Release Notes for MongoDB Enterprise Kubernetes Operator

Breaking Changes

• Removes appdb.connectionSpec.Project, which was deprecated more than two years ago.

Bug Fixes

• Fixes an issue where the MongoDBMultiCluster resource was not watching Ops Manager's connection ConfigMap and secret.

• Fixes support for rotating the clusterfile secret, which is used for internal X.509 authentication in the MongoDB and MongoDBMultiCluster resources.

MongoDBOpsManager Resource

• Adds support for votes, priority, and tags by introducing the spec.applicationDatabase.memberConfig.votes, spec.applicationDatabase.memberConfig.priority, and spec.applicationDatabase.memberConfig.tags settings.

• Changes the container registry for the Application Database image from quay.io/mongodb/mongodb-enterprise-appdb-database-ubi to quay.io/mongodb/mongodb-enterprise-server. This results in the following changes when you upgrade to this release:

  • The Helm chart setting for the Application Database image, values.mongodb.name, defaults to mongodb-enterprise-server.

  • The Kubernetes Operator updates your Application Database replica set Pods to use the new images referenced in the values.mongodb.name Helm setting. The new images are functionally equivalent to the previous ones assuming that the MongoDB version is the same.

  • The Kubernetes Operator automatically updates the tag suffix for all Application Database images that reference the new container registry from -ent to -ubi8 or the suffix set in MDB_IMAGE_TYPE or mongodb.imageType. For example, the Kubernetes Operator changes quay.io/mongodb/mongodb-enterprise-server:4.4.5-ent to quay.io/mongodb/mongodb-enterprise-server:4.4.5-ubi8. You don't need to update the applicationDatabase.version setting in the MongoDBOpsManager resource.

  • You can stop the Kubernetes Operator from automatically updating the tag suffix by setting MDB_APPDB_ASSUME_OLD_FORMAT or mongodb.appdbAssumeOldFormat to true. For example, you might want to stop the automatic suffix change if you're mirroring this image from your own repository.

• Adds support for specifying versions without a suffix in spec.applicationDatabase.version. For example, you can specify a version, such as 6.0.5, without adding the -ubi8 suffix. The Kubernetes Operator automatically converts this to 6.0.5-${MDB_IMAGE_TYPE}. The default for the MDB_IMAGE_TYPE environment variable is -ubi8.

New Images

• Changes all images to reference UBI variants by default. The new images use the suffix -ubi.

  • quay.io/mongodb/mongodb-enterprise-database-ubi

  • quay.io/mongodb/mongodb-enterprise-init-database-ubi

  • quay.io/mongodb/mongodb-enterprise-ops-manager-ubi

  • quay.io/mongodb/mongodb-enterprise-init-ops-manager-ubi

  • quay.io/mongodb/mongodb-enterprise-init-appdb-ubi

  • quay.io/mongodb/mongodb-agent-ubi

  • quay.io/mongodb/mongodb-enterprise-appdb-database-ubi

• Changes the default Application Database image repository to use the official MongoDB Enterprise repository by setting values.mongodb.name to quay.io/mongodb/mongodb-enterprise-server by default.

• Introduces the values.mongodb.imageType environment variable to override the new default -ubi8 Application Database image tag suffix used by the MongoDBOpsManager resource.

Breaking Changes

Makes the data.orgId field required for the ConfigMap of the MongoDB resources. If you provide an empty orgId, as in: orgId = "", Ops Manager creates an organization with the project name. Before upgrading the Kubernetes Operator to 1.19.1, set the orgId:"" in the Ops Manager ConfigMap and reapply it.

Improvements

• Introduces multi-Kubernetes-cluster deployments. To learn more, see Deploy MongoDB Resources on Multiple Kubernetes Clusters.

  Makes the following changes to the multi-Kubernetes-cluster deployment support compared with the Beta version of the multi-Kubernetes-cluster deployment support in Kubernetes Operator 1.18.x:

  • Renames the MongoDBMulti resource in Beta versions to the MongoDBMultiCluster resource.

  • Renames the shortcut name of the MongoDBMultiCluster resource to mdbmc. Use this shortcut name in all commands on the MongoDBMultiCluster resource. For example, to check the status of your MongoDBMultiCluster resource, run:

    kubectl get mdbmc <resource-name> -o yaml -w

  • Renames the "multi-cluster CLI" tool to the "kubectl mongodb plugin". To learn more, see the MongoDB Plugin Reference.

  • Removes the unnecessary intermediate object clusterSpecs from the clusterSpecList in the MongoDBMultiCluster resource specification. For a valid example of a MongoDBMultiCluster resource configuration file, see the Multi-Kubernetes-Cluster Resource Specification.

• Adds support for Kubernetes 1.26 and OpenShift 4.12. To learn more, see MongoDB Enterprise Kubernetes Operator Compatibility.

• Allows you to configure podSpec per shard in a MongoDB sharded cluster by specifying an array of podSpecs under the spec.shardSpecificPodSpec setting for each shard.

• Makes the data.orgId field required for the ConfigMap of the MongoDB resources. If you provide an empty orgId, as in: orgId = " ", Ops Manager creates an organization with the project name.

• Adds documentation for the Multi-Kubernetes-Cluster Resource Specification.

• Adds the Frequently Asked Questions for the Kubernetes Operator to the documentation.

• Adds documentation for configuring file system backup stores in the Kubernetes Operator MongoDB deployments.

