Support for deploying MongoDB Search and MongoDB Vector Search using the Kubernetes operator is available as a Preview feature. The feature and corresponding documentation might change at any time during the Preview period. To learn more, see Preview Features.
You can use the Kubernetes Operator to deploy MongoDB Search and Vector Search resources to run with MongoDB enterprise v8.2.0 or higher on a Kubernetes cluster. This procedure demonstrates how to deploy and configure the mongot process to run with a new or existing replica set in your Kubernetes cluster. The deployment uses TLS certificates to ensure secure communication between MongoDB nodes and the mongot search process.
Prerequisites
To deploy MongoDB Search and Vector Search, you must have the following:
A running Kubernetes cluster with
kubeconfigavailable locally.Kubernetes command-line tool,
kubectl, configured to communicate with your cluster.Helm, the package manager for Kubernetes, to install the Kubernetes Operator.
Bash v5.1 or higher for running the commands in this tutorial.
MongoDB Ops Manager or MongoDB Cloud Manager project and API credentials.
Procedure
1
Required. Set the environment variables.
Set the environment variables for use in the subsequent steps in this procedure. Copy the following commands, update the values for your environment, and then run them to load the variables:
1 # set it to the context name of the k8s cluster 2 export K8S_CTX="<local cluster context>" 3 4 # the following namespace will be created if not exists 5 export MDB_NS="mongodb" 6 7 # name of the MongoDB Custom Resource. 8 export MDB_RESOURCE_NAME="mdb-rs" 9 10 export MDB_MEMBERS=3 11 # OM/CM's project name to be used to manage mongodb replica set 12 export OPS_MANAGER_PROJECT_NAME="<arbitrary project name>" 13 14 # URL to Cloud Manager or Ops Manager instance 15 export OPS_MANAGER_API_URL="https://cloud-qa.mongodb.com" 16 17 # The API key can be an Org Owner - the operator can create the project automatically then. 18 # The API key can also be created in a particular project that was created manually with the Project Owner scope. 19 export OPS_MANAGER_API_USER="<SET API USER>" 20 export OPS_MANAGER_API_KEY="<SET API KEY>" 21 export OPS_MANAGER_ORG_ID="<SET ORG ID>" 22 23 # minimum required MongoDB version for running MongoDB Search is 8.2.0 24 export MDB_VERSION="8.2.0-ent" 25 26 # root admin user for convenience, not used here at all in this guide 27 export MDB_ADMIN_USER_PASSWORD="admin-user-password-CHANGE-ME" 28 # regular user performing restore and search queries on sample mflix database 29 export MDB_USER_PASSWORD="mdb-user-password-CHANGE-ME" 30 # user for MongoDB Search to connect to the replica set to synchronise data from 31 export MDB_SEARCH_SYNC_USER_PASSWORD="search-sync-user-password-CHANGE-ME" 32 33 export OPERATOR_HELM_CHART="mongodb/mongodb-kubernetes" 34 # comma-separated key=value pairs for additional parameters passed to the helm-chart installing the operator 35 export OPERATOR_ADDITIONAL_HELM_VALUES="" 36 37 export MDB_TLS_CERT_SECRET_PREFIX="certs" 38 export MDB_TLS_CA_CONFIGMAP="${MDB_RESOURCE_NAME}-ca-configmap" 39 40 export CERT_MANAGER_NAMESPACE="cert-manager" 41 export MDB_TLS_SELF_SIGNED_ISSUER="selfsigned-bootstrap-issuer" 42 export MDB_TLS_CA_CERT_NAME="my-selfsigned-ca" 43 export MDB_TLS_CA_SECRET_NAME="root-secret" 44 export MDB_TLS_CA_ISSUER="my-ca-issuer" 45 export MDB_TLS_SERVER_CERT_SECRET_NAME="${MDB_TLS_CERT_SECRET_PREFIX}-${MDB_RESOURCE_NAME}-cert" 46 export MDB_SEARCH_TLS_SECRET_NAME="${MDB_RESOURCE_NAME}-search-tls" 47 48 export MDB_CONNECTION_STRING="mongodb://mdb-user:${MDB_USER_PASSWORD}@${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local:27017/?replicaSet=${MDB_RESOURCE_NAME}&tls=true&tlsCAFile=/tls/ca.crt"
To verify that all necessary environment variables are set, run the following the following code in your terminal:
1 required=( 2 K8S_CTX 3 MDB_NS 4 MDB_RESOURCE_NAME 5 MDB_VERSION 6 MDB_MEMBERS 7 CERT_MANAGER_NAMESPACE 8 MDB_TLS_CA_SECRET_NAME 9 MDB_TLS_SERVER_CERT_SECRET_NAME 10 MDB_SEARCH_TLS_SECRET_NAME 11 MDB_ADMIN_USER_PASSWORD 12 MDB_SEARCH_SYNC_USER_PASSWORD 13 MDB_USER_PASSWORD 14 OPERATOR_HELM_CHART 15 OPS_MANAGER_PROJECT_NAME 16 OPS_MANAGER_API_URL 17 OPS_MANAGER_API_USER 18 OPS_MANAGER_API_KEY 19 ) 20 21 missing_req=() 22 for v in "${required[@]}"; do [[ -n "${!v:-}" ]] || missing_req+=("${v}"); done 23 if (( ${#missing_req[@]} )); then 24 echo "ERROR: Missing required environment variables:" >&2 25 for m in "${missing_req[@]}"; do echo " - ${m}" >&2; done 26 else 27 echo "All required environment variables present." 28 fi
2
Conditional. Add the MongoDB Helm repository.
Helm automates the deployment and management of MongoDB instances on Kubernetes. If you have already added the Helm repository that contains the Helm chart for installing the Kubernetes Operator operator, skip this step. Otherwise, add the Helm repository.
To add, copy, paste, and run the following command:
1 helm repo add mongodb https://mongodb.github.io/helm-charts 2 helm repo update mongodb 3 helm search repo mongodb/mongodb-kubernetes
1 "mongodb" has been added to your repositories 2 Hang tight while we grab the latest from your chart repositories... 3 ...Successfully got an update from the "mongodb" chart repository 4 Update Complete. ⎈Happy Helming!⎈ 5 NAME CHART VERSION APP VERSION DESCRIPTION 6 mongodb/mongodb-kubernetes 1.6.0 MongoDB Controllers for Kubernetes translate th...
3
Conditional. Install the MongoDB Controllers for Kubernetes Operator.
The Kubernetes Operator watches MongoDB, MongoDBOpsManager, and MongoDBSearch custom resources and manages the lifecycle of your MongoDB deployments. If you already installed the MongoDB Controllers for Kubernetes Operator, skip this step. Otherwise, install the MongoDB Controllers for Kubernetes Operator from the Helm repository you added in the previous step.
To install the MongoDB Controllers for Kubernetes Operator in the mongodb namespace, copy, paste, and run the following:
1 helm upgrade --install --debug --kube-context "${K8S_CTX}" \ 2 --create-namespace \ 3 --namespace="${MDB_NS}" \ 4 mongodb-kubernetes \ 5 {OPERATOR_ADDITIONAL_HELM_VALUES:+--set ${OPERATOR_ADDITIONAL_HELM_VALUES}} \ 6 "${OPERATOR_HELM_CHART}"
1 Release "mongodb-kubernetes" does not exist. Installing it now. 2 NAME: mongodb-kubernetes 3 LAST DEPLOYED: Mon Nov 17 13:22:46 2025 4 NAMESPACE: mongodb 5 STATUS: deployed 6 REVISION: 1 7 TEST SUITE: None 8 USER-SUPPLIED VALUES: 9 {} 10 11 COMPUTED VALUES: 12 agent: 13 name: mongodb-agent 14 version: 108.0.12.8846-1 15 community: 16 agent: 17 name: mongodb-agent 18 version: 108.0.2.8729-1 19 mongodb: 20 imageType: ubi8 21 name: mongodb-community-server 22 repo: quay.io/mongodb 23 registry: 24 agent: quay.io/mongodb 25 resource: 26 members: 3 27 name: mongodb-replica-set 28 tls: 29 caCertificateSecretRef: tls-ca-key-pair 30 certManager: 31 certDuration: 8760h 32 renewCertBefore: 720h 33 certificateKeySecretRef: tls-certificate 34 enabled: false 35 sampleX509User: false 36 useCertManager: true 37 useX509: false 38 version: 4.4.0 39 database: 40 name: mongodb-kubernetes-database 41 version: 1.6.0 42 initAppDb: 43 name: mongodb-kubernetes-init-appdb 44 version: 1.6.0 45 initDatabase: 46 name: mongodb-kubernetes-init-database 47 version: 1.6.0 48 initOpsManager: 49 name: mongodb-kubernetes-init-ops-manager 50 version: 1.6.0 51 managedSecurityContext: false 52 mongodb: 53 appdbAssumeOldFormat: false 54 imageType: ubi8 55 name: mongodb-enterprise-server 56 repo: quay.io/mongodb 57 multiCluster: 58 clusterClientTimeout: 10 59 clusters: [] 60 kubeConfigSecretName: mongodb-enterprise-operator-multi-cluster-kubeconfig 61 performFailOver: true 62 operator: 63 additionalArguments: [] 64 affinity: {} 65 baseName: mongodb-kubernetes 66 createOperatorServiceAccount: true 67 createResourcesServiceAccountsAndRoles: true 68 deployment_name: mongodb-kubernetes-operator 69 enableClusterMongoDBRoles: true 70 enablePVCResize: true 71 env: prod 72 maxConcurrentReconciles: 1 73 mdbDefaultArchitecture: non-static 74 name: mongodb-kubernetes-operator 75 nodeSelector: {} 76 operator_image_name: mongodb-kubernetes 77 podSecurityContext: 78 runAsNonRoot: true 79 runAsUser: 2000 80 replicas: 1 81 resources: 82 limits: 83 cpu: 1100m 84 memory: 1Gi 85 requests: 86 cpu: 500m 87 memory: 200Mi 88 securityContext: {} 89 telemetry: 90 collection: 91 clusters: {} 92 deployments: {} 93 frequency: 1h 94 operators: {} 95 send: 96 frequency: 168h 97 tolerations: [] 98 vaultSecretBackend: 99 enabled: false 100 tlsSecretRef: "" 101 version: 1.6.0 102 watchedResources: 103 - mongodb 104 - opsmanagers 105 - mongodbusers 106 - mongodbcommunity 107 - mongodbsearch 108 webhook: 