MongoDB Enterprise Kubernetes Operator 1.13.0

Kubernetes Operator

• Breaking Changes:
  • The Operator no longer generates certificates for TLS resources.
• When deploying to multiple namespaces, imagePullSecrets has to be created only in the namespace where the Operator is installed. From here, the Operator will be sync this secret across all watched namespaces.
• The credentials secret used by the Operator now accepts the pair of fields publicKey and privateKey. These should be preferred to the existent user and publicApiKey when using Programmatic API Keys in Ops Manager.
• For TLS-enabled resources, the operator now watches the ConfigMap containing the Certificate Authority and the secret containg the TLS certificate. Changes to these resources now trigger a reconciliation of the related resource.
• The Operator can now watch over a list of Namespaces. To install the Operator in this mode, you need to set the value operator.watchNamespace to a comma-separated list of Namespaces.
  The Helm install process will create Roles and Service Accounts required, in the Namespaces that the Operator will be watching.

Support for TLS certificates provided as kubernetes.io/tls secrets

• The operator now supports referencing TLS secrets of type kubernetes.io/tls
  • This type of secrets contain a tls.crt and tls.key entry
  • The operator can read these secrets and automatically generate a new one, containing the concatenation of tls.crt and tls.key
  • This removes the need for a manual concatenation of the fields and enables users to natively reference secrets generated by tools such as cert-manager

Deprecation Notice
The usage of generic secrets, manually created by concatenating certificate and private key, is now deprecated.

MongoDB Resource

• Breaking Changes:
  • The field spec.project has been removed from MongoDB spec, this field has been deprecated since operator version 1.3.0. Make sure to specify the project configmap name under spec.opsManager.configMapRef.name or spec.cloudManager.configMapRef.name before upgrading the operator.
• Changes:
  • A new field has been added: spec.security.certsSecretPrefix. This string is now used to determine the name of the secrets containing various TLS certificates:
    • For TLS member certificates, the secret name is <spec.security.certsSecretPrefix>-<resource-name>-cert
      • Note: If either spec.security.tls.secretRef.name or spec.security.tls.secretRef.prefix are specified, these will take precedence over the new field
      • Note: if none of these three fields are specified, the secret name is <resource-name>-cert
    • For agent certificates, if spec.security.certsSecretPrefix is specified, the secret name is<spec.security.certsSecretPrefix>-<resource-name>-agent-certs
      • Note: if spec.authentication.agents.clientCertificateSecretRef is specified, this will take precedence over the new field
      • If none of these fields are set, the secret name is still agent-certs
    • For internal cluster authentication certificates, if spec.security.certsSecretPrefix is specified, the secret name is <spec.security.certsSecretPrefix>-<resource-name>-clusterfile
      • Otherwise, it is still <resource-name>-clusterfile
• Bug fixes
  • Fixes an issue where Sharded Cluster backups could not be correctly configured using the MongoDB CR.
  • Fixes an issue where Backup Daemon fails to start after OpsManager version upgrade.

MongoDBOpsManager Resource

• Operator will report status of FileSystemSnaphot store names configured under spec.backup.fileSystemStores in OM CR. The FS however needs to be manually configured.
• It is now possible to disable creation of "LoadBalancer" Type service for queryable backup by setting spec.backup.externalServiceEnabled to false in OM CR. By default, the operator would create the LoadBalancer type service object.
• The operator will now automatically upgrade the used API Key to a programmatic one when deploying OM >= 5.0.0. It is now possible to upgrade from older versions of OM to OM 5.0 without manual intervention.
• A new field has been added: spec.security.certSecretPrefix. This is string is now used to determine the name of the secret containing the TLS certificate for OpsManager.
  • If the existing field spec.security.tls.secretRef.Name is specified, it will take the precedence
    • Please note that this field is now deprecated and will be removed in a future release
  • Otherwise, if spec.security.certSecretPrefix is specified, the secret name will be <spec.security.certSecretPrefix>-<om-resource-name>-cert

MongoDBUser Resource

• Breaking Changes:
  • The field spec.project has been removed from User spec, this field has been deprecated since operator version 1.3.0. Make sure to specify the MongoDB resource name under spec.MongoDBResourceRef.name before upgrading the operator.

