mongodb

This role currently supports provisioning of mongodb in three different providers: - community - aws (documentdb) - ibm

Important

According to the MongoDB Software Lifecycle Schedules MongoDB 4.4 will reach end of life in February of 2024. Given this fact it is encouraged that either MongoDB 5 or 6 be used for MAS Deployments. The MAS Devops Ansible Collection can be used to install or upgrade MongoDB when the selected service provider is community. If the MonogDB instance used by MAS is hosted by a third party please consult the applicable documentation with respect to MongoDB 5 or 6 options. If the MongoDB instance is hosted on premises please review the appropriate MongoDB documentation related to upgrading. As a best practice it is advised perform MongoDB backups on a regular basis. This is especially important before any upgrade of MongoDB.

If the selected provider is community then the MongoDB Community Kubernetes Operator will be configured and deployed into the specified namespace. By default a three member MongoDB replica set will be created. The cluster will bind six PVCs, these provide persistence for the data and system logs across the three nodes. Currently there is no support built-in for customizing the cluster beyond this configuration.

Tip

The role will generate a yaml file containing the definition of a Secret and MongoCfg resource that can be used to configure the deployed instance as the MAS system MongoDb.

This file can be directly applied using oc apply -f $MAS_CONFIG_DIR/mongocfg-mongoce-system.yaml or used in conjunction with the suite_config role.

Prerequisites

To run this role with providers as ibm or aws you must have already installed the AWS CLI. Also, you need to have AWS user credentials configured via aws configure command or simply export AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables with your corresponding AWS username credentials prior running this role when provider is either ibm or aws.

To run the docdb_secret_rotate MONGODB_ACTION when the provider is aws you must have already installed the Mongo Shell.

This role will install a GrafanaDashboard used for monitoring the MongoDB instance when the provided is community and you have run the cluster_monitoring role previously. If you did not run the cluster_monitoring role then the GrafanaDashboard won't be installed.

Common Role Variables for all providers

mas_instance_id

The instance ID of Maximo Application Suite that the MongoCfg configuration will target. If this or mas_config_dir are not set then the role will not generate a MongoCfg template.

Environment Variable: MAS_INSTANCE_ID
Default Value: None

mas_config_dir

Local directory to save the generated MongoCfg resource definition. This can be used to manually configure a MAS instance to connect to the Mongo cluster, or used as an input to the suite_config role. If this or mas_instance_id are not set then the role will not generate a MongoCfg template.

Environment Variable: MAS_CONFIG_DIR
Default Value: None

mongodb_provider

MongoDB provider

Environment variable: MONGODB_PROVIDER
Defult Value: community
Supported providers: community,aws,ibm

mongodb_action

Determines which action needs to be performed w.r.t mongodb for a specfied provider

Environment variable: MONGODB_ACTION
Default Value: install ``` Following Providers supports below mentioned MONGODB_ACTION values:
Provider : community Supported MONGODB_ACTION values : install,uninstall
Provider: aws Supported MONGODB_ACTION values : install,uninstall,docdb_secret_rotate
Provider: ibm Supported MONGODB_ACTION values : install,uninstall,backup,restore,create-mongo-service-credentials ```

Community MongoDB Role Variables

Role Variables

mongodb_namespace

The namespace where the operator and MongoDb cluster will be deployed.

Environment Variable: MONGODB_NAMESPACE
Default Value: mongoce

mongodb_version

Defines the specific mongo version to be used. Best practice would be to use the version associated with the current Maximo Application Suite catalog. However, this value can currently be overridden to 4.4.21, 5.0.21, 5.0.23, 6.0.10 or 6.0.12

Important

It is advised to never attempt a downgrade a MongoDB instance managed by the MAS Devops Ansible Collection. Also best practices should include creating scheduled backups of any MongoDB instance.

Optional
Environment Variable: MONGODB_VERSION
Default Value: Automatically defined by the mongo version specified in the latest MAS case bundle available.

mongodb_storage_class

Required. The name of the storage class to configure the MongoDb operator to use for persistent storage in the MongoDb cluster.

Environment Variable: MONGODB_STORAGE_CLASS
Default Value: None

mongodb_storage_capacity_data

The size of the PVC that will be created for data storage in the cluster.

Environment Variable: MONGODB_STORAGE_CAPACITY_DATA
Default Value: 20Gi

mongodb_storage_capacity_logs

The size of the PVC that will be created for log storage in the cluster.

Environment Variable: MONGODB_STORAGE_CAPACITY_LOGS
Default Value: 20Gi

mongodb_cpu_limits

The CPU limits on the mongodb container.

Environment Variable: MONGODB_CPU_LIMITS
Default Value: 1

mongodb_mem_limits

The Memory limits on the mongodb container.