109 installClusterRole: true 110 registerConfiguration: true 111 opsManager: 112 name: mongodb-enterprise-ops-manager-ubi 113 readinessProbe: 114 name: mongodb-kubernetes-readinessprobe 115 version: 1.0.23 116 registry: 117 agent: quay.io/mongodb 118 database: quay.io/mongodb 119 imagePullSecrets: null 120 initAppDb: quay.io/mongodb 121 initDatabase: quay.io/mongodb 122 initOpsManager: quay.io/mongodb 123 operator: quay.io/mongodb 124 opsManager: quay.io/mongodb 125 pullPolicy: Always 126 readinessProbe: quay.io/mongodb 127 versionUpgradeHook: quay.io/mongodb 128 search: 129 name: mongodb-search 130 repo: quay.io/mongodb 131 version: 0.55.0 132 versionUpgradeHook: 133 name: mongodb-kubernetes-operator-version-upgrade-post-start-hook 134 version: 1.0.10 135 136 HOOKS: 137 MANIFEST: 138 --- 139 Source: mongodb-kubernetes/templates/database-roles.yaml 140 apiVersion: v1 141 kind: ServiceAccount 142 metadata: 143 name: mongodb-kubernetes-appdb 144 namespace: mongodb 145 --- 146 Source: mongodb-kubernetes/templates/database-roles.yaml 147 apiVersion: v1 148 kind: ServiceAccount 149 metadata: 150 name: mongodb-kubernetes-database-pods 151 namespace: mongodb 152 --- 153 Source: mongodb-kubernetes/templates/database-roles.yaml 154 apiVersion: v1 155 kind: ServiceAccount 156 metadata: 157 name: mongodb-kubernetes-ops-manager 158 namespace: mongodb 159 --- 160 Source: mongodb-kubernetes/templates/operator-sa.yaml 161 apiVersion: v1 162 kind: ServiceAccount 163 metadata: 164 name: mongodb-kubernetes-operator 165 namespace: mongodb 166 --- 167 Source: mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml 168 kind: ClusterRole 169 apiVersion: rbac.authorization.k8s.io/v1 170 metadata: 171 name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role 172 rules: 173 - apiGroups: 174 - mongodb.com 175 verbs: 176 - '*' 177 resources: 178 - clustermongodbroles 179 --- 180 Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml 181 Additional ClusterRole for clusterVersionDetection 182 kind: ClusterRole 183 apiVersion: rbac.authorization.k8s.io/v1 184 metadata: 185 name: mongodb-kubernetes-operator-cluster-telemetry 186 rules: 187 Non-resource URL permissions 188 - nonResourceURLs: 189 - "/version" 190 verbs: 191 - get 192 Cluster-scoped resource permissions 193 - apiGroups: 194 - '' 195 resources: 196 - namespaces 197 resourceNames: 198 - kube-system 199 verbs: 200 - get 201 - apiGroups: 202 - '' 203 resources: 204 - nodes 205 verbs: 206 - list 207 --- 208 Source: mongodb-kubernetes/templates/operator-roles-webhook.yaml 209 kind: ClusterRole 210 apiVersion: rbac.authorization.k8s.io/v1 211 metadata: 212 name: mongodb-kubernetes-operator-mongodb-webhook-cr 213 rules: 214 - apiGroups: 215 - "admissionregistration.k8s.io" 216 resources: 217 - validatingwebhookconfigurations 218 verbs: 219 - get 220 - create 221 - update 222 - delete 223 - apiGroups: 224 - "" 225 resources: 226 - services 227 verbs: 228 - get 229 - list 230 - watch 231 - create 232 - update 233 - delete 234 --- 235 Source: mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml 236 kind: ClusterRoleBinding 237 apiVersion: rbac.authorization.k8s.io/v1 238 metadata: 239 name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role-binding 240 roleRef: 241 apiGroup: rbac.authorization.k8s.io 242 kind: ClusterRole 243 name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role 244 subjects: 245 - kind: ServiceAccount 246 name: mongodb-kubernetes-operator 247 namespace: mongodb 248 --- 249 Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml 250 ClusterRoleBinding for clusterVersionDetection 251 kind: ClusterRoleBinding 252 apiVersion: rbac.authorization.k8s.io/v1 253 metadata: 254 name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding 255 roleRef: 256 apiGroup: rbac.authorization.k8s.io 257 kind: ClusterRole 258 name: mongodb-kubernetes-operator-cluster-telemetry 259 subjects: 260 - kind: ServiceAccount 261 name: mongodb-kubernetes-operator 262 namespace: mongodb 263 --- 264 Source: mongodb-kubernetes/templates/operator-roles-webhook.yaml 265 