在本文中,你将在 Azure Kubernetes 服务 (AKS) 上配置和部署 MongoDB 群集。
配置工作负载标识
使用
kubectl create namespace命令为 MongoDB 群集创建命名空间。kubectl create namespace ${AKS_MONGODB_NAMESPACE} --dry-run=client --output yaml | kubectl apply -f -示例输出:
namespace/mongodb created使用
kubectl apply命令创建服务帐户并配置工作负荷标识。export TENANT_ID=$(az account show --query tenantId -o tsv) cat <<EOF | kubectl apply -f - apiVersion: v1 kind: ServiceAccount metadata: annotations: azure.workload.identity/client-id: "${MY_IDENTITY_NAME_CLIENT_ID}" azure.workload.identity/tenant-id: "${TENANT_ID}" name: "${SERVICE_ACCOUNT_NAME}" namespace: "${AKS_MONGODB_NAMESPACE}" EOF示例输出:
serviceaccount/mongodb created
安装 External Secrets Operator
在本部分中,你将使用 Helm 安装 External Secrets Operator。 External Secrets Operator 是一个 Kubernetes 运营商,用于管理存储在外部机密存储(如 Azure 密钥保管库)中的外部机密的生命周期。
添加外部机密 Helm 存储库,并使用
helm repo add和helm repo update命令更新存储库。helm repo add external-secrets https://charts.external-secrets.io helm repo update示例输出:
Hang tight while we grab the latest from your chart repositories... ...Successfully got an update from the "external-secrets" chart repository使用
helm install命令安装外部机密操作员。helm install external-secrets \ external-secrets/external-secrets \ --namespace ${AKS_MONGODB_NAMESPACE} \ --create-namespace \ --set installCRDs=true \ --wait \ --set nodeSelector."kubernetes\.azure\.com/agentpool"=mongodbpool示例输出:
NAME: external-secrets LAST DEPLOYED: Tue Jun 11 11:55:32 2024 NAMESPACE: mongodb STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: external-secrets has been deployed successfully in namespace mongodb! In order to begin using ExternalSecrets, you will need to set up a SecretStore or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore). More information on the different types of SecretStores and how to configure them can be found in our Github: https://github.com/external-secrets/external-secrets使用以下函数生成随机密码:
#MongoDB connection strings can contain special characters in the password, which need to be URL encoded. #This is because the connection string is a URI, and special characters can interfere with the URI structure. #This function generates secrets of 32 characters using only alphanumeric characters. generateRandomPasswordString() { cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 }
创建 MongoDB 机密
使用
az keyvault secret set创建MongoDB备份用户和密码密钥,以便在任何备份和恢复操作中使用。az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-BACKUP-USER --value MONGODB_BACKUP_USER --output none az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-BACKUP-PASSWORD --value $(generateRandomPasswordString) --output none使用命令为数据库管理创建 MongoDB
az keyvault secret set机密。az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-DATABASE-ADMIN-USER --value MONGODB_DATABASE_ADMIN_USER --output none az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-DATABASE-ADMIN-PASSWORD --value $(generateRandomPasswordString) --output none为群集管理角色创建 MongoDB 群集管理用户和管理员 机密,该角色使用
az keyvault secret set命令为多个数据库提供管理。az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-CLUSTER-ADMIN-USER --value MONGODB_CLUSTER_ADMIN_USER --output none az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-CLUSTER-ADMIN-PASSWORD --value $(generateRandomPasswordString) --output none使用