Environment Variable: MONGODB_MEM_LIMITS
Default Value: 1Gi

mongodb_cpu_requests

The CPU requests on the mongodb container.

Environment Variable: MONGODB_CPU_REQUESTS
Default Value: 500m

mongodb_mem_requests

The Memory requests on the mongodb container.

Environment Variable: MONGODB_MEM_REQUESTS
Default Value: 1Gi

mongodb_replicas

The number of the mongodb replica set members. Default is 3. Set to 1 for SNO Cluster. - Environment Variable: MONGODB_REPLICAS - Default Value: 3

custom_labels

List of comma separated key=value pairs for setting custom labels on instance specific resources.

Optional
Environment Variable: CUSTOM_LABELS
Default Value: None

mongodb_v5_upgrade

Set this to true to confirm you want to upgrade your existing Mongo instance from version 4.2 or 4.4 to version 5.

Optional
Environment Variable: MONGODB_V5_UPGRADE
Default Value: false

mongodb_v6_upgrade

Set this to true to confirm you want to upgrade your existing Mongo instance from version 5 to version 6.

Optional
Environment Variable: MONGODB_V5_UPGRADE
Default Value: false

Example Playbook

- hosts: localhost
  any_errors_fatal: true
  vars:
    mongodb_storage_class: ibmc-block-gold
    mas_instance_id: masinst1
    mas_config_dir: ~/masconfig
  roles:
    - ibm.mas_devops.mongodb

Troubleshooting

Important

Please be cautious while performing any of the troubleshooting steps outlined below. It is important to understand that the MongoDB Community operator persists data within Persistent Volume Claims. These claims should not be removed inadvertent deletion of the mongoce namespace could result in data loss.

MongoDB Replica Set Pods Will Not Start

MongoDB 5 has introduced new platform specific requirements. Please consult the Platform Support Notes for detailed information.

It is of particular importance to confirm that the AVX instruction set is exposed or available to the MongoDB workloads. This can easily be determined by entering any running pod on the same OpenShift cluster where MongoDB replica set members are failing to start. Once inside of a running pod the following command can be executed to confirm if the AVX instruction set is available:

cat /proc/cpuinfo | grep flags | grep avx

If avx is not found in the available flags then either the physical processor hosting the OpenShift cluster does not provide the AVX instruction set or the virtual host configuration is not exposing the AVX instruction set. If the latter is suspected the virtual hosting documentation should be referenced for details on how to expose the AVX instruction set.

CA Certificate Renewal

Warning

If the MongoDB CA Certificate expires the MongoDB replica set will become unusable. Replica set members will not be able to communicate with each other and client applications (i.e. Maximo Application Suite components) will not be to connect.

In order to renew the CA Certificate used by the MongoDB replica set the following steps must be taken:

Delete the CA Certificate resource
Delete the MongoDB server Certificate resource
Delete the Secrets resources associated with both the CA Certificate and Server Certificate
Delete the Secret resource which contains the MongoDB configuration parameters
Delete the ConfigMap resources which contains the CA certificate
Delete the Secret resource which contains the sever certificate and private key

The following steps illustrate the process required to renew the CA Certificate, sever certificate and reconfigure the MongoDB replica set with the new CA and server certificates.

The first step is to stop the Mongo replica set and MongoDb CE Operator pod.

oc project mongoce
oc delete deployment mongodb-kubernetes-operator

Important

Make sure the MongoDB Community operator pod has terminated before proceeding.

oc delete statefulset mas-mongo-ce

Important

Make sure all pods in the mongoce namespace have terminated before proceeding

Remove expired CA Certificate and Server Certificate resources. Clean up MongoDB Community configuration and then run the mongodb role.

oc delete certificate mongo-ca-crt
oc delete certificate mongo-server
oc delete secret mongo-ca-secret
oc delete secret mongo-server-cert

oc delete secret mas-mongo-ce-config
oc delete configmap  mas-mongo-ce-cert-map
oc delete secret mas-mongo-ce-server-certificate-key

export ROLE_NAME=mongodb
ansible-playbook ibm.mas_devops.run_role

Once the mongodb role has completed the MongoDb CE Operator pod and Mongo replica set should be configured.

