AppsCode
  • KubeDB

    Run Production-Grade Databases on Kubernetes

    Stash

    Backup and Recovery Solution for Kubernetes

    KubeVault

    Run Production-Grade Vault on Kubernetes

    Voyager

    Secure Ingress Controller for Kubernetes

    ConfigSyncer

    Kubernetes Configuration Syncer

    Guard

    Kubernetes Authentication WebHook Server

    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • check-boxLower administrative burden
    • check-boxNative Kubernetes Support
    • check-boxPerformance
    • check-boxAvailability and durability
    • check-boxManageability
    • check-boxCost-effectiveness
    • check-boxSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • check-boxDeclarative API
    • check-boxBackup Kubernetes Volumes
    • check-boxBackup Database
    • check-boxMultiple Storage Support
    • check-boxDeduplication
    • check-boxData Encryption
    • check-boxVolume Snapshot
    • check-boxPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • check-boxVault Kubernetes Deployment
    • check-boxAuto Initialization & Unsealing
    • check-boxVault Backup & Restore
    • check-boxConsume KubeVault Secrets with CSI
    • check-boxManage DB Users Privileges
    • check-boxStorage Backend
    • check-boxAuthentication Method
    • check-boxDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • check-boxHTTP & TCP
    • check-boxSSL
    • check-boxPlatform support
    • check-boxHAProxy
    • check-boxPrometheus
    • check-boxLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • check-boxConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • check-boxIdentity Providers
    • check-boxCLI
    • check-boxRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
KubeDB
github-icon twitterx-icon
TRY NOW FREE

New to KubeDB? Please start here.

FerretDB

What is FerretDB

FerretDB is a Kubernetes Custom Resource Definitions (CRD). It provides declarative configuration for FerretDB in a Kubernetes native way. You only need to describe the desired configuration in a FerretDBobject, and the KubeDB operator will create Kubernetes objects in the desired state for you.

FerretDB Spec

As with all other Kubernetes objects, a FerretDB needs apiVersion, kind, and metadata fields. It also needs a .spec section. Below is an example FerretDB object.

apiVersion: kubedb.com/v1alpha2
kind: FerretDB
metadata:
  name: ferretdb
  namespace: demo
spec:
  version: "1.23.0"
  replicas: 1
  healthChecker:
    failureThreshold: 3
    periodSeconds: 20
    timeoutSeconds: 10
  authSecret:
    name: ferretdb-auth
    externallyManaged: false
  backend:
    postgresRef:
      name: ha-postgres
      namespace: demo
    version: "13.13"
    linkedDB: "ferretdb"
    externallyManaged: false
  sslMode: requireSSL
  tls:
    issuerRef:
      apiGroup: cert-manager.io
      name: ferretdb-ca-issuer
      kind: Issuer
    certificates:
      - alias: server
        subject:
          organizations:
            - kubedb:server
        dnsNames:
          - localhost
        ipAddresses:
          - "127.0.0.1"
  monitor:
    agent: prometheus.io/operator
    prometheus:
      serviceMonitor:
        labels:
          release: prometheus
        interval: 10s
  deletionPolicy: WipeOut
  podTemplate:
    spec:
      containers:
        - name: ferretdb
          resources:
            limits:
              memory: 1Gi
            requests:
              cpu: 200m
              memory: 256Mi
  serviceTemplates:
    - alias: primary
      spec:
        type: ClusterIP
        ports:
          - name: http
            port: 9999

spec.version

spec.version is a required field specifying the name of the FerretDBVersion crd where the docker images are specified. Currently, when you install KubeDB, it creates the following FerretDBVersion resources,

  • 1.18.0, 1.23.0

spec.replicas

spec.replicas the number of members in ferretdb replicaset.

KubeDB uses PodDisruptionBudget to ensure that majority of these replicas are available during voluntary disruptions so that quorum is maintained.

spec.healthChecker

It defines the attributes for the health checker.

