Configure and deploy a MongoDB cluster on Azure Kubernetes Service (AKS)
In this article, we configure and deploy a MongoDB cluster on Azure Kubernetes Service (AKS).
Configure workload identity
Create a namespace for the MongoDB cluster using the
kubectl create namespace
command.kubectl create namespace ${AKS_MONGODB_NAMESPACE} --dry-run=client --output yaml | kubectl apply -f -
Example output:
namespace/mongodb created
Create a service account and configure workload identity using the
kubectl apply
command.export TENANT_ID=$(az account show --query tenantId -o tsv) cat <<EOF | kubectl apply -f - apiVersion: v1 kind: ServiceAccount metadata: annotations: azure.workload.identity/client-id: "${MY_IDENTITY_NAME_CLIENT_ID}" azure.workload.identity/tenant-id: "${TENANT_ID}" name: "${SERVICE_ACCOUNT_NAME}" namespace: "${AKS_MONGODB_NAMESPACE}" EOF
Example output:
serviceaccount/mongodb created
Install the External Secrets Operator
In this section, we use Helm to install the External Secrets Operator. The External Secrets Operator is a Kubernetes operator that manages the lifecycle of external secrets stored in external secret stores like Azure Key Vault.
Add the External Secrets Helm repository and update the repository using the
helm repo add
andhelm repo update
commands.helm repo add external-secrets https://charts.external-secrets.io helm repo update
Example output:
Hang tight while we grab the latest from your chart repositories... ...Successfully got an update from the "external-secrets" chart repository
Install the External Secrets Operator using the
helm install
command.helm install external-secrets \ external-secrets/external-secrets \ --namespace ${AKS_MONGODB_NAMESPACE} \ --create-namespace \ --set installCRDs=true \ --wait
Example output:
NAME: external-secrets LAST DEPLOYED: Tue Jun 11 11:55:32 2024 NAMESPACE: mongodb STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: external-secrets has been deployed successfully in namespace mongodb! In order to begin using ExternalSecrets, you will need to set up a SecretStore or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore). More information on the different types of SecretStores and how to configure them can be found in our Github: https://github.com/external-secrets/external-secrets
Generate a random password for the mongodb cluster and store it in your Azure Key Vault using the
az keyvault secret set
command.#MongoDB connection strings can contain special characters in the password which need to be URL encoded. #This is because the connection string is a URI, and special characters can interfere with the URI structure. #This function generates secrets of 32 characters using only alphanumeric characters generateRandomPasswordString() { cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 }
Create a MongoDB backup user and password secret to be used for any backup and restore operations.
az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-BACKUP-USER --value MONGODB_BACKUP_USER --output table az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-BACKUP-PASSWORD --value $(generateRandomPasswordString) --output table
Create a MongoDB database admin user and password secret for database administration.
az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-DATABASE-ADMIN-USER --value MONGODB_DATABASE_ADMIN_USER --output table az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-DATABASE-ADMIN-PASSWORD --value $(generateRandomPasswordString) --output table
Create a MongoDB cluster administration user and admin secret for a cluster administration role that provides administration for more than one database.
az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-CLUSTER-ADMIN-USER --value MONGODB_CLUSTER_ADMIN_USER --output table az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-CLUSTER-ADMIN-PASSWORD --value $(generateRandomPasswordString) --output table
Create a MongoDB cluster monitoring user and admin secret for cluster monitoring.
az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-CLUSTER-MONITOR-USER --value MONGODB_CLUSTER_MONITOR_USER --output table az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-CLUSTER-MONITOR-PASSWORD --value $(generateRandomPasswordString) --output table
Create a user and password secret for user administration
az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-USER-ADMIN-USER --value MONGODB_USER_ADMIN_USER --output table az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-USER-ADMIN-PASSWORD --value $(generateRandomPasswordString) --output table
Add the
AZURE-STORAGE-ACCOUNT-NAME
to be used later for backupsaz keyvault secret set --vault-name $MY_KEYVAULT_NAME --name AZURE-STORAGE-ACCOUNT-NAME --value $AKS_MONGODB_BACKUP_STORAGE_ACCOUNT_NAME --output table
Example outputs for each of the above:
Name Value ------------------ -------------------------------------------- PMM-SERVER-API-KEY KH4uE6MlJ6fbhVbVT5sz...
Create secrets
Create a
SecretStore
resource to access the MongoDB passwords stored in your key vault using thekubectl apply
command.kubectl apply -f - <<EOF apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: azure-store namespace: ${AKS_MONGODB_NAMESPACE} spec: provider: # provider type: azure keyvault azurekv: authType: WorkloadIdentity vaultUrl: "${KEYVAULTURL}" serviceAccountRef: name: ${SERVICE_ACCOUNT_NAME} EOF
Example output:
secretstore.external-secrets.io/azure-store created
Create an
ExternalSecret
resource, which creates a KubernetesSecret
in themongodb
namespace with theMongoDB
secrets stored in your key vault, using thekubectl apply
command.kubectl apply -f - <<EOF apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: ${AKS_MONGODB_SECRETS_NAME} namespace: ${AKS_MONGODB_NAMESPACE} spec: refreshInterval: 1h secretStoreRef: kind: SecretStore name: azure-store target: name: "${AKS_MONGODB_SECRETS_NAME}" creationPolicy: Owner data: # name of the SECRET in the Azure KV (no prefix is by default a SECRET) - secretKey: MONGODB_BACKUP_USER remoteRef: key: MONGODB-BACKUP-USER - secretKey: MONGODB_BACKUP_PASSWORD remoteRef: key: MONGODB-BACKUP-PASSWORD - secretKey: MONGODB_DATABASE_ADMIN_USER remoteRef: key: MONGODB-DATABASE-ADMIN-USER - secretKey: MONGODB_DATABASE_ADMIN_PASSWORD remoteRef: key: MONGODB-DATABASE-ADMIN-PASSWORD - secretKey: MONGODB_CLUSTER_ADMIN_USER remoteRef: key: MONGODB-CLUSTER-ADMIN-USER - secretKey: MONGODB_CLUSTER_ADMIN_PASSWORD remoteRef: key: MONGODB-CLUSTER-ADMIN-PASSWORD - secretKey: MONGODB_CLUSTER_MONITOR_USER remoteRef: key: MONGODB-CLUSTER-MONITOR-USER - secretKey: MONGODB_CLUSTER_MONITOR_PASSWORD remoteRef: key: MONGODB-CLUSTER-MONITOR-PASSWORD - secretKey: MONGODB_USER_ADMIN_USER remoteRef: key: MONGODB-USER-ADMIN-USER - secretKey: MONGODB_USER_ADMIN_PASSWORD remoteRef: key: MONGODB-USER-ADMIN-PASSWORD EOF
Example output:
externalsecret.external-secrets.io/cluster-aks-mongodb-secrets created
Create an
ExternalSecret
resource, which creates a KubernetesSecret
in themongodb
namespace forAzure Blob Storage
secrets stored in your key vault, using thekubectl apply
command.kubectl apply -f - <<EOF apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: ${AKS_AZURE_SECRETS_NAME} namespace: ${AKS_MONGODB_NAMESPACE} spec: refreshInterval: 1h secretStoreRef: kind: SecretStore name: azure-store target: name: "${AKS_AZURE_SECRETS_NAME}" creationPolicy: Owner data: # name of the SECRET in the Azure KV (no prefix is by default a SECRET) - secretKey: AZURE_STORAGE_ACCOUNT_NAME remoteRef: key: AZURE-STORAGE-ACCOUNT-NAME - secretKey: AZURE_STORAGE_ACCOUNT_KEY remoteRef: key: AZURE-STORAGE-ACCOUNT-KEY EOF
Example output:
externalsecret.external-secrets.io/cluster-aks-azure-secrets created
Create a federated credential using the
az identity federated-credential create
command.az identity federated-credential create \ --name external-secret-operator \ --identity-name ${MY_IDENTITY_NAME} \ --resource-group ${MY_RESOURCE_GROUP_NAME} \ --issuer ${OIDC_URL} \ --subject system:serviceaccount:${AKS_MONGODB_NAMESPACE}:${SERVICE_ACCOUNT_NAME} \ --output table
Example output:
Issuer Name ResourceGroup Subject ----------------------------------------------------------------------------------------------------------------------- ------------------------ -------------------------------- ------------------------------------- https://australiaeast.oic.prod-aks.azure.com/07fa200c-6006-411f-bb29-a43bdf1a2bcc/d0709689-42d4-49a4-a6c8-5caa0b2384ba/ external-secret-operator myResourceGroup-rg-australiaeast system:serviceaccount:mongodb:mongodb
Give permission to the user-assigned identity to access the secret using the
az keyvault set-policy
command.az keyvault set-policy --name $MY_KEYVAULT_NAME --object-id $MY_IDENTITY_NAME_PRINCIPAL_ID --secret-permissions get --output table
Example output:
Location Name ResourceGroup ------------- -------------- -------------------------------- australiaeast vault-cjcfc-kv myResourceGroup-rg-australiaeast
Install the Percona Operator and CRDs
The Percona Operator is typically distributed as a Kubernetes Deployment
or Operator
. You can deploy it using a kubectl apply -f
command with a manifest file. You can find the latest manifests in the Percona GitHub repository or the official documentation.