After the CA and server Certificates have been renewed you must ensure that that MongoCfg Suite CR is updated with the new CA Certificate. First obtain the CA Certificate from the Secret resource mongo-ca-secret. Then edit the Suite MongoCfg CR in the Maximo Application Suite core namespace. This is done by updating the appropriate certificate under .spec.certificates in the MongoCfg CR:

  spec:
    certificates:
    - alias: ca
      crt: |
        -----BEGIN CERTIFICATE-----

        -----END CERTIFICATE-----

If an IBM Suite Licensing Service (SLS) is also connecting to the MongoDB replica set the LicenseService CR must also be updated to reflect the new MongoDB CA. This can be added to the .spec.mongo.certificates section of the LicenseService CR.

    mongo:
      certificates:
      - alias: mongoca
        crt: |
          -----BEGIN CERTIFICATE-----

          -----END CERTIFICATE-----

Once the CA certificate has been updated for the MongoCfg and LicenseService CRs several pods in the core and SLS namespaces might need to be restarted to pick up the changes. This would include but is not limited to coreidp, coreapi, api-licensing.

IBM Cloud MongoDB Role Variables

ibm_mongo_name

Required. IBM Cloud Mongo database instance name.

Environment Variable: IBM_MONGO_NAME
Default Value: mongo-${MAS_INSTANCE_ID}

ibm_mongo_admin_password

Optional. Sets IBM Cloud Mongo database administrator user password. If not set, an auto-generated 20 character length string will be used.

Environment Variable: IBM_MONGO_ADMIN_PASSWORD
Default Value: None.

ibm_mongo_admin_credentials_secret_name

Secret for MongoDB Admin credentials.

Secret Name: <mongo-name>-admin-credentials

ibm_mongo_service_credentials_secret_name

Secret for MongoDB Service credentials.

Secret Name: <mongo-name>-service-credentials

ibm_mongo_resourcegroup

Required.IBM Cloud Resource Group under which resource group will be created.

Environment Variable: IBM_MONGO_RESOURCEGROUP
Default Value: Default

ibm_mongo_region

Required.IBM Cloud region where MongoDB resources will be created.

Environment Variable: IBM_MONGO_REGION
Default Value: us-east

ibmcloud_apikey

Required.IBM Cloud API Key.

Environment Variable: IBMCLOUD_APIKEY

ibm_mongo_plan

Plan name for this IBMCloud Service.

Environment Variable: IBM_MONGO_PLAN
Default Value: standard

ibm_mongo_service

IBMCloud Offering name for MongoDB Database

Value: databases-for-mongodb

ibm_mongo_service_endpoints

MongoDB Service Endpoints type can be either public or private

Environment Variable: IBM_MONGO_SERVICE_ENDPOINTS
Default Value: public

ibm_mongo_version

Specify MongoDB version to be deployed

Environment Variable: IBM_MONGO_VERSION
Default Value: 4.2

ibm_mongo_memory

Specify MongoDB Memory size

Environment Variable: IBM_MONGO_MEMORY
Default Value: 3840

ibm_mongo_disk

Specify MongoDB Disk size

Environment Variable: IBM_MONGO_DISK
Default Value: 30720

ibm_mongo_cpu

Specify MongoDB CPU

Environment Variable: IBM_MONGO_CPU
Default Value: 0

ibm_mongo_name

Resource Name in IBMCloud for MongoDB

Value: mongo-{{mas_instance_id}}

ibm_mongo_backup_id

Required only if is_restore is True CRN ID for backup resource

Environment Variable: IBM_MONGO_BACKUP_ID
Default Value: ``

is_restore

Whether want to restore from an existing backup resource or not.

Environment Variable: IS_RESTORE
Default Value: false

restored_mongodb_service_name

Required only If is_restore is True.MongoDB Service Name

Environment Variable: RESTORED_MONGODB_SERVICE_NAME

Example Playbook

- hosts: localhost
  any_errors_fatal: true
  vars:
    mas_instance_id: masinst1
    mas_config_dir: ~/masconfig
    mongodb_provider: ibm
    ibmcloud_apikey: apikey****
    ibmcloud_resource_group: mas-test
  roles:
    - ibm.mas_devops.mongodb

AWS DocumentDB Role Variables

aws_access_key_id

Required.AWS Account Access Key Id

Environment Variable: AWS_ACCESS_KEY_ID

aws_secret_access_key

Required.AWS Account Secret Access Key

Environment Variable: AWS_SECRET_ACCESS_KEY

aws_region

Required.AWS Region where DocumentDB and other resources will be created

Environment Variable: AWS_REGION
Default Value: us-east-2

vpc_id

Required.AWS VPC ID under which documentdb,subnets and security group will be created