  • spec.healthChecker.periodSeconds specifies how often to perform the health check.
  • spec.healthChecker.timeoutSeconds specifies the number of seconds after which the probe times out.
  • spec.healthChecker.failureThreshold specifies minimum consecutive failures for the healthChecker to be considered failed.
  • spec.healthChecker.disableWriteCheck specifies whether to disable the writeCheck or not.

spec.authSecret

spec.authSecret is an optional field that points to a Secret used to hold credentials for ferretdb. If not set, KubeDB operator creates a new Secret {ferretdb-object-name}-auth for storing the password for ferretdb user for each FerretDB object. As FerretDB use backend’s authentication mechanisms till now, this secret is basically a copy of backend postgres.

We can use this field in 3 mode.

  1. Using an external secret. In this case, You need to create an auth secret first with required fields, then specify the secret name when creating the FerretDB object using spec.authSecret.name & set spec.authSecret.externallyManaged to true.
authSecret:
  name: <your-created-auth-secret-name>
  externallyManaged: true
  1. Specifying the secret name only. In this case, You need to specify the secret name when creating the FerretDB object using spec.authSecret.name. externallyManaged is by default false.
authSecret:
  name: <intended-auth-secret-name>
  1. Let KubeDB do everything for you. In this case, no work for you.

AuthSecret contains a user key and a password key which contains the username and password respectively for ferretdb user.

Example:

$ kubectl create secret generic ferretdb-auth -n demo \
--from-literal=username=jhon \
--from-literal=password=O9xE1mZZDAdBTbrV
secret "ferretdb-auth" created

apiVersion: v1
data:
  password: "O9xE1mZZDAdBTbrV"
  username: "jhon"
kind: Secret
metadata:
  name: ferretdb-auth
  namespace: demo
type: Opaque

Secrets provided by users are not managed by KubeDB, and therefore, won’t be modified or garbage collected by the KubeDB operator (version 0.13.0 and higher).

spec.backend

  • spec.backend.externallyManaged represents how the backend will be managed. If its false, KubeDB will automatically create a KubeDB managed postgres. Otherwise you need refer a AppBinding name and namespace which represents information for external Postgres.
  • spec.backend.postgresRef is a required field that points to the appbinding associated with the backend postgres. If the postgres is KubeDB managed an AppBinding will be created automatically upon creating the postgres. If the postgres is not KubeDB managed then you need to create an appbinding yourself. spec.backend.postgresRef takes the name (spec.backend.postgresRef.Name) of the appbinding and the namespace (spec.backend.postgresRef.Namespace) where the appbinding is created.
  • spec.backend.version represents the version of backend postgres
  • spec.backend.linkedDB represents in which database of backend postgres will be used by FerretDB to store data

spec.sslMode

Enables TLS/SSL or mixed TLS/SSL used for all network connections. The value of sslMode field can be one of the following:

ValueDescription
disabledThe server does not use TLS/SSL.
requireSSLThe server uses and accepts only TLS/SSL encrypted connections.

spec.tls

spec.tls specifies the TLS/SSL configurations for the FerretDB. KubeDB uses cert-manager v1 api to provision and manage TLS certificates.

The following fields are configurable in the spec.tls section:

  • issuerRef is a reference to the Issuer or ClusterIssuer CR of cert-manager that will be used by KubeDB to generate necessary certificates.

    • apiGroup is the group name of the resource that is being referenced. Currently, the only supported value is cert-manager.io.
    • kind is the type of resource that is being referenced. KubeDB supports both Issuer and ClusterIssuer as values for this field.
    • name is the name of the resource (Issuer or ClusterIssuer) being referenced.

  • certificates (optional) are a list of certificates used to configure the server and/or client certificate. It has the following fields:

    • alias represents the identifier of the certificate. It has the following possible value:

      • server is used for server certificate identification.
      • client is used for client certificate identification.
      • metrics-exporter is used for metrics exporter certificate identification.

    • secretName (optional) specifies the k8s secret name that holds the certificates.

      This field is optional. If the user does not specify this field, the default secret name will be created in the following format: <database-name>-<cert-alias>-cert.

