New features

• LDAP : added “spec.security.authentication.agents.automationLdapGroupDN” field to the CRD
• Make agent.auth mandatory if more than one auth mode is specified
• Added the possibility to specify agent startup parameters:
  • “spec.agent.startupOptions” for replica sets/standalone
  • “spec.configSrv.agent.startupOptions”, “spec.mongos.agent.startupOptions”, “spec.shard.agent.startupOptions” for sharded clusters
  • “spec.applicationDatabase.agent.startupOptions” for AppDB

Bug fixes

• MongoDBOpsManager resource:
  • Backing databases with SCRAM-SHA authentication enabled can be of any version if Ops Manager has version 4.4 and above
  • AppDB Monitoring is now correctly configured in Ops Manager when TLS is configured for the AppDB
    The Ops Manager CA configuration property has moved from "spec.applicationDatabase.security.tls.ca" to "spec.security.tls.ca"
• MongoDB resource:
  • Fixed issue where MongoDB 4.4 Replica Sets and Sharded Clusters could not be scaled correctly
  • Fixed an issue in which the operator couldn’t enable agent authentication if only LDAP authentication for the deployment was enabled
  • SCRAM users creation operation and enabling SCRAM authentication in MongoDB resource operation can be done in any order
    Backup automation config is now removed before launching the agent

Known Issues

• ‘spec.applicationDatabase.version” field should not be configured for MongoDBOpsManager resource if AppDB has TLS enabled
  AppDB MongoDB version 4.4+ is not supported
• 1.7.0 release of the Operator made changes to the Deployment configuration which may require to delete the ‘mongodb-enterprise-operator’ Deployment before the upgrade. This is a safe operation as the existing Custom Resources won’t be affected.
• If using TLS certificates signed with a custom certificate authority, the following should be taken into consideration:
  • The “version” of spec.applicationDatabase should not be set (the default version will be used)
  • Ops Manager will have to be configured in “Local Mode”. Every MongoDB version required will need to be copied to Ops Manager in order to be fetched from the database images.

The 1.7.x releases will be the last versions to support OpenShift 3.11. