MongoDB.local SF, Jan 15: See the speaker lineup & ship your AI vision faster. Use WEB50 to save 50%
Find out more >
Docs 菜单
Docs 主页
/ /
部署搜索和向量搜索
Docs 主页
/
管理
/
Kubernetes Operator 的控制器
/
部署搜索和向量搜索
Docs 主页
/
管理
/
Kubernetes Operator 的控制器
/
部署搜索和向量搜索

安装和使用MongoDB Enterprise Edition 搜索

您可以使用Kubernetes Operator部署MongoDB Search 和 Vector Search 资源,以便在Kubernetes集群上与MongoDB 企业 v8.2.0 或更高版本一起运行。此过程演示了如何部署和配置 mongot进程,使其与Kubernetes集群中的新副本集或现有副本集一起运行。该部署使用 TLS 证书来确保MongoDB节点和 mongot搜索进程之间的安全通信。

先决条件

要部署MongoDB Search 和 Vector Search,您必须具备以下条件:

  • 一个运行的Kubernetes集群,且本地可用 kubeconfig

  • Kubernetes命令行工具 kubectl,配置为与集群通信。

  • Helm( Kubernetes的包管理器),用于安装Kubernetes Operator。

  • Bash v5.1 或更高版本,用于运行本教程中的命令。

  • MongoDB Ops Manager 或 MongoDB Cloud Manager 项目和 API 凭证。

步骤

1

必填。设置环境变量。

设置环境变量以供本过程中的后续步骤使用。复制以下命令,更新环境的值,然后运行这些命令以加载变量:

1# set it to the context name of the k8s cluster
2export K8S_CTX="<local cluster context>"
3
4# the following namespace will be created if not exists
5export MDB_NS="mongodb"
6
7# name of the MongoDB Custom Resource.
8export MDB_RESOURCE_NAME="mdb-rs"
9
10export MDB_MEMBERS=3
11# OM/CM's project name to be used to manage mongodb replica set
12export OPS_MANAGER_PROJECT_NAME="<arbitrary project name>"
13
14# URL to Cloud Manager or Ops Manager instance
15export OPS_MANAGER_API_URL="https://cloud-qa.mongodb.com"
16
17# The API key can be an Org Owner - the operator can create the project automatically then.
18# The API key can also be created in a particular project that was created manually with the Project Owner scope.
19export OPS_MANAGER_API_USER="<SET API USER>"
20export OPS_MANAGER_API_KEY="<SET API KEY>"
21export OPS_MANAGER_ORG_ID="<SET ORG ID>"
22
23# minimum required MongoDB version for running MongoDB Search is 8.2.0
24export MDB_VERSION="8.2.0-ent"
25
26# root admin user for convenience, not used here at all in this guide
27export MDB_ADMIN_USER_PASSWORD="admin-user-password-CHANGE-ME"
28# regular user performing restore and search queries on sample mflix database
29export MDB_USER_PASSWORD="mdb-user-password-CHANGE-ME"
30# user for MongoDB Search to connect to the replica set to synchronise data from
31export MDB_SEARCH_SYNC_USER_PASSWORD="search-sync-user-password-CHANGE-ME"
32
33export OPERATOR_HELM_CHART="mongodb/mongodb-kubernetes"
34# comma-separated key=value pairs for additional parameters passed to the helm-chart installing the operator
35export OPERATOR_ADDITIONAL_HELM_VALUES=""
36
37export MDB_TLS_CERT_SECRET_PREFIX="certs"
38export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap"
39
40export CERT_MANAGER_NAMESPACE="cert-manager"
41export MDB_TLS_SELF_SIGNED_ISSUER="selfsigned-bootstrap-issuer"
42export MDB_TLS_CA_CERT_NAME="my-selfsigned-ca"
43export MDB_TLS_CA_SECRET_NAME="root-secret"
44export MDB_TLS_CA_ISSUER="my-ca-issuer"
45export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_TLS_CERT_SECRET_PREFIX}-${MDB_RESOURCE_NAME}-cert"
46export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls"
47
48export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true&tlsCAFile=/tls/ca.crt"
2

有条件。添加MongoDB Helm存储库。

Helm 可自动部署和管理Kubernetes上的MongoDB实例。如果您已经添加了包含用于安装Kubernetes Operator 操作符 的Helm 图表的 Helm存储库,请跳过此步骤。否则,请添加 Helm存储库。

要添加、复制、粘贴并运行以下命令:

1helm repo add mongodb https://mongodb.github.io/helm-charts
2helm repo update mongodb
3helm search repo mongodb/mongodb-kubernetes
1"mongodb" has been added to your repositories
2Hang tight while we grab the latest from your chart repositories...
3...Successfully got an update from the "mongodb" chart repository
4Update Complete. ⎈Happy Helming!⎈
5NAME                      	CHART VERSION	APP VERSION	DESCRIPTION                                       
6mongodb/mongodb-kubernetes	1.6.1        	           	MongoDB Controllers for Kubernetes translate th...
3

