MongoDB Kubernetes Enterprise Operator 1.17.0

MongoDB Operator

• Ubuntu-based images are deprecated (in favor of only UBI-based images).

Breaking Change

• The operator doesn't support old Style TLS(concatenated PEM format) certificate anymore. Make sure to upgrade to the Kubernetes TLS type certificate before upgrading to this version.

MongoDBOpsManager Resource

• Ops Manager 4.4 is no longer supported by the operator.

• For custom S3 compatible backends for the Oplog and Snapshot stores, it is now possible to specify the
  spec.backup.s3OpLogStores[n].s3RegionOverride and the spec.backup.s3Stores[n].s3RegionOverride parameter.

Security fixes

• Improved security by introducing readOnlyRootFilesystem property to all deployed containers. This change also introduces a few additional volumes and volume mounts.
• Improved security by introducing allowPrivilegeEscalation set to false for all containers.

MongoDB Kubernetes Enterprise Operator 1.16.4

Security fixes

• The operator and init-ops-manager binaries are built with Go 1.18.4 which addresses security issues.

MongoDB Kubernetes Enterprise Operator 1.16.3

MongoDB Resource

• Security Context are now defined only at Pod level (not both Pod and Container level as before).

• Added timeoutMS, userCacheInvalidationInterval fields to spec.security.authentication.ldap object.

• Bug fixes

  • Fixes ignored additionalMongodConfig.net.tls.mode for mongos, configSrv and shard objects when configuring ShardedCluster resource.

MongoDB Kubernetes Enterprise Operator 1.16.2

MongoDB Resource

• spec.podSpec.podAntiAffinityTopologyKey , spec.podSpec.podAffinity and spec.podSpec.nodeAffinity has been removed. Please use spec.podSpec.podTemplate override to set these fields.
• Wiredtiger cache computation has been removed. This was needed for server version >=4.0.0 <4.0.9 and <3.6.13. These server version have reached EOL. Make sure to update your MDB deployment to a version later than 4.0.9 before upgrading the operator.

MongoDBOpsManager Resource

• spec.applicationDatabase.podSpec.podAntiAffinityTopologyKey , spec.applicationDatabase.podSpec.podAffinity and spec.applicationDatabase.podSpec.nodeAffinity has been removed. Please use spec.applicationDatabase.podSpec.podTemplate override to set these fields.

MongoDB Kubernetes Enterprise Operator 1.16.1

MongoDB Resource

• spec.Service has been deprecated. Please use spec.statefulSet.spec.serviceName to provide a custom service name.

MongoDB Kubernetes Enterprise Operator 1.16.0

MongoDB Resource

• spec.security.tls.secretRef.name has been removed. It was deprecated in operator version v1.10.0. Please use the field spec.security.certsSecretPrefix to specify the secret name containing the certificate for Database. Make sure to create the secret containing the certificates accordingly.
• spec.podSpec.cpu and spec.podSpec.memory has been removed to override the CPU/Memory resources for the database pod, you need to override them using the statefulset spec override under spec.podSpec.podTemplate.spec.containers.
• Custom labels specified under metadata.labels is propagated to the database StatefulSet and the PVC objects.
• Prometheus scraping endpoints can now be added to the MongoDB resources with the spec.prometheus configuration attribute. Find a sample Prometheus configuration in the samples/mongodb/prometheus directory.

MongoDBOpsManager Resource

• spec.applicationDatabase.security.tls.secretRef.name has been removed. It was deprecated in operator version v1.10.0. Please use the field spec.applicationDatabase.security.certsSecretPrefix to specify the secret name containing the certificate for AppDB. Make sure to create the secret containing the certificates accordingly.
• spec.applicationDatabase.podSpec.cpu and spec.applicationDatabase.podSpec.memory has been removed to override the CPU/Memory resources for the appDB pod, you need to override them using the statefulset spec override under spec.applicationDatabase.podSpec.podTemplate.spec.containers.
• Custom labels specified under metadata.labels is propagated to the OM, AppDB and BackupDaemon StatefulSet and the PVC objects.
• Prometheus scraping endpoints can now be added to the ApplicationDatabase resources with the spec.applicationDatabase.prometheus configuration attribute. Find a sample Prometheus configuration in the samples/mongodb/prometheus directory.

MongoDBUser Resource

• Changes:
  • Added the optional field spec.connectionStringSecretName to be able to provide a deterministic secret name for the user specific connection string secret generated by the operator.

MongoDB Kubernetes Enterprise Operator 1.15.2

MongoDBOpsManager Resource

• Bug Fix
  • For enabling custom TLS certificates for S3 Oplog and Snapshot stores for backup. In addition to setting spec.security.tls.ca and spec.security.tls.secretRef. The field spec.backup.s3OpLogStores[n].customCertificate / spec.backup.s3Stores[n].customCertificate needs to be set true.
  • Fixed an issue where the incorrect CA would be mounted in to the AppDB pod.

MongoDB Kubernetes Enterprise Operator 1.15.1

Kubernetes Operator

• Changes
  • Init-database, Init-Ops-Manager and Operator binaries are now built with Go 1.17.7 to prevent CVE-2022-23773.

MongoDBOpsManager Resource

• Bug fixes

  • Fixes an issue that prevented the Operator to be upgraded when managing a TLS enabled ApplicationDB, when the ApplicationDB TLS certificate is stored in a Secret of type Opaque.

• New images

  • Operator: 1.15.1
  • init-database: 1.0.8
  • init-ops-manager: 1.0.7

MongoDB Kubernetes Enterprise Operator 1.15.0

MongoDB Resource

• Changes:
  • The spec.security.tls.enabled and spec.security.tls.secretRef.prefix fields are now deprecated and will be removed in a future release. To enable TLS it is now sufficient to set the spec.security.certsSecretPrefix field.

MongoDBOpsManager Resource

• Changes:
  • A new field has been added: spec.backup.queryableBackupSecretRef. The secrets referenced by this field contains the certificates used to enable Queryable Backups feature.
  • Added support for configuring custom TLS certificates for the S3 Oplog and Snapshot Stores for backup. These can be configured with
    spec.security.tls.ca and spec.security.tls.secretRef.
  • It is possible to disable AppDB processes via the spec.applicationDatabase.automationConfig.processes[n].disabled field, this enables backing up the AppDB.
  • The spec.security.tls.enabled, spec.security.tls.secretRef.prefix, spec.applicationDatabase.security.tls.enabled and spec.applicationDatabase.security.tls.prefix fields are now deprecated and will be removed in a future release. To enable TLS it is now sufficient to set the spec.security.certsSecretPrefix and/or spec.applicationDatabase.security.certsSecretPrefix field.

All the images can be found in:

https://quay.io/repository/mongodb (ubuntu-based)

https://connect.redhat.com/ (rhel-based)

MongoDB Kubernetes Enterprise Operator 1.14.0

MongoDB Resource

• Changes
  • A new field has been added: spec.backup.autoTerminateOnDeletion. AutoTerminateOnDeletion indicates if the Operator should stop and terminate the Backup before the cleanup, when the MongoDB Resource is deleted.
• Bug fixes
  • Fixes an issue which would make a ShardedCluster Resource fail when disabling authentication.

Kubernetes Operator

• Changes
  • The operator now supports Hashicorp Vault as a secret backend.

MongoDBOpsManager Resource

• Bug Fixes
  • Fixes an issue where the operator would not properly trigger a reconciliation when rotating the AppDB TLS Certificate.
  • Fixes an issue where a custom CA specified in the MongoDBOpsManager resource was not mounted into the Backup Daemon pod,
    which prevented backups from working when Ops Manager was configured in hybrid mode and used a custom CA.
• Changes
  • Added support for configuring S3 Oplog Stores using the spec.backup.s3OpLogStores field.

All the images can be found in:

https://quay.io/repository/mongodb (ubuntu-based)

https://connect.redhat.com/ (rhel-based)