Navigation
This version of the documentation is archived and no longer supported.
  • Reference >
  • MongoDB Database Resource Specification

MongoDB Database Resource Specification

On this page

Note

At any place on this page that says Ops Manager, you can substitute Cloud Manager.

The MongoDB Enterprise Kubernetes Operator creates Kubernetes StatefulSets from specification files that you wrote.

MongoDB resources are created in Kubernetes as custom resources. After you create or update a MongoDB Kubernetes resource specification, you direct MongoDB Enterprise Kubernetes Operator to apply this specification to your Kubernetes environment. Kubernetes Operator creates the defined StatefulSets, services and other Kubernetes resources. After the Operator finishes creating those objects, it updates the Ops Manager deployment configuration to reflect changes.

Deployment Type StatefulSets Size of StatefulSet
Standalone 1 1 Pod
Replica Set 1 1 Pod per member
Sharded Cluster <numberOfShards> + 2 1 Pod per mongos, shard, or config server member

Each MongoDB Kubernetes resource uses an object specification in YAML to define the characteristics and settings of the MongoDB object: standalone, replica set, and sharded cluster.

Common Resource Settings

Every resource type must use the following settings:

Required

apiVersion

Type: string

Version of the MongoDB Kubernetes resource schema.

kind

Type: string

Kind of MongoDB Kubernetes resource to create. Set this to MongoDB

metadata.name

Type: string

Name of the MongoDB Kubernetes resource you are creating.

Resource names must be 44 characters or less.

spec.credentials

Type: string

Required. Name of the Kubernetes secret you created as Ops Manager API authentication credentials for the Kubernetes Operator to communicate with Cloud Manager or Ops Manager.

The Ops Manager Kubernetes Secret object holding the Credentials must exist on the same Namespace as the resource you want to create.

Operator manages changes to the Secret

The Kubernetes Operator tracks any changes to the Secret and reconciles the state of the MongoDB Kubernetes resource.

spec.persistent

Type: boolean

Default: True

Warning

Grant your containers permission to write to your Persistent Volume. The Kubernetes Operator sets fsGroup = 2000, runAsUser = 2000, and runAsNonRoot = true in securityContext. Kubernetes Operator sets fsgroup equal to runAsUser to make the volume writable for a user that runs the main process in the container. To learn more, see Configure a Security Context for a Pod or Container and the related discussion in the Kubernetes documentation. If redeploying the resource doesn’t fix issues with your Persistent Volume, contact MongoDB Support.

Note

If you do not use Persistent Volumes, the Disk Usage and Disk IOPS charts cannot be displayed in either the Processes tab on the Deployment page or in the Metrics page when reviewing the data for this deployment.

spec.type

Type: string

Type of MongoDB Kubernetes resource to create. Accepted values are:

  • Standalone
  • ReplicaSet
  • ShardedCluster
spec.version

Type: string

Version of MongoDB that is installed on this MongoDB Kubernetes resource.

Important

Ensure that you choose a compatible MongoDB Server version.

Compatible versions differ depending on the base image that the MongoDB database resource uses.

Note

If you update this value to a later version, consider setting spec.featureCompatibilityVersion to give yourself the option to downgrade if necessary.

Conditional

Every resource must use one of the following settings:

spec.opsManager.configMapRef.name

Type: string

Name of the ConfigMap with the Cloud Manager or Ops Manager connection configuration. The spec.cloudManager.configMapRef.name setting is an alias for this setting and can be used in its place.

Note

This value must exist on the same namespace as the resource you want to create.

Operator manages changes to the ConfigMap

The Kubernetes Operator tracks any changes to the ConfigMap and reconciles the state of the MongoDB Kubernetes resource.

spec.cloudManager.configMapRef.name

Type: string

Alias for spec.opsManager.configMapRef.name.

Optional

Every resource type may use the following settings:

spec.featureCompatibilityVersion

Type: string

Limits changes to data that occur with an upgrade to a new major version. This allows you to downgrade to the previous major version. To learn more about feature compatibility, see setFeatureCompatibilityVersion in the MongoDB Manual.

spec.clusterDomain

Type: string

Default: cluster.local

Domain name of the Kubernetes cluster where you deploy the Kubernetes Operator. When Kubernetes creates a StatefulSet, the Kubernetes assigns each Pod a FQDN. To update Cloud Manager or Ops Manager, the Kubernetes Operator calculates the FQDN for each Pod using a provided cluster name. Kubernetes doesn’t provide an API to query these hostnames.

Warning

You must set spec.clusterDomain if your Kubernetes cluster has a default domain other than the default cluster.local. If you neither use the default nor set the spec.clusterDomain option, the Kubernetes Operator might not function as expected.

spec.clusterName

Type: string

Default: cluster.local

spec.clusterName is Deprecated

Use spec.clusterDomain instead.

Domain name of the Kubernetes cluster where you deploy the Kubernetes Operator. When Kubernetes creates a StatefulSet, the Kubernetes assigns each Pod a FQDN. To update Cloud Manager or Ops Manager, the Kubernetes Operator calculates the FQDN for each Pod using a provided cluster name. Kubernetes doesn’t provide an API to query these hostnames.

Warning

You must set spec.clusterDomain if your Kubernetes cluster has a default domain other than the default cluster.local. If you neither use the default nor set the spec.clusterDomain option, the Kubernetes Operator might not function as expected.

metadata.namespace

Type: string

Kubernetes namespace where this MongoDB Kubernetes resource and other objects are created.

spec.service

Type: string

Default: <resource_name>+”-svc” and <resource_name>+”-svc-external”

spec.service is Deprecated

Use spec.statefulSet.spec.serviceName instead.

Name of the Kubernetes service to be created or used for a StatefulSet. If the service with this name already exists, the MongoDB Enterprise Kubernetes Operator does not delete or recreate it. This setting lets you create your own custom services and lets the Kubernetes Operator reuse them.

spec.logLevel

Type: string

Default: INFO

Configures the level of Automation Agent logging inside the Pod. Accepted values include:

  • DEBUG
  • INFO
  • WARN
  • ERROR
  • FATAL
spec.security.authentication.ignoreUnknownUsers

Type: boolean

Default: false

Determines whether you can modify database users that were not configured through the Kubernetes Operator, or the Cloud Manager or Ops Manager user interface.

To manage database users directly through the mongod or mongos, set this setting to true.

Deployment-Specific Resource Settings

Other settings you can and must use in a MongoDB Kubernetes resource specification depend upon which MongoDB deployment item you want to create:

Standalone Settings

Note

All of the Standalone Settings also apply to replica set resources.

spec.additionalMongodConfig

Type: collection

Additional configuration options with which you want to start MongoDB processes.

The Kubernetes Operator supports all configuration options that the MongoDB version you deploy through the MongoDB Agent supports, except that the Kubernetes Operator overrides values that you provide for any of the following options:

To learn more about the configuration options that the Kubernetes Operator owns, see MongoDB Kubernetes Operator Exclusive Settings.

To learn which configuration options you can use, see Advanced Options for MongoDB Deployments in the Ops Manager documentation.

spec.agent

Type: collection

MongoDB Agent configuration settings for MongoDB database resource.

spec.agent.startupOptions

Type: collection

MongoDB Agent settings with which you want to start MongoDB database resource.

You must provide MongoDB Agent settings as key-value pairs. The values must be strings.

For a list of supported MongoDB Agent settings, see:

copy 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-standalone
spec:
  version: "4.4.0-ent"
  service: my-service

  opsManager:
    configMapRef:
      name: my-project
  credentials: my-credentials
  type: Standalone

  persistent: true
  agent:
    startupOptions:
      maxLogFiles: "30"
      dialTimeoutSeconds: "40"
...
spec.exposedExternally

Type: boolean

Default: false

Determines whether the MongoDB deployment is exposed outside of the Kubernetes cluster. This results in Kubernetes creating a NodePort service.

spec.podSpec.nodeAffinity

Type: Struct

Kubernetes rule to place Pods for standalone database on a specific range of nodes.

Example

A user can isolate “dev” and “testing” environments to ensure Pods go to nodes with appropriate labels.

spec.podSpec.persistence.single

Type: collection

Has Kubernetes Operator create one Persistent Volume Claim and mount all three directories for data, journal, and logs to the same Persistent Volume.

Note

  • You must set the values in this collection if spec.persistent : true.
  • You may set this collection or the persistence.multiple collections but not both.
Scalar Data Type Description
labelSelector string Tag used to bind mounted volumes to directories.
storage string

Minimum size of Persistent Volume that should be mounted. This value is expressed as an integer followed by a unit of storage in JEDEC notation.

Default value is 16Gi.

Example

If standalone deployment in requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass string

Type of storage specified in a Persistent Volume Claim. You may create this storage type as a StorageClass object before using it in this object specification.

Note

Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.
spec.podSpec.persistence.multiple.data

Type: collection

Has Kubernetes Operator create a Persistent Volume Claim and mount a directory for data to its own Persistent Volume.

Note

  • You must set the values in this collection if spec.persistent : true.
  • You may set this collection or the persistence.single collection but not both.
Scalar Data Type Description
labelSelector string Tag used to bind mounted volumes to directories.
storage string

Minimum storage capacity that must be available on a Kubernetes node to host standalone deployment on Kubernetes. This value is expressed as an integer followed by a unit of storage in JEDEC notation.

Default value is 16Gi.

Example

If this MongoDB Kubernetes resource requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass string

Type of storage needed for standalone deployment. You may create this storage type as a StorageClass object before using it in this object specification.

Note

Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.
spec.podSpec.persistence.multiple.journal

Type: collection

Has Kubernetes Operator create a Persistent Volume Claim and mount a directory for journal to its own Persistent Volume.

Note

  • You must set the values in this collection if spec.persistent : true.
  • You may set this collection or the persistence.single collection but not both.
Scalar Data Type Description
labelSelector string Tag used to bind mounted volumes to directories.
storage string

Minimum storage capacity that must be available on a Kubernetes node to host standalone deployment on Kubernetes. This value is expressed as an integer followed by a unit of storage in JEDEC notation.

Default value is 1Gi.

Example

If this MongoDB Kubernetes resource requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass string

Type of storage needed for standalone deployment. You may create this storage type as a StorageClass object before using it in this object specification.

Note

Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.
spec.podSpec.persistence.multiple.logs

Type: collection

Has Kubernetes Operator create a Persistent Volume Claim and mount a directory for logs to its own Persistent Volume.

Note

  • You must set the values in this collection if spec.persistent : true.
  • You may set this collection or the persistence.single collection but not both.
Scalar Data Type Description
labelSelector string Tag used to bind mounted volumes to directories.
storage string

Minimum storage capacity that must be available on a Kubernetes node to host standalone deployment on Kubernetes. This value is expressed as an integer followed by a unit of storage in JEDEC notation.

Default value is 3Gi.

Example

If this MongoDB Kubernetes resource requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass string

Type of storage needed for standalone deployment. You may create this storage type as a StorageClass object before using it in this object specification.

Note

Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.
spec.podSpec.podAffinity

Type: Struct

Kubernetes rule to determine if multiple MongoDB Kubernetes resource Pods must be co-located with other Pods.

See also

The Kubernetes documentation for use cases on affinity and anti-affinity.

spec.podSpec.podTemplate

Type: collection

Template for the Kubernetes pods that the MongoDB Enterprise Kubernetes Operator creates for MongoDB database resources.

Template values take precedence over values specified in spec.podSpec.

Note

The Kubernetes Operator doesn’t validate the fields you provide in spec.podSpec.podTemplate.

spec.podSpec.podTemplate.metadata

Type: collection

Metadata for the Kubernetes pods that the MongoDB Enterprise Kubernetes Operator creates for MongoDB database resources.

To review which fields you can add to spec.podSpec.podTemplate.metadata, see the Kubernetes documentation.

spec.podSpec.podTemplate.spec

Type: collection

Specifications of the Kubernetes pods that the MongoDB Enterprise Kubernetes Operator creates for MongoDB database resources.

To review which fields you can add to spec.podSpec.podTemplate.spec, see the Kubernetes PodSpec v1 core API.

Note

When you add containers to spec.podSpec.podTemplate.spec.containers, the Kubernetes Operator adds them to the Kubernetes pod. These containers are appended to MongoDB database resources containers in the pod.

Use this setting to specify the CPU and RAM allocations for each pod. For examples, see the samples on GitHub.

Replica Set Settings

Note

All of the Standalone Settings also apply to replica set resources.

The following settings apply only to replica set resource types:

spec.backup

Type: collection

The collection container for spec.backup.mode, which enables continuous backups for MongoDB resources in Kubernetes Operator.

spec.backup.assignmentLabels

Type: array

A comma-separated list of labels to assign backup daemons, oplog stores, blockstores, S3 snapshot stores, and file system stores to specific projects or groups. Use assignment labels to identify that specific backup stores are associated with particular projects.

If you set assignment labels using the Kubernetes Operator, the values that you set in the Kubernetes configuration file for assignment labels override the values defined in the Ops Manager UI. Assignment labels that you don’t set using the Kubernetes Operator continue to use the values set in the Ops Manager UI.

spec.backup.mode

Type: string

Enables continuous backups for a MongoDB resource. Possible values are enabled, disabled, and terminated.

Note

The spec.backup.mode setting relies on Backup that is enabled in the Ops Manager and requires that spec.backup.enabled value in the Ops Manager resource specification is set to true.

After you enable continuous backups for your MongoDB resource with spec.backup.mode, you can check the backup status.

spec.backup.autoTerminateOnDeletion

Type: boolean

Flag that indicates whether the Kubernetes Operator stops and terminates the backup when you delete a MongoDB resource. If omitted, the default value is false. Setting this flag to true is useful when you want to delete the MongoDB custom resource while the spec.backup.mode setting is set to enabled.

spec.backup.encryption

Type: object

Object that contains the backup encryption configuration settings.

spec.backup.encryption.kmip

Type: object

Object that contains the KMIP backup encryption configuration settings. To learn more, see Configure KMIP Backup Encryption for Ops Manager.

spec.backup.encryption.kmip.client

Type: object

Object that contains the KMIP backup encryption client configuration settings.

spec.backup.encryption.kmip.client.clientCertificatePrefix

Type: string

spec.backup.snapshotSchedule

Type: collection

Collection container for snapshot schedule settings for continuous backups for MongoDB resources in Kubernetes Operator.

spec.backup.snapshotSchedule.snapshotIntervalHours

Type: number

Number of hours between snapshots. You can set a value of 6, 8, 12, or 24.

spec.backup.snapshotSchedule.snapshotRetentionDays

Type: number

Number of days to keep recent snapshots. You can set a value between 2 and 5, inclusive.

spec.backup.snapshotSchedule.dailySnapshotRetentionDays

Type: number

Number of days to keep daily snapshots. You can set a value between 1 and 365, inclusive. Setting the value to 0 disables this rule.

spec.backup.snapshotSchedule.weeklySnapshotRetentionWeeks

Type: number

Number of weeks to keep weekly snapshots. You can set a value between 1 and 52, inclusive. Setting the value to 0 disables this rule.

spec.backup.snapshotSchedule.monthlySnapshotRetentionMonths

Type: number

Number of months to keep monthly snapshots. You can set a value between 1 and 36, inclusive. Setting the value to 0 disables this rule.

spec.backup.snapshotSchedule.pointInTimeWindowHours

Type: number

Number of hours in the past for which you can create a point-in-time snapshot.

spec.backup.snapshotSchedule.referenceHourOfDay

Type: number

UTC hour of the day to schedule snapshots using a 24 hour clock. You can set a value between 0 and 23, inclusive.

spec.backup.snapshotSchedule.referenceMinuteOfHour

Type: number

UTC minute of the hour to schedule snapshots. You can set a value between 0 and 59, inclusive.

spec.backup.snapshotSchedule.fullIncrementalDayOfWeek

Type: string

Day of the week when Ops Manager takes a full snapshot. This setting ensures a recent complete backup. Ops Manager sets the default value to SUNDAY.

spec.clusterDomain

Type: string

Default: cluster.local

Domain name of the Kubernetes cluster where you deploy the Kubernetes Operator. When Kubernetes creates a StatefulSet, the Kubernetes assigns each Pod a FQDN. To update Cloud Manager or Ops Manager, the Kubernetes Operator calculates the FQDN for each Pod using a provided cluster name. Kubernetes doesn’t provide an API to query these hostnames.

