MongoDBRole

What is MongoDBRole

A MongoDBRole is a Kubernetes CustomResourceDefinition (CRD) which allows a user to create a MongoDB database secret engine role in a Kubernetes native way.

When a MongoDBRole is created, the KubeVault operator creates a Vault role according to the specification. If the user deletes the MongoDBRole CRD, then the respective role will also be deleted from Vault.

MongoDBRole CRD

MongoDBRole CRD Specification

Like any official Kubernetes resource, a MongoDBRole object has TypeMeta, ObjectMeta, Spec and Status sections.

A sample MongoDBRole object is shown below:

apiVersion: engine.kubevault.com/v1alpha1
kind: MongoDBRole
metadata:
  name: mdb-role
  namespace: demo
spec:
  vaultRef:
    name: vault-app
  databaseRef:
    name: mongodb-app
    namespace: demo
  creationStatements:
    - "statement-0"
    - "statement-1"
status:
  observedGeneration: 1
  phase: Success

Note: To avoid naming conflicts, the name of the role in Vault follows this format: k8s.{clusterName}.{metadata.namespace}.{metadata.name}

Here, we are going to describe the various sections of the MongoDBRole CRD.

MongoDBRole Spec

MongoDBRole spec contains the information necessary for creating a database role.

spec:
  vaultRef:
    name: <vault-appbinding-name>
  databaseRef:
    name: <database-appbinding-name>
    namespace: <database-appbinding-namespace>
  databaseName: <database-name>
  path: <secret-engine-path>
  defaultTTL: <default-ttl>
  maxTTL: <max-ttl>
  creationStatements:
    - "statement-0"
    - "statement-1"
  revocationStatements:
    - "statement-0"

MongoDBRole spec has the following fields:

spec.vaultRef

spec.vaultRef is a required field that specifies the name of an AppBinding reference which is used to connect with a Vault server. The AppBinding must be in the same namespace as the MongoDBRole object.

spec:
  vaultRef:
    name: vault-app

spec.databaseRef

spec.databaseRef is an optional field that specifies the reference to an AppBinding that contains MongoDB database connection information. It is used to generate the db_name. The naming format for db_name is: k8s.{clusterName}.{metadata.namespace}.{metadata.name}.

spec:
  databaseRef:
    name: mongodb-app
    namespace: demo

spec.databaseName

spec.databaseName is an optional field that specifies the db_name. It is used when spec.databaseRef is empty; otherwise it is ignored. spec.databaseRef and spec.databaseName cannot both be empty at the same time.

spec:
  databaseName: k8s.-.demo.mongodb-app

spec.path

spec.path is an optional field that specifies the path where the secret engine is enabled. The default value is database.

spec:
  path: my-mongodb-path

spec.creationStatements

spec.creationStatements is a required field that specifies a list of database statements executed to create and configure a user. See here for the Vault documentation.

spec:
  creationStatements:
    - "{ \"db\": \"admin\", \"roles\": [{ \"role\": \"readWrite\" }, {\"role\": \"read\", \"db\": \"foo\"}] }"

spec.defaultTTL

spec.defaultTTL is an optional field that specifies the TTL for the leases associated with this role. Accepts time suffixed strings (“1h”) or an integer number of seconds. Defaults to system/engine default TTL time.

spec:
  defaultTTL: "1h"

spec.maxTTL

spec.maxTTL is an optional field that specifies the maximum TTL for the leases associated with this role. Accepts time suffixed strings (“1h”) or an integer number of seconds. Defaults to system/engine default TTL time.

spec:
  maxTTL: "1h"

spec.revocationStatements

spec.revocationStatements is an optional field that specifies a list of database statements to be executed to revoke a user. See here for the Vault documentation.
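
The field rules above (a required spec.vaultRef, at least one of spec.databaseRef or spec.databaseName, required spec.creationStatements, the default path of database, and the k8s.{clusterName}.{namespace}.{name} naming) as an added Python pre-flight check over a manifest; this is example code, not part of KubeVault. It assumes each creation statement is a JSON role document as in the example above, and the sample manifest is constructed for the check.

```python
import json
import re
# Constructed sample manifest modelled on the spec above (not copied from the page).
SAMPLE_ROLE = {
    "metadata": {"name": "mdb-role", "namespace": "demo"},
    "spec": {
        "vaultRef": {"name": "vault-app"},
        "databaseRef": {"name": "mongodb-app", "namespace": "demo"},
        "defaultTTL": "1h", "maxTTL": "24h",
        "creationStatements": ['{"db": "admin", "roles": [{"role": "readWrite"}, {"role": "read", "db": "foo"}]}'],
    },
}
# Vault-style TTL: an integer number of seconds or a suffixed string such as "1h".
_TTL_RE, _UNIT = re.compile(r"^(\d+)([smh]?)$"), {"": 1, "s": 1, "m": 60, "h": 3600}
def ttl_seconds(value):
    m = _TTL_RE.match(str(value))
    if not m:
        raise ValueError(f"bad TTL {value!r}: use seconds or a suffixed string like '1h'")
    return int(m.group(1)) * _UNIT[m.group(2)]

def vault_name(cluster, namespace, name):
    """Name KubeVault uses in Vault: k8s.{clusterName}.{namespace}.{name} ('-' when no cluster name)."""
    return f"k8s.{cluster}.{namespace}.{name}"

def validate_role(obj, cluster_name="-"):
    """Check the constraints the spec lists and return the settings that would reach Vault."""
    spec, meta, errors = obj.get("spec", {}), obj.get("metadata", {}), []
    if not spec.get("vaultRef", {}).get("name"):
        errors.append("spec.vaultRef.name is required")
    db_ref, db_name = spec.get("databaseRef") or {}, spec.get("databaseName")
    if db_ref.get("name"):  # databaseRef wins; db_name is derived from the referenced AppBinding
        db_name = vault_name(cluster_name, db_ref["namespace"], db_ref["name"])
    elif not db_name:
        errors.append("one of spec.databaseRef or spec.databaseName must be set")
    stmts = spec.get("creationStatements") or []
    if not stmts:
        errors.append("spec.creationStatements is required")
    for i, s in enumerate(stmts):  # assumption: each statement is a JSON role document as in the example
        try:
            doc = json.loads(s)
            if not isinstance(doc, dict) or not isinstance(doc.get("roles"), list):
                raise ValueError("missing 'roles' list")
        except ValueError as e:
            errors.append(f"creationStatements[{i}] is not a MongoDB role document: {e}")
    default_ttl = ttl_seconds(spec["defaultTTL"]) if "defaultTTL" in spec else None
    max_ttl = ttl_seconds(spec["maxTTL"]) if "maxTTL" in spec else None
    if errors:
        raise ValueError("; ".join(errors))
    return {"role": vault_name(cluster_name, meta["namespace"], meta["name"]), "db_name": db_name,
            "path": spec.get("path", "database"), "default_ttl": default_ttl, "max_ttl": max_ttl}
```

Running validate_role(SAMPLE_ROLE) yields the role name k8s.-.demo.mdb-role and db_name k8s.-.demo.mongodb-app, matching the naming format described above.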

MongoDBRole Status

status shows the status of the MongoDBRole. It is managed by the KubeVault operator. It contains the following fields:

  • observedGeneration: Specifies the most recent generation observed for this resource. It corresponds to the resource’s generation, which is updated on mutation by the API Server.

  • phase: Indicates whether the role was successfully applied to Vault.

  • conditions: Represents observations of a MongoDBRole.