MongoDBMultiCluster Resource

• Adds the spec.clusterSpecList.externalAccess.externalService, spec.clusterSpecList.externalAccess.externalService.annotations, spec.clusterSpecList.externalAccess.externalService, and spec.clusterSpecList.externalAccess.externalDomain settings to configure external connectivity settings for MongoDBMultiCluster resources. Use these settings to connect to a Multi-Cluster Resource from outside Kubernetes.

• Adds the spec.clusterSpecList.memberConfig.votes and spec.clusterSpecList.memberConfig.priority settings for configuring replica set member votes and member priority for MongoDBMultiCluster resources.

• Adds the spec.clusterSpecList.memberConfig.tags setting for adding tags to replica set members in MongoDBMultiCluster resources.

• Adds the spec.security.authentication.ldap.timeoutMS setting that specifies how many milliseconds an authentication request should wait before timing out.

MongoDB Resource

• Adds the spec.memberConfig.votes and spec.memberConfig.priority settings for configuring replica set member votes and member priority.

• Adds the spec.memberConfig.tags setting for adding tags to replica set members.

• Adds the spec.podSpec.podTemplate.affinity.podAffinity setting to determine whether multiple MongoDB resource Pods must be co-located with other Pods in sharded MongoDB cluster deployments. To learn more about the use cases, see Affinity and Anti-Affinity in the Kubernetes documentation.

• Adds the spec.externalAccess setting for configuring external connectivity for MongoDB resources. Use this setting to connect to a MongoDB Resource from outside Kubernetes.

• Deprecates the spec.exposedExternally setting. This setting will be removed in the Kubernetes Operator 1.22.0 release. To connect to a MongoDB Resource from outside Kubernetes, use the spec.externalAccess setting instead.

Bug Fixes

• Fixes the handling of WATCH_NAMESPACE='*' environment variable for multi-Kubernetes-cluster deployments. In the following cases, API clients for member clusters are configured incorrectly resulting in deployment errors:

  • The WATCH_NAMESPACE='*' environment variable is specified for the multi-Kubernetes-cluster deployment.

  • A specific namespace is set in kubeconfig for member clusters.

  • The kubectl mongodb plugin isn't used for configuring multi-Kubernetes-cluster deployments.

  This leads to the following errors:

  The secret object 'mdb-multi-rs-cert' does not contain all the valid
  certificates needed: secrets "mdb-multi-rs-cert-pem" already exists

  To avoid this issue, set the WATCH_NAMESPACE environment variable to specific namespaces instead of '*', and verify that the kubeconfig settings for member clusters don't specify a namespace. To set the namespace for multi-Kubernetes-cluster deployments, see Set the Deployment's Scope and the MongoDB Plugin Reference.

• Fixes an issue when CertificatesSecretsPrefix is set but no related spec.security.tls settings, such as tls.additionalCertificateDomains or tls.ca are provided.

• Fixes an issue that allows you to explicitly specify the value none for the spec.security.authentication.ldap.transportSecurity when TLS isn't used. Previously, the Kubernetes Operator treated this setting as none when you omitted the value and didn't specify the tls value, but the Kubernetes Operator didn't allow you to specify the value none explicitly.

Breaking Changes

This release removes Ubuntu-based images. Ubuntu-based images were deprecated in favor of UBI-based images in the Kubernetes Operator in 1.17.0. Migrate the Kubernetes Operator from Ubuntu-based Images to UBI-based images. All existing Ubuntu-based images will continue to be supported until their version's End of Life (EOL) dates.

Improvements

• Adds support for SCRAM-SHA-1 for user and MongoDB Agent authentication. To enable either authentication, use MONGODB-CR and SCRAM-SHA-1 in the spec.security.authentication.modes and spec.security.authentication.agents.mode settings.

• Adds support for the following features for OpsManager Backup configuration:

  • KMIP Backup Configuration support through the spec.backup.encryption.kmip parameter in OpsManager backup.encryption.kmip and MongoDB backup.encryption.kmip settings. To learn more, see Configure KMIP Backup Encryption for Ops Manager.

  • Backup assignment labels settings in spec.backup.[*].assignmentLabels elements of the OpsManager and MongoDB resources for backups. Use assignment labels to identify that specific backup stores are associated with particular projects. To learn more, see:

    • backup.assignment.Labels for Ops Manager resources

    • backup.assignment.Labels for MongoDB resources

    • Configure MongoDB Database Backups

    • Deploy an Ops Manager Resource

  • Backup snapshot schedule configuration through the spec.backup.snapshotSchedule setting in the OpsManager resource. To learn more, see Configure MongoDB Database Backups.

• Adds support for disaster recovery in multi-Kubernetes-cluster deployments, which are in the beta release. To learn more, see Disaster Recovery and MongoDB kubectl Plugin Reference.

MongoDB Resource

• Adds documentation for spec.additionalMongodConfig.net.tls.disabledProtocols.

Bug Fixes

• Fixes the issue where you configure a liveness probe and it reports a positive result when you terminate a MongoDB Agent's process. This could cause Pods hosting MongoDB resources to run without the Automation Agent. In addition to this fix, consider configuring readiness probe overrides.

• Fixes the startup script in database Pod that might report errors when the Pod restarts.