Warning

You must set spec.clusterDomain if your Kubernetes cluster has a default domain other than the default cluster.local. If you neither use the default nor set the spec.clusterDomain option, the Kubernetes Operator might not function as expected.

spec.clusterName

Type: string

Default: cluster.local

spec.clusterName is Deprecated

Use spec.clusterDomain instead.

Domain name of the Kubernetes cluster where you deploy the Kubernetes Operator. When Kubernetes creates a StatefulSet, the Kubernetes assigns each Pod a FQDN. To update Cloud Manager or Ops Manager, the Kubernetes Operator calculates the FQDN for each Pod using a provided cluster name. Kubernetes doesn’t provide an API to query these hostnames.

Warning

You must set spec.clusterDomain if your Kubernetes cluster has a default domain other than the default cluster.local. If you neither use the default nor set the spec.clusterDomain option, the Kubernetes Operator might not function as expected.

spec.connectivity.replicaSetHorizons

Type: collection

Allows you to provide different DNS settings for client applications and the MongoDB Agents. The Kubernetes Operator uses split horizon DNS for replica set members. This feature allows communication both within the Kubernetes cluster and from outside Kubernetes.

You may add multiple external mappings per host.

Split Horizon Requirements

Example

In this example, the replica set members communicate amongst themselves on the example-localhost horizon. Clients communicate with the replica set using the example-website horizon.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: <my-replica-set>
spec:
  members: 3
  version: "4.2.2-ent"
  type: ReplicaSet
  opsManager:
    configMapRef:
      name: <configMap.metadata.name>
  credentials: <mycredentials>
  persistent: true
copy 
15
16
17
18
19
20
21
22
23
  security:
    tls:
      enabled: true
  connectivity:
    replicaSetHorizons:
      - "example-website": "web1.example.com:30907"
      - "example-website": "web2.example.com:32350"
      - "example-website": "web3.example.com:31185"
...
spec.featureCompatibilityVersion

Type: string

Limits changes to data that occur with an upgrade to a new major version. This allows you to downgrade to the previous major version. To learn more about feature compatibility, see setFeatureCompatibilityVersion in the MongoDB Manual.

spec.members

Type: integer

Required. Number of Members of the Replica Set.

spec.podSpec.podAntiAffinityTopologyKey

Type: string

Default: kubernetes.io/hostname

Sets a rule to spread MongoDB Kubernetes resource Pods to different locations. A location can be a single node, rack, or region. This key defines which node label is used to determine equal location for nodes. By default, Kubernetes Operator tries to spread pods across different hosts.

Sharded Cluster Settings

The following settings apply only to sharded cluster resource types:

spec.backup

Type: collection

The collection container for spec.backup.mode, which enables continuous backups for MongoDB resources in Kubernetes Operator.

spec.backup.assignmentLabels

Type: array

A comma-separated list of labels to assign backup daemons, oplog stores, blockstores, S3 snapshot stores, and file system stores to specific projects or groups. Use assignment labels to identify that specific backup stores are associated with particular projects.

If you set assignment labels using the Kubernetes Operator, the values that you set in the Kubernetes configuration file for assignment labels override the values defined in the Ops Manager UI. Assignment labels that you don’t set using the Kubernetes Operator continue to use the values set in the Ops Manager UI.

spec.backup.mode

Type: string

Enables continuous backups for a MongoDB resource. Possible values are enabled, disabled, and terminated.

Note

The spec.backup.mode setting relies on Backup that is enabled in the Ops Manager and requires that spec.backup.enabled value in the Ops Manager resource specification is set to true.

After you enable continuous backups for your MongoDB resource with spec.backup.mode, you can check the backup status.

spec.backup.encryption

Type: object

Object that contains the backup encryption configuration settings.

spec.backup.encryption.kmip

Type: object

Object that contains the KMIP backup encryption configuration settings. To learn more, see Configure KMIP Backup Encryption for Ops Manager.

spec.backup.encryption.kmip.client

Type: object

Object that contains the KMIP backup encryption client configuration settings.

spec.backup.encryption.kmip.client.clientCertificatePrefix

Type: string

spec.backup.snapshotSchedule

Type: collection

Collection container for snapshot schedule settings for continuous backups for MongoDB resources in Kubernetes Operator.

spec.backup.snapshotSchedule.snapshotIntervalHours

Type: number

Number of hours between snapshots. You can set a value of 6, 8, 12, or 24.

spec.backup.snapshotSchedule.snapshotRetentionDays

Type: number

Number of days to keep recent snapshots. You can set a value between 2 and 5, inclusive.

spec.backup.snapshotSchedule.dailySnapshotRetentionDays

Type: number

Number of days to keep daily snapshots. You can set a value between 1 and 365, inclusive. Setting the value to 0 disables this rule.

spec.backup.snapshotSchedule.weeklySnapshotRetentionWeeks

Type: number

Number of weeks to keep weekly snapshots. You can set a value between 1 and 52, inclusive. Setting the value to 0 disables this rule.

spec.backup.snapshotSchedule.monthlySnapshotRetentionMonths

Type: number

Number of months to keep monthly snapshots. You can set a value between 1 and 36, inclusive. Setting the value to 0 disables this rule.

spec.backup.snapshotSchedule.pointInTimeWindowHours

Type: number

Number of hours in the past for which you can create a point-in-time snapshot.

spec.backup.snapshotSchedule.referenceHourOfDay

Type: number

UTC hour of the day to schedule snapshots using a 24 hour clock. You can set a value between 0 and 23, inclusive.

spec.backup.snapshotSchedule.referenceMinuteOfHour

Type: number

UTC minute of the hour to schedule snapshots. You can set a value between 0 and 59, inclusive.

spec.backup.snapshotSchedule.fullIncrementalDayOfWeek

Type: string

Day of the week when Ops Manager takes a full snapshot. This setting ensures a recent complete backup. Ops Manager sets the default value to SUNDAY.

spec.backup.snapshotSchedule.clusterCheckpointIntervalMin

Type: number

Number of minutes between successive cluster checkpoints. This setting applies only to sharded clusters that run MongoDB with FCV of 4.0 or earlier. This number determines the granularity of point-in-time restores for sharded clusters. You can set a value of 15, 30, or 60.

spec.exposedExternally

Type: boolean

Default: false

Determines whether the MongoDB deployment is exposed outside of the Kubernetes cluster. This results in Kubernetes creating a NodePort service.

spec.configServerCount

Type: integer

Required. Number of members in the config server.

spec.configSrv.additionalMongodConfig

Type: collection

Additional configuration options with which you want to start each config server member.

The Kubernetes Operator supports all configuration options that the MongoDB version you deploy through the MongoDB Agent supports, except that the Kubernetes Operator overrides values that you provide for any of the following options:

To learn more about the configuration options that the Kubernetes Operator owns, see MongoDB Kubernetes Operator Exclusive Settings.

