(DOCSP-20001) Added om.spec.backup.s3OpLogStores and its settings to the OM spec (#781)

JuliaMongo · jwilliams-mongo · commit 6065d6338c1f · 2025-04-14T17:11:18.000-05:00
* (DOCSP-20001) Added om.spec.backup.s3OpLogStores and its settings to the OM spec * Edits * Edits * Address tech review * Copy review * Copy review * Copy review * Copy review * Copy review * Copy review, final comments * Copy review, final comments
diff --git a/conf.py b/conf.py
@@ -253,6 +253,7 @@
     'cc' : ('http://creativecommons.org/licenses%s', ''),
     'tldrl' : ('https://www.tldrlegal.com/l/%s', ''),
     'aws': ('http://docs.aws.amazon.com%s', ''),
+    'aws-blogs': ('http://aws.amazon.com%s', ''),
     'gcp': ('https://cloud.google.com%s', ''),
     'q-mdb': ('https://quay.io/mongodb%s', ''),
     'gatekeeper': ('https://open-policy-agent.github.io/gatekeeper/website/docs%s', ''),
diff --git a/source/reference/k8s-operator-om-specification.txt b/source/reference/k8s-operator-om-specification.txt
@@ -666,11 +666,143 @@ Optional |onprem| Resource Settings
       cause issues with the backup service. Excessive heaps can cause
       unpredictable results in |onprem|.
 
+.. opsmgrkube:: spec.backup.s3OpLogStores.irsaEnabled
+
+   *Type*: boolean
+
+   Flag that enables using |aws| :aws:`IAM roles for service accounts </eks/latest/userguide/iam-roles-for-service-accounts>`
+   in |aws| :aws:`EKS </eks/latest/userguide/what-is-eks>` to configure
+   an S3 oplog store. The default is ``False``. If you aren't using
+   |aws| EKS, this flag has no effect. When set to ``False``, using |aws|
+   IAM roles for service accounts in EKS to configure an S3 oplog store
+   is disabled. To learn more, see
+   :aws:`IAM roles for service accounts in EKS </eks/latest/userguide/iam-roles-for-service-accounts>`.
+
+
+.. opsmgrkube:: spec.backup.s3OpLogStores.name
+
+   *Type*: string
+
+   *Required to store the oplog using an S3 store.*
+
+   Name of the |s3| oplog store.
+
+.. opsmgrkube:: spec.backup.s3OpLogStores.mongodbResourceRef.name
+
+   *Type*: string
+
+   Name of the MongoDB database resource that you create to store
+   metadata for the |s3| oplog store. You must deploy this database
+   resource in the same namespace as the |onprem| resource.
+
+   .. note::
+
+      Omit this setting to use the application database to store
+      metadata for the |s3| oplog store.
+
+      If you omit this setting, you must also omit the
+      :opsmgrkube:`spec.backup.s3OpLogStores.mongodbUserRef.name` setting.
+      The |k8s-op-short| handles ``SCRAM`` user authentication
+      internally.
+
+   If you enable ``SCRAM`` authentication on this database, you must:
+
+   - Create a MongoDB user resource to connect |onprem| to the
+     database.
+   - Specify the
+     :opsmgrkube:`~spec.backup.s3OpLogStores.mongodbUserRef.name` of the
+     user in the |onprem| resource definition.
+
+.. opsmgrkube:: spec.backup.s3OpLogStores.mongodbUserRef.name
+
+   *Type*: string
+
+   *Required if you created a MongoDB database resource to store
+   |s3| oplog metadata and SCRAM is enabled on this database.*
+
+   Name of the MongoDB user resource used to connect to the metadata
+   database of the |s3| oplog store. Deploy this user resource in the
+   same namespace as the |onprem| resource and with the
+   :manual:`readWriteAnyDatabase </reference/built-in-roles/#readWriteAnyDatabase>` and
+   :manual:`dbAdminAnyDatabase </reference/built-in-roles/#dbAdminAnyDatabase>` roles.
+
+   .. important::
+
+      Once specified, do not edit the name of the |s3| metadata oplog
+      store username.
+
+.. opsmgrkube:: spec.backup.s3OpLogStores.s3SecretRef.name
+
+   *Type*: string
+
+   *Required to store the oplog using an S3 store.*
+
+   Name of the secret that contains the ``accessKey`` and
+   ``secretKey`` fields. The :opsmgr:`backup daemon service
+   </current/core/system-overview/#backup-daemon-service>` uses
+   the values of these fields as credentials to access your
+   |aws| |s3| or |s3|-compatible bucket. The |s3| oplog store
+   can't be configured if the secret is missing either key.
+
+.. opsmgrkube:: spec.backup.s3OpLogStores.pathStyleAccessEnabled
+
+   *Type*: boolean
+
+   Indicates the style of the bucket endpoint URL.
+
+   .. list-table::
+      :widths: 30 30 30
+      :header-rows: 1
+
+      * - Value
+        - Description
+        - Example
+
+      * - ``true``
+        - Path-style URL
+        - ``s3.amazonaws.com/<bucket>``
+
+      * - ``false``
+        - Virtual-host-style URL
+        - ``<bucket>.s3.amazonaws.com``
+
+   Default value is ``true``.
+
+.. opsmgrkube:: spec.backup.s3OpLogStores.s3BucketEndpoint
+
+   *Type*: string
+
+   *Required to store the oplog using an S3 store.*
+
+   URL of the |aws| |s3| bucket or |s3|-compatible bucket that hosts the
+   oplog store.
+
+.. opsmgrkube:: spec.backup.s3OpLogStores.s3BucketName
+
+   *Type*: string
+
+   *Required to store the oplog using an S3 store.*
+
+   Name of the |aws| |s3| bucket or |s3|-compatible bucket that hosts
+   the oplog store.
+
+.. opsmgrkube:: spec.backup.s3Stores.irsaEnabled
+
+   *Type*: boolean
+
+   Flag that enables using |aws| :aws:`IAM roles for service accounts </eks/latest/userguide/iam-roles-for-service-accounts>`
+   in |aws| :aws:`EKS </eks/latest/userguide/what-is-eks>` to configure
+   an S3 snapshot store. The default is ``False``. If you aren't using
+   |aws| EKS, this flag has no effect. When set to ``False``, using |aws|
+   IAM roles for service accounts in EKS to configure an S3 snapshot
+   store is disabled. To learn more, see
+   :aws:`IAM roles for service accounts in EKS </eks/latest/userguide/iam-roles-for-service-accounts>`.
+
 .. opsmgrkube:: spec.backup.s3Stores.name
 