Miscellaneous

• Ops Manager versions 4.4.7, 4.4.9, 4.4.10, 4.4.11, 4.4.12 and 4.4.13 base images have been updated to Ubuntu 20.04.
• Ops Manager versions 4.4.16 and 5.0.1 are now supported

OPA Gatekeeper Sample Policies

Sample policies are now available in opa_examples directory

MongoDB Enterprise Kubernetes Operator 1.12.0

MongoDB Resource

• Bug Fixes
  • Fixes a bug when an user could only specify net.ssl.mode and not net.tls.mode in the spec.additionalMongodConfig field.
• Changes
  • If spec.exposedExternally is set to false after being set to true, the Operator will now delete the corresponding service

MongoDBOpsManager Resource

• Changes
  • If spec.externalConnectivity is unset after being set, the Operator will now delete the corresponding service
  • It is now possible to specify the number of backup daemon pods to deploy through the spec.backup.members field. The value defaults to 1 if not set.

Miscellaneous

• Ops Manager versions 4.4.13, 4.4.14, 4.4.15 and 4.2.25 are now supported

• Ops Manager version 5.0.0 is now supported

• Ubuntu based operator images are now based on Ubuntu 20.04 instead of Ubuntu 16.04

• Ubuntu based database images starting from 2.0.1 will be based on Ubuntu 18.04 instead of Ubuntu 16.04
  NOTE: MongoDB 4.0.0 does not support Ubuntu 18.04 - If you want to use MongoDB 4.0.0, stay on previously released images

• Ubuntu based Ops Manager images after 4.4.13 will be based on Ubuntu 20.04 instead of Ubuntu 16.04

• Newly released ubi images for Operator, Ops Manager and Database will be based un ubi-minimal instead of ubi

MongoDB Enterprise Kubernetes Operator 1.11.0

MongoDB Resource

• Bug fixes
  • Fixes an issue with the LivenessProbe that could cause the database Pods to be restarted in the middle of a restore operation from Backup.

MongoDBOpsManager Resource

• Breaking Changes
  For a complete guide on how to safely upgrade, please check the upgrade instructions
  • Each Application Database pod consists now of three containers (mongodb, mongodb-agent, mongodb-agent-monitoring) and it does not bundle anymore a MongoDB version
  • You can now use any version of MongoDB for the Application Database (we recommend to use the enterprise ones provided by MongoDB, see the New Images section)
    • You need to make sure the MongoDB version used is supported by OpsManager
  • spec.applicationDatabase.version is no longer optional.
  • spec.applicationDatabase.persistent does not exist anymore, the Operator will now always use persistent volumes for the AppDB.

New Images

• mongodb-agent 10.29.0.6830-1:

  • Ubi: quay.io/mongodb/mongodb-agent-ubi:10.29.0.6830-1
  • Ubuntu: quay.io/mongodb/mongodb-agent:10.29.0.6830-1

• mongodb-enterprise-appdb-database

  • Ubi: quay.io/mongodb/mongodb-enterprise-appdb-database-ubi
  • Ubuntu: quay.io/mongodb/mongodb-enterprise-appdb-database

• mongodb-enterprise-init-appdb 1.0.7

  • Ubi: quay.io/mongodb/mongodb-enterprise-init-appdb-ubi:1.0.7
  • Ubuntu: quay.io/mongodb/mongodb-enterprise-init-appdb:1.0.7

• mongodb-enterprise-init-database 1.0.3

  • Ubi: quay.io/mongodb/mongodb-enterprise-init-database-ubi:1.0.3
  • Ubuntu: quay.io/mongodb/mongodb-enterprise-init-database:1.0.3

MongoDB Enterprise Kubernetes Operator 1.10.0

Kubernetes Operator

• Changes

  • The CRDs have been updated to from v1beta1 to v1 version. This should not have any impact on Kubernetes clusters 1.16 and up. The CRDs won't be installable in clusters with versions older than 1.16.

