├── .gitignore ├── .pre-commit-config.yaml ├── .tflint.hcl ├── IAM.md ├── LICENSE ├── README.md ├── examples └── complete │ ├── aws │ ├── README.md │ ├── helm │ │ ├── exporter.yaml │ │ └── values.yaml │ ├── main.tf │ ├── output.tf │ └── provider.tf │ ├── azure │ ├── README.md │ ├── helm │ │ └── values.yaml │ ├── main.tf │ ├── output.tf │ └── provider.tf │ └── gcp │ ├── README.md │ ├── helm │ └── values.yaml │ ├── main.tf │ ├── output.tf │ └── provider.tf ├── helm └── values │ ├── backup │ └── values.yaml │ ├── exporter │ └── values.yaml │ ├── mongodb │ └── values.yaml │ └── restore │ └── values.yaml ├── main.tf ├── modules ├── backup │ ├── .helmignore │ ├── Chart.yaml │ └── templates │ │ ├── backup-secrets.yaml │ │ ├── fullbackup-cronjob.yaml │ │ └── service_account.yaml ├── resources │ ├── aws │ │ ├── README.md │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── azure │ │ ├── README.md │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ └── gcp │ │ ├── README.md │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf └── restore │ ├── .helmignore │ ├── Chart.yaml │ └── templates │ ├── job.yaml │ ├── restore-secrets.yaml │ └── service_account.yaml ├── output.tf └── variables.tf /.gitignore: -------------------------------------------------------------------------------- 1 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan 2 | *.out 3 | *.lock 4 | *.tfvars 5 | *.pem 6 | *.txt 7 | 8 | # Local .terraform directories 9 | **/.terraform/* 10 | .terraform* 11 | 12 | # .tfstate files 13 | *.tfstate 14 | *.tfstate.* 15 | 16 | # Crash log files 17 | crash.log 18 | crash.*.log 19 | 20 | *.tfvars 21 | *.tfvars.json 22 | 23 | # Ignore override files as they are usually used to override resources locally and so 24 | # are not checked in 25 | override.tf 26 | override.tf.json 27 | *_override.tf 28 | *_override.tf.json 29 | 30 | # Ignore CLI configuration files 31 | .terraformrc 32 | terraform.rc 33 | 
-------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/pre-commit/pre-commit-hooks 3 | rev: v4.1.0 4 | hooks: 5 | - id: trailing-whitespace 6 | args: ['--markdown-linebreak-ext=md'] 7 | - id: end-of-file-fixer 8 | - id: check-merge-conflict 9 | - id: detect-private-key 10 | - id: detect-aws-credentials 11 | args: ['--allow-missing-credentials'] 12 | - repo: https://github.com/antonbabenko/pre-commit-terraform 13 | rev: v1.77.0 14 | hooks: 15 | - id: terraform_fmt 16 | - id: terraform_docs 17 | args: 18 | - '--args=--lockfile=false' 19 | - --hook-config=--add-to-existing-file=true 20 | - --hook-config=--create-file-if-not-exist=true 21 | 22 | - id: terraform_tflint 23 | args: 24 | - --args=--config=.tflint.hcl 25 | - id: terraform_tfsec 26 | files: ^examples/ # only scan `examples/*` which are the implementation 27 | args: 28 | - --args=--config-file=__GIT_WORKING_DIR__/tfsec.yaml 29 | - --args=--concise-output 30 | -------------------------------------------------------------------------------- /.tflint.hcl: -------------------------------------------------------------------------------- 1 | plugin "aws" { 2 | enabled = true 3 | version = "0.21.1" 4 | source = "github.com/terraform-linters/tflint-ruleset-aws" 5 | } 6 | 7 | config { 8 | #Enables module inspection 9 | module = false 10 | force = false 11 | } 12 | 13 | # Required that all AWS resources have specified tags. 14 | rule "aws_resource_missing_tags" { 15 | enabled = true 16 | tags = [ 17 | "Name", 18 | "Environment", 19 | ] 20 | } 21 | 22 | # Disallow deprecated (0.11-style) interpolation 23 | rule "terraform_deprecated_interpolation" { 24 | enabled = true 25 | } 26 | 27 | # Disallow legacy dot index syntax. 
28 | rule "terraform_deprecated_index" { 29 | enabled = true 30 | } 31 | 32 | # Disallow variables, data sources, and locals that are declared but never used. 33 | rule "terraform_unused_declarations" { 34 | enabled = true 35 | } 36 | 37 | # Disallow // comments in favor of #. 38 | rule "terraform_comment_syntax" { 39 | enabled = false 40 | } 41 | 42 | # Disallow output declarations without description. 43 | rule "terraform_documented_outputs" { 44 | enabled = true 45 | } 46 | 47 | # Disallow variable declarations without description. 48 | rule "terraform_documented_variables" { 49 | enabled = true 50 | } 51 | 52 | # Disallow variable declarations without type. 53 | rule "terraform_typed_variables" { 54 | enabled = true 55 | } 56 | 57 | # Disallow specifying a git or mercurial repository as a module source without pinning to a version. 58 | rule "terraform_module_pinned_source" { 59 | enabled = true 60 | } 61 | 62 | # Enforces naming conventions 63 | rule "terraform_naming_convention" { 64 | enabled = true 65 | 66 | #Require specific naming structure 67 | variable { 68 | format = "snake_case" 69 | } 70 | 71 | locals { 72 | format = "snake_case" 73 | } 74 | 75 | output { 76 | format = "snake_case" 77 | } 78 | 79 | #Allow any format 80 | resource { 81 | format = "none" 82 | } 83 | 84 | module { 85 | format = "none" 86 | } 87 | 88 | data { 89 | format = "none" 90 | } 91 | 92 | } 93 | 94 | # Disallow terraform declarations without require_version. 95 | rule "terraform_required_version" { 96 | enabled = true 97 | } 98 | 99 | # Require that all providers have version constraints through required_providers. 100 | rule "terraform_required_providers" { 101 | enabled = true 102 | } 103 | 104 | # Ensure that a module complies with the Terraform Standard Module Structure 105 | rule "terraform_standard_module_structure" { 106 | enabled = true 107 | } 108 | 109 | # terraform.workspace should not be used with a "remote" backend with remote execution. 
110 | rule "terraform_workspace_remote" { 111 | enabled = true 112 | } 113 | -------------------------------------------------------------------------------- /IAM.md: -------------------------------------------------------------------------------- 1 | ## AWS IAM Permissions 2 | 3 | The IAM policy required to deploy this module is shown below. Every statement grants its actions on `"Resource": "*"`; where your environment allows it, narrow each resource list to the specific cluster, role and secret ARNs the deployment actually uses: 4 | ```json 5 | { 6 | "Version": "2012-10-17", 7 | "Statement": [ 8 | { 9 | "Sid": "VisualEditor0", 10 | "Effect": "Allow", 11 | "Action": [ 12 | "eks:DescribeCluster" 13 | ], 14 | "Resource": [ 15 | "*" 16 | ] 17 | }, 18 | { 19 | "Sid": "VisualEditor1", 20 | "Effect": "Allow", 21 | "Action": [ 22 | "iam:GetRole", 23 | "iam:CreateRole", 24 | "iam:DeleteRole", 25 | "iam:GetRolePolicy", 26 | "iam:PutRolePolicy", 27 | "iam:ListRolePolicies", 28 | "iam:ListAttachedRolePolicies", 29 | "iam:ListInstanceProfilesForRole" 30 | ], 31 | "Resource": [ 32 | "*" 33 | ] 34 | }, 35 | { 36 | "Sid": "VisualEditor2", 37 | "Effect": "Allow", 38 | "Action": [ 39 | "secretsmanager:CreateSecret", 40 | "secretsmanager:DeleteSecret", 41 | "secretsmanager:DescribeSecret", 42 | "secretsmanager:GetResourcePolicy", 43 | "secretsmanager:GetSecretValue", 44 | "secretsmanager:PutSecretValue" 45 | ], 46 | "Resource": [ 47 | "*" 48 | ] 49 | } 50 | ] 51 | } 52 | ``` 53 | ## Azure Role Permissions 54 | 55 | ```hcl 56 | permissions { 57 | actions = [ 58 | "Microsoft.Authorization/roleAssignments/delete", 59 | "Microsoft.Authorization/roleAssignments/read", 60 | "Microsoft.Authorization/roleAssignments/write", 61 | "Microsoft.KeyVault/locations/deletedVaults/read", 62 | "Microsoft.KeyVault/vaults/delete", 63 | "Microsoft.KeyVault/vaults/read", 64 | "Microsoft.KeyVault/vaults/write", 65 | "Microsoft.ManagedIdentity/userAssignedIdentities/delete", 66 | "Microsoft.ManagedIdentity/userAssignedIdentities/read", 67 | "Microsoft.ManagedIdentity/userAssignedIdentities/write", 68 | "Microsoft.Resources/subscriptions/providers/read", 69 | "Microsoft.Resources/subscriptions/resourcegroups/read"] 
70 | not_actions = [] 71 | } 72 | ``` 73 | 74 | ## Google IAM Permissions 75 | 76 | ```hcl 77 | permissions = [ 78 | "iam.serviceAccounts.create", 79 | "iam.serviceAccounts.delete", 80 | "iam.serviceAccounts.get", 81 | "iam.serviceAccounts.update", 82 | "resourcemanager.projects.getIamPolicy", 83 | "resourcemanager.projects.setIamPolicy" 84 | ] 85 | ``` 86 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 
29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 
61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2023 SaturnOps Technologies 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## MongoDB Kubernetes Terraform Module 2 | 3 | 4 | 5 |
6 | This module deploys a highly available MongoDB cluster on Kubernetes using Helm charts. It offers flexible configurations for volume size, architecture, replica count, backups, restores, and metrics export to Grafana.

Users can create a new namespace and configure recovery windows for AWS Secrets Manager, Azure Key Vault, and GCP Secrets Manager. It supports deployment on AWS EKS, Azure AKS, and GCP GKE, allowing for easy and customizable MongoDB setups. 7 | 8 | ## Supported Versions: 9 | 10 | | MongoDB Helm Chart Version | K8s supported version (EKS, AKS & GKE) | 11 | | :-----: | :--- | 12 | | **13.1.5** | **1.23,1.24,1.25,1.26,1.27** | 13 | 14 | 15 | ## Usage Example 16 | 17 | ```hcl 18 | locals { 19 | name = "mongo" 20 | region = "us-east-2" 21 | environment = "prod" 22 | additional_tags = { 23 | Owner = "organization_name" 24 | Expires = "Never" 25 | Department = "Engineering" 26 | } 27 | create_namespace = true 28 | namespace = "mongodb" 29 | store_password_to_secret_manager = true 30 | mongodb_custom_credentials_enabled = true 31 | mongodb_custom_credentials_config = { 32 | root_user = "root" 33 | root_password = "NCPFUKEMd7rrWuvMAa73" 34 | metric_exporter_user = "mongodb_exporter" 35 | metric_exporter_password = "nvAHhm1uGQNYWVw6ZyAH" 36 | } 37 | } 38 | module "aws" { 39 | source = "saturnops/mongodb/kubernetes//modules/resources/aws" 40 | environment = local.environment 41 | name = local.name 42 | namespace = local.namespace 43 | store_password_to_secret_manager = local.store_password_to_secret_manager 44 | cluster_name = "" 45 | mongodb_custom_credentials_enabled = local.mongodb_custom_credentials_enabled 46 | mongodb_custom_credentials_config = local.mongodb_custom_credentials_config 47 | } 48 | 49 | module "mongodb" { 50 | source = "saturnops/mongodb/kubernetes" 51 | namespace = local.namespace 52 | create_namespace = local.create_namespace 53 | mongodb_config = { 54 | name = local.name 55 | namespace = local.namespace 56 | values_yaml = "" 57 | environment = local.environment 58 | volume_size = "10Gi" 59 | architecture = "replicaset" 60 | custom_databases = "['db1', 'db2']" 61 | custom_databases_usernames = "['admin', 'admin']" 62 | custom_databases_passwords = 
"['pass1', 'pass2']" 63 | replica_count = 2 64 | storage_class_name = "gp2" 65 | store_password_to_secret_manager = local.store_password_to_secret_manager 66 | } 67 | mongodb_custom_credentials_enabled = local.mongodb_custom_credentials_enabled 68 | mongodb_custom_credentials_config = local.mongodb_custom_credentials_config 69 | root_password = local.mongodb_custom_credentials_enabled ? "" : module.aws.root_password 70 | metric_exporter_password = local.mongodb_custom_credentials_enabled ? "" : module.aws.metric_exporter_password 71 | bucket_provider_type = "s3" 72 | mongodb_backup_enabled = true 73 | iam_role_arn_backup = module.aws.iam_role_arn_backup 74 | mongodb_backup_config = { 75 | bucket_uri = "s3://mongo-demo-backup" 76 | s3_bucket_region = "us-east-2" 77 | cron_for_full_backup = "* * * * *" 78 | } 79 | mongodb_restore_enabled = true 80 | iam_role_arn_restore = module.aws.iam_role_arn_restore 81 | mongodb_restore_config = { 82 | bucket_uri = "s3://mongo-demo-backup/mongodumpfull_20230523_092110.gz" 83 | s3_bucket_region = "us-east-2" 84 | file_name = "mongodumpfull_20230523_092110.gz" 85 | } 86 | mongodb_exporter_enabled = true 87 | mongodb_exporter_values = file("./helm/exporter.yaml") 88 | } 89 | 90 | 91 | ``` 92 | - The credential values in this example (`root_password`, `metric_exporter_password`, `custom_databases_passwords`) are illustrative only; in a real deployment supply them through non-committed variables or a secrets manager rather than hard-coding them in source (the repository's `.gitignore` already excludes `*.tfvars`). The `* * * * *` backup schedule is likewise only a placeholder. - See the [AWS examples](https://github.com/saturnops/terraform-kubernetes-mongodb/tree/main/examples/complete/aws) for more details. 93 | - See the [Azure examples](https://github.com/saturnops/terraform-kubernetes-mongodb/tree/main/examples/complete/azure) for more details. 94 | - See the [GCP examples](https://github.com/saturnops/terraform-kubernetes-mongodb/tree/main/examples/complete/gcp) for more details. 
95 | 96 | ## IAM Permissions 97 | The IAM permissions required to create resources from this module can be found [here](https://github.com/saturnops/terraform-kubernetes-mongodb/blob/main/IAM.md). 98 | ## Mongo Backup and Restore 99 | This module provides functionality to automate the backup and restore process for MongoDB databases using AWS S3 buckets. It allows users to easily schedule backups, restore databases from backups stored in S3, and manage access permissions using AWS IAM roles. 100 | ### Features 101 | ### Backup 102 | - Users can schedule full backups. 103 | - Backups are stored in the specified S3 bucket. 104 | ### Restore 105 | - Users can restore MongoDB databases from backups stored in S3 buckets. 106 | - Supports specifying the backup file to restore from and the region of the S3 bucket that holds it. 107 | ### IAM Role for Permissions 108 | - Users must provide an IAM role that grants the module access to the specified S3 bucket for backup and restore operations. 109 | ## Module Inputs 110 | ### Backup Configuration 111 | - bucket_uri: The URI of the S3 bucket where backups will be stored. 112 | - s3_bucket_region: The region of the S3 bucket. 113 | - cron_for_full_backup: The cron expression for scheduling full backups. 114 | ### Restore Configuration 115 | - mongodb_restore_config: Configuration for restoring databases. 116 | - bucket_uri: The URI of the S3 bucket containing the backup file. 117 | - file_name: The name of the backup file to restore. 118 | - s3_bucket_region: The region of the S3 bucket containing the backup file. 119 | ## Important Notes 120 | 1. To enable the exporter, Prometheus/Grafana must be deployed first. 121 | 2. The exporter is a tool that extracts metrics data from an application or system and makes it available to be scraped by Prometheus. 122 | 3. Prometheus is a monitoring system that collects metrics data from various sources, including exporters, and stores it in a time-series database. 123 | 4. 
Grafana is a data visualization and dashboard tool that works with Prometheus and other data sources to display the collected metrics in a user-friendly way. 124 | 5. To deploy Prometheus/Grafana, follow the installation instructions in each tool's own documentation. 125 | 6. Once Prometheus and Grafana are deployed, the exporter can be configured to expose metrics from your application or system for Prometheus to scrape. 126 | 7. Finally, you can use Grafana to create custom dashboards and visualize the metrics data collected by Prometheus. 127 | 8. This module is compatible with EKS, AKS and GKE, so it can be deployed on AWS, Azure and GCP. Review the module's documentation, meet the cloud-specific configuration requirements, and test thoroughly after deployment to ensure everything works as expected. 128 | 129 | ## Requirements 130 | 131 | No requirements. 132 | 133 | ## Providers 134 | 135 | | Name | Version | 136 | |------|---------| 137 | | [helm](#provider\_helm) | n/a | 138 | | [kubernetes](#provider\_kubernetes) | n/a | 139 | | [random](#provider\_random) | n/a | 140 | 141 | ## Modules 142 | 143 | No modules. 
144 | 145 | ## Resources 146 | 147 | | Name | Type | 148 | |------|------| 149 | | [helm_release.mongodb](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | 150 | | [helm_release.mongodb_backup](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | 151 | | [helm_release.mongodb_exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | 152 | | [helm_release.mongodb_restore](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | 153 | | [kubernetes_namespace.mongodb](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | 154 | | [random_password.mongodb_exporter_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 155 | | [random_password.mongodb_root_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 156 | 157 | ## Inputs 158 | 159 | | Name | Description | Type | Default | Required | 160 | |------|-------------|------|---------|:--------:| 161 | | [app\_version](#input\_app\_version) | Version of the Mongodb application that will be deployed. 
| `string` | `"5.0.8-debian-10-r9"` | no | 162 | | [az\_account\_backup](#input\_az\_account\_backup) | Azure user managed account backup identity | `string` | `""` | no | 163 | | [az\_account\_restore](#input\_az\_account\_restore) | Azure user managed account restore identity | `string` | `""` | no | 164 | | [azure\_container\_name](#input\_azure\_container\_name) | Azure container name | `string` | `""` | no | 165 | | [azure\_storage\_account\_key](#input\_azure\_storage\_account\_key) | Azure storage account key | `string` | `""` | no | 166 | | [azure\_storage\_account\_name](#input\_azure\_storage\_account\_name) | Azure storage account name | `string` | `""` | no | 167 | | [bucket\_provider\_type](#input\_bucket\_provider\_type) | Choose what type of provider you want (s3, gcs) | `string` | `"gcs"` | no | 168 | | [chart\_version](#input\_chart\_version) | Version of the Mongodb chart that will be used to deploy Mongodb application. | `string` | `"13.1.5"` | no | 169 | | [cluster\_name](#input\_cluster\_name) | Specifies the name of the EKS cluster to deploy the Mongodb application on. | `string` | `""` | no | 170 | | [create\_namespace](#input\_create\_namespace) | Specify whether or not to create the namespace if it does not already exist. Set it to true to create the namespace. | `string` | `false` | no | 171 | | [iam\_role\_arn\_backup](#input\_iam\_role\_arn\_backup) | IAM role ARN for backup (AWS) | `string` | `""` | no | 172 | | [iam\_role\_arn\_restore](#input\_iam\_role\_arn\_restore) | IAM role ARN for restore (AWS) | `string` | `""` | no | 173 | | [metric\_exporter\_password](#input\_metric\_exporter\_password) | Metric exporter password for MongoDB | `string` | `""` | no | 174 | | [mongodb\_backup\_config](#input\_mongodb\_backup\_config) | Configuration options for Mongodb database backups. It includes properties such as the S3 bucket URI, the S3 bucket region, and the cron expression for full backups. | `any` |
{
"bucket_uri": "",
"cron_for_full_backup": "*/5 * * * *",
"s3_bucket_region": "us-east-2"
}
| no | 175 | | [mongodb\_backup\_enabled](#input\_mongodb\_backup\_enabled) | Specifies whether to enable backups for Mongodb database. | `bool` | `false` | no | 176 | | [mongodb\_config](#input\_mongodb\_config) | Specify the configuration settings for Mongodb, including the name, environment, storage options, replication settings, and custom YAML values. | `any` |
{
"architecture": "",
"custom_databases": "",
"custom_databases_passwords": "",
"custom_databases_usernames": "",
"environment": "",
"name": "",
"replica_count": 2,
"storage_class_name": "",
"store_password_to_secret_manager": true,
"values_yaml": "",
"volume_size": ""
}
| no | 177 | | [mongodb\_custom\_credentials\_config](#input\_mongodb\_custom\_credentials\_config) | Specify the configuration settings for Mongodb to pass custom credentials during creation. | `any` |
{
"metric_exporter_password": "",
"metric_exporter_user": "",
"root_password": "",
"root_user": ""
}
| no | 178 | | [mongodb\_custom\_credentials\_enabled](#input\_mongodb\_custom\_credentials\_enabled) | Specifies whether to enable custom credentials for MongoDB database. | `bool` | `false` | no | 179 | | [mongodb\_exporter\_config](#input\_mongodb\_exporter\_config) | Specify whether or not to deploy Mongodb exporter to collect Mongodb metrics for monitoring in Grafana. | `any` |
{
"version": "2.9.0"
}
| no | 180 | | [mongodb\_exporter\_enabled](#input\_mongodb\_exporter\_enabled) | Specify whether or not to deploy Mongodb exporter to collect Mongodb metrics for monitoring in Grafana. | `bool` | `false` | no | 181 | | [mongodb\_exporter\_values](#input\_mongodb\_exporter\_values) | Mongo DB prometheus exporter values file | `any` | `""` | no | 182 | | [mongodb\_restore\_config](#input\_mongodb\_restore\_config) | Configuration options for restoring dump to the Mongodb database. | `any` |
{
"bucket_uri": "s3://mymongo/mongodumpfull_20230424_112501.gz",
"file_name": "",
"s3_bucket_region": "us-east-2"
}
| no | 183 | | [mongodb\_restore\_enabled](#input\_mongodb\_restore\_enabled) | Specifies whether to enable restoring dump to the Mongodb database. | `bool` | `false` | no | 184 | | [namespace](#input\_namespace) | Name of the Kubernetes namespace where the Mongodb deployment will be deployed. | `string` | `"mongodb"` | no | 185 | | [project\_id](#input\_project\_id) | Google Cloud project ID | `string` | `""` | no | 186 | | [recovery\_window\_aws\_secret](#input\_recovery\_window\_aws\_secret) | Number of days that AWS Secrets Manager will wait before deleting a secret. This value can be set to 0 to force immediate deletion, or to a value between 7 and 30 days to allow for recovery. | `number` | `0` | no | 187 | | [resource\_group\_location](#input\_resource\_group\_location) | Azure region | `string` | `"East US"` | no | 188 | | [resource\_group\_name](#input\_resource\_group\_name) | Azure Resource Group name | `string` | `""` | no | 189 | | [root\_password](#input\_root\_password) | Root password for MongoDB | `string` | `""` | no | 190 | | [service\_account\_backup](#input\_service\_account\_backup) | Service account for backup (GCP) | `string` | `""` | no | 191 | | [service\_account\_restore](#input\_service\_account\_restore) | Service account for restore (GCP) | `string` | `""` | no | 192 | 193 | ## Outputs 194 | 195 | | Name | Description | 196 | |------|-------------| 197 | | [mongodb\_credential](#output\_mongodb\_credential) | MongoDB credentials used for accessing the MongoDB database. | 198 | | [mongodb\_endpoints](#output\_mongodb\_endpoints) | MongoDB endpoints in the Kubernetes cluster. | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | ## 207 | 208 | 209 | 210 | 211 | 212 | Please give our GitHub repository a ⭐️ to show your support and increase its visibility. 
213 | 214 | 215 | 216 | 217 | 218 | -------------------------------------------------------------------------------- /examples/complete/aws/README.md: -------------------------------------------------------------------------------- 1 | ## Mongodb Example 2 | 3 | 4 |
5 | This example will be very useful for users who are new to a module and want to quickly learn how to use it. By reviewing the examples, users can gain a better understanding of how the module works, what features it supports, and how to customize it to their specific needs. 6 | 7 | ## Requirements 8 | 9 | No requirements. 10 | 11 | ## Providers 12 | 13 | | Name | Version | 14 | |------|---------| 15 | | [aws](#provider\_aws) | n/a | 16 | 17 | ## Modules 18 | 19 | | Name | Source | Version | 20 | |------|--------|---------| 21 | | [aws](#module\_aws) | saturnops/mongodb/kubernetes//modules/resources/aws | n/a | 22 | | [mongodb](#module\_mongodb) | saturnops/mongodb/kubernetes | n/a | 23 | 24 | ## Resources 25 | 26 | | Name | Type | 27 | |------|------| 28 | | [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | 29 | | [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | 30 | 31 | ## Inputs 32 | 33 | No inputs. 34 | 35 | ## Outputs 36 | 37 | | Name | Description | 38 | |------|-------------| 39 | | [mongodb\_credential](#output\_mongodb\_credential) | MongoDB credentials used for accessing the MongoDB database. | 40 | | [mongodb\_endpoints](#output\_mongodb\_endpoints) | MongoDB endpoints in the Kubernetes cluster. 
| 41 | 42 | -------------------------------------------------------------------------------- /examples/complete/aws/helm/exporter.yaml: -------------------------------------------------------------------------------- 1 | affinity: 2 | nodeAffinity: 3 | requiredDuringSchedulingIgnoredDuringExecution: 4 | nodeSelectorTerms: 5 | - matchExpressions: 6 | - key: "Infra-Services" 7 | operator: In 8 | values: 9 | - "true" 10 | resources: 11 | limits: 12 | cpu: 100m 13 | memory: 200Mi 14 | requests: 15 | cpu: 50m 16 | memory: 100Mi -------------------------------------------------------------------------------- /examples/complete/aws/helm/values.yaml: -------------------------------------------------------------------------------- 1 | affinity: 2 | nodeAffinity: 3 | requiredDuringSchedulingIgnoredDuringExecution: 4 | nodeSelectorTerms: 5 | - matchExpressions: 6 | - key: "Infra-Services" 7 | operator: In 8 | values: 9 | - "true" 10 | 11 | resources: 12 | limits: 13 | cpu: 900m 14 | memory: 800Mi 15 | requests: 16 | cpu: 600m 17 | memory: 500Mi 18 | 19 | metrics: 20 | enabled: true 21 | resources: 22 | limits: 23 | cpu: 200m 24 | memory: 528Mi 25 | requests: 26 | cpu: 120m 27 | memory: 228Mi 28 | 29 | arbiter: 30 | resources: 31 | limits: 32 | cpu: 200m 33 | memory: 400Mi 34 | requests: 35 | cpu: 100m 36 | memory: 250Mi 37 | 38 | affinity: 39 | nodeAffinity: 40 | requiredDuringSchedulingIgnoredDuringExecution: 41 | nodeSelectorTerms: 42 | - matchExpressions: 43 | - key: "Addons-Services" 44 | operator: In 45 | values: 46 | - "true" 47 | 48 | backupjob: 49 | resources: 50 | requests: 51 | memory: 100Mi 52 | cpu: 50m 53 | limits: 54 | memory: 200Mi 55 | cpu: 100m 56 | 57 | restorejob: 58 | resources: 59 | requests: 60 | memory: 100Mi 61 | cpu: 50m 62 | limits: 63 | memory: 200Mi 64 | cpu: 100m -------------------------------------------------------------------------------- /examples/complete/aws/main.tf: 
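--------------------------------------------------------------------------------
/examples/complete/aws/main.tf:
--------------------------------------------------------------------------------
# Secrets for this example are supplied at apply time (TF_VAR_*, -var, or an
# untracked *.tfvars file -- .gitignore already excludes *.tfvars) instead of
# being committed here as literals. They are still written to Terraform state,
# so the state backend must be access-controlled and encrypted.
variable "mongodb_root_password" {
  description = "MongoDB root password (used because mongodb_custom_credentials_enabled is true)."
  type        = string
  sensitive   = true
}

variable "mongodb_metric_exporter_password" {
  description = "Password for the metrics exporter user (mongodb_exporter)."
  type        = string
  sensitive   = true
}

variable "custom_databases_passwords" {
  description = "Passwords for custom_databases_usernames, in the list-literal string form the module expects, e.g. \"['pass1', 'pass2']\"."
  type        = string
  sensitive   = true
}

locals {
  name        = "mongo"
  region      = "us-east-2"
  environment = "prod"
  # Name of the existing EKS cluster the chart is installed on. Shared with
  # the data sources in provider.tf so the two cannot drift apart.
  cluster_name = ""
  additional_tags = {
    Owner      = "organization_name"
    Expires    = "Never"
    Department = "Engineering"
  }
  create_namespace = true
  namespace        = "mongodb"
  # true: the module stores the credentials in AWS Secrets Manager and
  # output.tf suppresses the mongodb_credential output.
  store_password_to_secret_manager   = true
  mongodb_custom_credentials_enabled = true
  # Sensitive variables make this whole object sensitive; Terraform redacts
  # it in plan output.
  mongodb_custom_credentials_config = {
    root_user                = "root"
    root_password            = var.mongodb_root_password
    metric_exporter_user     = "mongodb_exporter"
    metric_exporter_password = var.mongodb_metric_exporter_password
  }
}

# Cloud-side resources: IAM roles for the backup/restore jobs and the
# Secrets Manager entry.
module "aws" {
  source                             = "saturnops/mongodb/kubernetes//modules/resources/aws"
  environment                        = local.environment
  name                               = local.name
  namespace                          = local.namespace
  store_password_to_secret_manager   = local.store_password_to_secret_manager
  cluster_name                       = local.cluster_name
  mongodb_custom_credentials_enabled = local.mongodb_custom_credentials_enabled
  mongodb_custom_credentials_config  = local.mongodb_custom_credentials_config
}

module "mongodb" {
  source           = "saturnops/mongodb/kubernetes"
  namespace        = local.namespace
  create_namespace = local.create_namespace
  mongodb_config = {
    name                             = local.name
    namespace                        = local.namespace
    values_yaml                      = file("./helm/values.yaml")
    environment                      = local.environment
    volume_size                      = "10Gi"
    architecture                     = "replicaset"
    custom_databases                 = "['db1', 'db2']"
    custom_databases_usernames       = "['admin', 'admin']"
    custom_databases_passwords       = var.custom_databases_passwords
    replica_count                    = 2
    storage_class_name               = "gp2"
    store_password_to_secret_manager = local.store_password_to_secret_manager
  }
  mongodb_custom_credentials_enabled = local.mongodb_custom_credentials_enabled
  mongodb_custom_credentials_config  = local.mongodb_custom_credentials_config
  # When custom credentials are enabled the module-generated passwords are
  # not used, so empty strings are passed here.
  root_password            = local.mongodb_custom_credentials_enabled ? "" : module.aws.root_password
  metric_exporter_password = local.mongodb_custom_credentials_enabled ? "" : module.aws.metric_exporter_password
  bucket_provider_type     = "s3"
  mongodb_backup_enabled   = true
  # IRSA role for the backup CronJob; it should be scoped to the bucket below
  # only (check modules/resources/aws).
  iam_role_arn_backup = module.aws.iam_role_arn_backup
  mongodb_backup_config = {
    bucket_uri       = "s3://mongo-demo-backup"
    s3_bucket_region = "us-east-2"
    # Demo value: a full mongodump every minute. Use a realistic schedule
    # (the module default is "*/5 * * * *") outside of a demo.
    cron_for_full_backup = "* * * * *"
  }
  # The restore Job runs on apply against the dump named below; keep it
  # disabled in a real deployment unless you are actually recovering.
  mongodb_restore_enabled = true
  iam_role_arn_restore    = module.aws.iam_role_arn_restore
  mongodb_restore_config = {
    bucket_uri       = "s3://mongo-demo-backup/mongodumpfull_20230523_092110.gz"
    s3_bucket_region = "us-east-2"
    file_name        = "mongodumpfull_20230523_092110.gz"
  }
  mongodb_exporter_enabled = true
  mongodb_exporter_values  = file("./helm/exporter.yaml")
}
--------------------------------------------------------------------------------
/examples/complete/aws/output.tf:
--------------------------------------------------------------------------------
output "mongodb_endpoints" {
  value       = module.mongodb.mongodb_endpoints
  description = "MongoDB endpoints in the Kubernetes cluster."
}

output "mongodb_credential" {
  value       = local.store_password_to_secret_manager ? null : module.mongodb.mongodb_credential
  description = "MongoDB credentials used for accessing the MongoDB database."
  # Without this the credentials are printed in plain text by `terraform
  # apply` / `terraform output` whenever they are not sent to Secrets Manager.
  sensitive = true
}
--------------------------------------------------------------------------------
/examples/complete/aws/provider.tf:
--------------------------------------------------------------------------------
provider "aws" {
  region = local.region
  default_tags {
    tags = local.additional_tags
  }
}

data "aws_eks_cluster" "cluster" {
  name = local.cluster_name
}

# Bearer token derived from the caller's IAM identity. Like every data
# source result it is recorded in state, so treat the state file as
# sensitive even though no static kubeconfig is used.
data "aws_eks_cluster_auth" "cluster" {
  name = local.cluster_name
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  token                  = data.aws_eks_cluster_auth.cluster.token
}

provider "helm" {
  kubernetes {
    host                   = data.aws_eks_cluster.cluster.endpoint
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
    token                  = data.aws_eks_cluster_auth.cluster.token
  }
}
--------------------------------------------------------------------------------
/examples/complete/azure/README.md:
--------------------------------------------------------------------------------
## Mongodb Example


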
5 | This example will be very useful for users who are new to a module and want to quickly learn how to use it. By reviewing the examples, users can gain a better understanding of how the module works, what features it supports, and how to customize it to their specific needs. 6 | 7 | ## Requirements 8 | 9 | No requirements. 10 | 11 | ## Providers 12 | 13 | | Name | Version | 14 | |------|---------| 15 | | [azurerm](#provider\_azurerm) | 3.70.0 | 16 | 17 | ## Modules 18 | 19 | | Name | Source | Version | 20 | |------|--------|---------| 21 | | [azure](#module\_azure) | saturnops/mongodb/kubernetes//modules/resources/azure | n/a | 22 | | [mongodb](#module\_mongodb) | saturnops/mongodb/kubernetes | n/a | 23 | 24 | ## Resources 25 | 26 | | Name | Type | 27 | |------|------| 28 | | [azurerm_kubernetes_cluster.primary](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source | 29 | 30 | ## Inputs 31 | 32 | No inputs. 33 | 34 | ## Outputs 35 | 36 | | Name | Description | 37 | |------|-------------| 38 | | [mongodb\_credential](#output\_mongodb\_credential) | MongoDB credentials used for accessing the MongoDB database. | 39 | | [mongodb\_endpoints](#output\_mongodb\_endpoints) | MongoDB endpoints in the Kubernetes cluster. | 40 | 41 | ## Requirements 42 | 43 | No requirements. 44 | 45 | ## Providers 46 | 47 | | Name | Version | 48 | |------|---------| 49 | | [azurerm](#provider\_azurerm) | n/a | 50 | 51 | ## Modules 52 | 53 | | Name | Source | Version | 54 | |------|--------|---------| 55 | | [azure](#module\_azure) | saturnops/mongodb/kubernetes//modules/resources/azure | n/a | 56 | | [mongodb](#module\_mongodb) | saturnops/mongodb/kubernetes | n/a | 57 | 58 | ## Resources 59 | 60 | | Name | Type | 61 | |------|------| 62 | | [azurerm_kubernetes_cluster.primary](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source | 63 | 64 | ## Inputs 65 | 66 | No inputs. 
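
## Outputs

| Name | Description |
|------|-------------|
| [mongodb\_credential](#output\_mongodb\_credential) | MongoDB credentials used for accessing the MongoDB database. |
| [mongodb\_endpoints](#output\_mongodb\_endpoints) | MongoDB endpoints in the Kubernetes cluster. |


--------------------------------------------------------------------------------
/examples/complete/azure/helm/values.yaml:
--------------------------------------------------------------------------------
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: "Addons-Services"
          operator: In
          values:
          - "true"
--------------------------------------------------------------------------------
/examples/complete/azure/main.tf:
--------------------------------------------------------------------------------
# Secrets for this example are supplied at apply time (TF_VAR_*, -var, or an
# untracked *.tfvars file -- .gitignore already excludes *.tfvars) instead of
# being committed here as literals. They are still written to Terraform state,
# so the state backend must be access-controlled and encrypted.
variable "mongodb_root_password" {
  description = "MongoDB root password (used because mongodb_custom_credentials_enabled is true)."
  type        = string
  sensitive   = true
}

variable "mongodb_metric_exporter_password" {
  description = "Password for the metrics exporter user (mongodb_exporter)."
  type        = string
  sensitive   = true
}

variable "custom_databases_passwords" {
  description = "Passwords for custom_databases_usernames, in the list-literal string form the module expects, e.g. \"['pass1', 'pass2']\"."
  type        = string
  sensitive   = true
}

locals {
  name        = "mongo"
  region      = "eastus"
  environment = "prod"
  # Target AKS cluster and its resource group. Defined once so that
  # module.azure, module.mongodb and the data source in provider.tf all
  # point at the same cluster.
  cluster_name            = ""
  resource_group_name     = ""
  resource_group_location = ""
  additional_tags = {
    Owner      = "organization_name"
    Expires    = "Never"
    Department = "Engineering"
  }
  create_namespace = true
  namespace        = "mongodb"
  # true: the module stores the credentials in the cloud secret manager and
  # output.tf suppresses the mongodb_credential output.
  store_password_to_secret_manager   = true
  mongodb_custom_credentials_enabled = true
  # Sensitive variables make this whole object sensitive; Terraform redacts
  # it in plan output.
  mongodb_custom_credentials_config = {
    root_user                = "root"
    root_password            = var.mongodb_root_password
    metric_exporter_user     = "mongodb_exporter"
    metric_exporter_password = var.mongodb_metric_exporter_password
  }

  # Blob storage used by the backup/restore jobs.
  azure_storage_account_name = ""
  azure_container_name       = ""
}

module "azure" {
  source                             = "saturnops/mongodb/kubernetes//modules/resources/azure"
  resource_group_name                = local.resource_group_name
  resource_group_location            = local.resource_group_location
  name                               = local.name
  environment                        = local.environment
  mongodb_custom_credentials_enabled = local.mongodb_custom_credentials_enabled
  mongodb_custom_credentials_config  = local.mongodb_custom_credentials_config
  store_password_to_secret_manager   = local.store_password_to_secret_manager
  storage_account_name               = local.azure_storage_account_name
}

module "mongodb" {
  source                  = "saturnops/mongodb/kubernetes"
  cluster_name            = local.cluster_name
  namespace               = local.namespace
  create_namespace        = local.create_namespace
  resource_group_name     = local.resource_group_name
  resource_group_location = local.resource_group_location
  mongodb_config = {
    name                             = local.name
    namespace                        = local.namespace
    values_yaml                      = file("./helm/values.yaml")
    volume_size                      = "10Gi"
    architecture                     = "replicaset"
    replica_count                    = 1
    environment                      = local.environment
    custom_databases                 = "['db1', 'db2']"
    custom_databases_usernames       = "['admin', 'admin']"
    custom_databases_passwords       = var.custom_databases_passwords
    storage_class_name               = "infra-service-sc"
    store_password_to_secret_manager = local.store_password_to_secret_manager
  }
  mongodb_custom_credentials_enabled = local.mongodb_custom_credentials_enabled
  mongodb_custom_credentials_config  = local.mongodb_custom_credentials_config
  # When custom credentials are enabled the module-generated passwords are
  # not used, so empty strings are passed here.
  root_password = local.mongodb_custom_credentials_enabled ? "" : module.azure.root_password
  # NOTE(review): the AWS resources module exposes `metric_exporter_password`;
  # confirm the Azure module really outputs the `metric_exporter_pasword`
  # spelling, otherwise this reference fails at plan time even though the
  # branch is never taken.
  metric_exporter_password = local.mongodb_custom_credentials_enabled ? "" : module.azure.metric_exporter_pasword
  bucket_provider_type     = "azure"
  mongodb_backup_enabled   = false
  mongodb_backup_config = {
    bucket_uri                 = "https://${local.azure_storage_account_name}.blob.core.windows.net/${local.azure_container_name}"
    azure_storage_account_name = local.azure_storage_account_name
    azure_container_name       = local.azure_container_name
    # Monthly full backup at midnight on the 1st. The previous value
    # "* * 1 * *" fired every minute for the whole of that day.
    cron_for_full_backup = "0 0 1 * *"
  }
  # The restore Job runs on apply against the dump named below; keep it
  # disabled unless you are actually recovering.
  mongodb_restore_enabled = false
  mongodb_restore_config = {
    bucket_uri                 = "https://${local.azure_storage_account_name}.blob.core.windows.net/${local.azure_container_name}"
    azure_storage_account_name = local.azure_storage_account_name
    azure_container_name       = local.azure_container_name
    file_name                  = "mongodumpfull_20230710_132301.gz"
  }
  mongodb_exporter_enabled = true
}
--------------------------------------------------------------------------------
/examples/complete/azure/output.tf:
--------------------------------------------------------------------------------
output "mongodb_endpoints" {
  value       = module.mongodb.mongodb_endpoints
  description = "MongoDB endpoints in the Kubernetes cluster."
}

output "mongodb_credential" {
  value       = local.store_password_to_secret_manager ? null : module.mongodb.mongodb_credential
  description = "MongoDB credentials used for accessing the MongoDB database."
  # Without this the credentials are printed in plain text by `terraform
  # apply` / `terraform output` whenever they are not sent to the secret manager.
  sensitive = true
}
--------------------------------------------------------------------------------
/examples/complete/azure/provider.tf:
--------------------------------------------------------------------------------
provider "azurerm" {
  features {}
}

# kube_config of this data source carries the cluster's admin client
# certificate/key (and basic-auth fields if the cluster still issues them).
# These are long-lived credentials and are recorded in Terraform state.
data "azurerm_kubernetes_cluster" "primary" {
  name                = local.cluster_name
  resource_group_name = local.resource_group_name
}

# NOTE(review): basic-auth and client-certificate credentials are both passed
# here, while the helm provider below uses only the certificate. Either set
# should be enough; confirm which one the cluster actually issues.
provider "kubernetes" {
  host                   = data.azurerm_kubernetes_cluster.primary.kube_config.0.host
  username               = data.azurerm_kubernetes_cluster.primary.kube_config.0.username
  password               = data.azurerm_kubernetes_cluster.primary.kube_config.0.password
  client_certificate     = base64decode(data.azurerm_kubernetes_cluster.primary.kube_config.0.client_certificate)
  client_key             = base64decode(data.azurerm_kubernetes_cluster.primary.kube_config.0.client_key)
  cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.primary.kube_config.0.cluster_ca_certificate)
}

provider "helm" {
  kubernetes {
    host                   = data.azurerm_kubernetes_cluster.primary.kube_config.0.host
    client_key             = base64decode(data.azurerm_kubernetes_cluster.primary.kube_config.0.client_key)
    client_certificate     = base64decode(data.azurerm_kubernetes_cluster.primary.kube_config.0.client_certificate)
    cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.primary.kube_config.0.cluster_ca_certificate)
  }
}
--------------------------------------------------------------------------------
/examples/complete/gcp/README.md:
--------------------------------------------------------------------------------
## Mongodb Example


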
5 | This example will be very useful for users who are new to a module and want to quickly learn how to use it. By reviewing the examples, users can gain a better understanding of how the module works, what features it supports, and how to customize it to their specific needs. 6 | 7 | 8 | ## Requirements 9 | 10 | No requirements. 11 | 12 | ## Providers 13 | 14 | | Name | Version | 15 | |------|---------| 16 | | [google](#provider\_google) | n/a | 17 | 18 | ## Modules 19 | 20 | | Name | Source | Version | 21 | |------|--------|---------| 22 | | [gcp](#module\_gcp) | saturnops/mongodb/kubernetes//modules/resources/gcp | n/a | 23 | | [mongodb](#module\_mongodb) | saturnops/mongodb/kubernetes | n/a | 24 | 25 | ## Resources 26 | 27 | | Name | Type | 28 | |------|------| 29 | | [google_client_config.default](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source | 30 | | [google_container_cluster.primary](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/container_cluster) | data source | 31 | 32 | ## Inputs 33 | 34 | No inputs. 35 | 36 | ## Outputs 37 | 38 | | Name | Description | 39 | |------|-------------| 40 | | [mongodb\_credential](#output\_mongodb\_credential) | MongoDB credentials used for accessing the MongoDB database. | 41 | | [mongodb\_endpoints](#output\_mongodb\_endpoints) | MongoDB endpoints in the Kubernetes cluster. 
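|


--------------------------------------------------------------------------------
/examples/complete/gcp/helm/values.yaml:
--------------------------------------------------------------------------------
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: "Data-Services"
          operator: In
          values:
          - "true"
--------------------------------------------------------------------------------
/examples/complete/gcp/main.tf:
--------------------------------------------------------------------------------
# Secrets for this example are supplied at apply time (TF_VAR_*, -var, or an
# untracked *.tfvars file -- .gitignore already excludes *.tfvars) instead of
# being committed here as literals. They are still written to Terraform state,
# so the state backend must be access-controlled and encrypted.
variable "mongodb_root_password" {
  description = "MongoDB root password (used because mongodb_custom_credentials_enabled is true)."
  type        = string
  sensitive   = true
}

variable "mongodb_metric_exporter_password" {
  description = "Password for the metrics exporter user (mongodb_exporter)."
  type        = string
  sensitive   = true
}

variable "custom_databases_passwords" {
  description = "Passwords for custom_databases_usernames, in the list-literal string form the module expects, e.g. \"['pass1', 'pass2']\"."
  type        = string
  sensitive   = true
}

locals {
  name        = "mongo"
  region      = "asia-south1"
  environment = "prod"
  # Project and GKE cluster, defined once. main.tf and provider.tf used to
  # carry two different project IDs; a single local keeps module.gcp and the
  # cluster data source on the same project. Fill in before applying.
  project_id   = ""
  cluster_name = "dev-gke-cluster"
  additional_tags = {
    Owner      = "organization_name"
    Expires    = "Never"
    Department = "Engineering"
  }
  create_namespace = true
  namespace        = "mongodb"
  # true: the module stores the credentials in Secret Manager and output.tf
  # suppresses the mongodb_credential output.
  store_password_to_secret_manager   = true
  mongodb_custom_credentials_enabled = true
  # Sensitive variables make this whole object sensitive; Terraform redacts
  # it in plan output.
  mongodb_custom_credentials_config = {
    root_user                = "root"
    root_password            = var.mongodb_root_password
    metric_exporter_user     = "mongodb_exporter"
    metric_exporter_password = var.mongodb_metric_exporter_password
  }
}

# Cloud-side resources: service accounts for the backup/restore jobs and the
# Secret Manager entry.
module "gcp" {
  source                             = "saturnops/mongodb/kubernetes//modules/resources/gcp"
  project_id                         = local.project_id
  environment                        = local.environment
  name                               = local.name
  store_password_to_secret_manager   = local.store_password_to_secret_manager
  mongodb_custom_credentials_enabled = local.mongodb_custom_credentials_enabled
  mongodb_custom_credentials_config  = local.mongodb_custom_credentials_config
}

module "mongodb" {
  source           = "saturnops/mongodb/kubernetes"
  namespace        = local.namespace
  create_namespace = local.create_namespace
  cluster_name     = local.cluster_name
  mongodb_config = {
    name                             = local.name
    namespace                        = local.namespace
    values_yaml                      = file("./helm/values.yaml")
    environment                      = local.environment
    volume_size                      = "10Gi"
    architecture                     = "replicaset"
    custom_databases                 = "['db1', 'db2']"
    custom_databases_usernames       = "['admin', 'admin']"
    custom_databases_passwords       = var.custom_databases_passwords
    replica_count                    = 2
    storage_class_name               = "standard"
    store_password_to_secret_manager = local.store_password_to_secret_manager
  }
  mongodb_custom_credentials_enabled = local.mongodb_custom_credentials_enabled
  mongodb_custom_credentials_config  = local.mongodb_custom_credentials_config
  # When custom credentials are enabled the module-generated passwords are
  # not used, so empty strings are passed here.
  root_password = local.mongodb_custom_credentials_enabled ? "" : module.gcp.root_password
  # NOTE(review): the AWS resources module exposes `metric_exporter_password`;
  # confirm the GCP module really outputs the `metric_exporter_pasword`
  # spelling, otherwise this reference fails at plan time even though the
  # branch is never taken.
  metric_exporter_password = local.mongodb_custom_credentials_enabled ? "" : module.gcp.metric_exporter_pasword
  bucket_provider_type     = "gcs"
  # GCP service accounts bound to the backup/restore Kubernetes service
  # accounts; they should be scoped to the bucket below only.
  service_account_backup  = module.gcp.service_account_backup
  service_account_restore = module.gcp.service_account_restore
  mongodb_backup_enabled  = true
  mongodb_backup_config = {
    bucket_uri       = "gs://mongo-backup-dev"
    s3_bucket_region = ""
    # Demo value: a full mongodump every minute. Use a realistic schedule
    # (the module default is "*/5 * * * *") outside of a demo.
    cron_for_full_backup = "* * * * *"
  }
  # The restore Job runs on apply against the dump named below; keep it
  # disabled in a real deployment unless you are actually recovering.
  mongodb_restore_enabled = true
  mongodb_restore_config = {
    bucket_uri       = "gs://mongo-backup-dev/mongodumpfull_20230710_132301.gz"
    s3_bucket_region = ""
    file_name        = "mongodumpfull_20230710_132301.gz"
  }
  mongodb_exporter_enabled = true
}
--------------------------------------------------------------------------------
/examples/complete/gcp/output.tf:
--------------------------------------------------------------------------------
output "mongodb_endpoints" {
  value       = module.mongodb.mongodb_endpoints
  description = "MongoDB endpoints in the Kubernetes cluster."
}

output "mongodb_credential" {
  value       = local.store_password_to_secret_manager ? null : module.mongodb.mongodb_credential
  description = "MongoDB credentials used for accessing the MongoDB database."
  # Without this the credentials are printed in plain text by `terraform
  # apply` / `terraform output` whenever they are not sent to Secret Manager.
  sensitive = true
}
--------------------------------------------------------------------------------
/examples/complete/gcp/provider.tf:
--------------------------------------------------------------------------------
# No explicit google provider block: the access token comes from the
# caller's Application Default Credentials. Like every data source result
# it is recorded in state, so treat the state file as sensitive.
data "google_client_config" "default" {}

data "google_container_cluster" "primary" {
  name     = local.cluster_name
  location = local.region
  project  = local.project_id
}

provider "kubernetes" {
  host                   = "https://${data.google_container_cluster.primary.endpoint}"
  token                  = data.google_client_config.default.access_token
  cluster_ca_certificate = base64decode(data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate)
}

provider "helm" {
  kubernetes {
    host                   = "https://${data.google_container_cluster.primary.endpoint}"
    token                  = data.google_client_config.default.access_token
    cluster_ca_certificate = base64decode(data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate)
  }
}
--------------------------------------------------------------------------------
/helm/values/backup/values.yaml:
--------------------------------------------------------------------------------
## Enable Full backup
## Values file for the backup chart (modules/backup). Every ${...} below is a
## Terraform templatefile placeholder filled in by the root module.
## rootPassword and azure_storage_account_key are secrets: once rendered they
## live in the Helm release Secret and in Terraform state (helm_release
## values), so both need the same access control as the database itself.
auth:
  rootUser: root
  rootPassword: "${mongodb_root_user_password}"

backup:
  bucket_uri: ${bucket_uri}
  aws_default_region: ${s3_bucket_region}
  azure_storage_account_name: ${azure_storage_account_name}
  azure_storage_account_key: ${azure_storage_account_key}
  azure_container_name: ${azure_container_name}
  cron_for_full_backup: "${cron_for_full_backup}"

## Service-account annotations (e.g. the IRSA role / GCP workload identity
## binding passed from the root module); unquoted so a YAML map is rendered.
annotations:
  ${annotations}

## s3, gcs or azure -- selects which credentials above the job uses.
bucket_provider_type: ${bucket_provider_type}

affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: "Infra-Services"
          operator: In
          values:
          - "true"

backupjob:
  resources:
    requests:
      memory: 100Mi
      cpu: 50m
    limits:
      memory: 200Mi
      cpu: 100m
--------------------------------------------------------------------------------
/helm/values/exporter/values.yaml:
--------------------------------------------------------------------------------
annotations: {}

extraArgs:
  - --collect.collection
  - --collect.database
  - --collect.indexusage
  - --collect.topmetrics
  - --collect.connpoolstats

fullnameOverride: ""

# Third-party image from a personal Docker Hub namespace, pinned by tag only.
# Prefer pinning by digest (repository@sha256:...) or mirroring into a
# registry you control so the exporter's supply chain is under your review.
image:
  pullPolicy: IfNotPresent
  repository: ssheehy/mongodb-exporter
  tag: 0.10.0

imagePullSecrets: []

livenessProbe:
  httpGet:
    path: /
    port: metrics
  initialDelaySeconds: 10

# [mongodb[+srv]://][user:pass@]host1[:port1][,host2[:port2],...][/database][?options]
# The exporter password is embedded in this URI, so the rendered value is a
# secret (Helm release Secret + Terraform state). Supplying the URI through
# `existingSecret` below keeps it out of the values entirely.
# NOTE(review): `{namespace}` is not a `${...}` templatefile placeholder and
# the user name is fixed to `mongodb_exporter` rather than following
# metric_exporter_user -- confirm the module rewrites both before rendering.
mongodb:
  uri: "mongodb://mongodb_exporter:${mongodb_exporter_password}@mongodb-primary.{namespace}.svc.cluster.local:27017/admin?authSource=admin"

# Name of an externally managed secret (in the same namespace) containing the connection uri as key `mongodb-uri`.
# If this is provided, the value mongodb.uri is ignored.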
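existingSecret:
  name: ""
  key: "mongodb-uri"

nameOverride: ""

nodeSelector: {}

podAnnotations: {}
  # prometheus.io/scrape: "true"
  # prometheus.io/port: "metrics"

port: "9216"

priorityClassName: ""

readinessProbe:
  httpGet:
    path: /
    port: metrics
  initialDelaySeconds: 10

replicas: 1

affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: "Database-Services"
          operator: In
          values:
          - "true"

resources:
  limits:
    cpu: 100m
    memory: 200Mi
  requests:
    cpu: 70m
    memory: 100Mi

# Extra environment variables that will be passed into the exporter pod
env: {}

# Volumes that will be mounted into the exporter pod
volumeMounts: []

# Volumes that will be attached to the exporter deployment
volumes: []

# Container security context, aligned with the "restricted" Pod Security
# Standard: non-root, no privilege escalation, all capabilities dropped,
# read-only root filesystem, default seccomp profile.
securityContext:
  # Was `true`, which allows setuid binaries to regain privileges and
  # contradicts the rest of this hardened context.
  allowPrivilegeEscalation: false
  capabilities:
    # The restricted profile checks for the literal "ALL".
    drop: ["ALL"]
  readOnlyRootFilesystem: true
  runAsGroup: 10000
  runAsNonRoot: true
  runAsUser: 10000
  seccompProfile:
    type: RuntimeDefault

service:
  labels:
  annotations: {}
  port: 9216
  type: ClusterIP

serviceAccount:
  create: true
  # If create is true and name is not set, then a name is generated using the
  # fullname template.
  name:

serviceMonitor:
  enabled: true
  interval: 30s
  scrapeTimeout: 10s
  namespace: "${service_monitor_namespace}"
  additionalLabels:
    release: prometheus-operator
  targetLabels: {}
  metricRelabelings: []

tolerations: []
--------------------------------------------------------------------------------
/helm/values/mongodb/values.yaml:
--------------------------------------------------------------------------------
## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
## @param global.namespaceOverride Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride
##
global:
  imageRegistry: ""
  ## E.g.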
15 | ## imagePullSecrets: 16 | ## - myRegistryKeySecretName 17 | ## 18 | imagePullSecrets: [] 19 | storageClass: "${storage_class_name}" 20 | namespaceOverride: "" 21 | 22 | ## @section Common parameters 23 | ## 24 | 25 | ## @param nameOverride String to partially override mongodb.fullname template (will maintain the release name) 26 | ## 27 | nameOverride: "" 28 | ## @param fullnameOverride String to fully override mongodb.fullname template 29 | ## 30 | fullnameOverride: "" 31 | ## @param namespaceOverride String to fully override common.names.namespace 32 | ## 33 | namespaceOverride: "" 34 | ## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) 35 | ## 36 | kubeVersion: "" 37 | ## @param clusterDomain Default Kubernetes cluster domain 38 | ## 39 | clusterDomain: cluster.local 40 | ## @param extraDeploy Array of extra objects to deploy with the release 41 | ## extraDeploy: 42 | ## This needs to be uncommented and added to 'extraDeploy' in order to use the replicaset 'mongo-labeler' sidecar 43 | ## for dynamically discovering the mongodb primary pod 44 | ## suggestion is to use a hard-coded and predictable TCP port for the primary mongodb pod (here is 30001, choose your own) 45 | ## - apiVersion: v1 46 | ## kind: Service 47 | ## metadata: 48 | ## name: mongodb-primary 49 | ## namespace: the-mongodb-namespace 50 | ## labels: 51 | ## app.kubernetes.io/component: mongodb 52 | ## app.kubernetes.io/instance: mongodb 53 | ## app.kubernetes.io/managed-by: Helm 54 | ## app.kubernetes.io/name: mongodb 55 | ## spec: 56 | ## type: NodePort 57 | ## externalTrafficPolicy: Cluster 58 | ## ports: 59 | ## - name: mongodb 60 | ## port: 30001 61 | ## nodePort: 30001 62 | ## protocol: TCP 63 | ## targetPort: mongodb 64 | ## selector: 65 | ## app.kubernetes.io/component: mongodb 66 | ## app.kubernetes.io/instance: mongodb 67 | ## app.kubernetes.io/name: mongodb 68 | ## primary: "true" 69 | ## 70 | extraDeploy: 71 | - apiVersion: v1 72 | kind: 
Service 73 | metadata: 74 | name: mongodb-primary 75 | namespace: ${namespace} 76 | labels: 77 | app.kubernetes.io/component: mongodb 78 | app.kubernetes.io/instance: mongodb 79 | app.kubernetes.io/managed-by: Helm 80 | app.kubernetes.io/name: mongodb 81 | spec: 82 | type: ClusterIP 83 | ports: 84 | - name: mongodb-primary 85 | port: 27017 86 | protocol: TCP 87 | targetPort: mongodb 88 | selector: 89 | app.kubernetes.io/component: mongodb 90 | app.kubernetes.io/instance: mongodb 91 | app.kubernetes.io/name: mongodb 92 | primary: "true" 93 | ## @param commonLabels Add labels to all the deployed resources (sub-charts are not considered). Evaluated as a template 94 | ## 95 | commonLabels: {} 96 | ## @param commonAnnotations Common annotations to add to all Mongo resources (sub-charts are not considered). Evaluated as a template 97 | ## 98 | commonAnnotations: {} 99 | 100 | ## Enable diagnostic mode in the deployment 101 | ## 102 | diagnosticMode: 103 | ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) 104 | ## 105 | enabled: false 106 | ## @param diagnosticMode.command Command to override all containers in the deployment 107 | ## 108 | command: 109 | - sleep 110 | ## @param diagnosticMode.args Args to override all containers in the deployment 111 | ## 112 | args: 113 | - infinity 114 | 115 | ## @section MongoDB(®) parameters 116 | ## 117 | 118 | ## Bitnami MongoDB(®) image 119 | ## ref: https://hub.docker.com/r/bitnami/mongodb/tags/ 120 | ## @param image.registry MongoDB(®) image registry 121 | ## @param image.repository MongoDB(®) image registry 122 | ## @param image.tag MongoDB(®) image tag (immutable tags are recommended) 123 | ## @param image.pullPolicy MongoDB(®) image pull policy 124 | ## @param image.pullSecrets Specify docker-registry secret names as an array 125 | ## @param image.debug Set to true if you would like to see extra information on logs 126 | ## 127 | image: 128 | registry: 
docker.io 129 | repository: bitnami/mongodb 130 | tag: ${app_version} 131 | ## Specify a imagePullPolicy 132 | ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images 133 | ## 134 | pullPolicy: IfNotPresent 135 | ## Optionally specify an array of imagePullSecrets. 136 | ## Secrets must be manually created in the namespace. 137 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ 138 | ## e.g: 139 | ## pullSecrets: 140 | ## - myRegistryKeySecretName 141 | ## 142 | pullSecrets: [] 143 | ## Set to true if you would like to see extra information on logs 144 | ## 145 | debug: false 146 | 147 | ## @param schedulerName Name of the scheduler (other than default) to dispatch pods 148 | ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ 149 | ## 150 | schedulerName: "" 151 | ## @param architecture MongoDB(®) architecture (`standalone` or `replicaset`) 152 | ## 153 | architecture: "${architecture}" 154 | 155 | ## @param useStatefulSet Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) 156 | ## 157 | useStatefulSet: false 158 | ## MongoDB Kubernetes Terraform Module(®) Authentication parameters 159 | ## 160 | auth: 161 | ## @param auth.enabled Enable authentication 162 | ## ref: https://docs.mongodb.com/manual/tutorial/enable-authentication/ 163 | ## 164 | enabled: true 165 | ## @param auth.rootUser MongoDB(®) root user 166 | ## 167 | rootUser: root 168 | ## @param auth.rootPassword MongoDB(®) root password 169 | ## ref: https://github.com/bitnami/bitnami-docker-mongodb/blob/master/README.md#setting-the-root-password-on-first-run 170 | ## 171 | rootPassword: "${mongodb_root_user_password}" 172 | ## MongoDB Kubernetes Terraform Module(®) custom users and databases 173 | ## ref: https://github.com/bitnami/bitnami-docker-mongodb/blob/master/README.md#creating-users-and-databases-on-first-run 174 | ## @param auth.usernames List of custom 
users to be created during the initialization 175 | ## @param auth.passwords List of passwords for the custom users set at `auth.usernames` 176 | ## @param auth.databases List of custom databases to be created during the initialization 177 | ## 178 | usernames: ${custom_databases_usernames} 179 | passwords: ${custom_databases_passwords} 180 | databases: ${custom_databases} 181 | ## @param auth.username DEPRECATED: use `auth.usernames` instead 182 | ## @param auth.password DEPRECATED: use `auth.passwords` instead 183 | ## @param auth.database DEPRECATED: use `auth.databases` instead 184 | username: "" 185 | password: "" 186 | database: "" 187 | ## @param auth.replicaSetKey Key used for authentication in the replicaset (only when `architecture=replicaset`) 188 | ## 189 | replicaSetKey: "" 190 | ## @param auth.existingSecret Existing secret with MongoDB(®) credentials (keys: `mongodb-password`, `mongodb-root-password`, `mongodb-replica-set-key`) 191 | ## NOTE: When it's set the previous parameters are ignored. Prefer it over rendering `rootPassword` / `passwords` into this file: values templated in by Terraform are persisted in Terraform state and in Helm's release record, so they are only as protected as those stores are.
192 | ## 193 | existingSecret: "" 194 | tls: 195 | ## @param tls.enabled Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes. Disabled here, so client-to-server and intra-replica-set traffic is unencrypted; `tls.mode` below only takes effect once this is true. 196 | ## 197 | enabled: false 198 | ## @param tls.autoGenerated Generate a custom CA and self-signed certificates 199 | ## 200 | autoGenerated: true 201 | ## @param tls.existingSecret Existing secret with TLS certificates (keys: `mongodb-ca-cert`, `mongodb-ca-key`, `client-pem`) 202 | ## NOTE: When it's set it will disable certificate creation 203 | ## 204 | existingSecret: "" 205 | ## Add Custom CA certificate 206 | ## @param tls.caCert Custom CA certificate (base64 encoded) 207 | ## @param tls.caKey CA certificate private key (base64 encoded) 208 | ## 209 | caCert: "" 210 | caKey: "" 211 | ## Bitnami Nginx image 212 | ## @param tls.image.registry Init container TLS certs setup image registry 213 | ## @param tls.image.repository Init container TLS certs setup image repository 214 | ## @param tls.image.tag Init container TLS certs setup image tag (immutable tags are recommended) 215 | ## @param tls.image.pullPolicy Init container TLS certs setup image pull policy 216 | ## @param tls.image.pullSecrets Init container TLS certs setup image pull secrets (docker-registry secret names, as an array) 217 | ## @param tls.extraDnsNames Add extra dns names to the CA, can solve x509 auth issue for pod clients 218 | ## 219 | image: 220 | registry: docker.io 221 | repository: bitnami/nginx 222 | tag: 1.21.6-debian-10-r92 223 | pullPolicy: IfNotPresent 224 | ## Optionally specify an array of imagePullSecrets. 225 | ## Secrets must be manually created in the namespace. 
226 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ 227 | ## e.g: 228 | ## pullSecrets: 229 | ## - myRegistryKeySecretName 230 | ## 231 | pullSecrets: [] 232 | 233 | ## e.g: 234 | ## extraDnsNames 235 | ## "DNS.6": "$my_host" 236 | ## "DNS.7": "$test" 237 | ## 238 | extraDnsNames: [] 239 | ## @param tls.mode Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) 240 | ## 241 | mode: requireTLS 242 | ## @param hostAliases Add deployment host aliases 243 | ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ 244 | ## 245 | hostAliases: [] 246 | ## @param replicaSetName Name of the replica set (only when `architecture=replicaset`) 247 | ## Ignored when mongodb.architecture=standalone 248 | ## 249 | replicaSetName: rs0 250 | ## @param replicaSetHostnames Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) 251 | ## Ignored when mongodb.architecture=standalone 252 | ## Ignored when externalAccess.enabled=true 253 | ## 254 | replicaSetHostnames: true 255 | ## @param enableIPv6 Switch to enable/disable IPv6 on MongoDB(®) 256 | ## ref: https://github.com/bitnami/bitnami-docker-mongodb/blob/master/README.md#enabling/disabling-ipv6 257 | ## 258 | enableIPv6: false 259 | ## @param directoryPerDB Switch to enable/disable DirectoryPerDB on MongoDB(®) 260 | ## ref: https://github.com/bitnami/bitnami-docker-mongodb/blob/master/README.md#enabling/disabling-directoryperdb 261 | ## 262 | directoryPerDB: false 263 | ## MongoDB Kubernetes Terraform Module(®) System Log configuration 264 | ## ref: https://github.com/bitnami/bitnami-docker-mongodb#configuring-system-log-verbosity-level 265 | ## @param systemLogVerbosity MongoDB(®) system log verbosity level 266 | ## @param disableSystemLog Switch to enable/disable MongoDB(®) system log 267 | ## 268 | systemLogVerbosity: 0 269 | disableSystemLog: 
false 270 | ## @param disableJavascript Switch to enable/disable MongoDB(®) server-side JavaScript execution (left enabled here; set it to `true` unless `$where`, `mapReduce` or other server-side JavaScript is actually required — disabling it is a standard MongoDB hardening step) 271 | ## ref: https://docs.mongodb.com/manual/core/server-side-javascript/ 272 | ## 273 | disableJavascript: false 274 | ## @param enableJournal Switch to enable/disable MongoDB(®) Journaling 275 | ## ref: https://docs.mongodb.com/manual/reference/configuration-options/#mongodb-setting-storage.journal.enabled 276 | ## 277 | enableJournal: true 278 | ## @param configuration MongoDB(®) configuration file to be used for Primary and Secondary nodes 279 | ## For documentation of all options, see: http://docs.mongodb.org/manual/reference/configuration-options/ 280 | ## Example (illustrative only: it shows `security.authorization: disabled` and `enableLocalhostAuthBypass: true`, which must not be carried into a production configuration — keep authorization enabled and, for replica sets, the keyFile set): 281 | ## configuration: |- 282 | ## # where and how to store data. 283 | ## storage: 284 | ## dbPath: /bitnami/mongodb/data/db 285 | ## journal: 286 | ## enabled: true 287 | ## directoryPerDB: false 288 | ## # where to write logging data 289 | ## systemLog: 290 | ## destination: file 291 | ## quiet: false 292 | ## logAppend: true 293 | ## logRotate: reopen 294 | ## path: /opt/bitnami/mongodb/logs/mongodb.log 295 | ## verbosity: 0 296 | ## # network interfaces 297 | ## net: 298 | ## port: 27017 299 | ## unixDomainSocket: 300 | ## enabled: true 301 | ## pathPrefix: /opt/bitnami/mongodb/tmp 302 | ## ipv6: false 303 | ## bindIpAll: true 304 | ## # replica set options 305 | ## #replication: 306 | ## #replSetName: replicaset 307 | ## #enableMajorityReadConcern: true 308 | ## # process management options 309 | ## processManagement: 310 | ## fork: false 311 | ## pidFilePath: /opt/bitnami/mongodb/tmp/mongodb.pid 312 | ## # set parameter options 313 | ## setParameter: 314 | ## enableLocalhostAuthBypass: true 315 | ## # security options 316 | ## security: 317 | ## authorization: disabled 318 | ## #keyFile: /opt/bitnami/mongodb/conf/keyfile 319 | ## 320 | configuration: "" 321 | ## @section replicaSetConfigurationSettings settings applied during runtime (not via configuration file) 322 | ## If enabled, 
these are applied by a script which is called within setup.sh 323 | ## for documentation see https://docs.mongodb.com/manual/reference/replica-configuration/#replica-set-configuration-fields 324 | ## @param replicaSetConfigurationSettings.enabled Switch to enable/disable configuring MongoDB(®) run-time rs.conf settings 325 | ## @param replicaSetConfigurationSettings.configuration run-time rs.conf settings 326 | ## 327 | replicaSetConfigurationSettings: 328 | enabled: false 329 | configuration: {} 330 | ## chainingAllowed : false 331 | ## heartbeatTimeoutSecs : 10 332 | ## heartbeatIntervalMillis : 2000 333 | ## electionTimeoutMillis : 10000 334 | ## catchUpTimeoutMillis : 30000 335 | ## @param existingConfigmap Name of existing ConfigMap with MongoDB(®) configuration for Primary and Secondary nodes 336 | ## NOTE: When it's set the arbiter.configuration parameter is ignored 337 | ## 338 | existingConfigmap: "" 339 | ## @param initdbScripts Dictionary of initdb scripts 340 | ## Specify dictionary of scripts to be run at first boot. NOTE: `exporter_user.js` below embeds the templated `mongodb_exporter_password` value in clear text; init scripts are delivered through a ConfigMap (cf. `initdbScriptsConfigMap`) rather than a Secret, so the password is readable by anyone with ConfigMap read access in the namespace, and it is also kept in Terraform state. Consider supplying it via `extraEnvVarsSecret` and reading the variable from a `.sh` init script instead. Also note the script's `catch` only prints the error, so a failed user creation does not abort startup — check the init logs. 341 | ## Example: 342 | ## initdbScripts: 343 | ## my_init_script.sh: | 344 | ## #!/bin/bash 345 | ## echo "Do something." 346 | ## 347 | initdbScripts: 348 | exporter_user.js: | 349 | db = db.getSiblingDB('admin'); 350 | try { 351 | db.createUser( 352 | { 353 | user: "mongodb_exporter", 354 | pwd: "${mongodb_exporter_password}", 355 | roles: [ 356 | { role: "clusterMonitor", db: "admin" }, 357 | { role: "read", db: "local" } 358 | ], 359 | passwordDigestor:"server" 360 | } 361 | ); 362 | } 363 | catch (e) { print(e); } 364 | 365 | ## @param initdbScriptsConfigMap Existing ConfigMap with custom initdb scripts 366 | ## 367 | initdbScriptsConfigMap: "" 368 | ## Command and args for running the container (set to default if not set). 
Use array form 369 | ## @param command Override default container command (useful when using custom images) 370 | ## @param args Override default container args (useful when using custom images) 371 | ## 372 | command: [] 373 | args: [] 374 | ## @param extraFlags MongoDB(®) additional command line flags 375 | ## Example: 376 | ## extraFlags: 377 | ## - "--wiredTigerCacheSizeGB=2" 378 | ## 379 | extraFlags: [] 380 | ## @param extraEnvVars Extra environment variables to add to MongoDB(®) pods 381 | ## E.g: 382 | ## extraEnvVars: 383 | ## - name: FOO 384 | ## value: BAR 385 | ## 386 | extraEnvVars: [] 387 | ## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars 388 | ## 389 | extraEnvVarsCM: "" 390 | ## @param extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) 391 | ## 392 | extraEnvVarsSecret: "" 393 | 394 | ## @section MongoDB(®) statefulset parameters 395 | ## 396 | 397 | ## @param annotations Additional annotations to be added to the MongoDB(®) statefulset. Evaluated as a template 398 | ## 399 | annotations: {} 400 | ## @param labels Additional labels to be added to the MongoDB(®) statefulset. Evaluated as a template 401 | ## 402 | labels: {} 403 | ## @param replicaCount Number of MongoDB(®) nodes (only when `architecture=replicaset`) 404 | ## Ignored when mongodb.architecture=standalone 405 | ## 406 | replicaCount: ${replicacount} 407 | ## @param updateStrategy.type Strategy to use to replace existing MongoDB(®) pods. When architecture=standalone and useStatefulSet=false, 408 | ## this parameter will be applied on a deployment object. 
In other case it will be applied on a statefulset object 409 | ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies 410 | ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy 411 | ## Example: 412 | ## updateStrategy: 413 | ## type: RollingUpdate 414 | ## rollingUpdate: 415 | ## maxSurge: 25% 416 | ## maxUnavailable: 25% 417 | ## 418 | updateStrategy: 419 | type: RollingUpdate 420 | ## @param podManagementPolicy Pod management policy for MongoDB(®) 421 | ## Should be initialized one by one when building the replicaset for the first time 422 | ## 423 | podManagementPolicy: OrderedReady 424 | ## @param podAffinityPreset MongoDB(®) Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` 425 | ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity 426 | ## 427 | podAffinityPreset: "" 428 | ## @param podAntiAffinityPreset MongoDB(®) Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` 429 | ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity 430 | ## 431 | podAntiAffinityPreset: soft 432 | ## Node affinity preset 433 | ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity 434 | ## 435 | nodeAffinityPreset: 436 | ## @param nodeAffinityPreset.type MongoDB(®) Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` 437 | ## 438 | type: "" 439 | ## @param nodeAffinityPreset.key MongoDB(®) Node label key to match Ignored if `affinity` is set. 440 | ## E.g. 441 | ## key: "kubernetes.io/e2e-az-name" 442 | ## 443 | key: "" 444 | ## @param nodeAffinityPreset.values MongoDB(®) Node label values to match. Ignored if `affinity` is set. 445 | ## E.g. 
446 | ## values: 447 | ## - e2e-az1 448 | ## - e2e-az2 449 | ## 450 | values: [] 451 | ## @param affinity MongoDB(®) Affinity for pod assignment 452 | ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity 453 | ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set 454 | ## 455 | affinity: {} 456 | ## @param nodeSelector MongoDB(®) Node labels for pod assignment 457 | ## ref: https://kubernetes.io/docs/user-guide/node-selection/ 458 | ## 459 | nodeSelector: {} 460 | ## @param tolerations MongoDB(®) Tolerations for pod assignment 461 | ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ 462 | ## 463 | tolerations: [] 464 | ## @param topologySpreadConstraints MongoDB(®) Spread Constraints for Pods 465 | ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ 466 | ## 467 | topologySpreadConstraints: [] 468 | ## @param lifecycleHooks LifecycleHook for the MongoDB(®) container(s) to automate configuration before or after startup 469 | ## 470 | lifecycleHooks: {} 471 | ## @param terminationGracePeriodSeconds MongoDB(®) Termination Grace Period 472 | ## 473 | terminationGracePeriodSeconds: "" 474 | ## @param podLabels MongoDB(®) pod labels 475 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ 476 | ## 477 | podLabels: {} 478 | ## @param podAnnotations MongoDB(®) Pod annotations 479 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ 480 | ## 481 | podAnnotations: 482 | co.elastic.logs/enabled: "true" 483 | co.elastic.logs/module: mongodb 484 | ## @param priorityClassName Name of the existing priority class to be used by MongoDB(®) pod(s) 485 | ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ 486 | ## 487 | priorityClassName: "" 488 | ## @param runtimeClassName Name of the runtime class to be used by MongoDB(®) 
pod(s) 489 | ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ 490 | ## 491 | runtimeClassName: "" 492 | ## MongoDB Kubernetes Terraform Module(®) pods' Security Context. 493 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod 494 | ## @param podSecurityContext.enabled Enable MongoDB(®) pod(s)' Security Context 495 | ## @param podSecurityContext.fsGroup Group ID for the volumes of the MongoDB(®) pod(s) 496 | ## @param podSecurityContext.sysctls sysctl settings of the MongoDB(®) pod(s)' 497 | ## 498 | podSecurityContext: 499 | enabled: true 500 | fsGroup: 1001 501 | ## sysctl settings 502 | ## Example: 503 | ## sysctls: 504 | ## - name: net.core.somaxconn 505 | ## value: "10000" 506 | ## 507 | sysctls: [] 508 | ## MongoDB Kubernetes Terraform Module(®) containers' Security Context (main and metrics container). 509 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container 510 | ## @param containerSecurityContext.enabled Enable MongoDB(®) container(s)' Security Context 511 | ## @param containerSecurityContext.runAsUser User ID for the MongoDB(®) container 512 | ## @param containerSecurityContext.runAsNonRoot Set MongoDB(®) container's Security Context runAsNonRoot 513 | ## 514 | containerSecurityContext: 515 | enabled: true 516 | runAsUser: 1001 517 | runAsNonRoot: true 518 | ## MongoDB Kubernetes Terraform Module(®) containers' resource requests and limits. 519 | ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ 520 | ## We usually recommend not to specify default resources and to leave this as a conscious 521 | ## choice for the user. This also increases chances charts run on environments with little 522 | ## resources, such as Minikube. If you do want to specify resources, uncomment the following 523 | ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
524 | ## @param resources.limits The resources limits for MongoDB(®) containers 525 | ## @param resources.requests The requested resources for MongoDB(®) containers 526 | ## 527 | resources: {} 528 | ## Example: 529 | ## limits: 530 | ## cpu: 100m 531 | ## memory: 128Mi 532 | ## 533 | # limits: 534 | # cpu: 1000m 535 | # memory: 1000Mi 536 | ## Examples: 537 | ## requests: 538 | ## cpu: 100m 539 | ## memory: 128Mi 540 | ## 541 | # requests: 542 | # cpu: 500m 543 | # memory: 500Mi 544 | ## @param containerPorts.mongodb MongoDB(®) container port 545 | containerPorts: 546 | mongodb: 27017 547 | ## MongoDB Kubernetes Terraform Module(®) pods' liveness probe. Evaluated as a template. 548 | ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 549 | ## @param livenessProbe.enabled Enable livenessProbe 550 | ## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe 551 | ## @param livenessProbe.periodSeconds Period seconds for livenessProbe 552 | ## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe 553 | ## @param livenessProbe.failureThreshold Failure threshold for livenessProbe 554 | ## @param livenessProbe.successThreshold Success threshold for livenessProbe 555 | ## 556 | livenessProbe: 557 | enabled: true 558 | initialDelaySeconds: 30 559 | periodSeconds: 120 560 | timeoutSeconds: 10 561 | failureThreshold: 6 562 | successThreshold: 1 563 | ## MongoDB Kubernetes Terraform Module(®) pods' readiness probe. Evaluated as a template. 
564 | ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 565 | ## @param readinessProbe.enabled Enable readinessProbe 566 | ## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe 567 | ## @param readinessProbe.periodSeconds Period seconds for readinessProbe 568 | ## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe 569 | ## @param readinessProbe.failureThreshold Failure threshold for readinessProbe 570 | ## @param readinessProbe.successThreshold Success threshold for readinessProbe 571 | ## 572 | readinessProbe: 573 | enabled: true 574 | initialDelaySeconds: 10 575 | periodSeconds: 20 576 | timeoutSeconds: 5 577 | failureThreshold: 6 578 | successThreshold: 1 579 | ## Slow starting containers can be protected through startup probes 580 | ## Startup probes are available in Kubernetes version 1.16 and above 581 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes 582 | ## @param startupProbe.enabled Enable startupProbe 583 | ## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe 584 | ## @param startupProbe.periodSeconds Period seconds for startupProbe 585 | ## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe 586 | ## @param startupProbe.failureThreshold Failure threshold for startupProbe 587 | ## @param startupProbe.successThreshold Success threshold for startupProbe 588 | ## 589 | startupProbe: 590 | enabled: false 591 | initialDelaySeconds: 5 592 | periodSeconds: 20 593 | timeoutSeconds: 10 594 | successThreshold: 1 595 | failureThreshold: 30 596 | ## @param customLivenessProbe Override default liveness probe for MongoDB(®) containers 597 | ## Ignored when livenessProbe.enabled=true 598 | ## 599 | customLivenessProbe: {} 600 | ## @param customReadinessProbe Override default readiness probe for MongoDB(®) containers 601 | ## Ignored when 
readinessProbe.enabled=true 602 | ## 603 | customReadinessProbe: {} 604 | ## @param customStartupProbe Override default startup probe for MongoDB(®) containers 605 | ## Ignored when startupProbe.enabled=true 606 | ## 607 | customStartupProbe: {} 608 | ## @param initContainers Add additional init containers for the MongoDB(®) pod(s) 609 | ## Example: 610 | ## initContainers: 611 | ## - name: your-image-name 612 | ## image: your-image 613 | ## imagePullPolicy: Always 614 | ## ports: 615 | ## - name: portname 616 | ## containerPort: 1234 617 | ## 618 | initContainers: [] 619 | ## @param sidecars Add additional sidecar containers for the MongoDB(®) pod(s) 620 | ## Example: 621 | ## sidecars: 622 | ## - name: your-image-name 623 | ## image: your-image 624 | ## imagePullPolicy: Always 625 | ## ports: 626 | ## - name: portname 627 | ## containerPort: 1234 628 | ## This is an optional 'mongo-labeler' sidecar container that tracks replica-set for the primary mongodb pod 629 | ## and labels it dynamically with ' primary: "true" ' in order for an extra-deployed service to always expose 630 | ## and attach to the primary pod, this needs to be uncommented along with the suggested 'extraDeploy' example 631 | ## and the suggested rbac example for the pod to be allowed adding labels to mongo replica pods 632 | ## search 'mongo-labeler' through this file to find the sections that need to be uncommented to make it work. NOTE(review): the sidecar is enabled below with an untagged (`:latest`) third-party image from Docker Hub and `imagePullPolicy: Always`, so what runs inside the MongoDB pod can change on any restart without a change here — pin it to a digest or an immutable tag. It also runs under the pod's service account, which the RBAC grant must allow to update pod labels; scope that grant to pods in this namespace only. 633 | ## 634 | ## - name: mongo-labeler 635 | ## image: korenlev/k8s-mongo-labeler-sidecar 636 | ## imagePullPolicy: Always 637 | ## env: 638 | ## - name: LABEL_SELECTOR 639 | ## value: "app.kubernetes.io/component=mongodb,app.kubernetes.io/instance=mongodb,app.kubernetes.io/name=mongodb" 640 | ## - name: NAMESPACE 641 | ## value: "the-mongodb-namespace" 642 | ## - name: DEBUG 643 | ## value: "true" 644 | ## 645 | sidecars: 646 | - name: mongo-labeler 647 | image: korenlev/k8s-mongo-labeler-sidecar 648 | imagePullPolicy: Always 649 | env: 650 | - name: 
LABEL_SELECTOR 651 | value: "app.kubernetes.io/component=mongodb,app.kubernetes.io/instance=mongodb,app.kubernetes.io/name=mongodb" 652 | - name: NAMESPACE 653 | value: ${namespace} 654 | - name: DEBUG 655 | value: "true" 656 | resources: 657 | limits: 658 | cpu: 100m 659 | memory: 200Mi 660 | requests: 661 | cpu: 50m 662 | memory: 100Mi 663 | ## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MongoDB(®) container(s) 664 | ## Examples: 665 | ## extraVolumeMounts: 666 | ## - name: extras 667 | ## mountPath: /usr/share/extras 668 | ## readOnly: true 669 | ## 670 | extraVolumeMounts: [] 671 | ## @param extraVolumes Optionally specify extra list of additional volumes to the MongoDB(®) statefulset 672 | ## extraVolumes: 673 | ## - name: extras 674 | ## emptyDir: {} 675 | ## 676 | extraVolumes: [] 677 | ## MongoDB Kubernetes Terraform Module(®) Pod Disruption Budget configuration 678 | ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ 679 | ## 680 | pdb: 681 | ## @param pdb.create Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s) 682 | ## 683 | create: false 684 | ## @param pdb.minAvailable Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction 685 | ## 686 | minAvailable: 1 687 | ## @param pdb.maxUnavailable Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction 688 | ## 689 | maxUnavailable: "" 690 | 691 | ## @section Traffic exposure parameters 692 | ## 693 | 694 | ## Service parameters 695 | ## 696 | service: 697 | ## @param service.nameOverride MongoDB(®) service name 698 | ## 699 | nameOverride: "" 700 | ## @param service.type Kubernetes Service type (only for standalone architecture) 701 | ## 702 | type: ClusterIP 703 | ## @param service.portName MongoDB(®) service port name (only for standalone architecture) 704 | ## 705 | portName: mongodb 706 | ## @param service.ports.mongodb MongoDB(®) service port. 
707 | ## 708 | ports: 709 | mongodb: 27017 710 | ## @param service.nodePorts.mongodb Port to bind to for NodePort and LoadBalancer service types (only for standalone architecture) 711 | ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport 712 | ## 713 | nodePorts: 714 | mongodb: "" 715 | ## @param service.clusterIP MongoDB(®) service cluster IP (only for standalone architecture) 716 | ## e.g: 717 | ## clusterIP: None 718 | ## 719 | clusterIP: "" 720 | ## @param service.externalIPs Specify the externalIP value ClusterIP service type (only for standalone architecture) 721 | ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips 722 | ## 723 | externalIPs: [] 724 | ## @param service.loadBalancerIP loadBalancerIP for MongoDB(®) Service (only for standalone architecture) 725 | ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer 726 | ## 727 | loadBalancerIP: "" 728 | ## @param service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer (only for standalone architecture) 729 | ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service 730 | ## 731 | loadBalancerSourceRanges: [] 732 | ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) 733 | ## 734 | extraPorts: [] 735 | ## @param service.annotations Provide any additional annotations that may be required 736 | ## 737 | annotations: {} 738 | ## @param service.externalTrafficPolicy service external traffic policy (only for standalone architecture) 739 | ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip 740 | ## 741 | externalTrafficPolicy: Local 742 | ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin 743 | ## Values: ClientIP or None 744 | ## 
ref: https://kubernetes.io/docs/user-guide/services/ 745 | ## 746 | sessionAffinity: None 747 | ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity 748 | ## sessionAffinityConfig: 749 | ## clientIP: 750 | ## timeoutSeconds: 300 751 | ## 752 | sessionAffinityConfig: {} 753 | ## External Access to MongoDB(®) nodes configuration 754 | ## 755 | externalAccess: 756 | ## @param externalAccess.enabled Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) 757 | ## 758 | enabled: false 759 | ## External IPs auto-discovery configuration 760 | ## An init container is used to auto-detect LB IPs or node ports by querying the K8s API 761 | ## Note: RBAC might be required 762 | ## 763 | autoDiscovery: 764 | ## @param externalAccess.autoDiscovery.enabled Enable using an init container to auto-detect external IPs by querying the K8s API 765 | ## 766 | enabled: false 767 | ## Bitnami Kubectl image 768 | ## ref: https://hub.docker.com/r/bitnami/kubectl/tags/ 769 | ## @param externalAccess.autoDiscovery.image.registry Init container auto-discovery image registry 770 | ## @param externalAccess.autoDiscovery.image.repository Init container auto-discovery image repository 771 | ## @param externalAccess.autoDiscovery.image.tag Init container auto-discovery image tag (immutable tags are recommended) 772 | ## @param externalAccess.autoDiscovery.image.pullPolicy Init container auto-discovery image pull policy 773 | ## @param externalAccess.autoDiscovery.image.pullSecrets Init container auto-discovery image pull secrets 774 | ## 775 | image: 776 | registry: docker.io 777 | repository: bitnami/kubectl 778 | tag: 1.23.6-debian-10-r8 779 | ## Specify a imagePullPolicy 780 | ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 781 | ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images 782 | ## 783 | pullPolicy: IfNotPresent 784 | ## Optionally specify an array of imagePullSecrets 
(secrets must be manually created in the namespace) 785 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ 786 | ## Example: 787 | ## pullSecrets: 788 | ## - myRegistryKeySecretName 789 | ## 790 | pullSecrets: [] 791 | ## Init Container resource requests and limits 792 | ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ 793 | ## We usually recommend not to specify default resources and to leave this as a conscious 794 | ## choice for the user. This also increases chances charts run on environments with little 795 | ## resources, such as Minikube. If you do want to specify resources, uncomment the following 796 | ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 797 | ## @param externalAccess.autoDiscovery.resources.limits Init container auto-discovery resource limits 798 | ## @param externalAccess.autoDiscovery.resources.requests Init container auto-discovery resource requests 799 | ## 800 | resources: 801 | ## Example: 802 | ## limits: 803 | ## cpu: 100m 804 | ## memory: 128Mi 805 | ## 806 | limits: {} 807 | ## Examples: 808 | ## requests: 809 | ## cpu: 100m 810 | ## memory: 128Mi 811 | ## 812 | requests: {} 813 | ## Parameters to configure K8s service(s) used to externally access MongoDB(®) 814 | ## A new service per broker will be created 815 | ## 816 | service: 817 | ## @param externalAccess.service.type Kubernetes Service type for external access. 
Allowed values: NodePort, LoadBalancer or ClusterIP 818 | ## 819 | type: LoadBalancer 820 | ## @param externalAccess.service.portName MongoDB(®) port name used for external access when service type is LoadBalancer 821 | ## 822 | portName: "mongodb" 823 | ## @param externalAccess.service.ports.mongodb MongoDB(®) port used for external access when service type is LoadBalancer 824 | ## 825 | ports: 826 | mongodb: 27017 827 | ## @param externalAccess.service.loadBalancerIPs Array of load balancer IPs for MongoDB(®) nodes 828 | ## Example: 829 | ## loadBalancerIPs: 830 | ## - X.X.X.X 831 | ## - Y.Y.Y.Y 832 | ## 833 | loadBalancerIPs: [] 834 | ## @param externalAccess.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer. An empty list leaves the load balancer reachable from any source on providers that honour this field; set it before enabling `externalAccess.enabled`, all the more so while `tls.enabled` is false. 835 | ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service 836 | ## Example: 837 | ## loadBalancerSourceRanges: 838 | ## - 10.10.10.0/24 839 | ## 840 | loadBalancerSourceRanges: [] 841 | ## @param externalAccess.service.externalTrafficPolicy MongoDB(®) service external traffic policy 842 | ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip 843 | ## 844 | externalTrafficPolicy: Local 845 | ## @param externalAccess.service.nodePorts Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort 846 | ## Example: 847 | ## nodePorts: 848 | ## - 30001 849 | ## - 30002 850 | ## 851 | nodePorts: [] 852 | ## @param externalAccess.service.domain Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort 853 | ## If not specified, the container will try to get the kubernetes node external IP 854 | ## e.g: 855 | ## domain: mydomain.com 856 | ## 857 | domain: "" 858 | ## @param externalAccess.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) 859 | ## 860 
| extraPorts: [] 861 | ## @param externalAccess.service.annotations Service annotations for external access 862 | ## 863 | annotations: {} 864 | ## @param externalAccess.service.sessionAffinity Control where client requests go, to the same pod or round-robin 865 | ## Values: ClientIP or None 866 | ## ref: https://kubernetes.io/docs/user-guide/services/ 867 | ## 868 | sessionAffinity: None 869 | ## @param externalAccess.service.sessionAffinityConfig Additional settings for the sessionAffinity 870 | ## sessionAffinityConfig: 871 | ## clientIP: 872 | ## timeoutSeconds: 300 873 | ## 874 | sessionAffinityConfig: {} 875 | ## External Access to MongoDB(®) Hidden nodes configuration 876 | ## 877 | hidden: 878 | ## @param externalAccess.hidden.enabled Enable Kubernetes external cluster access to MongoDB(®) hidden nodes 879 | ## 880 | enabled: false 881 | ## Parameters to configure the K8s service(s) used to externally access the MongoDB(®) hidden nodes 882 | ## A new service per hidden node will be created 883 | ## 884 | service: 885 | ## @param externalAccess.hidden.service.type Kubernetes Service type for external access. 
Allowed values: NodePort or LoadBalancer 886 | ## 887 | type: LoadBalancer 888 | ## @param externalAccess.hidden.service.portName MongoDB(®) port name used for external access when service type is LoadBalancer 889 | ## 890 | portName: "mongodb" 891 | ## @param externalAccess.hidden.service.ports.mongodb MongoDB(®) port used for external access when service type is LoadBalancer 892 | ## 893 | ports: 894 | mongodb: 27017 895 | ## @param externalAccess.hidden.service.loadBalancerIPs Array of load balancer IPs for MongoDB(®) nodes 896 | ## Example: 897 | ## loadBalancerIPs: 898 | ## - X.X.X.X 899 | ## - Y.Y.Y.Y 900 | ## 901 | loadBalancerIPs: [] 902 | ## @param externalAccess.hidden.service.loadBalancerSourceRanges Source address range(s), in CIDR form, allowed to reach the service when its type is LoadBalancer; an empty list leaves access unrestricted 903 | ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service 904 | ## Example: 905 | ## loadBalancerSourceRanges: 906 | ## - 10.10.10.0/24 907 | ## 908 | loadBalancerSourceRanges: [] 909 | ## @param externalAccess.hidden.service.externalTrafficPolicy MongoDB(®) service external traffic policy 910 | ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip 911 | ## 912 | externalTrafficPolicy: Local 913 | ## @param externalAccess.hidden.service.nodePorts Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort. 
Length must be the same as replicaCount 914 | ## Example: 915 | ## nodePorts: 916 | ## - 30001 917 | ## - 30002 918 | ## 919 | nodePorts: [] 920 | ## @param externalAccess.hidden.service.domain Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort 921 | ## If not specified, the container will try to get the kubernetes node external IP 922 | ## e.g: 923 | ## domain: mydomain.com 924 | ## 925 | domain: "" 926 | ## @param externalAccess.hidden.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) 927 | ## 928 | extraPorts: [] 929 | ## @param externalAccess.hidden.service.annotations Service annotations for external access 930 | ## 931 | annotations: {} 932 | ## @param externalAccess.hidden.service.sessionAffinity Control where client requests go, to the same pod or round-robin 933 | ## Values: ClientIP or None 934 | ## ref: https://kubernetes.io/docs/user-guide/services/ 935 | ## 936 | sessionAffinity: None 937 | ## @param externalAccess.hidden.service.sessionAffinityConfig Additional settings for the sessionAffinity 938 | ## sessionAffinityConfig: 939 | ## clientIP: 940 | ## timeoutSeconds: 300 941 | ## 942 | sessionAffinityConfig: {} 943 | 944 | ## @section Persistence parameters 945 | ## 946 | 947 | ## Enable persistence using Persistent Volume Claims 948 | ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ 949 | ## 950 | persistence: 951 | ## @param persistence.enabled Enable MongoDB(®) data persistence using PVC 952 | ## 953 | enabled: true 954 | ## @param persistence.medium Provide a medium for `emptyDir` volumes. 
955 | ## Requires persistence.enabled: false 956 | ## 957 | medium: "" 958 | ## @param persistence.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) 959 | ## Requires persistence.enabled: true 960 | ## If defined, PVC must be created manually before volume will be bound 961 | ## Ignored when mongodb.architecture=replicaset 962 | ## 963 | existingClaim: "" 964 | ## @param persistence.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted 965 | resourcePolicy: "" 966 | ## @param persistence.storageClass PVC Storage Class for MongoDB(®) data volume 967 | ## If defined, storageClassName: 968 | ## If set to "-", storageClassName: "", which disables dynamic provisioning 969 | ## If undefined (the default) or set to null, no storageClassName spec is 970 | ## set, choosing the default provisioner. 971 | ## 972 | storageClass: "" 973 | ## @param persistence.accessModes PV Access Mode 974 | ## 975 | accessModes: 976 | - ReadWriteOnce 977 | ## @param persistence.size PVC Storage Request for MongoDB(®) data volume 978 | ## 979 | size: "${volume_size}" 980 | ## @param persistence.annotations PVC annotations 981 | ## 982 | annotations: {} 983 | ## @param persistence.mountPath Path to mount the volume at 984 | ## MongoDB Kubernetes Terraform Module(®) images. 985 | ## 986 | mountPath: /bitnami/mongodb 987 | ## @param persistence.subPath Subdirectory of the volume to mount at 988 | ## and one PV for multiple services. 989 | ## 990 | subPath: "" 991 | ## Fine tuning for volumeClaimTemplates 992 | ## 993 | volumeClaimTemplates: 994 | ## @param persistence.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) 995 | ## A label query over volumes to consider for binding (e.g. 
when using local volumes) 996 | ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details 997 | ## 998 | selector: {} 999 | ## @param persistence.volumeClaimTemplates.requests Custom PVC requests attributes 1000 | ## Some cloud providers use additional request attributes to provision a custom storage instance 1001 | ## See https://cloud.ibm.com/docs/containers?topic=containers-file_storage#file_dynamic_statefulset 1002 | ## 1003 | requests: {} 1004 | ## @param persistence.volumeClaimTemplates.dataSource Add dataSource to the VolumeClaimTemplate 1005 | ## 1006 | dataSource: {} 1007 | 1008 | ## @section RBAC parameters 1009 | ## 1010 | 1011 | ## ServiceAccount 1012 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ 1013 | ## 1014 | serviceAccount: 1015 | ## @param serviceAccount.create Enable creation of ServiceAccount for MongoDB(®) pods 1016 | ## 1017 | create: true 1018 | ## @param serviceAccount.name Name of the created serviceAccount 1019 | ## If not set and create is true, a name is generated using the mongodb.fullname template 1020 | ## 1021 | name: "" 1022 | ## @param serviceAccount.annotations Additional Service Account annotations 1023 | ## 1024 | annotations: {} 1025 | ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created 1026 | ## Set to false when the pods using this ServiceAccount do not need to call the K8s API, so the token is not mounted into them 1027 | ## 1028 | automountServiceAccountToken: true 1029 | ## Role Based Access 1030 | ## ref: https://kubernetes.io/docs/admin/authorization/rbac/ 1031 | ## 1032 | rbac: 1033 | ## @param rbac.create Whether to create & use RBAC resources or not 1034 | ## binding the MongoDB(®) ServiceAccount to a role 1035 | ## that allows MongoDB(®) pods to query the K8s API 1036 | ## this needs to be set to 'true' to enable the mongo-labeler sidecar primary mongodb discovery 1037 | ## 1038 | 
create: true 1039 | ## @param rbac.rules Custom rules to create following the role specification 1040 | ## The rules below are enabled so the 'mongo-labeler' sidecar can dynamically discover the primary mongodb pod; they are namespace-wide (no resourceNames restriction), so the `update` verb lets this ServiceAccount modify labels on any pod in the namespace. Example: 1041 | ## rules: 1042 | ## - apiGroups: 1043 | ## - "" 1044 | ## resources: 1045 | ## - pods 1046 | ## verbs: 1047 | ## - get 1048 | ## - list 1049 | ## - watch 1050 | ## - update 1051 | ## 1052 | rules: 1053 | - apiGroups: 1054 | - "" 1055 | resources: 1056 | - pods 1057 | verbs: 1058 | - get 1059 | - list 1060 | - watch 1061 | - update 1062 | ## PodSecurityPolicy configuration 1063 | ## Be sure to also set rbac.create to true, otherwise Role and RoleBinding won't be created. 1064 | ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ 1065 | ## 1066 | podSecurityPolicy: 1067 | ## @param podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later 1068 | ## 1069 | create: false 1070 | ## @param podSecurityPolicy.allowPrivilegeEscalation Enable privilege escalation 1071 | ## Either use predefined policy with some adjustments or use `podSecurityPolicy.spec` 1072 | ## 1073 | allowPrivilegeEscalation: false 1074 | ## @param podSecurityPolicy.privileged Allow privileged 1075 | ## 1076 | privileged: false 1077 | ## @param podSecurityPolicy.spec Specify the full spec to use for Pod Security Policy 1078 | ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ 1079 | ## Defining a spec ignores the above values. 
1080 | ## 1081 | spec: {} 1082 | ## Example: 1083 | ## allowPrivilegeEscalation: false 1084 | ## fsGroup: 1085 | ## rule: 'MustRunAs' 1086 | ## ranges: 1087 | ## - min: 1001 1088 | ## max: 1001 1089 | ## hostIPC: false 1090 | ## hostNetwork: false 1091 | ## hostPID: false 1092 | ## privileged: false 1093 | ## readOnlyRootFilesystem: false 1094 | ## requiredDropCapabilities: 1095 | ## - ALL 1096 | ## runAsUser: 1097 | ## rule: 'MustRunAs' 1098 | ## ranges: 1099 | ## - min: 1001 1100 | ## max: 1001 1101 | ## seLinux: 1102 | ## rule: 'RunAsAny' 1103 | ## supplementalGroups: 1104 | ## rule: 'MustRunAs' 1105 | ## ranges: 1106 | ## - min: 1001 1107 | ## max: 1001 1108 | ## volumes: 1109 | ## - 'configMap' 1110 | ## - 'secret' 1111 | ## - 'emptyDir' 1112 | ## - 'persistentVolumeClaim' 1113 | ## 1114 | 1115 | ## @section Volume Permissions parameters 1116 | ## 1117 | ## Init Container parameters 1118 | ## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component 1119 | ## values from the securityContext section of the component 1120 | ## 1121 | volumePermissions: 1122 | ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` 1123 | ## 1124 | enabled: false 1125 | ## @param volumePermissions.image.registry Init container volume-permissions image registry 1126 | ## @param volumePermissions.image.repository Init container volume-permissions image repository 1127 | ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) 1128 | ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy 1129 | ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array 1130 | ## 1131 | image: 1132 | registry: docker.io 1133 | repository: bitnami/bitnami-shell 1134 | tag: 10-debian-10-r410 1135 | ## Specify a 
imagePullPolicy 1136 | ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 1137 | ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images 1138 | ## 1139 | pullPolicy: IfNotPresent 1140 | ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) 1141 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ 1142 | ## Example: 1143 | ## pullSecrets: 1144 | ## - myRegistryKeySecretName 1145 | ## 1146 | pullSecrets: [] 1147 | ## Init Container resource requests and limits 1148 | ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ 1149 | ## We usually recommend not to specify default resources and to leave this as a conscious 1150 | ## choice for the user. This also increases chances charts run on environments with little 1151 | ## resources, such as Minikube. If you do want to specify resources, uncomment the following 1152 | ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
1153 | ## @param volumePermissions.resources.limits Init container volume-permissions resource limits 1154 | ## @param volumePermissions.resources.requests Init container volume-permissions resource requests 1155 | ## 1156 | resources: 1157 | ## Example: 1158 | ## limits: 1159 | ## cpu: 100m 1160 | ## memory: 128Mi 1161 | ## 1162 | limits: {} 1163 | ## Examples: 1164 | ## requests: 1165 | ## cpu: 100m 1166 | ## memory: 128Mi 1167 | ## 1168 | requests: {} 1169 | ## Init container Security Context 1170 | ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser 1171 | ## and not the below volumePermissions.securityContext.runAsUser 1172 | ## When runAsUser is set to the special value "auto", the init container will try to chown the 1173 | ## data folder to an auto-determined user&group, using the commands: `id -u`:`id -G | cut -d" " -f2` 1174 | ## "auto" is especially useful for OpenShift, which has SCCs with dynamic user IDs (and 0 is not allowed). 1175 | ## You may want to use volumePermissions.securityContext.runAsUser="auto" in combination with 1176 | ## podSecurityContext.enabled=false, containerSecurityContext.enabled=false and shmVolume.chmod.enabled=false 1177 | ## @param volumePermissions.securityContext.runAsUser User ID for the volumePermissions container (defaults to 0, i.e. root; the container only runs when volumePermissions.enabled=true) 1178 | ## 1179 | securityContext: 1180 | runAsUser: 0 1181 | 1182 | ## @section Arbiter parameters 1183 | ## 1184 | 1185 | arbiter: 1186 | ## @param arbiter.enabled Enable deploying the arbiter 1187 | ## https://docs.mongodb.com/manual/tutorial/add-replica-set-arbiter/ 1188 | ## 1189 | # enabled: true 1190 | enabled: ${arbiterValue} 1191 | ## @param arbiter.hostAliases Add deployment host aliases 1192 | ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ 1193 | ## 1194 | hostAliases: [] 1195 | ## @param arbiter.configuration Arbiter configuration file to be used 1196 | ## http://docs.mongodb.org/manual/reference/configuration-options/ 1197 
| ## 1198 | configuration: "" 1199 | ## @param arbiter.existingConfigmap Name of existing ConfigMap with Arbiter configuration 1200 | ## NOTE: When it's set the arbiter.configuration parameter is ignored 1201 | ## 1202 | existingConfigmap: "" 1203 | ## Command and args for running the container (set to default if not set). Use array form 1204 | ## @param arbiter.command Override default container command (useful when using custom images) 1205 | ## @param arbiter.args Override default container args (useful when using custom images) 1206 | ## 1207 | command: [] 1208 | args: [] 1209 | ## @param arbiter.extraFlags Arbiter additional command line flags 1210 | ## Example: 1211 | ## extraFlags: 1212 | ## - "--wiredTigerCacheSizeGB=2" 1213 | ## 1214 | extraFlags: [] 1215 | ## @param arbiter.extraEnvVars Extra environment variables to add to Arbiter pods 1216 | ## E.g: 1217 | ## extraEnvVars: 1218 | ## - name: FOO 1219 | ## value: BAR 1220 | ## 1221 | extraEnvVars: [] 1222 | ## @param arbiter.extraEnvVarsCM Name of existing ConfigMap containing extra env vars 1223 | ## 1224 | extraEnvVarsCM: "" 1225 | ## @param arbiter.extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) 1226 | ## 1227 | extraEnvVarsSecret: "" 1228 | ## @param arbiter.annotations Additional annotations to be added to the Arbiter statefulset 1229 | ## 1230 | annotations: {} 1231 | ## @param arbiter.labels Additional labels to be added to the Arbiter statefulset 1232 | ## 1233 | labels: {} 1234 | ## @param arbiter.topologySpreadConstraints MongoDB(®) Spread Constraints for arbiter Pods 1235 | ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ 1236 | ## 1237 | topologySpreadConstraints: [] 1238 | ## @param arbiter.lifecycleHooks LifecycleHook for the Arbiter container to automate configuration before or after startup 1239 | ## 1240 | lifecycleHooks: {} 1241 | ## @param arbiter.terminationGracePeriodSeconds Arbiter Termination Grace 
Period 1242 | ## 1243 | terminationGracePeriodSeconds: "" 1244 | ## @param arbiter.updateStrategy.type Strategy that will be employed to update Pods in the StatefulSet 1245 | ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies 1246 | ## updateStrategy: 1247 | ## type: RollingUpdate 1248 | ## rollingUpdate: 1249 | ## maxSurge: 25% 1250 | ## maxUnavailable: 25% 1251 | ## 1252 | updateStrategy: 1253 | type: RollingUpdate 1254 | ## @param arbiter.podManagementPolicy Pod management policy for MongoDB(®) 1255 | ## Should be initialized one by one when building the replicaset for the first time 1256 | ## 1257 | podManagementPolicy: OrderedReady 1258 | ## @param arbiter.schedulerName Name of the scheduler (other than default) to dispatch pods 1259 | ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ 1260 | ## 1261 | schedulerName: "" 1262 | ## @param arbiter.podAffinityPreset Arbiter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` 1263 | ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity 1264 | ## 1265 | podAffinityPreset: "" 1266 | ## @param arbiter.podAntiAffinityPreset Arbiter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` 1267 | ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity 1268 | ## 1269 | podAntiAffinityPreset: soft 1270 | ## Node affinity preset 1271 | ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity 1272 | ## 1273 | nodeAffinityPreset: 1274 | ## @param arbiter.nodeAffinityPreset.type Arbiter Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` 1275 | ## 1276 | type: "" 1277 | ## @param arbiter.nodeAffinityPreset.key Arbiter Node label key to match Ignored if `affinity` is set. 
1278 | ## E.g. 1279 | ## key: "kubernetes.io/e2e-az-name" 1280 | ## 1281 | key: "" 1282 | ## @param arbiter.nodeAffinityPreset.values Arbiter Node label values to match. Ignored if `affinity` is set. 1283 | ## E.g. 1284 | ## values: 1285 | ## - e2e-az1 1286 | ## - e2e-az2 1287 | ## 1288 | values: [] 1289 | ## @param arbiter.affinity Arbiter Affinity for pod assignment 1290 | ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity 1291 | ## Note: arbiter.podAffinityPreset, arbiter.podAntiAffinityPreset, and arbiter.nodeAffinityPreset will be ignored when it's set 1292 | ## 1293 | affinity: {} 1294 | ## @param arbiter.nodeSelector Arbiter Node labels for pod assignment 1295 | ## ref: https://kubernetes.io/docs/user-guide/node-selection/ 1296 | ## 1297 | nodeSelector: {} 1298 | ## @param arbiter.tolerations Arbiter Tolerations for pod assignment 1299 | ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ 1300 | ## 1301 | tolerations: [] 1302 | ## @param arbiter.podLabels Arbiter pod labels 1303 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ 1304 | ## 1305 | podLabels: {} 1306 | ## @param arbiter.podAnnotations Arbiter Pod annotations 1307 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ 1308 | ## 1309 | podAnnotations: 1310 | co.elastic.logs/enabled: "true" 1311 | co.elastic.logs/module: mongodb 1312 | ## @param arbiter.priorityClassName Name of the existing priority class to be used by Arbiter pod(s) 1313 | ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ 1314 | ## 1315 | priorityClassName: "" 1316 | ## @param arbiter.runtimeClassName Name of the runtime class to be used by Arbiter pod(s) 1317 | ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ 1318 | ## 1319 | runtimeClassName: "" 1320 | ## MongoDB Kubernetes Terraform Module(®) Arbiter pods' Security Context. 
1321 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod 1322 | ## @param arbiter.podSecurityContext.enabled Enable Arbiter pod(s)' Security Context 1323 | ## @param arbiter.podSecurityContext.fsGroup Group ID for the volumes of the Arbiter pod(s) 1324 | ## @param arbiter.podSecurityContext.sysctls sysctl settings of the Arbiter pod(s)' 1325 | ## 1326 | podSecurityContext: 1327 | enabled: true 1328 | fsGroup: 1001 1329 | ## sysctl settings 1330 | ## Example: 1331 | ## sysctls: 1332 | ## - name: net.core.somaxconn 1333 | ## value: "10000" 1334 | ## 1335 | sysctls: [] 1336 | ## MongoDB Kubernetes Terraform Module(®) Arbiter containers' Security Context (only main container). 1337 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container 1338 | ## @param arbiter.containerSecurityContext.enabled Enable Arbiter container(s)' Security Context 1339 | ## @param arbiter.containerSecurityContext.runAsUser User ID for the Arbiter container 1340 | ## @param arbiter.containerSecurityContext.runAsNonRoot Set Arbiter containers' Security Context runAsNonRoot 1341 | ## 1342 | containerSecurityContext: 1343 | enabled: true 1344 | runAsUser: 1001 1345 | runAsNonRoot: true 1346 | ## MongoDB Kubernetes Terraform Module(®) Arbiter containers' resource requests and limits. 1347 | ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ 1348 | ## We usually recommend not to specify default resources and to leave this as a conscious 1349 | ## choice for the user. This also increases chances charts run on environments with little 1350 | ## resources, such as Minikube. If you do want to specify resources, uncomment the following 1351 | ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
1352 | ## @param arbiter.resources.limits The resources limits for Arbiter containers 1353 | ## @param arbiter.resources.requests The requested resources for Arbiter containers 1354 | ## 1355 | resources: {} 1356 | ## Example: 1357 | ## limits: 1358 | ## cpu: 100m 1359 | ## memory: 128Mi 1360 | ## 1361 | # limits: 1362 | # cpu: 200m 1363 | # memory: 500Mi 1364 | ## Examples: 1365 | ## requests: 1366 | ## cpu: 100m 1367 | ## memory: 128Mi 1368 | ## 1369 | # requests: 1370 | # cpu: 100m 1371 | # memory: 250Mi 1372 | ## @param arbiter.containerPorts.mongodb MongoDB(®) arbiter container port 1373 | ## 1374 | containerPorts: 1375 | mongodb: 27017 1376 | ## MongoDB Kubernetes Terraform Module(®) Arbiter pods' liveness probe. Evaluated as a template. 1377 | ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 1378 | ## @param arbiter.livenessProbe.enabled Enable livenessProbe 1379 | ## @param arbiter.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe 1380 | ## @param arbiter.livenessProbe.periodSeconds Period seconds for livenessProbe 1381 | ## @param arbiter.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe 1382 | ## @param arbiter.livenessProbe.failureThreshold Failure threshold for livenessProbe 1383 | ## @param arbiter.livenessProbe.successThreshold Success threshold for livenessProbe 1384 | ## 1385 | livenessProbe: 1386 | enabled: true 1387 | initialDelaySeconds: 30 1388 | periodSeconds: 20 1389 | timeoutSeconds: 10 1390 | failureThreshold: 6 1391 | successThreshold: 1 1392 | ## MongoDB Kubernetes Terraform Module(®) Arbiter pods' readiness probe. Evaluated as a template. 
1393 | ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 1394 | ## @param arbiter.readinessProbe.enabled Enable readinessProbe 1395 | ## @param arbiter.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe 1396 | ## @param arbiter.readinessProbe.periodSeconds Period seconds for readinessProbe 1397 | ## @param arbiter.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe 1398 | ## @param arbiter.readinessProbe.failureThreshold Failure threshold for readinessProbe 1399 | ## @param arbiter.readinessProbe.successThreshold Success threshold for readinessProbe 1400 | ## 1401 | readinessProbe: 1402 | enabled: true 1403 | initialDelaySeconds: 5 1404 | periodSeconds: 20 1405 | timeoutSeconds: 10 1406 | failureThreshold: 6 1407 | successThreshold: 1 1408 | ## MongoDB Kubernetes Terraform Module(®) Arbiter pods' startup probe. Evaluated as a template. 1409 | ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 1410 | ## @param arbiter.startupProbe.enabled Enable startupProbe 1411 | ## @param arbiter.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe 1412 | ## @param arbiter.startupProbe.periodSeconds Period seconds for startupProbe 1413 | ## @param arbiter.startupProbe.timeoutSeconds Timeout seconds for startupProbe 1414 | ## @param arbiter.startupProbe.failureThreshold Failure threshold for startupProbe 1415 | ## @param arbiter.startupProbe.successThreshold Success threshold for startupProbe 1416 | ## 1417 | startupProbe: 1418 | enabled: false 1419 | initialDelaySeconds: 5 1420 | periodSeconds: 10 1421 | timeoutSeconds: 5 1422 | successThreshold: 1 1423 | failureThreshold: 30 1424 | ## @param arbiter.customLivenessProbe Override default liveness probe for Arbiter containers 1425 | ## Ignored when arbiter.livenessProbe.enabled=true 1426 | ## 1427 | customLivenessProbe: {} 1428 | ## @param arbiter.customReadinessProbe Override default readiness 
probe for Arbiter containers 1429 | ## Ignored when arbiter.readinessProbe.enabled=true 1430 | ## 1431 | customReadinessProbe: {} 1432 | ## @param arbiter.customStartupProbe Override default startup probe for Arbiter containers 1433 | ## Ignored when arbiter.startupProbe.enabled=true 1434 | ## 1435 | customStartupProbe: {} 1436 | ## @param arbiter.initContainers Add additional init containers for the Arbiter pod(s) 1437 | ## Example: 1438 | ## initContainers: 1439 | ## - name: your-image-name 1440 | ## image: your-image 1441 | ## imagePullPolicy: Always 1442 | ## ports: 1443 | ## - name: portname 1444 | ## containerPort: 1234 1445 | ## 1446 | initContainers: [] 1447 | ## @param arbiter.sidecars Add additional sidecar containers for the Arbiter pod(s) 1448 | ## Example: 1449 | ## sidecars: 1450 | ## - name: your-image-name 1451 | ## image: your-image 1452 | ## imagePullPolicy: Always 1453 | ## ports: 1454 | ## - name: portname 1455 | ## containerPort: 1234 1456 | ## 1457 | sidecars: [] 1458 | ## @param arbiter.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Arbiter container(s) 1459 | ## Examples: 1460 | ## extraVolumeMounts: 1461 | ## - name: extras 1462 | ## mountPath: /usr/share/extras 1463 | ## readOnly: true 1464 | ## 1465 | extraVolumeMounts: [] 1466 | ## @param arbiter.extraVolumes Optionally specify extra list of additional volumes to the Arbiter statefulset 1467 | ## extraVolumes: 1468 | ## - name: extras 1469 | ## emptyDir: {} 1470 | ## 1471 | extraVolumes: [] 1472 | ## MongoDB Kubernetes Terraform Module(®) Arbiter Pod Disruption Budget configuration 1473 | ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ 1474 | ## 1475 | pdb: 1476 | ## @param arbiter.pdb.create Enable/disable a Pod Disruption Budget creation for Arbiter pod(s) 1477 | ## 1478 | create: false 1479 | ## @param arbiter.pdb.minAvailable Minimum number/percentage of Arbiter pods that should remain scheduled 1480 | ## 1481 | 
minAvailable: 1 1482 | ## @param arbiter.pdb.maxUnavailable Maximum number/percentage of Arbiter pods that may be made unavailable 1483 | ## 1484 | maxUnavailable: "" 1485 | ## MongoDB Kubernetes Terraform Module(®) Arbiter service parameters 1486 | ## 1487 | service: 1488 | ## @param arbiter.service.nameOverride The arbiter service name 1489 | ## 1490 | nameOverride: "" 1491 | ## @param arbiter.service.ports.mongodb MongoDB(®) service port 1492 | ## 1493 | ports: 1494 | mongodb: 27017 1495 | ## @param arbiter.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) 1496 | ## 1497 | extraPorts: [] 1498 | ## @param arbiter.service.annotations Provide any additional annotations that may be required 1499 | ## 1500 | annotations: {} 1501 | 1502 | ## @section Hidden Node parameters 1503 | ## 1504 | 1505 | hidden: 1506 | ## @param hidden.enabled Enable deploying the hidden nodes 1507 | ## https://docs.mongodb.com/manual/tutorial/configure-a-hidden-replica-set-member/ 1508 | ## 1509 | enabled: false 1510 | ## @param hidden.hostAliases Add deployment host aliases 1511 | ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ 1512 | ## 1513 | hostAliases: [] 1514 | ## @param hidden.configuration Hidden node configuration file to be used 1515 | ## http://docs.mongodb.org/manual/reference/configuration-options/ 1516 | ## 1517 | configuration: "" 1518 | ## @param hidden.existingConfigmap Name of existing ConfigMap with Hidden node configuration 1519 | ## NOTE: When it's set the hidden.configuration parameter is ignored 1520 | ## 1521 | existingConfigmap: "" 1522 | ## Command and args for running the container (set to default if not set). 
Use array form 1523 | ## @param hidden.command Override default container command (useful when using custom images) 1524 | ## @param hidden.args Override default container args (useful when using custom images) 1525 | ## 1526 | command: [] 1527 | args: [] 1528 | ## @param hidden.extraFlags Hidden node additional command line flags 1529 | ## Example: 1530 | ## extraFlags: 1531 | ## - "--wiredTigerCacheSizeGB=2" 1532 | ## 1533 | extraFlags: [] 1534 | ## @param hidden.extraEnvVars Extra environment variables to add to Hidden node pods 1535 | ## E.g: 1536 | ## extraEnvVars: 1537 | ## - name: FOO 1538 | ## value: BAR 1539 | ## 1540 | extraEnvVars: [] 1541 | ## @param hidden.extraEnvVarsCM Name of existing ConfigMap containing extra env vars 1542 | ## 1543 | extraEnvVarsCM: "" 1544 | ## @param hidden.extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) 1545 | ## 1546 | extraEnvVarsSecret: "" 1547 | ## @param hidden.annotations Additional annotations to be added to the hidden node statefulset 1548 | ## 1549 | annotations: {} 1550 | ## @param hidden.labels Additional labels to be added to the hidden node statefulset 1551 | ## 1552 | labels: {} 1553 | ## @param hidden.topologySpreadConstraints MongoDB(®) Spread Constraints for hidden Pods 1554 | ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ 1555 | ## 1556 | topologySpreadConstraints: [] 1557 | ## @param hidden.lifecycleHooks LifecycleHook for the Hidden container to automate configuration before or after startup 1558 | ## 1559 | lifecycleHooks: {} 1560 | ## @param hidden.replicaCount Number of hidden nodes (only when `architecture=replicaset`) 1561 | ## Ignored when mongodb.architecture=standalone 1562 | ## 1563 | replicaCount: 1 1564 | ## @param hidden.terminationGracePeriodSeconds Hidden Termination Grace Period 1565 | ## 1566 | terminationGracePeriodSeconds: "" 1567 | ## @param hidden.updateStrategy.type Strategy that will be employed to update 
Pods in the StatefulSet 1568 | ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies 1569 | ## updateStrategy: 1570 | ## type: RollingUpdate 1571 | ## rollingUpdate: 1572 | ## maxSurge: 25% 1573 | ## maxUnavailable: 25% 1574 | ## 1575 | updateStrategy: 1576 | type: RollingUpdate 1577 | ## @param hidden.podManagementPolicy Pod management policy for hidden node 1578 | ## 1579 | podManagementPolicy: OrderedReady 1580 | ## @param hidden.schedulerName Name of the scheduler (other than default) to dispatch pods 1581 | ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ 1582 | ## 1583 | schedulerName: "" 1584 | ## @param hidden.podAffinityPreset Hidden node Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` 1585 | ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity 1586 | ## 1587 | podAffinityPreset: "" 1588 | ## @param hidden.podAntiAffinityPreset Hidden node Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` 1589 | ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity 1590 | ## 1591 | podAntiAffinityPreset: soft 1592 | ## Node affinity preset 1593 | ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity 1594 | ## Allowed values: soft, hard 1595 | ## 1596 | nodeAffinityPreset: 1597 | ## @param hidden.nodeAffinityPreset.type Hidden Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` 1598 | ## 1599 | type: "" 1600 | ## @param hidden.nodeAffinityPreset.key Hidden Node label key to match Ignored if `affinity` is set. 1601 | ## E.g. 1602 | ## key: "kubernetes.io/e2e-az-name" 1603 | ## 1604 | key: "" 1605 | ## @param hidden.nodeAffinityPreset.values Hidden Node label values to match. Ignored if `affinity` is set. 
1606 | ## E.g. 1607 | ## values: 1608 | ## - e2e-az1 1609 | ## - e2e-az2 1610 | ## 1611 | values: [] 1612 | ## @param hidden.affinity Hidden node Affinity for pod assignment 1613 | ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity 1614 | ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set 1615 | ## 1616 | affinity: {} 1617 | ## @param hidden.nodeSelector Hidden node Node labels for pod assignment 1618 | ## ref: https://kubernetes.io/docs/user-guide/node-selection/ 1619 | ## 1620 | nodeSelector: {} 1621 | ## @param hidden.tolerations Hidden node Tolerations for pod assignment 1622 | ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ 1623 | ## 1624 | tolerations: [] 1625 | ## @param hidden.podLabels Hidden node pod labels 1626 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ 1627 | ## 1628 | podLabels: {} 1629 | ## @param hidden.podAnnotations Hidden node Pod annotations 1630 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ 1631 | ## 1632 | podAnnotations: 1633 | co.elastic.logs/enabled: "true" 1634 | co.elastic.logs/module: mongodb 1635 | ## @param hidden.priorityClassName Name of the existing priority class to be used by hidden node pod(s) 1636 | ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ 1637 | ## 1638 | priorityClassName: "" 1639 | ## @param hidden.runtimeClassName Name of the runtime class to be used by hidden node pod(s) 1640 | ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ 1641 | ## 1642 | runtimeClassName: "" 1643 | ## MongoDB Kubernetes Terraform Module(®) Hidden pods' Security Context. 
1644 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod 1645 | ## @param hidden.podSecurityContext.enabled Enable Hidden pod(s)' Security Context 1646 | ## @param hidden.podSecurityContext.fsGroup Group ID for the volumes of the Hidden pod(s) 1647 | ## @param hidden.podSecurityContext.sysctls sysctl settings of the Hidden pod(s)' 1648 | ## 1649 | podSecurityContext: 1650 | enabled: true 1651 | fsGroup: 1001 1652 | ## sysctl settings 1653 | ## Example: 1654 | ## sysctls: 1655 | ## - name: net.core.somaxconn 1656 | ## value: "10000" 1657 | ## 1658 | sysctls: [] 1659 | ## MongoDB Kubernetes Terraform Module(®) Hidden containers' Security Context (only main container). 1660 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container 1661 | ## @param hidden.containerSecurityContext.enabled Enable Hidden container(s)' Security Context 1662 | ## @param hidden.containerSecurityContext.runAsUser User ID for the Hidden container 1663 | ## @param hidden.containerSecurityContext.runAsNonRoot Set Hidden containers' Security Context runAsNonRoot 1664 | ## 1665 | containerSecurityContext: 1666 | enabled: true 1667 | runAsUser: 1001 1668 | runAsNonRoot: true 1669 | ## MongoDB Kubernetes Terraform Module(®) Hidden containers' resource requests and limits. 1670 | ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ 1671 | ## We usually recommend not to specify default resources and to leave this as a conscious 1672 | ## choice for the user. This also increases chances charts run on environments with little 1673 | ## resources, such as Minikube. If you do want to specify resources, uncomment the following 1674 | ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
1675 | ## @param hidden.resources.limits The resources limits for hidden node containers 1676 | ## @param hidden.resources.requests The requested resources for hidden node containers 1677 | ## 1678 | resources: 1679 | ## Example: 1680 | ## limits: 1681 | ## cpu: 100m 1682 | ## memory: 128Mi 1683 | ## 1684 | limits: {} 1685 | ## Examples: 1686 | ## requests: 1687 | ## cpu: 100m 1688 | ## memory: 128Mi 1689 | ## 1690 | requests: {} 1691 | ## @param hidden.containerPorts.mongodb MongoDB(®) hidden container port 1692 | containerPorts: 1693 | mongodb: 27017 1694 | ## MongoDB Kubernetes Terraform Module(®) Hidden pods' liveness probe. Evaluated as a template. 1695 | ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 1696 | ## @param hidden.livenessProbe.enabled Enable livenessProbe 1697 | ## @param hidden.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe 1698 | ## @param hidden.livenessProbe.periodSeconds Period seconds for livenessProbe 1699 | ## @param hidden.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe 1700 | ## @param hidden.livenessProbe.failureThreshold Failure threshold for livenessProbe 1701 | ## @param hidden.livenessProbe.successThreshold Success threshold for livenessProbe 1702 | ## 1703 | livenessProbe: 1704 | enabled: true 1705 | initialDelaySeconds: 30 1706 | periodSeconds: 20 1707 | timeoutSeconds: 10 1708 | failureThreshold: 6 1709 | successThreshold: 1 1710 | ## MongoDB Kubernetes Terraform Module(®) Hidden pods' readiness probe. Evaluated as a template. 
1711 | ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 1712 | ## @param hidden.readinessProbe.enabled Enable readinessProbe 1713 | ## @param hidden.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe 1714 | ## @param hidden.readinessProbe.periodSeconds Period seconds for readinessProbe 1715 | ## @param hidden.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe 1716 | ## @param hidden.readinessProbe.failureThreshold Failure threshold for readinessProbe 1717 | ## @param hidden.readinessProbe.successThreshold Success threshold for readinessProbe 1718 | ## 1719 | readinessProbe: 1720 | enabled: true 1721 | initialDelaySeconds: 5 1722 | periodSeconds: 20 1723 | timeoutSeconds: 10 1724 | failureThreshold: 6 1725 | successThreshold: 1 1726 | ## Slow starting containers can be protected through startup probes 1727 | ## Startup probes are available in Kubernetes version 1.16 and above 1728 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes 1729 | ## @param hidden.startupProbe.enabled Enable startupProbe 1730 | ## @param hidden.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe 1731 | ## @param hidden.startupProbe.periodSeconds Period seconds for startupProbe 1732 | ## @param hidden.startupProbe.timeoutSeconds Timeout seconds for startupProbe 1733 | ## @param hidden.startupProbe.failureThreshold Failure threshold for startupProbe 1734 | ## @param hidden.startupProbe.successThreshold Success threshold for startupProbe 1735 | ## 1736 | startupProbe: 1737 | enabled: false 1738 | initialDelaySeconds: 5 1739 | periodSeconds: 10 1740 | timeoutSeconds: 5 1741 | successThreshold: 1 1742 | failureThreshold: 30 1743 | ## @param hidden.customLivenessProbe Override default liveness probe for hidden node containers 1744 | ## Ignored when hidden.livenessProbe.enabled=true 1745 | ## 1746 | 
customLivenessProbe: {} 1747 | ## @param hidden.customReadinessProbe Override default readiness probe for hidden node containers 1748 | ## Ignored when hidden.readinessProbe.enabled=true 1749 | ## 1750 | customReadinessProbe: {} 1751 | ## @param hidden.customStartupProbe Override default startup probe for MongoDB(®) containers 1752 | ## Ignored when hidden.startupProbe.enabled=true 1753 | ## 1754 | customStartupProbe: {} 1755 | ## @param hidden.initContainers Add init containers to the MongoDB(®) Hidden pods. 1756 | ## Example: 1757 | ## initContainers: 1758 | ## - name: your-image-name 1759 | ## image: your-image 1760 | ## imagePullPolicy: Always 1761 | ## ports: 1762 | ## - name: portname 1763 | ## containerPort: 1234 1764 | ## 1765 | initContainers: [] 1766 | ## @param hidden.sidecars Add additional sidecar containers for the hidden node pod(s) 1767 | ## Example: 1768 | ## sidecars: 1769 | ## - name: your-image-name 1770 | ## image: your-image 1771 | ## imagePullPolicy: Always 1772 | ## ports: 1773 | ## - name: portname 1774 | ## containerPort: 1234 1775 | ## 1776 | sidecars: [] 1777 | ## @param hidden.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the hidden node container(s) 1778 | ## Examples: 1779 | ## extraVolumeMounts: 1780 | ## - name: extras 1781 | ## mountPath: /usr/share/extras 1782 | ## readOnly: true 1783 | ## 1784 | extraVolumeMounts: [] 1785 | ## @param hidden.extraVolumes Optionally specify extra list of additional volumes to the hidden node statefulset 1786 | ## extraVolumes: 1787 | ## - name: extras 1788 | ## emptyDir: {} 1789 | ## 1790 | extraVolumes: [] 1791 | ## MongoDB Kubernetes Terraform Module(®) Hidden Pod Disruption Budget configuration 1792 | ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ 1793 | ## 1794 | pdb: 1795 | ## @param hidden.pdb.create Enable/disable a Pod Disruption Budget creation for hidden node pod(s) 1796 | ## 1797 | create: false 1798 | ## @param 
hidden.pdb.minAvailable Minimum number/percentage of hidden node pods that should remain scheduled 1799 | ## 1800 | minAvailable: 1 1801 | ## @param hidden.pdb.maxUnavailable Maximum number/percentage of hidden node pods that may be made unavailable 1802 | ## 1803 | maxUnavailable: "" 1804 | ## Enable persistence using Persistent Volume Claims 1805 | ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ 1806 | ## 1807 | persistence: 1808 | ## @param hidden.persistence.enabled Enable hidden node data persistence using PVC 1809 | ## 1810 | enabled: true 1811 | ## @param hidden.persistence.medium Provide a medium for `emptyDir` volumes. 1812 | ## Requires hidden.persistence.enabled: false 1813 | ## 1814 | medium: "" 1815 | ## @param hidden.persistence.storageClass PVC Storage Class for hidden node data volume 1816 | ## If defined, storageClassName: 1817 | ## If set to "-", storageClassName: "", which disables dynamic provisioning 1818 | ## If undefined (the default) or set to null, no storageClassName spec is 1819 | ## set, choosing the default provisioner. 1820 | ## 1821 | storageClass: "" 1822 | ## @param hidden.persistence.accessModes PV Access Mode 1823 | ## 1824 | accessModes: 1825 | - ReadWriteOnce 1826 | ## @param hidden.persistence.size PVC Storage Request for hidden node data volume 1827 | ## 1828 | size: 8Gi 1829 | ## @param hidden.persistence.annotations PVC annotations 1830 | ## 1831 | annotations: {} 1832 | ## @param hidden.persistence.mountPath The path the volume will be mounted at, useful when using different MongoDB(®) images. 1833 | ## 1834 | mountPath: /bitnami/mongodb 1835 | ## @param hidden.persistence.subPath The subdirectory of the volume to mount to, useful in dev environments 1836 | ## and one PV for multiple services. 
1837 | ## 1838 | subPath: "" 1839 | ## Fine tuning for volumeClaimTemplates 1840 | ## 1841 | volumeClaimTemplates: 1842 | ## @param hidden.persistence.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) 1843 | ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details 1844 | ## 1845 | selector: {} 1846 | ## @param hidden.persistence.volumeClaimTemplates.requests Custom PVC requests attributes 1847 | ## Sometime cloud providers use additional requests attributes to provision custom storage instance 1848 | ## See https://cloud.ibm.com/docs/containers?topic=containers-file_storage#file_dynamic_statefulset 1849 | ## 1850 | requests: {} 1851 | ## @param hidden.persistence.volumeClaimTemplates.dataSource Set volumeClaimTemplate dataSource 1852 | ## 1853 | dataSource: {} 1854 | service: 1855 | ## @param hidden.service.portName MongoDB(®) service port name 1856 | ## 1857 | portName: "mongodb" 1858 | ## @param hidden.service.ports.mongodb MongoDB(®) service port 1859 | ## 1860 | ports: 1861 | mongodb: 27017 1862 | ## @param hidden.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) 1863 | ## 1864 | extraPorts: [] 1865 | ## @param hidden.service.annotations Provide any additional annotations that may be required 1866 | ## 1867 | annotations: {} 1868 | 1869 | ## @section Metrics parameters 1870 | ## 1871 | 1872 | metrics: 1873 | ## @param metrics.enabled Enable using a sidecar Prometheus exporter 1874 | ## 1875 | enabled: true 1876 | ## Bitnami MongoDB(®) Promtheus Exporter image 1877 | ## ref: https://hub.docker.com/r/bitnami/mongodb-exporter/tags/ 1878 | ## @param metrics.image.registry MongoDB(®) Prometheus exporter image registry 1879 | ## @param metrics.image.repository MongoDB(®) Prometheus exporter image repository 1880 | ## @param metrics.image.tag MongoDB(®) Prometheus exporter image tag (immutable tags are recommended) 
1881 | ## @param metrics.image.pullPolicy MongoDB(®) Prometheus exporter image pull policy 1882 | ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array 1883 | ## 1884 | image: 1885 | registry: docker.io 1886 | repository: bitnami/mongodb-exporter 1887 | tag: 0.32.0-debian-10-r3 1888 | pullPolicy: IfNotPresent 1889 | ## Optionally specify an array of imagePullSecrets. 1890 | ## Secrets must be manually created in the namespace. 1891 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ 1892 | ## e.g: 1893 | ## pullSecrets: 1894 | ## - myRegistryKeySecretName 1895 | ## 1896 | pullSecrets: [] 1897 | 1898 | ## @param metrics.username String with username for the metrics exporter 1899 | ## If undefined the root user will be used for the metrics exporter 1900 | username: "" 1901 | ## @param metrics.password String with password for the metrics exporter 1902 | ## If undefined but metrics.username is defined, a random password will be generated 1903 | password: "" 1904 | ## @param metrics.extraFlags String with extra flags to the metrics exporter 1905 | ## ref: https://github.com/percona/mongodb_exporter/blob/master/mongodb_exporter.go 1906 | ## 1907 | extraFlags: "" 1908 | ## Metrics exporter container resource requests and limits 1909 | ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ 1910 | ## We usually recommend not to specify default resources and to leave this as a conscious 1911 | ## choice for the user. This also increases chances charts run on environments with little 1912 | ## resources, such as Minikube. If you do want to specify resources, uncomment the following 1913 | ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
1914 | ## @param metrics.resources.limits The resources limits for Prometheus exporter containers 1915 | ## @param metrics.resources.requests The requested resources for Prometheus exporter containers 1916 | ## 1917 | resources: {} 1918 | # limits: 1919 | # cpu: 100m 1920 | # memory: 128Mi 1921 | # requests: 1922 | # cpu: 100m 1923 | # memory: 128Mi 1924 | ## 1925 | ## @param metrics.containerPort Port of the Prometheus metrics container 1926 | ## 1927 | containerPort: 9216 1928 | ## Prometheus Exporter service configuration 1929 | ## 1930 | service: 1931 | ## @param metrics.service.annotations [object] Annotations for Prometheus Exporter pods. Evaluated as a template. 1932 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ 1933 | ## 1934 | annotations: 1935 | prometheus.io/scrape: "true" 1936 | prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" 1937 | prometheus.io/path: "/metrics" 1938 | ## @param metrics.service.type Type of the Prometheus metrics service 1939 | ## 1940 | type: ClusterIP 1941 | ## @param metrics.service.ports.metrics Port of the Prometheus metrics service 1942 | ## 1943 | ports: 1944 | metrics: 9216 1945 | ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) 1946 | ## 1947 | extraPorts: [] 1948 | ## Metrics exporter liveness probe 1949 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) 1950 | ## @param metrics.livenessProbe.enabled Enable livenessProbe 1951 | ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe 1952 | ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe 1953 | ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe 1954 | ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe 1955 | ## @param metrics.livenessProbe.successThreshold Success 
threshold for livenessProbe 1956 | ## 1957 | livenessProbe: 1958 | enabled: true 1959 | initialDelaySeconds: 15 1960 | periodSeconds: 5 1961 | timeoutSeconds: 5 1962 | failureThreshold: 3 1963 | successThreshold: 1 1964 | ## Metrics exporter readiness probe 1965 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) 1966 | ## @param metrics.readinessProbe.enabled Enable readinessProbe 1967 | ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe 1968 | ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe 1969 | ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe 1970 | ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe 1971 | ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe 1972 | ## 1973 | readinessProbe: 1974 | enabled: true 1975 | initialDelaySeconds: 30 1976 | periodSeconds: 5 1977 | timeoutSeconds: 15 1978 | failureThreshold: 3 1979 | successThreshold: 1 1980 | ## Slow starting containers can be protected through startup probes 1981 | ## Startup probes are available in Kubernetes version 1.16 and above 1982 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes 1983 | ## @param metrics.startupProbe.enabled Enable startupProbe 1984 | ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe 1985 | ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe 1986 | ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe 1987 | ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe 1988 | ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe 1989 | ## 1990 | startupProbe: 1991 | enabled: false 1992 | initialDelaySeconds: 5 
1993 | periodSeconds: 10 1994 | timeoutSeconds: 5 1995 | successThreshold: 1 1996 | failureThreshold: 30 1997 | ## @param metrics.customLivenessProbe Override default liveness probe for MongoDB(®) containers 1998 | ## Ignored when livenessProbe.enabled=true 1999 | ## 2000 | customLivenessProbe: {} 2001 | ## @param metrics.customReadinessProbe Override default readiness probe for MongoDB(®) containers 2002 | ## Ignored when readinessProbe.enabled=true 2003 | ## 2004 | customReadinessProbe: {} 2005 | ## @param metrics.customStartupProbe Override default startup probe for MongoDB(®) containers 2006 | ## Ignored when startupProbe.enabled=true 2007 | ## 2008 | customStartupProbe: {} 2009 | ## Prometheus Service Monitor 2010 | ## ref: https://github.com/coreos/prometheus-operator 2011 | ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md 2012 | ## 2013 | serviceMonitor: 2014 | ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator 2015 | ## 2016 | enabled: true 2017 | ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in 2018 | ## 2019 | namespace: ${namespace} 2020 | ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped 2021 | ## 2022 | interval: 30s 2023 | ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended 2024 | ## e.g: 2025 | ## scrapeTimeout: 30s 2026 | ## 2027 | scrapeTimeout: 10s 2028 | ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. 2029 | ## 2030 | relabelings: [] 2031 | ## @param metrics.serviceMonitor.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion. 
2032 | ## 2033 | metricRelabelings: [] 2034 | ## @param metrics.serviceMonitor.labels Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with 2035 | ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec 2036 | ## 2037 | labels: 2038 | release: prometheus-operator 2039 | ## @param metrics.serviceMonitor.selector Prometheus instance selector labels 2040 | ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration 2041 | ## 2042 | selector: {} 2043 | ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint 2044 | ## 2045 | honorLabels: false 2046 | ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. 2047 | ## 2048 | jobLabel: "" 2049 | ## Custom PrometheusRule to be defined 2050 | ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions 2051 | ## 2052 | prometheusRule: 2053 | ## @param metrics.prometheusRule.enabled Set this to true to create prometheusRules for Prometheus operator 2054 | ## 2055 | enabled: false 2056 | ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRules will be discovered by Prometheus 2057 | ## 2058 | additionalLabels: {} 2059 | ## @param metrics.prometheusRule.namespace Namespace where prometheusRules resource should be created 2060 | ## 2061 | namespace: "" 2062 | ## @param metrics.prometheusRule.rules Rules to be created, check values for an example 2063 | ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#rulegroup 2064 | ## https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ 2065 | ## 2066 | ## This is an example of a rule, you should add the below code block under the "rules" param, removing the brackets 2067 | ## rules: 2068 | ## - alert: 
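HighRequestLatency
    ##       expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5
    ##       for: 10m
    ##       labels:
    ##         severity: page
    ##       annotations:
    ##         summary: High request latency
    ##
    rules: []

--------------------------------------------------------------------------------
/helm/values/restore/values.yaml:
--------------------------------------------------------------------------------
## Full restore
## Rendered by templatefile() from main.tf; every ${...} below is substituted by
## Terraform before Helm sees the file.
auth:
  rootUser: root
  ## Quoted so a password that looks like a YAML scalar (digits, yes/no, ...)
  ## keeps its string type.
  rootPassword: "${mongodb_root_user_password}"

restore:
  bucket_uri: ${bucket_uri}
  file_name: ${file_name}
  aws_default_region: ${s3_bucket_region}
  azure_storage_account_name: ${azure_storage_account_name}
  ## Sensitive: a storage-account key grants full access to the account. It is
  ## rendered into the Helm release and therefore also lives in Terraform state.
  azure_storage_account_key: ${azure_storage_account_key}
  azure_container_name: ${azure_container_name}

## One "<key>: <value>" line selected in main.tf by bucket_provider_type; it is
## copied onto the restore job's ServiceAccount to bind its cloud identity.
annotations:
  ${annotations}

bucket_provider_type: ${bucket_provider_type}

affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: "Infra-Services"
              operator: In
              values:
                - "true"

restorejob:
  resources:
    requests:
      memory: 100Mi
      cpu: 50m
    limits:
      memory: 200Mi
      cpu: 100m

--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
locals {
  # Passed to the MongoDB chart values as `arbiterValue`: true whenever the
  # configured replica count is even (the `? true : false` suffix was redundant).
  arbiterValue = var.mongodb_config.replica_count % 2 == 0

  # Credentials are resolved once here so every release uses the same source;
  # previously the same conditional was repeated in four places.
  root_password     = var.mongodb_custom_credentials_enabled ? var.mongodb_custom_credentials_config.root_password : var.root_password
  exporter_password = var.mongodb_custom_credentials_enabled ? var.mongodb_custom_credentials_config.metric_exporter_password : var.metric_exporter_password

  # ServiceAccount annotation that binds the backup/restore job to a cloud
  # identity (IRSA on EKS, Workload Identity on GKE, workload identity on AKS).
  # Empty string for any other provider. Keys are written without a space
  # before the colon so all three providers produce the same shape.
  backup_sa_annotation  = var.bucket_provider_type == "s3" ? "eks.amazonaws.com/role-arn: ${var.iam_role_arn_backup}" : var.bucket_provider_type == "gcs" ? "iam.gke.io/gcp-service-account: ${var.service_account_backup}" : var.bucket_provider_type == "azure" ? "azure.workload.identity/client-id: ${var.az_account_backup}" : ""
  restore_sa_annotation = var.bucket_provider_type == "s3" ? "eks.amazonaws.com/role-arn: ${var.iam_role_arn_restore}" : var.bucket_provider_type == "gcs" ? "iam.gke.io/gcp-service-account: ${var.service_account_restore}" : var.bucket_provider_type == "azure" ? "azure.workload.identity/client-id: ${var.az_account_restore}" : ""
}

# Generated credentials, only when the caller does not supply custom ones.
# Their values are recorded in Terraform state; treat the state as sensitive.
resource "random_password" "mongodb_root_password" {
  count   = var.mongodb_custom_credentials_enabled ? 0 : 1
  length  = 20
  special = false
}

resource "random_password" "mongodb_exporter_password" {
  count   = var.mongodb_custom_credentials_enabled ? 0 : 1
  length  = 20
  special = false
}

resource "kubernetes_namespace" "mongodb" {
  count = var.create_namespace ? 1 : 0
  metadata {
    annotations = {}
    name        = var.namespace
  }
}

# Bitnami MongoDB chart. The templated values file receives the root and
# exporter passwords, so the rendered values end up in the Helm release
# Secret and in Terraform state.
resource "helm_release" "mongodb" {
  depends_on = [kubernetes_namespace.mongodb]
  name       = "mongodb"
  chart      = "mongodb"
  version    = var.chart_version
  timeout    = 600
  namespace  = var.namespace
  repository = "https://charts.bitnami.com/bitnami"
  values = [
    templatefile("${path.module}/helm/values/mongodb/values.yaml", {
      namespace                  = var.namespace
      app_version                = var.app_version
      volume_size                = var.mongodb_config.volume_size
      architecture               = var.mongodb_config.architecture
      replicacount               = var.mongodb_config.replica_count
      arbiterValue               = local.arbiterValue
      custom_databases           = var.mongodb_config.custom_databases
      custom_databases_usernames = var.mongodb_config.custom_databases_usernames
      custom_databases_passwords = var.mongodb_config.custom_databases_passwords
      storage_class_name         = var.mongodb_config.storage_class_name
      mongodb_exporter_password  = local.exporter_password
      mongodb_root_user_password = local.root_password
    }),
    var.mongodb_config.values_yaml
  ]
}

# Local chart (modules/backup) running a CronJob that dumps the database to a
# bucket. Provider-specific settings are blanked for the providers not in use.
resource "helm_release" "mongodb_backup" {
  depends_on = [helm_release.mongodb]
  count      = var.mongodb_backup_enabled ? 1 : 0
  name       = "mongodb-backup"
  chart      = "${path.module}/modules/backup"
  timeout    = 600
  namespace  = var.namespace
  values = [
    templatefile("${path.module}/helm/values/backup/values.yaml", {
      mongodb_root_user_password = local.root_password
      bucket_uri                 = var.mongodb_backup_config.bucket_uri
      s3_bucket_region           = var.bucket_provider_type == "s3" ? var.mongodb_backup_config.s3_bucket_region : ""
      cron_for_full_backup       = var.mongodb_backup_config.cron_for_full_backup
      bucket_provider_type       = var.bucket_provider_type
      azure_storage_account_name = var.bucket_provider_type == "azure" ? var.azure_storage_account_name : ""
      azure_storage_account_key  = var.bucket_provider_type == "azure" ? var.azure_storage_account_key : ""
      azure_container_name       = var.bucket_provider_type == "azure" ? var.azure_container_name : ""
      annotations                = local.backup_sa_annotation
    }),
    # NOTE(review): this layers the MongoDB chart's extra values onto the
    # backup chart as well - confirm that is intended.
    var.mongodb_config.values_yaml
  ]
}

## DB dump restore: a one-shot Job (modules/restore) that loads `file_name`
## from the bucket into the running replica set.
resource "helm_release" "mongodb_restore" {
  depends_on = [helm_release.mongodb]
  count      = var.mongodb_restore_enabled ? 1 : 0
  name       = "mongodb-restore"
  chart      = "${path.module}/modules/restore"
  timeout    = 600
  namespace  = var.namespace
  values = [
    templatefile("${path.module}/helm/values/restore/values.yaml", {
      mongodb_root_user_password = local.root_password
      bucket_uri                 = var.mongodb_restore_config.bucket_uri
      file_name                  = var.mongodb_restore_config.file_name
      s3_bucket_region           = var.bucket_provider_type == "s3" ? var.mongodb_restore_config.s3_bucket_region : ""
      bucket_provider_type       = var.bucket_provider_type
      azure_storage_account_name = var.bucket_provider_type == "azure" ? var.azure_storage_account_name : ""
      azure_storage_account_key  = var.bucket_provider_type == "azure" ? var.azure_storage_account_key : ""
      azure_container_name       = var.bucket_provider_type == "azure" ? var.azure_container_name : ""
      annotations                = local.restore_sa_annotation
    }),
    # NOTE(review): same layering of the MongoDB chart's extra values as above.
    var.mongodb_config.values_yaml
  ]
}

# Standalone Prometheus exporter chart. The password is passed as a plain
# expression; the former "${var.metric_exporter_password}" wrapper is the
# deprecated interpolation-only form flagged by .tflint.hcl.
resource "helm_release" "mongodb_exporter" {
  depends_on = [helm_release.mongodb]
  count      = var.mongodb_exporter_enabled ? 1 : 0
  name       = "mongodb-exporter"
  chart      = "prometheus-mongodb-exporter"
  version    = var.mongodb_exporter_config.version
  timeout    = 600
  namespace  = var.namespace
  repository = "https://prometheus-community.github.io/helm-charts"
  values = [
    templatefile("${path.module}/helm/values/exporter/values.yaml", {
      mongodb_exporter_password = local.exporter_password
      service_monitor_namespace = var.namespace
    }),
    var.mongodb_exporter_values
  ]
}

--------------------------------------------------------------------------------
/modules/backup/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.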
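.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

--------------------------------------------------------------------------------
/modules/backup/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
description: A helm chart for Backup of mongo and stored in S3
name: mongodb-backup
version: 1.0.0

--------------------------------------------------------------------------------
/modules/backup/templates/backup-secrets.yaml:
--------------------------------------------------------------------------------
# Everything the backup job needs that must not appear in the Pod spec.
apiVersion: v1
kind: Secret
metadata:
  name: mongo-bucket-backup
  namespace: {{ .Release.Namespace }}
data:
  BUCKET_URI: {{ .Values.backup.bucket_uri | b64enc }}
  # Connection string consumed by fullbackup-cronjob.yaml via secretKeyRef.
  # rootPassword is inserted verbatim and is not percent-encoded, so reserved
  # URI characters in it are not supported.
  MONGODB_URI: {{ printf "mongodb://%s:%s@mongodb-headless.%s.svc.cluster.local:27017" .Values.auth.rootUser .Values.auth.rootPassword .Release.Namespace | b64enc }}

--------------------------------------------------------------------------------
/modules/backup/templates/fullbackup-cronjob.yaml:
--------------------------------------------------------------------------------
apiVersion: batch/v1
kind: CronJob
metadata:
  name: backup-mongodb
spec:
  schedule: {{ .Values.backup.cron_for_full_backup | quote }}
  # Never start a dump while the previous one is still running.
  concurrencyPolicy: Forbid
  suspend: false
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 1

  jobTemplate:
    spec:
      template:
        spec:
          affinity:
          {{- toYaml .Values.affinity | nindent 12 }}
          restartPolicy: OnFailure
          # The ServiceAccount carries the cloud-identity annotation supplied
          # through .Values.annotations (see service_account.yaml).
          serviceAccountName: sa-mongo-backup
          containers:
          - name: backup-mongodb
            # NOTE(review): floating tag. Pin an immutable tag or digest so the
            # image that handles the root credentials cannot change between runs.
            image: saturnops/mongodb-backup:v7
            env:
            # Root credentials come from the chart's Secret instead of a literal
            # `value:`; a literal would be readable by anyone allowed to get or
            # describe Pods or the CronJob, whereas the Secret needs secrets/get.
            - name: MONGODB_URI
              valueFrom:
                secretKeyRef:
                  name: mongo-bucket-backup
                  key: MONGODB_URI
            - name: MONGO_OPLOG
              value: "true"
            - name: MONGO_BUCKET_URI
              valueFrom:
                secretKeyRef:
                  name: mongo-bucket-backup
                  key: BUCKET_URI
            # Quoted so env values are always emitted as strings.
            - name: BUCKET_PROVIDER
              value: {{ .Values.bucket_provider_type | quote }}
            - name: AWS_DEFAULT_REGION
              value: {{ .Values.backup.aws_default_region | quote }}
            resources:
            {{- toYaml .Values.backupjob.resources | nindent 14 }}

--------------------------------------------------------------------------------
/modules/backup/templates/service_account.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-mongo-backup
  annotations:
{{ toYaml .Values.annotations | indent 4 }}

--------------------------------------------------------------------------------
/modules/resources/aws/README.md:
--------------------------------------------------------------------------------
# aws


## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | n/a |
| [random](#provider\_random) | n/a |

## Modules

No modules.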
18 | 19 | ## Resources 20 | 21 | | Name | Type | 22 | |------|------| 23 | | [aws_iam_role.mongo_backup_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 24 | | [aws_iam_role.mongo_restore_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 25 | | [aws_secretsmanager_secret.mongodb_user_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | 26 | | [aws_secretsmanager_secret_version.mongodb_root_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | 27 | | [random_password.mongodb_exporter_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 28 | | [random_password.mongodb_root_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 29 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 30 | | [aws_eks_cluster.kubernetes_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | 31 | 32 | ## Inputs 33 | 34 | | Name | Description | Type | Default | Required | 35 | |------|-------------|------|---------|:--------:| 36 | | [cluster\_name](#input\_cluster\_name) | Specifies the name of the EKS cluster to deploy the Mongodb application on. | `string` | `""` | no | 37 | | [environment](#input\_environment) | Environment in which the infrastructure is being deployed (e.g., production, staging, development) | `string` | `"test"` | no | 38 | | [mongodb\_custom\_credentials\_config](#input\_mongodb\_custom\_credentials\_config) | Specify the configuration settings for Mongodb to pass custom credentials during creation. | `any` |
{
"metric_exporter_password": "",
"metric_exporter_user": "",
"root_password": "",
"root_user": ""
}
| no | 39 | | [mongodb\_custom\_credentials\_enabled](#input\_mongodb\_custom\_credentials\_enabled) | Specifies whether to enable custom credentials for MongoDB database. | `bool` | `false` | no | 40 | | [name](#input\_name) | Name identifier for module to be added as suffix to resources | `string` | `"test"` | no | 41 | | [namespace](#input\_namespace) | Name of the Kubernetes namespace where the Mongodb deployment will be deployed. | `string` | `"mongodb"` | no | 42 | | [recovery\_window\_aws\_secret](#input\_recovery\_window\_aws\_secret) | Number of days that AWS Secrets Manager will wait before deleting a secret. This value can be set to 0 to force immediate deletion, or to a value between 7 and 30 days to allow for recovery. | `number` | `0` | no | 43 | | [store\_password\_to\_secret\_manager](#input\_store\_password\_to\_secret\_manager) | Specifies whether to store the credentials in AWS Secrets Manager. | `bool` | `false` | no | 44 | 45 | ## Outputs 46 | 47 | | Name | Description | 48 | |------|-------------| 49 | | [iam\_role\_arn\_backup](#output\_iam\_role\_arn\_backup) | IAM role arn for mongo backup | 50 | | [iam\_role\_arn\_restore](#output\_iam\_role\_arn\_restore) | IAM role arn for mongo restore | 51 | | [metric\_exporter\_pasword](#output\_metric\_exporter\_pasword) | mongodb\_exporter user's password of MongoDB | 52 | | [root\_password](#output\_root\_password) | Root user's password of MongoDB | 53 | 54 | -------------------------------------------------------------------------------- /modules/resources/aws/main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | oidc_provider = replace( 3 | data.aws_eks_cluster.kubernetes_cluster.identity[0].oidc[0].issuer, 4 | "/^https:///", 5 | "" 6 | ) 7 | } 8 | 9 | resource "random_password" "mongodb_root_password" { 10 | count = var.mongodb_custom_credentials_enabled ? 
0 : 1 11 | length = 20 12 | special = false 13 | } 14 | 15 | resource "random_password" "mongodb_exporter_password" { 16 | count = var.mongodb_custom_credentials_enabled ? 0 : 1 17 | length = 20 18 | special = false 19 | } 20 | 21 | data "aws_caller_identity" "current" {} 22 | 23 | data "aws_eks_cluster" "kubernetes_cluster" { 24 | name = var.cluster_name 25 | } 26 | 27 | 28 | resource "aws_secretsmanager_secret" "mongodb_user_password" { 29 | count = var.store_password_to_secret_manager ? 1 : 0 30 | name = format("%s/%s/%s", var.environment, var.name, "mongodb") 31 | recovery_window_in_days = var.recovery_window_aws_secret 32 | } 33 | 34 | resource "aws_secretsmanager_secret_version" "mongodb_root_password" { 35 | count = var.store_password_to_secret_manager ? 1 : 0 36 | secret_id = aws_secretsmanager_secret.mongodb_user_password[0].id 37 | secret_string = var.mongodb_custom_credentials_enabled ? jsonencode( 38 | { 39 | "root_user" : "${var.mongodb_custom_credentials_config.root_user}", 40 | "root_password" : "${var.mongodb_custom_credentials_config.root_password}", 41 | "metric_exporter_user" : "${var.mongodb_custom_credentials_config.metric_exporter_user}", 42 | "metric_exporter_password" : "${var.mongodb_custom_credentials_config.metric_exporter_password}" 43 | }) : jsonencode( 44 | { 45 | "root_user" : "root", 46 | "root_password" : "${random_password.mongodb_root_password[0].result}", 47 | "metric_exporter_user" : "mongodb_exporter", 48 | "metric_exporter_password" : "${random_password.mongodb_exporter_password[0].result}" 49 | }) 50 | } 51 | 52 | resource "aws_iam_role" "mongo_backup_role" { 53 | name = format("%s-%s-%s", var.cluster_name, var.name, "mongodb-backup") 54 | assume_role_policy = jsonencode({ 55 | Version = "2012-10-17", 56 | Statement = [ 57 | { 58 | Effect = "Allow", 59 | Principal = { 60 | Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_provider}" 61 | }, 62 | Action = 
"sts:AssumeRoleWithWebIdentity", 63 | Condition = { 64 | StringEquals = { 65 | "${local.oidc_provider}:aud" = "sts.amazonaws.com", 66 | "${local.oidc_provider}:sub" = "system:serviceaccount:${var.namespace}:sa-mongo-backup" 67 | } 68 | } 69 | } 70 | ] 71 | }) 72 | inline_policy { 73 | name = "AllowS3PutObject" 74 | policy = jsonencode({ 75 | Version = "2012-10-17" 76 | Statement = [ 77 | { 78 | Action = [ 79 | "s3:ListBucket", 80 | "s3:GetObject", 81 | "s3:PutObject", 82 | "s3:DeleteObject", 83 | "s3:AbortMultipartUpload", 84 | "s3:ListMultipartUploadParts" 85 | ] 86 | Effect = "Allow" 87 | Resource = "*" 88 | } 89 | ] 90 | }) 91 | } 92 | } 93 | 94 | resource "aws_iam_role" "mongo_restore_role" { 95 | name = format("%s-%s-%s", var.cluster_name, var.name, "mongodb-restore") 96 | assume_role_policy = jsonencode({ 97 | Version = "2012-10-17", 98 | Statement = [ 99 | { 100 | Effect = "Allow", 101 | Principal = { 102 | Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_provider}" 103 | }, 104 | Action = "sts:AssumeRoleWithWebIdentity", 105 | Condition = { 106 | StringEquals = { 107 | "${local.oidc_provider}:aud" = "sts.amazonaws.com", 108 | "${local.oidc_provider}:sub" = "system:serviceaccount:${var.namespace}:sa-mongo-restore" 109 | } 110 | } 111 | } 112 | ] 113 | }) 114 | inline_policy { 115 | name = "AllowS3PutObject" 116 | policy = jsonencode({ 117 | Version = "2012-10-17" 118 | Statement = [ 119 | { 120 | Action = [ 121 | "s3:ListBucket", 122 | "s3:GetObject", 123 | "s3:PutObject", 124 | "s3:DeleteObject", 125 | "s3:AbortMultipartUpload", 126 | "s3:ListMultipartUploadParts" 127 | ] 128 | Effect = "Allow" 129 | Resource = "*" 130 | } 131 | ] 132 | }) 133 | } 134 | } 135 | -------------------------------------------------------------------------------- /modules/resources/aws/outputs.tf: -------------------------------------------------------------------------------- 1 | output "iam_role_arn_backup" { 2 | value = 
aws_iam_role.mongo_backup_role.arn 3 | description = "IAM role arn for mongo backup" 4 | } 5 | 6 | output "iam_role_arn_restore" { 7 | value = aws_iam_role.mongo_restore_role.arn 8 | description = "IAM role arn for mongo restore" 9 | } 10 | 11 | output "root_password" { 12 | value = var.mongodb_custom_credentials_enabled ? null : nonsensitive(random_password.mongodb_root_password[0].result) 13 | description = "Root user's password of MongoDB" 14 | } 15 | 16 | output "metric_exporter_pasword" { 17 | value = var.mongodb_custom_credentials_enabled ? null : nonsensitive(random_password.mongodb_exporter_password[0].result) 18 | description = "mongodb_exporter user's password of MongoDB" 19 | } 20 | -------------------------------------------------------------------------------- /modules/resources/aws/variables.tf: -------------------------------------------------------------------------------- 1 | 2 | variable "recovery_window_aws_secret" { 3 | type = number 4 | default = 0 5 | description = "Number of days that AWS Secrets Manager will wait before deleting a secret. This value can be set to 0 to force immediate deletion, or to a value between 7 and 30 days to allow for recovery." 6 | } 7 | 8 | variable "name" { 9 | description = "Name identifier for module to be added as suffix to resources" 10 | type = string 11 | default = "test" 12 | } 13 | 14 | variable "environment" { 15 | description = "Environment in which the infrastructure is being deployed (e.g., production, staging, development)" 16 | type = string 17 | default = "test" 18 | } 19 | 20 | variable "cluster_name" { 21 | type = string 22 | default = "" 23 | description = "Specifies the name of the EKS cluster to deploy the Mongodb application on." 24 | } 25 | 26 | variable "namespace" { 27 | type = string 28 | default = "mongodb" 29 | description = "Name of the Kubernetes namespace where the Mongodb deployment will be deployed." 
30 | } 31 | 32 | variable "mongodb_custom_credentials_enabled" { 33 | type = bool 34 | default = false 35 | description = "Specifies whether to enable custom credentials for MongoDB database." 36 | } 37 | 38 | variable "mongodb_custom_credentials_config" { 39 | type = any 40 | default = { 41 | root_user = "" 42 | root_password = "" 43 | metric_exporter_user = "" 44 | metric_exporter_password = "" 45 | } 46 | description = "Specify the configuration settings for Mongodb to pass custom credentials during creation." 47 | } 48 | 49 | variable "store_password_to_secret_manager" { 50 | type = bool 51 | default = false 52 | description = "Specifies whether to store the credentials in AWS Secrets Manager." 53 | } 54 | -------------------------------------------------------------------------------- /modules/resources/azure/README.md: -------------------------------------------------------------------------------- 1 | # Azure Mongodb Kubernetes Module 2 | ## Requirements 3 | 4 | No requirements. 5 | 6 | ## Providers 7 | 8 | | Name | Version | 9 | |------|---------| 10 | | [azurerm](#provider\_azurerm) | n/a | 11 | | [random](#provider\_random) | n/a | 12 | 13 | ## Modules 14 | 15 | No modules. 
16 | 17 | ## Resources 18 | 19 | | Name | Type | 20 | |------|------| 21 | | [azurerm_key_vault.mongo-secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource | 22 | | [azurerm_key_vault_secret.mongo-secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | 23 | | [azurerm_role_assignment.pod_identity_assignment_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | 24 | | [azurerm_role_assignment.secretadmin_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | 25 | | [azurerm_role_assignment.secretadmin_restore](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | 26 | | [azurerm_role_assignment.service_account_token_creator_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | 27 | | [azurerm_role_assignment.service_account_token_creator_restore](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | 28 | | [azurerm_user_assigned_identity.mongo_backup_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | 29 | | [azurerm_user_assigned_identity.mongo_restore_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | 30 | | [azurerm_user_assigned_identity.pod_identity_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | 31 | | [random_password.mongodb_exporter_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 32 | | 
[random_password.mongodb_root_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 33 | | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | 34 | | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | 35 | | [azurerm_subscription.primary](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | 36 | 37 | ## Inputs 38 | 39 | | Name | Description | Type | Default | Required | 40 | |------|-------------|------|---------|:--------:| 41 | | [azure\_uai\_backup\_name](#input\_azure\_uai\_backup\_name) | Azure User Assigned Identity name for backup | `string` | `"mongo-backup"` | no | 42 | | [azure\_uai\_pod\_identity\_backup\_name](#input\_azure\_uai\_pod\_identity\_backup\_name) | Azure User Assigned Identity name for pod identity backup | `string` | `"pod-identity-backup"` | no | 43 | | [azure\_uai\_pod\_identity\_restore\_name](#input\_azure\_uai\_pod\_identity\_restore\_name) | Azure User Assigned Identity name for pod identity restore | `string` | `"pod-identity-restore"` | no | 44 | | [azure\_uai\_restore\_name](#input\_azure\_uai\_restore\_name) | Azure User Assigned Identity name for restore | `string` | `"mongo-restore"` | no | 45 | | [environment](#input\_environment) | Environment in which the infrastructure is being deployed (e.g., production, staging, development) | `string` | `"test"` | no | 46 | | [mongodb\_config](#input\_mongodb\_config) | Specify the configuration settings for Mongodb, including the name, environment, storage options, replication settings, and custom YAML values. | `any` |
{
"architecture": "",
"environment": "",
"name": "",
"replica_count": 2,
"storage_class_name": "",
"store_password_to_secret_manager": true,
"values_yaml": "",
"volume_size": ""
}
| no | 47 | | [mongodb\_custom\_credentials\_config](#input\_mongodb\_custom\_credentials\_config) | Specify the configuration settings for Mongodb to pass custom credentials during creation. | `any` |
{
"metric_exporter_password": "",
"metric_exporter_user": "",
"root_password": "",
"root_user": ""
}
| no | 48 | | [mongodb\_custom\_credentials\_enabled](#input\_mongodb\_custom\_credentials\_enabled) | Specifies whether to enable custom credentials for MongoDB database. | `bool` | `false` | no | 49 | | [name](#input\_name) | Name of all the resources | `string` | `""` | no | 50 | | [resource\_group\_location](#input\_resource\_group\_location) | Azure region | `string` | `"East US"` | no | 51 | | [resource\_group\_name](#input\_resource\_group\_name) | Azure Resource Group name | `string` | `""` | no | 52 | | [storage\_account\_name](#input\_storage\_account\_name) | Azure storage account name | `string` | `""` | no | 53 | | [store\_password\_to\_secret\_manager](#input\_store\_password\_to\_secret\_manager) | Specifies whether to store the credentials in GCP secret manager. | `bool` | `false` | no | 54 | 55 | ## Outputs 56 | 57 | | Name | Description | 58 | |------|-------------| 59 | | [az\_account\_backup](#output\_az\_account\_backup) | Azure User Assigned Identity for backup | 60 | | [az\_account\_restore](#output\_az\_account\_restore) | Azure User Assigned Identity for restore | 61 | | [metric\_exporter\_pasword](#output\_metric\_exporter\_pasword) | mongodb\_exporter user's password of MongoDB | 62 | | [root\_password](#output\_root\_password) | Root user's password of MongoDB | 63 | 64 | ## Requirements 65 | 66 | No requirements. 67 | 68 | ## Providers 69 | 70 | | Name | Version | 71 | |------|---------| 72 | | [azurerm](#provider\_azurerm) | n/a | 73 | | [random](#provider\_random) | n/a | 74 | 75 | ## Modules 76 | 77 | No modules. 
78 | 79 | ## Resources 80 | 81 | | Name | Type | 82 | |------|------| 83 | | [azurerm_key_vault.mongo-secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource | 84 | | [azurerm_key_vault_secret.mongo-secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | 85 | | [azurerm_role_assignment.pod_identity_assignment_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | 86 | | [azurerm_role_assignment.secretadmin_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | 87 | | [azurerm_role_assignment.secretadmin_restore](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | 88 | | [azurerm_role_assignment.service_account_token_creator_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | 89 | | [azurerm_role_assignment.service_account_token_creator_restore](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | 90 | | [azurerm_user_assigned_identity.mongo_backup_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | 91 | | [azurerm_user_assigned_identity.mongo_restore_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | 92 | | [azurerm_user_assigned_identity.pod_identity_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | 93 | | [random_password.mongodb_exporter_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 94 | | 
[random_password.mongodb_root_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 95 | | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | 96 | | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | 97 | | [azurerm_subscription.primary](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | 98 | 99 | ## Inputs 100 | 101 | | Name | Description | Type | Default | Required | 102 | |------|-------------|------|---------|:--------:| 103 | | [azure\_uai\_backup\_name](#input\_azure\_uai\_backup\_name) | Azure User Assigned Identity name for backup | `string` | `"mongo-backup"` | no | 104 | | [azure\_uai\_pod\_identity\_backup\_name](#input\_azure\_uai\_pod\_identity\_backup\_name) | Azure User Assigned Identity name for pod identity backup | `string` | `"pod-identity-backup"` | no | 105 | | [azure\_uai\_pod\_identity\_restore\_name](#input\_azure\_uai\_pod\_identity\_restore\_name) | Azure User Assigned Identity name for pod identity restore | `string` | `"pod-identity-restore"` | no | 106 | | [azure\_uai\_restore\_name](#input\_azure\_uai\_restore\_name) | Azure User Assigned Identity name for restore | `string` | `"mongo-restore"` | no | 107 | | [environment](#input\_environment) | Environment in which the infrastructure is being deployed (e.g., production, staging, development) | `string` | `"test"` | no | 108 | | [mongodb\_config](#input\_mongodb\_config) | Specify the configuration settings for Mongodb, including the name, environment, storage options, replication settings, and custom YAML values. | `any` |
{
"architecture": "",
"environment": "",
"name": "",
"replica_count": 2,
"storage_class_name": "",
"store_password_to_secret_manager": true,
"values_yaml": "",
"volume_size": ""
}
| no | 109 | | [mongodb\_custom\_credentials\_config](#input\_mongodb\_custom\_credentials\_config) | Specify the configuration settings for Mongodb to pass custom credentials during creation. | `any` |
{
"metric_exporter_password": "",
"metric_exporter_user": "",
"root_password": "",
"root_user": ""
}
| no | 110 | | [mongodb\_custom\_credentials\_enabled](#input\_mongodb\_custom\_credentials\_enabled) | Specifies whether to enable custom credentials for MongoDB database. | `bool` | `false` | no | 111 | | [name](#input\_name) | Name of all the resources | `string` | `""` | no | 112 | | [resource\_group\_location](#input\_resource\_group\_location) | Azure region | `string` | `"East US"` | no | 113 | | [resource\_group\_name](#input\_resource\_group\_name) | Azure Resource Group name | `string` | `""` | no | 114 | | [storage\_account\_name](#input\_storage\_account\_name) | Azure storage account name | `string` | `""` | no | 115 | | [store\_password\_to\_secret\_manager](#input\_store\_password\_to\_secret\_manager) | Specifies whether to store the credentials in GCP secret manager. | `bool` | `false` | no | 116 | 117 | ## Outputs 118 | 119 | | Name | Description | 120 | |------|-------------| 121 | | [az\_account\_backup](#output\_az\_account\_backup) | Azure User Assigned Identity for backup | 122 | | [az\_account\_restore](#output\_az\_account\_restore) | Azure User Assigned Identity for restore | 123 | | [metric\_exporter\_pasword](#output\_metric\_exporter\_pasword) | mongodb\_exporter user's password of MongoDB | 124 | | [root\_password](#output\_root\_password) | Root user's password of MongoDB | 125 | 126 | -------------------------------------------------------------------------------- /modules/resources/azure/main.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_client_config" "current" {} 2 | 3 | data "azurerm_subscription" "current" {} 4 | 5 | data "azurerm_subscription" "primary" {} 6 | 7 | resource "random_password" "mongodb_root_password" { 8 | count = var.mongodb_custom_credentials_enabled ? 0 : 1 9 | length = 20 10 | special = false 11 | } 12 | 13 | resource "random_password" "mongodb_exporter_password" { 14 | count = var.mongodb_custom_credentials_enabled ? 
0 : 1 15 | length = 20 16 | special = false 17 | } 18 | 19 | resource "azurerm_key_vault" "mongo-secret" { 20 | count = var.store_password_to_secret_manager ? 1 : 0 21 | name = format("%s-%s-%s", var.environment, var.name, "mongodb") 22 | resource_group_name = var.resource_group_name 23 | location = var.resource_group_location 24 | sku_name = "standard" 25 | tenant_id = data.azurerm_client_config.current.tenant_id 26 | enabled_for_disk_encryption = true 27 | soft_delete_retention_days = 7 28 | 29 | access_policy { 30 | tenant_id = data.azurerm_client_config.current.tenant_id 31 | object_id = data.azurerm_client_config.current.object_id 32 | key_permissions = [ 33 | "Get", 34 | "List", 35 | ] 36 | secret_permissions = [ 37 | "Set", 38 | "Get", 39 | "List", 40 | "Delete", 41 | "Purge", 42 | ] 43 | } 44 | } 45 | 46 | resource "azurerm_key_vault_secret" "mongo-secret" { 47 | depends_on = [azurerm_key_vault.mongo-secret[0]] 48 | name = format("%s-%s-%s", var.environment, var.name, "secret") 49 | value = var.mongodb_custom_credentials_enabled ? 
jsonencode( 50 | { 51 | "root_user" : "${var.mongodb_custom_credentials_config.root_user}", 52 | "root_password" : "${var.mongodb_custom_credentials_config.root_password}", 53 | "metric_exporter_user" : "${var.mongodb_custom_credentials_config.metric_exporter_user}", 54 | "metric_exporter_password" : "${var.mongodb_custom_credentials_config.metric_exporter_password}" 55 | }) : jsonencode( 56 | { 57 | "root_user" : "root", 58 | "root_password" : "${random_password.mongodb_root_password[0].result}", 59 | "metric_exporter_user" : "mongodb_exporter", 60 | "metric_exporter_password" : "${random_password.mongodb_exporter_password[0].result}" 61 | }) 62 | content_type = "application/json" 63 | key_vault_id = azurerm_key_vault.mongo-secret[0].id 64 | } 65 | 66 | # Create a user-assigned managed identity for mongo backup 67 | resource "azurerm_user_assigned_identity" "mongo_backup_identity" { 68 | name = format("%s-%s-%s", var.environment, var.name, "mongo_backup_identity") 69 | resource_group_name = var.resource_group_name 70 | location = var.resource_group_location 71 | } 72 | 73 | # Grant the "Storage Blob Data Contributor" role to the backup identity on the storage account (note: the scope below hard-codes the test-skaf-tfstate-rg resource group instead of using var.resource_group_name) 74 | resource "azurerm_role_assignment" "secretadmin_backup" { 75 | principal_id = azurerm_user_assigned_identity.mongo_backup_identity.principal_id 76 | role_definition_name = "Storage Blob Data Contributor" 77 | scope = "/subscriptions/${data.azurerm_subscription.current.subscription_id}/resourceGroups/test-skaf-tfstate-rg/providers/Microsoft.Storage/storageAccounts/${var.storage_account_name}" 78 | } 79 | 80 | # Grant the "Role Based Access Control Administrator (Preview)" role to the backup identity at resource-group scope; this role can manage role assignments, so confirm it is the minimum the backup job needs 81 | resource "azurerm_role_assignment" "service_account_token_creator_backup" { 82 | principal_id = azurerm_user_assigned_identity.mongo_backup_identity.principal_id 83 | role_definition_name = "Role Based Access Control Administrator (Preview)" 84 | scope = 
"/subscriptions/${data.azurerm_subscription.current.subscription_id}/resourceGroups/test-skaf-tfstate-rg" 85 | } 86 | 87 | # Create a user-assigned managed identity for mongo restore 88 | resource "azurerm_user_assigned_identity" "mongo_restore_identity" { 89 | name = format("%s-%s-%s", var.environment, var.name, "mongo_restore_identity") 90 | resource_group_name = var.resource_group_name 91 | location = var.resource_group_location 92 | } 93 | 94 | # Grant the "Storage Blob Data Contributor" role to the restore identity on the storage account (note: the scope below hard-codes the test-skaf-tfstate-rg resource group instead of using var.resource_group_name) 95 | resource "azurerm_role_assignment" "secretadmin_restore" { 96 | principal_id = azurerm_user_assigned_identity.mongo_restore_identity.principal_id 97 | role_definition_name = "Storage Blob Data Contributor" 98 | scope = "/subscriptions/${data.azurerm_subscription.current.subscription_id}/resourceGroups/test-skaf-tfstate-rg/providers/Microsoft.Storage/storageAccounts/${var.storage_account_name}" 99 | } 100 | 101 | # Grant the "Role Based Access Control Administrator (Preview)" role to the restore identity at resource-group scope; this role can manage role assignments, so confirm it is the minimum the restore job needs 102 | resource "azurerm_role_assignment" "service_account_token_creator_restore" { 103 | principal_id = azurerm_user_assigned_identity.mongo_restore_identity.principal_id 104 | role_definition_name = "Role Based Access Control Administrator (Preview)" 105 | scope = "/subscriptions/${data.azurerm_subscription.current.subscription_id}/resourceGroups/test-skaf-tfstate-rg" 106 | } 107 | 108 | # Configure workload identity for mongo backup 109 | resource "azurerm_user_assigned_identity" "pod_identity_backup" { 110 | name = format("%s-%s-%s", var.environment, var.name, "pod_identity_backup") 111 | resource_group_name = var.resource_group_name 112 | location = var.resource_group_location 113 | } 114 | 115 | resource "azurerm_role_assignment" "pod_identity_assignment_backup" { 116 | principal_id = azurerm_user_assigned_identity.pod_identity_backup.principal_id 117 | role_definition_name = "Managed Identity Operator" 118 | scope = 
"/subscriptions/${data.azurerm_subscription.current.subscription_id}/resourceGroups/${var.resource_group_name}" 119 | } 120 | -------------------------------------------------------------------------------- /modules/resources/azure/outputs.tf: -------------------------------------------------------------------------------- 1 | output "az_account_backup" { 2 | value = azurerm_user_assigned_identity.mongo_backup_identity.client_id 3 | description = "Azure User Assigned Identity for backup" 4 | } 5 | 6 | output "az_account_restore" { 7 | value = azurerm_user_assigned_identity.mongo_restore_identity.client_id 8 | description = "Azure User Assigned Identity for restore" 9 | } 10 | 11 | output "root_password" { 12 | value = var.mongodb_custom_credentials_enabled ? null : nonsensitive(random_password.mongodb_root_password[0].result) 13 | description = "Root user's password of MongoDB" 14 | } 15 | 16 | output "metric_exporter_pasword" { 17 | value = var.mongodb_custom_credentials_enabled ? null : nonsensitive(random_password.mongodb_exporter_password[0].result) 18 | description = "mongodb_exporter user's password of MongoDB" 19 | } 20 | -------------------------------------------------------------------------------- /modules/resources/azure/variables.tf: -------------------------------------------------------------------------------- 1 | variable "resource_group_name" { 2 | description = "Azure Resource Group name" 3 | type = string 4 | default = "" 5 | } 6 | 7 | variable "resource_group_location" { 8 | description = "Azure region" 9 | type = string 10 | default = "East US" 11 | } 12 | 13 | variable "name" { 14 | description = "Name of all the resources" 15 | type = string 16 | default = "" 17 | } 18 | 19 | variable "environment" { 20 | description = "Environment in which the infrastructure is being deployed (e.g., production, staging, development)" 21 | type = string 22 | default = "test" 23 | } 24 | 25 | variable "azure_uai_backup_name" { 26 | description = "Azure User 
Assigned Identity name for backup" 27 | type = string 28 | default = "mongo-backup" 29 | } 30 | 31 | variable "azure_uai_pod_identity_backup_name" { 32 | description = "Azure User Assigned Identity name for pod identity backup" 33 | type = string 34 | default = "pod-identity-backup" 35 | } 36 | 37 | variable "azure_uai_restore_name" { 38 | description = "Azure User Assigned Identity name for restore" 39 | type = string 40 | default = "mongo-restore" 41 | } 42 | 43 | variable "azure_uai_pod_identity_restore_name" { 44 | description = "Azure User Assigned Identity name for pod identity restore" 45 | type = string 46 | default = "pod-identity-restore" 47 | } 48 | 49 | variable "mongodb_config" { 50 | type = any 51 | default = { 52 | name = "" 53 | environment = "" 54 | volume_size = "" 55 | architecture = "" 56 | replica_count = 2 57 | values_yaml = "" 58 | storage_class_name = "" 59 | store_password_to_secret_manager = true 60 | } 61 | description = "Specify the configuration settings for Mongodb, including the name, environment, storage options, replication settings, and custom YAML values." 62 | } 63 | 64 | variable "mongodb_custom_credentials_enabled" { 65 | type = bool 66 | default = false 67 | description = "Specifies whether to enable custom credentials for MongoDB database." 68 | } 69 | 70 | variable "mongodb_custom_credentials_config" { 71 | type = any 72 | default = { 73 | root_user = "" 74 | root_password = "" 75 | metric_exporter_user = "" 76 | metric_exporter_password = "" 77 | } 78 | description = "Specify the configuration settings for Mongodb to pass custom credentials during creation." 79 | } 80 | 81 | variable "store_password_to_secret_manager" { 82 | type = bool 83 | default = false 84 | description = "Specifies whether to store the credentials in Azure Key Vault." 
85 | } 86 | 87 | variable "storage_account_name" { 88 | description = "Azure storage account name" 89 | type = string 90 | default = "" 91 | } 92 | -------------------------------------------------------------------------------- /modules/resources/gcp/README.md: -------------------------------------------------------------------------------- 1 | # gcp 2 | 3 | 4 | ## Requirements 5 | 6 | No requirements. 7 | 8 | ## Providers 9 | 10 | | Name | Version | 11 | |------|---------| 12 | | [google](#provider\_google) | n/a | 13 | | [random](#provider\_random) | n/a | 14 | 15 | ## Modules 16 | 17 | No modules. 18 | 19 | ## Resources 20 | 21 | | Name | Type | 22 | |------|------| 23 | | [google_project_iam_member.secretadmin_backup](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | 24 | | [google_project_iam_member.secretadmin_restore](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | 25 | | [google_project_iam_member.service_account_token_creator_backup](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | 26 | | [google_project_iam_member.service_account_token_creator_restore](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | 27 | | [google_secret_manager_secret.mongo-secret](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource | 28 | | [google_secret_manager_secret_version.mongo-secret](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_version) | resource | 29 | | [google_service_account.mongo_backup](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | 30 | | 
[google_service_account.mongo_restore](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | 31 | | [google_service_account_iam_member.pod_identity_backup](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource | 32 | | [google_service_account_iam_member.pod_identity_restore](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource | 33 | | [random_password.mongodb_exporter_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 34 | | [random_password.mongodb_root_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 35 | 36 | ## Inputs 37 | 38 | | Name | Description | Type | Default | Required | 39 | |------|-------------|------|---------|:--------:| 40 | | [environment](#input\_environment) | Environment in which the infrastructure is being deployed (e.g., production, staging, development) | `string` | `"test"` | no | 41 | | [gcp\_gsa\_backup\_name](#input\_gcp\_gsa\_backup\_name) | Google Cloud Service Account name for backup | `string` | `"mongo-backup"` | no | 42 | | [gcp\_gsa\_restore\_name](#input\_gcp\_gsa\_restore\_name) | Google Cloud Service Account name for restore | `string` | `"mongo-restore"` | no | 43 | | [gcp\_ksa\_backup\_name](#input\_gcp\_ksa\_backup\_name) | Google Kubernetes Service Account name for backup | `string` | `"sa-mongo-backup"` | no | 44 | | [gcp\_ksa\_restore\_name](#input\_gcp\_ksa\_restore\_name) | Google Kubernetes Service Account name for restore | `string` | `"sa-mongo-restore"` | no | 45 | | [mongodb\_custom\_credentials\_config](#input\_mongodb\_custom\_credentials\_config) | Specify the configuration settings for Mongodb to pass custom credentials during creation. | `any` |
{
"metric_exporter_password": "",
"metric_exporter_user": "",
"root_password": "",
"root_user": ""
}
| no | 46 | | [mongodb\_custom\_credentials\_enabled](#input\_mongodb\_custom\_credentials\_enabled) | Specifies whether to enable custom credentials for MongoDB database. | `bool` | `false` | no | 47 | | [name](#input\_name) | Name identifier for module to be added as suffix to resources | `string` | `"test"` | no | 48 | | [project\_id](#input\_project\_id) | Google Cloud project ID | `string` | `""` | no | 49 | | [store\_password\_to\_secret\_manager](#input\_store\_password\_to\_secret\_manager) | Specifies whether to store the credentials in GCP secret manager. | `bool` | `false` | no | 50 | 51 | ## Outputs 52 | 53 | | Name | Description | 54 | |------|-------------| 55 | | [metric\_exporter\_pasword](#output\_metric\_exporter\_pasword) | mongodb\_exporter user's password of MongoDB | 56 | | [root\_password](#output\_root\_password) | Root user's password of MongoDB | 57 | | [service\_account\_backup](#output\_service\_account\_backup) | Google Cloud Service Account name for backup | 58 | | [service\_account\_restore](#output\_service\_account\_restore) | Google Cloud Service Account name for restore | 59 | 60 | -------------------------------------------------------------------------------- /modules/resources/gcp/main.tf: -------------------------------------------------------------------------------- 1 | resource "random_password" "mongodb_root_password" { 2 | count = var.mongodb_custom_credentials_enabled ? 0 : 1 3 | length = 20 4 | special = false 5 | } 6 | 7 | resource "random_password" "mongodb_exporter_password" { 8 | count = var.mongodb_custom_credentials_enabled ? 0 : 1 9 | length = 20 10 | special = false 11 | } 12 | 13 | resource "google_secret_manager_secret" "mongo-secret" { 14 | count = var.store_password_to_secret_manager ? 
1 : 0 15 | project = var.project_id 16 | secret_id = format("%s-%s-%s", var.environment, var.name, "mongo") 17 | 18 | replication { 19 | automatic = true 20 | } 21 | } 22 | 
# Writes the MongoDB root and metric-exporter credentials into the secret declared above (only created
# when store_password_to_secret_manager is true). Both branches place the passwords in secret_data, and
# like any resource attribute that rendered payload is also recorded in Terraform state, so the state
# backend needs the same protection as the secret itself.
23 | resource "google_secret_manager_secret_version" "mongo-secret" { 24 | count = var.store_password_to_secret_manager ? 1 : 0 25 | secret = google_secret_manager_secret.mongo-secret[0].id 26 | secret_data = var.mongodb_custom_credentials_enabled ? jsonencode( 27 | { 28 | "root_user" : "${var.mongodb_custom_credentials_config.root_user}", 29 | "root_password" : "${var.mongodb_custom_credentials_config.root_password}", 30 | "metric_exporter_user" : "${var.mongodb_custom_credentials_config.metric_exporter_user}", 31 | "metric_exporter_password" : "${var.mongodb_custom_credentials_config.metric_exporter_password}" 32 | }) : jsonencode( 33 | { 34 | "root_user" : "root", 35 | "root_password" : "${random_password.mongodb_root_password[0].result}", 36 | "metric_exporter_user" : "mongodb_exporter", 37 | "metric_exporter_password" : "${random_password.mongodb_exporter_password[0].result}" 38 | }) 39 | } 40 | 
# Google service account the backup CronJob runs as (via the Workload Identity binding below).
41 | resource "google_service_account" "mongo_backup" { 42 | project = var.project_id 43 | account_id = format("%s-%s", var.environment, var.gcp_gsa_backup_name) 44 | display_name = "Service Account for mongo Backup" 45 | } 46 | 
# NOTE(review): named "secretadmin" but the role granted is roles/storage.objectAdmin, and the binding is
# project-wide (every bucket in var.project_id). Least privilege would be a bucket-level
# google_storage_bucket_iam_member on the backup bucket only; this module currently has no bucket
# variable to scope it with. The *_restore bindings further down share the same shape.
47 | resource "google_project_iam_member" "secretadmin_backup" { 48 | project = var.project_id 49 | role = "roles/storage.objectAdmin" 50 | member = "serviceAccount:${google_service_account.mongo_backup.email}" 51 | } 52 | 
# NOTE(review): roles/iam.serviceAccountTokenCreator at project scope lets this service account mint
# access tokens and signatures for any service account in the project. If it only needs to act as
# itself, bind the role on that single service account (google_service_account_iam_member) rather than
# on the project.
53 | resource "google_project_iam_member" "service_account_token_creator_backup" { 54 | project = var.project_id 55 | role = "roles/iam.serviceAccountTokenCreator" 56 | member = "serviceAccount:${google_service_account.mongo_backup.email}" 57 | } 58 | 
# Workload Identity binding: the Kubernetes service account var.gcp_ksa_backup_name in the hard-coded
# "mongodb" namespace may impersonate this GSA (the namespace is not configurable in this module).
59 | resource "google_service_account_iam_member" "pod_identity_backup" { 60 | role = "roles/iam.workloadIdentityUser" 61 | member = 
"serviceAccount:${var.project_id}.svc.id.goog[mongodb/${var.gcp_ksa_backup_name}]" 62 | service_account_id = google_service_account.mongo_backup.name 63 | } 64 | 65 | resource "google_service_account" "mongo_restore" { 66 | project = var.project_id 67 | account_id = format("%s-%s", var.environment, var.gcp_gsa_restore_name) 68 | display_name = "Service Account for mongo restore" 69 | } 70 | 71 | resource "google_project_iam_member" "secretadmin_restore" { 72 | project = var.project_id 73 | role = "roles/storage.objectAdmin" 74 | member = "serviceAccount:${google_service_account.mongo_restore.email}" 75 | } 76 | 77 | resource "google_project_iam_member" "service_account_token_creator_restore" { 78 | project = var.project_id 79 | role = "roles/iam.serviceAccountTokenCreator" 80 | member = "serviceAccount:${google_service_account.mongo_restore.email}" 81 | } 82 | 83 | resource "google_service_account_iam_member" "pod_identity_restore" { 84 | role = "roles/iam.workloadIdentityUser" 85 | member = "serviceAccount:${var.project_id}.svc.id.goog[mongodb/${var.gcp_ksa_restore_name}]" 86 | service_account_id = google_service_account.mongo_restore.name 87 | } 88 | -------------------------------------------------------------------------------- /modules/resources/gcp/outputs.tf: -------------------------------------------------------------------------------- 1 | output "service_account_backup" { 2 | value = google_service_account.mongo_backup.email 3 | description = "Google Cloud Service Account name for backup" 4 | } 5 | 6 | output "service_account_restore" { 7 | value = google_service_account.mongo_restore.email 8 | description = "Google Cloud Service Account name for restore" 9 | } 10 | 11 | output "root_password" { 12 | value = var.mongodb_custom_credentials_enabled ? 
null : nonsensitive(random_password.mongodb_root_password[0].result) 13 | description = "Root user's password of MongoDB" 14 | } 15 | 16 | output "metric_exporter_pasword" { 17 | value = var.mongodb_custom_credentials_enabled ? null : nonsensitive(random_password.mongodb_exporter_password[0].result) 18 | description = "mongodb_exporter user's password of MongoDB" 19 | } 20 | -------------------------------------------------------------------------------- /modules/resources/gcp/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project_id" { 2 | description = "Google Cloud project ID" 3 | type = string 4 | default = "" 5 | } 6 | 7 | variable "name" { 8 | description = "Name identifier for module to be added as suffix to resources" 9 | type = string 10 | default = "test" 11 | } 12 | 13 | variable "environment" { 14 | description = "Environment in which the infrastructure is being deployed (e.g., production, staging, development)" 15 | type = string 16 | default = "test" 17 | } 18 | 19 | variable "gcp_gsa_backup_name" { 20 | description = "Google Cloud Service Account name for backup" 21 | type = string 22 | default = "mongo-backup" 23 | } 24 | 25 | variable "gcp_ksa_backup_name" { 26 | description = "Google Kubernetes Service Account name for backup" 27 | type = string 28 | default = "sa-mongo-backup" 29 | } 30 | 31 | variable "gcp_gsa_restore_name" { 32 | description = "Google Cloud Service Account name for restore" 33 | type = string 34 | default = "mongo-restore" 35 | } 36 | 37 | variable "gcp_ksa_restore_name" { 38 | description = "Google Kubernetes Service Account name for restore" 39 | type = string 40 | default = "sa-mongo-restore" 41 | } 42 | 43 | 44 | variable "mongodb_custom_credentials_enabled" { 45 | type = bool 46 | default = false 47 | description = "Specifies whether to enable custom credentials for MongoDB database." 
48 | } 49 | 50 | variable "mongodb_custom_credentials_config" { 51 | type = any 52 | default = { 53 | root_user = "" 54 | root_password = "" 55 | metric_exporter_user = "" 56 | metric_exporter_password = "" 57 | } 58 | description = "Specify the configuration settings for Mongodb to pass custom credentials during creation." 59 | } 60 | 61 | variable "store_password_to_secret_manager" { 62 | type = bool 63 | default = false 64 | description = "Specifies whether to store the credentials in GCP secret manager." 65 | } 66 | -------------------------------------------------------------------------------- /modules/restore/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /modules/restore/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | description: A helm chart for Backup of mongo and stored in S3 3 | name: mongodb-restore 4 | version: 1.0.0 5 | -------------------------------------------------------------------------------- /modules/restore/templates/job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: restore-mongo 5 | spec: 6 | template: 7 | spec: 8 | affinity: 9 | {{- toYaml .Values.affinity | nindent 8 }} 10 | serviceAccountName: sa-mongo-restore 11 | containers: 12 | - name: restore-mongodb 13 | image: saturnops/mongodb-restore:v6 14 | env: 15 | - 
name: MONGO_URI
# NOTE(review): the root password is interpolated into a plain env value, so it is readable by anyone
# who can read Job/Pod specs in the namespace. MONGO_BUCKET_RESTORE_URI below already uses
# secretKeyRef; the credentials could be sourced the same way from a Secret.
16 | value: mongodb://{{ .Values.auth.rootUser }}:{{ .Values.auth.rootPassword }}@mongodb-primary.{{ .Release.Namespace }}.svc.cluster.local:27017 17 | - name: MONGO_OPLOG 18 | value: "false" 19 | - name: AWS_DEFAULT_REGION
# NOTE(review): unquoted here and for RESTORE_FROM below, unlike FILE_NAME_FULL; a value YAML parses as
# a number or boolean would fail the string type check on env values, so quoting is safer.
20 | value: {{ .Values.restore.aws_default_region}} 21 | - name: MONGO_BUCKET_RESTORE_URI 22 | valueFrom: 23 | secretKeyRef: 24 | name: mongo-restore 25 | key: BUCKET_URI 26 | - name: FILE_NAME_FULL 27 | value: {{ .Values.restore.file_name | quote }} 28 | - name: RESTORE_FROM 29 | value: {{ .Values.bucket_provider_type}} 30 | resources: 31 | {{- toYaml .Values.restorejob.resources | nindent 14 }} 32 | restartPolicy: Never
# Failed restore pods are not restarted in place; the Job retries up to 4 times with fresh pods.
33 | backoffLimit: 4 34 | -------------------------------------------------------------------------------- /modules/restore/templates/restore-secrets.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: mongo-restore 5 | namespace: {{ .Release.Namespace }}
# labels: has no entries and renders as an empty key; harmless, but it can be dropped.
6 | labels: 7 | data:
# Only the bucket URI is stored here; the restore Job reads it through secretKeyRef.
8 | BUCKET_URI: {{ .Values.restore.bucket_uri | b64enc }} 9 | -------------------------------------------------------------------------------- /modules/restore/templates/service_account.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata:
# NOTE(review): the name is fixed here, while the GCP Workload Identity binding is built from
# var.gcp_ksa_restore_name (default sa-mongo-restore); changing that variable from its default would
# break the binding without any error at plan time.
4 | name: sa-mongo-restore 5 | annotations:
# Cloud identity annotations (presumably the Workload Identity / pod identity binding) arrive through
# .Values.annotations — confirm against the examples.
6 | {{ toYaml .Values.annotations | indent 4 }} 7 | -------------------------------------------------------------------------------- /output.tf: -------------------------------------------------------------------------------- 1 | output "mongodb_endpoints" { 2 | description = "MongoDB endpoints in the Kubernetes cluster." 
3 | value = { 4 | mongoport = "27017", 5 | mongodb_headless_endpoint = "mongodb-headless.${var.namespace}.svc.cluster.local" 6 | mongodb_primary_endpoint = "mongodb-primary.${var.namespace}.svc.cluster.local" 7 | } 8 | } 9 | 
# NOTE(review): this output carries the root and metric-exporter passwords and is not marked
# sensitive = true, so they are printed by terraform output/apply and held in plain form in state; it
# is only suppressed (null) when mongodb_config.store_password_to_secret_manager is set. Marking it
# sensitive is the Terraform-native fix but changes what consumers see, so it is left as a
# recommendation here.
10 | output "mongodb_credential" { 11 | description = "MongoDB credentials used for accessing the MongoDB database." 12 | value = var.mongodb_config.store_password_to_secret_manager ? null : { 13 | root_user = var.mongodb_custom_credentials_enabled ? var.mongodb_custom_credentials_config.root_user : "root", 14 | root_password = var.mongodb_custom_credentials_enabled ? var.mongodb_custom_credentials_config.root_password : var.root_password, 15 | metric_exporter_user = var.mongodb_custom_credentials_enabled ? var.mongodb_custom_credentials_config.metric_exporter_user : "mongodb_exporter", 16 | metric_exporter_password = var.mongodb_custom_credentials_enabled ? var.mongodb_custom_credentials_config.metric_exporter_password : var.metric_exporter_password 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /variables.tf: -------------------------------------------------------------------------------- 
# NOTE(review): custom_databases_passwords travels inside this untyped (any) object, so it cannot be
# marked sensitive on its own; a dedicated sensitive variable would keep those credentials out of plan
# output.
1 | variable "mongodb_config" { 2 | type = any 3 | default = { 4 | name = "" 5 | environment = "" 6 | volume_size = "" 7 | architecture = "" 8 | replica_count = 2 9 | custom_databases = "" 10 | custom_databases_usernames = "" 11 | custom_databases_passwords = "" 12 | values_yaml = "" 13 | storage_class_name = "" 14 | store_password_to_secret_manager = true 15 | } 16 | description = "Specify the configuration settings for Mongodb, including the name, environment, storage options, replication settings, and custom YAML values." 17 | } 18 | 19 | variable "mongodb_custom_credentials_enabled" { 20 | type = bool 21 | default = false 22 | description = "Specifies whether to enable custom credentials for MongoDB database." 
23 | } 24 | 25 | variable "mongodb_custom_credentials_config" { 26 | type = any 27 | default = { 28 | root_user = "" 29 | root_password = "" 30 | metric_exporter_user = "" 31 | metric_exporter_password = "" 32 | } 33 | description = "Specify the configuration settings for Mongodb to pass custom credentials during creation." 34 | } 35 | 36 | variable "chart_version" { 37 | type = string 38 | default = "13.1.5" 39 | description = "Version of the Mongodb chart that will be used to deploy Mongodb application." 40 | } 41 | 42 | variable "app_version" { 43 | type = string 44 | default = "5.0.8-debian-10-r9" 45 | description = "Version of the Mongodb application that will be deployed." 46 | } 47 | 48 | variable "namespace" { 49 | type = string 50 | default = "mongodb" 51 | description = "Name of the Kubernetes namespace where the Mongodb deployment will be deployed." 52 | } 53 | 54 | variable "mongodb_backup_enabled" { 55 | type = bool 56 | default = false 57 | description = "Specifies whether to enable backups for Mongodb database." 58 | } 59 | 60 | variable "mongodb_backup_config" { 61 | type = any 62 | default = { 63 | bucket_uri = "" 64 | s3_bucket_region = "us-east-2" 65 | cron_for_full_backup = "*/5 * * * *" 66 | } 67 | description = "Configuration options for Mongodb database backups. It includes properties such as the S3 bucket URI, the S3 bucket region, and the cron expression for full backups." 68 | } 69 | 70 | variable "mongodb_exporter_enabled" { 71 | type = bool 72 | default = false 73 | description = "Specify whether or not to deploy Mongodb exporter to collect Mongodb metrics for monitoring in Grafana." 74 | } 75 | 76 | variable "mongodb_exporter_config" { 77 | type = any 78 | default = { 79 | version = "2.9.0" 80 | } 81 | description = "Specify whether or not to deploy Mongodb exporter to collect Mongodb metrics for monitoring in Grafana." 
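82 | } 83 | 
# Default 0 deletes the AWS secret immediately with no recovery window; set 7-30 where an accidental
# destroy must be recoverable (the description documents the accepted range).
84 | variable "recovery_window_aws_secret" { 85 | type = number 86 | default = 0 87 | description = "Number of days that AWS Secrets Manager will wait before deleting a secret. This value can be set to 0 to force immediate deletion, or to a value between 7 and 30 days to allow for recovery." 88 | } 89 | 90 | variable "cluster_name" { 91 | type = string 92 | default = "" 93 | description = "Specifies the name of the EKS cluster to deploy the Mongodb application on." 94 | } 95 | 
# Declared as bool to match its boolean default (it was typed string with default = false); callers
# passing the strings "true"/"false" still convert, so the change is backward compatible.
96 | variable "create_namespace" { 97 | type = bool 98 | default = false 99 | description = "Specify whether or not to create the namespace if it does not already exist. Set it to true to create the namespace." 100 | } 101 | 102 | variable "mongodb_restore_enabled" { 103 | type = bool 104 | default = false 105 | description = "Specifies whether to enable restoring dump to the Mongodb database." 106 | } 107 | 
# The default bucket_uri is a sample path; it only matters when mongodb_restore_enabled is true and
# should be overridden by the caller.
108 | variable "mongodb_restore_config" { 109 | type = any 110 | default = { 111 | bucket_uri = "s3://mymongo/mongodumpfull_20230424_112501.gz" 112 | s3_bucket_region = "us-east-2" 113 | file_name = "" 114 | } 115 | description = "Configuration options for restoring dump to the Mongodb database." 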
116 | } 117 | 118 | variable "project_id" { 119 | description = "Google Cloud project ID" 120 | type = string 121 | default = "" 122 | } 123 | 
# Accepted values per the description are s3 and gcs; no validation block enforces this.
124 | variable "bucket_provider_type" { 125 | type = string 126 | default = "gcs" 127 | description = "Choose what type of provider you want (s3, gcs)" 128 | } 129 | 
# NOTE(review): root_password, metric_exporter_password and azure_storage_account_key below are plain
# string variables without sensitive = true, so their values appear in plan output and logs. Marking
# them sensitive would also require the mongodb_credential output that reuses them to be marked
# sensitive, so this is left as a recommendation here.
130 | variable "root_password" { 131 | description = "Root password for MongoDB" 132 | type = string 133 | default = "" 134 | } 135 | 136 | variable "metric_exporter_password" { 137 | description = "Metric exporter password for MongoDB" 138 | type = string 139 | default = "" 140 | } 141 | 142 | variable "iam_role_arn_backup" { 143 | description = "IAM role ARN for backup (AWS)" 144 | type = string 145 | default = "" 146 | } 147 | 148 | variable "service_account_backup" { 149 | description = "Service account for backup (GCP)" 150 | type = string 151 | default = "" 152 | } 153 | 154 | variable "iam_role_arn_restore" { 155 | description = "IAM role ARN for restore (AWS)" 156 | type = string 157 | default = "" 158 | } 159 | 160 | variable "service_account_restore" { 161 | description = "Service account for restore (GCP)" 162 | type = string 163 | default = "" 164 | } 165 | 166 | variable "resource_group_name" { 167 | description = "Azure Resource Group name" 168 | type = string 169 | default = "" 170 | } 171 | 172 | variable "resource_group_location" { 173 | description = "Azure region" 174 | type = string 175 | default = "East US" 176 | } 177 | variable "azure_storage_account_name" { 178 | description = "Azure storage account name" 179 | type = string 180 | default = "" 181 | } 182 | 
# Storage account key is a long-lived credential; see the note on root_password above about
# sensitive = true.
183 | variable "azure_storage_account_key" { 184 | description = "Azure storage account key" 185 | type = string 186 | default = "" 187 | } 188 | 189 | variable "azure_container_name" { 190 | description = "Azure container name" 191 | type = string 192 | default = "" 193 | } 194 | 195 | variable "az_account_backup" { 196 | description = "Azure user managed account backup identity" 197 
| type = string 198 | default = "" 199 | } 200 | 201 | variable "az_account_restore" { 202 | description = "Azure user managed account restore identity" 203 | type = string 204 | default = "" 205 | } 206 | 207 | 208 | variable "mongodb_exporter_values" { 209 | description = "Mongo DB prometheus exporter values file" 210 | type = any 211 | default = "" 212 | } 213 | --------------------------------------------------------------------------------