    • subject (optional) specifies an X.509 distinguished name. It has the following possible field,

      • organizations (optional) are the list of different organization names to be used on the Certificate.
      • organizationalUnits (optional) are the list of different organization unit name to be used on the Certificate.
      • countries (optional) are the list of country names to be used on the Certificate.
      • localities (optional) are the list of locality names to be used on the Certificate.
      • provinces (optional) are the list of province names to be used on the Certificate.
      • streetAddresses (optional) are the list of a street address to be used on the Certificate.
      • postalCodes (optional) are the list of postal code to be used on the Certificate.
      • serialNumber (optional) is a serial number to be used on the Certificate. You can find more details from Here

    • duration (optional) is the period during which the certificate is valid.

    • renewBefore (optional) is a specifiable time before expiration duration.

    • dnsNames (optional) is a list of subject alt names to be used in the Certificate.

    • ipAddresses (optional) is a list of IP addresses to be used in the Certificate.

    • uris (optional) is a list of URI Subject Alternative Names to be set in the Certificate.

    • emailAddresses (optional) is a list of email Subject Alternative Names to be set in the Certificate.

    • privateKey (optional) specifies options to control private keys used for the Certificate.

    • encoding (optional) is the private key cryptography standards (PKCS) encoding for this certificate’s private key to be encoded in. If provided, allowed values are “pkcs1” and “pkcs8” standing for PKCS#1 and PKCS#8, respectively. It defaults to PKCS#1 if not specified.

spec.monitor

FerretDB managed by KubeDB can be monitored with builtin-Prometheus and Prometheus operator out-of-the-box. To learn more,

spec.deletionPolicy

deletionPolicy gives flexibility whether to nullify(reject) the delete operation of FerretDB CR or which resources KubeDB should keep or delete when you delete FerretDB CR. KubeDB provides following four deletion policies:

  • DoNotTerminate
  • Delete
  • WipeOut (Default)

When deletionPolicy is DoNotTerminate, KubeDB takes advantage of ValidationWebhook feature in Kubernetes 1.9.0 or later clusters to implement DoNotTerminate feature. If admission webhook is enabled, DoNotTerminate prevents users from deleting the database as long as the spec.deletionPolicy is set to DoNotTerminate.

Following table show what KubeDB does when you delete FerretDB CR for different deletion policies,

BehaviorDoNotTerminateDeleteWipeOut
1. Block Delete operation
2. Delete PetSet
3. Delete Services
4. Delete Secrets

If you don’t specify spec.deletionPolicy KubeDB uses Delete deletion policy by default.

spec.podTemplate

KubeDB allows providing a template for pod through spec.podTemplate. KubeDB operator will pass the information provided in spec.podTemplate to the PetSet created for FerretDB.

KubeDB accept following fields to set in spec.podTemplate:

  • metadata:
    • annotations (pod’s annotation)
    • labels (pod’s labels)
  • controller:
    • annotations (statefulset’s annotation)
    • labels (statefulset’s labels)
  • spec:
    • volumes
    • initContainers
    • containers
    • imagePullSecrets
    • nodeSelector
    • affinity
    • serviceAccountName
    • schedulerName
    • tolerations
    • priorityClassName
    • priority
    • securityContext
    • livenessProbe
    • readinessProbe
    • lifecycle

You can check out the full list here. Uses of some field of spec.podTemplate is described below,

spec.podTemplate.spec.nodeSelector

spec.podTemplate.spec.nodeSelector is an optional field that specifies a map of key-value pairs. For the pod to be eligible to run on a node, the node must have each of the indicated key-value pairs as labels (it can have additional labels as well). To learn more, see here .

spec.podTemplate.spec.resources

spec.podTemplate.spec.resources is an optional field. This can be used to request compute resources required by the database pods. To learn more, visit here.

spec.serviceTemplates

You can also provide template for the services created by KubeDB operator for Kafka cluster through spec.serviceTemplates. This will allow you to set the type and other properties of the services.

KubeDB allows following fields to set in spec.serviceTemplates:

  • alias represents the identifier of the service. It has the following possible value:
    • stats is used for the exporter service identification.
  • metadata:
    • labels
    • annotations
  • spec:
    • type
    • ports
    • clusterIP
    • externalIPs
    • loadBalancerIP
    • loadBalancerSourceRanges
    • externalTrafficPolicy
    • healthCheckNodePort
    • sessionAffinityConfig

See here to understand these fields in detail.

What's on this Page

Search
Improve This Page