Deploy the Percona Operator and CRDs using the
kubectl apply
command.kubectl apply --server-side -f https://raw.githubusercontent.com/percona/percona-server-mongodb-operator/v1.16.0/deploy/bundle.yaml -n "${AKS_MONGODB_NAMESPACE}"
Example output:
customresourcedefinition.apiextensions.k8s.io/perconaservermongodbbackups.psmdb.percona.com serverside-applied customresourcedefinition.apiextensions.k8s.io/perconaservermongodbrestores.psmdb.percona.com serverside-applied customresourcedefinition.apiextensions.k8s.io/perconaservermongodbs.psmdb.percona.com serverside-applied role.rbac.authorization.k8s.io/percona-server-mongodb-operator serverside-applied serviceaccount/percona-server-mongodb-operator serverside-applied rolebinding.rbac.authorization.k8s.io/service-account-percona-server-mongodb-operator serverside-applied deployment.apps/percona-server-mongodb-operator serverside-applied
Deploy the MongoDB cluster
- We deploy a MongoDB cluster with the Percona Operator. To ensure high availability, the MongoDB cluster is deployed with a replica set, sharding enabled and in multiple availability zones. The MongoDB cluster is deployed with a backup solution that stores the backups in an Azure Blob storage account.
The script deploys a MongoDB cluster with the following configuration:
kubectl apply -f - <<EOF
apiVersion: psmdb.percona.com/v1
kind: PerconaServerMongoDB
metadata:
name: ${AKS_MONGODB_CLUSTER_NAME}
namespace: ${AKS_MONGODB_NAMESPACE}
finalizers:
- delete-psmdb-pods-in-order
spec:
crVersion: 1.16.0
image: ${MY_ACR_REGISTRY}.azurecr.io/percona-server-mongodb:7.0.8-5
imagePullPolicy: Always
updateStrategy: SmartUpdate
upgradeOptions:
versionServiceEndpoint: https://check.percona.com
apply: disabled
schedule: "0 2 * * *"
setFCV: false
secrets:
users: "${AKS_MONGODB_SECRETS_NAME}"
encryptionKey: "${AKS_MONGODB_SECRETS_ENCRYPTION_KEY}"
pmm:
enabled: false
image: ${MY_ACR_REGISTRY}.azurecr.io/pmm-client:2.41.2
serverHost: monitoring-service
replsets:
- name: rs0
size: 3
affinity:
antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone"
podDisruptionBudget:
maxUnavailable: 1
expose:
enabled: false
exposeType: ClusterIP
resources:
limits:
cpu: "300m"
memory: "0.5G"
requests:
cpu: "300m"
memory: "0.5G"
volumeSpec:
persistentVolumeClaim:
storageClassName: managed-csi-premium
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
nonvoting:
enabled: false
size: 3
affinity:
antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone"
podDisruptionBudget:
maxUnavailable: 1
resources:
limits:
cpu: "300m"
memory: "0.5G"
requests:
cpu: "300m"
memory: "0.5G"
volumeSpec:
persistentVolumeClaim:
storageClassName: managed-csi-premium
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
arbiter:
enabled: false
size: 1
affinity:
antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone"
resources:
limits:
cpu: "300m"
memory: "0.5G"
requests:
cpu: "300m"
memory: "0.5G"
sharding:
enabled: true
configsvrReplSet:
size: 3
affinity:
antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone"
podDisruptionBudget:
maxUnavailable: 1
expose:
enabled: false
resources:
limits:
cpu: "300m"
memory: "0.5G"
requests:
cpu: "300m"
memory: "0.5G"
volumeSpec:
persistentVolumeClaim:
storageClassName: managed-csi-premium
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
mongos:
size: 3
affinity:
antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone"
podDisruptionBudget:
maxUnavailable: 1
resources:
limits:
cpu: "300m"
memory: "0.5G"
requests:
cpu: "300m"
memory: "0.5G"
expose:
exposeType: ClusterIP
backup:
enabled: true
image: ${MY_ACR_REGISTRY}.azurecr.io/percona-backup-mongodb:2.4.1
storages:
azure-blob:
type: azure
azure:
container: "${AKS_MONGODB_BACKUP_STORAGE_CONTAINER_NAME}"
prefix: psmdb
endpointUrl: https://${AKS_MONGODB_BACKUP_STORAGE_ACCOUNT_NAME}.blob.core.windows.net
credentialsSecret: "${AKS_AZURE_SECRETS_NAME}"
pitr:
enabled: false
oplogOnly: false
compressionType: gzip
compressionLevel: 6
tasks:
- name: daily-azure-us-east
enabled: true
schedule: "0 0 * * *"
keep: 3
storageName: azure-blob
compressionType: gzip
compressionLevel: 6
EOF
Example output:
perconaservermongodb.psmdb.percona.com/cluster-aks-mongodb created
Wait for the MongoDB cluster deployment process to complete using the following script.
