Docs Menu
Docs Home
/
MongoDB Enterprise Kubernetes Operator

Release Notes for MongoDB Enterprise Kubernetes Operator

On this page

Released 2024-04-30

  • MongoDBOpsManager resource. The Kubernetes Operator no longer supports Ops Manager 5.0. Upgrade to a later version of Ops Manager. While Ops Manager 5.0 may continue to work with the Kubernetes Operator, MongoDB won't test the Kubernetes Operator against Ops Manager 5.0.

  • MongoDBOpsManager resource: Adds support for deploying the Ops Manager Application on multiple Kubernetes clusters. To learn more, see Deploy Ops Manager Resources on Multiple Kubernetes Clusters.

  • (Public Preview) MongoDB, OpsManager resources: Introduces opt-in Static Containers (Public Preview) for all types of deployments.

    • In this release, use static containers only for testing purposes. Static containers might become the default in a later release.

    • To activate static containers mode, set the MDB_DEFAULT_ARCHITECTURE environment variable at the Kubernetes Operator level to static. Alternatively, annotate a specific MongoDB or OpsManager custom resource with mongodb.com/v1.architecture: "static".

    • The Kubernetes Operator supports seamless migration between the static and non-static architectures. To learn more, see:

  • OpsManager resource: Adds the spec.internalConnectivity field to allow overrides for the service used by the Kubernetes Operator to ensure internal connectivity to the OpsManager resource-hosting Pods.

  • MongoDB resource: You can recover a resource due to a broken Automation configuration in sharded clusters. In previous releases, you could recover other types of resources but not sharded clusters. To learn more, see Recover Resource Due to Broken Automation Configuration.

  • MongoDB, MongoDBMultiCluster resources: These resources now allow you to add placeholders in external services.

    • You can define annotations for external services managed by the Kubernetes Operator that contain placeholders which will be automatically replaced by the proper values. Previously, the Kubernetes Operator configured the same annotations for all external services created for each Pod. Starting with this release, you can add placeholders so that the Kubernetes Operator can customize annotations in each service with values that are relevant and unique for each particular Pod. To learn more, see:

  • The kubectl mongodb plugin: Allows you to print build information when using the plugin.

  • The setup command of the kubectl mongodb plugin: Adds the registry.imagePullSecrets setting. If specified, created service accounts reference the specified secret on the imagePullSecrets field.

  • Improves handling of configurations when the Kubernetes Operator watches more than one namespace, and when you install the Kubernetes Operator in a namespace that differs from the namespace in which the Kubernetes Operator watches resources.

  • Optimizes setting up roles and permissions in member Kubernetes clusters using a single service account per Kubernetes cluster with correctly configured roles and role bindings (no cluster roles are necessary) for each watched namespace.

  • Extends the existing event-based reconciliation process by a time-based reconciliation that is triggered every 24 hours. This ensures that all Monitoring Agents are always upgraded in a timely manner.

  • OpenShift and OLM Operator: Removes the requirement for cluster-wide permissions. Previously, the Kubernetes Operator needed these permissions to configure admission webhooks. Starting with this release, webhooks are automatically configured by OLM.

  • Adds an optional MDB_WEBHOOK_REGISTER_CONFIGURATION environment variable for the Kubernetes Operator. The variable controls whether the Kubernetes Operator should perform automatic admission webhook configuration. The default is true. The variable is set to false for OLM and OpenShift deployments.

  • Adds a new operator.webhook.registerConfiguration parameter that controls whether the Kubernetes Operator should perform an automatic admission webhook configuration by setting the MDB_WEBHOOK_REGISTER_CONFIGURATION environment variable for the Kubernetes Operator. The default is true. The variable is set to false for OLM and OpenShift deployments.

  • Changes the default agent.version to 107.0.0.8502-1. This changes the default Agent used in Kubernetes Operator deployments that you install using a Helm chart.

  • Adds the operator.additionalArguments variable with the default of [] to allow you to pass additional arguments for the Kubernetes Operator binary.

  • Adds the operator.createResourcesServiceAccountsAndRoles variable with the default of true to control whether to install roles and service accounts for MongoDB and OpsManager resources. When you use the kubectl mongodb plugin to configure the Kubernetes Operator for a multi-Kubernetes cluster deployment, the plugin installs all necessary roles and service accounts. Therefore, to avoid clashes, in some cases don't install those roles using the Kubernetes Operator Helm chart.

  • MongoDBMultiCluster resource: Fixes an issue where the Kubernetes Operator reported that spec.externalAccess.externalDomain and spec.clusterSpecList[*].externalAccess.externalDomains fields were required even though they weren't used. The Kubernetes Operator prematurely triggered a validation for these fields in cases where the custom resources contained a defined spec.externalAccess structure. Starting with this release, the Kubernetes Operator checks for uniqueness of external domains only when you define the external domains in spec.externalAccess.externalDomain or spec.clusterSpecList[*].externalAccess.externalDomains settings.

  • MongoDB resource: Fixes a bug where upon deleting a MongoDB resource, the controlledFeature policies remained set on the related Ops Manager or Cloud Manager instance, making cleanup in the UI impossible in the case of losing the Kubernetes Operator.

  • OpsManager resource: Fixes an issue where the admin-key secret was deleted when you removed the OpsManager custom resource. Fixing the admin-key secret deletion enables easier re-installation of Ops Manager.

  • MongoDB Readiness Probe: Fixes a misleading error message for the readiness probe: "... kubelet Readiness probe failed:...". This affects all MongoDB deployments.

  • Operator: Fixes cases where in some instances, while communicating with the OpsManager custom resource, the Kubernetes Operator skipped TLS verification, even if you enabled TLS.

  • Kubectl plugin: The released kubectl mongodb plugin binaries are now signed, and the signatures are published with the release assets. The public key is available at this address. The released kubectl mongodb plugin binaries are also notarized for MacOS.

  • Released Images signed: All container images published for the Kubernetes Operator are cryptographically signed. This is visible in the MongoDB Quay registry. You can verify the signatures using the MongoDB public key. Released images are available at this address.

Released 2023-12-21

  • Adds support for the upcoming Ops Manager 7.0.x series.

  • Fixes an issue that prevented terminating a backup correctly.

Released 2023-11-13

  • Fixes an issue with scaling a replica set in a multi-Kubernetes cluster MongoDB deployment when a member cluster has lost connectivity. The fix addresses both the manual and automated recovery procedures.

  • Fixes an issue where changing the names of the Automation Agent and MongoDB audit logs prevented them from being sent to the Kubernetes Pod logs. There are no restrictions on the file names of MongoDB audit logs as of Kubernetes Operator 1.22.

  • Allows the following new log types from the mongodb-enterprise-database container to stream directly to Kubernetes logs:

    • agent-launcher-script

    • monitoring-agent

    • backup-agent

  • Fixes an issue that prevented storing the MongoDBUser resource in the namespace set in spec.mongodbResourceRef.namespace.

Released 2023-09-21

The Kubernetes Operator no longer uses the Reconciling state for all custom resources. In most cases this state has been replaced with Pending and a corresponding message. If you use monitoring tools with the custom MongoDB resources deployed with the Kubernetes Operator, you might need to adjust your dashboards and alerting rules to use the Pending state name.

  • Adds an automatic recovery mechanism for MongoDB resources when a custom resource remains in a Pending or Failed state for a longer period of time. In addition, introduces the following environment variables:

    To learn more, see Recover Resource Due to Broken Automation Configuration.

  • Allows you to route the audit logs for the MongoDB resource to the Kubernetes Pod logs. Ensure that you write the MongoDB resource's audit logs to the /var/log/mongodb-mms-automation/mongodb-audit.log file. The Pod hosting the resource monitors this file and appends its content to its Kubernetes logs.

