Releases: mongodb/mongodb-enterprise-kubernetes
MongoDB Enterprise Kubernetes Operator 1.13.0
Kubernetes Operator
- Breaking Changes:
  - The Operator no longer generates certificates for TLS resources.
- When deploying to multiple namespaces, imagePullSecrets has to be created only in the namespace where the Operator is installed. From here, the Operator will sync this secret across all watched namespaces.
- The credentials secret used by the Operator now accepts the pair of fields publicKey and privateKey. These should be preferred to the existing user and publicApiKey when using Programmatic API Keys in Ops Manager.
- For TLS-enabled resources, the Operator now watches the ConfigMap containing the Certificate Authority and the secret containing the TLS certificate. Changes to these resources now trigger a reconciliation of the related resource.
- The Operator can now watch over a list of Namespaces. To install the Operator in this mode, you need to set the value operator.watchNamespace to a comma-separated list of Namespaces. The Helm install process will create the required Roles and Service Accounts in the Namespaces that the Operator will be watching.
Support for TLS certificates provided as kubernetes.io/tls secrets
- The operator now supports referencing TLS secrets of type kubernetes.io/tls
- This type of secret contains a tls.crt and a tls.key entry
- The operator can read these secrets and automatically generate a new one, containing the concatenation of tls.crt and tls.key
- This removes the need for a manual concatenation of the fields and enables users to natively reference secrets generated by tools such as cert-manager
Deprecation Notice
The usage of generic secrets, manually created by concatenating certificate and private key, is now deprecated.
MongoDB Resource
- Breaking Changes:
  - The field spec.project has been removed from MongoDB spec, this field has been deprecated since operator version 1.3.0. Make sure to specify the project configmap name under spec.opsManager.configMapRef.name or spec.cloudManager.configMapRef.name before upgrading the operator.
- Changes:
  - A new field has been added: spec.security.certsSecretPrefix. This string is now used to determine the name of the secrets containing various TLS certificates:
    - For TLS member certificates, the secret name is <spec.security.certsSecretPrefix>-<resource-name>-cert
      - Note: If either spec.security.tls.secretRef.name or spec.security.tls.secretRef.prefix are specified, these will take precedence over the new field
      - Note: if none of these three fields are specified, the secret name is <resource-name>-cert
    - For agent certificates, if spec.security.certsSecretPrefix is specified, the secret name is <spec.security.certsSecretPrefix>-<resource-name>-agent-certs
      - Note: if spec.authentication.agents.clientCertificateSecretRef is specified, this will take precedence over the new field
      - If none of these fields are set, the secret name is still agent-certs
    - For internal cluster authentication certificates, if spec.security.certsSecretPrefix is specified, the secret name is <spec.security.certsSecretPrefix>-<resource-name>-clusterfile
      - Otherwise, it is still <resource-name>-clusterfile
- Bug fixes
  - Fixes an issue where Sharded Cluster backups could not be correctly configured using the MongoDB CR.
  - Fixes an issue where Backup Daemon fails to start after OpsManager version upgrade.
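The naming and precedence rules for spec.security.certsSecretPrefix listed under Changes above, as an added Go example (not the Operator's own code): it computes which secrets a MongoDB resource will read and reports the ones that are not present, which matters now that the Operator no longer generates certificates. The Spec type, the function names and the sample values are hypothetical; LegacyTLSSecret and AgentCertSecret stand for a secret name already resolved from the older fields, which the note says take precedence without describing how they resolve.

```go
package main

import "fmt"

// Spec holds only the fields named in the 1.13.0 note (hypothetical type).
type Spec struct {
	Resource          string // metadata.name of the MongoDB resource
	CertsSecretPrefix string // spec.security.certsSecretPrefix
	LegacyTLSSecret   string // assumption: name resolved from spec.security.tls.secretRef.name/.prefix
	AgentCertSecret   string // assumption: name from spec.authentication.agents.clientCertificateSecretRef
}

// resolve applies the note's order: older field, then new prefix, then default.
func resolve(s Spec, override, suffix, fallback string) string {
	switch {
	case override != "":
		return override
	case s.CertsSecretPrefix != "":
		return s.CertsSecretPrefix + "-" + s.Resource + "-" + suffix
	}
	return fallback
}

// SecretNames returns the member, agent and clusterfile secret names, in that order.
func SecretNames(s Spec) [3]string {
	return [3]string{
		resolve(s, s.LegacyTLSSecret, "cert", s.Resource+"-cert"),
		resolve(s, s.AgentCertSecret, "agent-certs", "agent-certs"),
		resolve(s, "", "clusterfile", s.Resource+"-clusterfile"),
	}
}

// Missing lists the expected secrets that are not in have (names present in the namespace).
func Missing(s Spec, have map[string]bool) []string {
	var out []string
	for _, n := range SecretNames(s) {
		if !have[n] {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	// Constructed sample: the prefix is set, but only the pre-1.13.0 names exist for agents.
	s := Spec{Resource: "my-rs", CertsSecretPrefix: "prod"}
	fmt.Println(Missing(s, map[string]bool{"prod-my-rs-cert": true, "agent-certs": true}))
}
```

In the sample, setting the prefix moves the agent certificate lookup away from agent-certs, so the existing secret no longer satisfies it.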
MongoDBOpsManager Resource
- Operator will report status of FileSystemSnapshot store names configured under spec.backup.fileSystemStores in OM CR. The FS however needs to be manually configured.
- It is now possible to disable creation of "LoadBalancer" Type service for queryable backup by setting spec.backup.externalServiceEnabled to false in OM CR. By default, the operator would create the LoadBalancer type service object.
- The operator will now automatically upgrade the used API Key to a programmatic one when deploying OM >= 5.0.0. It is now possible to upgrade from older versions of OM to OM 5.0 without manual intervention.
- A new field has been added: spec.security.certSecretPrefix. This string is now used to determine the name of the secret containing the TLS certificate for OpsManager.
  - If the existing field spec.security.tls.secretRef.Name is specified, it will take precedence
    - Please note that this field is now deprecated and will be removed in a future release
  - Otherwise, if spec.security.certSecretPrefix is specified, the secret name will be <spec.security.certSecretPrefix>-<om-resource-name>-cert
MongoDBUser Resource
- Breaking Changes:
  - The field spec.project has been removed from User spec, this field has been deprecated since operator version 1.3.0. Make sure to specify the MongoDB resource name under spec.MongoDBResourceRef.name before upgrading the operator.
Miscellaneous
- Ops Manager versions 4.4.7, 4.4.9, 4.4.10, 4.4.11, 4.4.12 and 4.4.13 base images have been updated to Ubuntu 20.04.
- Ops Manager versions 4.4.16 and 5.0.1 are now supported
OPA Gatekeeper Sample Policies
Sample policies are now available in the opa_examples directory
MongoDB Enterprise Kubernetes Operator 1.12.0
MongoDB Resource
- Bug Fixes
  - Fixes a bug where a user could only specify net.ssl.mode and not net.tls.mode in the spec.additionalMongodConfig field.
- Changes
  - If spec.exposedExternally is set to false after being set to true, the Operator will now delete the corresponding service
MongoDBOpsManager Resource
- Changes
  - If spec.externalConnectivity is unset after being set, the Operator will now delete the corresponding service
  - It is now possible to specify the number of backup daemon pods to deploy through the spec.backup.members field. The value defaults to 1 if not set.
Miscellaneous
- Ops Manager versions 4.4.13, 4.4.14, 4.4.15 and 4.2.25 are now supported
- Ops Manager version 5.0.0 is now supported
- Ubuntu based operator images are now based on Ubuntu 20.04 instead of Ubuntu 16.04
- Ubuntu based database images starting from 2.0.1 will be based on Ubuntu 18.04 instead of Ubuntu 16.04
  NOTE: MongoDB 4.0.0 does not support Ubuntu 18.04 - If you want to use MongoDB 4.0.0, stay on previously released images
- Ubuntu based Ops Manager images after 4.4.13 will be based on Ubuntu 20.04 instead of Ubuntu 16.04
- Newly released ubi images for Operator, Ops Manager and Database will be based on ubi-minimal instead of ubi
MongoDB Enterprise Kubernetes Operator 1.11.0
MongoDB Resource
- Bug fixes
  - Fixes an issue with the LivenessProbe that could cause the database Pods to be restarted in the middle of a restore operation from Backup.
MongoDBOpsManager Resource
- Breaking Changes
  For a complete guide on how to safely upgrade, please check the upgrade instructions
  - Each Application Database pod now consists of three containers (mongodb, mongodb-agent, mongodb-agent-monitoring) and no longer bundles a MongoDB version
  - You can now use any version of MongoDB for the Application Database (we recommend using the enterprise ones provided by MongoDB, see the New Images section)
  - You need to make sure the MongoDB version used is supported by OpsManager
  - spec.applicationDatabase.version is no longer optional.
  - spec.applicationDatabase.persistent does not exist anymore, the Operator will now always use persistent volumes for the AppDB.
New Images
- mongodb-agent 10.29.0.6830-1:
  - Ubi: quay.io/mongodb/mongodb-agent-ubi:10.29.0.6830-1
  - Ubuntu: quay.io/mongodb/mongodb-agent:10.29.0.6830-1
- mongodb-enterprise-appdb-database
  - Ubi: quay.io/mongodb/mongodb-enterprise-appdb-database-ubi
  - Ubuntu: quay.io/mongodb/mongodb-enterprise-appdb-database
- mongodb-enterprise-init-appdb 1.0.7
  - Ubi: quay.io/mongodb/mongodb-enterprise-init-appdb-ubi:1.0.7
  - Ubuntu: quay.io/mongodb/mongodb-enterprise-init-appdb:1.0.7
- mongodb-enterprise-init-database 1.0.3
  - Ubi: quay.io/mongodb/mongodb-enterprise-init-database-ubi:1.0.3
  - Ubuntu: quay.io/mongodb/mongodb-enterprise-init-database:1.0.3
MongoDB Enterprise Kubernetes Operator 1.10.0
Kubernetes Operator
- Changes
  - The CRDs have been updated from v1beta1 to v1 version. This should not have any impact on Kubernetes clusters 1.16 and up. The CRDs won't be installable in clusters with versions older than 1.16.
- Bug fixes
  - Fixes an issue which made it not possible to have multiple ops-manager resources with the same name in different namespaces.
  - Fixes an issue which made new MongoDB resources created with spec.backup.mode=disabled fail.
  - Fixes an issue which made a Replica Set go to Fail state if, at the same time, the number of members of a Replica Set is increased and TLS is disabled.
MongoDBOpsManager Resource
- Known issues
  - When using remote or hybrid mode, and automation.versions.download.baseUrl has been set, the property automation.versions.download.baseUrl.allowOnlyAvailableBuilds needs to be set to false. This has been fixed in Ops Manager version 4.4.11.
MongoDB Enterprise Kubernetes Operator 1.9.2
Miscellaneous
- Fix errors with CSV
MongoDB Enterprise Kubernetes Operator 1.9.1
Kubernetes Operator
- Bug fixes
  - Fixes an issue where the service-account-name could not be specified in the StatefulSet podSpec override.
  - Removed unnecessary delete service permission from operator role.
MongoDB Resource
- Bug fixes
  - Fixes an issue where updating a role in spec.security.authentication.roles by removing the privileges array would cause the resource to enter a bad state
MongoDBOpsManager Resource
- Breaking Changes
  - The new Application Database image mongodb-enterprise-appdb:10.2.15.5958-1_4.2.11-ent was released. The image needs to be downloaded to the local repositories otherwise MongoDBOpsManager resource won't start. The image contains a new bundled MongoDB 4.2.11-ent instead of 4.2.2-ent.
- Changes
  - Ops Manager user now has "backup", "restore" and "hostManager" roles, allowing for backups/restores on the AppDB.
  - If spec.applicationDatabase.version is omitted the Operator will use 4.2.11-ent as a default MongoDB.
MongoDB Enterprise Kubernetes Operator 1.9.0
Kubernetes Operator
- Bug fixes
  - Fixes an issue where connections were not closed leading to too many file descriptors open.
MongoDB Resource
- Changes
  - Continuous backups can now be configured with the MongoDB CRD. Set spec.backup.enabled to true. Note: You must have an Ops Manager resource already configured with backup. See the docs for more information.
MongoDBOpsManager Resource
- Changes
  - A StatefulSet resource that holds the Ops Manager Backup Daemon will be deleted and recreated in order to change the matchLabels attribute, required for a new Service to allow for Queryable Backups feature to work. This is a safe operation.
  - Changed the way the Operator collects statuses of MongoDB Agents running in Application Database Pods.
Updated Image Tags
- mongodb-enterprise-operator: 1.9.0
MongoDB Enterprise Kubernetes Operator 1.8.2
Ops Manager Resource
Bug Fixes
- Fixes an issue when MongoDBOpsManager resource gets to Failing state when both external connectivity and backups are enabled
Docker Images Released
Operator
Ubuntu 16.04: quay.io/mongodb/mongodb-enterprise-operator:1.8.2
UBI8: quay.io/mongodb/mongodb-enterprise-operator-ubi:1.8.2
MongoDB Enterprise Kubernetes Operator 1.8.1
Known Issues
- When both external connectivity and backups are enabled in Ops Manager at the same time, the Ops Manager resource will fail to reconcile.
Bug fixes
- Fixed a bug where spec.security.authentication.ignoreUnknownUsers could not be modified after a MongoDB resource was created.
- Failed queryable backups have been fixed. The operator now creates a Kubernetes Service that Ops Manager will use to access backups.
- Fixed an issue that would make it impossible to move from non-TLS to a TLS enabled AppDB.
Improvements
- Init containers will not run as root.
- Ops Manager Backup daemon will run in unprivileged mode.
- To manage Database Pod resources, the spec.podSpec.podTemplate MongoDB Custom Resource attribute should be used. See samples/mongodb/podspec directory with sample MongoDB resource definitions for each type of resource supported. The different spec.podSpec.{cpu, cpuLimits, memory, memoryLimits} will be deprecated soon.
New Images
- Init-database 1.0.1:
- Ubi: quay.io/mongodb/mongodb-enterprise-init-database-ubi:1.0.1
- Ubuntu: quay.io/mongodb/mongodb-enterprise-init-database:1.0.1
- Init-ops-manager 1.0.3:
- Ubi: quay.io/mongodb/mongodb-enterprise-init-ops-manager-ubi:1.0.3
- Ubuntu: quay.io/mongodb/mongodb-enterprise-init-ops-manager:1.0.3
- Init-appdb 1.0.5:
- Ubi: quay.io/mongodb/mongodb-enterprise-init-appdb-ubi:1.0.5
- Ubuntu: quay.io/mongodb/mongodb-enterprise-init-appdb:1.0.5
New Ops Manager Images
- Version 4.4.5
- Ubi: quay.io/mongodb/mongodb-enterprise-ops-manager-ubi:4.4.5
- Ubuntu: quay.io/mongodb/mongodb-enterprise-ops-manager:4.4.5
- Version 4.2.21:
- Ubi: quay.io/mongodb/mongodb-enterprise-ops-manager-ubi:4.2.21
- Ubuntu: quay.io/mongodb/mongodb-enterprise-ops-manager:4.2.21
- Version 4.2.20:
- Ubi: quay.io/mongodb/mongodb-enterprise-ops-manager-ubi:4.2.20
- Ubuntu: quay.io/mongodb/mongodb-enterprise-ops-manager:4.2.20
Note: quay.io/mongodb/mongodb-enterprise-init-ops-manager:1.0.2 will support new release versions.
A list of the packages installed, and any security vulnerabilities detected in our build process, are outlined here
For the MongoDB Enterprise Operator
https://quay.io/repository/mongodb/mongodb-enterprise-operator?tab=tags
And for the MongoDB Enterprise Database
https://quay.io/repository/mongodb/mongodb-enterprise-database?tab=tags
MongoDB Enterprise Kubernetes Operator 1.8.0
Breaking Changes
- The Mongodb Enterprise Database image now requires an init container. If using a private repository, the INIT_DATABASE_IMAGE_REPOSITORY environment variable must be configured in the operator deployment, and the new init container must exist inside this repository.
New features
- AppDB can now be configured with SCRAM-SHA-256 authentication when using Ops Manager 4.4 or newer
- Agent client certificate authentication can now be used in conjunction with any other authentication mechanism using the new configuration field spec.security.authentication.requireClientTLSAuthentication
- If enabling ClientTLSAuthentication, the client TLS certificate used by the MongoDB agents can be configured using spec.security.authentication.agents.clientCertificateSecretRef
Bug fixes
- Fixed an issue where the operator would choose an incorrect project name when creating MongoDBUsers.
- Fixed an issue where the MongoDBOpsManager CRD had the CA path in the incorrect location.
- Fixed an issue in which the parameters passed through spec.agent.startupOptions would not be correctly recognized by the agent
- Fixed an issue which could cause a potential deadlock when certain configuration options were modified in parallel.
Improvements
- Changed the default permissions of volumes created from secret from 0644 to 0640
- Changed the validation of the opsmanager spec.version field to allow for tags that do not match semver versioning. The field must start with the Major.Minor.Patch string that represents the OpsManager version
Known Issues
- When enabling queryable backup, you will need to manually create two additional services: one exposing the queryable backup port (default: 25999) for the Ops Manager pod, and one for the backup daemon pod, to ensure that it is resolvable from the Ops Manager pod
A list of the packages installed, and any security vulnerabilities detected in our build process, are outlined here
For the MongoDB Enterprise Operator
https://quay.io/repository/mongodb/mongodb-enterprise-operator?tab=tags
And for the MongoDB Enterprise Database
https://quay.io/repository/mongodb/mongodb-enterprise-database?tab=tags