To learn which configuration options you can use, see Advanced Options for MongoDB Deployments in the Ops Manager documentation.

spec.configSrv.agent

Type: collection

MongoDB Agent configuration settings for each config server member.

spec.configSrv.agent.startupOptions

Type: collection

MongoDB Agent settings with which you want to start each config server member.

You must provide MongoDB Agent settings as key-value pairs. The values must be strings.

For a list of supported MongoDB Agent settings, see:

copy 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-sharded-cluster-options
spec:
  version: "4.4.0-ent"
  type: ShardedCluster
  opsManager:
    configMapRef:
      name: my-project
  credentials: my-credentials
  persistent: true
  shardCount: 2
  mongodsPerShardCount: 3
  mongosCount: 2
  configServerCount: 1

  mongos:
    agent:
      startupOptions:
        maxLogFiles: "30"

  configSrv:
     agent:
       startupOptions:
         dialTimeoutSeconds: "40"
  shard:
     agent:
       startupOptions:
         serverSelectionTimeoutSeconds: "20"
...
spec.configSrvPodSpec.persistence.single

Type: collection

Has Kubernetes Operator create one Persistent Volume Claim and mount all three directories for data, journal, and logs to the same Persistent Volume.

Note

  • You must set the values in this collection if spec.persistent : true.
  • You may set this collection or the persistence.multiple collections but not both.
Scalar Data Type Description
labelSelector string Tag used to bind mounted volumes to directories.
storage string

Minimum size of Persistent Volume that should be mounted. This value is expressed as an integer followed by a unit of storage in JEDEC notation.

Default value is 5Gi.

Example

If each config server member in requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass string

Type of storage specified in a Persistent Volume Claim. You may create this storage type as a StorageClass object before using it in this object specification.

Note

Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.
spec.configSrvPodSpec.persistence.multiple.data

Type: collection

Has Kubernetes Operator create a Persistent Volume Claim and mount a directory for data to its own Persistent Volume.

Note

  • You must set the values in this collection if spec.persistent : true.
  • You may set this collection or the persistence.single collection but not both.
Scalar Data Type Description
labelSelector string Tag used to bind mounted volumes to directories.
storage string

Minimum storage capacity that must be available on a Kubernetes node to host each config server member on Kubernetes. This value is expressed as an integer followed by a unit of storage in JEDEC notation.

Default value is 16Gi.

Example

If this MongoDB Kubernetes resource requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass string

Type of storage needed for each config server member. You may create this storage type as a StorageClass object before using it in this object specification.

Note

Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.
spec.configSrvPodSpec.persistence.multiple.journal

Type: collection

Has Kubernetes Operator create a Persistent Volume Claim and mount a directory for journal to its own Persistent Volume.

Note

  • You must set the values in this collection if spec.persistent : true.
  • You may set this collection or the persistence.single collection but not both.
Scalar Data Type Description
labelSelector string Tag used to bind mounted volumes to directories.
storage string

Minimum storage capacity that must be available on a Kubernetes node to host each config server member on Kubernetes. This value is expressed as an integer followed by a unit of storage in JEDEC notation.

Default value is 1Gi.

Example

If this MongoDB Kubernetes resource requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass string

Type of storage needed for each config server member. You may create this storage type as a StorageClass object before using it in this object specification.

Note

Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.
spec.configSrvPodSpec.persistence.multiple.logs

Type: collection

Has Kubernetes Operator create a Persistent Volume Claim and mount a directory for logs to its own Persistent Volume.

Note

  • You must set the values in this collection if spec.persistent : true.
  • You may set this collection or the persistence.single collection but not both.
Scalar Data Type Description
labelSelector string Tag used to bind mounted volumes to directories.
storage string

Minimum storage capacity that must be available on a Kubernetes node to host each config server member on Kubernetes. This value is expressed as an integer followed by a unit of storage in JEDEC notation.

Default value is 3Gi.

Example

If this MongoDB Kubernetes resource requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass string

Type of storage needed for each config server member. You may create this storage type as a StorageClass object before using it in this object specification.

Note

Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.
spec.configSrvPodSpec.nodeAffinity

Type: collection

Kubernetes rule to place Pods for each config server member on a specific range of nodes.

Example

A user can isolate “dev” and “testing” environments to ensure Pods go to nodes with appropriate labels.

spec.configSrvPodSpec.podAffinity

Type: collection

Kubernetes rule to determine if multiple MongoDB Kubernetes resource Pods must be co-located with other Pods.

See also

The Kubernetes documentation for use cases on affinity and anti-affinity.

spec.configSrvPodSpec.podAntiAffinityTopologyKey

Type: string

Default: kubernetes.io/hostname

Sets a rule to spread MongoDB Kubernetes resource Pods to different locations. A location can be a single node, rack, or region. This key defines which node label is used to determine equal location for nodes. By default, Kubernetes Operator tries to spread pods across different hosts.

spec.configSrvPodSpec.podTemplate

Type: collection

Template for the Kubernetes pods that the MongoDB Enterprise Kubernetes Operator creates for each config server member.

Template values take precedence over values specified in spec.configSrvPodSpec.

Note

The Kubernetes Operator doesn’t validate the fields you provide in spec.configSrvPodSpec.podTemplate.

spec.configSrvPodSpec.podTemplate.metadata

Type: collection

Metadata for the Kubernetes pods that the MongoDB Enterprise Kubernetes Operator creates for each config server member.

To review which fields you can add to spec.configSrvPodSpec.podTemplate.metadata, see the Kubernetes documentation.

spec.configSrvPodSpec.podTemplate.spec

Type: collection

Specifications of the Kubernetes pods that the MongoDB Enterprise Kubernetes Operator creates for each config server member.

To review which fields you can add to spec.configSrvPodSpec.podTemplate.spec, see the Kubernetes PodSpec v1 core API.

Note

When you add containers to spec.configSrvPodSpec.podTemplate.spec.containers, the Kubernetes Operator adds them to the Kubernetes pod. These containers are appended to each config server member containers in the pod.

Use this setting to specify the CPU and RAM allocations for each pod. For examples, see the samples on GitHub.

spec.mongodsPerShardCount

Type: integer

Required. Number of members per shard.

spec.mongosCount

Type: integer

Required. Number of mongos instances in the sharded cluster.

spec.mongos.additionalMongodConfig

Type: collection

Additional configuration options with which you want to start each mongos instance.

The Kubernetes Operator supports all configuration options that the MongoDB version you deploy through the MongoDB Agent supports, except that the Kubernetes Operator overrides values that you provide for any of the following options:

To learn more about the configuration options that the Kubernetes Operator owns, see MongoDB Kubernetes Operator Exclusive Settings.

To learn which configuration options you can use, see Advanced Options for MongoDB Deployments in the Ops Manager documentation.

spec.mongos.agent

Type: collection

MongoDB Agent configuration settings for each mongos instance.

spec.mongos.agent.startupOptions

Type: collection

MongoDB Agent settings with which you want to start each mongos instance.

You must provide MongoDB Agent settings as key-value pairs. The values must be strings.