• Bug fixes

  • Fixes an issue which made it not possible do have multiple ops-manager resources with the same name in different namespaces.
  • Fixes an issue which made new MongoDB resources created with spec.backup.mode=disabled fail.
  • Fixes an issue which made a Replica Set go to Fail state if, at the same time, the amount of members of a Replica Set are increased and TLS is disabled.

MongoDBOpsManager Resource

• Known issues
  • When using remote or hybrid mode, and automation.versions.download.baseUrl has been set, the property automation.versions.download.baseUrl.allowOnlyAvailableBuilds
    needs to be set to false. This has been fixed in Ops Manager version 4.4.11.

MongoDB Enterprise Kubernetes Operator 1.9.2

Miscellaneous

• Fix errors with CSV

MongoDB Enterprise Kubernetes Operator 1.9.1

Kubernetes Operator

• Bug fixes
  • Fixes an issue where the service-account-name could not be specified in the StatefulSet podSpec override.
  • Removed unnecessary delete service permission from operator role.

MongoDB Resource

• Bug fixes
  • Fixes an issue where updating a role in spec.security.authentication.roles by removing the privileges array would cause the resource to enter a bad state

MongoDBOpsManager Resource

• Breaking Changes
  • The new Application Database image mongodb-enterprise-appdb:10.2.15.5958-1_4.2.11-ent was released. The image needs
    to be downloaded to the local repositories otherwise MongoDBOpsManager resource won't start. The image contains a new bundled MongoDB 4.2.11-ent instead of 4.2.2-ent.
• Changes
  • Ops Manager user now has "backup", "restore" and "hostManager" roles, allowing for backups/restores on the AppDB.
  • If spec.applicationDatabase.version is omitted the Operator will use 4.2.11-ent as a default MongoDB.

Kubernetes Operator

• Bug fixes
  • Fixes an issue where connections were not closed leading to too many file
    descriptors open.

MongoDB Resource

• Changes
  • Continuous backups can now be configured with the MongoDB CRD. Set spec.backup.enabled to true. Note: You must have an Ops Manager resource already configured with backup. See the docs for more information.

MongoDBOpsManager Resource

• Changes
  • A StatefulSet resource that holds the Ops Manager Backup Daemon will be
    deleted and recreated in order to change the matchLabels attribute,
    required for a new Service to allow for Queryable Backups feature to work.
    This is a safe operation.
  • Changed the way the Operator collects statuses of MongoDB Agents running in
    Application Database Pods.

Updated Image Tags

• mongodb-enterprise-operator: 1.9.0

Ops Manager Resource

Bug Fixes

• Fixes an issue when MongoDBOpsManager resource gets to Failing state when both external connectivity and backups are enabled

Docker Images Released

Operator

Ubuntu 16.04: quay.io/mongodb/mongodb-enterprise-operator:1.8.2
UBI8: quay.io/mongodb/mongodb-enterprise-operator-ubi:1.8.2

Known Issues

• When both external connectivity and backups are enabled in Ops Manager at the same time, the Ops Manager resource will Fail to reconcile.

Bug fixes

• Fixed a bug where spec.security.authentication.ignoreUnknownUsers could not be modified after a MongoDB resource was created.
• Failed queryable backups have been fixed. The operator now creates a Kubernetes Service that Ops Manager will use to access backups.
• Fixed an issue that would make it impossible to move from non-TLS to a TLS enabled AppDB.

Improvements

• Init containers will not run as root.
• Ops Manager Backup daemon will run in unprivileged mode.
• To manage Database Pod resources, the spec.podSpec.podTemplate MongoDB Custom Resource attribute should be used. See samples/mongodb/podspec directory with sample MongoDB resource definitions for each type of resource supported. The different spec.podSpec.{cpu, cpuLimits, memory, memoryLimits} will be deprecated soon.

New Images

• Init-database 1.0.1:
  • Ubi: quay.io/mongodb/mongodb-enterprise-init-database-ubi:1.0.1
  • Ubuntu: quay.io/mongodb/mongodb-enterprise-init-database:1.0.1
• Init-ops-manager 1.0.3:
  • Ubi: quay.io/mongodb/mongodb-enterprise-init-ops-manager-ubi:1.0.3
  • Ubuntu: quay.io/mongodb/mongodb-enterprise-init-ops-manager:1.0.3
• Init-appdb 1.0.5:
  • Ubi: quay.io/mongodb/mongodb-enterprise-init-appdb-ubi:1.0.5
  • Ubuntu: quay.io/mongodb/mongodb-enterprise-init-appdb:1.0.5

New Ops Manager Images

• Version 4.4.5
  • Ubi: quay.io/mongodb/mongodb-enterprise-ops-manager-ubi:4.4.5
  • Ubuntu: quay.io/mongodb/mongodb-enterprise-ops-manager:4.4.5
• Version 4.2.21:
  • Ubi: quay.io/mongodb/mongodb-enterprise-ops-manager-ubi:4.2.21
  • Ubuntu: quay.io/mongodb/mongodb-enterprise-ops-manager:4.2.21
• Version 4.2.20:
  • Ubi: quay.io/mongodb/mongodb-enterprise-ops-manager-ubi:4.2.20
  • Ubuntu: quay.io/mongodb/mongodb-enterprise-ops-manager:4.2.20

Note: quay.io/mongodb/mongodb-enterprise-init-ops-manager:1.0.2 will support new release versions.

A list of the packages installed, and any security vulnerabilities detected in our build process, are outlined here
For the MongoDB Enterprise Operator
https://quay.io/repository/mongodb/mongodb-enterprise-operator?tab=tags
And for the MongoDB Enterprise Database
https://quay.io/repository/mongodb/mongodb-enterprise-database?tab=tags

Breaking Changes

• The Mongodb Enterprise Database image now requires an init container. If using a private repository, the INIT_DATABASE_IMAGE_REPOSITORY environment variable must be configured in the operator deployment, and the new init container must exist inside this repository.

New features

• AppDB can now be configured with SCRAM-SHA-256 authentication when using Ops Manager 4.4 or newer
• Agent client certificate authentication can now be used in conjunction with any other authentication mechanism using the new configuration field
  1. spec.security.authentication.requireClientTLSAuthentication
  2. If enabling ClientTLSAuthentication, the client TLS certificate used by the MongoDB agents can be configured using spec.security.authentication.agents.clientCertificateSecretRef

Bug fixes

• Fixed an issue where the operator would choose an incorrect project name when creating MongoDBUsers.
• Fixed an issue where the MongoDBOpsManager CRD had the CA path in the incorrect location.
• Fixed an issue in which the parameters passed through spec.agent.startupOptions would not be correctly recognized by the agent
• Fixed an issue which could cause a potential deadlock when certain configuration options were modified in parallel.

Improvements

• Changed the default permissions of volumes created from secret from 0644 to 0640
• Changed the validation of the opsmanager spec.version field to allow for tags that do not match semver versioning. The field must start with the Major.Minor.Patch string that represent the OpsManager version

Known Issues

• When enabling queryable backup, you will need to manually create two additional services: one exposing the queryable backup port (default: 25999) for the Ops Manager pod, and one for the backup daemon pod, to ensure that it is resolvable from the Ops Manager pod

A list of the packages installed, and any security vulnerabilities detected in our build process, are outlined here

For the MongoDB Enterprise Operator
https://quay.io/repository/mongodb/mongodb-enterprise-operator?tab=tags

And for the MongoDB Enterprise Database
https://quay.io/repository/mongodb/mongodb-enterprise-database?tab=tags

New features

• LDAP : added “spec.security.authentication.agents.automationLdapGroupDN” field to the CRD
• Make agent.auth mandatory if more than one auth mode is specified
• Added the possibility to specify agent startup parameters:
  • “spec.agent.startupOptions” for replica sets/standalone
  • “spec.configSrv.agent.startupOptions”, “spec.mongos.agent.startupOptions”, “spec.shard.agent.startupOptions” for sharded clusters
  • “spec.applicationDatabase.agent.startupOptions” for AppDB

