MongoDB Operator Automation Scenario
Requirements
- A Kubernetes cluster is installed
- kubectl is installed
Process
MongoDB Kubernetes Community Operator automation process
This MongoDB Kubernetes Community Operator automation process uses a repository (https://nannarane@bitbucket.org/nannarane/mongodb-operator.git) that customizes the official MongoDB Kubernetes Community Operator GitHub repository. With this repository, everything from deploying a Replica Set with SCRAM authentication to TLS configuration and volume configuration is possible.
This process leaves out the TLS configuration and broadly follows the steps below. See the sections below for details.
- Install CRD
- Create Namespace
- Install the common components
- Deploy via Replica Set
Install CRD (Custom Resource Definitions)
This process starts by fetching the repository files needed for the automation. Clone the code with the command below.
$ git clone https://nannarane@bitbucket.org/nannarane/mongodb-operator.git
This step sets up the CRD from the cloned repository. The CRD definition is as follows.
# Install CRD
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: mongodb.mongodb.com
spec:
  additionalPrinterColumns:
  - JSONPath: .status.phase
    description: Current state of the MongoDB deployment
    name: Phase
    type: string
  - JSONPath: .status.version
    description: Version of MongoDB server
    name: Version
    type: string
  group: mongodb.com
  names:
    kind: MongoDB
    listKind: MongoDBList
    plural: mongodb
    shortNames:
    - mdb
    singular: mongodb
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      description: MongoDB is the Schema for the mongodbs API
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: MongoDBSpec defines the desired state of MongoDB
          properties:
            featureCompatibilityVersion:
              description: FeatureCompatibilityVersion configures the feature compatibility
                version that will be set for the deployment
              type: string
            members:
              description: Members is the number of members in the replica set
              type: integer
            security:
              description: Security configures security features, such as TLS, and
                authentication settings for a deployment
              properties:
                authentication:
                  properties:
                    modes:
                      description: Modes is an array specifying which authentication
                        methods should be enabled
                      items:
                        enum:
                        - SCRAM
                        type: string
                      type: array
                  required:
                  - modes
                  type: object
                tls:
                  description: TLS configuration for both client-server and server-server
                    communication
                  properties:
                    caConfigMapRef:
                      description: CaConfigMap is a reference to a ConfigMap containing
                        the certificate for the CA which signed the server certificates
                        The certificate is expected to be available under the key
                        "ca.crt"
                      properties:
                        name:
                          type: string
                      required:
                      - name
                      type: object
                    certificateKeySecretRef:
                      description: CertificateKeySecret is a reference to a Secret
                        containing a private key and certificate to use for TLS. The
                        key and cert are expected to be PEM encoded and available
                        at "tls.key" and "tls.crt". This is the same format used for
                        the standard "kubernetes.io/tls" Secret type, but no specific
                        type is required.
                      properties:
                        name:
                          type: string
                      required:
                      - name
                      type: object
                    enabled:
                      type: boolean
                    optional:
                      description: Optional configures if TLS should be required or
                        optional for connections
                      type: boolean
                  required:
                  - enabled
                  type: object
              type: object
            statefulSet:
              description: StatefulSetConfiguration holds the optional custom StatefulSet
                that should be merged into the operator created one.
              type: object
            type:
              description: Type defines which type of MongoDB deployment the resource
                should create
              enum:
              - ReplicaSet
              type: string
            users:
              description: Users specifies the MongoDB users that should be configured
                in your deployment
              items:
                properties:
                  db:
                    description: DB is the database the user is stored in. Defaults
                      to "admin"
                    type: string
                  name:
                    description: Name is the username of the user
                    type: string
                  passwordSecretRef:
                    description: PasswordSecretRef is a reference to the secret containing
                      this user's password
                    properties:
                      key:
                        description: Key is the key in the secret storing this password.
                          Defaults to "password"
                        type: string
                      name:
                        description: Name is the name of the secret storing this user's
                          password
                        type: string
                    required:
                    - name
                    type: object
                  roles:
                    description: Roles is an array of roles assigned to this user
                    items:
                      description: Role is the database role this user should have
                      properties:
                        db:
                          description: DB is the database the role can act on
                          type: string
                        name:
                          description: Name is the name of the role
                          type: string
                      required:
                      - db
                      - name
                      type: object
                    type: array
                required:
                - name
                - passwordSecretRef
                - roles
                type: object
              type: array
            version:
              description: Version defines which version of MongoDB will be used
              type: string
          required:
          - type
          - users
          - version
          type: object
        status:
          description: MongoDBStatus defines the observed state of MongoDB
          properties:
            mongoUri:
              type: string
            phase:
              type: string
          required:
          - mongoUri
          - phase
          type: object
      type: object
  version: v1
  versions:
  - name: v1
    served: true
    storage: true
Install the CRD as follows.
# Install the Kubernetes MongoDB Community Operator CRD
$ kubectl create -f deploy/crds/mongodb.com_mongodb_crd.yaml
Once the installation has finished, confirm that the CRD is in place.
$ kubectl get crd/mongodb.mongodb.com
NAME CREATED AT
mongodb.mongodb.com 2020-09-02T02:38:06Z
$
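The CRD manifest above is written against apiextensions.k8s.io/v1beta1, which Kubernetes stopped serving in 1.22, so a cluster that only serves apiextensions.k8s.io/v1 rejects it. The pre-flight script below is an added example, not code from the page or from the operator project: it reads the cluster's served API versions, decides whether the manifest can be applied as-is, and only then installs the CRD and waits for it to become Established. The file path is the one used on this page; the "install" argument is an assumed convention of this script.

```shell
#!/bin/sh
# Added example (not from the page or the operator project): pre-flight check
# before "kubectl create -f deploy/crds/mongodb.com_mongodb_crd.yaml".

# Decide from "kubectl api-versions" output (read on stdin) whether the CRD
# manifest's API version can be applied. Prints one of:
#   ok       - apiextensions.k8s.io/v1beta1 is served, the manifest applies as-is
#   convert  - only apiextensions.k8s.io/v1 is served; convert the manifest first
#   missing  - no apiextensions API at all (not talking to a Kubernetes API server?)
crd_api_status() {
    has_v1beta1=no
    has_v1=no
    while IFS= read -r line; do
        case "$line" in
            apiextensions.k8s.io/v1beta1) has_v1beta1=yes ;;
            apiextensions.k8s.io/v1)      has_v1=yes ;;
        esac
    done
    if [ "$has_v1beta1" = yes ]; then
        echo ok
    elif [ "$has_v1" = yes ]; then
        echo convert
    else
        echo missing
    fi
}

# Run the check against the live cluster and, if it passes, install and verify the CRD.
install_crd() {
    status=$(kubectl api-versions | crd_api_status)
    case "$status" in
        ok) ;;
        convert)
            echo "cluster serves only apiextensions.k8s.io/v1; convert the CRD before installing" >&2
            return 1 ;;
        *)
            echo "no apiextensions API found; check the kubeconfig context" >&2
            return 1 ;;
    esac
    kubectl create -f deploy/crds/mongodb.com_mongodb_crd.yaml
    # MongoDB resources can only be created once the CRD reports Established.
    kubectl wait --for=condition=Established crd/mongodb.mongodb.com --timeout=60s
}

# Only touch the cluster when asked explicitly:  sh preflight.sh install
if [ "${1:-}" = install ]; then
    install_crd
fi
```

Keeping the decision logic in a function that reads plain text makes it testable without a cluster; the same function is then fed the real `kubectl api-versions` output.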
Create Namespace
This step does exactly what its name says: it creates the namespace in the cluster you want to deploy to. Create it with kubectl.
$ kubectl create namespace <namespace-to-create>
Install the common components
The common components of the MongoDB Kubernetes Operator that are installed together are listed below. The Deployment, ServiceAccount, Role and RoleBinding are created with kubectl.
- operator.yaml
- service_account.yaml
- role_binding.yaml
- role.yaml
# operator.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mongodb-kubernetes-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      name: mongodb-kubernetes-operator
  template:
    metadata:
      labels:
        name: mongodb-kubernetes-operator
    spec:
      serviceAccountName: mongodb-kubernetes-operator
      containers:
        - name: mongodb-kubernetes-operator
          image: quay.io/mongodb/mongodb-kubernetes-operator:0.2.0
          command:
            - mongodb-kubernetes-operator
          imagePullPolicy: Always
          env:
            - name: WATCH_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
              value: "mongodb-kubernetes-operator"
            - name: AGENT_IMAGE # The MongoDB Agent the operator will deploy to manage MongoDB deployments
              value: quay.io/mongodb/mongodb-agent:10.15.1.6468-1
            - name: VERSION_UPGRADE_HOOK_IMAGE
              value: quay.io/mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook:1.0.2
Below is the definition of the service account.
# service_account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mongodb-kubernetes-operator
Below is the RoleBinding definition.
# role_binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mongodb-kubernetes-operator
subjects:
- kind: ServiceAccount
  name: mongodb-kubernetes-operator
roleRef:
  kind: Role
  name: mongodb-kubernetes-operator
  apiGroup: rbac.authorization.k8s.io
Below is the Role definition.
# role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: mongodb-kubernetes-operator
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - services/finalizers
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - get
  - create
- apiGroups:
  - apps
  resourceNames:
  - mongodb-kubernetes-operator
  resources:
  - deployments/finalizers
  verbs:
  - update
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - apps
  resources:
  - replicasets
  - deployments
  verbs:
  - get
- apiGroups:
  - mongodb.com
  resources:
  - '*'
  - mongodbs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
Create the MongoDB Kubernetes Operator with the command below.
$ kubectl create -f deploy/ --namespace <namespace>
Check that the MongoDB Kubernetes Operator was created successfully.
$ kubectl get pods --namespace <namespace>
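Because the operator is bound through a Role rather than a ClusterRole, its ServiceAccount should be able to manage pods, services, secrets, statefulsets and MongoDB resources in its own namespace only; the audit script below checks exactly that with kubectl impersonation. It is an added example, not code from the page or from the operator project. The expected answers are derived from the rules of role.yaml above; the namespace names "mongodb" and "default" and the "audit" argument are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the page or the operator project): verify that the
# operator ServiceAccount has the namespace-scoped access granted by role.yaml
# and nothing in any other namespace.

# Expected in-namespace answer for a (verb, resource) pair, derived from role.yaml.
# Anything the Role does not list must be "no".
expected_in_ns() {
    verb=$1; resource=$2
    case "$resource" in
        pods|services|endpoints|persistentvolumeclaims|events|configmaps|secrets|\
        deployments|daemonsets|replicasets|statefulsets|\
        mongodb|mongodbs|mongodb.mongodb.com)
            case "$verb" in
                create|delete|get|list|patch|update|watch) echo yes ;;
                *) echo no ;;
            esac ;;
        servicemonitors)
            case "$verb" in
                get|create) echo yes ;;
                *) echo no ;;
            esac ;;
        *) echo no ;;
    esac
}

# Constructed probe list: "verb resource" pairs worth checking, including
# cluster-level resources the operator has no business touching.
PROBES='get secrets
list secrets
create statefulsets
get servicemonitors
delete servicemonitors
watch mongodb.mongodb.com
get nodes
list namespaces
create clusterrolebindings'

# Compare live answers with the expected ones. $1 = operator namespace,
# $2 = an unrelated namespace where every probe must be denied.
audit_operator_rbac() {
    ns=${1:-mongodb}; other=${2:-default}
    sa="system:serviceaccount:$ns:mongodb-kubernetes-operator"
    printf '%s\n' "$PROBES" | while read -r verb resource; do
        want=$(expected_in_ns "$verb" "$resource")
        # "kubectl auth can-i" prints yes/no and exits non-zero on "no".
        got=$(kubectl auth can-i "$verb" "$resource" --as="$sa" -n "$ns" 2>/dev/null || true)
        [ "$got" = "$want" ] || echo "MISMATCH in $ns: $verb $resource expected=$want got=$got"
        cross=$(kubectl auth can-i "$verb" "$resource" --as="$sa" -n "$other" 2>/dev/null || true)
        [ "$cross" = no ] || echo "OVER-PRIVILEGED: $verb $resource allowed in $other (got=$cross)"
    done
}

# Only talk to the cluster when asked:  sh rbac-audit.sh audit <ns> <other-ns>
if [ "${1:-}" = audit ]; then
    audit_operator_rbac "$2" "$3"
fi
```

A clean run prints nothing. Any OVER-PRIVILEGED line means a ClusterRoleBinding or a second binding has widened the operator's reach beyond what role.yaml above intends.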
Deploy via Replica Set
Installation through the Replica Set mechanism
In this step you take the default yaml file for the Replica Set to be created and, by editing that file, configure the MongoDB Replica Set to be deployed. The configuration gives control over the following.
- Secret
  - Settings for the MongoDB user's password. Choose the Secret name and put the base64-encoded password into the password key under stringData.
- MongoDB
  - User: account information is set as an array under users
    - name: account name
    - db: database
    - passwordSecretRef:
      - name: name of the Secret above
    - roles: database roles
      - name: role name
      - db: database
# crds/mongodb.com_v1_mongodb_scram_cr.yaml
# the user credentials will be generated from this secret
# once the credentials are generated, this secret is no longer required
---
apiVersion: v1
kind: Secret
metadata:
  name: mongodb-devops-secret
type: Opaque
stringData:
  password: ZGV2b3BzQCEK
---
apiVersion: mongodb.com/v1
kind: MongoDB
metadata:
  name: mongodb-devops
spec:
  members: 3
  type: ReplicaSet
  version: "4.2.6"
  security:
    authentication:
      modes: ["SCRAM"]
  users:
    - name: admin
      db: admin
      passwordSecretRef:
        name: mongodb-devops-secret
      roles:
        - name: clusterAdmin
          db: admin
        - name: userAdminAnyDatabase
          db: admin
    - name: devops
      db: testdb
      passwordSecretRef:
        name: mongodb-devops-secret
      roles:
        - name: clusterAdmin
          db: testdb
        - name: readWrite
          db: testdb
        - name: read
          db: reporting
Finally, deploy the Replica Set and the MongoDB Operator will deploy it.
$ kubectl create -f deploy/crds/mongodb.com_v1_mongodb_scram_cr.yaml --namespace <namespace>
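A Secret's data field holds base64-encoded bytes, while stringData holds the plain string and is base64-encoded by the API server. The sample CR above puts an already base64-encoded value under stringData, so the MongoDB password the operator provisions is the literal text ZGV2b3BzQCEK; and that value itself decodes to "devops@!" followed by a newline, the trailing byte that "echo ... | base64" adds. The script below is an added example, not code from the page or from the operator project: it renders the password Secret with data and a newline-free encoding, shows how to count the bytes a stored value really decodes to, and reads back the Secret and the MongoDB resource's status phase after deployment. The "render" argument and the default Secret name are assumptions of this script; the namespace, Secret and MongoDB names are passed in.

```shell
#!/bin/sh
# Added example (not from the page or the operator project): build the operator
# password Secret so the stored value is exactly the intended password, and
# verify what the operator will read back.

# Decoded byte count of a base64 value. A count one larger than the password's
# length means a trailing newline was captured, typically from "echo ... | base64".
decoded_byte_count() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Base64 with no trailing newline in the input and none in the output, for "data:".
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Render a Secret manifest for passwordSecretRef using "data:" (already encoded).
render_secret_manifest() {
    name=$1; password=$2
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  password: $(b64 "$password")
EOF
}

# After "kubectl create": report how many bytes the stored password really is and
# print the phase the operator reports for the MongoDB resource (Running when ready).
verify_deployment() {
    ns=$1; secret=$2; mdb=$3
    stored=$(kubectl get secret "$secret" -n "$ns" -o jsonpath='{.data.password}')
    echo "stored password is $(decoded_byte_count "$stored") bytes"
    kubectl get mongodb "$mdb" -n "$ns" -o jsonpath='{.status.phase}{"\n"}'
}

# The value on the page, ZGV2b3BzQCEK, decodes to 9 bytes: "devops@!" plus "\n".
# Usage:  sh secret.sh render mongodb-devops-secret 'devops@!' | kubectl create -n <ns> -f -
if [ "${1:-}" = render ]; then
    render_secret_manifest "${2:-mongodb-devops-secret}" "$3"
fi
```

Rendering with data and printf keeps the trailing newline out; if the intended password really were the literal base64 text, verify_deployment would report 12 bytes rather than 8, which is the quickest way to spot the mix-up before clients start failing SCRAM authentication.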