在 Azure Kubernetes 服务 (AKS) 上配置和部署 MongoDB 群集
在本文中,你将在 Azure Kubernetes 服务 (AKS) 上配置和部署 MongoDB 群集。
配置工作负载标识
使用
kubectl create namespace命令为 MongoDB 群集创建一个命名空间:kubectl create namespace ${AKS_MONGODB_NAMESPACE} --dry-run=client --output yaml | kubectl apply -f -示例输出:
namespace/mongodb created使用
kubectl apply命令创建服务帐户并配置工作负载标识:export TENANT_ID=$(az account show --query tenantId -o tsv) cat <<EOF | kubectl apply -f - apiVersion: v1 kind: ServiceAccount metadata: annotations: azure.workload.identity/client-id: "${MY_IDENTITY_NAME_CLIENT_ID}" azure.workload.identity/tenant-id: "${TENANT_ID}" name: "${SERVICE_ACCOUNT_NAME}" namespace: "${AKS_MONGODB_NAMESPACE}" EOF示例输出:
serviceaccount/mongodb created
安装 External Secrets Operator
在本部分中,你将使用 Helm 安装 External Secrets Operator。 External Secrets Operator 是一个 Kubernetes 运营商,用于管理存储在外部机密存储(如 Azure 密钥保管库)中的外部机密的生命周期。
使用
helm repo add和helm repo update命令添加 External Secrets Helm 存储库并更新该存储库。helm repo add external-secrets https://charts.external-secrets.io helm repo update示例输出:
Hang tight while we grab the latest from your chart repositories... ...Successfully got an update from the "external-secrets" chart repository使用
helm install命令安装 External Secrets Operator。helm install external-secrets \ external-secrets/external-secrets \ --namespace ${AKS_MONGODB_NAMESPACE} \ --create-namespace \ --set installCRDs=true \ --wait示例输出:
NAME: external-secrets LAST DEPLOYED: Tue Jun 11 11:55:32 2024 NAMESPACE: mongodb STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: external-secrets has been deployed successfully in namespace mongodb! In order to begin using ExternalSecrets, you will need to set up a SecretStore or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore). More information on the different types of SecretStores and how to configure them can be found in our Github: https://github.com/external-secrets/external-secrets使用
az keyvault secret set命令为 MongoDB 群集生成一个随机密码,并将其存储在 Azure Key Vault 中:#MongoDB connection strings can contain special characters in the password, which need to be URL encoded. #This is because the connection string is a URI, and special characters can interfere with the URI structure. #This function generates secrets of 32 characters using only alphanumeric characters. generateRandomPasswordString() { cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 }创建用于任何备份和还原操作的 MongoDB 备份用户和密码机密:
az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-BACKUP-USER --value MONGODB_BACKUP_USER --output table az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-BACKUP-PASSWORD --value $(generateRandomPasswordString) --output table创建 MongoDB 数据库管理员用户和密码机密以进行数据库管理:
az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-DATABASE-ADMIN-USER --value MONGODB_DATABASE_ADMIN_USER --output table az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-DATABASE-ADMIN-PASSWORD --value $(generateRandomPasswordString) --output table为向多个数据库提供管理的群集管理角色创建 MongoDB 群集管理用户和管理员机密:
az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-CLUSTER-ADMIN-USER --value MONGODB_CLUSTER_ADMIN_USER --output table az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-CLUSTER-ADMIN-PASSWORD --value $(generateRandomPasswordString) --output table创建用于群集监视的 MongoDB 群集监视用户和管理员机密:
az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-CLUSTER-MONITOR-USER --value MONGODB_CLUSTER_MONITOR_USER --output table az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-CLUSTER-MONITOR-PASSWORD --value $(generateRandomPasswordString) --output table创建用于用户管理的用户和密码机密:
az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-USER-ADMIN-USER --value MONGODB_USER_ADMIN_USER --output table az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-USER-ADMIN-PASSWORD --value $(generateRandomPasswordString) --output table添加
AZURE-STORAGE-ACCOUNT-NAME以便稍后用于备份:az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name AZURE-STORAGE-ACCOUNT-NAME --value $AKS_MONGODB_BACKUP_STORAGE_ACCOUNT_NAME --output table上述每个命令的示例输出:
Name Value ------------------ -------------------------------------------- PMM-SERVER-API-KEY KH4uE6MlJ6fbhVbVT5sz...