Breaking Changes

As a result of this issue, installing this release could result in ImagePullBackOff errors in Pods hosting AppDB, the database for Ops Manager. Errors will look similar to the following:

Failed to pull image "quay.io/mongodb/mongodb-agent-ubi@sha256:a4cadf209ab87eb7d121ccd8b1503fa5d88be8866b5c3cb7897d14c36869abf6": rpc error: code = Unknown desc = reading manifest sha256:a4cadf209ab87eb7d121ccd8b1503fa5d88be8866b5c3cb7897d14c36869abf6 in quay.io/mongodb/mongodb-agent-ubi: manifest unknown: manifest unknown

To continue using the Kubernetes Operator v1.17.1, use the following workaround and update the Kubernetes Operator Subscription with the following spec.config.env:

spec:
 config:
   env:
     - name: AGENT_IMAGE
       value: >-
       quay.io/mongodb/mongodb-agent-ubi@sha256:ffa842168cc0865bba022b414d49e66ae314bf2fd87288814903d5a430162620
     - name: RELATED_IMAGE_AGENT_IMAGE_11_0_5_6963_1
       value: >-
       quay.io/mongodb/mongodb-agent-ubi@sha256:e7176c627ef5669be56e007a57a81ef5673e9161033a6966c6e13022d241ec9e
     - name: RELATED_IMAGE_AGENT_IMAGE_11_12_0_7388_1
       value: >-
       quay.io/mongodb/mongodb-agent-ubi@sha256:ffa842168cc0865bba022b414d49e66ae314bf2fd87288814903d5a430162620
     - name: RELATED_IMAGE_AGENT_IMAGE_12_0_4_7554_1
       value: >-
       quay.io/mongodb/mongodb-agent-ubi@sha256:3e07e8164421a6736b86619d9d72f721d4212acb5f178ec20ffec045a7a8f855

Remove this workaround as soon as you install the new Kubernetes Operator v1.17.2.

This release has the following additional breaking change:

• Removes the operator.deployment_name parameter from Kubernetes Operator Helm charts. In previous releases, you might have used this parameter to customize the name of the Kubernetes Operator container.

  Starting with this release, the value of the operator.name Helm chart parameter determines the name of the Kubernetes Operator container.

  This is a breaking change only if you set operator.deployment_name to a different value than operator.name and if you configured tooling to rely on the value of operator.deployment_name.

Improvements

• Uses Quay as an image registry for Kubernetes Operator on OpenShift. When you upgrade your Kubernetes Operator deployment, it automatically pulls new images from Quay. You don't need to take any action.

Improvements

• Introduces support for Ops Manager 6.0.

• Introduces the spec.backup.s3OpLogStores.s3RegionOverride and spec.backup.s3Stores.s3RegionOverride parameters for specifying the regions where the custom S3-compatible buckets that you use for the oplog store or a snapshot store should reside.

• Improves security by introducing:

  • The readOnlyRootFilesystem setting for all deployed containers. This change also introduces additional volumes and volume mounts.

  • The allowPrivilegeEscalation setting. This setting is by default set to false for all deployed containers.

Breaking Changes and Deprecations

This release:

• Removes support for Ops Manager 4.4 due to its End of Life. If you're using Ops Manager 4.4, upgrade to a newer Ops Manager version before you upgrade to Kubernetes Operator 1.17.

• Deprecates Ubuntu-based images. Starting with Kubernetes Operator 1.19.0, Ubuntu-based images will no longer be made available. All existing Ubuntu-based images will continue to be supported until their version's End of Life (EOL) dates. We strongly recommend that you Migrate MongoDB Enterprise Kubernetes Operator from Ubuntu-based Images to UBI-based Images as soon as possible.

• Removes support for TLS certificates in concatenated PEM format. These certificates were deprecated in Kubernetes Operator 1.13.0. If you want to use these certificates, the last version to which you can upgrade is Kubernetes Operator 1.16.4.

  Starting with the Kubernetes Operator 1.17.0 release, you must manually migrate old-style TLS secrets from opaque to kubernetes.io/tls type secrets by creating new secrets that contain the relevant certificates and signing keys. To learn how to create these secrets, see the following resources:

  • Deploy a Replica Set

  • Secure Internal Authentication with X.509

MongoDB Resource

• Init-Ops-Manager and Operator binaries now use Go 1.18.4, which addresses security issues.

MongoDB Resource

• Fixed a bug where securityContext defined at the Pod level is not respected as the Kubernetes Operator overrides it with a securityContext at the container level. To learn more, see the description of the spec.persistent setting.

• Adds timeoutMS, and userCacheInvalidationInterval fields to the spec.security.authentication.ldap object.

• Fixes behavior where the additionalMongodConfig.net.tls.mode setting was ignored for mongos, configSrv, and shard objects when configuring ShardedCluster resources.

MongoDB Resource

• Removes the spec.podSpec.podAntiAffinityTopologyKey, spec.podSpec.podAffinity, and spec.podSpec.nodeAffinity settings.

  Instead, use spec.podSpec.podTemplate to configure these parameters.

MongoDBOpsManager Resource

• Removes the spec.applicationDatabase.podSpec.podAntiAffinityTopologyKey, spec.applicationDatabase.podSpec.podAffinity, and spec.applicationDatabase.podSpec.nodeAffinity settings.

  Instead, use spec.applicationDatabase.podSpec.podTemplate to configure these parameters.

MongoDB Multi-Cluster Resource

Added support for LDAP client authentication and for managing database users with LDAP to multi-Kubernetes-cluster deployments.

This feature is a beta release. Use multi-Kubernetes-cluster deployment deployments only in development environments.

MongoDB Resource

• Deprecates the spec.service parameter. Use spec.statefulSet.spec.serviceName to provide a custom service name.

MongoDB Resource

• Removes the spec.security.tls.secretRef.name parameter.

