Releases: mongodb/mongodb-enterprise-kubernetes
MongoDB Enterprise Kubernetes Operator 1.5.5
MongoDB Resource Changes
- Additional options for more granular configuration of mongod/mongos processes. You can find an example of how to apply these options in public/samples/mongodb/mongodb-options and in the MongoDB documentation.
Bug Fixes
- A bug introduced in version 1.5.4 caused projects not to be tagged correctly when working with projects on Ops Manager versions older than 4.2.2. When updating to 1.5.5, the new operator version will tag the projects correctly.
MongoDB Enterprise Kubernetes Operator 1.5.4
- Authentication settings can be modified using the Ops/Cloud Manager UI if the spec.security.authentication object has not been provided on the MongoDB resource object definition.
- Fixed a bug triggered when transitioning authentication mechanisms from X509 to SCRAM
- Fixed a bug that prevented the MongoDB agent from reaching goal state if the SCRAM configuration was changed in the Ops Manager UI
- Installation now supports helm install/upgrade instead of helm template | kubectl apply
- Agent authentication mechanism can now be configured independently of cluster authentication mechanism
- Configure monitoring agents for AppDB to send metrics to Ops Manager
MongoDB Enterprise Kubernetes Operator 1.5.3
Bug Fixes
- Fixed an issue where unnecessary reconciliations were triggered by operator-watched Secrets and ConfigMaps.
- Shutdown timeouts are now correctly configured for Ops Manager and the Backup Daemon
- Ops Manager and MongoDB deployment configuration properties are now passed more securely.
- Fixed an issue where updating the status of the custom resources failed in OpenShift 3.11
MongoDB Enterprise Kubernetes Operator 1.5.2
Ops Manager Resource Changes
- Ops Manager and Backup Daemon pods are run under a dedicated service account.
Kubernetes Operator Changes
- The Operator can be configured to watch only a subset of Custom Resource Definitions provided. You can find more information in the documentation.
- CRDs can be generated without the use of subresources. This is needed on some versions of OpenShift 3.11. To do this, use --set subresourceEnabled=false when installing the Operator with helm.
Bug Fixes
- Fixed setting the spec.statefulSet and spec.backup.statefulSet fields on the MongoDBOpsManager Resource.
- Fixed a bug that could cause an Ops Manager resource to reach an unrecoverable state if the provided admin password is not strong enough.
- Fixed an error and restart of the Operator during setup of webhook.
MongoDB Enterprise Kubernetes Operator 1.5.1
Kubernetes Operator Changes
- Fixed an issue where, when no authentication was configured by the operator, the operator would disable authentication in Ops Manager or Cloud Manager. The operator will no longer disable authentication unless spec.security.authentication.enabled: false is explicitly set.
- The generation of TLS certificates by the operator is being deprecated. Warning messages will now appear if operator-generated certificates are used. See the documentation at https://docs.mongodb.com/kubernetes-operator/stable/secure/ for how to configure secure deployments.
Known Issues
- When configuring the spec.statefulSet and spec.backup.statefulSet options of the MongoDBOpsManager resource, configuring any field other than the statefulSet.spec.template fields will have no effect.
MongoDB Enterprise Kubernetes Operator 1.5.0
Kubernetes Operator Changes
- Adds the ability to start the Operator with only some of our CRDs installed. This allows administrators to limit the Operator to only be able to deploy either MongoDB instances or Ops Manager, if desired. This can be configured by specifying container arguments watch-resource.
MongoDB Resource Changes
- Better support for custom TLS certificates by using spec.security.tls.secretRef and spec.security.tls.ca configuration properties
- TLS certificate generation by the Operator is now deprecated. We recommend migration to custom TLS certificates
Ops Manager Resource Changes
- The MongoDBOpsManager resource is now Generally Available (GA).
- Breaking change: removes the spec.podSpec and spec.backup.podSpec fields in favour of spec.statefulSet and spec.backup.statefulSet configuration properties.
- Breaking change: new Operator configuration properties INIT_OPS_MANAGER_IMAGE_REPOSITORY, INIT_APPDB_IMAGE_REPOSITORY, APPDB_IMAGE_REPOSITORY were added. When using a private docker registry, these properties have to point to the relevant registries after having copied the images from our distribution channels.
- Adds support for Backup Blockstore Snapshot Stores
- The Backup S3 Snapshot Store now uses Application Database as a metadata database by default
- Adds support for spec.jvmParameter and spec.backup.jvmParameter to add or override JVM parameters in Ops Manager and Backup Daemon processes
- Ops Manager and Backup Daemon JVM memory parameters are automatically configured based on pod memory availability
- Adds support for TLS for Ops Manager and the Application Database
- Adds more detailed information to status field
- Support for Ops Manager Local Mode for MongoDBOpsManager resources with multiple replicas by enabling users to specify PersistentVolumeClaimTemplates in spec.statefulSet
- New Image Versioning Scheme
- Known Issues: To enable S3 Snapshot stores in Ops Manager 4.2.10 and 4.2.12, users must set "brs.s3.validation.testing: disabled"
See the sample YAML files for new feature usage examples.
MongoDB Enterprise Kubernetes Operator 1.4.5
MongoDB Resource Security Fixes
Fixes CVE-2020-7922: Kubernetes Operator generates potentially insecure certificates
CVE description:
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected.
Common Weakness Enumeration:
CWE-295: Improper Certificate Validation
CVSS score: 6.4
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected versions:
- 1.0, 1.1
- 1.2.0 - 1.2.4
- 1.3.0 - 1.3.1
- 1.4.0 - 1.4.4
Fixed Versions:
- 1.4.5
- 1.2.5
MongoDB Enterprise Kubernetes Operator 1.2.5
MongoDB Resource Security Fixes
Fixes CVE-2020-7922: Kubernetes Operator generates potentially insecure certificates
CVE description:
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected.
Common Weakness Enumeration:
CWE-295: Improper Certificate Validation
CVSS score: 6.4
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected versions:
- 1.0, 1.1
- 1.2.0 - 1.2.4
- 1.3.0 - 1.3.1
- 1.4.0 - 1.4.4
Fixed Versions:
- 1.4.5
- 1.2.5
MongoDB Enterprise Kubernetes Operator 1.4.4
MongoDB Resource Changes
- Supports changes in the Cloud Manager API.
Ops Manager Resource Changes (Beta Release)
- Properly terminates resources with a termination hook.
- Implements stricter validations.
Bug Fixes
- Fixes an issue when working with Ops Manager with custom HTTPS certificates.
MongoDB Enterprise Kubernetes Operator 1.4.3
Kubernetes Operator Changes
- Added webhook to validate Kubernetes Operator configuration.
MongoDB Resource Changes
- Adds support for sidecars for MongoDB Kubernetes resource pods using the spec.podSpec.podTemplate setting.
- Allows users to change the pod SecurityContext to allow privileged sidecar containers.
Ops Manager Resource Changes (Beta Release)
- Adds the spec.podSpec configuration settings for Ops Manager, the Backup Daemon, and the Application Database.
- Ops Manager image for version 4.2.8 is available.
Bug Fixes
MongoDB resources:
- Fixes potential race conditions when deleting MongoDB Kubernetes resources.
Ops Manager resources:
- Supports the spec.clusterDomain setting for Ops Manager and Application Database resources.
- No longer starts monitoring and backup processes for the Application Database.