(DOCSP-30800) Adds section for bootstrapping multi-cluster with GitOps. (#1424)

erabil-mdb · jwilliams-mongo · commit baa6e0fdab17 · 2025-04-14T17:11:22.000-05:00
* (DOCSP-30800) Adds section for bootstrapping multi-cluster with GitOps. * Revises per tech and copy reviews. * Revises per copy review.
diff --git a/source/includes/steps-configure-resources-gitops.yaml b/source/includes/steps-configure-resources-gitops.yaml
@@ -0,0 +1,111 @@
+---
+stepnum: 1
+ref: create-rbac-resources-gitops
+title: Create and apply RBAC resources to each cluster.
+content: |
+
+  Use :github:`these RBAC resource examples </mongodb/mongodb-enterprise-kubernetes/tree/1.20.1/samples/multi-cluster-cli-gitops/resources/rbac>` to create your own. To learn more about these 
+  RBAC resources, see :ref:`multi-cluster-rbac-manual`.
+  
+  To apply them to your central and member clusters with GitOps, you can use a tool like :argo-cd:`Argo CD </cd>`.
+
+---
+stepnum: 2
+ref: create-configmap-gitops
+title: Create and apply the ConfigMap file.
+content: |
+
+  The |k8s-op-short| keeps track of its member clusters using a |k8s-configmap-def| file. Copy, modify, and apply the following example ConfigMap:
+
+  .. code-block:: yaml
+
+     apiVersion: v1
+     kind: ConfigMap
+     data:
+       cluster1: ""
+       cluster2: ""
+     metadata:
+       namespace: <namespace>
+       name: mongodb-enterprise-operator-member-list
+       labels:
+         multi-cluster: "true"
+
+---
+stepnum: 3
+ref: configure-kubeconfig-gitops
+title: Configure the ``kubeconfig`` secret for the |k8s-op-short|.
+content: |
+
+  The |k8s-op-short|, which runs in the central cluster, communicates with the Pods in 
+  the member clusters through the Kubernetes API. For this to work, the |k8s-op-short| 
+  needs a :k8sdocs:`kubeconfig </concepts/configuration/organize-cluster-access-kubeconfig/>` 
+  file that contains the service account tokens of the member clusters. Create this 
+  ``kubeconfig`` file by following these steps: 
+
+  1. Obtain a list of |k8s-service-accounts| configured in the |k8s-op-short|'s namespace.  For example, if you chose to use the default ``mongodb`` namespace, then you can obtain the service accounts using the following command:
+
+     .. code-block:: sh
+        
+        kubectl get serviceaccounts -n mongodb
+
+  #. Get the secret for each service account that belongs to a member cluster.
+
+     .. code-block:: sh
+
+        kubectl get secret <service-account-name> -n mongodb -o yaml
+
+  #. In each service account secret, copy the |certauth| certificate and token. For example, copy ``<ca_certificate>`` and ``<token>`` from the secret, as shown in the following example:  
+
+     .. code-block:: yaml
+
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: my-service-account
+          namespace: mongodb
+        data:
+          ca.crt: <ca_certificate>
+          token: <token>
+
+  #. Copy the following ``kubeconfig`` example for the central cluster and replace 
+     the placeholders with the ``<ca_certificate>`` and ``<token>`` you copied from the service account secrets.
+
+     .. code-block:: yaml
+          
+        apiVersion: v1
+        clusters:
+        - cluster:
+            certificate-authority-data: <cluster-1-ca.crt>
+            server: https://:
+          name: kind-e2e-cluster-1
+        - cluster:
+            certificate-authority-data: <cluster-2-ca.crt>
+            server: https://:
+          name: kind-e2e-cluster-2
+        contexts:
+        - context:
+            cluster: kind-e2e-cluster-1
+            namespace: mongodb
+            user: kind-e2e-cluster-1
+          name: kind-e2e-cluster-1
+        - context:
+            cluster: kind-e2e-cluster-2
+            namespace: mongodb
+            user: kind-e2e-cluster-2
+          name: kind-e2e-cluster-2
+        kind: Config
+        users:
+        - name: kind-e2e-cluster-1
+          user:
+            token: <cluster-1-token>
+        - name: kind-e2e-cluster-2
+          user:
+            token: <cluster-2-token>
+
+  #. Save the ``kubeconfig`` file.
+  
+  #. Create a secret in the central cluster that you mount in the |k8s-op-short| as illustrated in :github:`the reference Helm chart </mongodb/helm-charts/blob/enterprise-operator-1.20.1/charts/enterprise-operator/templates/operator.yaml#L191-L197/>`. For example:
+
+     .. code-block:: sh
+
+        kubectl --context="${CTX_CENTRAL_CLUSTER}" -n <operator-namespace> create secret --from-file=kubeconfig=<path-to-kubeconfig-file> <kubeconfig-secret-name>
diff --git a/source/multi-cluster-prerequisites.txt b/source/multi-cluster-prerequisites.txt
@@ -108,17 +108,6 @@ Install the following tools:
 