kind: ClusterRoleBinding 266 apiVersion: rbac.authorization.k8s.io/v1 267 metadata: 268 name: mongodb-kubernetes-operator-mongodb-webhook-crb 269 roleRef: 270 apiGroup: rbac.authorization.k8s.io 271 kind: ClusterRole 272 name: mongodb-kubernetes-operator-mongodb-webhook-cr 273 subjects: 274 - kind: ServiceAccount 275 name: mongodb-kubernetes-operator 276 namespace: mongodb 277 --- 278 Source: mongodb-kubernetes/templates/database-roles.yaml 279 kind: Role 280 apiVersion: rbac.authorization.k8s.io/v1 281 metadata: 282 name: mongodb-kubernetes-appdb 283 namespace: mongodb 284 rules: 285 - apiGroups: 286 - '' 287 resources: 288 - secrets 289 verbs: 290 - get 291 - apiGroups: 292 - '' 293 resources: 294 - pods 295 verbs: 296 - patch 297 - delete 298 - get 299 --- 300 Source: mongodb-kubernetes/templates/operator-roles-base.yaml 301 kind: Role 302 apiVersion: rbac.authorization.k8s.io/v1 303 metadata: 304 name: mongodb-kubernetes-operator 305 namespace: mongodb 306 rules: 307 - apiGroups: 308 - '' 309 resources: 310 - services 311 verbs: 312 - get 313 - list 314 - watch 315 - create 316 - update 317 - delete 318 - apiGroups: 319 - '' 320 resources: 321 - secrets 322 - configmaps 323 verbs: 324 - get 325 - list 326 - create 327 - update 328 - delete 329 - watch 330 - apiGroups: 331 - apps 332 resources: 333 - statefulsets 334 verbs: 335 - create 336 - get 337 - list 338 - watch 339 - delete 340 - update 341 - apiGroups: 342 - '' 343 resources: 344 - pods 345 verbs: 346 - get 347 - list 348 - watch 349 - delete 350 - deletecollection 351 - apiGroups: 352 - mongodbcommunity.mongodb.com 353 resources: 354 - mongodbcommunity 355 - mongodbcommunity/status 356 - mongodbcommunity/spec 357 - mongodbcommunity/finalizers 358 verbs: 359 - '*' 360 - apiGroups: 361 - mongodb.com 362 verbs: 363 - '*' 364 resources: 365 - mongodb 366 - mongodb/finalizers 367 - mongodbusers 368 - mongodbusers/finalizers 369 - opsmanagers 370 - opsmanagers/finalizers 371 - mongodbmulticluster 372 - mongodbmulticluster/finalizers 373 - mongodbsearch 374 - mongodbsearch/finalizers 375 - mongodb/status 376 - mongodbusers/status 377 - opsmanagers/status 378 - mongodbmulticluster/status 379 - mongodbsearch/status 380 --- 381 Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml 382 kind: Role 383 apiVersion: rbac.authorization.k8s.io/v1 384 metadata: 385 name: mongodb-kubernetes-operator-pvc-resize 386 namespace: mongodb 387 rules: 388 - apiGroups: 389 - '' 390 resources: 391 - persistentvolumeclaims 392 verbs: 393 - get 394 - delete 395 - list 396 - watch 397 - patch 398 - update 399 --- 400 Source: mongodb-kubernetes/templates/database-roles.yaml 401 kind: RoleBinding 402 apiVersion: rbac.authorization.k8s.io/v1 403 metadata: 404 name: mongodb-kubernetes-appdb 405 namespace: mongodb 406 roleRef: 407 apiGroup: rbac.authorization.k8s.io 408 kind: Role 409 name: mongodb-kubernetes-appdb 410 subjects: 411 - kind: ServiceAccount 412 name: mongodb-kubernetes-appdb 413 namespace: mongodb 414 --- 415 Source: mongodb-kubernetes/templates/operator-roles-base.yaml 416 kind: RoleBinding 417 apiVersion: rbac.authorization.k8s.io/v1 418 metadata: 419 name: mongodb-kubernetes-operator 420 namespace: mongodb 421 roleRef: 422 apiGroup: rbac.authorization.k8s.io 423 kind: Role 424 name: mongodb-kubernetes-operator 425 subjects: 426 - kind: ServiceAccount 427 name: mongodb-kubernetes-operator 428 namespace: mongodb 429 --- 430 Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml 431 kind: RoleBinding 432 apiVersion: rbac.authorization.k8s.io/v1 433 metadata: 434 name: mongodb-kubernetes-operator-pvc-resize-binding 435 namespace: mongodb 436 roleRef: 437 apiGroup: rbac.authorization.k8s.io 438 kind: Role 439 name: mongodb-kubernetes-operator-pvc-resize 440 subjects: 441 - kind: ServiceAccount 442 name: mongodb-kubernetes-operator 443 namespace: mongodb 444 --- 445 Source: mongodb-kubernetes/templates/operator.yaml 446 apiVersion: apps/v1 447 kind: Deployment 448 metadata: 449 name: mongodb-kubernetes-operator 450 namespace: mongodb 451 spec: 452 replicas: 