For a list of supported MongoDB Agent settings, see:

copy 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-sharded-cluster-options
spec:
  version: "4.4.0-ent"
  type: ShardedCluster
  opsManager:
    configMapRef:
      name: my-project
  credentials: my-credentials
  persistent: true
  shardCount: 2
  mongodsPerShardCount: 3
  mongosCount: 2
  configServerCount: 1

  mongos:
    agent:
      startupOptions:
        maxLogFiles: "30"

  configSrv:
     agent:
       startupOptions:
         dialTimeoutSeconds: "40"
  shard:
     agent:
       startupOptions:
         serverSelectionTimeoutSeconds: "20"
...
spec.mongosPodSpec.nodeAffinity

Type: collection

Optional. Kubernetes rule to determine if multiple MongoDB Kubernetes resource nodes must be co-located with other nodes.

spec.mongosPodSpec.podAffinity

Type: collection

Optional. Kubernetes rule to determine if multiple MongoDB Kubernetes resource Pods must be co-located with other Pods.

spec.mongosPodSpec.podAntiAffinityTopologyKey

Type: string

Default: kubernetes.io/hostname

Sets a rule to spread MongoDB Kubernetes resource Pods to different locations. A location can be a single node, rack, or region. This key defines which node label is used to determine equal location for nodes. By default, Kubernetes Operator tries to spread pods across different hosts.

spec.mongosPodSpec.podTemplate

Type: collection

Template for the Kubernetes pods that the MongoDB Enterprise Kubernetes Operator creates for each mongos instance.

Template values take precedence over values specified in spec.mongosPodSpec.

Note

The Kubernetes Operator doesn’t validate the fields you provide in spec.mongosPodSpec.podTemplate.

spec.mongosPodSpec.podTemplate.metadata

Type: collection

Metadata for the Kubernetes pods that the MongoDB Enterprise Kubernetes Operator creates for each mongos instance.

To review which fields you can add to spec.mongosPodSpec.podTemplate.metadata, see the Kubernetes documentation.

spec.mongosPodSpec.podTemplate.spec

Type: collection

Specifications of the Kubernetes pods that the MongoDB Enterprise Kubernetes Operator creates for each mongos instance.

To review which fields you can add to spec.mongosPodSpec.podTemplate.spec, see the Kubernetes PodSpec v1 core API.

Note

When you add containers to spec.mongosPodSpec.podTemplate.spec.containers, the Kubernetes Operator adds them to the Kubernetes pod. These containers are appended to each mongos instance containers in the pod.

Use this setting to specify the CPU and RAM allocations for each pod. For examples, see the samples on GitHub.

spec.shardCount

Type: integer

Required. Number of shards in the sharded cluster.

spec.shard.additionalMongodConfig

Type: collection

Additional configuration options with which you want to start each sharded cluster shard member.

The Kubernetes Operator supports all configuration options that the MongoDB version you deploy through the MongoDB Agent supports, except that the Kubernetes Operator overrides values that you provide for any of the following options:

To learn more about the configuration options that the Kubernetes Operator owns, see MongoDB Kubernetes Operator Exclusive Settings.

To learn which configuration options you can use, see Advanced Options for MongoDB Deployments in the Ops Manager documentation.

spec.shard.agent

Type: collection

MongoDB Agent configuration settings for each sharded cluster shard member.

spec.shard.agent.startupOptions

Type: collection

MongoDB Agent settings with which you want to start each sharded cluster shard member.

You must provide MongoDB Agent settings as key-value pairs. The values must be strings.

For a list of supported MongoDB Agent settings, see:

copy 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-sharded-cluster-options
spec:
  version: "4.4.0-ent"
  type: ShardedCluster
  opsManager:
    configMapRef:
      name: my-project
  credentials: my-credentials
  persistent: true
  shardCount: 2
  mongodsPerShardCount: 3
  mongosCount: 2
  configServerCount: 1

  mongos:
    agent:
      startupOptions:
        maxLogFiles: "30"

  configSrv:
     agent:
       startupOptions:
         dialTimeoutSeconds: "40"
  shard:
     agent:
       startupOptions:
         serverSelectionTimeoutSeconds: "20"
...
spec.shardPodSpec.nodeAffinity

Type: string

Kubernetes rule to place Pods for each sharded cluster shard member on a specific range of nodes.

Example

A user can isolate “dev” and “testing” environments to ensure Pods go to nodes with appropriate labels.

spec.shardPodSpec.persistence.single

Type: collection

Has Kubernetes Operator create one Persistent Volume Claim and mount all three directories for data, journal, and logs to the same Persistent Volume.

Note

  • You must set the values in this collection if spec.persistent : true.
  • You may set this collection or the persistence.multiple collections but not both.
Scalar Data Type Description
labelSelector string Tag used to bind mounted volumes to directories.
storage string

Minimum size of Persistent Volume that should be mounted. This value is expressed as an integer followed by a unit of storage in JEDEC notation.

Default value is 16Gi.

Example

If each sharded cluster shard member in requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass string

Type of storage specified in a Persistent Volume Claim. You may create this storage type as a StorageClass object before using it in this object specification.

Note

Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.
spec.shardPodSpec.persistence.multiple.data

Type: collection

Has Kubernetes Operator create a Persistent Volume Claim and mount a directory for data to its own Persistent Volume.

Note

  • You must set the values in this collection if spec.persistent : true.
  • You may set this collection or the persistence.single collection but not both.
Scalar Data Type Description
labelSelector string Tag used to bind mounted volumes to directories.
storage string

Minimum storage capacity that must be available on a Kubernetes node to host each sharded cluster shard member on Kubernetes. This value is expressed as an integer followed by a unit of storage in JEDEC notation.

Default value is 16Gi.

Example

If this MongoDB Kubernetes resource requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass string

Type of storage needed for each sharded cluster shard member. You may create this storage type as a StorageClass object before using it in this object specification.

Note

Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.
spec.shardPodSpec.persistence.multiple.journal

Type: collection

Has Kubernetes Operator create a Persistent Volume Claim and mount a directory for journal to its own Persistent Volume.

Note

  • You must set the values in this collection if spec.persistent : true.
  • You may set this collection or the persistence.single collection but not both.
Scalar Data Type Description
labelSelector string Tag used to bind mounted volumes to directories.
storage string

Minimum storage capacity that must be available on a Kubernetes node to host each sharded cluster shard member on Kubernetes. This value is expressed as an integer followed by a unit of storage in JEDEC notation.

Default value is 1Gi.

Example

If this MongoDB Kubernetes resource requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass string

Type of storage needed for each sharded cluster shard member. You may create this storage type as a StorageClass object before using it in this object specification.

Note

Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.
spec.shardPodSpec.persistence.multiple.logs

Type: collection

Has Kubernetes Operator create a Persistent Volume Claim and mount a directory for logs to its own Persistent Volume.

Note

  • You must set the values in this collection if spec.persistent : true.
  • You may set this collection or the persistence.single collection but not both.
Scalar Data Type Description
labelSelector string Tag used to bind mounted volumes to directories.
storage string

Minimum storage capacity that must be available on a Kubernetes node to host each sharded cluster shard member on Kubernetes. This value is expressed as an integer followed by a unit of storage in JEDEC notation.

Default value is 3Gi.

Example

If this MongoDB Kubernetes resource requires 60 gigabytes of storage space, set this value to 60Gi.
storageClass string

Type of storage needed for each sharded cluster shard member. You may create this storage type as a StorageClass object before using it in this object specification.

Note

Make sure to set the StorageClass reclaimPolicy to Retain. This ensures that data is retained when a Persistent Volume Claim is removed.
spec.shardPodSpec.podAffinity

Type: string

Kubernetes rule to determine if multiple MongoDB Kubernetes resource Pods must be co-located with other Pods.

See also

The Kubernetes documentation for use cases on affinity and anti-affinity.

spec.shardPodSpec.podAntiAffinityTopologyKey

Type: string

Default: kubernetes.io/hostname

Sets a rule to spread MongoDB Kubernetes resource Pods to different locations. A location can be a single node, rack, or region. This key defines which node label is used to determine equal location for nodes. By default, Kubernetes Operator tries to spread pods across different hosts.

spec.shardPodSpec.podTemplate

Type: collection

Template for the Kubernetes pods that the MongoDB Enterprise Kubernetes Operator creates for each sharded cluster shard member.

