(DOCSP-10879) Configure OM queryable backups in k8s (#679)

* (DOCSP-10879) Configure OM queryable backups in k8s

* Include initial review

* Fixing the build

* Edits

* edits

* Include copy review - 2nd pass

* Fixing a syntax issue

* Include Enrique's comments after running tests

* fixing build errors

* Adjusting the steps to clarify location

* Edits

* More edits

* fix build

* Include last comments from the copy review. Ready for the tech review

* one last save

* Final copy edits

* Include tech review

Author: JuliaMongo

source/includes/steps-configure-om-queryable-backups.yaml

@@ -0,0 +1,191 @@
+---
+ref: configure-kubectl-om
+stepnum: 1
+inherit:
+  file: steps-configure-kubectl-namespace.yaml
+  ref: configure-kubectl-namespace
+---
+stepnum: 2
+level: 4
+ref: create-pem-file
+title: "Create the PEM file for backups."
+content: |
+    
+    Create the :opsmgr:`queryable.pem
+    </reference/configuration/#brs.queryable.pem>`
+    file that you will use for accessing and querying backups based on
+    your deployment's |tls| requirements. The PEM file contains a public
+    key certificate and its associated private key that are needed to
+    access and run queries on |onprem| backup snapshots.
+
+    To learn more about the PEM file's requirements, see
+    :opsmgr:`Authorization and Authentication Requirements
+    </tutorial/query-backup/#authentication-and-authorization>`.
+
+---
+stepnum: 3
+level: 4
+ref: create-queryable-pem-secret
+title: "Create a Secret containing the PEM file."
+content: |
+  Run the following command to create a Secret with the
+  :opsmgr:`queryable.pem </reference/configuration/#brs.queryable.pem>`
+  file that you created in the previous step:
+
+  .. code-block:: sh
+
+     kubectl create secret generic queryable-pem --from-file=./queryable.pem
+
+---
+title: "Mount the Secret as a volume that |onprem| custom objects will use."
+stepnum: 4
+level: 4
+ref: mount-pem-secret
+content: |
+
+  The |k8s-op-short| must be able to access the :opsmgr:`queryable.pem
+  </reference/configuration/#brs.queryable.pem>` file in the mount point
+  for the persistent volume in the Pod's container for |onprem|.
+
+  To mount the Secret, use one of these methods:
+
+  - Configure volumes using ``volumeClaimTemplates`` and specify the
+    location for the :opsmgr:`queryable.pem
+    </reference/configuration/#brs.queryable.pem>` file:
+
+    .. code-block:: yaml
+       :linenos:
+       :emphasize-lines: 9-35
+
+       apiVersion: mongodb.com/v1
+       kind: MongoDBOpsManager
+       metadata:
+         name: ops-manager
+       spec:
+         replicas: 1
+         version: 4.2.12
+         adminCredentials: ops-manager-admin-secret
+         configuration:
+           mms.fromEmailAddr: "[email protected]"
+           brs.queryable.pem: "/certs/queryable.pem"
+ 
+         statefulSet:
+           spec:
+            # the Persistent Volume Claim is created for each Ops Manager Pod
+            volumeClaimTemplates:
+              - metadata:
+                  name: queryable-volume
+                spec:
+                  accessModes: [ "ReadWriteOnce" ]
+                  storageClassName: <your_storage_class_name>
+                  resources:
+                    requests:
+                       storage: 1G
+            template:
+              spec:
+                containers:
+                  - name: mongodb-ops-manager
+                  volumeMounts:
+                       - name: queryable-volume
+                       - mountPath: /certs
+                volumes:
+                  - name: queryable-pem
+                  secret:
+                   secretName: queryable-pem
+
+         applicationDatabase:
+            members: 3
+            version: 4.2.6-ent
+
+  - Configure volumes without using ``volumeClaimTemplates`` and specify
+    the location for the :opsmgr:`queryable.pem
+    </reference/configuration/#brs.queryable.pem>` file:
+
+    .. code-block:: yaml
+       :linenos:
+       :emphasize-lines: 9-24
+
+       apiVersion: mongodb.com/v1
+        kind: MongoDBOpsManager
+        metadata:
+          name: ops-manager
+       spec:
+          replicas: 1
+          version: 4.2.12
+          adminCredentials: ops-manager-admin-secret
+          configuration:
+            brs.queryable.pem: "/certs/queryable.pem"
+            mms.fromEmailAddr: "[email protected]"
+          statefulSet:
+            template:
+              spec:
+                containers:
+                  - name: mongodb-ops-manager
+                  volumeMounts:
+                   - name: queryable-volume
+                   - mountPath: /certs/
+                   
+                volumes:
+                  - name: queryable-pem
+                  secret:
+                    secretName: queryable-pem
+ 
+       applicationDatabase:
+         members: 3
+         version: 4.2.6-ent
+
+---
+title: "Save your |onprem| config file."
+stepnum: 5
+level: 4
+ref: save-config-file
+
+---
+title: "Apply changes to your |onprem| deployment."
+stepnum: 6
+level: 4
+ref: apply-queryable-backup-changes-om-k8s
+content: |
+
+     Invoke the following ``kubectl`` command on the filename of the
+     |onprem| resource definition:
+
+     .. code-block:: sh
+
+        kubectl apply -f <opsmgr-resource>.yaml
+
+     When you apply the changes to your |onprem| resource
+     definition, |k8s| updates the |onprem| StatefulSet,
+     creates the volumes, and mounts the Secrets.
+
+---
+stepnum: 7
+title: "Track the status of the mounted volumes and Secrets."
+level: 4
+ref: track-k8s-deployment-om-queryable-backup-config
+content: |
+
+   a. Obtain the list of persistent volume claims:
+
+      .. code-block:: sh
+
+         kubectl get pvc
+
+   #. Obtain the Secrets:
+      
+      .. code-block:: sh
+
+         kubectl get secrets
+
+   #. Check the status of your |onprem| resources:
+    
+      .. code-block:: sh
+         
+         kubectl get om <resource-name> -o yaml -w
+
+      The ``-w`` flag means "watch". With the "watch" flag set, the
+      output refreshes immediately when the configuration changes until
+      the status phase achieves the ``Running`` state.
+
+      To learn more about the resource deployment statuses, see
+      :doc:`/reference/troubleshooting`.

