From 373d099434658d4b7b3290720bad2c735881a85d Mon Sep 17 00:00:00 2001 From: "jonathan.janos@mongodb.com" Date: Mon, 12 Jul 2021 16:46:52 -0400 Subject: [PATCH] Added P1-specific config files --- README.md | 10 +- platform_one/mongodb-enterprise.modified.yaml | 246 ++++++++++++++++++ platform_one/ops-manager-localMode.yaml | 96 +++++++ 3 files changed, 349 insertions(+), 3 deletions(-) create mode 100644 platform_one/mongodb-enterprise.modified.yaml create mode 100644 platform_one/ops-manager-localMode.yaml diff --git a/README.md b/README.md index 1c05649..2396fab 100644 --- a/README.md +++ b/README.md 
@@ -1,17 +1,21 @@ # Before You Begin # -**PRIOR TO UTILIZING THE MONGODB ENTERPRISE ADVANCED CONTAINERS, CONTACT YOUR MONGODB SALES REPRESENTATIVE.** YOUR USE OF THE MONGODB ENTERPRISE SERVER IS SUBJECT TO THE TERMS AND CONDITIONS OF THE AGREEMENT BETWEEN USAF AND THE APPLICABLE RESELLER OF THE MONGODB ENTERPRISE SERVER. SUCH AGREEMENT INCORPORATES THE TERMS & CONDITIONS OF THE MONGODB ENTERPRISE ADVANCED LICENSE AGREEMENT, THE VERSION OF WHICH CURRENT AS OF SEPTEMBER 2020 IS SET FORTH BELOW. THE MONGODB ENTERPRISE ADVANCED LICENSE AGREEMENT IS SUBJECT TO AMENDMENT AND MODIFICATION FROM TIME TO TIME. +**PRIOR TO UTILIZING THESE MONGODB ENTERPRISE ADVANCED CONTAINERS, CONTACT YOUR MONGODB SALES REPRESENTATIVE.** YOUR USE OF THE MONGODB ENTERPRISE SERVER IS SUBJECT TO THE TERMS AND CONDITIONS OF THE AGREEMENT BETWEEN USAF AND THE APPLICABLE RESELLER OF THE MONGODB ENTERPRISE SERVER. SUCH AGREEMENT INCORPORATES THE TERMS & CONDITIONS OF THE MONGODB ENTERPRISE ADVANCED LICENSE AGREEMENT, THE VERSION OF WHICH CURRENT AS OF SEPTEMBER 2020 IS SET FORTH BELOW. THE MONGODB ENTERPRISE ADVANCED LICENSE AGREEMENT IS SUBJECT TO AMENDMENT AND MODIFICATION FROM TIME TO TIME. # Contact Information # For licensing and technical information, please use the following contact information: -Keegan Wetzel, EAE USAF +Keegan Wetzel, EAE USAF 708-256-7904 -keegan.wetzel@mongodb.com +keegan.wetzel@mongodb.com Please also CC: publicsector@mongodb.com +# Platform One # + +Note that the majority of this specific repo ("MongoDB Enterprise Kubernetes") is a clone of the public 1.5.3 repo. It contains essential files, such as the crd.yaml file, which must be deployed prior to deployment of the MongoDB Kubernetes Operator. Additional files have been provided that are specific to Platform One. 
Look in the platform_one folder for a mongodb-enterprise.yaml file configured to use the Platform One containers, as well as an example Ops Manager configuration file that is configured for Local Mode operation (i.e. disconnected environments). + # MongoDB Enterprise Kubernetes Operator # diff --git a/platform_one/mongodb-enterprise.modified.yaml b/platform_one/mongodb-enterprise.modified.yaml new file mode 100644 index 0000000..8567ae7 --- /dev/null +++ b/platform_one/mongodb-enterprise.modified.yaml 
@@ -0,0 +1,246 @@
+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: mongodb-enterprise-operator
+ namespace: mongodb
+imagePullSecrets:
+ - name: registry1-credentials
+
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mongodb-enterprise-operator
+ namespace: mongodb
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ - services
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - delete
+ - update
+- apiGroups:
+ - mongodb.com
+ resources:
+ - mongodb
+ - mongodb/finalizers
+ - mongodbusers
+ - opsmanagers
+ - opsmanagers/finalizers
+ - mongodb/status
+ - mongodbusers/status
+ - opsmanagers/status
+ verbs:
+ - "*"
+# This ClusterRoleBinding is necessary in order to use validating
+# webhooks—these will prevent you from applying a variety of invalid resource
+# definitions. The validating webhooks are optional so this can be removed if
+# necessary.
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mongodb-enterprise-operator-mongodb-webhook-binding
+ namespace: mongodb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: mongodb-enterprise-operator-mongodb-webhook
+subjects:
+- kind: ServiceAccount
+ name: mongodb-enterprise-operator
+ namespace: mongodb
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mongodb-enterprise-operator
+ namespace: mongodb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: mongodb-enterprise-operator
+subjects:
+- kind: ServiceAccount
+ name: mongodb-enterprise-operator
+ namespace: mongodb
+
+# This ClusterRole is needed if the user wants to use the Kubernetes CA
+# infrastructure to generate certificates.
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mongodb-enterprise-operator-mongodb-certs
+rules:
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - get
+ - create
+ - list
+ - watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mongodb-enterprise-operator-mongodb-certs-binding
+ namespace: mongodb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: mongodb-enterprise-operator-mongodb-certs
+subjects:
+- kind: ServiceAccount
+ name: mongodb-enterprise-operator
+ namespace: mongodb
+
+
+---
+# Source: mongodb-enterprise-operator/templates/database-roles.yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: mongodb-enterprise-appdb
+ namespace: mongodb
+imagePullSecrets:
+ - name: registry1-credentials
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: mongodb-enterprise-database-pods
+ namespace: mongodb
+imagePullSecrets:
+ - name: registry1-credentials
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: mongodb-enterprise-ops-manager
+ namespace: mongodb
+imagePullSecrets:
+ - name: registry1-credentials
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mongodb-enterprise-appdb
+ namespace: mongodb
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mongodb-enterprise-appdb
+ namespace: mongodb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: mongodb-enterprise-appdb
+subjects:
+ - kind: ServiceAccount
+ name: mongodb-enterprise-appdb
+ namespace: mongodb
+
+---
+# Source: mongodb-enterprise-operator/templates/operator.yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mongodb-enterprise-operator
+ namespace: mongodb
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mongodb-enterprise-operator
+ template:
+ metadata:
+ labels:
+ app: mongodb-enterprise-operator
+ spec:
+ serviceAccountName: mongodb-enterprise-operator
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2000
+ containers:
+ - name: mongodb-enterprise-operator
+ image: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-enterprise-operator:1.5.3
+ imagePullPolicy: Always
+ args:
+ - "-watch-resource=mongodb"
+ - "-watch-resource=opsmanagers"
+ - "-watch-resource=mongodbusers"
+ command:
+ - "/usr/local/bin/mongodb-enterprise-operator"
+ env:
+ - name: OPERATOR_ENV
+ value: prod
+ - name: WATCH_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CURRENT_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MONGODB_ENTERPRISE_DATABASE_IMAGE
+ value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-enterprise-database:1.5.3
+ - name: IMAGE_PULL_POLICY
+ value: Always
+ - name: OPS_MANAGER_IMAGE_REPOSITORY
+ value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-enterprise-ops-manager
+ - name: INIT_OPS_MANAGER_IMAGE_REPOSITORY
+ value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-ops-manager-init
+ - name: INIT_OPS_MANAGER_VERSION
+ value: 1.0.0
+ - name: INIT_APPDB_IMAGE_REPOSITORY
+ value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-ops-manager-appdb-init
+ - name: INIT_APPDB_VERSION
+ value: 1.0.0
+ - name: OPS_MANAGER_IMAGE_PULL_POLICY
+ value: Always
+ - name: APPDB_IMAGE_REPOSITORY
+ value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-ops-manager-appdb
+ imagePullSecrets:
+ - name: registry1-credentials
+
diff --git a/platform_one/ops-manager-localMode.yaml b/platform_one/ops-manager-localMode.yaml
new file mode 100644
index 0000000..8cc24f2
--- /dev/null
+++ b/platform_one/ops-manager-localMode.yaml
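Review bot: The ClusterRoleBinding `mongodb-enterprise-operator-mongodb-webhook-binding` points at ClusterRole `mongodb-enterprise-operator-mongodb-webhook`, but this new file never defines that ClusterRole; the only one it creates is `mongodb-enterprise-operator-mongodb-certs`. Until the role exists the binding grants nothing, and because `roleRef` cannot be changed afterwards, whatever ClusterRole is later created under that name is handed cluster-wide to the operator's ServiceAccount without its rules having been reviewed here. Either add the webhook ClusterRole from the upstream manifest next to the binding, or drop the binding, since the comment above it says the validating webhooks are optional. Separately, the Deployment sets `runAsNonRoot: true` only at pod level; a container-level `securityContext` with `allowPrivilegeEscalation: false` would be expected for an operator that can read and write every Secret in the `mongodb` namespace.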
@@ -0,0 +1,96 @@
+---
+apiVersion: mongodb.com/v1
+kind: MongoDBOpsManager
+metadata:
+ name: ops-manager-localmode
+spec:
+ replicas: 1
+ version: 4.4.14
+ adminCredentials: ops-manager-firstuser-secret
+
+ # optional. The Ops Manager configuration. All the values must be of type string.
+ # Setting these values allow you to bypass the configuration wizard (a manual step).
+ configuration:
+ # passing mms.ignoreInitialUiSetup=true allows to avoid the setup wizard in Ops Manager. Note, that
+ # this requires to set some mandatory configuration properties, see
+ # https://docs.opsmanager.mongodb.com/current/reference/configuration/index.html#mms.ignoreInitialUiSetup
+ mms.ignoreInitialUiSetup: "true"
+ mms.adminEmailAddr: someadmin@somewhere.com
+ mms.fromEmailAddr: someadmin@somewhere.com
+ mms.mail.hostname: someemail-smtp.somewhere.com
+ mms.mail.port: "465"
+ mms.mail.ssl: "true"
+ mms.mail.transport: smtp
+ mms.minimumTLSVersion: TLSv1.2
+ mms.replyToEmailAddr: someadmin@somewhere.com
+ mms.fromEmailAddr: someadmin@somewhere.com
+ # Local Mode must be configured so Ops Manger does not download any binaries from
+ # the internet. Only the binaries present will be available for the agents.
+ # automation.versions.source: mongodb
+ automation.versions.source: local
+
+ # optional. Disabled by default. Creates an additional service to make Ops Manager reachable from
+ # outside of the Kubernetes cluster.
+ externalConnectivity:
+ # LoadBalancer|NodePort
+ type: NodePort
+ # optional. Corresponds to NodePort port
+ port: 30100
+ # optional
+ # loadBalancerIP: 123.456.789
+ # optional
+ # externalTrafficPolicy: Local
+
+ statefulSet:
+ spec:
+ template:
+ spec:
+ volumes:
+ - name: mongodb-versions
+ persistentVolumeClaim:
+ claimName: mongodb-versions-claim
+ containers:
+ - name: mongodb-ops-manager
+ volumeMounts:
+ - name: mongodb-versions
+ mountPath: /mongodb-ops-manager/mongodb-releases
+
+ initContainers:
+ - name: mongodb-binaries-init-container
+ image: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-ops-manager-db-bin:4.4.14
+ command:
+ - cp
+ - -r
+ - /binaries/.
+ - /mongodb-ops-manager/mongodb-releases/
+ volumeMounts:
+ - name: mongodb-versions
+ mountPath: /mongodb-ops-manager/mongodb-releases
+
+ # the application database backing Ops Manager. Replica Set is the only supported type
+ # Application database has the SCRAM-SHA authentication mode always enabled
+ applicationDatabase:
+ members: 3
+ # optional. Configures the version of MongoDB used as an application database.
+ # The bundled MongoDB binary will be used if omitted and no download from the Internet will happen
+ # version: "4.4.1"
+ persistent: true
+ podSpec:
+ cpu: '0.25'
+
+ backup:
+ enabled: false
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: mongodb-versions-claim
+spec:
+ # storageClassName: gp2
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 3Gi
+
-- GitLab
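Review bot: `externalConnectivity` with `type: NodePort` and `port: 30100` publishes Ops Manager on every node, and nothing in this manifest configures TLS for it, so the first-user login would presumably cross the network in clear text. `mms.minimumTLSVersion: TLSv1.2` sets a protocol floor but, as far as this file shows, does not by itself enable HTTPS. For an example that will be copied into disconnected environments I would ship the stanza commented out, or put `# exposes Ops Manager outside the cluster; enable only once TLS is configured` above it. The `configuration` map also sets `mms.fromEmailAddr` twice; duplicate keys are invalid YAML that most parsers resolve silently as last-wins, so the second line should be deleted.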