Ops Manager API Key without UI

Eduardo_Yubero · March 3, 2021, 6:00pm

I am configuring MongoDB Enterprise Kubernetes operator. All the guides I found so far recommend the following procedure: https://www.mongodb.com/blog/post/running-mongodb-ops-manager-in-kubernetes which includes one step where you have to login into the Ops Manager UI and generate an API Key.

I am trying to get this whole process automated end to end avoiding the need for UI interaction but I can not find a way to get that API Key using the Ops Manager REST APIs. Do you know the steps required to automate this whole process or do you know any documentation/blog which could help me?

Albert_Wong · March 3, 2021, 7:11pm

I haven’t done it myself but this is the API call. Organization Programmatic API Keys — MongoDB Ops Manager 6.0

Remember that the API key is how MongoDB glues the Ops Manager login to the replica set. So each user should have a different API key.

Albert_Wong · March 4, 2021, 12:33am

Here is something similar as a tutorial. Deploy a Cluster through the API — MongoDB Ops Manager 6.0

Eduardo_Yubero · March 5, 2021, 9:36am

Hi Albert thank you for your quick answer, unfortunately those resources did not fix my issue…

My goal is to get the MongoDB Enterprise Kubernetes operator deployed as part of a touch-free CI/CD pipeline, so I need to be able to get it deployed without any human interaction in the process.

The first link you sent “Organization Programmatic API Keys” requires an API Key being already available “curl --user “{PUBLIC-KEY}:{PRIVATE-KEY}” --digest \ …” which I can not get unless I use the OpsManager UI.

The second resource sounds like what I need, but again it requires an existing user and the knowledge of the API key which again is only accessible via OpsManager UI.

When the Ops Manager resource is created it requires a ops-manager-admin-secret being in kubernetes and those credentials are used to create the default user with GLOBAL_OWNER role:

kubectl apply -f ops-manager.yaml

Once you have the default user created you are forced to generate a new user’s API Key for any operation you want to do via REST, so you need to use the OpsManager UI.

I thought about creating a new first user via REST call which does not require API key and then upgrade that user’s role to GLOBAL_OWNER but I can not do that unless I have the API Key of the default user, the one created from the secret… which again forces me to use the Ops Manager UI.

Another thing I tried was to create the Ops Manager resource via yaml in kubernetes without the ops-manager-admin-secret, and that worked partially as I could use the Ops Manager Rest API to create the first user with GLOBAL_OWNER role, but then I got the following error saying that Ops Manager can not be initialized properly without a secret:

Status:  
 Application Database:
  Last Transition:      2021-03-04T16:24:34Z
  Members:              3
  Observed Generation:  1
  Phase:                Running
  Version:              4.2.2
 Ops Manager:
  Last Transition:      2021-03-04T16:24:34Z
  Message:              The secret mongodb/ doesn't exist - you need to create it to finish Ops Manager initialization
 Observed Generation:  1
 Phase:                Failed
 URL:                  http://ops-manager-svc.mongodb.svc.cluster.local:8080
 Events:                   <none>

I am blocked in this loop where for any action I do I have to end up login into the Ops Manager UI to generate a new API Key therefore not being able to automate the MongoDB Enterprise Kubernetes operator deployment.

Surely must be possible to deploy it automatically without any human interaction with the UI but I have not found any way so far. Any idea what sequence of API calls I could follow to get the Ops Manager initialized properly?

Anton_Lisovenko · March 5, 2021, 9:38am

hi @Eduardo_Yubero

You can try the following APIs:
Create an API Key — MongoDB Ops Manager 6.0 to create an organization API key (note, that the user making the call must have enough permissions for this operation)

or Create and Assign One Organization API Key to One Project — MongoDB Ops Manager 6.0 to restrict the org API key to one specific project only.

You may need to use the other APIs (to create organization/project) the same way.

To answer you question about full automation - in your CI/CD you can use the global API key that is created once the OpsManager is created in Kubernetes. During OpsManager resource creation the Operator initializes the first user there and saves the API keys to the secret with format “<om_resource_name>-admin-key”. After reading you will be able to access OM as a global admin

Eduardo_Yubero · March 5, 2021, 10:30am

Thanks Anton! that’s exactly what I wanted to do, and it works!

For anybody trying to do the same thing, you just need to wait until the OpsManager is ready and then you can read the API Key from a secret automatically created by Kubernetes with the name “ops-manager-admin-key”:

kubectl get secret ops-manager-admin-key --namespace=mongodb -o jsonpath="{.data.publicApiKey}" | base64 --decode

system · March 10, 2021, 10:30am

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.