Template values take precedence over values specified in spec.shardPodSpec.

Note

The Kubernetes Operator doesn’t validate the fields you provide in spec.shardPodSpec.podTemplate.

spec.shardPodSpec.podTemplate.metadata

Type: collection

Metadata for the Kubernetes pods that the MongoDB Enterprise Kubernetes Operator creates for each sharded cluster shard member.

To review which fields you can add to spec.shardPodSpec.podTemplate.metadata, see the Kubernetes documentation.

spec.shardPodSpec.podTemplate.spec

Type: collection

Specifications of the Kubernetes pods that the MongoDB Enterprise Kubernetes Operator creates for each sharded cluster shard member.

To review which fields you can add to spec.shardPodSpec.podTemplate.spec, see the Kubernetes PodSpec v1 core API.

Note

When you add containers to spec.shardPodSpec.podTemplate.spec.containers, the Kubernetes Operator adds them to the Kubernetes pod. These containers are appended to each sharded cluster shard member containers in the pod.

Use this setting to specify the CPU and RAM allocations for each pod. For examples, see the samples on GitHub.

Prometheus Settings

You can use Prometheus with your standalone resource, replica sets, or sharded clusters. To learn more, see Deploy a Resource to Use with Prometheus. To view an example, see MongoDB Resource with Prometheus.

The following settings apply when you use Prometheus with your MongoDB resource:

spec.prometheus

Type: array

Optional

List that contains the parameters for exposing metrics to Prometheus.

spec.prometheus.metricsPath

Type: string

Optional

Default: "/metrics"

Human-readable string that indicates the path to the metrics endpoint. If you don’t specify this setting, the default applies.

spec.prometheus.passwordSecretRef

Type: object

Conditional

Object that contains the details of the secret for basic HTTP authentication. If you want to use Prometheus with your MongoDB resource, you must specify this setting.

spec.prometheus.passwordSecretRef.key

Type: string

Optional

Default: "password"

Human-readable string that indentifies the key in the secret that stores the password for basic HTTP authentication. If you don’t specify this setting, the default applies.

spec.prometheus.passwordSecretRef.name

Type: string

Conditional

Human-readable label that identifies the secret that contains the password for basic HTTP authentication. If you want to use Prometheus with your MongoDB resource, you must specify this setting.

spec.prometheus.port

Type: integer

Optional

Default: 9216

Number that identifies the port that the metrics endpoint will bind to. If you don’t specify this setting, the default applies.

spec.prometheus.tlseSecretKeyRef

Type: object

Optional

Object that contains the details of the secret for TLS authentication.

spec.prometheus.tlseSecretKeyRef.key

Type: string

Optional

Default: "password"

Human-readable string that indentifies the key in the secret that stores the password for TLS authentication. If you don’t specify this setting, the default applies.

spec.prometheus.tlseSecretKeyRef.name

Type: string

Conditional

Human-readable label that identifies the secret that contains the password for TLS authentication. If you want to use Prometheus with your MongoDB resource and you want to use TLS authentication, you must specify this setting.

spec.prometheus.username

Type: string

Conditional

Human-readable label that identifies the user for basic HTTP authentication. If you want to use Prometheus with your MongoDB resource, you must specify this setting.

Security Settings

The following security settings apply only to replica set and sharded cluster resource types:

spec.security.tls.enabled

Type: boolean

Default: false

Important

spec.security.tls.enabled is deprecated and will be removed in a future release. To enable TLS, provide a value for the spec.security.certsSecretPrefix setting.

Encrypts communications using TLS certificates between:

  • MongoDB hosts in a replica set or sharded cluster configuration
  • Clients (mongo shell, drivers, MongoDB Compass, and others) and the MongoDB deployment

By default, net.ssl.mode is set to requireSSL. To change the TLS mode used for client and database connections, see spec.additionalMongodConfig.net.ssl.mode.

spec.security.tls.ca

Type: string

Provide the name of the ConfigMap that stores the CA.

spec.security.certsSecretPrefix

Type: string

Text to prefix to the Kubernetes secrets that you created that contain your replica set’s or sharded cluster’s TLS keys and certificates.

You must prefix your secrets with <prefix>-<metadata.name>.

Example

If you call your deployment my-deployment and you set the prefix to mdb, you must name the TLS secret for the client TLS communications mdb-my-deployment-cert. Also, you must name the TLS secret for internal cluster authentication (if enabled) mdb-my-deployment-clusterfile.

To learn more about naming the secrets that contain your TLS certificates, see the topic in Deploy a Replica Set that applies to your deployment.

spec.security.tls.additionalCertificateDomains

Type: boolean

List of every domain that should be added to TLS certificates to each pod in this deployment. When you set this parameter, every CSR that the Kubernetes Operator transforms into a TLS certificate includes a SAN in the form <pod name>.<additional cert domain>.

Replica set resources don’t need this parameter. Use spec.connectivity.replicaSetHorizons instead.

Note

If you add this parameter to a TLS-enabled resource, Kubernetes displays an error when the resource reaches the Pending state. This error displays: Please manually remove the |csr| in order to proceed. To remedy this issue:

  1. Remove any existing CSRs so that Kubernetes can generate new CSRs. To learn how to delete a resource, see the deleting resources in the Kubernetes documentation.
  2. Approve the CSRs after Kubernetes generates them.
spec.additionalMongodConfig.net.ssl.mode

Type: string

Default: requireSSL

Specifies which sslMode is used for network connections. The following are valid options:

Value Description
allowSSL Connections between servers do not use TLS. For incoming connections, the server accepts both TLS and non-TLS.
preferSSL Connections between servers use TLS. For incoming connections, the server accepts both TLS and non-TLS.
requireSSL The server uses and accepts only TLS encrypted connections.
spec.additionalMongodConfig.net.tls.disabledProtocols

Type: string

New in MongoDB version 4.2.

Prevents a MongoDB server running with TLS from accepting incoming connections that use a specific protocol or protocols. To specify multiple protocols, enter a comma separated list of protocols. For example, TLS1_0,TLS1_1.

This setting recognizes the following protocols: TLS1_0, TLS1_1, TLS1_2, and starting in MongoDB 4.0.4 (and 3.6.9), TLS1_3. If you specify an unrecognized protocol, the server won’t start.

On macOS, you can’t disable TLS1_1 and enable both TLS1_0 and TLS1_2. You must disable at least TLS1_0 or TLS1_2 also. For example, TLS1_0,TLS1_1 disables TLS1_2 on macOS.

The list of protocols that you disable replaces the default list of disabled protocols.

Starting in MongoDB version 4.0, MongoDB disables the use of TLS 1.0 if TLS 1.1+ is available on the system. To enable the disabled TLS 1.0, specify none as the value for spec.additionalMongodConfig.net.tls.disabledProtocols. To learn more about this setting, see Disable TLS 1.0.

Members of replica sets and sharded clusters must speak at least one protocol in common.

spec.security.authentication

Type: collection

Authentication specifications for your MongoDB deployment.

spec.security.authentication.enabled

Type: boolean

Default: false

Specifies whether authentication is enabled on the Cloud Manager or Ops Manager project. If set to true, you must set an authentication mechanism in spec.security.authentication.modes.

Important

The Kubernetes Operator manages authentication for this MongoDB resource if you include this setting, even if it is set to false. You can’t configure authentication for this resource using the Cloud Manager or Ops Manager user interface or APIs while this setting exists in the resource specification.

Omit this setting if you want to manage authentication using the Cloud Manager or Ops Manager user interface or APIs.

spec.security.authentication.modes

Type: array

Specifies the authentication mechanism that your MongoDB deployment uses. Valid values are SCRAM, SCRAM-SHA-1, MONGODB-CR, X509, and LDAP. We recommend SCRAM-SHA-256 (SCRAM) over SCRAM-SHA-1. If you specify SCRAM-SHA-1, you must also specify MONGODB-CR.