    To send audit logs to the Kubernetes Pod logs, use the following example configuration in the MongoDB resource:

    spec:
    additionalMongodConfig:
    auditLog:
    destination: file
    format: JSON
    path: /var/log/mongodb-mms-automation/mongodb-audit.log

    The Kubernetes Operator tags audit log entries with the mongodb-audit key in the Pod logs.

    To extract audit log entries, use a command similar to the following example:

    kubectl logs -c mongodb-enterprise-database replica-set-0 | \
    jq -r 'select(.logType == "mongodb-audit") | .contents'

Fixes an issue where you couldn't set the spec.backup.autoTerminateOnDeletion setting to true for sharded clusters. This setting controls whether the Kubernetes Operator stops and terminates the backup when you delete a MongoDB resource. If omitted, the default value is false.

Released 2023-08-25

  • Renames the environment variable CURRENT_NAMESPACE to NAMESPACE. This variable tracks the namespace of the Kubernetes Operator. If you've set this variable by editing the MongoDB resources, update CURRENT_NAMESPACE to NAMESPACE while upgrading the Kubernetes Operator.

  • Fixes an issue where StatefulSet override labels failed to override the StatefulSet.

  • Supports configuring backups of the Application Database and MongoDB for the MongoDBMultiCluster resource.

  • Adds documentation for configuring a MongoDBMultiCluster resources deployment in a GitOps environment. To learn more, see Configure Resources for GitOps.

  • Adds MetadataWrapper, a label and annotations wrapper, to the MongoDB resource, MongoDBMultiCluster resource and MongoDBOpsManager resources. The wrapper supports overriding metadata.Labels and metadata.Annotations.

  • Fixes an issue that prevented setting an arbitrary port number for spec.externalConnectivity.port when using the LoadBalancer service type to expose Ops Manager externally.

  • Fixes an issue that caused Ops Manager to reject certificates by enabling the Kubernetes Operator to import the appdb-ca, which is a bundle of CAs, into the Ops Manager JVM trust store.

Released 2023-06-07

This release fixes an issue that prevented upgrading the Kubernetes Operator to 1.20.0 in OpenShift.

  • Removes appdb.connectionSpec.Project, which was deprecated more than two years ago.

  • Fixes an issue where the MongoDBMultiCluster resource was not watching Ops Manager's connection ConfigMap and secret.

  • Fixes support for rotating the clusterfile secret, which is used for internal X.509 authentication in the MongoDB and MongoDBMultiCluster resources.

  • Adds support for votes, priority, and tags by introducing the spec.applicationDatabase.memberConfig.votes, spec.applicationDatabase.memberConfig.priority, and spec.applicationDatabase.memberConfig.tags settings.

  • Changes the container registry for the Application Database image from quay.io/mongodb/mongodb-enterprise-appdb-database-ubi to quay.io/mongodb/mongodb-enterprise-server. This results in the following changes when you upgrade to this release:

    • The Helm chart setting for the Application Database image, values.mongodb.name, defaults to mongodb-enterprise-server.

    • The Kubernetes Operator updates your Application Database replica set Pods to use the new images referenced in the values.mongodb.name Helm setting. The new images are functionally equivalent to the previous ones assuming that the MongoDB version is the same.

    • The Kubernetes Operator automatically updates the tag suffix for all Application Database images that reference the new container registry from -ent to -ubi8 or the suffix set in MDB_IMAGE_TYPE or mongodb.imageType. For example, the Kubernetes Operator changes quay.io/mongodb/mongodb-enterprise-server:4.4.5-ent to quay.io/mongodb/mongodb-enterprise-server:4.4.5-ubi8. You don't need to update the applicationDatabase.version setting in the MongoDBOpsManager resource.

    • You can stop the Kubernetes Operator from automatically updating the tag suffix by setting MDB_APPDB_ASSUME_OLD_FORMAT or mongodb.appdbAssumeOldFormat to true. For example, you might want to stop the automatic suffix change if you're mirroring this image from your own repository.

  • Adds support for specifying versions without a suffix in spec.applicationDatabase.version. For example, you can specify a version, such as 6.0.5, without adding the -ubi8 suffix. The Kubernetes Operator automatically converts this to 6.0.5-${MDB_IMAGE_TYPE}. The default for the MDB_IMAGE_TYPE environment variable is -ubi8.

  • Changes all images to reference UBI variants by default. The new images use the suffix -ubi.

    • quay.io/mongodb/mongodb-enterprise-database-ubi

    • quay.io/mongodb/mongodb-enterprise-init-database-ubi

    • quay.io/mongodb/mongodb-enterprise-ops-manager-ubi

    • quay.io/mongodb/mongodb-enterprise-init-ops-manager-ubi

    • quay.io/mongodb/mongodb-enterprise-init-appdb-ubi

    • quay.io/mongodb/mongodb-agent-ubi

    • quay.io/mongodb/mongodb-enterprise-appdb-database-ubi

  • Changes the default Application Database image repository to use the official MongoDB Enterprise repository by setting values.mongodb.name to quay.io/mongodb/mongodb-enterprise-server by default.

  • Introduces the values.mongodb.imageType environment variable to override the new default -ubi8 Application Database image tag suffix used by the MongoDBOpsManager resource.

Released 2023-06-07

Warning

Upgrade to 1.20.1

This release (1.20.0) is tied to a broken release on the Openshift Marketplace. Don't upgrade to 1.20.0, and instead upgrade to the 1.20.1 release.

Released 2023-03-30

This release fixes an issue that prevented upgrading the Kubernetes Operator to 1.19.0. Upgrade to this release.

Makes the data.orgId field required for the ConfigMap of the MongoDB resources. If you provide an empty orgId, as in: orgId = "", Ops Manager creates an organization with the project name. Before upgrading the Kubernetes Operator to 1.19.1, set the orgId:"" in the Ops Manager ConfigMap and reapply it.

  • Introduces multi-Kubernetes cluster MongoDB deployments. To learn more, see Deploy MongoDB Resources on Multiple Kubernetes Clusters.

    Makes the following changes to the multi-Kubernetes cluster MongoDB deployment support compared with the Beta version of the multi-Kubernetes cluster MongoDB deployment support in Kubernetes Operator 1.18.x:

    • Renames the MongoDBMulti resource in Beta versions to the MongoDBMultiCluster resource.

    • Renames the shortcut name of the MongoDBMultiCluster resource to mdbmc. Use this shortcut name in all commands on the MongoDBMultiCluster resource. For example, to check the status of your MongoDBMultiCluster resource, run:

      kubectl get mdbmc <resource-name> -o yaml -w
    • Renames the "multi-cluster CLI" tool to the "kubectl mongodb plugin". To learn more, see the MongoDB Plugin Reference.

    • Removes the unnecessary intermediate object clusterSpecs from the clusterSpecList in the MongoDBMultiCluster resource specification. For a valid example of a MongoDBMultiCluster resource configuration file, see the Multi-Kubernetes-Cluster Resource Specification.

  • Adds support for Kubernetes 1.26 and OpenShift 4.12. To learn more, see MongoDB Enterprise Kubernetes Operator Compatibility.

  • Allows you to configure podSpec per shard in a MongoDB sharded cluster by specifying an array of podSpecs under the spec.shardSpecificPodSpec setting for each shard.

  • Makes the data.orgId field required for the ConfigMap of the MongoDB resources. If you provide an empty orgId, as in: orgId = " ", Ops Manager creates an organization with the project name.

  • Adds documentation for the Multi-Kubernetes-Cluster Resource Specification.

  • Adds the Frequently Asked Questions for the Kubernetes Operator to the documentation.

  • Adds documentation for configuring file system backup stores in the Kubernetes Operator MongoDB deployments.

  • Fixes the handling of WATCH_NAMESPACE='*' environment variable for multi-Kubernetes cluster MongoDB deployments. In the following cases, API clients for member clusters are configured incorrectly resulting in deployment errors:

    • The WATCH_NAMESPACE='*' environment variable is specified for the multi-Kubernetes cluster MongoDB deployment.