创建机密
使用
kubectl apply命令创建SecretStore资源以访问存储在密钥保管库中的 MongoDB 密码:kubectl apply -f - <<EOF apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: azure-store namespace: ${AKS_MONGODB_NAMESPACE} spec: provider: # provider type: azure keyvault azurekv: authType: WorkloadIdentity vaultUrl: "${KEYVAULTURL}" serviceAccountRef: name: ${SERVICE_ACCOUNT_NAME} EOF示例输出:
secretstore.external-secrets.io/azure-store created使用
kubectl apply命令创建ExternalSecret资源。 此资源使用密钥保管库中存储的 MongoDB 机密在mongodb命名空间中创建一个 Kubernetes 机密。kubectl apply -f - <<EOF apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: ${AKS_MONGODB_SECRETS_NAME} namespace: ${AKS_MONGODB_NAMESPACE} spec: refreshInterval: 1h secretStoreRef: kind: SecretStore name: azure-store target: name: "${AKS_MONGODB_SECRETS_NAME}" creationPolicy: Owner data: # name of the SECRET in the Azure key vault (no prefix is by default a SECRET) - secretKey: MONGODB_BACKUP_USER remoteRef: key: MONGODB-BACKUP-USER - secretKey: MONGODB_BACKUP_PASSWORD remoteRef: key: MONGODB-BACKUP-PASSWORD - secretKey: MONGODB_DATABASE_ADMIN_USER remoteRef: key: MONGODB-DATABASE-ADMIN-USER - secretKey: MONGODB_DATABASE_ADMIN_PASSWORD remoteRef: key: MONGODB-DATABASE-ADMIN-PASSWORD - secretKey: MONGODB_CLUSTER_ADMIN_USER remoteRef: key: MONGODB-CLUSTER-ADMIN-USER - secretKey: MONGODB_CLUSTER_ADMIN_PASSWORD remoteRef: key: MONGODB-CLUSTER-ADMIN-PASSWORD - secretKey: MONGODB_CLUSTER_MONITOR_USER remoteRef: key: MONGODB-CLUSTER-MONITOR-USER - secretKey: MONGODB_CLUSTER_MONITOR_PASSWORD remoteRef: key: MONGODB-CLUSTER-MONITOR-PASSWORD - secretKey: MONGODB_USER_ADMIN_USER remoteRef: key: MONGODB-USER-ADMIN-USER - secretKey: MONGODB_USER_ADMIN_PASSWORD remoteRef: key: MONGODB-USER-ADMIN-PASSWORD EOF示例输出:
externalsecret.external-secrets.io/cluster-aks-mongodb-secrets created使用
kubectl apply命令创建ExternalSecret资源。 此资源在mongodb命名空间中为密钥保管库中存储的 Azure Blob 存储机密创建一个 Kubernetes 机密。kubectl apply -f - <<EOF apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: ${AKS_AZURE_SECRETS_NAME} namespace: ${AKS_MONGODB_NAMESPACE} spec: refreshInterval: 1h secretStoreRef: kind: SecretStore name: azure-store target: name: "${AKS_AZURE_SECRETS_NAME}" creationPolicy: Owner data: # name of the SECRET in the Azure key vault (no prefix is by default a SECRET) - secretKey: AZURE_STORAGE_ACCOUNT_NAME remoteRef: key: AZURE-STORAGE-ACCOUNT-NAME - secretKey: AZURE_STORAGE_ACCOUNT_KEY remoteRef: key: AZURE-STORAGE-ACCOUNT-KEY EOF示例输出:
externalsecret.external-secrets.io/cluster-aks-azure-secrets created使用
az identity federated-credential create命令创建一个联合凭据。az identity federated-credential create \ --name external-secret-operator \ --identity-name ${MY_IDENTITY_NAME} \ --resource-group ${MY_RESOURCE_GROUP_NAME} \ --issuer ${OIDC_URL} \ --subject system:serviceaccount:${AKS_MONGODB_NAMESPACE}:${SERVICE_ACCOUNT_NAME} \ --output table示例输出:
Issuer Name ResourceGroup Subject ----------------------------------------------------------------------------------------------------------------------- ------------------------ -------------------------------- ------------------------------------- https://chinanorth3.oic.prod-aks.azure.com/07fa200c-6006-411f-bb29-a43bdf1a2bcc/d0709689-42d4-49a4-a6c8-5caa0b2384ba/ external-secret-operator myResourceGroup-rg-chinanorth3 system:serviceaccount:mongodb:mongodb使用
az keyvault set-policy命令授予用户分配的标识用于访问机密的权限。az keyvault set-policy --name $MY_KEYVAULT_NAME --object-id $MY_IDENTITY_NAME_PRINCIPAL_ID --secret-permissions get --output table示例输出:
Location Name ResourceGroup ------------- -------------- -------------------------------- chinanorth3 vault-cjcfc-kv myResourceGroup-rg-chinanorth3
安装 Percona Operator 和 CRD
Percona Operator 通常以 Kubernetes Deployment 或 Operator 形式分发。 可以使用 kubectl apply -f 命令和一个清单文件来部署它。 可以在 Percona GitHub 存储库或官方文档中找到最新的清单。
部署 Percona Operator 并使用 kubectl apply 命令自定义资源定义 (CRD):
kubectl apply --server-side -f https://raw.githubusercontent.com/percona/percona-server-mongodb-operator/v1.16.0/deploy/bundle.yaml -n "${AKS_MONGODB_NAMESPACE}"
示例输出:
customresourcedefinition.apiextensions.k8s.io/perconaservermongodbbackups.psmdb.percona.com serverside-applied
customresourcedefinition.apiextensions.k8s.io/perconaservermongodbrestores.psmdb.percona.com serverside-applied
customresourcedefinition.apiextensions.k8s.io/perconaservermongodbs.psmdb.percona.com serverside-applied
role.rbac.authorization.k8s.io/percona-server-mongodb-operator serverside-applied
serviceaccount/percona-server-mongodb-operator serverside-applied
rolebinding.rbac.authorization.k8s.io/service-account-percona-server-mongodb-operator serverside-applied
deployment.apps/percona-server-mongodb-operator serverside-applied
部署 MongoDB 群集
使用 Percona Operator 部署 MongoDB 群集。 为了帮助确保高可用性,MongoDB 群集部署时附带了一个副本集、启用了分片并位于多个可用性区域中。 MongoDB 群集部署时随附一个备份解决方案,用于将备份存储在 Azure Blob 存储帐户中。
该脚本使用以下配置部署 MongoDB 群集:
kubectl apply -f - <<EOF apiVersion: psmdb.percona.com/v1 kind: PerconaServerMongoDB metadata: name: ${AKS_MONGODB_CLUSTER_NAME} namespace: ${AKS_MONGODB_NAMESPACE} finalizers: - delete-psmdb-pods-in-order spec: crVersion: 1.16.0 image: ${MY_ACR_REGISTRY}.azurecr.cn/percona-server-mongodb:7.0.8-5 imagePullPolicy: Always updateStrategy: SmartUpdate upgradeOptions: versionServiceEndpoint: https://check.percona.com apply: disabled schedule: "0 2 * * *" setFCV: false secrets: users: "${AKS_MONGODB_SECRETS_NAME}" encryptionKey: "${AKS_MONGODB_SECRETS_ENCRYPTION_KEY}" pmm: enabled: false image: ${MY_ACR_REGISTRY}.azurecr.cn/pmm-client:2.41.2 serverHost: monitoring-service replsets: - name: rs0 size: 3 affinity: antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone" podDisruptionBudget: maxUnavailable: 1 expose: enabled: false exposeType: ClusterIP resources: limits: cpu: "300m" memory: "0.5G" requests: cpu: "300m" memory: "0.5G" volumeSpec: persistentVolumeClaim: storageClassName: managed-csi-premium accessModes: ["ReadWriteOnce"] resources: requests: storage: 1Gi nonvoting: enabled: false size: 3 affinity: antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone" podDisruptionBudget: maxUnavailable: 1 resources: limits: cpu: "300m" memory: "0.5G" requests: cpu: "300m" memory: "0.5G" volumeSpec: persistentVolumeClaim: storageClassName: managed-csi-premium accessModes: ["ReadWriteOnce"] resources: requests: storage: 1Gi arbiter: enabled: false size: 1 affinity: antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone" resources: limits: cpu: "300m" memory: "0.5G" requests: cpu: "300m" memory: "0.5G" sharding: enabled: true configsvrReplSet: size: 3 affinity: antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone" podDisruptionBudget: maxUnavailable: 1 expose: enabled: false resources: limits: cpu: "300m" memory: "0.5G" requests: cpu: "300m" memory: "0.5G" volumeSpec: persistentVolumeClaim: storageClassName: managed-csi-premium accessModes: ["ReadWriteOnce"] resources: requests: storage: 1Gi mongos: size: 3 affinity: antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone" podDisruptionBudget: maxUnavailable: 1 resources: limits: cpu: "300m" memory: "0.5G" requests: cpu: "300m" memory: "0.5G" expose: exposeType: ClusterIP backup: enabled: true image: ${MY_ACR_REGISTRY}.azurecr.cn/percona-backup-mongodb:2.4.1 storages: azure-blob: type: azure azure: container: "${AKS_MONGODB_BACKUP_STORAGE_CONTAINER_NAME}" prefix: psmdb endpointUrl: "https://${AKS_MONGODB_BACKUP_STORAGE_ACCOUNT_NAME}.blob.core.chinacloudapi.cn" credentialsSecret: "${AKS_AZURE_SECRETS_NAME}" pitr: enabled: false oplogOnly: false compressionType: gzip compressionLevel: 6 tasks: - name: daily-azure-us-east enabled: true schedule: "0 0 * * *" keep: 3 storageName: azure-blob compressionType: gzip compressionLevel: 6 EOF示例输出:
perconaservermongodb.psmdb.percona.com/cluster-aks-mongodb created使用以下脚本完成 MongoDB 群集部署过程:
while [ "$(kubectl get psmdb -n ${AKS_MONGODB_NAMESPACE} -o jsonpath='{.items[0].status.state}')" != "ready" ]; do echo "waiting for MongoDB cluster to be ready"; sleep 10; done该过程完成后,群集会显示
ready状态。 若要查看状态,请运行以下命令:kubectl get psmdb -n ${AKS_MONGODB_NAMESPACE}示例输出:
NAME ENDPOINT STATUS AGE cluster-aks-mongodb cluster-aks-mongodb-mongos.mongodb.svc.cluster.local ready 3m1s为了帮助确保高可用性,MongoDB 群集将部署在多个可用性区域中。 若要查看此信息,请运行以下命令:
kubectl get node -o custom-columns=Name:.metadata.name,Zone:".metadata.labels.topology\.kubernetes\.io/zone"示例输出:
Name Zone aks-nodepool1-28994785-vmss000000 chinanorth3-1 aks-nodepool1-28994785-vmss000001 chinanorth3-2 aks-nodepool1-28994785-vmss000002 chinanorth3-3
连接到 Percona Server
若要连接到 Percona Server for MongoDB,需要构造 MongoDB 连接 URI 字符串。 它包含管理员用户的凭据,该凭据存储在 Secrets 对象中。
使用
kubectl get命令列出Secrets对象:kubectl get secrets -n ${AKS_MONGODB_NAMESPACE}示例输出:
NAME TYPE DATA AGE cluster-aks-azure-secrets Opaque 2 2m56s cluster-aks-mongodb-mongodb-keyfile Opaque 1 2m54s cluster-aks-mongodb-secrets Opaque 11 2m56s cluster-aks-mongodb-secrets-mongodb-encryption-key Opaque 1 2m54s cluster-aks-mongodb-ssl kubernetes.io/tls 3 2m55s cluster-aks-mongodb-ssl-internal kubernetes.io/tls 3 2m54s external-secrets-webhook Opaque 4 3m49s internal-cluster-aks-mongodb-users Opaque 11 2m56s sh.helm.release.v1.external-secrets.v1 helm.sh/release.v1 1 3m49s使用
kubectl get命令查看Secrets内容以检索管理员用户凭据:kubectl get secret ${AKS_MONGODB_SECRETS_NAME} -o yaml -n ${AKS_MONGODB_NAMESPACE}示例输出:
apiVersion: v1 data: MONGODB_BACKUP_PASSWORD: SmhBRFo4aXNI... MONGODB_BACKUP_USER: TU9OR09EQl9... MONGODB_CLUSTER_ADMIN_PASSWORD: cE1oOFRMS1p0VkRQc... MONGODB_CLUSTER_ADMIN_USER: TU9OR09EQl9DTFV... MONGODB_CLUSTER_MONITOR_PASSWORD: emRuc0tPSVdWR0ZtS01i... MONGODB_CLUSTER_MONITOR_USER: TU9OR09EQl9DTFV... MONGODB_DATABASE_ADMIN_PASSWORD: cmZDZ2xEbDR2SVI... MONGODB_DATABASE_ADMIN_USER: TU9OR09EQl9EQVRB... MONGODB_USER_ADMIN_PASSWORD: ZE1uQW9tOXVNVGdyMVh... MONGODB_USER_ADMIN_USER: TU9OR09EQl9VU0... immutable: false kind: Secret metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"external-secrets.io/v1beta1","kind":"ExternalSecret","metadata":{"annotations":{},"name":"cluster-aks-mongodb-secrets","namespace":"mongodb"},"spec":{"data":[{"remoteRef":{"key":"MONGODB-BACKUP-USER"},"secretKey":"MONGODB_BACKUP_USER"},{"remoteRef":{"key":"MONGODB-BACKUP-PASSWORD"},"secretKey":"MONGODB_BACKUP_PASSWORD"},{"remoteRef":{"key":"MONGODB-DATABASE-ADMIN-USER"},"secretKey":"MONGODB_DATABASE_ADMIN_USER"},{"remoteRef":{"key":"MONGODB-DATABASE-ADMIN-PASSWORD"},"secretKey":"MONGODB_DATABASE_ADMIN_PASSWORD"},{"remoteRef":{"key":"MONGODB-CLUSTER-ADMIN-USER"},"secretKey":"MONGODB_CLUSTER_ADMIN_USER"},{"remoteRef":{"key":"MONGODB-CLUSTER-ADMIN-PASSWORD"},"secretKey":"MONGODB_CLUSTER_ADMIN_PASSWORD"},{"remoteRef":{"key":"MONGODB-CLUSTER-MONITOR-USER"},"secretKey":"MONGODB_CLUSTER_MONITOR_USER"},{"remoteRef":{"key":"MONGODB-CLUSTER-MONITOR-PASSWORD"},"secretKey":"MONGODB_CLUSTER_MONITOR_PASSWORD"},{"remoteRef":{"key":"MONGODB-USER-ADMIN-USER"},"secretKey":"MONGODB_USER_ADMIN_USER"},{"remoteRef":{"key":"MONGODB-USER-ADMIN-PASSWORD"},"secretKey":"MONGODB_USER_ADMIN_PASSWORD"}],"refreshInterval":"1h","secretStoreRef":{"kind":"SecretStore","name":"azure-store"},"target":{"creationPolicy":"Owner","name":"cluster-aks-mongodb-secrets"}}} reconcile.external-secrets.io/data-hash: 66c2c896ca641ffd72afead32fc24239 creationTimestamp: "2024-07-01T12:24:38Z" labels: reconcile.external-secrets.io/created-by: d2ddd20e883057790bca8dc5f304303d name: cluster-aks-mongodb-secrets namespace: mongodb ownerReferences: - apiVersion: external-secrets.io/v1beta1 blockOwnerDeletion: true controller: true kind: ExternalSecret name: cluster-aks-mongodb-secrets uid: 2e24dbbd-7144-4227-9015-5bd69468953a resourceVersion: "1872" uid: 3b37617f-b3e3-40df-8dff-d9e5c1916275 type: Opaque使用以下命令从输出中解码 Base64 编码的登录名和密码:
#Decode login name and password on the output, which are Base64-encoded export databaseAdmin=$(kubectl get secret ${AKS_MONGODB_SECRETS_NAME} -n ${AKS_MONGODB_NAMESPACE} -o jsonpath="{.data.MONGODB_DATABASE_ADMIN_USER}" | base64 --decode) export databaseAdminPassword=$(kubectl get secret ${AKS_MONGODB_SECRETS_NAME} -n ${AKS_MONGODB_NAMESPACE} -o jsonpath="{.data.MONGODB_DATABASE_ADMIN_PASSWORD}" | base64 --decode) echo $databaseAdmin echo $databaseAdminPassword echo $AKS_MONGODB_CLUSTER_NAME示例输出:
MONGODB_DATABASE_ADMIN_USER rfCglDl4vIR3W... cluster-aks-mongodb
验证 MongoDB 群集
若要验证 MongoDB 群集,请使用 MongoDB 客户端运行容器,并将其控制台输出连接到终端:
使用
kubectl run命令在群集的${AKS_MONGODB_NAMESPACE}命名空间下创建名为percona-client的 Pod:kubectl -n "${AKS_MONGODB_NAMESPACE}" run -i --rm --tty percona-client --image=${MY_ACR_REGISTRY}.azurecr.cn/percona-server-mongodb:7.0.8-5 --restart=Never -- bash -il在另一个终端窗口中,使用
kubectl get命令验证 Pod 是否已成功创建:kubectl get pod percona-client -n ${AKS_MONGODB_NAMESPACE}示例输出:
NAME READY STATUS RESTARTS AGE percona-client 1/1 Running 0 39s在你用于创建
percona-clientPod 的终端窗口中使用上一部分中的管理员用户凭据连接到 MongoDB 群集:# Note: Replace variables `databaseAdmin` , `databaseAdminPassword` and `AKS_MONGODB_CLUSTER_NAME` with actual values printed in step 3. mongosh "mongodb://${databaseAdmin}:${databaseAdminPassword}@${AKS_MONGODB_CLUSTER_NAME}-mongos.mongodb.svc.cluster.local/admin?replicaSet=rs0&ssl=false&directConnection=true"示例输出:
Current Mongosh Log ID: 66c76906115c6c831866efba Connecting to: mongodb://<credentials>@cluster-aks-mongodb-mongos.mongodb.svc.cluster.local/admin?replicaSet=rs0&ssl=false&directConnection=true&appName=mongosh+2.1.5 Using MongoDB: 7.0.8-5 Using Mongosh: 2.1.5 For mongosh info see: https://docs.mongodb.com/mongodb-shell/ ...使用
show dbs命令列出群集中的数据库:show dbs示例输出:
rs0 [direct: mongos] admin> show dbs admin 960.00 KiB config 3.45 MiB rs0 [direct: mongos] admin>
创建 MongoDB 备份
可以使用以下方法之一将数据备份到 Azure:
- 手动:随时手动备份数据。
- 计划:在 CRD YAML 中配置备份及其计划。 Percona Operator 根据指定的计划自动创建备份。
Percona Operator 可执行以下任一备份类型:
- 逻辑备份:查询 Percona Server for MongoDB 以获取数据库数据,然后将检索到的数据写入远程备份存储。
- 物理备份:将物理文件从 Percona Server for MongoDB
dbPath数据目录复制到远程备份存储。
逻辑备份使用的存储较少,但比物理备份慢。
若要使用 Percona 将备份存储在 Azure Blob 存储上,你需要创建机密。 你已在前面的命令中完成了此步骤。 有关详细说明,请按照有关 Azure Blob 存储的 Percona 文档中的步骤进行操作。
配置计划备份
可以使用以下指南在 mongodb-cr.yaml 中 CRD 的备份部分中定义备份计划:
- 将
backup.enabled项设置为true。 - 确保
backup.storages小节至少包含一个已配置的存储资源。 - 确保
backup.tasks小节启用备份计划。
有关详细信息,请参阅创建计划备份。
执行手动备份
可以使用以下指南在 mongodb-cr.yaml 中 CRD 的备份部分中创建一个手动、按需的备份:
- 将
backup.enabled项设置为true。 - 确保
backup.storages小节至少包含一个已配置的存储资源。
有关详细信息,请参阅创建按需备份。
部署 MongoDB 备份
使用
kubectl apply命令部署 MongoDB 备份:kubectl apply -f - <<EOF apiVersion: psmdb.percona.com/v1 kind: PerconaServerMongoDBBackup metadata: finalizers: - delete-backup name: az-backup1 namespace: ${AKS_MONGODB_NAMESPACE} spec: clusterName: ${AKS_MONGODB_CLUSTER_NAME} storageName: azure-blob type: logical EOF示例输出:
perconaservermongodbbackup.psmdb.percona.com/az-backup1 created使用以下脚本完成 MongoDB 备份部署过程:
while [ "$(kubectl get psmdb-backup -n ${AKS_MONGODB_NAMESPACE} -o jsonpath='{.items[0].status.state}')" != "ready" ]; do echo "waiting for the backup to be ready"; sleep 10; done示例输出:
waiting for the backup to be ready该过程完成后,备份应返回
ready状态。 使用kubectl get命令验证备份部署是否成功:kubectl get psmdb-backup -n ${AKS_MONGODB_NAMESPACE}示例输出:
NAME CLUSTER STORAGE DESTINATION TYPE STATUS COMPLETED AGE az-backup1 cluster-aks-mongodb azure-blob https://mongodbsacjcfc.blob.core.chinacloudapi.cn/backups/psmdb/2024-07-01T12:27:57Z logical ready 3h3m 3h3m如果备份出现问题,可以使用以下命令查看相应 Pod 的
backup-agent容器中的日志:kubectl logs pod/${AKS_MONGODB_CLUSTER_NAME}-rs0-0 -c backup-agent -n ${AKS_MONGODB_NAMESPACE}
相关内容
若要详细了解如何在 AKS 上部署开源软件,请参阅以下文章: