• Install and Configure the Kubernetes Operator >
• Upgrade the Kubernetes Operator from Prior Versions >
• Upgrade from Kubernetes Operator 1.12 with TLS Enabled

Upgrade from Kubernetes Operator 1.12 with TLS Enabled

Important

MongoDB Enterprise Kubernetes Operator 1.13 introduced several changes to how it handles TLS secrets for Ops Manager and database deployments. If you installed Kubernetes Operator 1.12 or earlier and you secure access to your resources using TLS, then Kubernetes Operator 1.16.4 is the last version to which you can upgrade while migrating your opaque TLS secrets to kubernetes.io/tls type secrets without re-creating your MongoDB resources and incurring downtime. k8s-op-short| 1.17.0 removes support for certificates with opaque TLS secrets. You must manually migrate TLS secrets from opaque to kubernetes.io/tls type secrets by creating new secrets that contain the relevant certificates and signing keys. To learn more, see Deploy a Replica Set and Secure Internal Authentication with X.509.

Complete this task to upgrade to any Kubernetes Operator version up to the Kubernetes Operator 1.16.4 and migrate your opaque TLS secrets to kubernetes.io/tls type secrets without re-creating your MongoDB resources and incurring downtime.

Limitations

Kubernetes Operator doesn’t migrate the following TLS secret types:

• TLS secrets that contain X.509 certificates for internal server authentication
• TLS secrets that contain MongoDB Agent X.509 certificates

You must manually migrate these types of TLS secrets from opaque to kubernetes.io/tls type secrets by creating new secrets that contain the relevant certificates and signing keys. To learn how to create these secrets, see the following resources:

• Deploy a Replica Set
• Secure Internal Authentication with X.509

Prerequisites

• Before you migrate your TLS secrets and upgrade Kubernetes Operator, your CRDs must use the following fields to describe your TLS secrets:

  • Application Database TLS secrets: applicationDatabase.security.tls.secretRef.prefix
  • Ops Manager TLS secrets: security.tls.secretRef.prefix
  • Database resource TLS secrets: security.tls.secretRef.prefix

  If your CRDs use any of the following fields to describe your TLS secrets, you must first update your CRDs to use the fields listed above instead:

  • Application Database TLS secrets: spec.applicationDatabase.security.tls.secretRef.name
  • Ops Manager TLS secrets: spec.security.tls.secretRef.name
  • Database resource TLS secrets: spec.security.tls.secretRef.name

• You must disable internal cluster and X.509 authentication before you upgrade Kubernetes Operator to its latest version.

  When the upgrade is complete, you can re-enable internal cluster and X.509 authentication.

Procedure

1

Upgrade Kubernetes Operator to version 1.16.4.

To learn how to upgrade the Kubernetes Operator, see Upgrade the MongoDB Enterprise Kubernetes Operator.

2

Wait for the Kubernetes Operator Pods to reach a READY state.

Use the following command to get the status of the Pods in your cluster:

copy

kubectl get pods -n <namespace> -w

Inspect the response. In the READY column for your Kubernetes Operator Pod, ensure that the value in this column shows that all Pods are ready. In the following sample output, the single Kubernetes Operator Pod is ready.

NAME                                          READY   STATUS    RESTARTS   AGE
mongodb-enterprise-operator-d7d5d9b7c-p4xl4   1/1     Running   0     7m39s

When all Kubernetes Operator Pods are READY, proceed to the next step.

3

Create new TLS secrets that contain your existing certificates.

Using the certificates stored in your existing secrets, create one new secret for each component that you want to secure using TLS.

For more information, see the prerequisites in the Kubernetes Operator TLS tutorials:

• Deploy an Ops Manager Resource for Application Database resources
• Deploy an Ops Manager Resource for Ops Manager resources
• Secure Client Connections for database resources

4

Update your CRDs to use the new TLS secret fields.

In each of the resources that you secure with TLS, update the following fields, as appropriate, to reference the new TLS secrets you created in the previous step:

• Application Database TLS secrets: applicationDatabase.security.certsSecretPrefix
• Ops Manager TLS secrets: security.certsSecretPrefix
• Database resource TLS secrets: security.security.certsSecretPrefix

5

Replace the CRDs in your Kubernetes cluster.

For each CRD you updated, run the following command to apply your changes to the Kubernetes cluster:

copy

kubectl replace -f <resource-crd>.yaml

6

Optional: Re-enable internal cluster authentication and X.509 authentication.

When all of the resources you updated reach a READY state, you can re-enable internal cluster authentication and X.509 authentication if you disabled it to migrate your TLS secrets.

←   Migrate to a Specified Application Database Version (Required for Version 1.11.0) Deploy and Configure Ops Manager Resources  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.