1 453 selector: 454 matchLabels: 455 app.kubernetes.io/component: controller 456 app.kubernetes.io/name: mongodb-kubernetes-operator 457 app.kubernetes.io/instance: mongodb-kubernetes-operator 458 template: 459 metadata: 460 labels: 461 app.kubernetes.io/component: controller 462 app.kubernetes.io/name: mongodb-kubernetes-operator 463 app.kubernetes.io/instance: mongodb-kubernetes-operator 464 spec: 465 serviceAccountName: mongodb-kubernetes-operator 466 securityContext: 467 runAsNonRoot: true 468 runAsUser: 2000 469 containers: 470 - name: mongodb-kubernetes-operator 471 image: "quay.io/mongodb/mongodb-kubernetes:1.6.0" 472 imagePullPolicy: Always 473 args: 474 - -watch-resource=mongodb 475 - -watch-resource=opsmanagers 476 - -watch-resource=mongodbusers 477 - -watch-resource=mongodbcommunity 478 - -watch-resource=mongodbsearch 479 - -watch-resource=clustermongodbroles 480 command: 481 - /usr/local/bin/mongodb-kubernetes-operator 482 resources: 483 limits: 484 cpu: 1100m 485 memory: 1Gi 486 requests: 487 cpu: 500m 488 memory: 200Mi 489 env: 490 - name: OPERATOR_ENV 491 value: prod 492 - name: MDB_DEFAULT_ARCHITECTURE 493 value: non-static 494 - name: NAMESPACE 495 valueFrom: 496 fieldRef: 497 fieldPath: metadata.namespace 498 - name: WATCH_NAMESPACE 499 valueFrom: 500 fieldRef: 501 fieldPath: metadata.namespace 502 - name: MDB_OPERATOR_TELEMETRY_COLLECTION_FREQUENCY 503 value: "1h" 504 - name: MDB_OPERATOR_TELEMETRY_SEND_FREQUENCY 505 value: "168h" 506 - name: CLUSTER_CLIENT_TIMEOUT 507 value: "10" 508 - name: IMAGE_PULL_POLICY 509 value: Always 510 # Database 511 - name: MONGODB_ENTERPRISE_DATABASE_IMAGE 512 value: quay.io/mongodb/mongodb-kubernetes-database 513 - name: INIT_DATABASE_IMAGE_REPOSITORY 514 value: quay.io/mongodb/mongodb-kubernetes-init-database 515 - name: INIT_DATABASE_VERSION 516 value: "1.6.0" 517 - name: DATABASE_VERSION 518 value: "1.6.0" 519 # Ops Manager 520 - name: OPS_MANAGER_IMAGE_REPOSITORY 521 value: quay.io/mongodb/mongodb-enterprise-ops-manager-ubi 522 - name: INIT_OPS_MANAGER_IMAGE_REPOSITORY 523 value: quay.io/mongodb/mongodb-kubernetes-init-ops-manager 524 - name: INIT_OPS_MANAGER_VERSION 525 value: "1.6.0" 526 # AppDB 527 - name: INIT_APPDB_IMAGE_REPOSITORY 528 value: quay.io/mongodb/mongodb-kubernetes-init-appdb 529 - name: INIT_APPDB_VERSION 530 value: "1.6.0" 531 - name: OPS_MANAGER_IMAGE_PULL_POLICY 532 value: Always 533 - name: AGENT_IMAGE 534 value: "quay.io/mongodb/mongodb-agent:108.0.12.8846-1" 535 - name: MDB_AGENT_IMAGE_REPOSITORY 536 value: "quay.io/mongodb/mongodb-agent" 537 - name: MONGODB_IMAGE 538 value: mongodb-enterprise-server 539 - name: MONGODB_REPO_URL 540 value: quay.io/mongodb 541 - name: MDB_IMAGE_TYPE 542 value: ubi8 543 - name: PERFORM_FAILOVER 544 value: 'true' 545 - name: MDB_MAX_CONCURRENT_RECONCILES 546 value: "1" 547 - name: POD_NAME 548 valueFrom: 549 fieldRef: 550 fieldPath: metadata.name 551 - name: OPERATOR_NAME 552 value: mongodb-kubernetes-operator 553 # Community Env Vars Start 554 - name: MDB_COMMUNITY_AGENT_IMAGE 555 value: "quay.io/mongodb/mongodb-agent:108.0.2.8729-1" 556 - name: VERSION_UPGRADE_HOOK_IMAGE 557 value: "quay.io/mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook:1.0.10" 558 - name: READINESS_PROBE_IMAGE 559 value: "quay.io/mongodb/mongodb-kubernetes-readinessprobe:1.0.23" 560 - name: MDB_COMMUNITY_IMAGE 561 value: "mongodb-community-server" 562 - name: MDB_COMMUNITY_REPO_URL 563 value: "quay.io/mongodb" 564 - name: MDB_COMMUNITY_IMAGE_TYPE 565 value: "ubi8" 566 # Community Env Vars End 567 - name: MDB_SEARCH_REPO_URL 568 value: "quay.io/mongodb" 569 - name: MDB_SEARCH_NAME 570 value: "mongodb-search" 571 - name: MDB_SEARCH_VERSION 572 value: "0.55.0"
4
Conditional. Create and deploy the MongoDB Enterprise resource.
If you have already deployed MongoDB Enterprise, skip to the next step. Otherwise, deploy the MongoDB Enterprise resource.
To deploy the MongoDB Enterprise, complete the following steps:
Create the ConfigMap and secret for the MongoDB Ops Manager project if you are using MongoDB Ops Manager.
