@thilinapiy
Created October 27, 2017 12:21
MongoDB statefulset for kubernetes with authentication and replication
```yaml
## Generate a key
# openssl rand -base64 741 > mongodb-keyfile
## Create k8s secrets
# kubectl create secret generic mongo-key --from-file=mongodb-keyfile
---
apiVersion: v1
kind: Service
metadata:
  name: mongo
  labels:
    name: mongo
spec:
  ports:
  - port: 27017
    targetPort: 27017
  clusterIP: None
  selector:
    role: mongo
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: mongo
spec:
  serviceName: "mongo"
  replicas: 1
  template:
    metadata:
      labels:
        role: mongo
        environment: test
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: mongo
        image: mongo:3.4.9
        # First boot (no lock file): plain mongod with --auth so the postStart
        # hook can create the admin user. Every later boot: replica set member
        # with keyfile cluster auth.
        command:
        - /bin/sh
        - -c
        - >
          if [ -f /data/db/admin-user.lock ]; then
            mongod --replSet rs0 --clusterAuthMode keyFile --keyFile /etc/secrets-volume/mongodb-keyfile --setParameter authenticationMechanisms=SCRAM-SHA-1;
          else
            mongod --auth;
          fi;
        lifecycle:
          postStart:
            exec:
              command:
              - /bin/sh
              - -c
              - >
                if [ ! -f /data/db/admin-user.lock ]; then
                  sleep 5;
                  touch /data/db/admin-user.lock;
                  if [ "$HOSTNAME" = "mongo-0" ]; then
                    mongo --eval 'db = db.getSiblingDB("admin"); db.createUser({ user: "admin", pwd: "password", roles: [{ role: "root", db: "admin" }]});';
                  fi;
                  mongod --shutdown;
                fi;
        ports:
        - containerPort: 27017
        volumeMounts:
        - name: mongo-key
          mountPath: "/etc/secrets-volume"
          readOnly: true
        - name: mongo-persistent-storage
          mountPath: /data/db
      - name: mongo-sidecar
        image: cvallance/mongo-k8s-sidecar
        env:
        - name: MONGO_SIDECAR_POD_LABELS
          value: "role=mongo,environment=test"
        - name: MONGODB_USERNAME
          value: admin
        - name: MONGODB_PASSWORD
          value: password
        - name: MONGODB_DATABASE
          value: admin
      volumes:
      - name: mongo-key
        secret:
          # 0400: mongod refuses a keyfile that is group- or world-readable
          defaultMode: 0400
          secretName: mongo-key
  volumeClaimTemplates:
  - metadata:
      name: mongo-persistent-storage
      annotations:
        volume.beta.kubernetes.io/storage-class: "fast"
    spec:
      accessModes: [ "ReadWriteOnce" ]
      resources:
        requests:
          storage: 100Gi
```
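The two commented commands at the top of the manifest are the only part of the setup that is not declarative. As an added example (not part of the gist), this stdlib-only Python reproduces what they produce: a keyfile shaped like `openssl rand -base64 741`, a validator for the constraints mongod applies to it (whitespace stripped, 6 to 1024 base64 characters, no group/world permissions), and the Secret object `kubectl create secret generic mongo-key --from-file=mongodb-keyfile` builds; function names are my own.

```python
"""Added example: generate/validate a MongoDB keyfile and build the
equivalent of the `mongo-key` Secret used by the StatefulSet manifest."""
import base64
import os
import secrets
import stat
import string

BASE64_CHARS = set(string.ascii_letters + string.digits + "+/=")
WHITESPACE = set(" \t\r\n")


def generate_keyfile(nbytes: int = 741) -> str:
    """Same shape as `openssl rand -base64 741`: base64 in 64-char lines."""
    raw = base64.b64encode(secrets.token_bytes(nbytes)).decode()
    return "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64)) + "\n"


def validate_keyfile(text: str) -> list:
    """Problems mongod would reject the key for (empty list means OK).
    mongod strips whitespace, then wants 6..1024 base64 characters."""
    key = "".join(c for c in text if c not in WHITESPACE)
    problems = []
    bad = sorted(set(key) - BASE64_CHARS)
    if bad:
        problems.append(f"non-base64 characters: {bad}")
    if not 6 <= len(key) <= 1024:
        problems.append(f"key length {len(key)} outside 6..1024")
    return problems


def write_keyfile(path: str, text: str) -> None:
    """Create the file with mode 0400, matching the Secret's defaultMode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o400)
    with os.fdopen(fd, "w") as f:
        f.write(text)


def file_mode_ok(path: str) -> bool:
    """True when no group/world permission bits are set (mongod's rule)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def secret_manifest(text: str, name: str = "mongo-key") -> dict:
    """What kubectl builds for --from-file=mongodb-keyfile: the file name
    becomes the data key and the contents are base64-encoded."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {"mongodb-keyfile": base64.b64encode(text.encode()).decode()},
    }
```

Note that `openssl rand -base64 800` or larger would exceed the 1024-character limit and mongod would refuse to start; the validator catches that before the Secret is created.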
@sapien99

sapien99 commented Jun 8, 2018

Saved my life thanks a lot!!!!

@agshift

agshift commented Jun 11, 2018

Works great when replicas: 1. But when I try to make replicas: 2 and log in to the 2nd mongo pod, I see it as rs0:OTHER> instead of the expected secondary mongo pod rs0:SECONDARY>
Looks like this approach is having difficulty in creating the secondary mongo pod in the replica set.
It would be a great help if you could let me know how to do this.
Thanks,
Amit

@omerfsen

Because you haven't initialized the replica set in mongo using rs.initiate in this example.

@mward29

mward29 commented Nov 29, 2018

@thilinapiy man, it's been a long time. Just came across this and I'm going to use it on my own project. Great work mate.

@venkatraj-icp

venkatraj-icp commented Apr 30, 2019

Hi, I'm new to the database. I have executed the above mongo with 3 replicas and created it successfully in a managed Kubernetes environment.

When I executed rs.initiate it failed with HostUnreachable. Can anyone help here, please?

```
rs.initiate(
... {
... _id: "rs0",
... version: 1,
... members: [
... { _id: 0, host : "mongo-0:27017" },
... { _id: 1, host : "mongo-1:27017" },
... { _id: 2, host : "mongo-2:27017" }
... ]
... }
... )
{
"ok" : 0,
"errmsg" : "replSetInitiate quorum check failed because not all proposed set members responded affirmatively: mongo-1:27017 failed with HostUnreachable, mongo-2:27017 failed with HostUnreachable",
"code" : 74,
"codeName" : "NodeNotFound"
```

@atbk5

atbk5 commented May 28, 2019

I copy-pasted this file exactly as it is. I created the secret as well, like the commented section says, but I am still getting the error below:

```
2019-05-28T10:05:14.173+0000 I NETWORK  [conn208] received client metadata from 127.0.0.1:35862 conn208: { driver: { name: "nodejs", version: "2.2.36" }, os: { type: "Linux", name: "linux", architecture: "x64", version: "4.15.0-1040-azure" }, platform: "Node.js v11.2.0, LE, mongodb-core: 2.1.20" }
2019-05-28T10:05:14.174+0000 I ACCESS   [conn208] SCRAM-SHA-1 authentication failed for admin on admin from client 127.0.0.1:35862 ; UserNotFound: Could not find user admin@admin
```

Please help

@dsever

dsever commented Jun 3, 2019

> I copy-pasted this file exactly as it is. I created the secret as well like the commented section says, I am still getting below error:

It works for me, even the automatic initialization by the sidecar. From your log, the command mongo --eval 'db = db.getSiblingDB("admin"); db.createUser({ user: "admin", pwd: "password", roles: [{ role: "root", db: "admin" }]});';

was for some reason not executed.

@thilinapiy
Author

Guys, this is old now. There are better ways to do it.
Try out operators.

@ghnipunasaranga

@thilinapiy Is MongoDB Enterprise Kubernetes Operator free to use in development?

@sandyvanam

```
Unable to mount volumes for pod "mongo-0_dev(xxx-xx-xx-xx-xx)": timeout expired waiting for volumes to attach or mount for pod "dev"/"mongo-0". list of unmounted volumes=[mongo-key]. list of unattached volumes=[mongo-persistent-storage mongo-key default-token-nvw6d]
```

How are you creating mongodb-keyfile?

Kindly help me to resolve this issue.

@ideepu

ideepu commented Apr 30, 2020

@sandyvanam, it's mentioned at the top of the YAML.

```
## Generate a key
# openssl rand -base64 741 > mongodb-keyfile
## Create k8s secrets
# kubectl create secret generic mongo-key --from-file=mongodb-keyfile
```

@masalinas

Works ok. Thank you, you saved my life!!

@lalit1980

Hi guys, I am also using the StatefulSet. I need help: when I log in to the mongo-0 pod (kubectl exec -ti mongo-0 mongo) and try to create a new user, I get the error below.

```
rs0:PRIMARY> use admin
switched to db admin
rs0:PRIMARY> db.createUser({user:"replSetManager",pwd:"password",roles:[{role:"clusterManager",db:"admin"},{role:"dbOwner", db:"adminsblog"},{role:"readWrite", db:"departmentblog"},{role:"read", db:"otherblog"}]})
2021-02-15T07:15:47.812+0000 E QUERY [thread1] Error: couldn't add user: not authorized on admin to execute command { createUser: "replSetManager", pwd: "xxx", roles: [ { role: "clusterManager", db: "admin" }, { role: "dbOwner", db: "adminsblog" }, { role: "readWrite", db: "departmentblog" }, { role: "read", db: "otherblog" } ], digestPassword: false, writeConcern: { w: "majority", wtimeout: 600000.0 } } :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.createUser@src/mongo/shell/db.js:1292:15
@(shell):1:1
```

@CraigStuart

@lalit1980 did you get past the above error? How did you fix it?

@Tari-dev

> @thilinapiy Is MongoDB Enterprise Kubernetes Operator free to use in development?

It's free for development, not for commercial use.


@tanmaybhandge

@thilinapiy By any chance, do you know how to add internal authentication using the MongoDB Enterprise Kubernetes Operator with the keyfile? I do not find much information on the CRDs and haven't found any good examples in the git repository.