X.509 Internal Cluster Authentication

To enable X.509 internal cluster authentication for the Cloud Manager or Ops Manager project, set this value to ["X509"] and specify the following settings:

If you provide more than one value for spec.security.authentication.modes, you must also specify a value for spec.security.authentication.agents.mode.

spec.security.authentication.internalCluster

Type: string

Specifies whether X.509 internal cluster authentication is enabled.

To enable X.509 internal cluster authentication, set to "X509". Requires that the following settings be specified:

The Kubernetes Operator accepts the following values:

  • ["X509"]: X.509 internal cluster authentication is enabled.
  • "" or omitted: internal cluster authentication is not enabled.

Important

After you enable internal cluster authentication, you can’t disable it.

spec.security.authentication.requireClientTLSAuthentication

Type: boolean

Default: false

Specifies whether the MongoDB host requires clients to connect using a TLS certificate. Defaults to true if you enable TLS authentication.

To enable TLS authentication, provide a value

spec.security.authentication.ldap

Type: collection

Required for LDAP authentication.

Configures LDAP authentication for the Cloud Manager or Ops Manager project. To enable LDAP authentication, set spec.security.authentication.modes to ["LDAP"].

spec.security.authentication.ldap.servers

Type: array of strings

Required for LDAP authentication.

List of hostnames and ports of the LDAP servers. Specify hostnames with their respective ports in the following format:

copy 
spec:
  security:
    authentication:
      ldap:
        servers:
          - "<hostname1>:<port1>"
          - "<hostname2>:<port2>"
spec.security.authentication.ldap.timeoutMS

Type: integer

Specifies how many milliseconds an authentication request should wait before timing out.

spec.security.authentication.ldap.transportSecurity

Type: string

Required for LDAP authentication.

Specifies whether the LDAP server accepts TLS.

If the LDAP server accepts TLS, set to tls. If the LDAP server doesn’t accept TLS, leave this value blank.

spec.security.authentication.ldap.caConfigMapRef

Type: collection

Required for LDAP authentication with TLS.

ConfigMap that contains a CA which validates the LDAP server’s TLS certificate.

spec.security.authentication.ldap.caConfigMapRef.name

Type: string

Required for LDAP authentication with TLS.

Name of the ConfigMap that contains a CA which validates the LDAP server’s TLS certificate.

spec.security.authentication.ldap.caConfigMapRef.key

Type: string

Required for LDAP authentication with TLS.

Field name that stores the CA which validates the LDAP server’s TLS certificate.

spec.security.authentication.ldap.bindQueryUser

Type: string

Required for LDAP authentication.

LDAP Distinguished Name to which MongoDB binds when connecting to the LDAP server.

spec.security.authentication.ldap.bindQueryPasswordSecretRef

Type: collection

Required for LDAP authentication.

Specifies the secret that contains the password with which MongoDB binds when connecting to the LDAP server.

spec.security.authentication.ldap.bindQueryPasswordSecretRef.name

Type: string

Required for LDAP authentication.

Name of the secret that contains the password with which MongoDB binds when connecting to the LDAP server.

The secret must contain only one password field which stores the password.

spec.security.authentication.ldap.authzQueryTemplate

Type: string

Required for LDAP authorization.

An RFC4515 and RFC4516 LDAP-formatted query URL template executed by MongoDB to obtain the LDAP groups that the user belongs to. The query is relative to the host or hosts specified in spec.security.authentication.ldap.servers. You can use the following tokens in the template:

  • {USER}
    Substitutes the authenticated username, or the transformed username, into the LDAP query.
  • {PROVIDED_USER}
    Substitutes the supplied username, before either authentication or LDAP transformation, into the LDAP query. (Available starting in MongoDB version 4.2)

See also

LDAP Query Templates in the MongoDB Manual

spec.security.authentication.ldap.automationLdapGroupDN

Type: string

The Distinguished Name (DN) of the LDAP group to which the MongoDB Agent user belongs.

This setting is required if:

spec.security.authentication.ldap.userToDNMapping

Type: string

Maps the username provided to mongod or mongos for authentication to a LDAP Distinguished Name (DN).

See also

security.ldap.userToDNMapping in the MongoDB Manual

spec.security.authentication.ldap.userCacheInvalidationInterval

Type: integer

Specifies how many seconds MongoDB waits to flush the LDAP user cache. Defaults to 30 seconds.

spec.security.authentication.agents

Type: collection

MongoDB Agent authentication configuration for the Cloud Manager or Ops Manager project.

spec.security.authentication.agents.mode

Type: string

The authentication mechanism that the MongoDB Agents for your MongoDB deployment use. Valid values are SCRAM, SCARM-SHA-1, MONGODB-CR, X509, and LDAP. The value you specify must also be present in spec.security.authentication.modes. We recommend SCRAM-SHA-256 (SCRAM) over SCRAM-SHA-1. If you specify SCRAM-SHA-1, you must also specify MONGODB-CR.

This setting is required if you specified more than one value for spec.security.authentication.modes.

spec.security.authentication.agents.automationUserName

Type: string

Name of the user that the MongoDB Agents use to interact with your MongoDB deployment. The username is mapped to an LDAP Distinguished Name (DN) according to spec.security.authentication.ldap.userToDNMapping. The resulting DN must already exist in your LDAP deployment.

This setting is required if spec.security.authentication.agents.mode is LDAP.

spec.security.authentication.agents.automationPasswordSecretRef

Type: collection

Details of the secret that contains the password for the spec.security.authentication.agents.automationUserName user.

This setting is required if spec.security.authentication.agents.mode is LDAP.

spec.security.authentication.agents.automationPasswordSecretRef.name

Type: string

Name of the secret that contains the password for the spec.security.authentication.agents.automationUserName user. You must create this secret in the same namespace to which you deploy the Kubernetes Operator:

copy 
kubectl create secret generic ldap-agent-user \
--from-literal="password=<password>" -n <metadata.namespace>

This secret must contain one key, the value of which matches the password of the spec.security.authentication.agents.automationUserName user in your LDAP deployment.

This setting is required if spec.security.authentication.agents.mode is LDAP.

spec.security.authentication.agents.automationPasswordSecretRef.key

Type: string

Key in the spec.security.authentication.agents.automationPasswordSecretRef.name secret that contains the password for the user in spec.security.authentication.agents.automationUserName.

This setting is required if spec.security.authentication.agents.mode is LDAP.

spec.security.authentication.agents.clientCertificateSecretRef.name

Type: string

Specifies the secret that contains the MongoDB Agent’s TLS certificate. If omitted, defaults to agent-certs.

This secret must contain the following keys, the values of which are TLS certificates that can be validated by the server:

  • mms-automation-agent-pem
  • mms-backup-agent-pem
  • mms-monitoring-agent-pem

You must create this secret in the same namespace to which you deploy the Kubernetes Operator:

copy 
kubectl create secret generic agent-certs \
--from-file=mms-automation-agent-pem=<automation-cert.pem> \
--from-file=mms-backup-agent-pem=<backup-cert.pem> \
--from-file=mms-monitoring-agent-pem=<monitoring-cert.pem> \
--namespace=<metadata.namespace>
spec.security.roles

Type: array

Array that defines User-defined roles that give you fine-grained access control over your MongoDB deployment.

To enable user-defined roles, the spec.security.authentication.enabled must be true.