    *Type*: string
 
-   *Required if you enable Backup using an S3 store.*
+   *Required to store the oplog using an S3 store.*
 
    Name of the |s3| snapshot store.
 
diff --git a/source/tutorial/plan-om-resource.txt b/source/tutorial/plan-om-resource.txt
@@ -222,14 +222,23 @@ database Backup :term:`snapshots <snapshot>`.
 The default configuration stores snapshot metadata in the Application
 Database. You can also deploy a replica set to store snapshot metadata,
 then configure it using the
-:opsmgrkube:`spec.backup.s3Stores.mongodbResourceRef.name` and
-:opsmgrkube:`spec.backup.s3Stores.mongodbResourceRef.user` settings in
+:opsmgrkube:`spec.backup.s3Stores.mongodbResourceRef.name` settings in
 the |onprem| resource definition.
 
 You can update any additional |s3|
 :opsmgr:`configuration settings </tutorial/manage-s3-blockstore-storage/#provide-the-s3-blockstore-details>`
 that |k8s-op-short| doesn't manage through the |application|.
 
+S3 Oplog Store
+++++++++++++++
+
+To configure an |s3| oplog store, you must create an |aws| |s3| or
+|s3|-compatible bucket to store your database Backup Oplog.
+
+You can configure storing the oplog using the
+:opsmgrkube:`spec.backup.s3OpLogStores.mongodbResourceRef.name` setting
+in the |onprem| resource definition.
+
 Disable Backup
 ++++++++++++++
 
