This project is a PoC to set up a MongoDB replica set using Kubernetes. It should handle resizing of any type and be resilient to the various conditions both MongoDB and Kubernetes can find themselves in.
It's a fork of cvallance/mongo-k8s-sidecar with (many) changes and improvements.
The docker image is hosted on Docker Hub and can be found here: https://hub.docker.com/r/layer27/k8s-mongo-sidecar
An example Kubernetes replication controller can be found in the examples directory on GitHub: https://github.com/layer27/k8s-mongo-sidecar
Environment Variable | Required | Default | Description |
---|---|---|---|
KUBERNETES_CLUSTER_DOMAIN | NO | cluster.local | This allows the specification of a custom cluster domain name. Used for the creation of a stable network ID of the k8s Mongo pods. An example could be: "kube.local". |
KUBERNETES_SERVICE_NAME | YES | mongo | This should point to the MongoDB Kubernetes (headless) service that identifies all the pods. |
KUBERNETES_EXPOSED_SERVICES | NO | false | Allows the ReplicaSet to be referenced by Pod names. These should correspond to matching services created to align to each pod, so that MongoDB is exposed outside of the cluster as well as inside. |
KUBERNETES_NAMESPACE | NO | | The namespace to look up pods in. Not setting it will search for pods in all namespaces. |
KUBERNETES_POD_LABELS | YES | | This should be a comma-separated list of key=value pairs, the same as the podTemplate labels. See above for an example. |
MONGO_PORT | NO | 27017 | Configures the mongo port; allows the use of non-standard ports. |
MONGO_CONFIG_SVR | NO | false | Sets the configsvr option when initializing the replica set. |
MONGO_DATABASE | NO | local | Configures the mongo authentication database. |
MONGO_USERNAME | NO | | Configures the mongo username for authentication. |
MONGO_PASSWORD | NO | | Configures the mongo password for authentication. |
MONGO_AUTH_SOURCE | NO | admin | Configures the mongo database used as the authentication source. |
MONGO_AUTH_MECHANISM | NO | SCRAM-SHA-1 | Configures the mongo authentication mechanism. |
MONGO_TLS | NO | false | Enable MongoDB TLS connections. |
MONGO_TLS_CA | NO | | Path to the TLS CA certificate. |
MONGO_TLS_CERT | NO | | Path to the TLS certificate. |
MONGO_TLS_KEY | NO | | Path to the TLS key. |
MONGO_TLS_PASS | NO | | TLS certificate pass phrase. |
MONGO_TLS_CRL | NO | | Path to the TLS certificate revocation list. |
MONGO_TLS_IDENTITY_CHECK | NO | true | Server identity check during TLS. Checks the server's hostname against the certificate. |
SIDECAR_SLEEP_SECONDS | NO | 5 | This is how long to sleep between work cycles. |
SIDECAR_UNHEALTHY_SECONDS | NO | 15 | This is how many seconds a replica set member has to get healthy before automatically being removed from the replica set. |
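As an added illustration (not the sidecar's own code), the following derives the stable network ID of each member from KUBERNETES_SERVICE_NAME, the pod's namespace and KUBERNETES_CLUSTER_DOMAIN, and checks that a certificate's SAN list covers every member name, which is what a driver's hostname check enforces while MONGO_TLS_IDENTITY_CHECK is left at its default of true. The `<pod>.<service>.<namespace>.svc.<domain>` format is the standard StatefulSet DNS name and is assumed here; pod lists and SAN lists are constructed.

```python
from typing import Iterable

# Defaults taken from the environment-variable table above.
DEFAULTS = {
    "KUBERNETES_CLUSTER_DOMAIN": "cluster.local",
    "KUBERNETES_SERVICE_NAME": "mongo",
    "MONGO_PORT": "27017",
    "MONGO_TLS": "false",
    "MONGO_TLS_IDENTITY_CHECK": "true",
}


def env_bool(value: str) -> bool:
    """Interpret the string values used in a pod spec ("true"/"false")."""
    return value.strip().lower() in ("1", "true", "yes")


def member_hosts(env: dict, pods: Iterable[tuple[str, str]]) -> list[str]:
    """host:port for each (pod_name, namespace) pair found via the API.
    Assumed format: <pod>.<service>.<namespace>.svc.<cluster-domain>."""
    cfg = {**DEFAULTS, **env}
    return [
        f"{pod}.{cfg['KUBERNETES_SERVICE_NAME']}.{ns}.svc."
        f"{cfg['KUBERNETES_CLUSTER_DOMAIN']}:{cfg['MONGO_PORT']}"
        for pod, ns in pods
    ]


def san_matches(hostname: str, san: str) -> bool:
    """Exact match, or a wildcard covering exactly one leading DNS label."""
    if san.startswith("*.") and "*" not in san[2:]:
        return hostname.count(".") == san.count(".") and hostname.endswith(san[1:])
    return san == hostname


def identity_check_failures(env: dict, pods, sans: list[str]) -> list[str]:
    """Member names the hostname check would reject.
    Returns [] when all names are covered, or when TLS or the identity check
    is disabled (MONGO_TLS_IDENTITY_CHECK=false accepts any server name)."""
    cfg = {**DEFAULTS, **env}
    if not env_bool(cfg["MONGO_TLS"]) or not env_bool(cfg["MONGO_TLS_IDENTITY_CHECK"]):
        return []
    failures = []
    for host in member_hosts(env, pods):
        name = host.rsplit(":", 1)[0]
        if not any(san_matches(name, s) for s in sans):
            failures.append(name)
    return failures
```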
The following is an example of how you would update the mongo command to enable TLS, using a certificate obtained from a secret and mounted at /data/tls/mongo/.
Command

```yaml
      - name: my-mongo
        image: mongo
        command:
          - mongod
        args:
          - "--replSet=rs0"
          - "--tlsMode=requireTLS"
          - "--tlsCAFile=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
          - "--tlsCertificateKeyFile=/data/tls/mongo/full.pem"
          - "--bind_ip=0.0.0.0"
```
Environment variables, Volume & Volume Mounts

```yaml
        volumeMounts:
          - name: mongo-persistent-storage
            mountPath: /data/db
          - name: mongo-tls
            mountPath: /data/tls/mongo
      - name: mongo-sidecar
        image: layer27/k8s-mongo-sidecar:latest
        env:
          - name: KUBERNETES_POD_LABELS
            value: "role=mongo,environment=prod"
          - name: MONGO_TLS
            value: "true"
          - name: MONGO_TLS_CA
            value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
          - name: MONGO_TLS_CERT
            value: "/data/tls/mongo/cert.pem"
          - name: MONGO_TLS_KEY
            value: "/data/tls/mongo/key.pem"
        volumeMounts:
          - name: mongo-tls
            mountPath: /data/tls/mongo
      volumes:
        - name: mongo-tls
          secret:
            secretName: mongo-tls
            defaultMode: 256 # file permission 0400
```
- Generate a certificate with your Kubernetes cluster as CA, as explained here.
- Merge your certificate and key, named `cert.pem` and `key.pem`, into a single file:

  ```shell
  cat cert.pem key.pem > full.pem
  ```

- Push the secrets to your cluster:

  ```shell
  kubectl create secret generic mongo-tls \
    --from-file=full.pem \
    --from-file=key.pem \
    --from-file=cert.pem
  ```