有条件。为Kubernetes Operator 安装MongoDB控制器。

Kubernetes 操作符监视 MongoDBMongoDBOpsManager 和 MongoDBSearch 自定义资源,并管理 MongoDB 部署的生命周期。如果您已经安装了MongoDB Controllers for Kubernetes 操作符,请跳过此步骤。否则,请从您在上一个步骤中添加的 Helm 存储库安装 MongoDB Controllers for Kubernetes 操作符。

要在 mongodb命名空间中安装MongoDB Controllers for Kubernetes Operator,请复制、粘贴并运行以下命令:

1helm upgrade --install --debug --kube-context "${K8S_CTX}" \
2  --create-namespace \
3  --namespace="${MDB_NS}" \
4  mongodb-kubernetes \
5  ${OPERATOR_ADDITIONAL_HELM_VALUES:+--set ${OPERATOR_ADDITIONAL_HELM_VALUES}} \
6  "${OPERATOR_HELM_CHART}"
1Release "mongodb-kubernetes" does not exist. Installing it now.
2NAME: mongodb-kubernetes
3LAST DEPLOYED: Wed Dec 17 11:23:39 2025
4NAMESPACE: mongodb
5STATUS: deployed
6REVISION: 1
7TEST SUITE: None
8USER-SUPPLIED VALUES:
9{}
10
11COMPUTED VALUES:
12agent:
13  name: mongodb-agent
14  version: 108.0.12.8846-1
15community:
16  agent:
17    name: mongodb-agent
18    version: 108.0.2.8729-1
19  mongodb:
20    imageType: ubi8
21    name: mongodb-community-server
22    repo: quay.io/mongodb
23  registry:
24    agent: quay.io/mongodb
25  resource:
26    members: 3
27    name: mongodb-replica-set
28    tls:
29      caCertificateSecretRef: tls-ca-key-pair
30      certManager:
31        certDuration: 8760h
32        renewCertBefore: 720h
33      certificateKeySecretRef: tls-certificate
34      enabled: false
35      sampleX509User: false
36      useCertManager: true
37      useX509: false
38    version: 4.4.0
39database:
40  name: mongodb-kubernetes-database
41  version: 1.6.1
42initAppDb:
43  name: mongodb-kubernetes-init-appdb
44  version: 1.6.1
45initDatabase:
46  name: mongodb-kubernetes-init-database
47  version: 1.6.1
48initOpsManager:
49  name: mongodb-kubernetes-init-ops-manager
50  version: 1.6.1
51managedSecurityContext: false
52mongodb:
53  appdbAssumeOldFormat: false
54  name: mongodb-enterprise-server
55  repo: quay.io/mongodb
56multiCluster:
57  clusterClientTimeout: 10
58  clusters: []
59  kubeConfigSecretName: mongodb-enterprise-operator-multi-cluster-kubeconfig
60  performFailOver: true
61operator:
62  additionalArguments: []
63  affinity: {}
64  baseName: mongodb-kubernetes
65  createOperatorServiceAccount: true
66  createResourcesServiceAccountsAndRoles: true
67  deployment_name: mongodb-kubernetes-operator
68  enableClusterMongoDBRoles: true
69  enablePVCResize: true
70  env: prod
71  maxConcurrentReconciles: 1
72  mdbDefaultArchitecture: non-static
73  name: mongodb-kubernetes-operator
74  nodeSelector: {}
75  operator_image_name: mongodb-kubernetes
76  podSecurityContext:
77    runAsNonRoot: true
78    runAsUser: 2000
79  replicas: 1
80  resources:
81    limits:
82      cpu: 1100m
83      memory: 1Gi
84    requests:
85      cpu: 500m
86      memory: 200Mi
87  securityContext: {}
88  telemetry:
89    collection:
90      clusters: {}
91      deployments: {}
92      frequency: 1h
93      operators: {}
94    send:
95      frequency: 168h
96  tolerations: []
97  vaultSecretBackend:
98    enabled: false
99    tlsSecretRef: ""
100  version: 1.6.1
101  watchedResources:
102  - mongodb
103  - opsmanagers
104  - mongodbusers
105  - mongodbcommunity
106  - mongodbsearch
107  webhook:
108    installClusterRole: true
109    registerConfiguration: true
110opsManager:
111  name: mongodb-enterprise-ops-manager-ubi
112readinessProbe:
113  name: mongodb-kubernetes-readinessprobe
114  version: 1.0.23
115registry:
116  agent: quay.io/mongodb
117  database: quay.io/mongodb
118  imagePullSecrets: null
119  initAppDb: quay.io/mongodb
120  initDatabase: quay.io/mongodb
121  initOpsManager: quay.io/mongodb
122  operator: quay.io/mongodb
123  opsManager: quay.io/mongodb
124  pullPolicy: Always
125  readinessProbe: quay.io/mongodb
126  versionUpgradeHook: quay.io/mongodb
127search:
128  name: mongodb-search
129  repo: quay.io/mongodb
130  version: 0.55.0
131versionUpgradeHook:
132  name: mongodb-kubernetes-operator-version-upgrade-post-start-hook
133  version: 1.0.10
134
135HOOKS:
136MANIFEST:
137---
138# Source: mongodb-kubernetes/templates/database-roles.yaml
139apiVersion: v1
140kind: ServiceAccount
141metadata:
142  name: mongodb-kubernetes-appdb
143  namespace: mongodb
144---