 2. Install |helm|.
 
-.. _install-kubectl-mongodb-plugin:
-
-Install the kubectl MongoDB Plugin
------------------------------------
-
-.. include:: /includes/facts/fact-multi-cluster-plugin-about.rst
-
-To install the |kubectl-mongodb|:
-
-.. include:: /includes/steps/install-kubectl-mongodb-plugin.rst
-
 .. _multi-cluster-rbac-manual:
 
 Understand |k8s| Roles and Role Bindings
@@ -505,3 +494,43 @@ certificates for member clusters and the MongoDB Agent:
 .. include:: /includes/prereqs/custom-ca-prereqs-multi-cluster-rs-tls-only.rst
 
 .. include:: /includes/prereqs/pem-format.rst
+
+Choose GitOps or the kubectl MongoDB Plugin
+-------------------------------------------
+
+You can choose to create and maintain the resource files needed for the |mongodb-multis| deployment in a GitOps environment. 
+
+If you use a GitOps workflow, you can't use the :ref:`kubectl mongodb plugin <kubectl-plugin-ref>`, which automatically configures :k8sdocs:`role-based access control (RBAC) </reference/access-authn-authz/rbac>` and creates the :ref:`kubeconfig <multi-cluster-diagram>` file that allows the central cluster to communicate with its member clusters. Instead, you must manually configure or build your own automation for configuring the RBAC and ``kubeconfig`` files based on the procedure and examples in :ref:`multi-cluster-gitops`.
+
+The following prerequisite sections describe how to :ref:`install the kubectl MongoDB plugin <install-kubectl-mongodb-plugin>` if you don't use GitOps or :ref:`configure resources for GitOps <multi-cluster-gitops>` if you do.
+
+.. _install-kubectl-mongodb-plugin:
+
+Install the kubectl MongoDB Plugin
+----------------------------------
+
+.. include:: /includes/facts/fact-multi-cluster-plugin-about.rst
+
+.. note::
+   
+   If you use GitOps, you can't use the |kubectl-mongodb|. Instead, follow the procedure in :ref:`multi-cluster-gitops`.
+
+To install the |kubectl-mongodb|:
+
+.. include:: /includes/steps/install-kubectl-mongodb-plugin.rst
+
+.. _multi-cluster-gitops:
+
+Configure Resources for GitOps
+------------------------------
+
+If you use a GitOps workflow, you won't be able to use the :ref:`kubectl mongodb plugin <kubectl-plugin-ref>` to automatically configure :k8sdocs:`role-based access control (RBAC) </reference/access-authn-authz/rbac>` or the :ref:`kubeconfig <multi-cluster-diagram>` file that allows the central cluster to communicate with its member clusters. Instead, you must manually configure and apply the following resource files or build your own automation based on the information below.
+
+.. note::
+
+   To learn how the |kubectl-mongodb| automates the following steps, 
+   :github:`view the code </mongodb/mongodb-enterprise-kubernetes/blob/master/tools/multicluster/cmd/common.go#L373-L399>` in GitHub.
+
+To configure RBAC and the ``kubeconfig`` for GitOps:
+
+.. include:: /includes/steps/configure-resources-gitops.rst