Bug fixes

• MongoDBOpsManager resource:
  • Backing databases with SCRAM-SHA authentication enabled can be of any version if Ops Manager has version 4.4 and above
  • AppDB Monitoring is now correctly configured in Ops Manager when TLS is configured for the AppDB
    The Ops Manager CA configuration property has moved from "spec.applicationDatabase.security.tls.ca" to "spec.security.tls.ca"
• MongoDB resource:
  • Fixed issue where MongoDB 4.4 Replica Sets and Sharded Clusters could not be scaled correctly
  • Fixed an issue in which the operator couldn’t enable agent authentication if only LDAP authentication for the deployment was enabled
  • SCRAM users creation operation and enabling SCRAM authentication in MongoDB resource operation can be done in any order
    Backup automation config is now removed before launching the agent

Known Issues

• ‘spec.applicationDatabase.version” field should not be configured for MongoDBOpsManager resource if AppDB has TLS enabled
  AppDB MongoDB version 4.4+ is not supported
• 1.7.0 release of the Operator made changes to the Deployment configuration which may require to delete the ‘mongodb-enterprise-operator’ Deployment before the upgrade. This is a safe operation as the existing Custom Resources won’t be affected.
• If using TLS certificates signed with a custom certificate authority, the following should be taken into consideration:
  • The “version” of spec.applicationDatabase should not be set (the default version will be used)
  • Ops Manager will have to be configured in “Local Mode”. Every MongoDB version required will need to be copied to Ops Manager in order to be fetched from the database images.

The 1.7.x releases will be the last versions to support OpenShift 3.11. Please, make sure to stay with the 1.7.x release series in order to support OpenShift 3.11. Planned EOL for 1.7.x is July 2021.

New Features:

• LDAP can be enabled as an authentication and authorization mechanism. Please refer to the samples in samples/mongodb/authentication/ldap directory for examples on how to enable LDAP for your Replica Set and Sharded Clusters.
• All UBI images are now based on UBI8 (was UBI7 previously)

Bug fixes:

• Fixed a bug preventing ReplicaSet to scale down from 3 to 1 members

Known Issues:

• AppDBs with TLS are currently not configured for monitoring by Ops Manager

MongoDB Ops Manager Resource Changes

• Ops Manager image for version 4.4.0 is available.

Bug Fixes

• Fixes a bug where the Kubernetes Operator did not store a configuration of your deployed resources in a secret.
• Fixes a bug where the Kubernetes Operator did not allow passwords of any length or complexity for Application Database, oplog store, and blockstore database resources defined in Ops Manager resources.
• Fixes a bug where the authentication configuration was not removed from Ops Manager or Cloud Manager projects when you remove a MongoDB database resource.

Docker Images Released

Operator

• Ubuntu 16.04: quay.io/mongodb/mongodb-enterprise-operator:1.6.1
• UBI7: quay.io/mongodb/mongodb-enterprise-operator-ubi:1.6.1

Database

• Ubuntu 16.04: quay.io/mongodb/mongodb-enterprise-database:1.6.1
• UBI7: quay.io/mongodb/mongodb-enterprise-database-ubi:1.6.1

Ops Manager:

• Ubuntu 16.04: quay.io/mongodb/mongodb-enterprise-ops-manager:4.4.0
• UBI7: quay.io/mongodb/mongodb-enterprise-ops-manager-ubi:4.4.0

Init AppDB:

• Ubuntu 16.04: quay.io/mongodb/mongodb-enterprise-init-appdb:1.0.2
• UBI7: quay.io/mongodb/mongodb-enterprise-init-appdb-ubi:1.0.2

New features

• LDAP can be enabled as an authentication mechanism (authorisation support will be available in the next release), please refer to the samples in the samples/mongodb/authentication/ldap directory.
• Operator will not delete OpsManager Cluster records when backup is enabled to preserve backup history.

Bug fixes

• Operator raises errors when projectName contains blank spaces
• Enable the Monitoring function for all the pods deployed via the K8s Operator

MongoDB Resource Changes

• Additional options for more granular configuration of mongod/mongos processes. You can find an example of how to apply these options in the public/samples/mongodb/mongodb-options and in the MongoDB documentation.

Bug Fixes

• A bug was introduced in version 1.5.4 that would not tag projects correctly, when working with projects on Ops Manager versions older than 4.2.2. When updating to 1.5.5, the new operator version will tag the projects correctly.

