个人中心
gpt4 book ai didi

mongodb - 部署在kubernetes上的认证mongo

转载 作者:行者123 更新时间:2023-12-02 10:42:44 34 4
gpt4 key购买 nike

我尝试在 kubernetes 集群上配置 mongo 进行身份验证。我部署了以下 yaml:

kind: StatefulSet
metadata:
  name: mongo
spec:
  serviceName: "mongo"
  replicas: 1
template:
  metadata:
    labels:
      app: mongo
  spec:
    containers:
    - name: mongodb
      image: mongo:4.0.0
      env:
      - name: MONGO_INITDB_ROOT_USERNAME
        value: "admin"
      - name: MONGO_INITDB_ROOT_PASSWORD
# Get password from secret
        value: "abc123changeme"
      command:
      - mongod
      - --auth
      - --replSet
      - rs0
      - --bind_ip
      - 0.0.0.0
      ports:
      - containerPort: 27017
        name: web
      volumeMounts:
      - name: mongo-ps
        mountPath: /data/db
    volumes:
    - name: mongo-ps
      persistentVolumeClaim:
        claimName: mongodb-pvc

当我尝试使用用户名“admin”和密码“abc123changeme”进行身份验证时,我收到“身份验证失败。”

如何配置 mongo 管理员用户名和密码(我想从 secret 中获取密码)?

谢谢

最佳答案

环境变量不起作用的原因是 MONGO_INITDB 环境变量由镜像中的 docker-entrypoint.sh 脚本使用 ( https://github.com/docker-library/mongo/tree/master/4.0 ),但是当您在 kubernetes 文件中定义“命令:”时,您将覆盖该入口点(请参阅注释 https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ )

请参阅下面的 YML,它改编 self 在网上找到的一些示例。给我记下学习要点

  1. cvallance/mongo-k8s-sidecar 会查找与 POD 标签匹配的任何 mongo 实例,无论 namespace 如何,因此它会尝试连接集群中的任何旧实例。这让我困惑了几个小时,因为我从示例中删除了environment=标签,因为我们使用 namespace 来隔离我们的环境。回想起来,这很愚蠢且明显...一开始非常令人困惑(mongo日志抛出了各种各样的错误)由于串扰而导致的身份验证错误和服务中断类型错误)

  2. 我是 ClusterRoleBindings 的新手,我花了一段时间才意识到它们是集群级别的,我知道这似乎是显而易见的(尽管需要提供一个命名空间来让 kubectl 接受它),但导致我的被覆盖每个命名空间,因此请确保为每个环境创建唯一的名称,以避免一个命名空间中的部署弄乱另一个命名空间,因为如果 ClusterRoleBinding 在集群中不是唯一的,则 ClusterRoleBinding 会被覆盖

  3. 需要将 MONGODB_DATABASE 设置为“admin”才能进行身份验证。

  4. 我正在关注this example配置依赖于 sleep5 的身份验证,希望守护进程在尝试创建 adminUser 之前启动并运行。我发现这不够长,因此最初将其提高,因为创建 adminUser 失败显然导致了连接拒绝问题。后来我改变了 sleep ,用 while 循环和 mongo ping 来测试守护进程,这更加万无一失。

  5. 如果您在 container 中运行 mongod (例如 lxc、cgroups、Docker 等)无法访问系统中所有可用的 RAM,则必须将 --wiredTigerCacheSizeGB 设置为小于容器中可用 RAM 量的值。确切的数量取决于容器中运行的其他进程。

  6. You need at least 3 nodes in a Mongo cluster !

下面的 YML 应该在 kubernetes 中启动并配置一个 mongo 副本集,并启用持久存储和身份验证。如果您连接到 Pod...

kubectl exec -ti mongo-db-0 --namespace somenamespace /bin/bash

mongo shell 已安装在镜像中,因此您应该能够使用...连接到复制集

mongo mongodb://mongoadmin:adminpassword@mongo-db/admin?replicaSet=rs0

您会看到 rs0:PRIMARY> 或 rs0:SECONDARY,这表明这两个 pod 位于 mongo 复制集中。使用 rs.conf() 从 PRIMARY 验证这一点。