while [ "$(kubectl get psmdb -n ${AKS_MONGODB_NAMESPACE} -o jsonpath='{.items[0].status.state}')" != "ready" ]; do echo "waiting for MongoDB cluster to be ready"; sleep 10; done
When the process completes, your cluster shows the
ready
status.kubectl get psmdb -n ${AKS_MONGODB_NAMESPACE}
Example output:
NAME ENDPOINT STATUS AGE cluster-aks-mongodb cluster-aks-mongodb-mongos.mongodb.svc.cluster.local ready 3m1s
To ensure high availability the MongoDB cluster will be deployed in multiple availability zones. To view this information, run the following command:
kubectl get node -o custom-columns=Name:.metadata.name,Zone:".metadata.labels.topology\.kubernetes\.io/zone"
Example output:
Name Zone aks-nodepool1-28994785-vmss000000 australiaeast-1 aks-nodepool1-28994785-vmss000001 australiaeast-2 aks-nodepool1-28994785-vmss000002 australiaeast-3
Connect to the Percona Server
To connect to Percona Server for MongoDB, you need to construct the MongoDB connection URI string. It includes the credentials of the admin user, which are stored in the Secrets object.
List the Secrets objects using the
kubectl get
command.kubectl get secrets -n ${AKS_MONGODB_NAMESPACE}
Example output:
NAME TYPE DATA AGE cluster-aks-azure-secrets Opaque 2 2m56s cluster-aks-mongodb-mongodb-keyfile Opaque 1 2m54s cluster-aks-mongodb-secrets Opaque 11 2m56s cluster-aks-mongodb-secrets-mongodb-encryption-key Opaque 1 2m54s cluster-aks-mongodb-ssl kubernetes.io/tls 3 2m55s cluster-aks-mongodb-ssl-internal kubernetes.io/tls 3 2m54s external-secrets-webhook Opaque 4 3m49s internal-cluster-aks-mongodb-users Opaque 11 2m56s sh.helm.release.v1.external-secrets.v1 helm.sh/release.v1 1 3m49s
View the Secret contents to retrieve the admin user credentials using the
kubectl get
command.kubectl get secret ${AKS_MONGODB_SECRETS_NAME} -o yaml -n ${AKS_MONGODB_NAMESPACE}
Example output:
apiVersion: v1 data: MONGODB_BACKUP_PASSWORD: SmhBRFo4aXNI... MONGODB_BACKUP_USER: TU9OR09EQl9... MONGODB_CLUSTER_ADMIN_PASSWORD: cE1oOFRMS1p0VkRQc... MONGODB_CLUSTER_ADMIN_USER: TU9OR09EQl9DTFV... MONGODB_CLUSTER_MONITOR_PASSWORD: emRuc0tPSVdWR0ZtS01i... MONGODB_CLUSTER_MONITOR_USER: TU9OR09EQl9DTFV... MONGODB_DATABASE_ADMIN_PASSWORD: cmZDZ2xEbDR2SVI... MONGODB_DATABASE_ADMIN_USER: TU9OR09EQl9EQVRB... MONGODB_USER_ADMIN_PASSWORD: ZE1uQW9tOXVNVGdyMVh... MONGODB_USER_ADMIN_USER: TU9OR09EQl9VU0... immutable: false kind: Secret metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"external-secrets.io/v1beta1","kind":"ExternalSecret","metadata":{"annotations":{},"name":"cluster-aks-mongodb-secrets","namespace":"mongodb"},"spec":{"data":[{"remoteRef":{"key":"MONGODB-BACKUP-USER"},"secretKey":"MONGODB_BACKUP_USER"},{"remoteRef":{"key":"MONGODB-BACKUP-PASSWORD"},"secretKey":"MONGODB_BACKUP_PASSWORD"},{"remoteRef":{"key":"MONGODB-DATABASE-ADMIN-USER"},"secretKey":"MONGODB_DATABASE_ADMIN_USER"},{"remoteRef":{"key":"MONGODB-DATABASE-ADMIN-PASSWORD"},"secretKey":"MONGODB_DATABASE_ADMIN_PASSWORD"},{"remoteRef":{"key":"MONGODB-CLUSTER-ADMIN-USER"},"secretKey":"MONGODB_CLUSTER_ADMIN_USER"},{"remoteRef":{"key":"MONGODB-CLUSTER-ADMIN-PASSWORD"},"secretKey":"MONGODB_CLUSTER_ADMIN_PASSWORD"},{"remoteRef":{"key":"MONGODB-CLUSTER-MONITOR-USER"},"secretKey":"MONGODB_CLUSTER_MONITOR_USER"},{"remoteRef":{"key":"MONGODB-CLUSTER-MONITOR-PASSWORD"},"secretKey":"MONGODB_CLUSTER_MONITOR_PASSWORD"},{"remoteRef":{"key":"MONGODB-USER-ADMIN-USER"},"secretKey":"MONGODB_USER_ADMIN_USER"},{"remoteRef":{"key":"MONGODB-USER-ADMIN-PASSWORD"},"secretKey":"MONGODB_USER_ADMIN_PASSWORD"}],"refreshInterval":"1h","secretStoreRef":{"kind":"SecretStore","name":"azure-store"},"target":{"creationPolicy":"Owner","name":"cluster-aks-mongodb-secrets"}}} reconcile.external-secrets.io/data-hash: 66c2c896ca641ffd72afead32fc24239 creationTimestamp: "2024-07-01T12:24:38Z" labels: reconcile.external-secrets.io/created-by: d2ddd20e883057790bca8dc5f304303d name: cluster-aks-mongodb-secrets namespace: mongodb ownerReferences: - apiVersion: external-secrets.io/v1beta1 blockOwnerDeletion: true controller: true kind: ExternalSecret name: cluster-aks-mongodb-secrets uid: 2e24dbbd-7144-4227-9015-5bd69468953a resourceVersion: "1872" uid: 3b37617f-b3e3-40df-8dff-d9e5c1916275 type: Opaque
Decode the base64-encoded login name and password from the output using the following commands.
#Decode login name and password on the output which are base64-encoded export databaseAdmin=$(kubectl get secret ${AKS_MONGODB_SECRETS_NAME} -n ${AKS_MONGODB_NAMESPACE} -o jsonpath="{.data.MONGODB_DATABASE_ADMIN_USER}" | base64 --decode) export databaseAdminPassword=$(kubectl get secret ${AKS_MONGODB_SECRETS_NAME} -n ${AKS_MONGODB_NAMESPACE} -o jsonpath="{.data.MONGODB_DATABASE_ADMIN_PASSWORD}" | base64 --decode) echo $databaseAdmin echo $databaseAdminPassword echo $AKS_MONGODB_CLUSTER_NAME
Example output:
MONGODB_DATABASE_ADMIN_USER rfCglDl4vIR3W... cluster-aks-mongodb
Verify the MongoDB cluster
In order to verify your MongoDB cluster, you run a container with a MongoDB client and connect its console output to your terminal.