    • A specific namespace is set in kubeconfig for member clusters.

    • The kubectl mongodb plugin isn't used for configuring multi-Kubernetes cluster MongoDB deployments.

    This leads to the following errors:

    The secret object 'mdb-multi-rs-cert' does not contain all the valid
    certificates needed: secrets "mdb-multi-rs-cert-pem" already exists

    To avoid this issue, set the WATCH_NAMESPACE environment variable to specific namespaces instead of '*', and verify that the kubeconfig settings for member clusters don't specify a namespace. To set the namespace for multi-Kubernetes cluster MongoDB deployments, see Set the Deployment's Scope and the MongoDB Plugin Reference.

  • Fixes an issue when CertificatesSecretsPrefix is set but no related spec.security.tls settings, such as tls.additionalCertificateDomains or tls.ca are provided.

  • Fixes an issue that allows you to explicitly specify the value none for the spec.security.authentication.ldap.transportSecurity when TLS isn't used. Previously, the Kubernetes Operator treated this setting as none when you omitted the value and didn't specify the tls value, but the Kubernetes Operator didn't allow you to specify the value none explicitly.

Released 2023-03-28

Warning

Don't upgrade to 1.19.0. Instead, upgrade to 1.19.1

This release is tied to a broken release on the Openshift Marketplace. Don't upgrade to this release (1.19.0), and instead upgrade to the Kubernetes Operator 1.19.1 release.

This release removes Ubuntu-based images. Ubuntu-based images were deprecated in favor of UBI-based images in the Kubernetes Operator in 1.17.0. Migrate the Kubernetes Operator from Ubuntu-based Images to UBI-based images. All existing Ubuntu-based images will continue to be supported until their version's End of Life (EOL) dates.

Released 2022-12-29

  • Fixes the issue where you configure a liveness probe and it reports a positive result when you terminate a MongoDB Agent's process. This could cause Pods hosting MongoDB resources to run without the MongoDB Agent. In addition to this fix, consider configuring readiness probe overrides.

  • Fixes the startup script in database Pod that might report errors when the Pod restarts.

Released 2022-10-18

  • Fixes the OpenShift installation issue mentioned in the v1.17.1 release notes. The Kubernetes Operator Lifecycle Manager upgrade graph automatically skips the v1.17.1 release and performs an upgrade from v1.17.0 directly to this release.

  • Improves the reliability of upgrades by adding startup probes for MongoDB and OpsManager custom resources with some defaults. Use spec.podSpec.podTemplate to override probe configurations.

Released 2022-10-10

Warning

Installations for OpenShift

This release has invalid quay.io digests referenced in the certified bundle's CSV. This affects only OpenShift deployments when you install or upgrade Kubernetes Operator from the certified bundle (OperatorHub) in quay.io.

If you use Kubernetes Operator with OpenShift, we recommend that you do NOT upgrade to this release (v1.17.1), and instead upgrade to the Kubernetes Operator v1.17.2, which is due the week commencing 17th October 2022.

As a result of this issue, installing this release could result in ImagePullBackOff errors in Pods hosting AppDB, the database for Ops Manager. Errors will look similar to the following:

Failed to pull image "quay.io/mongodb/mongodb-agent-ubi@sha256:a4cadf209ab87eb7d121ccd8b1503fa5d88be8866b5c3cb7897d14c36869abf6": rpc error: code = Unknown desc = reading manifest sha256:a4cadf209ab87eb7d121ccd8b1503fa5d88be8866b5c3cb7897d14c36869abf6 in quay.io/mongodb/mongodb-agent-ubi: manifest unknown: manifest unknown

To continue using the Kubernetes Operator v1.17.1, use the following workaround and update the Kubernetes Operator Subscription with the following spec.config.env:

spec:
config:
env:
- name: AGENT_IMAGE
value: >-
quay.io/mongodb/mongodb-agent-ubi@sha256:ffa842168cc0865bba022b414d49e66ae314bf2fd87288814903d5a430162620
- name: RELATED_IMAGE_AGENT_IMAGE_11_0_5_6963_1
value: >-
quay.io/mongodb/mongodb-agent-ubi@sha256:e7176c627ef5669be56e007a57a81ef5673e9161033a6966c6e13022d241ec9e
- name: RELATED_IMAGE_AGENT_IMAGE_11_12_0_7388_1
value: >-
quay.io/mongodb/mongodb-agent-ubi@sha256:ffa842168cc0865bba022b414d49e66ae314bf2fd87288814903d5a430162620
- name: RELATED_IMAGE_AGENT_IMAGE_12_0_4_7554_1
value: >-
quay.io/mongodb/mongodb-agent-ubi@sha256:3e07e8164421a6736b86619d9d72f721d4212acb5f178ec20ffec045a7a8f855

Remove this workaround as soon as you install the new Kubernetes Operator v1.17.2.

This release has the following additional breaking change:

  • Removes the operator.deployment_name parameter from Kubernetes Operator Helm charts. In previous releases, you might have used this parameter to customize the name of the Kubernetes Operator container.

    Starting with this release, the value of the operator.name Helm chart parameter determines the name of the Kubernetes Operator container.

    This is a breaking change only if you set operator.deployment_name to a different value than operator.name and if you configured tooling to rely on the value of operator.deployment_name.

  • Uses Quay as an image registry for Kubernetes Operator on OpenShift. When you upgrade your Kubernetes Operator deployment, it automatically pulls new images from Quay. You don't need to take any action.

Released 2022-09-19

This release:

  • Removes support for Ops Manager 4.4 due to its End of Life. If you're using Ops Manager 4.4, upgrade to a newer Ops Manager version before you upgrade to Kubernetes Operator 1.17.

  • Deprecates Ubuntu-based images. Starting with Kubernetes Operator 1.19.0, Ubuntu-based images will no longer be made available. All existing Ubuntu-based images will continue to be supported until their version's End of Life (EOL) dates. We strongly recommend that you Migrate MongoDB Enterprise Kubernetes Operator from Ubuntu-based Images to UBI-based Images as soon as possible.

  • Removes support for TLS certificates in concatenated PEM format. These certificates were deprecated in Kubernetes Operator 1.13.0. If you want to use these certificates, the last version to which you can upgrade is Kubernetes Operator 1.16.4.

    Starting with the Kubernetes Operator 1.17.0 release, you must manually migrate old-style TLS secrets from opaque to kubernetes.io/tls type secrets by creating new secrets that contain the relevant certificates and signing keys. To learn how to create these secrets, see the following resources:

Released 2022-08-03

  • Init-Ops-Manager and Operator binaries now use Go 1.18.4, which addresses security issues.

Released 2022-07-15

  • Fixed a bug where securityContext defined at the Pod level is not respected as the Kubernetes Operator overrides it with a securityContext at the container level. To learn more, see the description of the spec.persistent setting.

  • Adds timeoutMS, and userCacheInvalidationInterval fields to the spec.security.authentication.ldap object.

  • Fixes behavior where the additionalMongodConfig.net.tls.mode setting was ignored for mongos, configSrv, and shard objects when configuring ShardedCluster resources.

Released 2022-06-28

Warning

Breaking Changes

This release removes WiredTiger cache computation, which was required for MongoDB versions earlier than 4.0.9. Before you upgrade to this release, you must upgrade your database deployment to use MongoDB version 4.0.9 or later.

To learn how to upgrade your deployment, see Upgrade MongoDB Version and FCV.

  • Removes the spec.podSpec.podAntiAffinityTopologyKey, spec.podSpec.podAffinity, and spec.podSpec.nodeAffinity settings.

    Instead, use spec.podSpec.podTemplate to configure these parameters.

  • Removes the spec.applicationDatabase.podSpec.podAntiAffinityTopologyKey, spec.applicationDatabase.podSpec.podAffinity, and spec.applicationDatabase.podSpec.nodeAffinity settings.

