Maximum number of total log files to leave uncompressed, including the current log file.

spec.applicationDatabase.agent.logRotate.percentOfDiskspace

Type: number

Default: 0.02

Maximum percentage of total disk space that Ops Manager can use to store the log files, expressed as a decimal. If this limit is exceeded, Ops Manager deletes compressed log files until it meets this limit. Ops Manager deletes the oldest log files first.

spec.applicationDatabase.agent.logRotate.sizeThresholdMB

Type: number

Required if rotating logs.

Maximum size in MB for an individual log file before Ops Manager rotates it. Ops Manager rotates the log file immediately if it meets the value given in either this sizeThresholdMB or the logRotate.timeThresholdHrs limit.

spec.applicationDatabase.agent.logRotate.timeThresholdHrs

Type: integer

Required if rotating logs.

Maximum duration in hours for an individual log file before the next rotation. The time is measured since the last rotation. Ops Manager rotates the log file immediately if it meets the value given in either this timeThresholdHrs or the logRotate.sizeThresholdMB limit.

spec.applicationDatabase.agent.logRotate.includeAuditLogsWithMongoDBLogs

Type: boolean

Set to true to have the Automation Agent rotate the audit files along with MongoDB log files.

spec.applicationDatabase.agent.startupOptions

Type: object

MongoDB configuration object for startup options. See MongoDB Agent Settings for available fields.

spec.applicationDatabase.agent.systemLog

Type: object

MongoDB configuration object for configuring the systemLog options.

spec.applicationDatabase.agent.systemLog.path

Type: string

Default: /var/log/mongodb-mms-automation/mongodb.log

The path of the log file to which mongod or mongos should send all diagnostic logging information, rather than the standard output or the host's syslog. MongoDB creates the log file at the specified path.

The Linux package init scripts don't expect systemLog.path to change from the defaults. If you use the Linux packages and change systemLog.path, you will have to use your own init scripts and disable the built-in scripts.

spec.applicationDatabase.agent.systemLog.logAppend

Type: boolean

Default: false

When true, mongos or mongod appends new entries to the end of the existing log file when the mongos or mongod instance restarts. Without this option, mongod will back up the existing log and create a new file.

spec.applicationDatabase.agent.systemLog.destination

Type: string

The destination to which MongoDB sends all log output. Specify either file or syslog. If you specify file, you must also specify systemLog.path.

If you don't specify systemLog.path, MongoDB sends all log output to standard output.

Warning

The syslog daemon generates timestamps when it logs a message, not when MongoDB issues the message. This behavior can lead to misleading timestamps for log entries, especially when the system is under heavy load. We recommend using the file option for production systems to ensure accurate timestamps.

spec.applicationDatabase.topology

Type: string

Optional. The type of the Kubernetes deployment for the Application Database.

  • The values are SingleCluster or MultiCluster. If omitted, the default value is SingleCluster.

  • If you specify MultiCluster, you must specify the clusterSpecList and include in it the clusterName of each Kubernetes cluster included in your multi-Kubernetes-cluster deployment, and the number of members in each Kubernetes cluster.

  • If you specify MultiCluster, the Kubernetes Operator ignores values that you set for the spec.applicationDatabase.members field, if specified.

To learn more, see the example of the resource specification.

spec.applicationDatabase.clusterSpecList

Type: collection

Details of selected Kubernetes member clusters in a multi-Kubernetes-cluster deployment that serve as nodes that host the Application Database.

spec.applicationDatabase.clusterSpecList.clusterName

Type: string

Name of the member Kubernetes cluster in a multi-Kubernetes-cluster deployment where the MongoDB Enterprise Kubernetes Operator schedules the StatefulSet for the Application Database.

Important

You can't convert a single cluster Ops Manager instance to a multi-Kubernetes-cluster deployment instance by modifying the topology and the clusterSpecList settings in the CRD.

spec.applicationDatabase.clusterSpecList.clusterName.members

Type: number

Number of statefulSet nodes in the given member cluster. The member cluster is one of the member clusters that hosts the Application Database in a multi-Kubernetes-cluster deployment.

spec.applicationDatabase.memberConfig.priority

Type: string

Number that indicates the relative likelihood of an application database replica set member to become the primary.

  • To increase the relative likelihood that a replica set member becomes the primary, specify a higher priority value.

  • To decrease the relative likelihood that a replica set member becomes the primary, specify a lower priority value.

For example, a member with a memberConfig.priority of 1.5 is more likely than a member with a memberConfig.priority of 0.5 to become the primary.

A member with a memberConfig.priority of 0 is ineligible to become the primary. To learn more, see Member Priority.

spec.applicationDatabase.memberConfig.tags

Type: map

Map of replica set tags for directing read and write operations to specific members of your application database replica set.

spec.applicationDatabase.memberConfig.votes

Type: number

Determines whether an application database replica set member can vote in an election. Set to 1 to allow the member to vote. Set to 0 to exclude the member from an election.

spec.applicationDatabase.passwordSecretKeyRef.name

Type: string

Name of the secret that contains the password for the Ops Manager database user mongodb-ops-manager. Ops Manager uses this password to authenticate to the Application Database.

spec.applicationDatabase.passwordSecretKeyRef.key

Type: string

Name of the field in the secret that contains the password for the Ops Manager database user mongodb-ops-manager. Ops Manager uses this password to authenticate to the Application Database.

The default value is password.

spec.applicationDatabase.security.certsSecretPrefix

Type: string

Text to prefix to the name of the secret that contains the application database's TLS certificate. Name the secret <prefix>-<metadata.name>-db-cert.

spec.applicationDatabase.security.tls.ca

Type: string

Name of the Kubernetes ConfigMap containing the CA file for the application database.

Important

spec.applicationDatabase.security.tls.ca is required if you use a custom CA to sign your application database's TLS certificates.

The Kubernetes Operator requires that you name the application database's certificate ca-pem in the ConfigMap.

The CA specified in this section is also used for configuring custom TLS certificates for S3 storage when either spec.backup.s3OpLogStores.customCertificate or spec.backup.s3Stores.customCertificate are set to true.

This CA signs the certificates that:

  • the application database replica set members use to communicate with one another, and

  • Ops Manager uses to communicate with the application database replica set.

Warning

You must concatenate your custom CA file and the entire TLS certificate chain from downloads.mongodb.com to prevent Ops Manager from becoming inoperable if the application database restarts.

spec.app

Type: string

Text to prefix to the Kubernetes secret that you created that contains your application database's TLS key and certificate.

You must name your secret <prefix>-<metadata.name>-db-cert.

To learn how to configure your Ops Manager instance to run over HTTPS, see Deploy an Ops Manager Resource.

spec.applicationDatabase.security.tls.enabled

Important

spec.applicationDatabase.security.tls.enabled is deprecated and will be removed in a future release. To enable TLS, provide a value for the spec.applicationDatabase.security.certsSecretPrefix setting.

Encrypts communications using TLS certificates between Ops Manager and the application database.

spec.backup.assignmentLabels

Type: array of strings

A list of assignment labels for the Backup Daemon Service processes. Use assignment labels to identify that specific backup daemon processes are associated with particular projects. If you set assignment labels using the Kubernetes Operator, the values that you set in the Kubernetes configuration file for assignment labels override the values defined in the Ops Manager UI. Assignment labels that you don't set using the Kubernetes Operator continue to use the values set in the Ops Manager UI.

spec.backup.enabled

Type: boolean

Flag that enables Backup for your Ops Manager resource. When set to false, Backup is disabled.

Default value is true.

spec.backup.encryption

Type: object

Object that contains the backup encryption configuration settings.

spec.backup.encryption.kmip

Type: object

Object that contains the KMIP backup encryption configuration settings. To learn more, see Configure KMIP Backup Encryption for Ops Manager.

Note

If you set this parameter, the API key linked with the value of spec.credentials must have the Global Owner role.

spec.backup.encryption.kmip.server

Type: object

Object that contains the KMIP backup encryption server configuration settings.

spec.backup.encryption.kmip.server.ca

Type: string

Human-readable label that identifies the ConfigMap that contains an entry for the CA certificate (ca.pem) to use for KMIP authentication.

spec.backup.encryption.kmip.server.url

Type: string

URL for the KMIP server in hostname:port format (for example, 192.168.1.3:5696 or my-kmip-server.mycorp.com:5696).

spec.backup.headDB

Type: collection

Configuration settings for the head database. Kubernetes Operator creates a Persistent Volume Claim with the specified configuration.

Scalar        | Data Type | Description
labelSelector | string    | Tag used to bind mounted volumes to directories.
storage       | string    | Minimum size of the Persistent Volume that should be mounted, expressed as an integer followed by a unit of storage in JEDEC notation. Default value is 30Gi. For example, if the head database requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass  | string    | Type of storage specified in a Persistent Volume Claim. You may create this storage type as a StorageClass object before using it in this object specification.

Note

Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.

spec.backup.jvmParameters

Type: array of strings

Optional. JVM parameters passed to the Ops Manager backup service in the container.

This Kubernetes Operator parameter defaults to an empty list.

spec:
  backup:
    jvmParameters: ["-XX:+UseStringCache"]

Warning

Change the JVM Memory Heap values at your own risk

Kubernetes Operator calculates the JVM memory heap values of the backup service based on the container's memory. Changing the -Xms and -Xmx values can cause issues with Ops Manager.

spec.backup.members

Type: integer

Optional. Number of backup daemon services to deploy in Kubernetes. If not specified, defaults to 1. To ensure high availability for your backup service, deploy multiple backup daemons in Ops Manager.

spec.backup.opLogStores

Type: collection

Required if you enable backup.

Array of oplog stores used for backup. Each item in the array references a MongoDB database resource deployed in the Kubernetes cluster by the Kubernetes Operator.

spec.backup.opLogStores.assignmentLabels

Type: array of strings

A list of assignment labels for the oplog store. Use assignment labels to identify that specific oplog stores are associated with particular projects. If you set assignment labels using the Kubernetes Operator, the values that you set in the Kubernetes configuration file for assignment labels override the values defined in the Ops Manager UI. Assignment labels that you don't set using the Kubernetes Operator continue to use the values set in the Ops Manager UI.

spec.backup.opLogStores.name

Type: string

Required if you enable Backup.

Name of the oplog store.

Important

Once specified, don't edit the name of the oplog store.

spec.backup.opLogStores.mongodbResourceRef.name

Type: string

Required if you enable Backup.

Name of the MongoDB resource or the MongoDBMultiCluster resource that you create to store oplog slices. You must deploy this resource in the same namespace as the Ops Manager resource.

The Oplog database only supports the SCRAM authentication mechanism. You cannot enable other authentication mechanisms.

If you enable SCRAM authentication on the oplog database, you must:

  • Create a MongoDB user resource to connect Ops Manager to the oplog database.

  • Specify the name of the user in the Ops Manager resource definition.

If a MongoDB database resource with this name doesn't exist, the backup resource enters a Pending state. The Kubernetes Operator retries every 10 seconds until a MongoDB database resource with this name is created.

Note

The Kubernetes Operator begins to reconcile the Ops Manager resource automatically when you make security changes to the database resources you reference in this setting. The Kubernetes Operator updates the mongoURI and ssl flags in the Ops Manager configuration based on your changes.

spec.backup.opLogStores.mongodbUserRef.name

Type: string

Required if SCRAM authentication is enabled on the oplog store database.

Name of the MongoDB user resource used to connect to the oplog store database. Deploy this user resource in the same namespace as the Ops Manager resource and with all of the following roles:

spec.backup.blockStores

Type: collection

Required if you enable Backup using a blockstore.

Array of blockstores used for Backup. Each item in the array references a MongoDB database resource deployed in the Kubernetes cluster by the Kubernetes Operator.

spec.backup.blockStores.assignmentLabels

Type: array of strings

A list of assignment labels for the blockstore. Use assignment labels to identify that specific blockstores are associated with particular projects. If you set assignment labels using the Kubernetes Operator, the values that you set in the Kubernetes configuration file for assignment labels override the values defined in the Ops Manager UI. Assignment labels that you don't set using the Kubernetes Operator continue to use the values set in the Ops Manager UI.

spec.backup.blockStores.name

Type: string

Required if you enable backup using a blockstore.

Name of the blockstore.

Important

Once specified, don't edit the name of the blockstore.

spec.backup.blockStores.mongodbResourceRef.name

Type: string

Required if you enable backup using a blockstore.

Name of the MongoDB database resource that you create for the blockstore. You must deploy this database resource in the same namespace as the Ops Manager resource.

The blockstore database only supports the SCRAM authentication mechanism. You cannot enable other authentication mechanisms.

If you enable SCRAM authentication on the blockstore database, you must:

  • Create a MongoDB user resource to connect Ops Manager to the blockstore database.

  • Specify the name of the user in the Ops Manager resource definition.

If a MongoDB database resource with this name doesn't exist, the backup resource enters a Pending state. The Kubernetes Operator retries every 10 seconds until a MongoDB database resource with this name is created.

Note

The Kubernetes Operator begins to reconcile the Ops Manager resource automatically when you make security changes to the database resources you reference in this setting. The Kubernetes Operator updates the mongoURI and ssl flags in the Ops Manager configuration based on your changes.

spec.backup.blockStores.mongodbUserRef.name

Type: string

Required if SCRAM authentication is enabled on the blockstore database.

Name of the MongoDB user resource used to connect to the blockstore database. Deploy this user resource in the same namespace as the Ops Manager resource and with all of the following roles:

spec.backup.queryableBackupSecretRef.name

Type: string

Name of the secret that contains the queryable.pem file from Ops Manager that you will use for accessing and querying backups based on your deployment's TLS requirements. The PEM file contains a public key certificate and its associated private key that are needed to access and run queries on backup snapshots in Ops Manager. To query backups, specify the value for this parameter. If not set, backups are not affected, but you can't query them.

spec.backup.statefulSet.spec

Type: collection

Specification for the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the backup daemon service.

To review which fields you can add to spec.backup.statefulSet.spec, see StatefulSetSpec v1 apps in the Kubernetes documentation.

spec.backup.statefulSet.spec.template

Type: collection

Template for the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the backup daemon service.

Note

The Kubernetes Operator doesn't validate the fields you provide in spec.backup.statefulSet.spec.template.

spec.backup.statefulSet.spec.template.metadata

Type: collection

Metadata for the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the backup daemon service.

To review which fields you can add to spec.backup.statefulSet.spec.template.metadata, see the Kubernetes documentation.

spec.backup.statefulSet.spec.template.spec

Type: collection

Specifications of the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the backup daemon service.

To review the complete list of fields you can add to spec.backup.statefulSet.spec.template.spec, see the Kubernetes documentation.

The following example spec.backup.statefulSet.spec.template.spec defines minimum and maximum CPU and memory capacity for one backup daemon service container the MongoDB Enterprise Kubernetes Operator deploys:

statefulSet:
  spec:
    template:
      spec:
        containers:
          - name: mongodb-backup-daemon
            resources:
              requests:
                cpu: "0.50"
                memory: "4500M"
              limits:
                cpu: "1"
                memory: "6000M"

spec.backup.statefulSet.spec.template.spec.containers

Type: collection

List of containers that belong to the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the backup daemon service.

To modify the specifications of the backup daemon service container, you must provide the exact name of the container using the name field, as shown in the following example:

backup:
  statefulSet:
    spec:
      template:
        spec:
          containers:
            - name: mongodb-backup-daemon

Note

When you add containers to spec.backup.statefulSet.spec.template.spec.containers, the Kubernetes Operator adds them to the Kubernetes pod. These containers are appended to the Backup Daemon Service containers in the pod.

spec.backup.statefulSet.spec.template.spec.containers.resources.requests.cpu

Type: string

Minimum CPU capacity that must be available on a Kubernetes node to host the backup daemon service.

The requested value must be less than or equal to spec.backup.statefulSet.spec.template.spec.containers.resources.limits.cpu.

spec.backup.statefulSet.spec.template.spec.containers.resources.limits.cpu

Type: string

Maximum CPU capacity for the node being created to host the backup daemon service. If omitted, this value is set to spec.backup.statefulSet.spec.template.spec.containers.resources.requests.cpu.

spec.backup.statefulSet.spec.template.spec.containers.resources.requests.memory

Type: string

Minimum memory capacity that must be available on a Kubernetes node to host the backup daemon service on Kubernetes. This value is expressed as an integer followed by a unit of memory in JEDEC notation.

Note

Set this value to at least 4.5Gi. Values less than 4.5Gi might result in an error.

The requested value must be less than or equal to spec.backup.statefulSet.spec.template.spec.containers.resources.limits.memory.

spec.backup.statefulSet.spec.template.spec.containers.resources.limits.memory

Type: string

Maximum memory capacity for the node being created to host the backup daemon service. If omitted, this value is set to spec.backup.statefulSet.spec.template.spec.containers.resources.requests.memory.

The Kubernetes Operator calculates and sets parameters for Java heap size based on the container's memory.

Warning

Limit this value to less than 32 GB

Setting this value to a value greater than 32 GB (32Gi) can cause issues with the backup service. Excessive heaps can cause unpredictable results in Ops Manager.

spec.clusterDomain

Type: string

Kubernetes assigns each Pod an FQDN. The Kubernetes Operator calculates the FQDN for each Pod using the provided clusterDomain. Kubernetes doesn't provide an API to query these hostnames.

spec.clusterName

Important

spec.clusterName is Deprecated

Use spec.clusterDomain instead.

Type: string

Kubernetes assigns each Pod an FQDN. The Kubernetes Operator calculates the FQDN for each Pod using the provided clusterName. Kubernetes doesn't provide an API to query these hostnames.

spec.configuration

Type: collection

Ops Manager configuration properties. See Ops Manager Configuration Settings for property names and descriptions. Each property takes a value of type string.

Important

If Ops Manager will manage MongoDB resources deployed outside of the Kubernetes cluster it's deployed to, you must add the mms.centralUrl setting to spec.configuration.

Set the value to the URL by which Ops Manager is exposed outside of the Kubernetes cluster.

spec.configuration.mms.featureFlag.automation.verifyDownloads

Type: string

When set to enabled, the MongoDB Agent requires signature files for all MongoDB deployments that your Ops Manager instance manages.

When you upgrade the MongoDB Agent with this option enabled, the current version of the MongoDB Agent requires signature files of the new MongoDB Agent binary.

To learn more, see Verify MongoDB Signatures.

spec.configuration.mms.mongoDbUsage.defaultUsageType

Type: string

The Kubernetes service's default server type.

Accepted values are: PRODUCTION_SERVER, TEST_SERVER, DEV_SERVER, and RAM_POOL.

spec.externalConnectivity

Type: collection

Configuration object that enables external connectivity to Ops Manager. If provided, the Kubernetes Operator creates a Kubernetes service that allows traffic originating from outside of the Kubernetes cluster to reach the Ops Manager application.

If not provided, the Kubernetes Operator doesn't create a Kubernetes service. You must create one manually or use a third-party solution that enables you to route external traffic to the Ops Manager Application in your Kubernetes cluster.

spec.externalConnectivity.type

Type: string

The Kubernetes service ServiceType that exposes Ops Manager outside of Kubernetes.

Required if spec.externalConnectivity is present.

Accepted values are: LoadBalancer and NodePort. LoadBalancer is recommended if your cloud provider supports it. Use NodePort for local deployments.

spec.externalConnectivity.port

Type: integer

Port through which the Kubernetes service exposes the Ops Manager Application to external traffic.

  • If spec.externalConnectivity.type is NodePort:

    • The Kubernetes service exposes the Ops Manager Application to external traffic through this port.

    • If you don't provide a spec.externalConnectivity.port value, the Kubernetes service routes traffic to the Ops Manager Application from an available port selected randomly from the following default range: 30000-32767.

      Note

      You must configure your network's firewall to allow traffic over this port.

  • If spec.externalConnectivity.type is LoadBalancer:

    • The load balancer resource that your cloud provider creates exposes the Ops Manager Application through this port.

    • If you don't provide a spec.externalConnectivity.port value, the Kubernetes service exposes the Ops Manager Application to external traffic through the default HTTP (8080) or HTTPS (8443) port.

spec.externalConnectivity.loadBalancerIP

Type: string

The IP address the LoadBalancer Kubernetes service uses when the Kubernetes Operator creates it.

This setting can only be used if your cloud provider supports it and spec.externalConnectivity.type is LoadBalancer. To learn more about the Type LoadBalancer, see the Kubernetes documentation.

spec.externalConnectivity.externalTrafficPolicy

Type: string

Routing policy for external traffic to the Ops Manager Kubernetes service. The service routes external traffic to node-local or cluster-wide endpoints depending on the value of this setting.

Accepted values are: Cluster and Local. To learn which of these values meets your requirements, see Source IPs in Kubernetes in the Kubernetes documentation.

Note

If you select Cluster, the source IP of your clients is lost during the network hops that happen at the Kubernetes network boundary.

spec.externalConnectivity.annotations

Type: collection

Key-value pairs that allow you to provide cloud provider-specific configuration settings.

To learn more about Annotations and TLS support on AWS, see the Kubernetes documentation.

spec.jvmParameters

Type: array of strings

Optional. JVM parameters passed to the Ops Manager Application in the container. Any parameters given replace the default JVM parameters for the Ops Manager Application.

This Kubernetes Operator parameter defaults to an empty list.

spec:
  jvmParameters: ["-XX:+HeapDumpOnOutOfMemoryError","-XX:HeapDumpPath=/tmp"]

Important

Change the JVM Memory Heap values at your own risk

Kubernetes Operator calculates its JVM memory heap values of the Ops Manager Application based on the container's memory. Changing the -Xms and -Xmx values can cause issues with Ops Manager.

spec.security.certsSecretPrefix

Type: string

Text to prefix to the Kubernetes secret that you created that contains Ops Manager's TLS key and certificate.

You must name your secret <prefix>-<metadata.name>-cert.

To learn how to configure your Ops Manager instance to run over HTTPS, see Deploy an Ops Manager Resource.

spec.security.tls.ca

Name of the Kubernetes ConfigMap that contains a custom CA file for Ops Manager.

Important

spec.security.tls.ca is required if you use a custom CA to sign your Ops Manager TLS certificates.

The Kubernetes Operator requires that you name the certificate for the Ops Manager resource mms-ca.crt in the ConfigMap.

This CA signs the certificates that:

  • clients use to connect to the Ops Manager Application, and

  • agents in the application database Pods use to communicate with Ops Manager.

Warning

You must concatenate your custom CA file and the entire TLS certificate chain from downloads.mongodb.com to prevent Ops Manager from becoming inoperable if the application database restarts.

spec.security.tls.enabled

Important

spec.security.tls.enabled is deprecated and will be removed in a future release. To enable TLS, provide a value for the spec.security.certsSecretPrefix setting.

Encrypts communications using TLS certificates between clients and Ops Manager.
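
The following pre-apply check is an added example, not part of this page or of the Kubernetes Operator. It encodes the constraints stated above before a resource is applied: the required settings and the 44-character name limit, the 4.5Gi floor and 32Gi ceiling on the backup daemon container memory, the two deprecated tls.enabled flags and their certsSecretPrefix replacements, and the <prefix>-<metadata.name>-cert and -db-cert secret names the Operator expects. The SAMPLE resource, its adminCredentials secret name and the placeholder Ops Manager version are constructed for the example.

```python
import re

# Kubernetes quantity suffixes: decimal (M, G) are powers of 1000, binary (Mi, Gi)
# powers of 1024; a bare integer is bytes. 4500M is therefore smaller than 4.5Gi.
_UNITS = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}

def parse_quantity(q):
    """Bytes represented by a memory quantity such as '4500M', '6Gi' or '4.5Gi'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kMGT]i?)?", str(q).strip())
    if not m:
        raise ValueError(f"unparseable quantity: {q!r}")
    return float(m.group(1)) * _UNITS[m.group(2) or ""]

def _get(obj, path, default=None):
    """Walk a dotted path through nested dicts, returning default if absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

REQUIRED = ("apiVersion", "kind", "metadata.name", "spec.replicas", "spec.version",
            "spec.adminCredentials", "spec.applicationDatabase.version")
DEPRECATED_TLS = {  # deprecated toggle -> the setting that enables TLS instead
    "spec.security.tls.enabled": "spec.security.certsSecretPrefix",
    "spec.applicationDatabase.security.tls.enabled":
        "spec.applicationDatabase.security.certsSecretPrefix",
}

def lint(resource):
    """Return (severity, message) findings for a MongoDBOpsManager resource dict."""
    findings = []
    def err(msg): findings.append(("ERROR", msg))
    def warn(msg): findings.append(("WARN", msg))

    for field in REQUIRED:
        if _get(resource, field) is None:
            err(f"required field {field} is missing")
    if _get(resource, "kind") not in (None, "MongoDBOpsManager"):
        err("kind must be MongoDBOpsManager")
    name = _get(resource, "metadata.name", "")
    if len(name) > 44:
        err(f"metadata.name is {len(name)} characters; the limit is 44")
    replicas = _get(resource, "spec.replicas")
    if isinstance(replicas, int) and replicas < 1:
        err("spec.replicas must be at least 1")
    elif replicas == 1:
        warn("spec.replicas is 1; use more than 1 for a highly available Ops Manager")

    # Backup daemon container memory: 4.5Gi floor, 32Gi ceiling, requests <= limits.
    path = "spec.backup.statefulSet.spec.template.spec.containers"
    for c in _get(resource, path) or []:
        if c.get("name") != "mongodb-backup-daemon":
            continue
        req, lim = _get(c, "resources.requests.memory"), _get(c, "resources.limits.memory")
        if req and parse_quantity(req) < parse_quantity("4.5Gi"):
            warn(f"backup daemon requests.memory {req} is below 4.5Gi and might fail")
        if lim and parse_quantity(lim) > parse_quantity("32Gi"):
            err(f"backup daemon limits.memory {lim} exceeds 32Gi; the JVM heap is sized from it")
        if req and lim and parse_quantity(req) > parse_quantity(lim):
            err("backup daemon requests.memory must not exceed limits.memory")

    for flag, replacement in DEPRECATED_TLS.items():
        if _get(resource, flag) is not None:
            warn(f"{flag} is deprecated; set {replacement} instead")
    return findings

def expected_tls_secrets(resource):
    """Secret names the Operator looks for, built from the prefixes and metadata.name."""
    name, secrets = _get(resource, "metadata.name", ""), {}
    om = _get(resource, "spec.security.certsSecretPrefix")
    db = _get(resource, "spec.applicationDatabase.security.certsSecretPrefix")
    if om:
        secrets["opsManager"] = f"{om}-{name}-cert"
    if db:
        secrets["appDb"] = f"{db}-{name}-db-cert"
    return secrets

# Constructed sample resource, not taken from the page; the Ops Manager version is a placeholder.
SAMPLE = {
    "apiVersion": "mongodb.com/v1", "kind": "MongoDBOpsManager",
    "metadata": {"name": "ops-manager"},
    "spec": {
        "replicas": 1, "version": "<ops-manager-version>",
        "adminCredentials": "ops-manager-admin-secret",
        "applicationDatabase": {"version": "6.0.0-ubi8",
                                "security": {"certsSecretPrefix": "appdb", "tls": {"enabled": True}}},
        "security": {"certsSecretPrefix": "om"},
        "backup": {"statefulSet": {"spec": {"template": {"spec": {"containers": [
            {"name": "mongodb-backup-daemon",
             "resources": {"requests": {"cpu": "0.50", "memory": "4000M"},
                           "limits": {"cpu": "1", "memory": "40Gi"}}}]}}}}},
    },
}

if __name__ == "__main__":
    for severity, message in lint(SAMPLE):
        print(f"{severity}: {message}")
```

Run it against a resource loaded from your own YAML (for example with PyYAML's safe_load) before kubectl apply; the sample above produces one error (40Gi limit), a warning for the 4000M request, one for replicas and one for the deprecated flag.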

spec.statefulSet.spec

Type: collection

Specification for the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for Ops Manager.

To review which fields you can add to spec.statefulSet.spec, see StatefulSetSpec v1 apps in the Kubernetes documentation.

spec.statefulSet.spec.template

Type: collection

Template for the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the Ops Manager.

Note

The Kubernetes Operator doesn't validate the fields you provide in spec.statefulSet.spec.template.

spec.statefulSet.spec.template.metadata

Type: collection

Metadata for the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the Ops Manager.

To review which fields you can add to spec.statefulSet.spec.template.metadata, see the Kubernetes documentation.

spec.statefulSet.spec.template.spec

Type: collection

Specifications of the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the Ops Manager.

To review the complete list of fields you can add to spec.statefulSet.spec.template.spec, see the Kubernetes documentation.

The following example spec.statefulSet.spec.template.spec defines minimum and maximum CPU and memory capacity for one Ops Manager container the MongoDB Enterprise Kubernetes Operator deploys:

statefulSet:
  spec:
    template:
      spec:
        containers:
          - name: mongodb-ops-manager
            resources:
              requests:
                cpu: "0.70"
                memory: "6Gi"
              limits:
                cpu: "1"
                memory: "7000M"

spec.statefulSet.spec.template.spec.containers

Type: collection

List of containers that belong to the Kubernetes Pods in the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for the Ops Manager.

To modify the specifications of the Ops Manager container, you must provide the exact name of the container using the name field, as shown in the following example:

statefulSet:
  spec:
    template:
      spec:
        containers:
          - name: mongodb-ops-manager

Note

When you add containers to spec.statefulSet.spec.template.spec.containers, the Kubernetes Operator adds them to the Kubernetes pod. These containers are appended to the Ops Manager containers in the pod.

spec.statefulSet.spec.template.spec.containers.resources.requests.cpu

Type: string

Minimum CPU capacity that must be available on a Kubernetes node to host the Ops Manager.

The requested value must be less than or equal to spec.statefulSet.spec.template.spec.containers.resources.limits.cpu.

spec.statefulSet.spec.template.spec.containers.resources.limits.cpu

Type: string

Maximum CPU capacity for the node being created to host the Ops Manager. If omitted, this value is set to spec.statefulSet.spec.template.spec.containers.resources.requests.cpu.

spec.statefulSet.spec.template.spec.containers.resources.requests.memory

Type: string

Minimum memory capacity that must be available on a Kubernetes node to host the Ops Manager on Kubernetes. This value is expressed as an integer followed by a unit of memory in JEDEC notation.

Example

If Ops Manager on Kubernetes requires 6 gigabytes of memory, set this value to 6Gi.

Note

MongoDB recommends setting this value to at least 5Gi.

The requested value must be less than or equal to spec.statefulSet.spec.template.spec.containers.resources.limits.memory.

spec.statefulSet.spec.template.spec.containers.resources.limits.memory

Type: string

Maximum memory capacity for the node being created to host the Ops Manager. If omitted, this value is set to spec.statefulSet.spec.template.spec.containers.resources.requests.memory.

The Kubernetes Operator calculates and sets parameters for Java heap size based on the container's memory.

Warning

Limit this value to less than 32 GB

Setting this value to more than 32 GB (32Gi) can cause issues with the backup service. Excessive heaps can cause unpredictable results in Ops Manager.
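
The settings above mix binary (Gi) and decimal (M) units, and the page's own example requests 6Gi against a 7000M limit, so comparing them by eye is unreliable. The following Python is an added example, not code from the page or from the Operator: it parses Kubernetes CPU and memory quantities and checks one entry of spec.statefulSet.spec.template.spec.containers against the rules stated above (exact container name, requests not above limits, the 5Gi recommendation and the 32Gi ceiling). The "an omitted limit equals the request" default follows the page; the sample container is constructed from the page's example values.

```python
import re

# Multipliers for Kubernetes quantities: decimal (k, M, G, T) and binary (Ki, Mi, Gi, Ti).
SUFFIX = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
QUANTITY = re.compile(r"^(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|k|M|G|T)?$")
CPU_MILLI = re.compile(r"^(\d+)m$")

GIB = 2**30
MAX_MEMORY_LIMIT = 32 * GIB        # page: limits.memory must stay below 32Gi
MIN_RECOMMENDED_REQUEST = 5 * GIB  # page: requests.memory of at least 5Gi is recommended
OPS_MANAGER_CONTAINER = "mongodb-ops-manager"


def parse_cpu_millicores(value: str) -> int:
    """'250m' -> 250, '0.70' -> 700, '1' -> 1000."""
    m = CPU_MILLI.match(value)
    if m:
        return int(m.group(1))
    return int(round(float(value) * 1000))


def parse_memory_bytes(value: str) -> int:
    """'6Gi' -> 6442450944, '7000M' -> 7000000000."""
    m = QUANTITY.match(value)
    if not m:
        raise ValueError(f"unrecognised memory quantity {value!r}")
    number, suffix = m.groups()
    return int(float(number) * SUFFIX[suffix or ""])


def check_ops_manager_container(container: dict) -> list:
    """Findings for one containers[] entry. 'error:' items violate a stated rule,
    'warn:' items miss a recommendation. An empty list means the entry is fine."""
    findings = []
    if container.get("name") != OPS_MANAGER_CONTAINER:
        findings.append(f"error: container name must be exactly {OPS_MANAGER_CONTAINER}")
    res = container.get("resources", {})
    req, lim = res.get("requests", {}), res.get("limits", {})
    # An omitted limit is set to the request, so the check uses that default.
    cpu_req = parse_cpu_millicores(req["cpu"]) if "cpu" in req else None
    cpu_lim = parse_cpu_millicores(lim["cpu"]) if "cpu" in lim else cpu_req
    mem_req = parse_memory_bytes(req["memory"]) if "memory" in req else None
    mem_lim = parse_memory_bytes(lim["memory"]) if "memory" in lim else mem_req
    if cpu_req is not None and cpu_lim is not None and cpu_req > cpu_lim:
        findings.append("error: requests.cpu exceeds limits.cpu")
    if mem_req is not None and mem_lim is not None and mem_req > mem_lim:
        findings.append("error: requests.memory exceeds limits.memory")
    if mem_req is not None and mem_req < MIN_RECOMMENDED_REQUEST:
        findings.append("warn: requests.memory below the recommended 5Gi")
    if mem_lim is not None and mem_lim >= MAX_MEMORY_LIMIT:
        findings.append("error: limits.memory must be less than 32Gi")
    return findings


# Constructed sample built from the values in the page's example above.
PAGE_EXAMPLE = {
    "name": OPS_MANAGER_CONTAINER,
    "resources": {"requests": {"cpu": "0.70", "memory": "6Gi"},
                  "limits": {"cpu": "1", "memory": "7000M"}},
}
```

Note that 7Gi (7516192768 bytes) is larger than 7000M (7000000000 bytes); a request of 7Gi against that limit is rejected, which is exactly the kind of unit mismatch this check exists to surface.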

The following settings apply when you use Prometheus with your application database:

spec.applicationDatabase.prometheus

Type: array

Optional

List that contains the parameters for exposing metrics to Prometheus.

spec.applicationDatabase.prometheus.metricsPath

Type: string

Optional

Default: "/metrics"

Human-readable string that indicates the path to the metrics endpoint. If you don't specify this setting, the default applies.

spec.applicationDatabase.prometheus.passwordSecretRef

Type: object

Conditional

Object that contains the details of the secret for basic HTTP authentication. If you want to use Prometheus with your application database, you must specify this setting.

spec.applicationDatabase.prometheus.passwordSecretRef.key

Type: string

Optional

Default: "password"

Human-readable string that identifies the key in the secret that stores the password for basic HTTP authentication. If you don't specify this setting, the default applies.

spec.applicationDatabase.prometheus.passwordSecretRef.name

Type: string

Conditional

Human-readable label that identifies the secret that contains the password for basic HTTP authentication. If you want to use Prometheus with your application database, you must specify this setting.

spec.applicationDatabase.prometheus.port

Type: integer

Optional

Default: 9216

Number that identifies the port that the metrics endpoint will bind to. If you don't specify this setting, the default applies.

spec.applicationDatabase.prometheus.tlseSecretKeyRef

Type: object

Optional

Object that contains the details of the secret for TLS authentication.

spec.applicationDatabase.prometheus.tlseSecretKeyRef.key

Type: string

Optional

Default: "password"

Human-readable string that identifies the key in the secret that stores the password for TLS authentication. If you don't specify this setting, the default applies.

spec.applicationDatabase.prometheus.tlseSecretKeyRef.name

Type: string

Conditional

Human-readable label that identifies the secret that contains the password for TLS authentication. If you want to use Prometheus with your application database and you want to use TLS authentication, you must specify this setting.

spec.applicationDatabase.prometheus.username

Type: string

Conditional

Human-readable label that identifies the user for basic HTTP authentication. If you want to use Prometheus with your application database, you must specify this setting.

You can configure Ops Manager to use S3 for storing oplogs and backup snapshots, and secure connections to S3 with TLS using keys issued by a custom CA.

To configure custom CA keys, use the ConfigMap with which you configured TLS for your application database as described on the TLS-Encrypted Connection (HTTPS) tab of Deploy an Ops Manager Resource. Set spec.applicationDatabase.security.tls.ca to this ConfigMap.

You can use TLS for both S3 and your application database, or for S3 only.

  • To use TLS for both, get certificates for both purposes from the same ca-pem referenced in the ConfigMap.

  • To use TLS for S3 only, don't define spec.security.applicationDatabase.certsSecretPrefix in your ConfigMap.

spec.backup.s3OpLogStores.assignmentLabels

Type: array of strings

A list of assignment labels for S3 oplog stores. Use assignment labels to identify that specific S3 oplog stores are associated with particular projects. If you set assignment labels using the Kubernetes Operator, the values that you set in the Kubernetes configuration file for assignment labels override the values defined in the Ops Manager UI. Assignment labels that you don't set using the Kubernetes Operator continue to use the values set in the Ops Manager UI.

spec.backup.s3OpLogStores.customCertificate

Type: boolean

Deprecated. Use spec.backup.s3OpLogStores.customCertificateSecretRefs instead.

Flag that indicates whether you use AppDB certificates (appdb-ca) as the custom TLS certificate for your S3 oplog store. The default is False.

spec.backup.s3OpLogStores.customCertificateSecretRefs

Type: array of objects

List of custom certificates for your S3 oplog store, supplied as Kubernetes secrets. The base64-encoded x.509 certificate must already be present in a Kubernetes secret under a key and must be parsable by the Java CertificateFactory. You can't specify multiple certificates in a chain in one secret. If you specify multiple certificates in a chain in one secret, the Kubernetes Operator uses only the first certificate in the chain. If you also provide the customCertificate setting, the Kubernetes Operator uses spec.applicationDatabase.security.tls.ca as the custom certificate for backups.

Each entry in the list specifies the name and the key. If you specify multiple secrets, Kubernetes Operator uses all the certificates in the specified secrets.

If you don't provide this setting, Ops Manager uses its default JVM trust store.

spec.backup.s3OpLogStores.customCertificateSecretRefs.name

Type: string

Required to use custom certificates for your S3 oplog store.

Kubernetes secret that contains the custom certificate.

spec.backup.s3OpLogStores.customCertificateSecretRefs.key

Type: string

Required to use custom certificates for your S3 oplog store.

Key in the secret that holds the base64-encoded x.509 certificate. If you don't specify this setting, the Kubernetes Operator can't use the custom certificate for S3 oplog store backups.

spec.backup.s3OpLogStores.irsaEnabled

Type: boolean

Flag that enables using AWS IAM roles for service accounts (IRSA) in AWS EKS to configure an S3 oplog store. The default is False, which disables IRSA for the S3 oplog store. If you aren't using AWS EKS, this flag has no effect. To learn more, see IAM roles for service accounts in EKS.

spec.backup.s3OpLogStores.name

Type: string

Required to store the oplog using an S3 store.

Name of the S3 oplog store.

spec.backup.s3OpLogStores.mongodbResourceRef.name

Type: string

Name of the MongoDB database resource that you create to store metadata for the S3 oplog store. You must deploy this database resource in the same namespace as the Ops Manager resource.

Note

Omit this setting to use the application database to store metadata for the S3 oplog store.

If you omit this setting, you must also omit the spec.backup.s3OpLogStores.mongodbUserRef.name setting. The Kubernetes Operator handles SCRAM user authentication internally.

If you enable SCRAM authentication on this database, you must:

  • Create a MongoDB user resource to connect Ops Manager to the database.

  • Specify the name of the user in the Ops Manager resource definition.

spec.backup.s3OpLogStores.mongodbUserRef.name

Type: string

Required if you created a MongoDB database resource to store S3 oplog metadata and SCRAM is enabled on this database.

Name of the MongoDB user resource used to connect to the metadata database of the S3 oplog store. Deploy this user resource in the same namespace as the Ops Manager resource and with all of the following roles:

Important

Once specified, don't edit the name of the user for the S3 oplog store's metadata database.

spec.backup.s3OpLogStores.s3SecretRef.name

Type: string

Required to store the oplog using an S3 store.

Name of the secret that contains the accessKey and secretKey fields. The backup daemon service uses the values of these fields as credentials to access your AWS S3 or S3-compatible bucket. To configure the S3 oplog store, you must specify both keys in the secret.

spec.backup.s3OpLogStores.pathStyleAccessEnabled

Type: boolean

Indicates the style of the bucket endpoint URL.

Value   Description             Example
true    Path-style URL          s3.amazonaws.com/<bucket>
false   Virtual-host-style URL  <bucket>.s3.amazonaws.com

Default value is true.

spec.backup.s3OpLogStores.s3BucketEndpoint

Type: string

Required to store the oplog using an S3 store.

URL of the AWS S3 bucket or S3-compatible bucket that hosts the oplog store.

Note

If your endpoint doesn't include a region in its URL, specify the s3RegionOverride field.

spec.backup.s3OpLogStores.s3BucketName

Type: string

Required to store the oplog using an S3 store.

Name of the AWS S3 bucket or S3-compatible bucket that hosts the oplog store.

spec.backup.s3OpLogStores.s3RegionOverride

Type: string

Region where your S3-compatible bucket resides. Use this field only if your S3 oplog store's s3BucketEndpoint doesn't support region scoping. Region scoping is when your endpoint doesn't include a region in its URL.

Don't use this field with AWS S3 buckets. For more information, see S3 Blockstore Configuration.

spec.backup.s3Stores.assignmentLabels

Type: array of strings

A list of assignment labels for the S3 or S3-compatible buckets where Ops Manager stores the database backup snapshots. Use assignment labels to identify that specific S3 stores are associated with particular projects. If you set assignment labels using the Kubernetes Operator, the values that you set in the Kubernetes configuration file for assignment labels override the values defined in the Ops Manager UI. Assignment labels that you don't set using the Kubernetes Operator continue to use the values set in the Ops Manager UI.

spec.backup.s3Stores.customCertificate

Type: boolean

Deprecated. Use spec.backup.s3Stores.customCertificateSecretRefs instead.

Flag that indicates whether you use Application Database's certificates (appdb-ca) as the custom TLS certificate for your S3 backups. The default is False.

spec.backup.s3Stores.customCertificateSecretRefs

Type: array of objects

List of custom certificates for your S3 snapshot store, supplied as Kubernetes secrets. The base64-encoded x.509 certificate must already be present in a Kubernetes secret under a key and must be parsable by the Java CertificateFactory. You can't specify multiple certificates in a chain in one secret. If you specify multiple certificates in a chain in one secret, the Kubernetes Operator uses only the first certificate in the chain. If you also provide the spec.backup.s3Stores.customCertificate setting, the Kubernetes Operator uses spec.applicationDatabase.security.tls.ca as the custom certificate for backups.

Each entry in the list specifies the name and the key. If you specify multiple secrets, Kubernetes Operator uses all the specified secrets.

If you don't provide this setting, the Kubernetes Operator uses the JVM Default Trust Store used by Ops Manager for backups.

spec.backup.s3Stores.customCertificateSecretRefs.name

Type: string

Required to use custom certificates for your S3 snapshot store.

Kubernetes secret that contains the custom certificate.

spec.backup.s3Stores.customCertificateSecretRefs.key

Type: string

Required to use custom certificates for your S3 snapshot store.

Key in the secret that holds the base64-encoded x.509 certificate. If you don't specify this setting, the Kubernetes Operator can't use the custom certificate for the S3 snapshot store and falls back to the default JVM (Java Virtual Machine) trust store used by Ops Manager.

spec.backup.s3Stores.irsaEnabled

Type: boolean

Flag that enables using AWS IAM roles for service accounts (IRSA) in AWS EKS to configure an S3 snapshot store. The default is False, which disables IRSA for the S3 snapshot store. If you aren't using AWS EKS, this flag has no effect. To learn more, see IAM roles for service accounts in EKS.

spec.backup.s3Stores.name

Type: string

Required if you enable Backup using an S3 store.

Name of the S3 snapshot store.

Important

Once specified, don't edit the name of the S3 snapshot store. This change will likely fail if backups use the old name. The consequences of a successful change are unpredictable.

spec.backup.s3Stores.mongodbResourceRef.name

Type: string

Name of the MongoDB resource or MongoDBMultiCluster resource that you create to store metadata for the S3 snapshot store. You must deploy this database resource in the same namespace as the Ops Manager resource.

Note

Omit this setting to use the application database to store metadata for the S3 snapshot store.

If you omit this setting, you must also omit the spec.backup.s3Stores.mongodbUserRef.name setting. The Kubernetes Operator handles SCRAM user authentication internally.

If you enable SCRAM authentication on this database, you must:

  • Create a MongoDB user resource to connect Ops Manager to the database.

  • Specify the name of the user in the Ops Manager resource definition.

Important

Once specified, don't edit the name of the S3 snapshot store. This change will likely fail if backups use the old name. The consequences of a successful change are unpredictable.

If a MongoDB database resource with this name doesn't exist, the backup resource enters a Pending state. The Kubernetes Operator retries every 10 seconds until a MongoDB database resource with this name is created.

Note

The Kubernetes Operator begins to reconcile the Ops Manager resource automatically when you make security changes to the database resources you reference in this setting. The Kubernetes Operator updates the mongoURI and ssl flags in the Ops Manager configuration based on your changes.

spec.backup.s3Stores.mongodbUserRef.name

Type: string

Required if you created a MongoDB database resource to store S3 snapshot metadata and SCRAM is enabled on this database.

Name of the MongoDB user resource used to connect to the metadata database of the S3 snapshot store. Deploy this user resource in the same namespace as the Ops Manager resource and with all of the following roles:

Important

Once specified, don't edit the name of the user for the S3 snapshot store's metadata database.

spec.backup.s3Stores.s3SecretRef.name

Type: string

Required if you enable Backup using an S3 store.

Name of the secret that contains the accessKey and secretKey fields. The backup daemon service uses the values of these fields as credentials to access your AWS S3 or S3-compatible bucket. The S3 snapshot store can't be configured if the secret is missing either key.

spec.backup.s3Stores.pathStyleAccessEnabled

Type: boolean

Indicates the style of the bucket endpoint URL.

Value   Description             Example
true    Path-style URL          s3.amazonaws.com/<bucket>
false   Virtual-host-style URL  <bucket>.s3.amazonaws.com

Default value is true.

spec.backup.s3Stores.s3BucketEndpoint

Type: string

Required if you enable Backup using an S3 store.

URL of the AWS S3 bucket or S3-compatible bucket that hosts the snapshot store.

Note

If your endpoint doesn't include a region in its URL, specify the s3RegionOverride field.

spec.backup.s3Stores.s3BucketName

Type: string

Required if you enable Backup using an S3 store.

Name of the AWS S3 bucket or S3-compatible bucket that hosts the snapshot store.

spec.backup.s3Stores.s3RegionOverride

Type: string

Region where your S3-compatible bucket resides. Use this field only if your S3 store's s3BucketEndpoint doesn't support region scoping. Region scoping is when your endpoint doesn't include a region in its URL.

Don't use this field with AWS S3 buckets. For more information, see S3 Blockstore Configuration.
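
The S3 oplog store and snapshot store settings above share one set of rules: required fields, the coupling between mongodbResourceRef.name and mongodbUserRef.name, s3RegionOverride only for S3-compatible endpoints, the path-style versus virtual-host-style URL table, and name plus key on every customCertificateSecretRefs entry. The following Python is an added example that is not part of the page or of the Operator: it checks a spec.backup fragment against those rules before you apply it and builds the bucket URL the pathStyleAccessEnabled table describes. The sample fragment is constructed; the bucket names, endpoints and secret names are placeholders. Treating any endpoint that does not end in .amazonaws.com as S3-compatible is a heuristic of this example, not a rule the page states.

```python
# Constructed sample spec.backup fragment (placeholder names, not from the page).
SAMPLE_BACKUP = {
    "s3Stores": [{
        "name": "s3-snapshots",
        "s3BucketEndpoint": "s3.us-east-1.amazonaws.com",      # AWS S3: region is in the URL
        "s3BucketName": "example-om-snapshots",
        "s3SecretRef": {"name": "s3-credentials"},
        "pathStyleAccessEnabled": True,
        "customCertificateSecretRefs": [{"name": "s3-ca", "key": "ca.crt"}],
    }],
    "s3OpLogStores": [{
        "name": "s3-oplog",
        "s3BucketEndpoint": "minio.example.internal:9000",     # S3-compatible: no region in the URL
        "s3BucketName": "example-om-oplog",
        "s3SecretRef": {"name": "s3-credentials"},
        "s3RegionOverride": "us-east-1",
        "mongodbResourceRef": {"name": "oplog-metadata-db"},
        "mongodbUserRef": {"name": "oplog-metadata-user"},
    }],
}

REQUIRED = ("name", "s3BucketEndpoint", "s3BucketName")


def is_aws_endpoint(endpoint: str) -> bool:
    """Heuristic used by this example: AWS S3 endpoints end in .amazonaws.com."""
    return endpoint.lower().endswith(".amazonaws.com")


def bucket_url(store: dict) -> str:
    """Bucket URL per the pathStyleAccessEnabled table: endpoint/<bucket> for
    path-style (the default, true), <bucket>.endpoint for virtual-host-style."""
    endpoint, bucket = store["s3BucketEndpoint"], store["s3BucketName"]
    if store.get("pathStyleAccessEnabled", True):
        return f"{endpoint}/{bucket}"
    return f"{bucket}.{endpoint}"


def check_s3_store(store: dict, kind: str) -> list:
    """Findings for one s3Stores[] or s3OpLogStores[] entry; empty list means OK."""
    findings = []
    for key in REQUIRED:
        if not store.get(key):
            findings.append(f"{kind}: {key} is required")
    # The backup daemon needs accessKey and secretKey from this secret.
    if not store.get("s3SecretRef", {}).get("name"):
        findings.append(f"{kind}: s3SecretRef.name is required")
    # Without a dedicated metadata database the Operator handles SCRAM itself,
    # so a user reference must not be given.
    if "mongodbUserRef" in store and "mongodbResourceRef" not in store:
        findings.append(f"{kind}: omit mongodbUserRef.name when mongodbResourceRef.name is omitted")
    endpoint = store.get("s3BucketEndpoint", "")
    if "s3RegionOverride" in store and is_aws_endpoint(endpoint):
        findings.append(f"{kind}: don't use s3RegionOverride with AWS S3 buckets")
    if endpoint and not is_aws_endpoint(endpoint) and "s3RegionOverride" not in store:
        findings.append(f"{kind}: warn: endpoint may lack a region; consider s3RegionOverride")
    for ref in store.get("customCertificateSecretRefs", []):
        if not ref.get("name") or not ref.get("key"):
            findings.append(f"{kind}: each customCertificateSecretRefs entry needs name and key")
    if store.get("customCertificate") and store.get("customCertificateSecretRefs"):
        findings.append(f"{kind}: customCertificate is deprecated and makes the Operator use "
                        "spec.applicationDatabase.security.tls.ca instead of customCertificateSecretRefs")
    return findings


def check_backup(backup: dict) -> list:
    """Check every S3 snapshot store and S3 oplog store in a spec.backup fragment."""
    findings = []
    for store in backup.get("s3Stores", []):
        findings += check_s3_store(store, "s3Stores")
    for store in backup.get("s3OpLogStores", []):
        findings += check_s3_store(store, "s3OpLogStores")
    return findings
```

Running check_backup over the fragment before applying it turns the page's prose constraints into a repeatable pre-flight check; add it to whatever pipeline already lints your Ops Manager resource.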