#Create a Secret to hold the MONGO_INITDB_ROOT_USERNAME/PASSWORD
#so we can enable authentication
apiVersion: v1
data:
     #echo -n "mongoadmin" | base64
    init.userid: bW9uZ29hZG1pbg==
    #echo -n "adminpassword" | base64
    init.password: YWRtaW5wYXNzd29yZA==
kind: Secret
metadata:
  name: mongo-init-credentials
  namespace: somenamespace
type: Opaque
---
# Create a secret to hold a keyfile used to authenticate between replicaset members
# this seems to need to be base64 encoded twice (might not be the case if this
# was an actual file reference as per the examples, but we're using a simple key
# here
apiVersion: v1
data:
  #echo -n "CHANGEMECHANGEMECHANGEME" | base64 | base64
  mongodb-keyfile: UTBoQlRrZEZUVVZEU0VGT1IwVk5SVU5JUVU1SFJVMUYK
kind: Secret
metadata:
  name: mongo-key
  namespace: somenamespace
type: Opaque
---
# Create a service account for Mongo and give it Pod List role
# note this is a ClusterROleBinding - the Mongo Pod will be able
# to list all pods present in the cluster regardless of namespace
# (and this is exactly what it does...see below)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mongo-serviceaccount
  namespace: somenamespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mongo-somenamespace-serviceaccount-view
  namespace: somenamespace
subjects:
- kind: ServiceAccount
  name: mongo-serviceaccount
  namespace: somenamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pod-viewer
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-viewer
  namespace: somenamespace
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
---
#Create a Storage Class for Google Container Engine
#Note fstype: xfs isn't supported by GCE yet and the
#Pod startup will hang if you try to specify it.
kind: StorageClass
apiVersion: storage.k8s.io/v1beta1
metadata:
  namespace: somenamespace
  name: mongodb-ssd-storage
provisioner: kubernetes.io/gce-pd
parameters:
  type: pd-ssd
allowVolumeExpansion: true
---
#Headless Service for StatefulSets
apiVersion: v1
kind: Service
metadata:
  namespace: somenamespace
  name: mongo-db
  labels:
    name: mongo-db
spec:
 ports:
 - port: 27017
   targetPort: 27017
 clusterIP: None
 selector:
   app: mongo
---
# Now the fun part
#
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  namespace: somenamespace
  name: mongo-db
spec:
  serviceName: mongo-db
  replicas: 3
  template:
    metadata:
      labels:
        # Labels MUST match MONGO_SIDECAR_POD_LABELS
        # and MUST differentiate between other mongo
        # instances in the CLUSTER not just the namespace
        # as the sidecar will search the entire cluster
        # for something to configure
        app: mongo
        environment: somenamespace
    spec:
      #Run the Pod using the service account
      serviceAccountName: mongo-serviceaccount
      terminationGracePeriodSeconds: 10
      #Prevent a Mongo Replica running on the same node as another (avoid single point of failure)
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - mongo
            topologyKey: "kubernetes.io/hostname"
      containers:
        - name: mongo
          image: mongo:4.0.12
          command:
            #Authentication adapted from https://gist.github.com/thilinapiy/0c5abc2c0c28efe1bbe2165b0d8dc115
            #in order to pass the new admin user id and password in
          - /bin/sh
          - -c
          - >
            if [ -f /data/db/admin-user.lock ]; then
              echo "KUBERNETES LOG $HOSTNAME- Starting Mongo Daemon with runtime settings (clusterAuthMode)"
              #ensure wiredTigerCacheSize is set within the size of the containers memory limit
              mongod --wiredTigerCacheSizeGB 0.5 --replSet rs0 --bind_ip 0.0.0.0 --smallfiles --noprealloc --clusterAuthMode keyFile --keyFile /etc/secrets-volume/mongodb-keyfile --setParameter authenticationMechanisms=SCRAM-SHA-1;
            else
              echo "KUBERNETES LOG $HOSTNAME- Starting Mongo Daemon with setup setting (authMode)"
              mongod --auth;
            fi;
          lifecycle:
              postStart:
                exec:
                  command:
                  - /bin/sh
                  - -c
                  - >
                    if [ ! -f /data/db/admin-user.lock ]; then
                      echo "KUBERNETES LOG $HOSTNAME- no Admin-user.lock file found yet"
                      #replaced simple sleep, with ping and test.
                      while (! mongo --eval "db.adminCommand('ping')"); do sleep 10; echo "KUBERNETES LOG $HOSTNAME - waiting another 10 seconds for mongo to start" >> /data/db/configlog.txt; done;
                      touch /data/db/admin-user.lock
                      if [ "$HOSTNAME" = "mongo-db-0" ]; then
                        echo "KUBERNETES LOG $HOSTNAME- creating admin user ${MONGODB_USERNAME}"
                        mongo --eval "db = db.getSiblingDB('admin'); db.createUser({ user: '${MONGODB_USERNAME}', pwd: '${MONGODB_PASSWORD}', roles: [{ role: 'root', db: 'admin' }]});" >> /data/db/config.log
                      fi;
                      echo "KUBERNETES LOG $HOSTNAME-shutting mongod down for final restart"
                      mongod --shutdown;
                    fi;
          env:
            - name: MONGODB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: mongo-init-credentials
                  key: init.userid
            - name: MONGODB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mongo-init-credentials
                  key: init.password
          ports:
            - containerPort: 27017
          livenessProbe:
            exec:
              command:
              - mongo
              - --eval
              - "db.adminCommand('ping')"
            initialDelaySeconds: 5
            periodSeconds: 60
            timeoutSeconds: 10
          readinessProbe:
            exec:
              command:
              - mongo
              - --eval
              - "db.adminCommand('ping')"
            initialDelaySeconds: 5
            periodSeconds: 60
            timeoutSeconds: 10
          resources:
            requests:
              memory: "350Mi"
              cpu: 0.05
            limits:
              memory: "1Gi"
              cpu: 0.1
          volumeMounts:
            - name: mongo-key
              mountPath: "/etc/secrets-volume"
              readOnly: true
            - name: mongo-persistent-storage
              mountPath: /data/db
        - name: mongo-sidecar
          image: cvallance/mongo-k8s-sidecar
          env:
            # Sidecar searches for any POD in the CLUSTER with these labels
            # not just the namespace..so we need to ensure the POD is labelled
            # to differentiate it from other PODS in different namespaces
            - name: MONGO_SIDECAR_POD_LABELS
              value: "app=mongo,environment=somenamespace"
            - name: MONGODB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: mongo-init-credentials
                  key: init.userid
            - name: MONGODB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mongo-init-credentials
                  key: init.password
            #don't be fooled by this..it's not your DB that
            #needs specifying, it's the admin DB as that
            #is what you authenticate against with mongo.
            - name: MONGODB_DATABASE
              value: admin
      volumes:
      - name: mongo-key
        secret:
          defaultMode: 0400
          secretName: mongo-key
  volumeClaimTemplates:
  - metadata:
      name: mongo-persistent-storage
      annotations:
        volume.beta.kubernetes.io/storage-class: "mongodb-ssd-storage"
    spec:
      accessModes: [ "ReadWriteOnce" ]
      resources:
        requests:
          storage: 1Gi

关于mongodb - 部署在kubernetes上的认证mongo,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/51815216/

34 4 0
文章推荐: vba - Excel VBA - 输入单元格时存储的值会更改格式
文章推荐: xamarin - 使用 UIDocumentInteractionController 预览文档在 iOS 13 中不起作用
文章推荐: excel - VBA 中的选择命令更改为小写
文章推荐: excel - 进度指示器,在vba中变得没有响应
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com