k8s-mongo-sidecar
k8s-mongo-sidecar copied to clipboard
morphy2k
Kubernetes sidecar for MongoDB
This repository only gets important security updates. I recommend to use the Kubernetes Operator in the future.
Mongo Kubernetes Replica Set Sidecar
This project is as a PoC to setup a MongoDB replica set using Kubernetes. It should handle resizing of any type and be resilient to the various conditions both MongoDB and Kubernetes can find themselves in.
It's a fork of cvallance/mongo-k8s-sidecar with (many) changes and improvements.
How to use it
The docker image is hosted on Docker Hub and can be found here: https://hub.docker.com/r/morphy/k8s-mongo-sidecar
An example Kubernetes replication controller can be found in the examples directory on GitHub: https://github.com/morphy2k/k8s-mongo-sidecar
Settings
| Environment Variable | Required | Default | Description |
|---|---|---|---|
| KUBERNETES_CLUSTER_DOMAIN | NO | cluster.local | This allows the specification of a custom cluster domain name. Used for the creation of a stable network ID of the k8s Mongo pods. An example could be: "kube.local". |
| KUBERNETES_SERVICE_NAME | YES | mongo | This should point to the MongoDB Kubernetes (headless) service that identifies all the pods. |
| KUBERNETES_NAMESPACE | NO | The namespace to look up pods in. Not setting it will search for pods in all namespaces. | |
| KUBERNETES_POD_LABELS | YES | This should be a be a comma separated list of key values the same as the podTemplate labels. See above for example. | |
| MONGO_PORT | NO | 27017 | Configures the mongo port, allows the usage of non-standard ports. |
| MONGO_CONFIG_SVR | NO | false | Configures the configsvr variable when initializing the replicaset. |
| MONGO_DATABASE | NO | local | Configures the mongo authentication database |
| MONGO_USERNAME | NO | Configures the mongo username for authentication | |
| MONGO_PASSWORD | NO | Configures the mongo password for authentication | |
| MONGO_AUTH_SOURCE | NO | admin | Configures the mongo database for authentication |
| MONGO_AUTH_MECHANISM | NO | SCRAM-SHA-1 | Configures the mongo authentication mechanism |
| MONGO_TLS | NO | false | Enable MongoDB TLS connection |
| MONGO_TLS_CA | NO | Path to TLS CA Certificate | |
| MONGO_TLS_CERT | NO | Path to TLS Certificate | |
| MONGO_TLS_KEY | NO | Path to TLS Key | |
| MONGO_TLS_PASS | NO | TLS Certificate pass phrase | |
| MONGO_TLS_CRL | NO | Path to TLS Certificate revocation list | |
| MONGO_TLS_IDENTITY_CHECK | NO | true | Server identity check during TLS. Checks server's hostname against the certificate |
| SIDECAR_SLEEP_SECONDS | NO | 5 | This is how long to sleep between work cycles. |
| SIDECAR_UNHEALTHY_SECONDS | NO | 30 | This is how many seconds a replica set member has to get healthy before automatically being removed from the replica set. |
MongoDB TLS
The following is an example of how you would update the mongo command enabling TLS and using a certificate obtained from a secret and mounted at /data/tls/mongo/
Command
- name: my-mongo
image: mongo
command:
- mongod
args:
- "--replSet=rs0"
- "--tlsMode=requireTLS"
- "--tlsCAFile=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
- "--tlsCertificateKeyFile=/data/tls/mongo/full.pem"
- "--bind_ip=0.0.0.0"
Environment variables, Volume & Volume Mounts
volumeMounts:
- name: mongo-persistent-storage
mountPath: /data/db
- name: mongo-tls
mountPath: /data/tls/mongo
- name: mongo-sidecar
image: morphy/k8s-mongo-sidecar
env:
- name: KUBERNETES_POD_LABELS
value: "role=mongo,environment=prod"
- name: MONGO_TLS
value: "true"
- name: MONGO_TLS_CA
value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
- name: "MONGO_TLS_CERT"
value: "/data/tls/mongo/cert.pem"
- name: MONGO_TLS_KEY
value: "/data/tls/mongo/key.pem"
volumeMounts:
- name: mongo-tls
mountPath: /data/tls/mongo
volumes:
- name: mongo-tls
secret:
secretName: mongo-tls
defaultMode: 256 # file permission 0400
Creating Secret for TLS
- Generate a certificate with your Kubernetes cluster as CA that is explained here
- Merge your certificate and key named as
cert.pemandkey.peminto a single file
cat cert.pem key.pem > full.pem
- Push the secrets to your cluster
kubectl create secret generic mongo-tls \
--from-file=full.pem \
--from-file=key.pem \
--from-file=cert.pem
morphy2k