Environment Variable: VPC_ID

docdb_cluster_name

Required.DocumentDB Cluster Name

Environment Variable: DOCDB_CLUSTER_NAME

docdb_subnet_group_name

DocumentDB Subnet Group Name

Value: docdb-{{ docdb_cluster_name }}

docdb_security_group_name

DocumentDB Security Group Name

Value: docdb-{{ docdb_cluster_name }}

docdb_admin_credentials_secret_name

DocumentDB Admin Credentials Secret Name

Value: {{ docdb_cluster_name }}-admin-credentials

docdb_engine_version

DocumentDB Engine version

Environment variable: DOCDB_ENGINE_VERSION
Default Value: 4.0.0

docdb_master_username

DocumentDB master username

Environment variable: DOCDB_MASTER_USERNAME
Default Value: docdbadmin

docdb_instance_class

DocumentDB Instance Class

Environment variable: DOCDB_INSTANCE_CLASS
Default Value: db.t3.medium

docdb_instance_number

Number of instances required for DocumentDB

Environment variable: DOCDB_INSTANCE_NUMBER
Default Value: 3

docdb_instance_identifier_prefix

Required. Prefix for DocumentDB Instance name

Environment variable: DOCDB_INSTANCE_IDENTIFIER_PREFIX

docdb_ingress_cidr

Required. IPv4 Address from which incoming connection requests will be allowed to DocumentDB cluster e.g Provide IPv4 CIDR address of VPC where ROSA cluster is installed

Environment variable: DOCDB_INGRESS_CIDR

docdb_egress_cidr

Required. IPv4 Address at which outgoing connection requests will be allowed to DocumentDB cluster e.g Provide IPv4 CIDR address of VPC where ROSA cluster is installed

Environment variable: DOCDB_EGRESS_CIDR

docdb_cidr_az1:

Required. Provide IPv4 CIDR address for the subnet to be created in one of the 3 availabilty zones of your VPC. If the subnet exists already then it must contain the tag of Name: {{ docdb_cluster_name }}, if the subnet doesn't exist already then one is created.

Environment variable: DOCDB_CIDR_AZ1

docdb_cidr_az2:

Required. Provide IPv4 CIDR address for the subnet to be created in one of the 3 availabilty zones of your VPC. If the subnet exists already then it must contain the tag of Name: {{ docdb_cluster_name }}, if the subnet doesn't exist already then one is created.

Environment variable: DOCDB_CIDR_AZ2

docdb_cidr_az3:

Required. Provide IPv4 CIDR address for the subnet to be created in one of the 3 availabilty zones of your VPC. If the subnet exists already then it must contain the tag of Name: {{ docdb_cluster_name }}, if the subnet doesn't exist already then one is created.

Environment variable: DOCDB_CIDR_AZ3

Example Playbook

- hosts: localhost
  any_errors_fatal: true
  vars:
    mas_instance_id: masinst1
    mas_config_dir: ~/masconfig
    mongodb_provider: aws
    mongodb_action: provision
    docdb_size: ~/docdb-config.yml
    docdb_cluster_name: test-db
    docdb_ingress_cidr: 10.0.0.0/16
    docdb_egress_cidr: 10.0.0.0/16
    docdb_cidr_az1: 10.0.0.0/26
    docdb_cidr_az2: 10.0.0.64/26
    docdb_cidr_az3: 10.0.0.128/26
    docdb_instance_identifier_prefix: test-db-instance
    vpc_id: test-vpc-id
    aws_access_key_id: aws-key
    aws_secret_access_key: aws-access-key

  roles:
    - ibm.mas_devops.mongodb

AWS DocumentDB Secret Rotate role Variables

docdb_mongo_instance_name

Required. DocumentDB Instance Name

Environment variable: DOCDB_MONGO_INSTANCE_NAME

docdb_host

Required. Any one Host Address out of multiple documentDB Instances

Environment variable: DOCDB_HOST

docdb_port

Required. Corresponding port address of DocumentDB Instance Host

Environment variable: DOCDB_PORT

docdb_instance_username

Required. Specify username for which password is being changed

Environment variable: DOCDB_INSTANCE_USERNAME

docdb_instance_password_old

Required. Specify the old user password

Environment variable: DOCDB_PASSWORD_OLD

docdb_master_password

Required. DocumentDB Master Username

Environment variable: DOCDB_MASTER_PASSWORD

docdb_master_username

Required. DocumentDB Master Password

Environment variable: DOCDB_MASTER_USERNAME

Example Playbook

- hosts: localhost
  any_errors_fatal: true
  vars:
    mas_instance_id: masinst1
    mas_config_dir: ~/masconfig
    mongodb_provider: aws
    mongodb_action: docdb_secret_rotate
    docdb_mongo_instance_name: test-db-instance
    db_host: aws.test1.host7283-*****
    db_port: 27017
    docdb_master_username: admin
    docdb_master_password: pass***
    docdb_instance_password_old: oldpass****
    docdb_instance_username: testuser
    aws_access_key_id: aws-key
    aws_secret_access_key: aws-access-key

  roles:
    - ibm.mas_devops.mongodb

License

EPL-2.0