
MongoDB Kubernetes Enterprise Operator 1.13.0


@mms-build-account mms-build-account released this 21 Oct 08:21
· 80 commits to master since this release
196f202

MongoDB Enterprise Kubernetes Operator 1.13.0

Kubernetes Operator

  • Breaking Changes:
    • The Operator no longer generates certificates for TLS resources.
  • When deploying to multiple namespaces, imagePullSecrets has to be created only in the namespace where the Operator is installed. From there, the Operator will sync this secret across all watched namespaces.
  • The credentials secret used by the Operator now accepts the pair of fields publicKey and privateKey. These should be preferred to the existing user and publicApiKey when using Programmatic API Keys in Ops Manager.
  • For TLS-enabled resources, the operator now watches the ConfigMap containing the Certificate Authority and the secret containing the TLS certificate. Changes to these resources now trigger a reconciliation of the related resource.
  • The Operator can now watch over a list of Namespaces. To install the Operator in this mode, you need to set the value operator.watchNamespace to a comma-separated list of Namespaces.
    The Helm install process will create the required Roles and Service Accounts in the Namespaces that the Operator will be watching.

Support for TLS certificates provided as kubernetes.io/tls secrets

  • The operator now supports referencing TLS secrets of type kubernetes.io/tls
    • Secrets of this type contain a tls.crt and a tls.key entry
    • The operator can read these secrets and automatically generate a new one, containing the concatenation of tls.crt and tls.key
    • This removes the need for a manual concatenation of the fields and enables users to natively reference secrets generated by tools such as cert-manager

Deprecation Notice
The usage of generic secrets, manually created by concatenating certificate and private key, is now deprecated.

MongoDB Resource

  • Breaking Changes:
    • The field spec.project has been removed from the MongoDB spec. This field has been deprecated since operator version 1.3.0. Make sure to specify the project configmap name under spec.opsManager.configMapRef.name or spec.cloudManager.configMapRef.name before upgrading the operator.
  • Changes:
    • A new field has been added: spec.security.certsSecretPrefix. This string is now used to determine the name of the secrets containing various TLS certificates:
      • For TLS member certificates, the secret name is <spec.security.certsSecretPrefix>-<resource-name>-cert
        • Note: if either spec.security.tls.secretRef.name or spec.security.tls.secretRef.prefix is specified, it will take precedence over the new field
        • Note: if none of these three fields are specified, the secret name is <resource-name>-cert
      • For agent certificates, if spec.security.certsSecretPrefix is specified, the secret name is <spec.security.certsSecretPrefix>-<resource-name>-agent-certs
        • Note: if spec.authentication.agents.clientCertificateSecretRef is specified, this will take precedence over the new field
        • If none of these fields are set, the secret name is still agent-certs
      • For internal cluster authentication certificates, if spec.security.certsSecretPrefix is specified, the secret name is <spec.security.certsSecretPrefix>-<resource-name>-clusterfile
        • Otherwise, it is still <resource-name>-clusterfile
  • Bug fixes
    • Fixes an issue where Sharded Cluster backups could not be correctly configured using the MongoDB CR.
    • Fixes an issue where Backup Daemon fails to start after OpsManager version upgrade.
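
Because the Operator no longer generates certificates, the secrets named by the rules under "Changes" above must already exist before a TLS-enabled resource is deployed. The following added example (not code from the Operator or its repository) resolves the expected secret names from a MongoDB custom resource loaded as a dict. It assumes that spec.security.tls.secretRef.name is used verbatim, that spec.security.tls.secretRef.prefix follows the same <prefix>-<resource-name>-cert pattern, and that clientCertificateSecretRef may be given as an object with a name key; the sample resource is constructed.

```python
def _get(spec, path):
    """Walk a dotted path through nested dicts; return None if a key is absent."""
    node = spec
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def expected_secret_names(resource):
    """Return {purpose: secret name} for a MongoDB custom resource dict."""
    name = resource["metadata"]["name"]
    spec = resource.get("spec", {})
    prefix = _get(spec, "security.certsSecretPrefix")

    # TLS member certificate: the older secretRef fields win over certsSecretPrefix.
    ref_name = _get(spec, "security.tls.secretRef.name")
    ref_prefix = _get(spec, "security.tls.secretRef.prefix")
    if ref_name:
        member = ref_name                     # assumption: name is used verbatim
    elif ref_prefix:
        member = f"{ref_prefix}-{name}-cert"  # assumption: same pattern as new prefix
    elif prefix:
        member = f"{prefix}-{name}-cert"
    else:
        member = f"{name}-cert"

    # Agent certificates: an explicit clientCertificateSecretRef wins.
    agent_ref = _get(spec, "authentication.agents.clientCertificateSecretRef")
    if isinstance(agent_ref, dict):           # assumption: may be {"name": ...}
        agent_ref = agent_ref.get("name")
    if agent_ref:
        agents = agent_ref
    elif prefix:
        agents = f"{prefix}-{name}-agent-certs"
    else:
        agents = "agent-certs"

    # Internal cluster authentication certificates.
    clusterfile = f"{prefix}-{name}-clusterfile" if prefix else f"{name}-clusterfile"
    return {"member": member, "agents": agents, "clusterfile": clusterfile}

# Constructed sample resource; the names are illustrative only.
SAMPLE = {"metadata": {"name": "my-replica-set"},
          "spec": {"security": {"certsSecretPrefix": "prod"}}}

if __name__ == "__main__":
    print(expected_secret_names(SAMPLE))
```

The resulting names can be compared against the secrets present in the resource's namespace before upgrading.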

MongoDBOpsManager Resource

  • The Operator will report the status of FileSystemSnapshot store names configured under spec.backup.fileSystemStores in the OM CR. The FS, however, needs to be manually configured.
  • It is now possible to disable creation of the "LoadBalancer" Type service for queryable backup by setting spec.backup.externalServiceEnabled to false in the OM CR. By default, the operator creates the LoadBalancer type service object.
  • The operator will now automatically upgrade the used API Key to a programmatic one when deploying OM >= 5.0.0. It is now possible to upgrade from older versions of OM to OM 5.0 without manual intervention.
  • A new field has been added: spec.security.certSecretPrefix. This string is now used to determine the name of the secret containing the TLS certificate for OpsManager.
    • If the existing field spec.security.tls.secretRef.Name is specified, it will take precedence
      • Please note that this field is now deprecated and will be removed in a future release
    • Otherwise, if spec.security.certSecretPrefix is specified, the secret name will be <spec.security.certSecretPrefix>-<om-resource-name>-cert

MongoDBUser Resource

  • Breaking Changes:
    • The field spec.project has been removed from the User spec. This field has been deprecated since operator version 1.3.0. Make sure to specify the MongoDB resource name under spec.MongoDBResourceRef.name before upgrading the operator.

Miscellaneous

  • Ops Manager versions 4.4.7, 4.4.9, 4.4.10, 4.4.11, 4.4.12 and 4.4.13 base images have been updated to Ubuntu 20.04.
  • Ops Manager versions 4.4.16 and 5.0.1 are now supported

OPA Gatekeeper Sample Policies

Sample policies are now available in the opa_examples directory.