    Instead, use spec.applicationDatabase.podSpec.podTemplate to configure these parameters.

Added support for LDAP client authentication and for managing database users with LDAP to multi-Kubernetes cluster MongoDB deployments.

This feature is a beta release. Use multi-Kubernetes cluster MongoDB deployment deployments only in development environments.

Released 2022-05-24

Released 2022-04-29

  • Removes the spec.security.tls.secretRef.name parameter.

    • Kubernetes Operator version v1.10.0 deprecated this parameter.

    • To specify the secret name containing the certificate for the database, use spec.security.certsSecretPrefix.

    • Create the secret containing the certificates accordingly.

  • Removes the spec.podSpec.cpu and spec.podSpec.memory parameters.

    To override the CPU/Memory resources for the database pod, set the statefulset parameter under spec.podSpec.podTemplate.spec.containers.

  • Propagates custom labels specified under metadata.labels to the database StatefulSet and the Persistent Volume Claim objects.

  • Allows adding Prometheus scraping endpoints to the MongoDB resources using the spec.prometheus configuration attribute.

    • Find a sample Prometheus configuration in the GitHub repository.

  • Removes the spec.applicationDatabase.security.tls.secretRef.name parameter.

    • Kubernetes Operator version v1.10.0 deprecated this parameter.

    • To specify the secret name containing the certificate for AppDB, use the spec.applicationDatabase.security.certsSecretPrefix parameter.

    • Create the secret containing the certificates accordingly.

  • Removes spec.applicationDatabase.podSpec.cpu and spec.applicationDatabase.podSpec.memory.

    To override the CPU/Memory resources for the appDB pod, use the statefulset parameter under spec.applicationDatabase.podSpec.podTemplate.spec.containers.

  • Propagates custom labels specified under metadata.labels to the Ops Manager, AppDB and BackupDaemon StatefulSets and the Persistent Volume Claim objects.

  • Allows adding Prometheus scraping endpoints to the ApplicationDatabase resources using the spec.applicationDatabase.prometheus configuration attribute.

Adds the optional parameter spec.connectionStringSecretName. This parameter provides a deterministic secret name for the user-specific connection string secret that Kubernetes Operator generates.

Released 2022-03-24

Released 2022-03-04

  • Init-database, Init-Ops-Manager, and Operator binaries now use Go 1.17.7 to prevent CVE-2022-23773.

  • Fixes an issue that prevented the Operator upgrade when managing a TLS-enabled ApplicationDB whose TLS certificate is stored in a Secret of type Opaque.

Released 2022-02-11

Kubernetes Operator version 1.15.1 fixes an issue that prevented the Kubernetes Operator upgrade when managing a TLS-enabled Application Database whose TLS certificate is stored in an Opaque secret.

We recommend that you upgrade to Kubernetes Operator version 1.16.0 or later.

We strongly advise against upgrading to Kubernetes Operator version 1.14.0 or 1.15.0.

  • The spec.security.tls.enabled and spec.security.tls.secretRef.prefix fields are now deprecated and will be removed in a future release.

    To enable TLS for MongoDB database resources, provide a value for the spec.security.certsSecretPrefix field.

  • Adds the spec.backup.queryableBackupSecretRef field. This field's value references a secret that stores certificates for Queryable Backups.

  • Adds two fields to enable support for configuring custom TLS certificates for the S3 Oplog and Snapshot Stores for backup: spec.security.tls.ca and spec.security.tls.secretRef.

  • Adds the ability to back up Application Databases. To back up an application database, you must first disable its processes using the spec.applicationDatabase.automationConfig.processes[n].disabled field.

  • The spec.security.tls.enabled, spec.security.tls.secretRef.prefix, spec.applicationDatabase.security.tls.enabled and spec.applicationDatabase.security.tls.prefix fields are now deprecated and will be removed in a future release.

    To enable TLS for Ops Manager resources, provide a value for the spec.security.certsSecretPrefix field.

    To enable TLS for Application Database resources, provide a value for the spec.applicationDatabase.security.certsSecretPrefix field.

Find all new images at:

Released 2021-12-16

Kubernetes Operator version 1.15.1 fixes an issue that prevented the Kubernetes Operator upgrade when managing a TLS-enabled Application Database whose TLS certificate is stored in an Opaque secret.

We recommend that you upgrade to Kubernetes Operator version 1.16.0 or later.

We strongly advise against upgrading to Kubernetes Operator version 1.14.0 or 1.15.0.

  • This release adds the spec.backup.autoTerminateOnDeletion setting, which indicates if the Kubernetes Operator should stop and terminate the backup when you delete the MongoDB resource.

  • Fixes an issue that caused a ShardedCluster resource to fail when disabling authentication.

  • Fixes an issue that prevented the Kubernetes Operator from triggering a resource reconciliation when rotating the Application Database TLS certificate.

  • Fixes an issue where the Kubernetes Operator didn't mount the custom CA specified in the MongoDBOpsManager resource into the Backup Daemon Pod. This issue prevented backups from working when you configured Ops Manager to run in hybrid mode and used a custom CA.

Released 2021-10-21

Warning

Breaking Changes

The Kubernetes Operator no longer generates TLS certificates for MongoDB and MongoDBOpsManager resources.

Important

Deprecation Notice

This release deprecates generic type secrets for TLS certificates.

  • The Kubernetes Operator now supports TLS secrets of the kubernetes.io/tls type.

    • The Kubernetes Operator reads these secrets and automatically generates new .pem files that contain the concatenated tls.crt and tls.key fields when you update these secrets.

    • This removes the need to manually concatenate these vales to create .pem files and enables you to natively reference secrets that Kubernetes-native tools, such as cert-manager, generate.

  • For TLS-enabled resources, the operator now watches the ConfigMap that contains the CA and the secrets that contain TLS certificates. Changes to these ConfigMaps and secrets now trigger a reconciliation of the related resource.

Warning

Breaking Changes

This release removes the spec.project setting from the MongoDB Database Resource Specification.

If your MongoDB resource specifications use the spec.project setting, update your specifications to instead use spec.opsManager.configMapRef.name or spec.cloudManager.configMapRef.name before you upgrade the Kubernetes Operator to 1.13.0 or later.

  • Fixes an issue where Sharded Cluster backups could not be correctly configured using MongoDB resource specifications.

  • Fixes an issue where Backup Daemon fails to start after you update an Ops Manager deployment by updating spec.version.

  • The Kubernetes Operator now reports the status of file system snapshot stores that you configure in the spec.backup.fileSystemStores setting in the MongoDBOpsManager resource specification.

    You must manually configure the file system snapshot stores.

  • This release adds a new field, spec.backup.externalServiceEnabled, to the MongoDBOpsManager resource specification.

    By default, the Kubernetes Operator creates a LoadBalancer service when you enable queryable backups.

    Set spec.backup.externalServiceEnabled to false before you enable queryable backups to prevent the Kubernetes Operator from creating a LoadBalancer service.

  • The Kubernetes Operator now automatically upgrades personal API keys to programmatic API keys when you upgrade an Ops Manager deployment to version 5.0.0 or later. You no longer must change the keys manually to upgrade your deployment.

  • This release adds the spec.security.certsSecretPrefix field to determine the name that you must give the secret that contains your TLS certificate for MongoDBOpsManager resources.

    To learn more, see spec.security.certsSecretPrefix and the HTTPS tab in the Deploy an Ops Manager Resource tutorial.

Warning

Breaking Changes

This release removes the spec.project setting from the MongoDBUser CustomResourceDefinition.

If your MongoDBUser resource specifications use the spec.project setting, update your specifications to instead use spec.MongoDBResourceRef.name before you upgrade the Kubernetes Operator to 1.13.0 or later.

  • Ops Manager 4.4.7, 4.4.9, 4.4.10, 4.4.11, 4.4.12 and 4.4.13 base images have been updated to Ubuntu 20.04.

  • Ops Manager versions 4.4.16 and 5.0.1 are now supported.

Released 2021-07-15

  • If you set spec.externalConnectivity to false after it was set to true, the Kubernetes Operator deletes the corresponding service.

  • If you set spec.externalConnectivity to false after it was set to true, the Kubernetes Operator deletes the corresponding service.

  • You can specify the number of backup daemon Pods with spec.backup.members. If not set, the value defaults to 1.

  • The Kubernetes Operator now supports the following Ops Manager versions:

    • 4.4.13, 4.4.14, 4.4.15, 4.2.25 and 5.0.0.

  • Before upgrading Ops Manager to version 5.0.0, check that the Kubernetes Operator uses a programmatic API key.

  • Ubuntu based Kubernetes Operator images are now based on Ubuntu 20.04 instead of Ubuntu 16.04.

  • Ubuntu based MongoDB images starting from 2.0.1 are based on Ubuntu 18.04 instead of Ubuntu 16.04.

    Warning

    MongoDB 4.0. does not support Ubuntu 18.04

    MongoDB 4.0. does not support Ubuntu 18.04. If you want to use MongoDB 4.0. with the Kubernetes Operator, use previously released images.

  • Ubuntu based Ops Manager images after 4.4.13 are based on Ubuntu 20.04 instead of Ubuntu 16.04.

  • Newly released UBI images for the Kubernetes Operator, Ops Manager and MongoDB are based on ubi-minimal instead of ubi.

Released 2021-06-03

Removes the topic "Migrate to One Resource per Project (Required for Version 1.3.0)" from the current documentation because v.1.3.0 is EOL. This topic has been archived.

  • Fixes an issue with the Liveness Probe that could cause the database Pods to be restarted in the middle of a restore operation from Backup.

Warning

Breaking Changes

  • Beginning with this release, you can use any version of MongoDB for the Application Database. You must specify this version explicitly when you deploy the MongoDBOpsManager resource.

  • To upgrade the Kubernetes Operator, you must specify the Application Database's version. Check that the spec.applicationDatabase.version has a value in your configuration files for the MongoDBOpsManager custom resource deployment.

  • Each Application Database Pod consists of the following containers (instead of one container with a bundled MongoDB version, as in previous releases):

    • mongodb

    • mongodb-agent

    • mongodb-agent-monitoring

  • The spec.applicationDatabase.persistent setting is removed. The Kubernetes Operator always uses persistent volumes for the Application Database deployed by your MongoDBOpsManager custom resources.

Released 2020-03-25

  • Fixes an issue that prevented multiple Ops Manager resources from having the same name in different namespaces.

  • Fixes an issue that caused new MongoDB resources created with spec.backup.mode=disabled to fail.

  • Fixes an issue with saving changes on the S3 Store page.

  • Fixes an issue that changed the replica set status to Fail, increased the replica set members, and disabled TLS.

  • When you use remote or hybrid mode, and set automation.versions.download.baseUrl, you must set the automation.versions.download.baseUrl.allowOnlyAvailableBuilds property to false. Ops Manager 4.4.11 fixes this issue.

Released 2020-02-05

Fixes errors in the CSV (This only effects the Red Hat market)

  • You can't use MongoDB 4.4 as an application database for an Ops Manager resource.

  • mongodb-enterprise-operator:1.9.2

You can find all images in the following registries:

Released 2020-01-15

  • Fixes an issue where you could not specify the service-account-name in the StatefulSet podSpec override.

  • Removes the unnecessary delete service permission from Operator role.

Warning

Breaking Changes

This release introduces:

  • A new Application Database image, mongodb-enterprise-appdb:10.2.15.5958-1_4.2.11-ent. The image includes MongoDB 4.2.11-ent instead of 4.2.2-ent. You must push the new image to any private repositories that your Kubernetes Operator installation uses, otherwise the MongoDBOpsManager resource won't start.

  • A new required environment variable, APPDB_AGENT_VERSION. If you don't set APPDB_AGENT_VERSION, the MongoDBOpsManager resource can't fetch the MongoDB Agent version for the Application Database.

  • You can't use MongoDB 4.4 as an application database for an Ops Manager resource.

  • mongodb-enterprise-operator:1.9.1

  • mongodb-enterprise-appdb:10.2.15.5958-1_4.2.11-ent

  • mongodb-enterprise-init-appdb:1.0.2

  • mongodb-enterprise-init-database:1.0.6

You can find all images in the following registries:

Released 2020-12-08

  • Fixes an issue where the Kubernetes Operator didn't close connections to Ops Manager, causing too many open file descriptors.

  • You can now configure continuous backup for a MongoDB database resource in its CustomResourceDefinition.

    Note

    To enable continuous backup in the MongoDB CustomResourceDefinition, you must enable backup in an Ops Manager instance that you deployed using the Kubernetes Operator.

  • You can't use MongoDB 4.4 as an application database for an Ops Manager resource.

  • When you upgrade the Kubernetes Operator to this version, the Kubernetes Operator deletes and re-creates the Backup Daemon statefulset.

    This is a safe operation.

    The new Kubernetes service that enables Queryable Backups requires a change to the matchLabels Backup Daemon StatefulSet attribute.

  • The Kubernetes Operator changes the way it collects the status of MongoDB Agent's in Application Database Pods.

  • mongodb-enterprise-operator:1.9.0

You can find all images in the following registries:

Released 2020-11-16

  • You can't use MongoDB 4.4 as an application database for an Ops Manager resource.

Fixes an issue where the Ops Manager resource would reach a Failing state when both spec.externalConnectivity and spec.backup.enabled were enabled.

Released 2020-11-13

  • You can't use MongoDB 4.4 as an application database for an Ops Manager resource.

  • When both spec.externalConnectivity and spec.backup.enabled are enabled in Ops Manager at the same time, the Ops Manager resource fails to reconcile.

  • Fixes a bug where spec.security.authentication.ignoreUnknownUsers could not be modified after creating a MongoDB resource.

  • Fixes failed queryable backups. The Kubernetes Operator now creates a Kubernetes Service that Ops Manager uses to access backups.

  • Fixes an issue that made it impossible to move from non-TLS to a TLS-enabled Application Database.

  • Init containers do not run as root.

  • Ops Manager Backup daemon runs in unprivileged mode.

  • To manage Database Pod resources, use the spec.podSpec.podTemplate MongoDB Custom Resource attribute. For an example resource definition of each supported type, see the samples/mongodb/podspec directory. The following attributes are deprecated:

    • spec.podSpec.cpu

    • spec.podSpec.cpuRequests

    • spec.podSpec.memory

    • spec.podSpec.memoryRequests

Init-database 1.0.1
Init-ops-manager 1.0.3
Init-appdb 1.0.5
Version 4.4.5
Version 4.2.21
Version 4.2.20

For a list of the packages installed and any security vulnerabilities detected in the build process, see the Quay repository for the MongoDB Enterprise Operator and the MongoDB Enterprise Database.

Released 2020-09-30

Warning

Breaking Changes

The MongoDB Enterprise Database image now requires an init container. If you are using a private repository, you must set the INIT_DATABASE_IMAGE_REPOSITORY environment variable in the Operator deployment, and the new init container must exist inside this repository.

  • Introduces new configuration fields:

    • spec.security.authentication.requireClientTLSAuthentication for using the MongoDB Agent client certificate authentication in conjunction with any other authentication mechanism.

    • spec.security.authentication.agents.clientCertificateSecretRef for configuring the client TLS certificate used by the MongoDB Agent when enabling ClientTLSAuthentication.

  • Changes the default permissions of volumes created from secrets from 0644 to 0640.

  • Allows the Application Database to be configured with SCRAM-SHA-256 authentication when using Ops Manager 4.4 or newer version.

  • Changes the validation of the Ops Manager spec.version field to allow for tags that do not match the semver requirements. The spec.version field must start with the Major.Minor.Patch string that represents the Ops Manager version. To learn more about this field, see Ops Manager Resource Specification.

  • Fixes an issue that caused the Operator to choose an incorrect project name when creating MongoDB users.

  • Fixes an issue that caused the MongoDB Ops Manager CRD to have the CA path in the incorrect location.

  • Fixes a bug where the MongoDB Agent could not correctly recognize the parameters that passed through spec.agent.startupOptions.

  • Fixes an issue that could cause potential deadlock when certain configuration options are modified in parallel.

  • You can't use MongoDB 4.4 as an application database for an Ops Manager resource.

  • When you enable queryable backup, you must manually create two additional services for:

    • Exposing the queryable backup port (default: 25999) for the Ops Manager pod.

    • The Backup Daemon pod, to ensure that it is resolvable from the Ops Manager pod.

  • If you deploy Ops Manager in local mode and upgrade from v4.4.1, you must upgrade the MongoDB tools located in the automation.versions.directory, which defaults to /mongodb-ops-manager/mongodb-releases/.

    Tip

    See also:

Released 2020-09-02

  • Ops Manager resources:

    • Fixes a bug where you could not enable SCRAM-SHA authentication for application database resources using certain MongoDB versions with Ops Manager 4.4.

    • Fixes a bug where application database monitoring was not correctly configured in Ops Manager when you enabled TLS for the application database.

    • Fixes a bug to move the Ops Manager CA configuration from spec.applicationDatabase.security.tls.ca to spec.security.tls.ca.

  • MongoDB resources:

    • Fixes a bug that prevented you from increasing or decreasing the number of members in a replica set or a sharded cluster by more than one member at a time for MongoDB 4.4 deployments.

    • Fixes an issue where the Kubernetes Operator could not enable agent authentication if you enabled LDAP authentication for a MongoDB resource.

    • Fixes an issue where you could not create SCRAM users and enable SCRAM authentication in any order for a MongoDB resource.

    • Fixes an issue where the Kubernetes Operator did not remove the backup automation configuration before starting the agent on a MongoDB resource Pod.

  • If you enable TLS on the application database, you must not provide the spec.applicationDatabase.version field in an Ops Manager resource definition.

  • You can't use MongoDB 4.4 as an application database for an Ops Manager resource.

  • When you upgrade to the Kubernetes Operator 1.7.1, you might have to delete the mongodb-enterprise-operator deployment due to deployment configuration changes.

    This is a safe operation. Deleting the mongodb-enterprise-operator Pod does not affect the MongoDB custom resources.

  • If you use TLS certificates signed by a custom CA, you must:

    • Omit the spec.version.applicationDatabase setting from your Ops Manager resource definition, and

    • Deploy Ops Manager in local mode. You must manually copy installation archives for all MongoDB versions you want to use to a Persistent Volume for the Ops Manager StatefulSet.

Released 2020-08-14

Important

Final Release with OpenShift 3.11 Support

Kubernetes Operator 1.7.x is the final minor version release series that supports OpenShift 3.11. Do not upgrade to any future major or minor version releases if you want to continue to deploy the Kubernetes Operator using OpenShift 3.11.

The planned end of life for the Kubernetes Operator 1.7.x release series is July 2021.

  • All Kubernetes Operator Red Hat Docker images are now based on UBI 8. In the previous release, Kubernetes Operator Red Hat Docker images were based on UBI 7.

  • Supports LDAP as an authorization mechanism for MongoDB database resources you deploy with the Kubernetes Operator. For more information, see the sample LDAP configurations on GitHub

  • Fixes a bug that prevented scaling down a replica set from three members to one member.

  • Ops Manager cannot monitor Application Databases secured using TLS.

  • For MongoDB 4.4 deployments, you can increase or decrease the number of members in a replica set or a sharded cluster by only one member at a time.

Released 2020-07-30

  • Ops Manager image for version 4.4.0 is available.

  • The Red Hat database and operator Docker images are now based on the latest UBI 7 release. Two high criticality issues have been resolved.

  • The following Docker images have been released:

    Image Type
    Ubuntu 16.04
    Red Hat UBI 7

    Kubernetes Operator

    quay.io/mongodb/mongodb-enterprise-operator:1.6.1
    quay.io/mongodb/mongodb-enterprise-operator-ubi:1.6.1
    MongoDB Database
    quay.io/mongodb/mongodb-enterprise-database:1.6.1
    quay.io/mongodb/mongodb-enterprise-database-ubi:1.6.1

    Ops Manager

    quay.io/mongodb/mongodb-enterprise-ops-manager:4.4.0
    quay.io/mongodb/mongodb-enterprise-ops-manager-ubi:4.4.0
  • Fixes a bug where the Kubernetes Operator did not store a configuration of your deployed resources in a secret.

  • Fixes a bug where the Kubernetes Operator did not allow passwords of any length or complexity for Application Database, oplog store, and blockstore database resources defined in Ops Manager resources.

  • Fixes a bug where the authentication configuration was not removed from Ops Manager or Cloud Manager projects when you remove a MongoDB database resource.

Released 2020-07-16

  • Supports LDAP as an authentication mechanism for MongoDB database resources you deploy with the Kubernetes Operator. For more information, see the sample LDAP configurations on GitHub.

    Note

    LDAP authorization is not yet supported.

  • Preserves backup history by retaining Ops Manager cluster records when you enable backup.

  • Fixes a bug that prevented the Kubernetes Operator from raising errors when a projectName contained spaces.

  • Fixes a bug that prevented Ops Manager to monitor for all MongoDB database resources that you deploy with the Kubernetes Operator.

Released 2020-07-02

  • Fixes a bug introduced in 1.5.4 where MongoDB Enterprise Kubernetes Operator would not tag projects correctly when working on Ops Manager versions older than 4.2.2. In this version, MongoDB Enterprise Kubernetes Operator tags the projects correctly.

Released 2020-06-22

  • Allows modification of authentication settings using the Cloud Manager or Ops Manager UI if the spec.security.authentication setting is not provided in the MongoDB resource object definition.

  • Supports Helm installation with helm install in addition to helm template | kubectl apply. helm install is now the recommended way to install with Helm.

  • Supports configuring the MongoDB Agent authentication mechanism independently from the cluster authentication mechanism.

  • Supports configuring monitoring for the Application Database to send metrics to Ops Manager. To learn more about the monitoring function of the MongoDB Agent, see MongoDB Agent.

  • Fixes a bug that affected transitioning authentication mechanisms from X.509 to SCRAM.

  • Fixes a bug that prevented the MongoDB Agent from reaching a goal state if SCRAM configuration was changed in the Ops Manager UI.

Released 2020-05-29

Passes Ops Manager and MongoDB deployment configuration properties as Secret environment variables.

  • Correctly configures shutdown timeouts for Ops Manager and the Backup Daemon.

  • Fixes an issue where Kubernetes Operator-watched Secrets and ConfigMaps triggered unnecessary reconciliations.

  • Fixes an issue where the status of custom resources failed to update in OpenShift 3.11.

Released 2020-05-08

  • Runs Ops Manager and Backup Daemon pods under a dedicated service account.

  • Can configure the Kubernetes Operator to watch a subset of provided CustomResourceDefinitions. You can find more information in the documentation.

  • Can generate CustomResourceDefinitions without using subresources. Some versions of Openshift 3.11 require this capability. To avoid using subresources, use --set subresourceEnabled=false when installing the Kubernetes Operator with helm.

  • Fixes setting the spec.statefulSet and spec.backup.statefulSet fields on the MongoDBOpsManager Resource.

  • Fixes an issue that requires a restart of the Kubernetes Operator during setup of webhook.

  • Fixes an issue that could make an Ops Manager resource to reach an unrecoverable state if the provided admin password has insufficient strength.

Released 2020-04-30

Deprecates the generation of TLS certificates by the Kubernetes Operator. If you use Kubernetes Operator-generated certificates, warning messages now appear in the Kubernetes Operator logs. To configure secure deployments, see Secure Client Connections.

Fixes an issue where, when no authentication is configured by the Kubernetes Operator, the Kubernetes Operator disables authentication in Cloud Manager or Ops Manager. The Kubernetes Operator no longer disables authentication unless you explicitly set spec.security.authentication.enabled to false.

When you configure the spec.statefulSet.spec and spec.backup.statefulSet.spec settings of the MongoDBOpsManager resource, you can only configure the spec.statefulSet.spec.template and spec.backup.statefulSet.spec.template fields. Any other spec.statefulSet.spec or spec.backup.statefulSet.spec field has no effect.

Released 2020-04-24

Adds the ability to start the Kubernetes Operator with some but not all MongoDB CustomResourceDefinitions installed. Administrators can specify the container argument watch-resource to limit the Kubernetes Operator to deploy either MonogDB instances or Ops Manager, or both.

Warning

Breaking Changes

Adds the following new Kubernetes Operator configuration properties:

  • INIT_OPS_MANAGER_IMAGE_REPOSITORY

  • INIT_APPDB_IMAGE_REPOSITORY

  • APPDB_IMAGE_REPOSITORY

When using a private docker registry, these properties must point to the relevant registries after you copy the images from the MongoDB distribution channels.

  • Increases support for custom TLS certificates with the spec.security.tls.secretRef and spec.security.tls.ca configuration settings.

  • Deprecates TLS certificate generation by the Kubernetes Operator. Migrating to custom TLS certificates is recommended.

  • Releases the MongoDBOpsManager resource as Generally Available (GA). MongoDB now supports using the Kubernetes Operator to deploy Ops Manager resources to Kubernetes in production environments.

  • Supports Backup Blockstore Snapshot Stores.

  • Defaults to the Application Database as a metadata database for Backup S3 Snapshot Stores.

  • Supports spec.jvmParameters and spec.backup.jvmParameters to add or override JVM parameters in Ops Manager and Backup Daemon processes.

  • Automatically configures Ops Manager and Backup Daemon JVM memory parameters based on Pod memory availability.

  • Supports TLS for Ops Manager and the Application Database.

  • Adds more detailed information to the status field.

  • Supports Ops Manager Local Mode for MongoDBOpsManager resources with multiple replicas by enabling users to specify PersistentVolumeClaimTemplates in spec.statefulSet.spec.

  • Implements a new image versioning scheme.

Warning

Breaking Changes

See the sample YAML files for new feature usage examples.

Fixes CVE-2020-7922: Kubernetes Operator generates potentially insecure certificates.

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Kubernetes Operator to generate their X.509 certificates are unaffected.

CWE-295: Improper Certificate Validation CVSS score: 6.4 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

  • 1.0, 1.1

  • 1.2.0 - 1.2.4

  • 1.3.0 - 1.3.1

  • 1.4.0 - 1.4.4

  • 1.2.5

  • 1.4.5 and above

Supports changes in the Cloud Manager API.

  • Properly terminates resources with a termination hook.

  • Implements stricter validations.

  • MongoDB resources:

    • Fixes an issue when working with Ops Manager with custom HTTPS certificates.

Released 2020-02-24

Adds a webhook to validate a Kubernetes Operator configuration.

  • Adds support for sidecars for MongoDB resource pods using the spec.podSpec.podTemplate setting.

  • Allows users to change the PodSecurityContext to allow privileged sidecar containers.

  • Adds the spec.podSpec configuration settings for Ops Manager, the Backup Daemon, and the Application Database. See Ops Manager Resource Specification.

  • Ops Manager image for version 4.2.8 is available.

  • MongoDB resources:

    • Fixes potential race conditions when deleting MongoDB resources.

  • Ops Manager resources:

    • Supports the spec.clusterDomain setting for Ops Manager and Application Database resources.

    • No longer starts monitoring and backup processes for the Application Database.

See the sample YAML files for new feature usage examples.

Released 2020-01-24

  • Runs MongoDB database Kubernetes Pods under a dedicated Kubernetes service account: mongodb-enterprise-database-pods.

  • Adds the spec.podSpec.podTemplate setting, which allows you to apply templates to Kubernetes Pods that the Kubernetes Operator generates for each database StatefulSet.

  • Renames the spec.clusterName setting to spec.clusterDomain.

  • Adds offline mode support for the Application Database. Bundles MongoDB Enterprise version 4.2.2 with the Application Database image. Internet access is not required to install the application database if spec.applicationDatabase.version is set to "4.2.2-ent" or omitted.

  • Renames the spec.clusterName setting to spec.clusterDomain.

  • Ops Manager images for versions 4.2.6 and 4.2.7 are available.

  • MongoDB resources:

    • Fixes the order of sharded cluster component creation.

    • Allows TLS to be enabled on Amazon EKS.

  • Ops Manager resources:

    • Enables the Kubernetes Operator to use the spec.clusterDomain setting.

See the sample YAML files for new feature usage examples.

Released 2019-12-13

Released 2019-12-09

  • Adds split horizon DNS support for MongoDB replica sets, which allows clients to connect to a replica set from outside of the Kubernetes cluster.

  • Supports requests for Kubernetes Operator-generated certificates for additional certificate domains, which makes them valid for the specified subdomains.

  • Promotes the MongoDBOpsManager resource to Beta. Ops Manager version 4.2.4 is available.

  • Supports Backup and restore in Kubernetes Operator-deployed Ops Manager instances. This is a semi-automated process that deploys everything you need to enable backups in Ops Manager. You can enable Backup by setting the spec.backup.enabled setting in the Ops Manager custom resource. You can configure the Head Database, Oplog Store, and S3 Snapshot Store by using the MongoDBOpsManager resource specification.

  • Supports access to Ops Manager from outside the Kubernetes cluster through the spec.externalConnectivity setting.

  • Enables SCRAM-SHA-1 authentication on Ops Manager's Application Database by default.

  • Adds support for OpenShift (Red Hat UBI Images).

For more information on how to enable new features, see the sample YAML files in the samples directory.

  • Improves overall stability of X.509 user management.

Released 2019-11-08

Important

This release introduces significant changes that may not be compatible with previous deployments or resource configurations. Migrate to one resource per project before upgrading the Kubernetes Operator.

  • Requires one MongoDB resource per Ops Manager project. If you have more than one MongoDB resource in a project, all resources will change to a Pending status and the Kubernetes Operator won’t perform any changes on them. The existing MongoDB databases will still be accessible. You must migrate to one resource per project.

  • Supports SCRAM-SHA authentication mode. See the MongoDB Enterprise Kubernetes Operator GitHub repository for examples.

  • Requires that the project (ConfigMap) and credentials (secret) referenced from a MongoDB resource be in the same namespace.

  • Adds OpenShift installation files (YAML file and Helm chart configuration).

Released 2019-10-25

Important

This release introduces significant changes that may not be compatible with previous deployments or resource configurations. Migrate to one resource per project before installing or upgrading the Kubernetes Operator.

This release introduces significant changes to the Ops Manager resource's architecture. The Ops Manager application database is now managed by the Kubernetes Operator, not by Ops Manager.

  • Stops unnecessary recreation of NodePorts.

  • Fixes logging so it's always in JSON format.

  • Sets USER in the Kubernetes Operator Docker image.

Fixes CVE-2020-7922: Kubernetes Operator generates potentially insecure certificates.

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Kubernetes Operator to generate their X.509 certificates are unaffected.

CWE-295: Improper Certificate Validation CVSS score: 6.4 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

  • 1.0, 1.1

  • 1.2.0 - 1.2.4

  • 1.3.0 - 1.3.1

  • 1.4.0 - 1.4.4

  • 1.2.5

  • 1.4.5 and above

Released 2019-10-02

  • Increases stability of Sharded Cluster deployments.

  • Improves internal testing infrastructure.

Released 2019-09-13

  • Update: The MongoDB Enterprise Kubernetes Operator will remove support for multiple clusters per project in a future release. If a project contains more than one cluster, a warning will be added to the status of the MongoDB Resources. Additionally, any new cluster being added to a non-empty project will result in a Failed state, and won't be processed.

  • Fix: The overall stability of the operator has been improved. The operator is now more conservative in resource updates both on Kubernetes and Cloud Manager or Ops Manager.

Released 2019-08-30

  • Security Fix: Clusters configured by Kubernetes Operator versions 1.0 through 1.2.1 used an insufficiently strong keyfile for internal cluster authentication between mongod processes. This only affects clusters which are using X.509 for user authentication, but are not using X.509 for internal cluster authentication. Users are advised to upgrade to version 1.2.2, which will replace all managed keyfiles.

  • Security Fix: Clusters configured by Kubernetes Operator versions 1.0 through 1.2.1 used an insufficiently strong password to authenticate the MongoDB Agent. This only affects clusters which have been manually configured to enable SCRAM-SHA-1, which is not a supported configuration. Users are advised to upgrade to version 1.2.2, which will reset these passwords.

Released 2019-08-23

  • Fix: The Kubernetes Operator no longer recreates CSRs when X.509 authentication is enabled and the approved CSRs have been deleted.

  • Fix: If the OPERATOR_ENV environment variable is set to something unrecognized by the Kubernetes Operator, it will no longer result in a CrashLoopBackOff of the pod. A default value of prod is used.

  • The Kubernetes Operator now supports more than 100 agents in a given project.

Released 2019-08-13

  • Adds a readinessprobe to the MongoDB Pods to improve the reliability of rolling upgrades.

This feature is an alpha release. It is not ready for production use.

Released 2019-07-19

  • Fix: Adds sample yaml files, in particular, the attribute related to featureCompatibilityVersion.

  • Fix: TLS can be disabled in a deployment.

  • Improvement: Adds script in the support directory that can gather information of your MongoDB resources in Kubernetes.

  • Improvement: In a TLS environment, the Kubernetes Operator can use a custom CA. All the certificates must be passed as secret objects.

Released 2019-06-18

  • Supports Kubernetes v1.11 or later.

  • Provisions any kind of MongoDB deployment in the Kubernetes Cluster of your Organization:

  • Configures TLS on the MongoDB deployments and encrypt all traffic. Hosts and clients can verify each other’s identities.

  • Manages MongoDB users.

  • Supports X.509 authentication to your MongoDB databases.

Tip

See also:

To learn how to install and configure the Operator, see Install and Configure the Kubernetes Operator.

Note

Questions about the Kubernetes Operator GA release

If you have any questions regarding this release, use the #enterprise-kubernetes Slack channel.

Released 2019-06-07

  • Rolling upgrades of MongoDB resources ensure that rs.stepDown() is called for the primary member. Requires MongoDB patch version 4.0.8 and later or MongoDB patch version 4.1.10 and later.

  • During a MongoDB major version upgrade, the featureCompatibilityVersion field can be set.

  • Fixed a bug where replica sets with more than seven members could not be created.

  • X.509 Authentication can be enabled at the Project level. Requires Cloud Manager, Ops Manager patch version 4.0.11 and later, or Ops Manager patch version 4.1.7 and later.

  • Internal cluster authentication based on X.509 can be enabled at the deployment level.

  • MongoDB users with X.509 authentication can be created, using the new MongoDBUser custom resource.

Released 2019-04-29

  • NodePort service creation can be disabled.

  • TLS can be enabled for internal authentication between MongoDB in replica sets and sharded clusters. The TLS certificates are created automatically by the Kubernetes Operator. Refer to the sample .yaml files in the GitHub repository for examples.

  • Wide or asterisk roles have been replaced with strict listing of verbs in roles.yaml.

  • Printing mdb objects with kubectl will provide more information about the MongoDB object: type, state, and MongoDB server version.

Released 2019-04-02

  • The Kubernetes Operator and database images are now based on ubuntu:16.04.

  • The Kubernetes Operator now uses a single CustomResourceDefinition named MongoDB instead of the MongoDbReplicaSet, MongoDbShardedCluster, and MongoDbStandalone CRDs.

    Important

    Follow the upgrade procedure to transfer existing MongoDbReplicaSet, MongoDbShardedCluster, and MongoDbStandalone resources to the new format.

  • For a list of the packages installed and any security vulnerabilities detected in our build process, see:

Released 2019-03-19

  • The Operator and Database images are now based on debian:stretch-slim which is the latest and up-to-date Docker image for Debian 9.

Released 2019-02-26

  • Perform Ops Manager clean-up on deletion of MongoDB resource without the use of finalisers.

  • Bug fix: Race conditions when communicating with Ops Manager.

  • Bug fix: ImagePullSecrets being incorrectly initialized in OpenShift.

  • Bug fix: Unintended fetching of closed projects.

  • Bug fix: Creation of duplicate organizations.

  • Bug fix: Reconciliation could fail for the MongoDB resource if some other resources in Ops Manager were in error state.

Released 2019-02-01

  • Improved detailed status field for MongoDB resources.

  • The Kubernetes Operator watches changes to configuration parameters in a project configMap and the credentials secret then performs a rolling upgrade for relevant Kubernetes resources.

  • Added JSON structured logging for MongoDB Agent Pods.

  • Support DNS SRV records for MongoDB access.

  • Bug fix: Avoiding unnecessary reconciliation.

  • Bug fix: Improved Ops Manager/Cloud Manager state management for deleted resources.

Released 2018-12-17

  • Refactored code to use the controller-runtime library to fix issues where Operator could leave resources in inconsistent state. This also introduced a proper reconciliation process.

  • Added new status field for all MongoDB Kubernetes resources.

  • Can configure Operator to watch any single namespace or all namespaces in a cluster (requires cluster role).

  • Improved database logging by adding a new configuration property logLevel. This property is set to INFO by default. MongoDB Agent and MongoDB logs are merged in to a single log stream.

  • Added new configuration Operator timeout. It defines waiting time for database pods start while updating MongoDB resources.

  • Fix: Fixed failure detection for mongos.

Released 2018-11-14

  • Image for database no longer includes the binary for the Automation Agent. The container downloads the Automation Agent binary from Ops Manager when it starts.

  • Fix: Communication with Ops Manager failed if the project with the same name existed in different organization.

Released 2018-10-04

  • If a backup was enabled in Ops Manager for a Replica Set or Sharded Cluster that the Kubernetes Operator created, then the Kubernetes Operator disables the backup before removing a resource.

  • Improved persistence support:

    • The data, journal and log directories are mounted to three mountpoints in one or three volumes depending upon the podSpec.persistence setting.

      Setting
      Mount Directories to
      podSpec.persistence.single
      One volume
      podSpec.persistence.multiple
      Three volumes

      Prior to this release, only the data directory was mounted to persistent storage.

    • A new parameter, labelSelector, allows you to specify the selector for volumes that Kubernetes Operator should consider mounting.

    • If StorageClass is not specified in the persistence configuration, then the default StorageClass for the cluster is used. In most of public cloud providers, this results in dynamic volume provisioning.

Released 2018-08-07

  • The Operator no longer creates the CustomResourceDefinition objects. The user needs to create them manually. Download and apply this new yaml file (crd.yaml) to create/configure these objects.

  • ClusterRoles are no longer required. How the Operator watches resources has changed. Until the last release, the Operator would watch for any resource on any namespace. With 0.3, the Operator watches for resources in the same namespace in which it was created. To support multiple namespaces, multiple Operators can be installed. This allows isolation of MongoDB deployments.

  • Permissions changes were made to how PersistentVolumes are mounted.

  • Added configuration to Operator to not create SecurityContexts