To store the configuration and credentials for integration with MongoDB Ops Manager, copy, paste, and run the following commands:
1 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" create configmap om-project \ 2 --from-literal=projectName="${OPS_MANAGER_PROJECT_NAME}" --from-literal=baseUrl="${OPS_MANAGER_API_URL}" \ 3 --from-literal=orgId="${OPS_MANAGER_ORG_ID:-}" 4 5 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" create secret generic om-credentials \ 6 --from-literal=publicKey="${OPS_MANAGER_API_USER}" \ 7 --from-literal=privateKey="${OPS_MANAGER_API_KEY}" Create a
MongoDBcustom resource namedmdb-rs.The resource defines CPU and memory resources for the
mongodandmongodb-agentcontainers and instructs the Kubernetes Operator to configure a MongoDB replica set with 3 members:To deploy MongoDB Enterprise, copy, paste, and run the following in the namespace:
1 kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF 2 apiVersion: mongodb.com/v1 3 kind: MongoDB 4 metadata: 5 name: ${MDB_RESOURCE_NAME} 6 spec: 7 members: ${MDB_MEMBERS} 8 version: ${MDB_VERSION} 9 type: ReplicaSet 10 opsManager: 11 configMapRef: 12 name: om-project 13 credentials: om-credentials 14 security: 15 authentication: 16 enabled: true 17 ignoreUnknownUsers: true 18 modes: 19 - SCRAM 20 certsSecretPrefix: ${MDB_TLS_CERT_SECRET_PREFIX} 21 tls: 22 enabled: true 23 ca: ${MDB_TLS_CA_CONFIGMAP} 24 agent: 25 logLevel: INFO 26 podSpec: 27 podTemplate: 28 spec: 29 containers: 30 - name: mongodb-enterprise-database 31 resources: 32 limits: 33 cpu: "2" 34 memory: 2Gi 35 requests: 36 cpu: "1" 37 memory: 1Gi 38 EOF Wait for the
MongoDBresource deployment to complete.When you apply the
MongoDBcustom resource, the Kubernetes operator begins deploying the MongoDB nodes (pods). This step pauses the execution until themdbc-rsresource's status phase isRunning, which indicates that the MongoDB Community replica set is operational.1 echo "Waiting for MongoDB resource to reach Running phase..." 2 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running "mdb/${MDB_RESOURCE_NAME}" --timeout=400s 3 echo; echo "MongoDB resource" 4 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get "mdb/${MDB_RESOURCE_NAME}" 5 echo; echo "Pods running in cluster ${K8S_CTX}" 6 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get pods 1 Waiting for MongoDB resource to reach Running phase... 2 mongodb.mongodb.mongodb.com/mdbc-rs condition met 3 4 MongoDB resource 5 NAME PHASE VERSION 6 mdbc-rs Running 8.2 7 8 Pods running in cluster minikube 9 NAME READY STATUS RESTARTS AGE 10 mdbc-rs-0 2/2 Running 0 2m30s 11 mdbc-rs-1 2/2 Running 0 82s 12 mdbc-rs-2 2/2 Running 0 38s 13 mongodb-kubernetes-operator-5776c8b4df-cppnf 1/1 Running 0 7m37s
5
Conditional. Install the cert-manager.
The cert-manager is required for managing TLS certificates. If you already have cert-manager installed in your cluster, skip this step. Otherwise, install cert-manager using Helm.
To install cert-manager in the cert-manager namespace, run the following command in your terminal:
1 helm upgrade --install \ 2 cert-manager \ 3 oci://quay.io/jetstack/charts/cert-manager \ 4 --kube-context "${K8S_CTX}" \ 5 --namespace "${CERT_MANAGER_NAMESPACE}" \ 6 --create-namespace \ 7 --set crds.enabled=true 8 9 for deployment in cert-manager cert-manager-cainjector cert-manager-webhook; do 10 kubectl --context "${K8S_CTX}" \ 11 -n "${CERT_MANAGER_NAMESPACE}" \ 12 wait --for=condition=Available "deployment/${deployment}" --timeout=300s 13 done 14 15 echo "cert-manager is ready in namespace ${CERT_MANAGER_NAMESPACE}."
6
Required. Prepare certificate issuer and CA infrastructure.
Create the certificate authority infrastructure that will issue TLS certificates for MongoDB and MongoDBSearch resources. The commands perform the following actions:
Create a self-signed
ClusterIssuer.Generate a CA certificate.
Publish a cluster-wide CA issuer that all namespaces can use.
Expose the CA bundle through a
ConfigMapso MongoDB resources can use it.