145# Source: mongodb-kubernetes/templates/database-roles.yaml
146apiVersion: v1
147kind: ServiceAccount
148metadata:
149  name: mongodb-kubernetes-database-pods
150  namespace: mongodb
151---
152# Source: mongodb-kubernetes/templates/database-roles.yaml
153apiVersion: v1
154kind: ServiceAccount
155metadata:
156  name: mongodb-kubernetes-ops-manager
157  namespace: mongodb
158---
159# Source: mongodb-kubernetes/templates/operator-sa.yaml
160apiVersion: v1
161kind: ServiceAccount
162metadata:
163  name: mongodb-kubernetes-operator
164  namespace: mongodb
165---
166# Source: mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml
167kind: ClusterRole
168apiVersion: rbac.authorization.k8s.io/v1
169metadata:
170  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
171rules:
172  - apiGroups:
173      - mongodb.com
174    verbs:
175      - '*'
176    resources:
177      - clustermongodbroles
178---
179# Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml
180# Additional ClusterRole for clusterVersionDetection
181kind: ClusterRole
182apiVersion: rbac.authorization.k8s.io/v1
183metadata:
184  name: mongodb-kubernetes-operator-cluster-telemetry
185rules:
186  # Non-resource URL permissions
187  - nonResourceURLs:
188      - "/version"
189    verbs:
190      - get
191  # Cluster-scoped resource permissions
192  - apiGroups:
193      - ''
194    resources:
195      - namespaces
196    resourceNames:
197      - kube-system
198    verbs:
199      - get
200  - apiGroups:
201      - ''
202    resources:
203      - nodes
204    verbs:
205      - list
206---
207# Source: mongodb-kubernetes/templates/operator-roles-webhook.yaml
208kind: ClusterRole
209apiVersion: rbac.authorization.k8s.io/v1
210metadata:
211  name: mongodb-kubernetes-operator-mongodb-webhook-cr
212rules:
213  - apiGroups:
214      - "admissionregistration.k8s.io"
215    resources:
216      - validatingwebhookconfigurations
217    verbs:
218      - get
219      - create
220      - update
221      - delete
222  - apiGroups:
223      - ""
224    resources:
225      - services
226    verbs:
227      - get
228      - list
229      - watch
230      - create
231      - update
232      - delete
233---
234# Source: mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml
235kind: ClusterRoleBinding
236apiVersion: rbac.authorization.k8s.io/v1
237metadata:
238  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role-binding
239roleRef:
240  apiGroup: rbac.authorization.k8s.io
241  kind: ClusterRole
242  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
243subjects:
244  - kind: ServiceAccount
245    name: mongodb-kubernetes-operator
246    namespace: mongodb
247---
248# Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml
249# ClusterRoleBinding for clusterVersionDetection
250kind: ClusterRoleBinding
251apiVersion: rbac.authorization.k8s.io/v1
252metadata:
253  name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding
254roleRef:
255  apiGroup: rbac.authorization.k8s.io
256  kind: ClusterRole
257  name: mongodb-kubernetes-operator-cluster-telemetry
258subjects:
259  - kind: ServiceAccount
260    name: mongodb-kubernetes-operator
261    namespace: mongodb
262---
263# Source: mongodb-kubernetes/templates/operator-roles-webhook.yaml
264kind: ClusterRoleBinding
265apiVersion: rbac.authorization.k8s.io/v1
266metadata:
267  name: mongodb-kubernetes-operator-mongodb-webhook-crb
268roleRef:
269  apiGroup: rbac.authorization.k8s.io
270  kind: ClusterRole
271  name: mongodb-kubernetes-operator-mongodb-webhook-cr
272subjects:
273  - kind: ServiceAccount
274    name: mongodb-kubernetes-operator
275    namespace: mongodb
276---
277# Source: mongodb-kubernetes/templates/database-roles.yaml
278kind: Role
279apiVersion: rbac.authorization.k8s.io/v1
280metadata:
281  name: mongodb-kubernetes-appdb
282  namespace: mongodb
283rules:
284  - apiGroups:
285      - ''
286    resources:
287      - secrets
288    verbs:
289      - get
290  - apiGroups:
291      - ''
292    resources:
293      - pods
294    verbs:
295      - patch
296      - delete
297      - get
298---
299# Source: mongodb-kubernetes/templates/operator-roles-base.yaml
300kind: Role
301apiVersion: rbac.authorization.k8s.io/v1
302metadata:
303  name: mongodb-kubernetes-operator
