Create a Project using a ConfigMap
The MongoDB Enterprise Kubernetes Operator uses a Kubernetes ConfigMap to create or link your Ops Manager Project. To create a Kubernetes Operator ConfigMap, you need to edit a few lines of the example ConfigMap YAML file and apply the ConfigMap.
The prerequisites and procedure depend on whether your Ops Manager deployment is running with TLS enabled. The TLS prerequisites below apply only when TLS is enabled, and two procedures follow: first the procedure without TLS, then the procedure with TLS.
The MongoDB Enterprise Kubernetes Operator can use TLS certificates to encrypt communication between:
- The Kubernetes Operator and Ops Manager
- The MongoDB Agent or legacy Automation Agent and Ops Manager
The following sections guide you through verifying your Ops Manager configuration and configuring the Kubernetes Operator to use TLS.
Prerequisites
Ops Manager
- Ops Manager is running with TLS enabled.
- For more information, see the Ops Manager documentation on Configuring TLS.
- MongoDB Agents or legacy Automation Agents retrieve MongoDB builds from the Ops Manager application server.
- Configure this by setting Ops Manager’s Installer Download Source setting to Ops Manager Application Server.
- For detailed instructions on how to set this, see Configure Deployment to Have Limited Internet Access.
TLS
Get the root Certificate Authority for your Ops Manager instance.
To find who issued your root Certificate Authority:
- Visit your Ops Manager instance using a web browser.
- Click the lock icon next to your Ops Manager URL in the browser address box.
- View the Certificate. If you do not know how to view the certificate list for your web site, consult your browser’s documentation.
- The first certificate listed is the root Certificate Authority.
To download your root Certificate Authority from an outside provider:
- Search for the issuing company and "download root CA".
- Follow the issuing company’s instructions.
To get your root Certificate Authority from an internal source:
- Contact your security team and request the certificate file.
Procedure (Without TLS)
Copy the following example ConfigMap.
Change the four lines described in the following table.
Key | Type | Description | Example |
---|---|---|---|
metadata.name | string | Label for a Kubernetes object. | myconfigmap |
metadata.namespace | string | Scope of object names. Used to limit what can be managed to a subset of all objects. Important: The Kubernetes Operator, secret, and MongoDB Kubernetes resources must be created in the same namespace. | mongodb |
data.projectName | string | Label for your Ops Manager Project. Let the Kubernetes Operator create the Project: the Kubernetes Operator creates the Ops Manager Project if it does not exist. It is strongly recommended to use the Operator to create a new Project for Kubernetes to manage, because the Operator adds additional internal information to Projects that it creates. If you need or want to use an existing Project, specify that Project's name here. | Development |
data.orgId | string | 24-character hex string that uniquely identifies your MongoDB Organization. Important: This field is optional. Limited to Cloud Manager or Ops Manager Organizations: if you set this value, it can be for a Cloud Manager or Ops Manager organization only. If you try to use an Atlas organization, the Kubernetes Operator may not work as intended. | 5cc9b333dd3e384a625a6615 |
data.baseUrl | string | URL to your Ops Manager Application, including the FQDN and port number. Note: You may also use Cloud Manager. | https://ops.example.com:8443 |
(Optional) Enable X.509 authentication at the Cloud Manager or Ops Manager project level.
Enabling X.509 authentication at the project level configures all agents to use X.509 client authentication when communicating with MongoDB deployments.
Cloud Manager or one of the following versions of Ops Manager is required to use X.509 client authentication:
Ops Manager Version | Required Patch |
---|---|
Ops Manager 4.1 | 4.1.7 |
Ops Manager 4.0 | 4.0.11 |
To enable X.509 authentication, add the following lines to your ConfigMap:
Key | Type | Description | Example |
---|---|---|---|
data.authenticationMode | string | Requires all agents to use X.509 client authentication when communicating with MongoDB deployments. | x509 |
data.credentials | string | Name of the Kubernetes secret containing the Cloud Manager or Ops Manager Public and Private Keys for your desired Programmatic API Key. If you have not created these credentials yet, see Create Credentials for the Kubernetes Operator. | mycredentials |
Save this file with a .yaml file extension.
Invoke the Kubernetes command to create your ConfigMap.
Important: All subsequent kubectl commands you invoke must add the -n option with the metadata.namespace you specified in your ConfigMap.
Invoke the Kubernetes command to verify your ConfigMap.
Always include the namespace option with kubectl: kubectl defaults to an empty namespace if you do not specify the -n option, resulting in deployment failures. You must specify the value of the <metadata.namespace> field. The Kubernetes Operator, secret, and MongoDB Kubernetes resources should run in the same unique namespace.
This command returns a ConfigMap description in the shell:
If X.509 is enabled, approve the X.509 client certificates for the agents.
Note
If X.509 client authentication was not enabled in step 4, skip this step.
Run the following command to verify the agent certificate signing requests are pending:
The command returns the following output:
Approve the certificate for each agent using the NAME field above in the following command:
The following commands approve the agent CSRs:
Procedure (With TLS)
Create a ConfigMap for the Certificate Authority certificate.
The Kubernetes Operator requires the root Certificate Authority certificate of the Certificate Authority that issued the Ops Manager host’s certificate. Run the following command to create a ConfigMap containing the root CA certificate in the same namespace as your database pods:
Important: The Kubernetes Operator requires that the certificate is named mms-ca.crt in the ConfigMap.
Copy the following example ConfigMap.
Change the same lines as in the procedure without TLS (metadata.name, metadata.namespace, data.projectName, data.orgId and data.baseUrl); the key table in that procedure applies unchanged.
Specify the TLS settings
Change the following TLS keys:
Key | Type | Description | Example |
---|---|---|---|
sslMMSCAConfigMap | string | Name of the ConfigMap created in the first step containing the Root Certificate Authority certificate used to sign the Ops Manager host’s certificate. This mounts the CA certificate to the Kubernetes Operator and database resources. | my-root-ca |
sslRequireValidMMSServerCertificates | boolean | Forces the Operator to require a valid TLS certificate from Ops Manager. Important: The value must be enclosed in single quotes or the operator will throw an error. | 'true' |
Save this file with a .yaml file extension.
(Optional) Enable X.509 authentication at the Cloud Manager or Ops Manager project level.
This step is identical to the optional X.509 step in the procedure without TLS: add data.authenticationMode (x509) and data.credentials as described in that step's table, subject to the same Cloud Manager or Ops Manager version requirements.
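As an added example (not part of the original page and not the Operator's own code), the following Python script parses a ConfigMap written in the layout the key tables above describe (the project keys, the TLS keys and the optional X.509 keys) and checks the pitfalls those tables call out before you apply it: a missing namespace, a malformed orgId, a baseUrl without a port, an unquoted sslRequireValidMMSServerCertificates value, a TLS setting without its CA ConfigMap, and x509 without credentials. The sample ConfigMap values are constructed placeholders, and the parser assumes only this two-level layout, not general YAML.

```python
import re

# Constructed sample in the layout this page describes (placeholder values, not the Operator's own example).
SAMPLE_CONFIGMAP = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: myconfigmap
  namespace: mongodb
data:
  projectName: Development
  orgId: 5cc9b333dd3e384a625a6615
  baseUrl: https://ops.example.com:8443
  sslMMSCAConfigMap: my-root-ca
  sslRequireValidMMSServerCertificates: 'true'
  authenticationMode: x509
  credentials: mycredentials
"""
def parse_flat_configmap(text):
    """Parse the two-level ConfigMap layout above without PyYAML; values keep their quotes."""
    doc, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.partition(":")  # first colon only, so URLs keep their port
        if raw.startswith(" "):
            doc.setdefault(section, {})[key.strip()] = value.strip()
        else:
            section = key.strip()
            doc[section] = value.strip() or {}
    return doc

def check_configmap(doc):
    """Return the problems found against the rules in the tables above; [] means it passed."""
    meta, data, problems = doc.get("metadata", {}), doc.get("data", {}), []
    if not meta.get("namespace"):
        problems.append("metadata.namespace is unset; Operator, secret and MongoDB resources share one namespace")
    org_id = data.get("orgId")
    if org_id is not None and not re.fullmatch(r"[0-9a-fA-F]{24}", org_id):
        problems.append("data.orgId must be a 24-character hex string")
    if not re.fullmatch(r"https?://[^/:]+:\d+/?", data.get("baseUrl", "")):
        problems.append("data.baseUrl must include the FQDN and port, e.g. https://host:8443")
    tls_required = data.get("sslRequireValidMMSServerCertificates")
    if tls_required is not None and tls_required not in ("'true'", "'false'"):
        problems.append("sslRequireValidMMSServerCertificates must be a single-quoted string such as 'true'")
    if tls_required is not None and not data.get("sslMMSCAConfigMap"):
        problems.append("sslMMSCAConfigMap must name the ConfigMap holding the Ops Manager root CA (mms-ca.crt)")
    if data.get("authenticationMode") == "x509" and not data.get("credentials"):
        problems.append("authenticationMode x509 requires data.credentials")
    return problems
```

Run `check_configmap(parse_flat_configmap(open("myconfigmap.yaml").read()))` on your own file before the create step; an empty list means none of the checks fired.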
Invoke the Kubernetes command to create your ConfigMap.
Invoke the Kubernetes command to verify your ConfigMap.
If X.509 is enabled, approve the X.509 client certificates for the agents.
These three steps are identical to the same steps in the procedure without TLS above, including the requirement to add the -n option with your metadata.namespace to every subsequent kubectl command.
Next Steps
Now that you created your ConfigMap, Create Credentials for the Kubernetes Operator before you start deploying MongoDB resources.