Example

In this example, a user-defined role named customRole allows users assigned this role to:

  • Insert documents into the cats collection in the pets database, and
  • Find and insert documents into the dogs collection in the pets database.
copy 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: <my-replica-set>
spec:
  members: 3
  version: "4.2.2-ent"
  type: ReplicaSet
  opsManager:
    configMapRef:
      name: <configMap.metadata.name>
  credentials: <mycredentials>
  persistent: true
  security:
    authentication:
      enabled: true
      modes:
        - "SCRAM"
    roles:
      - role: "customRole"
        db: admin    
        privileges:
        - actions:
          - insert
          resource:
            collection: cats
            db: pets
        - actions:
          - insert
          - find
          resource:
            collection: dogs
            db: pets
...
spec.security.roles.role

Type: string

Name of the user-defined role.

spec.security.roles.db

Type: string

The database in which you want to store the user-defined role.

Example

admin

spec.security.roles.authenticationRestrictions

Type: array

Array that defines the IP address from which and to which users assigned this spec.security.roles.role can connect.

spec.security.roles.authenticationRestrictions.clientSource

Type: array

Array of IP addresses or CIDR blocks from which users assigned this spec.security.roles.role can connect.

MongoDB servers reject connection requests from users with this role if the requests come from a client that is not present in this array.

spec.security.roles.authenticationRestrictions.serverAddress

Type: array

Array of IP addresses or CIDR blocks to which users assigned this spec.security.roles.role can connect.

MongoDB servers reject connection requests from users with this role if the client requests to connect to a server that is not present in this array.

spec.security.roles.privileges

Type: array

Array that describes the privileges that users granted this role possess.

spec.security.roles.privileges.actions

Type: array

List of actions that users granted this role can perform. For a list of accepted values, see Privilege Actions in the MongoDB Manual for the MongoDB versions you deploy with the Kubernetes Operator.

spec.security.roles.privileges.resource

Type: collection

Resources for which the privilege actions apply.

This collection must include either:

spec.security.roles.privileges.resource.database

Type: string

Database for which the privilege actions apply.

If you provide a value for this setting, you must also provide a value for spec.security.roles.privileges.resource.collection.

spec.security.roles.privileges.resource.collection

Type: string

Collection in the database for which the privilege actions apply.

If you provide a value for this setting, you must also provide a value for spec.security.roles.privileges.resource.database.

spec.security.roles.privileges.resource.cluster

Type: boolean

Default: False

Flag that indicates that the privilege actions apply to all databases and collections in the MongoDB deployment. If omitted, defaults to false.

If set to true, do not provide values for spec.security.roles.privileges.resource.database and spec.security.roles.privileges.resource.collection.

Examples

The following example shows a resource specification for a standalone deployment with every setting provided:

copy 
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-standalone
spec:
  version: "4.2.2-ent"
  service: my-service
  opsManager: # Alias of cloudManager
    configMapRef:
      name: my-project
  credentials: my-credentials
  persistent: true
  type: Standalone
  additionalMongodConfig:
    systemLog:
      logAppend: true
      verbosity: 4
    operationProfiling:
      mode: slowOp
  podSpec:
    persistence:
      single:
        storage: "12Gi"
        storageClass: standard
        labelSelector:
          matchExpressions:
          - {key: environment, operator: In, values: [dev]}
    podAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: security
            operator: In
            values:
            - S1
        topologyKey: failure-domain.beta.kubernetes.io/zone
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: kubernetes.io/e2e-az-name
            operator: In
            values:
            - e2e-az1
            - e2e-az2
    podTemplate:
      metadata:
        labels:
          label1: mycustomlabel
      spec:
        affinity:
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
              - podAffinityTerm:
                  topologyKey: "mykey"
                weight: 50
...

The following example shows a resource specification for a replica set with every setting provided:

copy 
---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-replica-set
spec:
  members: 3
  version: "4.4.0-ent"
  service: my-service
  opsManager: # Alias of cloudManager
    configMapRef:
      name: my-project
  credentials: my-credentials
  persistent: true
  type: ReplicaSet
  podSpec:
    persistence:
      multiple:
        data:
          storage: "10Gi"
        journal:
          storage: "1Gi"
          labelSelector:
            matchLabels:
              app: "my-app"
        logs:
          storage: "500M"
          storageClass: standard
    podAntiAffinityTopologyKey: nodeId
    podAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: security
            operator: In
            values:
            - S1
        topologyKey: failure-domain.beta.kubernetes.io/zone
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: kubernetes.io/e2e-az-name
            operator: In
            values:
            - e2e-az1
            - e2e-az2
    podTemplate:
      metadata:
        labels:
          label1: mycustomlabel
      spec:
        affinity:
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
              - podAffinityTerm:
                  topologyKey: "mykey"
                weight: 50
  security:
    certsSecretPrefix: "prefix"
    tls:
      ca: custom-ca
    authentication:
      enabled: true
      modes: ["X509"]
      internalCluster: "X509"
  statefulSet:
    spec:
      serviceName: my-service
  additionalMongodConfig:
    net:
      ssl:
        mode: preferSSL
...

The following example shows a resource specification for a sharded cluster with every setting provided:

copy 
---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: my-sharded-cluster
spec:
  shardCount: 2
  mongodsPerShardCount: 3
  mongosCount: 2
  configServerCount: 3
  version: "4.4.0-ent"
  service: my-service
  type: ShardedCluster

  ## Please Note: The default Kubernetes cluster name is
  ## `cluster.local`.
  ## If your cluster has been configured with another name, you can
  ## specify it with the `clusterDomain` attribute.

  opsManager: # Alias of cloudManager
    configMapRef:
      name: my-project
  credentials: my-credentials

  persistent: true
  configSrvPodSpec:

    # if "persistence" element is omitted then Operator uses the
    # default size (5Gi) for mounting single Persistent Volume

    podAntiAffinityTopologyKey: kubernetes.io/hostname
    podAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: security
            operator: In
            values:
            - S1
        topologyKey: failure-domain.beta.kubernetes.io/zone
    podTemplate:
      metadata:
        labels:
          label1: mycustomlabel
      spec:
        affinity:
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
              - podAffinityTerm:
                  topologyKey: "mykey"
                weight: 50
  mongosPodSpec:
    podAntiAffinityTopologyKey: rackId
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        preference:
          matchExpressions:
          - key: another-node-label-key
            operator: In
            values:
            - another-node-label-value
    podTemplate:
      metadata:
        labels:
          label1: mycustomlabel
      spec:
        affinity:
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
              - podAffinityTerm:
                  topologyKey: "mykey"
                weight: 50
  shardPodSpec:
    persistence:
      multiple:
        # if the child of "multiple" is omitted then the default size will be used.
        # 16GB for "data", 1GB for "journal", 3GB for "logs"
        data:
          storage: "20Gi"
        logs:
          storage: "4Gi"
          storageClass: standard
    podAntiAffinityTopologyKey: kubernetes.io/hostname
  mongos:
    additionalMongodConfig:
      systemLog:
        logAppend: true
        verbosity: 4
  configSrv:
    additionalMongodConfig:
      operationProfiling:
        mode: slowOp
  shard:
    additionalMongodConfig:
      storage:
        journal:
          commitIntervalMs: 50
  security:
    certsSecretPrefix: "prefix"
    tls:
     ca: custom-ca
    authentication:
      enabled: true
      modes: ["X509"]
      internalCluster: "X509"
  statefulSet:
    spec:
      serviceName: my-service
...

StatefulSet Settings

The following StatefulSets settings apply only to replica set and sharded cluster resource types.

spec.statefulSet.spec

Type: collection

Specification for the StatefulSet that the MongoDB Enterprise Kubernetes Operator creates for MongoDB Kubernetes resources.

spec.statefulSet.spec.serviceName

Type: string

Default: <resource_name>-svc and <resource_name>-svc-external

Name of the Kubernetes service to be created or used for a StatefulSet. If the service with this name already exists, the MongoDB Enterprise Kubernetes Operator doesn’t delete or recreate it. This setting lets you create your own custom services and lets the Kubernetes Operator reuse them.

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.