az keyvault secret set为群集监视创建 MongoDB 群集监视用户和管理员机密。az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-CLUSTER-MONITOR-USER --value MONGODB_CLUSTER_MONITOR_USER --output none az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-CLUSTER-MONITOR-PASSWORD --value $(generateRandomPasswordString) --output none使用命令创建用户和密码机密进行
az keyvault secret set。az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-USER-ADMIN-USER --value MONGODB_USER_ADMIN_USER --output none az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name MONGODB-USER-ADMIN-PASSWORD --value $(generateRandomPasswordString) --output none使用
az keyvault secret set命令为用于访问 Percona Monitoring and Management (PMM) 服务器的 API 密钥创建机密。 稍后在部署 PMM 服务器时更新此机密的值。az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name PMM-SERVER-API-KEY --value $(openssl rand -base64 32) --output none添加
AZURE-STORAGE-ACCOUNT-NAME以便稍后使用az keyvault secret set命令进行备份。az keyvault secret set --vault-name $MY_KEYVAULT_NAME --name AZURE-STORAGE-ACCOUNT-NAME --value $AKS_MONGODB_BACKUP_STORAGE_ACCOUNT_NAME --output none
运行以下命令,使用以下配置更新
mongodb.tfvars之前创建的文件:cat >> mongodb.tfvars <<EOL mongodb_kv_secrets = { MONGODB-BACKUP-USER = "MONGODB_BACKUP_USER" MONGODB-BACKUP-PASSWORD = "$(generateRandomPasswordString)" MONGODB-DATABASE-ADMIN-USER = "MONGODB_DATABASE_ADMIN_USER" MONGODB-DATABASE-ADMIN-PASSWORD = "$(generateRandomPasswordString)" MONGODB-CLUSTER-ADMIN-USER = "MONGODB_CLUSTER_ADMIN_USER" MONGODB-CLUSTER-ADMIN-PASSWORD = "$(generateRandomPasswordString)" MONGODB-CLUSTER-MONITOR-USER = "MONGODB_CLUSTER_MONITOR_USER" MONGODB-CLUSTER-MONITOR-PASSWORD = "$(generateRandomPasswordString)" MONGODB-USER-ADMIN-USER = "MONGODB_USER_ADMIN_USER" MONGODB-USER-ADMIN-PASSWORD = "$(generateRandomPasswordString)" PMM-SERVER-API-KEY = "$(generateRandomPasswordString)" } EOL将 terraform 配置应用于目标资源。
terraform fmt terraform apply -var-file="mongodb.tfvars" -target module.mongodb[0].azurerm_key_vault_secret.this
创建机密资源
使用命令创建资源
SecretStore以访问密钥保管库kubectl apply中存储的 MongoDB 密码。kubectl apply -f - <<EOF apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: azure-store namespace: ${AKS_MONGODB_NAMESPACE} spec: provider: # provider type: azure keyvault azurekv: authType: WorkloadIdentity vaultUrl: "${KEYVAULTURL}" serviceAccountRef: name: ${SERVICE_ACCOUNT_NAME} EOF示例输出:
secretstore.external-secrets.io/azure-store created使用
kubectl apply命令创建ExternalSecret资源。 此资源使用密钥保管库中存储的 MongoDB 机密在mongodb命名空间中创建一个 Kubernetes 机密。kubectl apply -f - <<EOF apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: ${AKS_MONGODB_SECRETS_NAME} namespace: ${AKS_MONGODB_NAMESPACE} spec: refreshInterval: 1h secretStoreRef: kind: SecretStore name: azure-store target: name: "${AKS_MONGODB_SECRETS_NAME}" creationPolicy: Owner data: # name of the SECRET in the Azure key vault (no prefix is by default a SECRET) - secretKey: MONGODB_BACKUP_USER remoteRef: key: MONGODB-BACKUP-USER - secretKey: MONGODB_BACKUP_PASSWORD remoteRef: key: MONGODB-BACKUP-PASSWORD - secretKey: MONGODB_DATABASE_ADMIN_USER remoteRef: key: MONGODB-DATABASE-ADMIN-USER - secretKey: MONGODB_DATABASE_ADMIN_PASSWORD remoteRef: key: MONGODB-DATABASE-ADMIN-PASSWORD - secretKey: MONGODB_CLUSTER_ADMIN_USER remoteRef: key: MONGODB-CLUSTER-ADMIN-USER - secretKey: MONGODB_CLUSTER_ADMIN_PASSWORD remoteRef: key: MONGODB-CLUSTER-ADMIN-PASSWORD - secretKey: MONGODB_CLUSTER_MONITOR_USER remoteRef: key: MONGODB-CLUSTER-MONITOR-USER - secretKey: MONGODB_CLUSTER_MONITOR_PASSWORD remoteRef: key: MONGODB-CLUSTER-MONITOR-PASSWORD - secretKey: MONGODB_USER_ADMIN_USER remoteRef: key: MONGODB-USER-ADMIN-USER - secretKey: MONGODB_USER_ADMIN_PASSWORD remoteRef: key: MONGODB-USER-ADMIN-PASSWORD - secretKey: PMM_SERVER_API_KEY remoteRef: key: PMM-SERVER-API-KEY EOF示例输出:
externalsecret.external-secrets.io/cluster-aks-mongodb-secrets createdExternalSecret使用kubectl apply命令创建资源。 此资源在mongodb命名空间中为密钥保管库中存储的 Azure Blob 存储机密创建一个 Kubernetes 机密。kubectl apply -f - <<EOF apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: ${AKS_AZURE_SECRETS_NAME} namespace: ${AKS_MONGODB_NAMESPACE} spec: refreshInterval: 1h secretStoreRef: kind: SecretStore name: azure-store target: name: "${AKS_AZURE_SECRETS_NAME}" creationPolicy: Owner data: # name of the SECRET in the Azure key vault (no prefix is by default a SECRET) - secretKey: AZURE_STORAGE_ACCOUNT_NAME remoteRef: key: AZURE-STORAGE-ACCOUNT-NAME - secretKey: AZURE_STORAGE_ACCOUNT_KEY remoteRef: key: AZURE-STORAGE-ACCOUNT-KEY EOF示例输出:
externalsecret.external-secrets.io/cluster-aks-azure-secrets created
使用
az identity federated-credential create命令创建联合凭据。az identity federated-credential create \ --name external-secret-operator \ --identity-name ${MY_IDENTITY_NAME} \ --resource-group ${MY_RESOURCE_GROUP_NAME} \ --issuer ${OIDC_URL} \ --subject system:serviceaccount:${AKS_MONGODB_NAMESPACE}:${SERVICE_ACCOUNT_NAME} \ --output none使用
az keyvault set-policy命令为用户分配的身份授予访问机密的权限。az keyvault set-policy --name $MY_KEYVAULT_NAME --object-id $MY_IDENTITY_NAME_PRINCIPAL_ID --secret-permissions get --output table示例输出:
Location Name ResourceGroup ------------- -------------- -------------------------------- chinanorth3 vault-cjcfc-kv myResourceGroup-rg-chinanorth3
在
mongodb/main.tf中添加 terraform 配置以创建联合凭据。## Section to create the federated identity credential for external secret operator resource "azurerm_federated_identity_credential" "this" { name = "external-secret-operator" resource_group_name = var.resource_group_name audience = ["api://AzureADTokenExchange"] issuer = var.oidc_issuer_url parent_id = azurerm_user_assigned_identity.this.id subject = "system:serviceaccount:${var.mongodb_namespace}:${var.service_account_name}" }将以下 Terraform 配置添加到
mongodb/main.tf中,授予用户分配的标识访问机密的权限。## Section to assign permission to the user-assigned identity to access the secret resource "azurerm_key_vault_access_policy" "this" { key_vault_id = var.key_vault_id tenant_id = azurerm_user_assigned_identity.this.tenant_id object_id = azurerm_user_assigned_identity.this.principal_id secret_permissions = [ "Get" ] }应用 Terraform 配置。
terraform fmt terraform apply -var-file="mongodb.tfvars" \ -target=module.mongodb[0].azurerm_federated_identity_credential.this \ -target=module.mongodb[0].azurerm_key_vault_access_policy.this
安装 Percona Operator 和 CRD
Percona Operator 通常以 Kubernetes Deployment 或 Operator 形式分发。 可以使用 kubectl apply -f 命令和一个清单文件来部署它。 可以在 Percona GitHub 存储库或官方文档中找到最新的清单。
使用
kubectl apply命令部署 Percona 运算符和自定义资源定义(CRD)。kubectl apply --server-side -f https://raw.githubusercontent.com/percona/percona-server-mongodb-operator/v1.16.0/deploy/bundle.yaml -n "${AKS_MONGODB_NAMESPACE}"示例输出:
customresourcedefinition.apiextensions.k8s.io/perconaservermongodbbackups.psmdb.percona.com serverside-applied customresourcedefinition.apiextensions.k8s.io/perconaservermongodbrestores.psmdb.percona.com serverside-applied customresourcedefinition.apiextensions.k8s.io/perconaservermongodbs.psmdb.percona.com serverside-applied role.rbac.authorization.k8s.io/percona-server-mongodb-operator serverside-applied serviceaccount/percona-server-mongodb-operator serverside-applied rolebinding.rbac.authorization.k8s.io/service-account-percona-server-mongodb-operator serverside-applied deployment.apps/percona-server-mongodb-operator serverside-applied
部署 MongoDB 群集
使用
kubectl apply命令使用 Percona 运算符部署 MongoDB 群集。 为了帮助确保高可用性,可以在多个可用性区域中部署具有副本集、启用了分片的 MongoDB 群集,以及一个备份解决方案,用于将备份存储在 Azure Blob 存储帐户中。kubectl apply -f - <<EOF apiVersion: psmdb.percona.com/v1 kind: PerconaServerMongoDB metadata: name: ${AKS_MONGODB_CLUSTER_NAME} namespace: ${AKS_MONGODB_NAMESPACE} finalizers: - delete-psmdb-pods-in-order spec: crVersion: 1.16.0 image: ${MY_ACR_REGISTRY}.azurecr.cn/percona-server-mongodb:7.0.8-5 imagePullPolicy: Always updateStrategy: SmartUpdate upgradeOptions: versionServiceEndpoint: https://check.percona.com apply: disabled schedule: "0 2 * * *" setFCV: false secrets: users: "${AKS_MONGODB_SECRETS_NAME}" encryptionKey: "${AKS_MONGODB_SECRETS_ENCRYPTION_KEY}" pmm: enabled: true image: ${MY_ACR_REGISTRY}.azurecr.cn/pmm-client:2.41.2 serverHost: monitoring-service replsets: - name: rs0 size: 3 affinity: antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone" nodeSelector: kubernetes.azure.com/agentpool: "mongodbpool" podDisruptionBudget: maxUnavailable: 1 expose: enabled: false exposeType: ClusterIP resources: limits: cpu: "300m" memory: "0.5G" requests: cpu: "300m" memory: "0.5G" volumeSpec: persistentVolumeClaim: storageClassName: managed-csi-premium accessModes: ["ReadWriteOnce"] resources: requests: storage: 1Gi nonvoting: enabled: false size: 3 affinity: antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone" nodeSelector: kubernetes.azure.com/agentpool: "mongodbpool" podDisruptionBudget: maxUnavailable: 1 resources: limits: cpu: "300m" memory: "0.5G" requests: cpu: "300m" memory: "0.5G" volumeSpec: persistentVolumeClaim: storageClassName: managed-csi-premium accessModes: ["ReadWriteOnce"] resources: requests: storage: 1Gi arbiter: enabled: false size: 1 affinity: antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone" nodeSelector: kubernetes.azure.com/agentpool: "mongodbpool" resources: limits: cpu: "300m" memory: "0.5G" requests: cpu: "300m" memory: "0.5G" sharding: enabled: true configsvrReplSet: size: 3 affinity: antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone" nodeSelector: kubernetes.azure.com/agentpool: "mongodbpool" podDisruptionBudget: maxUnavailable: 1 expose: enabled: false resources: limits: cpu: "300m" memory: "0.5G" requests: cpu: "300m" memory: "0.5G" volumeSpec: persistentVolumeClaim: storageClassName: managed-csi-premium accessModes: ["ReadWriteOnce"] resources: requests: storage: 1Gi mongos: size: 3 affinity: antiAffinityTopologyKey: "failure-domain.beta.kubernetes.io/zone" nodeSelector: kubernetes.azure.com/agentpool: "mongodbpool" podDisruptionBudget: maxUnavailable: 1 resources: limits: cpu: "300m" memory: "0.5G" requests: cpu: "300m" memory: "0.5G" expose: exposeType: ClusterIP backup: enabled: true image: ${MY_ACR_REGISTRY}.azurecr.cn/percona-backup-mongodb:2.4.1 storages: azure-blob: type: azure azure: container: "${AKS_MONGODB_BACKUP_STORAGE_CONTAINER_NAME}" prefix: psmdb endpointUrl: "https://${AKS_MONGODB_BACKUP_STORAGE_ACCOUNT_NAME}.blob.core.chinacloudapi.cn" credentialsSecret: "${AKS_AZURE_SECRETS_NAME}" pitr: enabled: false oplogOnly: false compressionType: gzip compressionLevel: 6 tasks: - name: daily-azure-us-east enabled: true schedule: "0 0 * * *" keep: 3 storageName: azure-blob compressionType: gzip compressionLevel: 6 EOF示例输出:
perconaservermongodb.psmdb.percona.com/cluster-aks-mongodb created使用以下脚本完成 MongoDB 群集部署过程:
while [ "$(kubectl get psmdb -n ${AKS_MONGODB_NAMESPACE} -o jsonpath='{.items[0].status.state}')" != "ready" ]; do echo "waiting for MongoDB cluster to be ready"; sleep 10; done该过程完成后,群集会显示
Ready状态。 可以使用命令查看状态kubectl get。kubectl get psmdb -n ${AKS_MONGODB_NAMESPACE}示例输出:
NAME ENDPOINT STATUS AGE cluster-aks-mongodb cluster-aks-mongodb-mongos.mongodb.svc.cluster.local ready 3m1s使用
kubectl get命令查看群集中节点的可用性区域。kubectl get node -o custom-columns=Name:.metadata.name,Zone:".metadata.labels.topology\.kubernetes\.io/zone"示例输出:
Name Zone aks-mongodbpool-30094695-vmss000000 chinanorth3-1-1 aks-systempool-28994785-vmss000000 chinanorth3-1 aks-systempool-28994785-vmss000001 chinanorth3-2 aks-systempool-28994785-vmss000002 chinanorth3-3
连接到 Percona Server
若要连接到 Percona Server for MongoDB,需要构造 MongoDB 连接 URI 字符串。 它包含管理员用户的凭据,该凭据存储在 Secrets 对象中。
使用
kubectl get命令列出Secrets对象。kubectl get secrets -n ${AKS_MONGODB_NAMESPACE}示例输出:
NAME TYPE DATA AGE cluster-aks-azure-secrets Opaque 2 2m56s cluster-aks-mongodb-mongodb-keyfile Opaque 1 2m54s cluster-aks-mongodb-secrets Opaque 11 2m56s cluster-aks-mongodb-secrets-mongodb-encryption-key Opaque 1 2m54s cluster-aks-mongodb-ssl kubernetes.io/tls 3 2m55s cluster-aks-mongodb-ssl-internal kubernetes.io/tls 3 2m54s external-secrets-webhook Opaque 4 3m49s internal-cluster-aks-mongodb-users Opaque 11 2m56s sh.helm.release.v1.external-secrets.v1 helm.sh/release.v1 1 3m49s查看
Secrets内容以使用kubectl get命令检索管理员用户凭据。kubectl describe secret ${AKS_MONGODB_SECRETS_NAME} -n ${AKS_MONGODB_NAMESPACE}示例输出:
Name: cluster-aks-mongodb-secrets Namespace: mongodb Labels: reconcile.external-secrets.io/managed=true Annotations: <none> Type: Opaque Data ==== MONGODB_CLUSTER_ADMIN_USER: 12 bytes MONGODB_CLUSTER_MONITOR_PASSWORD: 16 bytes MONGODB_CLUSTER_MONITOR_USER: 14 bytes MONGODB_DATABASE_ADMIN_USER: 13 bytes MONGODB_USER_ADMIN_USER: 9 bytes MONGODB_BACKUP_PASSWORD: 16 bytes MONGODB_BACKUP_USER: 6 bytes MONGODB_CLUSTER_ADMIN_PASSWORD: 18 bytes MONGODB_DATABASE_ADMIN_PASSWORD: 18 bytes MONGODB_USER_ADMIN_PASSWORD: 17 bytes解码 Base64 编码的登录名和密码,并使用以下命令将连接字符串导出到环境变量:
重要
Microsoft建议使用可用的最安全的身份验证流。 此过程中所述的身份验证流要求在应用程序中高度信任,并且存在其他流中不存在的风险。 仅当其他更安全的流(如托管标识)不可行时,才应使用此流。
export databaseAdmin=$(kubectl get secret ${AKS_MONGODB_SECRETS_NAME} -n ${AKS_MONGODB_NAMESPACE} -o jsonpath="{.data.MONGODB_DATABASE_ADMIN_USER}" | base64 --decode)