  • Kubernetes Operator version v1.10.0 deprecated this parameter.

  • To specify the secret name containing the certificate for the database, use spec.security.certsSecretPrefix.

  • Create the secret containing the certificates accordingly.

• Removes the spec.podSpec.cpu and spec.podSpec.memory parameters.

  To override the CPU/Memory resources for the database pod, set the statefulset parameter under spec.podSpec.podTemplate.spec.containers.

• Propagates custom labels specified under metadata.labels to the database StatefulSet and the Persistent Volume Claim objects.

• Allows adding Prometheus scraping endpoints to the MongoDB resources using the spec.prometheus configuration attribute.

  • Find a sample Prometheus configuration in the GitHub repository.

MongoDBOpsManager Resource

• Removes the spec.applicationDatabase.security.tls.secretRef.name parameter.

  • Kubernetes Operator version v1.10.0 deprecated this parameter.

  • To specify the secret name containing the certificate for AppDB, use the spec.applicationDatabase.security.certsSecretPrefix parameter.

  • Create the secret containing the certificates accordingly.

• Removes spec.applicationDatabase.podSpec.cpu and spec.applicationDatabase.podSpec.memory.

  To override the CPU/Memory resources for the appDB pod, use the statefulset parameter under spec.applicationDatabase.podSpec.podTemplate.spec.containers.

• Propagates custom labels specified under metadata.labels to the Ops Manager, AppDB and BackupDaemon StatefulSets and the Persistent Volume Claim objects.

• Allows adding Prometheus scraping endpoints to the ApplicationDatabase resources using the spec.applicationDatabase.prometheus configuration attribute.

MongoDBUser Resource

Adds the optional parameter spec.connectionStringSecretName. This parameter provides a deterministic secret name for the user-specific connection string secret that Kubernetes Operator generates.

MongoDBOpsManager Resource

MongoDB Resource

MongoDBOpsManager Resource

MongoDB Resource

MongoDBOpsManager Resource

New Images

Find all new images at:

• https://quay.io/repository/mongodb (ubuntu-based)

• https://connect.redhat.com/ (rhel-based)

Kubernetes Operator

Kubernetes Operator version 1.15.1 fixes an issue that prevented the Kubernetes Operator upgrade when managing a TLS-enabled Application Database whose TLS certificate is stored in an Opaque secret.

We recommend that you upgrade to Kubernetes Operator version 1.16.0 or later.

We strongly advise against upgrading to Kubernetes Operator version 1.14.0 or 1.15.0.

MongoDB Resource

MongoDBOpsManager Resource

Kubernetes Operator

MongoDB Resource

MongoDBOpsManager Resource

• The Kubernetes Operator now reports the status of file system snapshot stores that you configure in the spec.backup.fileSystemStores setting in the MongoDBOpsManager resource specification.

  You must manually configure the file system snapshot stores.

• This release adds a new field, spec.backup.externalServiceEnabled, to the MongoDBOpsManager resource specification.

  By default, the Kubernetes Operator creates a LoadBalancer service when you enable queryable backups.

  Set spec.backup.externalServiceEnabled to false before you enable queryable backups to prevent the Kubernetes Operator from creating a LoadBalancer service.

• The Kubernetes Operator now automatically upgrades personal API keys to programmatic API keys when you upgrade an Ops Manager deployment to version 5.0.0 or later. You no longer must change the keys manually to upgrade your deployment.

• This release adds the spec.security.certsSecretPrefix field to determine the name that you must give the secret that contains your TLS certificate for MongoDBOpsManager resources.

  To learn more, see spec.security.certsSecretPrefix and the HTTPS tab in the Deploy an Ops Manager Resource tutorial.

MongoDBUser Resource

Miscellaneous

• Ops Manager 4.4.7, 4.4.9, 4.4.10, 4.4.11, 4.4.12 and 4.4.13 base images have been updated to Ubuntu 20.04.

• Ops Manager versions 4.4.16 and 5.0.1 are now supported.

MongoDB Resource

• If you set spec.externalConnectivity to false after it was set to true, the Kubernetes Operator deletes the corresponding service.

MongoDBOpsManager Resource

• If you set spec.externalConnectivity to false after it was set to true, the Kubernetes Operator deletes the corresponding service.

• You can specify the number of backup daemon Pods with spec.backup.members. If not set, the value defaults to 1.

Changes to Images and Supported Versions

• The Kubernetes Operator now supports the following Ops Manager versions:

  • 4.4.13, 4.4.14, 4.4.15, 4.2.25 and 5.0.0.

• Before upgrading Ops Manager to version 5.0.0, check that the Kubernetes Operator uses a programmatic API key.

• Ubuntu based Kubernetes Operator images are now based on Ubuntu 20.04 instead of Ubuntu 16.04.

• Ubuntu based MongoDB images starting from 2.0.1 are based on Ubuntu 18.04 instead of Ubuntu 16.04.

  Warning

  MongoDB 4.0. does not support Ubuntu 18.04

  MongoDB 4.0. does not support Ubuntu 18.04. If you want to use MongoDB 4.0. with the Kubernetes Operator, use previously released images.

• Ubuntu based Ops Manager images after 4.4.13 are based on Ubuntu 20.04 instead of Ubuntu 16.04.

• Newly released UBI images for the Kubernetes Operator, Ops Manager and MongoDB are based on ubi-minimal instead of ubi.

Kubernetes Operator

Removes the topic "Migrate to One Resource per Project (Required for Version 1.3.0)" from the current documentation because v.1.3.0 is EOL. This topic has been archived.

New Images

• mongodb-agent 10.29.0.6830-1 located in the following registries:

  • UBI images: quay.io/mongodb/mongodb-agent-ubi:10.29.0.6830-1

  • Ubuntu images: quay.io/mongodb/mongodb-agent:10.29.0.6830-1

• mongodb-enterprise-appdb-database located in the following registries:

  • UBI images: quay.io/mongodb/mongodb-enterprise-appdb-database-ubi

  • Ubuntu images: quay.io/mongodb/mongodb-enterprise-appdb-database

• mongodb-enterprise-init-appdb 1.0.7 located in the following registries:

  • UBI images: quay.io/mongodb/mongodb-enterprise-init-appdb-ubi:1.0.7

  • Ubuntu images: quay.io/mongodb/mongodb-enterprise-init-appdb:1.0.7

• mongodb-enterprise-init-database 1.0.3 located in the following registries:

  • UBI images: quay.io/mongodb/mongodb-enterprise-init-database-ubi:1.0.3

  • Ubuntu images: quay.io/mongodb/mongodb-enterprise-init-database:1.0.3

MongoDBOpsManager Resource

• The spec.applicationDatabase.persistent setting is removed. The Kubernetes Operator always uses persistent volumes for the Application Database deployed by your MongoDBOpsManager custom resources.

Kubernetes Operator

MongoDBOpsManager Resource

Kubernetes Operator

MongoDBOpsManager Resource

New Images

• mongodb-enterprise-operator:1.9.2

You can find all images in the following registries:

• Ubuntu-based images: https://quay.io/repository/mongodb

• RHEL-based images: /mongodb-enterprise-operator

Kubernetes Operator

MongoDB Resource

MongoDBOpsManager Resource

New Images

• mongodb-enterprise-operator:1.9.1

• mongodb-enterprise-appdb:10.2.15.5958-1_4.2.11-ent

• mongodb-enterprise-init-appdb:1.0.2

• mongodb-enterprise-init-database:1.0.6

You can find all images in the following registries:

• Ubuntu-based images: https://quay.io/repository/mongodb

• RHEL-based images: https://catalog.redhat.com/software/containers/mongodb/enterprise-operator/5b8052d069aea356ff258479

Kubernetes Operator

MongoDB Resource

MongoDBOpsManager Resource

New Images

• mongodb-enterprise-operator:1.9.0

You can find all images in the following registries:

• Ubuntu-based images: https://quay.io/repository/mongodb

• RHEL-based images: https://catalog.redhat.com/software/containers/mongodb/enterprise-operator/5b8052d069aea356ff258479

Known Issues

• You can't use MongoDB 4.4 as an application database for an Ops Manager resource.

Bug Fix

Fixes an issue where the Ops Manager resource would reach a Failing state when both spec.externalConnectivity and spec.backup.enabled were enabled.

Known Issues

• You can't use MongoDB 4.4 as an application database for an Ops Manager resource.

• When both spec.externalConnectivity and spec.backup.enabled are enabled in Ops Manager at the same time, the Ops Manager resource fails to reconcile.

Bug Fixes

• Fixes a bug where spec.security.authentication.ignoreUnknownUsers could not be modified after creating a MongoDB resource.

• Fixes failed queryable backups. The Kubernetes Operator now creates a Kubernetes Service that Ops Manager uses to access backups.

• Fixes an issue that made it impossible to move from non-TLS to a TLS-enabled Application Database.

Improvements

• Init containers do not run as root.

• Ops Manager Backup daemon runs in unprivileged mode.

• To manage Database Pod resources, use the spec.podSpec.podTemplate MongoDB Custom Resource attribute. For an example resource definition of each supported type, see the samples/mongodb/podspec directory. The following attributes are deprecated:

  • spec.podSpec.cpu

  • spec.podSpec.cpuRequests

  • spec.podSpec.memory

  • spec.podSpec.memoryRequests

New Images

New Ops Manager Images

For a list of the packages installed and any security vulnerabilities detected in the build process, see the Quay repository for the MongoDB Enterprise Operator and the MongoDB Enterprise Database.

MongoDB Resource Changes

• Introduces new configuration fields:

  • spec.security.authentication.requireClientTLSAuthentication for using the MongoDB Agent client certificate authentication in conjunction with any other authentication mechanism.

  • spec.security.authentication.agents.clientCertificateSecretRef for configuring the client TLS certificate used by the MongoDB Agent when enabling ClientTLSAuthentication.

• Changes the default permissions of volumes created from secrets from 0644 to 0640.

Ops Manager Resource Changes

• Allows the Application Database to be configured with SCRAM-SHA-256 authentication when using Ops Manager 4.4 or newer version.

• Changes the validation of the Ops Manager spec.version field to allow for tags that do not match the semver requirements. The spec.version field must start with the Major.Minor.Patch string that represents the Ops Manager version. To learn more about this field, see Ops Manager Resource Specification.

Bug Fixes

• Fixes an issue that caused the Operator to choose an incorrect project name when creating MongoDB users.

• Fixes an issue that caused the MongoDB Ops Manager CRD to have the CA path in the incorrect location.

• Fixes a bug where the MongoDB Agent could not correctly recognize the parameters that passed through spec.agent.startupOptions.

• Fixes an issue that could cause potential deadlock when certain configuration options are modified in parallel.

Known Issues

• You can't use MongoDB 4.4 as an application database for an Ops Manager resource.

• When you enable queryable backup, you must manually create two additional services for:

  • Exposing the queryable backup port (default: 25999) for the Ops Manager pod.

  • The Backup Daemon pod, to ensure that it is resolvable from the Ops Manager pod.

• If you deploy Ops Manager in local mode and upgrade from v4.4.1, you must upgrade the MongoDB tools located in the automation.versions.directory, which defaults to /mongodb-ops-manager/mongodb-releases/.

  Tip

  See also:

  Configure an Ops Manager Resource to use Local Mode.

MongoDB Resource Changes

• Supports setting the Distinguished Name (DN) of the LDAP group to which the MongoDB Agent user belongs with the spec.security.authentication.ldap.automationLdapGroupDN setting.

• Requires you to provide spec.security.authentication.agents.mode if you specify more than one mode in spec.security.authentication.modes.

• Supports setting MongoDB Agent startup parameters for MongoDB Database resources with the following settings:

  • spec.applicationDatabase.agent.startupOptions

  • spec.agent.startupOptions

  • spec.configSrv.agent.startupOptions

  • spec.mongos.agent.startupOptions

  • spec.shard.agent.startupOptions

Bug Fixes

• Ops Manager resources:

  • Fixes a bug where you could not enable SCRAM-SHA authentication for application database resources using certain MongoDB versions with Ops Manager 4.4.

  • Fixes a bug where application database monitoring was not correctly configured in Ops Manager when you enabled TLS for the application database.

  • Fixes a bug to move the Ops Manager CA configuration from spec.applicationDatabase.security.tls.ca to spec.security.tls.ca.

• MongoDB resources:

  • Fixes a bug that prevented you from increasing or decreasing the number of members in a replica set or a sharded cluster by more than one member at a time for MongoDB 4.4 deployments.

  • Fixes an issue where the Kubernetes Operator could not enable agent authentication if you enabled LDAP authentication for a MongoDB resource.

  • Fixes an issue where you could not create SCRAM users and enable SCRAM authentication in any order for a MongoDB resource.

  • Fixes an issue where the Kubernetes Operator did not remove the backup automation configuration before starting the agent on a MongoDB resource Pod.

Known Issues

• If you enable TLS on the application database, you must not provide the spec.applicationDatabase.version field in an Ops Manager resource definition.

• You can't use MongoDB 4.4 as an application database for an Ops Manager resource.

• When you upgrade to the Kubernetes Operator 1.7.1, you might have to delete the mongodb-enterprise-operator deployment due to deployment configuration changes.

  This is a safe operation. Deleting the mongodb-enterprise-operator Pod does not affect the MongoDB custom resources.

• If you use TLS certificates signed by a custom CA, you must:

  • Omit the spec.version.applicationDatabase setting from your Ops Manager resource definition, and

  • Deploy Ops Manager in local mode. You must manually copy installation archives for all MongoDB versions you want to use to a Persistent Volume for the Ops Manager StatefulSet.

Docker Image Changes

• All Kubernetes Operator Red Hat Docker images are now based on UBI 8. In the previous release, Kubernetes Operator Red Hat Docker images were based on UBI 7.

MongoDB Resource Changes

• Supports LDAP as an authorization mechanism for MongoDB database resources you deploy with the Kubernetes Operator. For more information, see the sample LDAP configurations on GitHub

Bug Fixes

• Fixes a bug that prevented scaling down a replica set from three members to one member.

Known Issues

• Ops Manager cannot monitor Application Databases secured using TLS.

• For MongoDB 4.4 deployments, you can increase or decrease the number of members in a replica set or a sharded cluster by only one member at a time.

Ops Manager Resource Changes

• Ops Manager image for version 4.4.0 is available.

Docker Image Changes

• The Red Hat database and operator Docker images are now based on the latest UBI 7 release. Two high criticality issues have been resolved.

• The following Docker images have been released:

  Image Type	Ubuntu 16.04	Red Hat UBI 7
  Kubernetes Operator	quay.io/mongodb/mongodb-enterprise-operator:1.6.1	quay.io/mongodb/mongodb-enterprise-operator-ubi:1.6.1
  MongoDB Database	quay.io/mongodb/mongodb-enterprise-database:1.6.1	quay.io/mongodb/mongodb-enterprise-database-ubi:1.6.1
  Ops Manager	quay.io/mongodb/mongodb-enterprise-ops-manager:4.4.0	quay.io/mongodb/mongodb-enterprise-ops-manager-ubi:4.4.0

Bug Fixes

• Fixes a bug where the Kubernetes Operator did not store a configuration of your deployed resources in a secret.

• Fixes a bug where the Kubernetes Operator did not allow passwords of any length or complexity for Application Database, oplog store, and blockstore database resources defined in Ops Manager resources.

• Fixes a bug where the authentication configuration was not removed from Ops Manager or Cloud Manager projects when you remove a MongoDB database resource.

MongoDB Resource Changes

• Supports LDAP as an authentication mechanism for MongoDB database resources you deploy with the Kubernetes Operator. For more information, see the sample LDAP configurations on GitHub.

  Note

  LDAP authorization is not yet supported.

Kubernetes Operator Changes

• Preserves backup history by retaining Ops Manager cluster records when you enable backup.

Bug Fixes

• Fixes a bug that prevented the Kubernetes Operator from raising errors when a projectName contained spaces.

• Fixes a bug that prevented Ops Manager to monitor for all MongoDB database resources that you deploy with the Kubernetes Operator.