304  namespace: mongodb
305rules:
306  - apiGroups:
307      - ''
308    resources:
309      - services
310    verbs:
311      - get
312      - list
313      - watch
314      - create
315      - update
316      - delete
317  - apiGroups:
318      - ''
319    resources:
320      - secrets
321      - configmaps
322    verbs:
323      - get
324      - list
325      - create
326      - update
327      - delete
328      - watch
329  - apiGroups:
330      - apps
331    resources:
332      - statefulsets
333    verbs:
334      - create
335      - get
336      - list
337      - watch
338      - delete
339      - update
340  - apiGroups:
341      - ''
342    resources:
343      - pods
344    verbs:
345      - get
346      - list
347      - watch
348      - delete
349      - deletecollection
350  - apiGroups:
351      - mongodbcommunity.mongodb.com
352    resources:
353      - mongodbcommunity
354      - mongodbcommunity/status
355      - mongodbcommunity/spec
356      - mongodbcommunity/finalizers
357    verbs:
358      - '*'
359  - apiGroups:
360      - mongodb.com
361    verbs:
362      - '*'
363    resources:
364      - mongodb
365      - mongodb/finalizers
366      - mongodbusers
367      - mongodbusers/finalizers
368      - opsmanagers
369      - opsmanagers/finalizers
370      - mongodbmulticluster
371      - mongodbmulticluster/finalizers
372      - mongodbsearch
373      - mongodbsearch/finalizers
374      - mongodb/status
375      - mongodbusers/status
376      - opsmanagers/status
377      - mongodbmulticluster/status
378      - mongodbsearch/status
379---
380# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml
381kind: Role
382apiVersion: rbac.authorization.k8s.io/v1
383metadata:
384  name: mongodb-kubernetes-operator-pvc-resize
385  namespace: mongodb
386rules:
387  - apiGroups:
388      - ''
389    resources:
390      - persistentvolumeclaims
391    verbs:
392      - get
393      - delete
394      - list
395      - watch
396      - patch
397      - update
398---
399# Source: mongodb-kubernetes/templates/database-roles.yaml
400kind: RoleBinding
401apiVersion: rbac.authorization.k8s.io/v1
402metadata:
403  name: mongodb-kubernetes-appdb
404  namespace: mongodb
405roleRef:
406  apiGroup: rbac.authorization.k8s.io
407  kind: Role
408  name: mongodb-kubernetes-appdb
409subjects:
410  - kind: ServiceAccount
411    name: mongodb-kubernetes-appdb
412    namespace: mongodb
413---
414# Source: mongodb-kubernetes/templates/operator-roles-base.yaml
415kind: RoleBinding
416apiVersion: rbac.authorization.k8s.io/v1
417metadata:
418  name: mongodb-kubernetes-operator
419  namespace: mongodb
420roleRef:
421  apiGroup: rbac.authorization.k8s.io
422  kind: Role
423  name: mongodb-kubernetes-operator
424subjects:
425  - kind: ServiceAccount
426    name: mongodb-kubernetes-operator
427    namespace: mongodb
428---
429# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml
430kind: RoleBinding
431apiVersion: rbac.authorization.k8s.io/v1
432metadata:
433  name: mongodb-kubernetes-operator-pvc-resize-binding
434  namespace: mongodb
435roleRef:
436  apiGroup: rbac.authorization.k8s.io
437  kind: Role
438  name: mongodb-kubernetes-operator-pvc-resize
439subjects:
440  - kind: ServiceAccount
441    name: mongodb-kubernetes-operator
442    namespace: mongodb
443---
444# Source: mongodb-kubernetes/templates/operator.yaml
445apiVersion: apps/v1
446kind: Deployment
447metadata:
448  name: mongodb-kubernetes-operator
449  namespace: mongodb
450spec:
451  replicas: 1
452  selector:
453    matchLabels:
454      app.kubernetes.io/component: controller
455      app.kubernetes.io/name: mongodb-kubernetes-operator
456      app.kubernetes.io/instance: mongodb-kubernetes-operator
457  template:
458    metadata:
459      labels:
460        app.kubernetes.io/component: controller
461        app.kubernetes.io/name: mongodb-kubernetes-operator
462        app.kubernetes.io/instance: mongodb-kubernetes-operator
463    spec:
464      serviceAccountName: mongodb-kubernetes-operator
465      securityContext:
466        runAsNonRoot: true
467        runAsUser: 2000
468      containers:
469        - name: mongodb-kubernetes-operator
470          image: "quay.io/mongodb/mongodb-kubernetes:1.6.1"
471          imagePullPolicy: Always
472          args:
473            - -watch-resource=mongodb
474            - -watch-resource=opsmanagers
475            - -watch-resource=mongodbusers
476            - -watch-resource=mongodbcommunity
477            - -watch-resource=mongodbsearch
478            - -watch-resource=clustermongodbroles
479          command:
480            - /usr/local/bin/mongodb-kubernetes-operator
481          resources:
482            limits:
483              cpu: 1100m
484              memory: 1Gi
485            requests:
486              cpu: 500m
487              memory: 200Mi
488          env:
489            - name: OPERATOR_ENV
490              value: prod
491            - name: MDB_DEFAULT_ARCHITECTURE
492              value: non-static
493            - name: NAMESPACE
494              valueFrom:
495                fieldRef:
496                  fieldPath: metadata.namespace
497            - name: WATCH_NAMESPACE
498              valueFrom:
499                fieldRef:
500                  fieldPath: metadata.namespace
501            - name: MDB_OPERATOR_TELEMETRY_COLLECTION_FREQUENCY
502              value: "1h"
503            - name: MDB_OPERATOR_TELEMETRY_SEND_FREQUENCY
504              value: "168h"
505            - name: CLUSTER_CLIENT_TIMEOUT
506              value: "10"
507            - name: IMAGE_PULL_POLICY
508              value: Always
509            # Database
510            - name: MONGODB_ENTERPRISE_DATABASE_IMAGE
511              value: quay.io/mongodb/mongodb-kubernetes-database
512            - name: INIT_DATABASE_IMAGE_REPOSITORY
513              value: quay.io/mongodb/mongodb-kubernetes-init-database
514            - name: INIT_DATABASE_VERSION
515              value: "1.6.1"
516            - name: DATABASE_VERSION
517              value: "1.6.1"
518            # Ops Manager
519            - name: OPS_MANAGER_IMAGE_REPOSITORY
520              value: quay.io/mongodb/mongodb-enterprise-ops-manager-ubi
521            - name: INIT_OPS_MANAGER_IMAGE_REPOSITORY
522              value: quay.io/mongodb/mongodb-kubernetes-init-ops-manager
523            - name: INIT_OPS_MANAGER_VERSION
524              value: "1.6.1"
525            # AppDB
526            - name: INIT_APPDB_IMAGE_REPOSITORY
527              value: quay.io/mongodb/mongodb-kubernetes-init-appdb
528            - name: INIT_APPDB_VERSION
529              value: "1.6.1"
530            - name: OPS_MANAGER_IMAGE_PULL_POLICY
531              value: Always
532            - name: AGENT_IMAGE
533              value: "quay.io/mongodb/mongodb-agent:108.0.12.8846-1"
534            - name: MDB_AGENT_IMAGE_REPOSITORY
535              value: "quay.io/mongodb/mongodb-agent"
536            - name: MONGODB_IMAGE
537              value: mongodb-enterprise-server
538            - name: MONGODB_REPO_URL
539              value: quay.io/mongodb
540            - name: PERFORM_FAILOVER
541              value: 'true'
542            - name: MDB_MAX_CONCURRENT_RECONCILES
543              value: "1"
544            - name: POD_NAME
545              valueFrom:
546                fieldRef:
547                  fieldPath: metadata.name
548            - name: OPERATOR_NAME
549              value: mongodb-kubernetes-operator
550            # Community Env Vars Start
551            - name: MDB_COMMUNITY_AGENT_IMAGE
552              value: "quay.io/mongodb/mongodb-agent:108.0.2.8729-1"
553            - name: VERSION_UPGRADE_HOOK_IMAGE
554              value: "quay.io/mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook:1.0.10"
555            - name: READINESS_PROBE_IMAGE
556              value: "quay.io/mongodb/mongodb-kubernetes-readinessprobe:1.0.23"
557            - name: MDB_COMMUNITY_IMAGE
558              value: "mongodb-community-server"
559            - name: MDB_COMMUNITY_REPO_URL
560              value: "quay.io/mongodb"
561            - name: MDB_COMMUNITY_IMAGE_TYPE
562              value: "ubi8"
563            # Community Env Vars End
564            - name: MDB_SEARCH_REPO_URL
565              value: "quay.io/mongodb"
566            - name: MDB_SEARCH_NAME
567              value: "mongodb-search"
568            - name: MDB_SEARCH_VERSION
569              value: "0.55.0"
4

