Hello everyone.
I installed a MongoDB HA database on a k3s cluster using Percona Operator. I edited the cr manifest as follows.
apiVersion: psmdb.percona.com/v1-7-0
kind: PerconaServerMongoDB
metadata:
name: my-cluster-name
spec:
crVersion: 1.7.0
image: percona/percona-server-mongodb:4.4.3-5
imagePullPolicy: Always
allowUnsafeConfigurations: false
updateStrategy: SmartUpdate
upgradeOptions:
versionServiceEndpoint: https://check.percona.com
apply: recommended
schedule: "0 2 * * *"
securityContext:
fsGroup: 1234
secrets:
users: my-cluster-name-secrets
pmm:
enabled: false
image: percona/pmm-client:2.12.0
serverHost: monitoring-service
replsets:
- name: rs0
size: 3
affinity:
antiAffinityTopologyKey: "kubernetes.io/hostname"
podDisruptionBudget:
maxUnavailable: 1
resources:
limits:
cpu: "300m"
memory: "0.5G"
requests:
cpu: "300m"
memory: "0.5G"
volumeSpec:
persistentVolumeClaim:
resources:
requests:
storage: 1Gi
sharding:
enabled: false
configsvrReplSet:
size: 3
affinity:
antiAffinityTopologyKey: "kubernetes.io/hostname"
podDisruptionBudget:
maxUnavailable: 1
resources:
limits:
cpu: "300m"
memory: "0.5G"
requests:
cpu: "300m"
memory: "0.5G"
volumeSpec:
persistentVolumeClaim:
resources:
requests:
storage: 1Gi
mongos:
size: 3
affinity:
antiAffinityTopologyKey: "kubernetes.io/hostname"
podDisruptionBudget:
maxUnavailable: 1
resources:
limits:
cpu: "300m"
memory: "0.5G"
requests:
cpu: "300m"
memory: "0.5G"
expose:
exposeType: ClusterIP
mongod:
net:
port: 27017
hostPort: 0
security:
redactClientLogData: false
enableEncryption: true
encryptionKeySecret: my-cluster-name-mongodb-encryption-key
encryptionCipherMode: AES256-CBC
setParameter:
ttlMonitorSleepSecs: 60
wiredTigerConcurrentReadTransactions: 128
wiredTigerConcurrentWriteTransactions: 128
storage:
engine: wiredTiger
inMemory:
engineConfig:
inMemorySizeRatio: 0.9
wiredTiger:
engineConfig:
cacheSizeRatio: 0.5
directoryForIndexes: false
journalCompressor: snappy
collectionConfig:
blockCompressor: snappy
indexConfig:
prefixCompression: true
operationProfiling:
mode: slowOp
slowOpThresholdMs: 100
rateLimit: 100
Apart from this, for the installation process I stuck to what was written here. Install Percona server for MongoDB on Kubernetes
However, when I tried to log in as specified at the bottom of the documentation I linked, I received an authentication error.
mongo "mongodb://userAdmin:userAdmin123456@my-cluster-name-rs0.database.svc.cluster.local/admin?ssl=false"
I tried with user clusterAdmin and password clusterAdmin123456 and got the same error.
mongo --host "mongodb://userAdmin:userAdmin123456@my-cluster-name-rs0.database.svc.cluster.local/admin?ssl=false"
I verified that the service my-cluster-name-rs0.database.svc.cluster.local does exist and is bound to the right endpoints.
Moreover, the login succeeds with
mongo --host my-cluster-name-rs0.database.svc.cluster.local:27017
but of course I’m unable to perform all the operations which require authentication.
I entered one of the stetefulset pods and tried to log in from there. Again, the login succeeds with
mongo
but doesn’t succeed with
mongo -u userAdmin -p userAdmin123456
Same for clusterAdmin.
I noticed this message in the logs of one of the statefulset pods, signaling a SSL authentication error with the operator pod.
{"t":{"$date":"2022-04-22T09:10:25.781+00:00"},"s":"W", "c":"NETWORK", "id":23235, "ctx":"conn2175","msg":"SSL peer certificate validation failed","attr":{"reason":"certificate signature failure"}}
Have you got any thoughts about this?
Thank you in advance.
Other contextual information:
- k3s v. 1.22.7
- Percona operator v. 4.4.3-5