export databaseAdminPassword=$(kubectl get secret ${AKS_MONGODB_SECRETS_NAME} -n ${AKS_MONGODB_NAMESPACE} -o jsonpath="{.data.MONGODB_DATABASE_ADMIN_PASSWORD}" | base64 --decode)
export connectionString="mongodb://${databaseAdmin}:${databaseAdminPassword}@${AKS_MONGODB_CLUSTER_NAME}-mongos.mongodb.svc.cluster.local/admin?replicaSet=rs0&ssl=false&directConnection=true"
验证 MongoDB 群集
在本部分中,你将使用 MongoDB 客户端运行容器并将其控制台输出连接到终端来验证 MongoDB 群集。
在您的群集的
${AKS_MONGODB_NAMESPACE}命名空间中,使用kubectl run命令创建一个名为percona-client的Pod。kubectl -n "${AKS_MONGODB_NAMESPACE}" run -i --rm --tty percona-client --image=${MY_ACR_REGISTRY}.azurecr.cn/percona-server-mongodb:7.0.8-5 --restart=Never -- env CONN_STR=$connectionString bash -il在不同的终端窗口中,使用
kubectl get命令验证 Pod 是否已成功创建。kubectl get pod percona-client -n ${AKS_MONGODB_NAMESPACE}示例输出:
NAME READY STATUS RESTARTS AGE percona-client 1/1 Running 0 39s使用用于创建
percona-clientPod 的终端窗口中上一部分的管理员用户凭据连接到 MongoDB 群集。mongosh $CONN_STR示例输出:
Current Mongosh Log ID: L6mN7oP8qR9sT0uV1wX2yZ3a Connecting to: mongodb://<credentials>@cluster-aks-mongodb-mongos.mongodb.svc.cluster.local/admin?replicaSet=rs0&ssl=false&directConnection=true&appName=mongosh+2.1.5 Using MongoDB: 7.0.8-5 Using Mongosh: 2.1.5 For mongosh info see: https://docs.mongodb.com/mongodb-shell/ ...使用
show dbs命令列出群集中的数据库。show dbs示例输出:
rs0 [direct: mongos] admin> show dbs admin 960.00 KiB config 3.45 MiB rs0 [direct: mongos] admin>
创建 MongoDB 备份
可以使用以下方法之一将数据备份到 Azure:
- 手动:随时手动备份数据。
- 计划:在 CRD YAML 中配置备份及其计划。 Percona Operator 根据指定的计划自动创建备份。
Percona Operator可以执行以下任一种备份类型:
- 逻辑备份:查询 Percona Server for MongoDB 以获取数据库数据,然后将检索到的数据写入远程备份存储。
-
物理备份:将物理文件从 Percona Server for MongoDB
dbPath数据目录复制到远程备份存储。
逻辑备份使用的存储较少,但比物理备份慢。
若要使用 Percona 在 Azure Blob 存储上存储备份,需要创建机密。 你已在前面的命令中完成了此步骤。 有关详细说明,请按照有关 Azure Blob 存储的 Percona 文档中的步骤进行操作。
配置计划备份
可以使用以下指南在 mongodb-cr.yaml 中 CRD 的备份部分中定义备份计划:
- 将
backup.enabled项设置为true。 - 确保
backup.storages小节至少包含一个已配置的存储资源。 - 确保
backup.tasks小节启用备份计划。
有关详细信息,请参阅创建计划备份。
执行手动备份
使用以下指南在 mongodb-cr.yaml 中的 CRD 备份部分进行按需手动备份:
- 将
backup.enabled项设置为true。 - 确保
backup.storages小节至少包含一个已配置的存储资源。
有关详细信息,请参阅创建按需备份。
部署 MongoDB 备份
使用
kubectl apply命令部署 MongoDB 备份。kubectl apply -f - <<EOF apiVersion: psmdb.percona.com/v1 kind: PerconaServerMongoDBBackup metadata: finalizers: - delete-backup name: az-backup1 namespace: ${AKS_MONGODB_NAMESPACE} spec: clusterName: ${AKS_MONGODB_CLUSTER_NAME} storageName: azure-blob type: logical EOF示例输出:
perconaservermongodbbackup.psmdb.percona.com/az-backup1 created使用以下脚本完成 MongoDB 备份部署过程:
while [ "$(kubectl get psmdb-backup -n ${AKS_MONGODB_NAMESPACE} -o jsonpath='{.items[0].status.state}')" != "ready" ]; do echo "waiting for the backup to be ready"; sleep 10; done示例输出:
waiting for the backup to be ready该过程完成后,备份应返回
Ready状态。 使用kubectl get命令验证备份部署是否成功。kubectl get psmdb-backup -n ${AKS_MONGODB_NAMESPACE}示例输出:
NAME CLUSTER STORAGE DESTINATION TYPE STATUS COMPLETED AGE az-backup1 cluster-aks-mongodb azure-blob https://mongodbsacjcfc.blob.core.chinacloudapi.cn/backups/psmdb/2024-07-01T12:27:57Z logical ready 3h3m 3h3m如果备份出现问题,可以使用
kubectl logs命令查看backup-agent容器相应 Pod 中的日志。kubectl logs pod/${AKS_MONGODB_CLUSTER_NAME}-rs0-0 -c backup-agent -n ${AKS_MONGODB_NAMESPACE}