MongoDB Resource Changes

• Provides additional options for more granular configuration of mongod / mongos processes. You can find an example of how to apply these options in the /samples/mongodb/mongodb-options file of the MongoDB Enterprise Kubernetes Operator repository.

Bug Fixes

• Fixes a bug introduced in 1.5.4 where MongoDB Enterprise Kubernetes Operator would not tag projects correctly when working on Ops Manager versions older than 4.2.2. In this version, MongoDB Enterprise Kubernetes Operator tags the projects correctly.

MongoDB Resource Changes

• Allows modification of authentication settings using the Cloud Manager or Ops Manager UI if the spec.security.authentication setting is not provided in the MongoDB resource object definition.

Kubernetes Operator Changes

• Supports Helm installation with helm install in addition to helm template | kubectl apply. helm install is now the recommended way to install with Helm.

• Supports configuring the MongoDB Agent authentication mechanism independently from the cluster authentication mechanism.

• Supports configuring monitoring for the Application Database to send metrics to Ops Manager. To learn more about the monitoring function of the MongoDB Agent, see MongoDB Agent.

Bug Fixes

• Fixes a bug that affected transitioning authentication mechanisms from X.509 to SCRAM.

• Fixes a bug that prevented the MongoDB Agent from reaching a goal state if SCRAM configuration was changed in the Ops Manager UI.

Kubernetes Operator Changes

Passes Ops Manager and MongoDB deployment configuration properties as Secret environment variables.

Bug Fixes

• Correctly configures shutdown timeouts for Ops Manager and the Backup Daemon.

• Fixes an issue where Kubernetes Operator-watched Secrets and ConfigMaps triggered unnecessary reconciliations.

• Fixes an issue where the status of custom resources failed to update in OpenShift 3.11.

Ops Manager Resource Changes

• Runs Ops Manager and Backup Daemon pods under a dedicated service account.

Kubernetes Operator Changes

• Can configure the Kubernetes Operator to watch a subset of provided CustomResourceDefinitions. You can find more information in the documentation.

• Can generate CustomResourceDefinitions without using subresources. Some versions of Openshift 3.11 require this capability. To avoid using subresources, use --set subresourceEnabled=false when installing the Kubernetes Operator with helm.

Bug Fixes

• Fixes setting the spec.statefulSet and spec.backup.statefulSet fields on the MongoDBOpsManager Resource.

• Fixes an issue that requires a restart of the Kubernetes Operator during setup of webhook.

• Fixes an issue that could make an Ops Manager resource to reach an unrecoverable state if the provided admin password has insufficient strength.

Bug Fixes

Fixes an issue where, when no authentication is configured by the Kubernetes Operator, the Kubernetes Operator disables authentication in Cloud Manager or Ops Manager. The Kubernetes Operator no longer disables authentication unless you explicitly set spec.security.authentication.enabled to false.

Known Issues

When you configure the spec.statefulSet.spec and spec.backup.statefulSet.spec settings of the MongoDBOpsManager resource, you can only configure the spec.statefulSet.spec.template and spec.backup.statefulSet.spec.template fields. Any other spec.statefulSet.spec or spec.backup.statefulSet.spec field has no effect.

Kubernetes Operator Changes

Adds the ability to start the Kubernetes Operator with some but not all MongoDB CustomResourceDefinitions installed. Administrators can specify the container argument watch-resource to limit the Kubernetes Operator to deploy either MonogDB instances or Ops Manager, or both.

MongoDB Resource Changes

• Increases support for custom TLS certificates with the spec.security.tls.secretRef and spec.security.tls.ca configuration settings.

• Deprecates TLS certificate generation by the Kubernetes Operator. Migrating to custom TLS certificates is recommended.

Ops Manager Resource Changes

• Releases the MongoDBOpsManager resource as Generally Available (GA). MongoDB now supports using the Kubernetes Operator to deploy Ops Manager resources to Kubernetes in production environments.

• Supports Backup Blockstore Snapshot Stores.

• Defaults to the Application Database as a metadata database for Backup S3 Snapshot Stores.

• Supports spec.jvmParameters and spec.backup.jvmParameters to add or override JVM parameters in Ops Manager and Backup Daemon processes.

• Automatically configures Ops Manager and Backup Daemon JVM memory parameters based on Pod memory availability.

• Supports TLS for Ops Manager and the Application Database.

• Adds more detailed information to the status field.

• Supports Ops Manager Local Mode for MongoDBOpsManager resources with multiple replicas by enabling users to specify PersistentVolumeClaimTemplates in spec.statefulSet.spec.

• Implements a new image versioning scheme.

See the sample YAML files for new feature usage examples.

CVE Description

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Kubernetes Operator to generate their X.509 certificates are unaffected.

Common Weakness Enumeration

CWE-295: Improper Certificate Validation CVSS score: 6.4 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected Versions

• 1.0, 1.1

• 1.2.0 - 1.2.4

• 1.3.0 - 1.3.1

• 1.4.0 - 1.4.4

Fixed Versions

• 1.2.5

• 1.4.5 and above

MongoDB Resource Changes

Supports changes in the Cloud Manager API.

Ops Manager Resource Changes (Beta Release)

• Properly terminates resources with a termination hook.

• Implements stricter validations.

Bug Fixes

• MongoDB resources:

  • Fixes an issue when working with Ops Manager with custom HTTPS certificates.

Kubernetes Operator Changes

Adds a webhook to validate a Kubernetes Operator configuration.

MongoDB Resource Changes

• Adds support for sidecars for MongoDB resource pods using the spec.podSpec.podTemplate setting.

• Allows users to change the PodSecurityContext to allow privileged sidecar containers.

Ops Manager Resource Changes (Beta Release)

• Adds the spec.podSpec configuration settings for Ops Manager, the Backup Daemon, and the Application Database. See Ops Manager Resource Specification.

• Ops Manager image for version 4.2.8 is available.

Bug Fixes

• MongoDB resources:

  • Fixes potential race conditions when deleting MongoDB resources.

• Ops Manager resources:

  • Supports the spec.clusterDomain setting for Ops Manager and Application Database resources.

  • No longer starts monitoring and backup processes for the Application Database.

See the sample YAML files for new feature usage examples.

MongoDB Resource Changes

• Runs MongoDB database Kubernetes Pods under a dedicated Kubernetes service account: mongodb-enterprise-database-pods.

• Adds the spec.podSpec.podTemplate setting, which allows you to apply templates to Kubernetes Pods that the Kubernetes Operator generates for each database StatefulSet.

• Renames the spec.clusterName setting to spec.clusterDomain.

Ops Manager Resource Changes (Beta Release)

• Adds offline mode support for the Application Database. Bundles MongoDB Enterprise version 4.2.2 with the Application Database image. Internet access is not required to install the application database if spec.applicationDatabase.version is set to "4.2.2-ent" or omitted.

• Renames the spec.clusterName setting to spec.clusterDomain.

• Ops Manager images for versions 4.2.6 and 4.2.7 are available.

Bug Fixes

• MongoDB resources:

  • Fixes the order of sharded cluster component creation.

  • Allows TLS to be enabled on Amazon EKS.

• Ops Manager resources:

  • Enables the Kubernetes Operator to use the spec.clusterDomain setting.

See the sample YAML files for new feature usage examples.

MongoDB Resource Changes

• Adds split horizon DNS support for MongoDB replica sets, which allows clients to connect to a replica set from outside of the Kubernetes cluster.

• Supports requests for Kubernetes Operator-generated certificates for additional certificate domains, which makes them valid for the specified subdomains.

Ops Manager Resource Changes (Beta Release)

• Promotes the MongoDBOpsManager resource to Beta. Ops Manager version 4.2.4 is available.

• Supports Backup and restore in Kubernetes Operator-deployed Ops Manager instances. This is a semi-automated process that deploys everything you need to enable backups in Ops Manager. You can enable Backup by setting the spec.backup.enabled setting in the Ops Manager custom resource. You can configure the Head Database, Oplog Store, and S3 Snapshot Store by using the MongoDBOpsManager resource specification.

• Supports access to Ops Manager from outside the Kubernetes cluster through the spec.externalConnectivity setting.

• Enables SCRAM-SHA-1 authentication on Ops Manager's Application Database by default.

• Adds support for OpenShift (Red Hat UBI Images).

For more information on how to enable new features, see the sample YAML files in the samples directory.

Bug Fixes

• Improves overall stability of X.509 user management.

MongoDB Resource Changes

• Requires one MongoDB resource per Ops Manager project. If you have more than one MongoDB resource in a project, all resources will change to a Pending status and the Kubernetes Operator won’t perform any changes on them. The existing MongoDB databases will still be accessible. You must migrate to one resource per project.

• Supports SCRAM-SHA authentication mode. See the MongoDB Enterprise Kubernetes Operator GitHub repository for examples.

• Requires that the project (ConfigMap) and credentials (secret) referenced from a MongoDB resource be in the same namespace.

• Adds OpenShift installation files (YAML file and Helm chart configuration).

Ops Manager Resource Changes (Alpha Release)

• Supports highly available Ops Manager resources by introducing the spec.replicas setting.

• Runs Pods as a non-root user.

Specification Schema Changes

• Moves to a one resource per project configuration. This follows the warnings introduced in a previous version of the operator. The operator now requires each cluster to be contained within a new project.

• Authentication settings are now contained within the security section of the MongoDB resource specification rather than the project ConfigMap.

• Replaces the project field with the spec.opsManager.configMapRef.name or spec.cloudManager.configMapRef.name fields.

• User resources now refer to MongoDB resources rather than project ConfigMaps.

• No longer requires data.projectName in the project ConfigMap. The name of the project defaults to the name of the MongoDB resource in Kubernetes.

Ops Manager Resource Changes (Alpha Release)

This release introduces significant changes to the Ops Manager resource's architecture. The Ops Manager application database is now managed by the Kubernetes Operator, not by Ops Manager.

Bug Fixes

• Stops unnecessary recreation of NodePorts.

• Fixes logging so it's always in JSON format.

• Sets USER in the Kubernetes Operator Docker image.

CVE Description

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Kubernetes Operator to generate their X.509 certificates are unaffected.

Common Weakness Enumeration

CWE-295: Improper Certificate Validation CVSS score: 6.4 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected Versions

• 1.0, 1.1

• 1.2.0 - 1.2.4

• 1.3.0 - 1.3.1

• 1.4.0 - 1.4.4

Fixed Versions

• 1.2.5

• 1.4.5 and above

GA Release

• Adds a readinessprobe to the MongoDB Pods to improve the reliability of rolling upgrades.

Alpha Release

This feature is an alpha release. It is not ready for production use.

• Can use the Kubernetes Operator to manage Ops Manager 4.2. To deploy an |onprem| instance, you use a new resource: MongoDBOpsManager.