MongoDB Enterprise Kubernetes Operator
OTHER License
Published by mms-build-account 6 months ago
MDB_DEFAULT_ARCHITECTURE environment variable at the Operator level to static. Alternatively, you can annotate a specific MongoDB or OpsManager Custom Resource with mongodb.com/v1.architecture: "static".
kubectl mongodb:
setup command:
--image-pull-secrets parameter. If specified, created service accounts will reference the specified secret on ImagePullSecrets field.
spec.internalConnectivity field to allow overrides for the service used by the operator to ensure internal connectivity to the OpsManager pods.
MDB_WEBHOOK_REGISTER_CONFIGURATION environment variable for the operator. It controls whether the operator should perform automatic admission webhook configuration. Default: true. It's set to false for OLM and OpenShift deployments.
operator.webhook.registerConfiguration parameter. It controls whether the operator should perform automatic admission webhook configuration (by setting MDB_WEBHOOK_REGISTER_CONFIGURATION environment variable for the operator). Default: true. It's set to false for OLM and OpenShift deployments.
agent.version to 107.0.0.8502-1, that will change the default agent used in helm deployments.
operator.additionalArguments (default: []) allowing to pass additional arguments for the operator binary.
operator.createResourcesServiceAccountsAndRoles (default: true) to control whether to install roles and service accounts for MongoDB and Ops Manager resources. When mongodb kubectl plugin is used to configure the operator for multi-cluster deployment, it installs all necessary roles and service accounts. Therefore, in some cases it is required to not install those roles using the operator's helm chart to avoid clashes.
spec.externalAccess.externalDomain and spec.clusterSpecList[*].externalAccess.externalDomains were reported as required even though they weren't
spec.externalAccess was defined. Now, uniqueness of external domains will only be checked when the external domains are
spec.externalAccess.externalDomain or spec.clusterSpecList[*].externalAccess.externalDomains.
controlledFeature policies are not unset on the related OpsManager/CloudManager instance, making cleanup in the UI impossible in the case of losing the kubernetes operator.
admin-key Secret is no longer deleted when removing the OpsManager Custom Resource. This enables easier Ops Manager re-installation.
"... kubelet Readiness probe failed:...". This affects all mongodb deployments.
Kubectl plugin: The released plugin binaries are now signed, the signatures are published with the release assets. Our public key is available at this address. They are also notarized for MacOS.
Released Images signed: All container images published for the enterprise operator are cryptographically signed. This is visible on our Quay registry, and can be verified using our public key. It is available at this address.
Published by mms-build-account 10 months ago
Published by mms-build-account 11 months ago
quay.io/mongodb/mongodb-enterprise-database-ubi
quay.io/mongodb/mongodb-enterprise-init-database-ubi
quay.io/mongodb/mongodb-enterprise-init-appdb-ubi
quay.io/mongodb/mongodb-enterprise-init-ops-manager-ubi
spec.exposedExternally in favor of spec.externalAccess from the MongoDB Custom Resource. spec.exposedExternally was deprecated in operator version 1.19.
mongodb-enterprise-database container are now streamed to Kubernetes logs.
Spec.MongoDBResourceRef.Namespace. This prevented storing the user resources in another namespace than the MongoDB resource.
Published by mms-build-account about 1 year ago
None
autoTerminateOnDeletion=true for sharded clusters. This setting makes sure that the operator stops and terminates the backup before the cleanup.
MongoDB resources and is turned on by default. If a Custom Resource remains in Pending or Failed state for a longer period of time (controlled by MDB_AUTOMATIC_RECOVERY_BACKOFF_TIME_S environment variable at the Operator Pod spec level, the default is 20 minutes)
MDB_AUTOMATIC_RECOVERY_ENABLE environment variable to false.
/var/log/mongodb-mms-automation/mongodb-audit.log file. Pod monitors this file and tails its content to k8s logs.
spec:
  additionalMongodConfig:
    auditLog:
      destination: file
      format: JSON
      path: /var/log/mongodb-mms-automation/mongodb-audit.log
kubectl logs -c mongodb-enterprise-database replica-set-0 | jq -r 'select(.logType == "mongodb-audit") | .contents'
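A Python counterpart of the jq filter above, added here as an example (it is not part of the operator or of these release notes): it unwraps the mongodb-audit lines from the container log stream and reports sources with repeated failed authentications. The envelope fields logType and contents come from the command above; the sample lines, the helper names and the handling of contents as either a JSON string or an object are assumptions.

```python
import json
from collections import Counter

AUTH_FAILED = 18  # MongoDB error code AuthenticationFailed, as reported in the audit "result" field

def audit_events(lines):
    """Yield parsed audit records from container log lines, skipping everything else."""
    for line in lines:
        try:
            envelope = json.loads(line)
        except json.JSONDecodeError:
            continue  # the same stream can carry non-JSON output
        if not isinstance(envelope, dict) or envelope.get("logType") != "mongodb-audit":
            continue
        contents = envelope.get("contents")
        if isinstance(contents, str):  # assumption: the record may arrive as a JSON string
            try:
                contents = json.loads(contents)
            except json.JSONDecodeError:
                continue
        if isinstance(contents, dict):
            yield contents

def failed_logins(lines, threshold=3):
    """Map (user, remote ip) -> count for sources with at least `threshold` failed logins."""
    counts = Counter()
    for ev in audit_events(lines):
        if ev.get("atype") == "authenticate" and ev.get("result") == AUTH_FAILED:
            counts[(ev.get("param", {}).get("user"), ev.get("remote", {}).get("ip"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def _line(user, ip, result, as_string=True):  # hypothetical helper: one constructed log line
    record = {"atype": "authenticate", "remote": {"ip": ip}, "result": result,
              "param": {"user": user, "db": "admin", "mechanism": "SCRAM-SHA-256"}}
    contents = json.dumps(record) if as_string else record
    return json.dumps({"logType": "mongodb-audit", "contents": contents})

# Constructed sample input, not captured from a real deployment.
SAMPLE_LINES = [
    '{"logType": "some-other-log", "contents": "unrelated line"}',
    "plain text line that is not JSON at all",
    *[_line("app", "10.244.1.7", AUTH_FAILED)] * 2,
    _line("app", "10.244.1.7", AUTH_FAILED, as_string=False),
    _line("admin", "10.244.2.9", AUTH_FAILED),
    _line("app", "10.244.1.5", 0),
]

if __name__ == "__main__":
    print(failed_logins(SAMPLE_LINES))
```

In a cluster, the same functions can read the output of the kubectl logs command line by line from standard input instead of SAMPLE_LINES.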
spec.applicationDatabase.clusterSpecList or has zero members specified.
/var/log/mongodb-mms-automation.
Published by mms-build-account about 1 year ago
NAMESPACE. If you set this variable manually via YAML files, you should update this environment variable name while upgrading the operator deployment.
specWrapper for statefulsets we now support overriding metadata.Labels and metadata.Annotations via the MetadataWrapper.
OpsManager with a highly available applicationDatabase across multiple Kubernetes clusters by introducing the following fields:
om.spec.applicationDatabase.topology which can be one of MultiCluster and SingleCluster.
om.spec.applicationDatabase.clusterSpecList for configuring the list of Kubernetes clusters which will have
For extended considerations for the multi-cluster AppDB configuration, check the official guide and the OpsManager resource specification.
om.spec.applicationDatabase.topology to SingleCluster. Existing OpsManager resources do not need to be modified to upgrade to this version of the operator.
spec.backup.[]s3Stores.customCertificateSecretRefs and spec.backup.[]s3OpLogStores.customCertificateSecretRefs
customCertificateSecretRefs, then those certificates will be used instead of the default certificates setup in the JVM Trust Store (in Ops Manager or Cloud Manager).
appdb-ca is no longer automatically added to the JVM Trust Store (in Ops Manager or Cloud Manager). Since a bug introduced in version 1.17.0, automatically adding these certificates to the JVM Trust Store has no longer worked.
1.17.0 (where automated inclusion in the JVM Trust Store worked) OR had a workaround (such as mounting your own trust store to OM)
spec.backup.[]s3Config.customCertificateSecretRefs (introduced in this release and covered below in the release notes) to specify the certificate authority for use for backups.
appdb-ca is the certificate authority saved in the configmap specified under om.spec.applicationDatabase.security.tls.ca.
spec.externalConnectivity.port when LoadBalancer service type is used for exposing Ops Manager instance externally.
appdb-ca which consists of a bundle of certificate authorities into the ops-manager JVM trust store. Previously, the keystore had 2 problems:
spec.backup.[]s3Stores.customCertificate and spec.backup.[]s3OpLogStores.customCertificate are being deprecated in favor of spec.backup.[]s3OpLogStores.[]customCertificateSecretRefs and spec.backup.[]s3Stores.[]customCertificateSecretRefs
customCertificate, the operator would use the appdb-ca as the custom certificate. Currently, this should be explicitly set via customCertificateSecretRefs.
Published by mms-build-account over 1 year ago
This release fixes an issue that prevented upgrading the Kubernetes Operator to 1.20.0 in OpenShift. Upgrade to this release instead.
spec.applicationDatabase.memberConfig.votes, spec.applicationDatabase.memberConfig.priority
spec.applicationDatabase.memberConfig.tags field.
-ent to -ubi8.
quay.io/mongodb/mongodb-enterprise-appdb-database-ubi) to the new official one (quay.io/mongodb/mongodb-enterprise-server) without changing the version in MongoDBOpsManager's applicationDatabase.version field.
values.mongodb.name field), which are functionally equivalent to the previous ones (the same MongoDB version).
mongodb.name will now default to mongodb-enterprise-server.
mongodb-enterprise-server.
-ent with the value set in the environment variable MDB_IMAGE_TYPE, which defaults to -ubi8.
quay.io/mongodb/mongodb-enterprise-server:4.2.11-ent to quay.io/mongodb/mongodb-enterprise-server:4.2.11-ubi8.
MDB_IMAGE_TYPE=ubuntu2024 quay.io/mongodb/mongodb-enterprise-server:4.2.11-ent to quay.io/mongodb/mongodb-enterprise-server:4.2.11-ubuntu2024.
mongodb-enterprise-server.
mongodb-enterprise-appdb-database-ubi:4.0.0-ent will not be altered
MDB_APPDB_ASSUME_OLD_FORMAT=true
mongodb.appdbAssumeOldFormat=true
spec.applicationDatabase.version. Previously, it was required to specify AppDB's version with -ent suffix. Currently, it is possible to specify a bare version, e.g. 6.0.5 and the operator will convert it to 6.0.5-${MDB_IMAGE_TYPE}. The default for environment variable MDB_IMAGE_TYPE is -ubi8.
values.mongodb.name field: quay.io/mongodb/mongodb-enterprise-server.
values.mongodb.imageType variable to specify a default image type suffix added to AppDB's version used by MongoDBOpsManager resource.
appdb.connectionSpec.Project since it has been deprecated for over 2 years.
Published by mms-build-account over 1 year ago
1.19.0 version of the operator as it is tied to a broken release on the Openshift Marketplace.
spec.memberOptions.[*].votes field.
spec.memberOptions.[*].priority field.
spec.memberOptions.[*].tags field.
spec.clusterSpecList.[*].memberOptions.[*].votes field.
spec.clusterSpecList.[*].memberOptions.[*].priority field.
spec.clusterSpecList.[*].memberOptions.[*].tags field.
spec.externalAccess.externalDomain).
process.hostname field in the Automation Config.
spec.security.authentication.ldap.transportSecurity: "none" is now a valid configuration to use no transportSecurity.
podSpec per shard in a MongoDB Sharded cluster by specifying an array of podSpecs under spec.shardSpecificPodSpec for each shard.
orgID = "" has been chosen then OM will try to create an ORG with the project name.
spec.exposedExternally option becomes deprecated in favor of spec.externalAccess. The deprecated option will be removed in MongoDB Enterprise Operator 1.22.0.
WATCH_NAMESPACE='*' environment variable for multi-cluster deployments with cluster-wide operator. In some specific circumstances, API clients for member clusters were configured incorrectly resulting in deployment errors.
The secret object 'mdb-multi-rs-cert' does not contain all the valid certificates needed: secrets "mdb-multi-rs-cert-pem" already exists
WATCH_NAMESPACE='*' environment variable passed to the operator deployment
Renaming of the multicluster CRD MongoDBMulti to MongoDBMultiCluster
The spec.members field is required to be set in case of MongoDB deployment of type ReplicaSet.
CertificatesSecretsPrefix was set but no further spec.security.tls setting was set i.e. tls.additionalCertificateDomains or tls.ca.
Published by irajdeep almost 2 years ago
spec.backup.encryption.kmip in both OpsManager and MongoDB resources.
spec.backup.[*].assignmentLabels elements of the OpsManager resource.
spec.backup.snapshotSchedule in the OpsManager resource.
SCRAM-SHA-1 support for both user and Agent authentication. Before enabling this capability, make sure you use both MONGODB-CR and SCRAM-SHA-1 in the authentication modes.
spec.security.tls.secretRef.prefix has been removed from MongoDB and OpsManager resources. It was deprecated in the MongoDB Enterprise
Published by mms-build-account about 2 years ago
podTemplateSpec.
Published by mms-build-account about 2 years ago
operator.deployment_name from the Helm chart. Parameter was used in an incorrect way and only for customising the name of the operator container. The name of the container is now set to operator.name. This is a breaking change only if operator.deployment_name was set to a different value than operator.name and if there is external tooling relying on this. Otherwise this change will be unnoticeable.
Published by mms-build-account about 2 years ago
Kubernetes TLS type certificate before upgrading to this version.
Ops Manager 4.4 is no longer supported by the operator.
For custom S3 compatible backends for the Oplog and Snapshot stores, it is now possible to specify the spec.backup.s3OpLogStores[n].s3RegionOverride and the spec.backup.s3Stores[n].s3RegionOverride parameter.
readOnlyRootFilesystem property to all deployed containers. This change also introduces a few additional volumes and volume mounts.
allowPrivilegeEscalation set to false for all containers.
Published by mms-build-account about 2 years ago
Published by mms-build-account over 2 years ago
Security Context are now defined only at Pod level (not both Pod and Container level as before).
Added timeoutMS, userCacheInvalidationInterval fields to spec.security.authentication.ldap object.
Bug fixes
additionalMongodConfig.net.tls.mode for mongos, configSrv and shard objects when configuring ShardedCluster resource.
Published by mms-build-account over 2 years ago
spec.podSpec.podAntiAffinityTopologyKey, spec.podSpec.podAffinity and spec.podSpec.nodeAffinity has been removed. Please use spec.podSpec.podTemplate override to set these fields.
>=4.0.0 <4.0.9 and <3.6.13. These server versions have reached EOL. Make sure to update your MDB deployment to a version later than 4.0.9 before upgrading the operator.
spec.applicationDatabase.podSpec.podAntiAffinityTopologyKey, spec.applicationDatabase.podSpec.podAffinity and spec.applicationDatabase.podSpec.nodeAffinity has been removed. Please use spec.applicationDatabase.podSpec.podTemplate override to set these fields.
Published by mms-build-account over 2 years ago
spec.Service has been deprecated. Please use spec.statefulSet.spec.serviceName to provide a custom service name.
Published by mms-build-account over 2 years ago
spec.security.tls.secretRef.name has been removed. It was deprecated in operator version v1.10.0. Please use the field spec.security.certsSecretPrefix to specify the secret name containing the certificate for Database. Make sure to create the secret containing the certificates accordingly.
spec.podSpec.cpu and spec.podSpec.memory has been removed. To override the CPU/Memory resources for the database pod, you need to override them using the statefulset spec override under spec.podSpec.podTemplate.spec.containers.
metadata.labels is propagated to the database StatefulSet and the PVC objects.
spec.prometheus configuration attribute. Find a sample Prometheus configuration in the samples/mongodb/prometheus directory.
spec.applicationDatabase.security.tls.secretRef.name has been removed. It was deprecated in operator version v1.10.0. Please use the field spec.applicationDatabase.security.certsSecretPrefix to specify the secret name containing the certificate for AppDB. Make sure to create the secret containing the certificates accordingly.
spec.applicationDatabase.podSpec.cpu and spec.applicationDatabase.podSpec.memory has been removed. To override the CPU/Memory resources for the appDB pod, you need to override them using the statefulset spec override under spec.applicationDatabase.podSpec.podTemplate.spec.containers.
metadata.labels is propagated to the OM, AppDB and BackupDaemon StatefulSet and the PVC objects.
spec.applicationDatabase.prometheus configuration attribute. Find a sample Prometheus configuration in the samples/mongodb/prometheus directory.
spec.connectionStringSecretName to be able to provide a deterministic secret name for the user specific connection string secret generated by the operator.
Published by mms-build-account over 2 years ago
spec.security.tls.ca and spec.security.tls.secretRef. The field spec.backup.s3OpLogStores[n].customCertificate / spec.backup.s3Stores[n].customCertificate needs to be set true.
Published by mms-build-account over 2 years ago
Bug fixes
Secret of type Opaque.
New images
Published by mms-build-account over 2 years ago
spec.security.tls.enabled and spec.security.tls.secretRef.prefix fields are now deprecated and will be removed in a future release. To enable TLS it is now sufficient to set the spec.security.certsSecretPrefix field.
spec.backup.queryableBackupSecretRef. The secrets referenced by this field contain the certificates used to enable the Queryable Backups feature.
spec.security.tls.ca and spec.security.tls.secretRef.
spec.applicationDatabase.automationConfig.processes[n].disabled field, this enables backing up the AppDB.
spec.security.tls.enabled, spec.security.tls.secretRef.prefix, spec.applicationDatabase.security.tls.enabled and spec.applicationDatabase.security.tls.prefix fields are now deprecated and will be removed in a future release. To enable TLS it is now sufficient to set the spec.security.certsSecretPrefix and/or spec.applicationDatabase.security.certsSecretPrefix field.
All the images can be found in:
https://quay.io/repository/mongodb (ubuntu-based)
https://connect.redhat.com/ (rhel-based)
Published by rodrigovalin almost 3 years ago
spec.backup.autoTerminateOnDeletion. AutoTerminateOnDeletion indicates if the Operator should stop and terminate the Backup before the cleanup, when the MongoDB Resource is deleted.
spec.backup.s3OpLogStores field.
All the images can be found in:
https://quay.io/repository/mongodb (ubuntu-based)
https://connect.redhat.com/ (rhel-based)