1 Bootstrap a self-signed ClusterIssuer to mint the CA secret consumed by application workloads. 2 kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST 3 apiVersion: cert-manager.io/v1 4 kind: ClusterIssuer 5 metadata: 6 name: ${MDB_TLS_SELF_SIGNED_ISSUER} 7 spec: 8 selfSigned: {} 9 EOF_MANIFEST 10 11 kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_SELF_SIGNED_ISSUER}" 12 13 kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST 14 apiVersion: cert-manager.io/v1 15 kind: Certificate 16 metadata: 17 name: ${MDB_TLS_CA_CERT_NAME} 18 namespace: ${CERT_MANAGER_NAMESPACE} 19 spec: 20 isCA: true 21 commonName: ${MDB_TLS_CA_CERT_NAME} 22 secretName: ${MDB_TLS_CA_SECRET_NAME} 23 privateKey: 24 algorithm: ECDSA 25 size: 256 26 issuerRef: 27 name: ${MDB_TLS_SELF_SIGNED_ISSUER} 28 kind: ClusterIssuer 29 EOF_MANIFEST 30 31 kubectl --context "${K8S_CTX}" wait --for=condition=Ready -n "${CERT_MANAGER_NAMESPACE}" certificate "${MDB_TLS_CA_CERT_NAME}" 32 33 kubectl apply --context "${K8S_CTX}" -f - <<EOF_MANIFEST 34 apiVersion: cert-manager.io/v1 35 kind: ClusterIssuer 36 metadata: 37 name: ${MDB_TLS_CA_ISSUER} 38 spec: 39 ca: 40 secretName: ${MDB_TLS_CA_SECRET_NAME} 41 EOF_MANIFEST 42 43 kubectl --context "${K8S_CTX}" wait --for=condition=Ready clusterissuer "${MDB_TLS_CA_ISSUER}" 44 45 TMP_CA_CERT="$(mktemp)" 46 trap 'rm -f "${TMP_CA_CERT}"' EXIT 47 48 kubectl --context "${K8S_CTX}" get secret "${MDB_TLS_CA_SECRET_NAME}" -n "${CERT_MANAGER_NAMESPACE}" -o jsonpath="{.data['ca\\.crt']}" | base64 --decode > "${TMP_CA_CERT}" 49 50 kubectl --context "${K8S_CTX}" create configmap "${MDB_TLS_CA_CONFIGMAP}" -n "${MDB_NS}" \ 51 --from-file=ca-pem="${TMP_CA_CERT}" --from-file=mms-ca.crt="${TMP_CA_CERT}" \ 52 --from-file=ca.crt="${TMP_CA_CERT}" \ 53 --dry-run=client -o yaml | kubectl --context "${K8S_CTX}" apply -f -
7
Required. Issue TLS certificates.
Issue TLS certificates for both the MongoDB server (${MDB_RESOURCE_NAME}-server-tls) and the MongoDBSearch service (${MDB_RESOURCE_NAME}-search-tls). The MongoDB server certificate includes all necessary DNS names for the pod and service communication. Both certificates support server and client authentication.
1 server_certificate="${MDB_RESOURCE_NAME}-server-tls" 2 search_certificate="${MDB_RESOURCE_NAME}-search-tls" 3 4 mongo_dns_names=() 5 for ((member = 0; member < MDB_MEMBERS; member++)); do 6 mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}") 7 mongo_dns_names+=("${MDB_RESOURCE_NAME}-${member}.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local") 8 done 9 mongo_dns_names+=( 10 "${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local" 11 "*.${MDB_RESOURCE_NAME}-svc.${MDB_NS}.svc.cluster.local" 12 ) 13 14 search_dns_names=( 15 "${MDB_RESOURCE_NAME}-search-svc.${MDB_NS}.svc.cluster.local" 16 ) 17 18 render_dns_list() { 19 local dns_list=("$@") 20 for dns in "${dns_list[@]}"; do 21 printf " - \"%s\"\n" "${dns}" 22 done 23 } 24 25 kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF_MANIFEST 26 apiVersion: cert-manager.io/v1 27 kind: Certificate 28 metadata: 29 name: ${server_certificate} 30 namespace: ${MDB_NS} 31 spec: 32 secretName: ${MDB_TLS_SERVER_CERT_SECRET_NAME} 33 issuerRef: 34 name: ${MDB_TLS_CA_ISSUER} 35 kind: ClusterIssuer 36 duration: 240h0m0s 37 renewBefore: 120h0m0s 38 usages: 39 - digital signature 40 - key encipherment 41 - server auth 42 - client auth 43 dnsNames: 44 (render_dns_list "${mongo_dns_names[@]}") 45 --- 46 apiVersion: cert-manager.io/v1 47 kind: Certificate 48 metadata: 49 name: ${search_certificate} 50 namespace: ${MDB_NS} 51 spec: 52 secretName: ${MDB_SEARCH_TLS_SECRET_NAME} 53 issuerRef: 54 name: ${MDB_TLS_CA_ISSUER} 55 kind: ClusterIssuer 56 duration: 240h0m0s 57 renewBefore: 120h0m0s 58 usages: 59 - digital signature 60 - key encipherment 61 - server auth 62 - client auth 63 dnsNames: 64 (render_dns_list "${search_dns_names[@]}") 65 EOF_MANIFEST 66 67 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${server_certificate}" --timeout=300s 68 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=condition=Ready certificate "${search_certificate}" --timeout=300s
8
Required. Create and load the MongoDB user secrets.
MongoDB requires authentication for secure access. In this step, you create three Kubernetes secrets:
mdb-admin-user-password: Credentials for the MongoDB administrator.mdb-user-password: Credentials for the user authorized to perform search queries.mdbc-rs-search-sync-source-password: Credentials for a dedicated search user used internally by themongotprocess to synchronize data and manage indexes.
Kubernetes Operator mounts these secrets into the MongoDB pods.