• Authentication settings can be modified using Ops/Cloud Manager UI if spec.security.authentication object has not been provided on the MongoDB resource object definition.
• Fixed a bug triggered when transitioning authentication mechanisms from X509 to SCRAM
• Fixed a bug that prevented the MongoDB agent to reach goal state if SCRAM configuration was changed in OpsManager UI
• Installation now support helm install/upgrade instead of helm template | kubectl apply
• Agent authentication mechanism can now be configured independently of cluster authentication mechanism
• Configure monitoring agents for AppDB to send metrics to OpsManager

Bug Fixes

• Fixed an issue where unnecessary reconciliations were triggered by operator watched Secrets and ConfigMaps.
• Shutdown timeouts are now correctly configured for Ops Manager and the Backup Daemon
• Ops Manager and MongoDB deployment configuration properties are now passed more securely.
• Fixed an issue where updating the status of the custom resources failed in Openshift 3.11

Ops Manager Resource Changes

• Ops Manager and Backup Daemon pods are run under a dedicated service account.

Kubernetes Operator Changes

• The Operator can be configured to watch only a subset of Custom Resource Definitions provided. You can find more information in the documentation.
• CRDs can be generated without the use of subresources. This is needed on some versions of Openshift 3.11. In order to do this, use --set subresourceEnabled=false when installing the Operator with helm.

Bug Fixes

• Fixed setting the spec.statefulSet and spec.backup.statefulSet fields on the MongoDBOpsManager Resource.
• FIxed a bug that could make an Ops Manager resource to get to an unrecoverable state if the provided admin password is not strong enough.
• Fixed an error and restart of the Operator during setup of webhook.

Kubernetes Operator Changes

• Fixed issue where when no authentication was configured by the operator, the operator would disable authentication in Ops Manager or Cloud Manager. The operator will no longer disable authentication unless spec.security.authentication.enabled: false is explicitly set.

• The generation of TLS certificates by the operator is being deprecated. Warning messages will now appear if operator generated certificates are used. See the documentation https://docs.mongodb.com/kubernetes-operator/stable/secure/ for how to configure secure deployments.

Known Issues

• When configuring the spec.statefulSet and spec.backup.statefulSet options of the MongoDBOpsManagerResource, configuring any field other than statefulSet.spec.template fields will have no effect.

Kubernetes Operator Changes

• Adds the ability to start the Operator with only some of our CRDs installed. This allows administrators to limit the Operator to only be able to deploy either MonogDB instances or Ops Manager, if desired. This can be configured by specifying container arguments watch-resource.

MongoDB Resource Changes

• Better support for custom TLS certificates by using spec.security.tls.secretRef and spec.security.tls.ca configuration properties

• TLS certificate generation by the Operator is now deprecated. We recommend migration to custom TLS certificates

Ops Manager Resource Changes

• The MongoDBOpsManager resource is now Generally Available (GA).

• Breaking change: removes the spec.podSpec and spec.backup.podSpec fields in favour of spec.statefulSet and spec.backup.statefulSet configuration properties.

• Breaking change: new Operator configuration properties INIT_OPS_MANAGER_IMAGE_REPOSITORY, INIT_APPDB_IMAGE_REPOSITORY, APPDB_IMAGE_REPOSITORY were added. When using a private docker registry, these properties have to point to the relevant registries after having copied the images from our distribution channels.

• Adds support for Backup Blockstore Snapshot Stores

• The Backup S3 Snapshot Store now uses Application Database as a metadata database by default

• Adds support for spec.jvmParameter and spec.backup.jvmParameter to add or override JVM parameters in Ops Manager and Backup Daemon processes

• Ops Manager and Backup Daemon JVM memory parameters are automatically configured based on pod memory availability

• Adds support for TLS for Ops Manager and the Application Database

• Adds more detailed information to status field

• Support for Ops Manager Local Mode for MongoDBOpsManager resources with multiple replicas by enabling users to specify PersistentVolumeClaimTemplates in spec.statefulSet

• New Image Versioning Scheme

• Known Issues: To enable S3 Snapshot stores in Ops Manager 4.2.10 and 4.2.12, users must set "brs.s3.validation.testing: disabled"

See the sample YAML files for new feature usage examples.