有条件。安装 cert-manager

管理TLS证书需要 cert-manager。如果您已在集群中安装 cert-manager,请跳过此步骤。否则,请使用Helm 安装 cert-manager

要在 cert-manager命名空间中安装 cert-manager,请在终端中运行以下命令:

1helm upgrade --install \
2  cert-manager \
3  oci://quay.io/jetstack/charts/cert-manager \
4  --kube-context "${K8S_CTX}" \
5  --namespace "${CERT_MANAGER_NAMESPACE}" \
6  --create-namespace \
7  --set crds.enabled=true
8
9for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do
10  kubectl --context "${K8S_CTX}" \
11    -n "${CERT_MANAGER_NAMESPACE}" \
12    wait --for=condition=Available "deployment/${deployment}" --timeout=300s
13done
14
15echo "cert-manager is ready in namespace ${CERT_MANAGER_NAMESPACE}."
5

必需。准备证书颁发者和 CA 基础架构。

创建证书颁发机构基础架构,为 MongoDBMongoDBSearch 资源颁发 TLS 证书。这些命令执行以下操作:

  • 创建自签名 ClusterIssuer

  • 生成 CA 证书。

  • 发布所有命名空间都可以使用的集群范围的 CA 颁发者。

  • 通过 ConfigMap 公开 CA 捆绑包,以便 MongoDB 资源可以使用它。

1# Bootstrap a self-signed ClusterIssuer to mint the CA secret consumed by application workloads.
2kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
3apiVersion: cert-manager.io/v1
4kind: ClusterIssuer
5metadata:
6  name: ${MDB_TLS_SELF_SIGNED_ISSUER}
7spec:
8  selfSigned: {}
9EOF_MANIFEST
10
11kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}"
12
13kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
14apiVersion: cert-manager.io/v1
15kind: Certificate
16metadata:
17  name: ${MDB_TLS_CA_CERT_NAME}
18  namespace: ${CERT_MANAGER_NAMESPACE}
19spec:
20  isCA: true
21  commonName: ${MDB_TLS_CA_CERT_NAME}
22  secretName: ${MDB_TLS_CA_SECRET_NAME}
23  privateKey:
24    algorithm: ECDSA
25    size: 256
26  issuerRef:
27    name: ${MDB_TLS_SELF_SIGNED_ISSUER}
28    kind: ClusterIssuer
29EOF_MANIFEST
30
31kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}"
32
33kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST
34apiVersion: cert-manager.io/v1
35kind: ClusterIssuer
36metadata:
37  name: ${MDB_TLS_CA_ISSUER}
38spec:
39  ca:
40    secretName: ${MDB_TLS_CA_SECRET_NAME}
41EOF_MANIFEST
42
43kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}"
44
45TMP_CA_CERT="$(mktemp)"
46trap 'rm -f "${TMP_CA_CERT}"' EXIT
47
48kubectl --context "${K8S_CTX}" get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" -o jsonpath="{.data['ca\\.crt']}" | base64 --decode > "${TMP_CA_CERT}"
49
50kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \
51  --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" \
52  --from-file=ca.crt="${TMP_CA_CERT}" \
53  --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
6

必需。颁发 TLS 证书。

MongoDB${MDB_RESOURCE_NAME}-server-tls为 服务器() 和MongoDBSearch 服务 () 颁发 TLS${MDB_RESOURCE_NAME}-search-tls 证书。MongoDB服务器证书包括 Pod 和服务通信所需的所有 DNS 名称。这两种证书都支持服务器和客户端身份验证。

1server_certificate="${MDB_RESOURCE_NAME}-server-tls"
2search_certificate="${MDB_RESOURCE_NAME}-search-tls"
3
4mongo_dns_names=()
5for ((member = 0; member < MDB_MEMBERS; member++)); do
6  mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}")
7  mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local")
8done
9mongo_dns_names+=(
10  "${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
11  "*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local"
12)
13
14search_dns_names=(
15  "${MDB_RESOURCE_NAME}-search-svc.${MDB_NS}.svc.cluster.local"
16)
17
18render_dns_list() {
19  local dns_list=("$@")
20  for dns in "${dns_list[@]}"; do
21    printf "      - \"%s\"\n" "${dns}"
22  done
23}
24
25kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST
26apiVersion: cert-manager.io/v1
27kind: Certificate
28metadata:
29  name: ${server_certificate}
30  namespace: ${MDB_NS}
31spec:
32  secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME}
33  issuerRef:
34    name: ${MDB_TLS_CA_ISSUER}
35    kind: ClusterIssuer
36  duration: 240h0m0s
37  renewBefore: 120h0m0s
38  usages:
39    - digital signature
40    - key encipherment
41    - server auth
42    - client auth
43  dnsNames:
44$(render_dns_list "${mongo_dns_names[@]}")
45---
46apiVersion: cert-manager.io/v1
47kind: Certificate
48metadata:
49  name: ${search_certificate}
50  namespace: ${MDB_NS}
51spec:
52  secretName: ${MDB_SEARCH_TLS_SECRET_NAME}
53  issuerRef:
54    name: ${MDB_TLS_CA_ISSUER}
55    kind: ClusterIssuer
56  duration: 240h0m0s
57  renewBefore: 120h0m0s
58  usages:
59    - digital signature
60    - key encipherment
61    - server auth
62    - client auth
63  dnsNames:
64$(render_dns_list "${search_dns_names[@]}")
65EOF_MANIFEST
66
67kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${server_certificate}" --timeout=300s
68kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${search_certificate}" --timeout=300s
7

有条件。创建和部署MongoDB Enterprise资源。

如果您已部署MongoDB Enterprise,请跳至下一步。否则,部署MongoDB Enterprise资源。

要部署MongoDB Enterprise,请完成以下步骤:

  1. 如果您正在使用 MongoDB Ops Manager ,请为 MongoDB Ops Manager 项目创建 ConfigMap 和密钥。

    要存储用于与MongoDB Ops Manager集成的配置和凭证,请复制、粘贴并运行以下命令:

    1kubectl --context "${K8S_CTX}" -n "${MDB_NS}" create configmap om-project \
    2  --from-literal=projectName="${OPS_MANAGER_PROJECT_NAME}" --from-literal=baseUrl="${OPS_MANAGER_API_URL}" \
    3  --from-literal=orgId="${OPS_MANAGER_ORG_ID:-}"
    4
    5kubectl --context "${K8S_CTX}" -n "${MDB_NS}" create secret generic om-credentials \
    6  --from-literal=publicKey="${OPS_MANAGER_API_USER}" \
    7  --from-literal=privateKey="${OPS_MANAGER_API_KEY}"

  2. 创建名为 mdb-rsMongoDB 自定义资源。

    该资源定义了 mongodmongodb-agent 容器的 CPU 和内存资源,并指示Kubernetes Operator 配置具有 3 成员的MongoDB副本集:

    要部署MongoDB Enterprise ,请在命名空间中复制、粘贴并运行以下命令:

    1kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
    2apiVersion: mongodb.com/v1
    3kind: MongoDB
    4metadata:
    5  name: ${MDB_RESOURCE_NAME}
    6spec:
    7  members: ${MDB_MEMBERS}
    8  version: ${MDB_VERSION}
    9  type: ReplicaSet
    10  opsManager:
    11    configMapRef:
    12      name: om-project
    13  credentials: om-credentials
    14  security:
    15    authentication:
    16      enabled: true
    17      ignoreUnknownUsers: true
    18      modes:
    19      - SCRAM
    20    certsSecretPrefix: ${MDB_TLS_CERT_SECRET_PREFIX}
    21    tls:
    22      enabled: true
    23      ca: ${MDB_TLS_CA_CONFIGMAP}
    24  agent:
    25    logLevel: INFO
    26  podSpec:
    27    podTemplate:
    28      spec:
    29        containers:
    30        - name: mongodb-enterprise-database
    31          resources:
    32            limits:
    33              cpu: "2"
    34              memory: 2Gi
    35            requests:
    36              cpu: "1"
    37              memory: 1Gi
    38EOF

  3. 等待 MongoDB资源部署完成。

    当您应用MongoDB 自定义资源时, Kubernetes 操作符开始部署MongoDB节点 (Pod)。此步骤会暂停执行,直到 mdbc-rs 资源的状态阶段为 Running,这表示MongoDB Community副本集可操作。

    1echo "Waiting for MongoDB resource to reach Running phase..."
    2kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running "mdb/${MDB_RESOURCE_NAME}" --timeout=400s
    3echo; echo "MongoDB resource"
    4kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get "mdb/${MDB_RESOURCE_NAME}"
    5echo; echo "Pods running in cluster ${K8S_CTX}"
    6kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get pods
    1Waiting for MongoDB resource to reach Running phase...
    2mongodb.mongodb.mongodb.com/mdbc-rs condition met
    3
    4MongoDB resource
    5NAME      PHASE     VERSION
    6mdbc-rs   Running   8.2
    7
    8Pods running in cluster minikube
    9NAME                                           READY   STATUS    RESTARTS   AGE
    10mdbc-rs-0                                      2/2     Running   0          2m30s
    11mdbc-rs-1                                      2/2     Running   0          82s
    12mdbc-rs-2                                      2/2     Running   0          38s
    13mongodb-kubernetes-operator-5776c8b4df-cppnf   1/1     Running   0          7m37s
8

必需。创建并加载MongoDB用户密钥。

MongoDB需要身份验证才能安全访问权限。在此步骤中,您将创建三个Kubernetes密钥:

  • mdb-admin-user-password: MongoDB管理员的档案。

  • mdb-user-password:授权执行搜索查询的用户的档案。

  • mdbc-rs-search-sync-source-password:专用搜索用户的档案,由 mongot进程在内部用于同步数据和管理索引。

Kubernetes Operator 将这些密钥挂载到MongoDB Pod 中。

要创建密钥,请在部署MongoDB Server并计划部署MongoDB Search 和 Vector Search 的命名空间中复制、粘贴并运行以下命令:

1# admin user with root role
2kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
3  create secret generic mdb-admin-user-password \
4  --from-literal=password="${MDB_ADMIN_USER_PASSWORD}"
5
6kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
7apiVersion: mongodb.com/v1
8kind: MongoDBUser
9metadata:
10  name: mdb-admin
11spec:
12  username: mdb-admin
13  db: admin
14  mongodbResourceRef:
15    name: ${MDB_RESOURCE_NAME}
16  passwordSecretKeyRef:
17    name: mdb-admin-user-password
18    key: password
19  roles:
20  - name: root
21    db: admin
22EOF
23
24# user used by MongoDB Search to connect to MongoDB database to synchronize data from
25# For MongoDB <8.2, the operator will be creating the searchCoordinator custom role automatically
26# From MongoDB 8.2, searchCoordinator role will be a built-in role.
27kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
28  create secret generic "${MDB_RESOURCE_NAME}-search-sync-source-password" \
29  --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}"
30kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
31apiVersion: mongodb.com/v1
32kind: MongoDBUser
33metadata:
34  name: search-sync-source-user
35spec:
36  username: search-sync-source
37  db: admin
38  mongodbResourceRef:
39    name: ${MDB_RESOURCE_NAME}
40  passwordSecretKeyRef:
41    name: ${MDB_RESOURCE_NAME}-search-sync-source-password
42    key: password
43  roles:
44  - name: searchCoordinator
45    db: admin
46EOF
47
48# user performing search queries
49kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \
50  create secret generic mdb-user-password \
51  --from-literal=password="${MDB_USER_PASSWORD}"
52kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
53apiVersion: mongodb.com/v1
54kind: MongoDBUser
55metadata:
56  name: mdb-user
57spec:
58  username: mdb-user
59  db: admin
60  mongodbResourceRef:
61    name: ${MDB_RESOURCE_NAME}
62  passwordSecretKeyRef:
63    name: mdb-user-password
64    key: password
65  roles:
66  - name: readWrite
67    db: sample_mflix
68EOF
1secret/mdb-admin-user-password created
2secret/mdbc-rs-search-sync-source-password created
3secret/mdb-user-password created
9

必需。为MongoDB Search 和 Vector Search 创建并部署资源。

您可以部署一个搜索节点实例,而无需任何负载均衡。要部署,请完成以下步骤:

  1. 创建名为 mdbc-rs 的 MongoDBSearch 自定义资源。

    此资源指定搜索节点的 CPU 和内存资源要求。要学习;了解有关此自定义资源中设置的更多信息,请参阅 MongoDB搜索和向量搜索设置。

    1kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF
    2apiVersion: mongodb.com/v1
    3kind: MongoDBSearch
    4metadata:
    5  name: ${MDB_RESOURCE_NAME}
    6spec:
    7  # no need to specify source.mongodbResourceRef if MongoDBSearch CR has the same name as MongoDB CR
    8  # the operator infer it automatically
    9  security:
    10    tls:
    11      certificateKeySecretRef:
    12        name: ${MDB_SEARCH_TLS_SECRET_NAME}
    13  resourceRequirements:
    14    limits:
    15      cpu: "3"
    16      memory: 5Gi
    17    requests:
    18      cpu: "2"
    19      memory: 3Gi
    20EOF

  2. 等待 MongoDBSearch资源部署完成。

    当您应用MongoDBSearch 自定义资源时, Kubernetes 操作符开始部署搜索节点 (pod)。此步骤会暂停执行,直到 mdbc-rs 资源的状态阶段为 Running,这表示MongoDB Community副本集可操作。

    1echo "Waiting for MongoDBSearch resource to reach Running phase..."
    2kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running "mdbs/${MDB_RESOURCE_NAME}" --timeout=300s
10

可选。验证MongoDB Enterprise资源状态。

确保使用 MongoDBSearch 的 MongoDB资源部署成功。

1echo "Waiting for MongoDB resource to reach Running phase..."
2kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running "mdb/${MDB_RESOURCE_NAME}" --timeout=400s
11

可选。查看命名空间中所有运行的Pod。

查看MongoDB副本集成员、 Kubernetes Operator 的MongoDB控制器以及搜索节点的命名空间Pod 中运行的所有 Pod。

1echo; echo "MongoDB resource"
2kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get "mdb/${MDB_RESOURCE_NAME}"
3echo; echo "MongoDBSearch resource"
4kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get "mdbs/${MDB_RESOURCE_NAME}"
5echo; echo "Pods running in cluster ${K8S_CTX}"
6kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get pods
1MongoDB resource
2NAME     PHASE     VERSION     TYPE         AGE
3mdb-rs   Running   8.2.0-ent   ReplicaSet   6m19s
4
5MongoDBSearch resource
6NAME     PHASE     VERSION   AGE
7mdb-rs   Running   0.55.0    3m39s
8
9Pods running in cluster kind-kind
10NAME                                           READY   STATUS    RESTARTS        AGE
11mdb-rs-0                                       1/1     Running   0               6m17s
12mdb-rs-1                                       1/1     Running   0               5m24s
13mdb-rs-2                                       1/1     Running   0               4m44s
14mdb-rs-search-0                                1/1     Running   3 (2m58s ago)   3m39s
15mongodb-kubernetes-operator-7bd6cdd889-9p7cx   1/1     Running   0               6m37s

后续步骤

现在,您已成功部署MongoDB Search 和 Vector Search 以便与MongoDB Enterprise Edition 一起使用,接下来您可以在MongoDB 集群中添加数据、创建MongoDB Search 和 Vector Search 索引,并对数据运行查询。要学习;了解更多信息,请参阅MongoDB搜索和向量搜索设置。

在此页面上