Navigation

Upgrade from Kubernetes Operator 1.12 with TLS Enabled

MongoDB Enterprise Kubernetes Operator 1.13 introduced several changes to how it handles TLS secrets for Ops Manager and database deployments.

If you installed Kubernetes Operator 1.12 or earlier and you secure access to your resources using TLS, complete this task to upgrade to the latest Kubernetes Operator version and migrate your opaque TLS secrets to kubernetes.io/tls type secrets without re-creating your MongoDB resources and incurring downtime.

Considerations

Kubernetes Operator can migrate your TLS secrets when you upgrade from 1.12 or earlier to the latest version for as long as 1.12 is supported. After Kubernetes Operator 1.12 reaches End of Life (EOL), you might not be able to migrate your TLS secrets automatically when you upgrade.

Limitations

Kubernetes Operator doesn’t migrate the following TLS secret types:

  • TLS secrets that contain X.509 certificates for internal server authentication
  • TLS secrets that contain MongoDB Agent X.509 certificates

You must manually migrate these types of TLS secrets from opaque to kubernetes.io/tls type secrets by creating new secrets that contain the relevant certificates and signing keys. To learn how to create these secrets, see the following resources:

Prerequisites

  • Before you migrate your TLS secrets and upgrade Kubernetes Operator, your CRDs must use the following fields to describe your TLS secrets:

    • Application Database TLS secrets: applicationDatabase.security.tls.secretRef.prefix
    • Ops Manager TLS secrets: security.tls.secretRef.prefix
    • Database resource TLS secrets: security.tls.secretRef.prefix

    If your CRDs use any of the following fields to describe your TLS secrets, you must first update your CRDs to use the fields listed above instead:

    • Application Database TLS secrets: spec.applicationDatabase.security.tls.secretRef.name
    • Ops Manager TLS secrets: spec.security.tls.secretRef.name
    • Database resource TLS secrets: spec.security.tls.secretRef.name
  • You must disable internal cluster and X.509 authentication before you upgrade Kubernetes Operator to its latest version.

    When the upgrade is complete, you can re-enable internal cluster and X.509 authentication.

Procedure

1

Upgrade Kubernetes Operator to its latest version.

To learn how to upgrade the Kubernetes Operator, see Upgrade the MongoDB Enterprise Kubernetes Operator.

2

Wait for the Kubernetes Operator Pods to reach a READY state.

Use the following command to get the status of the Pods in your cluster:

kubectl get pods -n <namespace> -w

Inspect the response. In the READY column for your Kubernetes Operator Pod, ensure that the value in this column shows that all Pods are ready. In the following sample output, the single Kubernetes Operator Pod is ready.

NAME                                          READY   STATUS    RESTARTS   AGE
mongodb-enterprise-operator-d7d5d9b7c-p4xl4   1/1     Running   0     7m39s

When all Kubernetes Operator Pods are READY, proceed to the next step.

3

Create new TLS secrets that contain your existing certificates.

Using the certificates stored in your existing secrets, create one new secret for each component that you want to secure using TLS.

For more information, see the prerequisites in the Kubernetes Operator TLS tutorials:

4

Update your CRDs to use the new TLS secret fields.

In each of the resources that you secure with TLS, update the following fields, as appropriate, to reference the new TLS secrets you created in the previous step:

  • Application Database TLS secrets: applicationDatabase.security.certsSecretPrefix
  • Ops Manager TLS secrets: security.certsSecretPrefix
  • Database resource TLS secrets: security.security.certsSecretPrefix
5

Replace the CRDs in your Kubernetes cluster.

For each CRD you updated, run the following command to apply your changes to the Kubernetes cluster:

kubectl replace -f <resource-crd>.yaml
6

Optional: Re-enable internal cluster authentication and X.509 authentication.

When all of the resources you updated reach a READY state, you can re-enable internal cluster authentication and X.509 authentication if you disabled it to migrate your TLS secrets.