To create the secrets, copy, paste, and run the following in the namespace where you deployed MongoDB Server and plan to deploy MongoDB Search and Vector Search:
1 admin user with root role 2 kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \ 3 create secret generic mdb-admin-user-password \ 4 --from-literal=password="${MDB_ADMIN_USER_PASSWORD}" 5 6 kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF 7 apiVersion: mongodb.com/v1 8 kind: MongoDBUser 9 metadata: 10 name: mdb-admin 11 spec: 12 username: mdb-admin 13 db: admin 14 mongodbResourceRef: 15 name: ${MDB_RESOURCE_NAME} 16 passwordSecretKeyRef: 17 name: mdb-admin-user-password 18 key: password 19 roles: 20 - name: root 21 db: admin 22 EOF 23 24 user used by MongoDB Search to connect to MongoDB database to synchronize data from 25 For MongoDB <8.2, the operator will be creating the searchCoordinator custom role automatically 26 From MongoDB 8.2, searchCoordinator role will be a built-in role. 27 kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \ 28 create secret generic "${MDB_RESOURCE_NAME}-search-sync-source-password" \ 29 --from-literal=password="${MDB_SEARCH_SYNC_USER_PASSWORD}" 30 kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF 31 apiVersion: mongodb.com/v1 32 kind: MongoDBUser 33 metadata: 34 name: search-sync-source-user 35 spec: 36 username: search-sync-source 37 db: admin 38 mongodbResourceRef: 39 name: ${MDB_RESOURCE_NAME} 40 passwordSecretKeyRef: 41 name: ${MDB_RESOURCE_NAME}-search-sync-source-password 42 key: password 43 roles: 44 - name: searchCoordinator 45 db: admin 46 EOF 47 48 user performing search queries 49 kubectl --context "${K8S_CTX}" --namespace "${MDB_NS}" \ 50 create secret generic mdb-user-password \ 51 --from-literal=password="${MDB_USER_PASSWORD}" 52 kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF 53 apiVersion: mongodb.com/v1 54 kind: MongoDBUser 55 metadata: 56 name: mdb-user 57 spec: 58 username: mdb-user 59 db: admin 60 mongodbResourceRef: 61 name: ${MDB_RESOURCE_NAME} 62 passwordSecretKeyRef: 63 name: mdb-user-password 64 key: password 65 roles: 66 - name: readWrite 67 db: sample_mflix 68 EOF
1 secret/mdb-admin-user-password created 2 secret/mdbc-rs-search-sync-source-password created 3 secret/mdb-user-password created
9
Required. Create and deploy the resource for MongoDB Search and Vector Search.
You can deploy one instance of the search node without any load balancing. To deploy, complete the following steps:
Create a MongoDBSearch custom resource named
mdbc-rs.This resource specifies the CPU and memory resource requirements for the search nodes. To learn more about the settings in this custom resource, see MongoDB Search and Vector Search Settings.
1 kubectl apply --context "${K8S_CTX}" -n "${MDB_NS}" -f - <<EOF 2 apiVersion: mongodb.com/v1 3 kind: MongoDBSearch 4 metadata: 5 name: ${MDB_RESOURCE_NAME} 6 spec: 7 no need to specify source.mongodbResourceRef if MongoDBSearch CR has the same name as MongoDB CR 8 the operator infer it automatically 9 security: 10 tls: 11 certificateKeySecretRef: 12 name: ${MDB_SEARCH_TLS_SECRET_NAME} 13 resourceRequirements: 14 limits: 15 cpu: "3" 16 memory: 5Gi 17 requests: 18 cpu: "2" 19 memory: 3Gi 20 EOF Wait for the MongoDBSearch resource deployment to complete.
When you apply the MongoDBSearch custom resource, the Kubernetes operator begins deploying the search nodes (pods). This step pauses the execution until the
mdbc-rsresource's status phase isRunning, which indicates that the MongoDB Community replica set is operational.1 echo "Waiting for MongoDBSearch resource to reach Running phase..." 2 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running "mdbs/${MDB_RESOURCE_NAME}" --timeout=300s
10
Optional. Verify the MongoDB Enterprise resource status.
Ensure that the MongoDB resource deployment with MongoDBSearch was successful.
1 echo "Waiting for MongoDB resource to reach Running phase..." 2 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" wait --for=jsonpath='{.status.phase}'=Running "mdb/${MDB_RESOURCE_NAME}" --timeout=400s
11
Optional. View all the running pods in your namespace.
View all the running pods in your namespace pods for the MongoDB replica set members, the MongoDB Controllers for Kubernetes Operator, and the Search nodes.
1 echo; echo "MongoDB resource" 2 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get "mdb/${MDB_RESOURCE_NAME}" 3 echo; echo "MongoDBSearch resource" 4 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get "mdbs/${MDB_RESOURCE_NAME}" 5 echo; echo "Pods running in cluster ${K8S_CTX}" 6 kubectl --context "${K8S_CTX}" -n "${MDB_NS}" get pods
1 MongoDB resource 2 NAME PHASE VERSION TYPE AGE 3 mdb-rs Running 8.2.0-ent ReplicaSet 4m7s 4 5 MongoDBSearch resource 6 NAME PHASE VERSION AGE 7 mdb-rs Running 0.55.0 93s 8 9 Pods running in cluster kind-kind 10 NAME READY STATUS RESTARTS AGE 11 mdb-rs-0 1/1 Running 0 4m6s 12 mdb-rs-1 1/1 Running 0 3m42s 13 mdb-rs-2 1/1 Running 0 3m2s 14 mdb-rs-search-0 1/1 Running 3 (52s ago) 93s 15 mongodb-kubernetes-operator-8d9b999b7-859gc 1/1 Running 0 4m25s
Next Steps
Now that you've successfully deployed MongoDB Search and Vector Search to use with MongoDB Enterprise Edition, you can add data in your MongoDB cluster, create MongoDB Search and Vector Search indexes, and run queries against your data. To learn more, see MongoDB Search and Vector Search Settings.