source/includes/steps-deploy-k8s-opsmgr-https.yaml

@@ -282,8 +282,7 @@ content: |
        - Name of the MongoDB database resource for the oplog store.
        - ``my-oplog-db``
 
-  You must also configure an
-  :term:`S3 snapshot store <s3 snapshot store>` 
+  You must also configure an :term:`S3 snapshot store <s3 snapshot store>` 
   or a :term:`blockstore <Backup Blockstore Database>`.
 
   .. note::

source/om-resources.txt

@@ -35,6 +35,10 @@ Deploy and Configure Ops Manager Resources
   Encrypt the connection between the application database replica set
   members.
 
+:ref:`configure-om-queryable-backups`
+  Configure queryable backups for |onprem| deployments created with the
+  |k8s-op-short|.
+
 .. class:: hidden
 
    .. toctree::
@@ -46,3 +50,4 @@ Deploy and Configure Ops Manager Resources
       /tutorial/deploy-om-container-remote-mode
       /tutorial/deploy-om-container-local-mode
       /tutorial/secure-om-with-tls
+      /tutorial/configure-om-queryable-backups

source/tutorial/configure-om-queryable-backups.txt

@@ -0,0 +1,76 @@
+:noprevnext:
+
+.. _configure-om-queryable-backups:
+
+==================================================
+Configure Queryable Backups for |onprem| Resources
+==================================================
+
+.. include:: /includes/styles/corrections.rst
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 2
+   :class: singlecol
+
+You can configure :opsmgr:`queryable backups </tutorial/query-backup/>`
+for |onprem| resources that you deploy in the |k8s-op-short|.
+
+.. note:: In the |onprem| documentation, queryable backups are also
+          referred to as queryable snapshots, or queryable restores.
+
+Queryable backups allow you to :opsmgr:`run queries
+</tutorial/query-backup/#query-backup-handle-tls-authentication-manually>`
+on specific backup snapsnots from your |onprem| resources. Querying
+|onprem| backups helps you compare data from different snapshots
+and identify the best snapshot to use for :opsmgr:`restoring data
+</tutorial/restore-single-database/#restore-from-queryable-backup>`.
+
+In the following procedure you:
+
+- Create the :opsmgr:`queryable.pem
+  </reference/configuration/#brs.queryable.pem>` file that holds the
+  certificatesfor accessing the backup snapshots that you intend to query.
+
+- Create the Secret containing the :opsmgr:`queryable.pem
+  </reference/configuration/#brs.queryable.pem>` file.
+
+- Configure a persistent volume that is attached to the |onprem|
+  |k8s| Pod in the |k8s-op-short|.
+
+- Specify the mount point for the Secret in  the persistent volume's
+  configuration.
+
+- Save the |onprem| custom resource configuration and apply it.
+
+Once the |k8s-op-short| deploys the updated configuration for the
+|onprem| custom resource, |onprem| can read the Secret from the
+specified location in the :opsmgr:`queryable.pem
+</reference/configuration/#brs.queryable.pem>` parameter in |onprem|.
+You can now access the backup snapshots and run queries on them.
+
+Prerequisites
+-------------
+
+Before you configure queryable backups, complete the following:
+
+- :doc:`Install the Kubernetes Operator </tutorial/install-k8s-operator>`.
+
+- :ref:`Deploy the Ops Manager application <deploy-om-container>`.
+
+- :doc:`Configure Backup Settings for the Ops Manager Resource </tutorial/deploy-om-container>`.
+  In the linked procedures, see the steps for configuring backups.
+
+Procedure
+---------
+
+.. include:: /includes/steps/configure-om-queryable-backups.rst
+
+After you configure queryable backups, you can :opsmgr:`query them
+</tutorial/query-backup/>` to select the best backup snapshot to use for
+:opsmgr:`restoring data
+</tutorial/restore-single-database/#restore-from-queryable-backup>`.
+