Multi-Kubernetes cluster MongoDB deployments allow you to add MongoDB instances in global clusters that span multiple geographic regions for increased availability and global distribution of data.
Prerequisites
Before you begin the following procedure, perform the following actions:
- Install - kubectl.
- Install Mongosh 
- Complete the GKE Clusters procedure or the equivalent. 
- Complete the TLS Certificates procedure or the equivalent. 
- Complete the Istio Service mesh procedure or the equivalent. 
- Complete the Deploy the MongoDB Operator procedure. 
- Complete the Multi-Cluster Ops Manager procedure procedure. You can skip this step if you use Cloud Manager instead of Ops Manager. 
- Set the required environment variables as follows: 
# This script builds on top of the environment configured in the setup guides. # It depends (uses) the following env variables defined there to work correctly. # If you don't use the setup guide to bootstrap the environment, then define them here. #  ${K8S_CLUSTER_0_CONTEXT_NAME} #  ${K8S_CLUSTER_1_CONTEXT_NAME} #  ${K8S_CLUSTER_2_CONTEXT_NAME} #  ${MDB_NAMESPACE} export RS_RESOURCE_NAME=mdb export MONGODB_VERSION="8.0.5-ent" 
Source Code
You can find all included source code in the MongoDB Kubernetes Operator repository.
Procedure
Create a CA certificate.
Run the following script to create the required CA Certificate with your certificate issuer.
1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -n "${MDB_NAMESPACE}" -f - <<EOF 2 apiVersion: cert-manager.io/v1 3 kind: Certificate 4 metadata: 5   name: mdb-cert 6 spec: 7   dnsNames: 8   - "*.${MDB_NAMESPACE}.svc.cluster.local" 9   duration: 240h0m0s 10   issuerRef: 11     name: my-ca-issuer 12     kind: ClusterIssuer 13   renewBefore: 120h0m0s 14   secretName: cert-prefix-mdb-cert 15   usages: 16   - server auth 17   - client auth 18 EOF 
Deploy the MongoDBMultiCluster resource.
Set spec.credentials, spec.opsManager.configMapRef.name,
which you defined in the Multi-Cluster Ops Manager procedure;
define your security settings and deploy the MongoDBMultiCluster resource.
In the following code sample, duplicateServiceObjects is set to false
to enable DNS proxying
in Istio.
Note
To enable the cross-cluster DNS resolution by the Istio service mesh, this tutorial creates service objects with a single ClusterIP address per each Kubernetes Pod.
1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -n "${MDB_NAMESPACE}" -f - <<EOF 2 apiVersion: mongodb.com/v1 3 kind: MongoDBMultiCluster 4 metadata: 5   name: ${RS_RESOURCE_NAME} 6 spec: 7   type: ReplicaSet 8   version: ${MONGODB_VERSION} 9   opsManager: 10     configMapRef: 11       name: mdb-org-project-config 12   credentials: mdb-org-owner-credentials 13   duplicateServiceObjects: false 14   persistent: true 15   backup: 16     mode: enabled 17   externalAccess: {} 18   security: 19     certsSecretPrefix: cert-prefix 20     tls: 21       ca: ca-issuer 22     authentication: 23       enabled: true 24       modes: ["SCRAM"] 25   clusterSpecList: 26     - clusterName: ${K8S_CLUSTER_0_CONTEXT_NAME} 27       members: 2 28     - clusterName: ${K8S_CLUSTER_1_CONTEXT_NAME} 29       members: 1 30     - clusterName: ${K8S_CLUSTER_2_CONTEXT_NAME} 31       members: 2 32 EOF 
Verify that the MongoDBMultiCluster resource is running.
Run the following command to confirm that the MongoDBMultiCluster resource is running.
1 echo; echo "Waiting for MongoDB to reach Running phase..." 2 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -n "${MDB_NAMESPACE}" wait --for=jsonpath='{.status.phase}'=Running "mdbmc/${RS_RESOURCE_NAME}" --timeout=900s 3 echo; echo "Pods running in cluster ${K8S_CLUSTER_0_CONTEXT_NAME}" 4 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -n "${MDB_NAMESPACE}" get pods 5 echo; echo "Pods running in cluster ${K8S_CLUSTER_1_CONTEXT_NAME}" 6 kubectl --context "${K8S_CLUSTER_1_CONTEXT_NAME}" -n "${MDB_NAMESPACE}" get pods 7 echo; echo "Pods running in cluster ${K8S_CLUSTER_2_CONTEXT_NAME}" 8 kubectl --context "${K8S_CLUSTER_2_CONTEXT_NAME}" -n "${MDB_NAMESPACE}" get pods 
Create a MongoDB user and password.
Run the following command to create a MongoDB user and password. Please use strong passwords for your deployments.
1 kubectl apply --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -n "${MDB_NAMESPACE}" -f - <<EOF 2 apiVersion: v1 3 kind: Secret 4 metadata: 5   name: rs-user-password 6 type: Opaque 7 stringData: 8   password: password 9 --- 10 apiVersion: mongodb.com/v1 11 kind: MongoDBUser 12 metadata: 13   name: rs-user 14 spec: 15   passwordSecretKeyRef: 16     name: rs-user-password 17     key: password 18   username: "rs-user" 19   db: "admin" 20   mongodbResourceRef: 21     name: ${RS_RESOURCE_NAME} 22   roles: 23   - db: "admin" 24     name: "root" 25 EOF 26 27 kubectl --context "${K8S_CLUSTER_0_CONTEXT_NAME}" wait --for=jsonpath='{.status.phase}'=Updated -n "${MDB_NAMESPACE}" mdbu/rs-user --timeout=300s 
Verify connectivity.
Run the mongosh following command to ensure that you can access your running MongoDB instance.
1 external_ip="$(kubectl get --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -n "${MDB_NAMESPACE}" svc "${RS_RESOURCE_NAME}-0-0-svc-external" -o=jsonpath="{.status.loadBalancer.ingress[0].ip}")" 2 3 mkdir -p certs 4 kubectl get --context "${K8S_CLUSTER_0_CONTEXT_NAME}" -n "${MDB_NAMESPACE}" cm/ca-issuer -o=jsonpath='{.data.ca-pem}' > certs/ca.crt 5 6 mongosh --host "${external_ip}" --username rs-user --password password --tls --tlsCAFile certs/ca.crt --tlsAllowInvalidHostnames --eval "db.runCommand({connectionStatus : 1})" 
{   authInfo: {     authenticatedUsers: [ { user: 'rs-user', db: 'admin' } ],     authenticatedUserRoles: [ { role: 'root', db: 'admin' } ]   },   ok: 1,   '$clusterTime': {     clusterTime: Timestamp({ t: 1747925179, i: 1 }),     signature: {       hash: Binary.createFromBase64('T1ZP+QUFgBXayfOsRI6XFdEmjKI=', 0),       keyId: Long('7507281432415305733')     }   },   operationTime: Timestamp({ t: 1747925179, i: 1 }) }