Create a pod named
percona-client
under the${AKS_MONGODB_NAMESPACE}
namespace in your cluster using thekubectl run
command.kubectl -n "${AKS_MONGODB_NAMESPACE}" run -i --rm --tty percona-client --image=${MY_ACR_REGISTRY}.azurecr.io/percona-server-mongodb:7.0.8-5 --restart=Never -- bash -il
In a different terminal window, verify the pod was successfully created using the
kubectl get
command.kubectl get pod percona-client -n ${AKS_MONGODB_NAMESPACE}
Example output:
NAME READY STATUS RESTARTS AGE percona-client 1/1 Running 0 39s
Connect to the MongoDB cluster using the admin user credentials from the previous section in the terminal window you used to create the
percona-client
pod.# Note: Replace variables `databaseAdmin` , `databaseAdminPassword` and `AKS_MONGODB_CLUSTER_NAME` with actual values printed in step 3. mongosh "mongodb://${databaseAdmin}:${databaseAdminPassword}@${AKS_MONGODB_CLUSTER_NAME}-mongos.mongodb.svc.cluster.local/admin?replicaSet=rs0&ssl=false&directConnection=true"
Example output:
Current Mongosh Log ID: 66c76906115c6c831866efba Connecting to: mongodb://<credentials>@cluster-aks-mongodb-mongos.mongodb.svc.cluster.local/admin?replicaSet=rs0&ssl=false&directConnection=true&appName=mongosh+2.1.5 Using MongoDB: 7.0.8-5 Using Mongosh: 2.1.5 For mongosh info see: https://docs.mongodb.com/mongodb-shell/ ...
List the databases in your cluster using the
show dbs
command.show dbs
Example output:
rs0 [direct: mongos] admin> show dbs admin 960.00 KiB config 3.45 MiB rs0 [direct: mongos] admin>
Create MongoDB backup
You can back up your data to Azure using one of the following methods:
- Manual: Manually back up your data at any time.
- Scheduled: Configure backups and their schedules in the CRD YAML. The Operator makes them automatically according to the specified schedule.
The Operator can perform either a logical or a physical backup. A logical backup queries the Percona Server for MongoDB for the database data and writes the retrieved data to the remote backup storage. A physical backup copies physical files from the Percona Server for MongoDB dbPath data directory to the remote backup storage. Logical backups use less storage but are slower than physical backups.
To store backups on Azure Blob storage using Percona, you need to create a Secret. This step has already been completed above. For detailed instructions, please follow the steps outlined in the Percona documentation on Microsoft Azure Blob Storage.
Configure scheduled backups
You can define the backup schedule in the backup section of the CRD in the mongodb-cr.yaml using the following guidance:
- Set the
backup.enabled
key totrue
. - Ensure the
backup.storages
subsection contains at least one configured storage. - Ensure the
backup.tasks
subsection enables backup scheduling.
For more information, see Making scheduled backups.
Perform manual backups
You can make a manual, on-demand backup in the backup section of the CRD in the mongodb-cr.yaml using the following guidance:
- Set the
backup.enabled
key totrue
. - Ensure the
backup.storages
subsection contains at least one configured storage.
For more information, see Making on-demand backups.
Deploy MongoDB backup
Deploy your MongoDB backup using the
kubectl apply
command.kubectl apply -f - <<EOF apiVersion: psmdb.percona.com/v1 kind: PerconaServerMongoDBBackup metadata: finalizers: - delete-backup name: az-backup1 namespace: ${AKS_MONGODB_NAMESPACE} spec: clusterName: ${AKS_MONGODB_CLUSTER_NAME} storageName: azure-blob type: logical EOF
Example output:
perconaservermongodbbackup.psmdb.percona.com/az-backup1 created
Wait for the MongoDB backup deployment process to complete using the following script.
while [ "$(kubectl get psmdb-backup -n ${AKS_MONGODB_NAMESPACE} -o jsonpath='{.items[0].status.state}')" != "ready" ]; do echo "waiting for the backup to be ready"; sleep 10; done
Example output:
waiting for the backup to be ready
When the process completes, the backup should return the
ready
status. Verify the backup deployment was successful using thekubectl get
command.kubectl get psmdb-backup -n ${AKS_MONGODB_NAMESPACE}
Example output:
NAME CLUSTER STORAGE DESTINATION TYPE STATUS COMPLETED AGE az-backup1 cluster-aks-mongodb azure-blob https://mongodbsacjcfc.blob.core.windows.net/backups/psmdb/2024-07-01T12:27:57Z logical ready 3h3m 3h3m
If you have any issues with the backup, you can view logs from the
backup-agent
container of the appropriate pod using the following command.kubectl logs pod/${AKS_MONGODB_CLUSTER_NAME}-rs0-0 -c backup-agent -n ${AKS_MONGODB_NAMESPACE}
Next steps
To learn more about deploying open-source software on Azure Kubernetes Service (AKS), see the following articles:
Azure Kubernetes Service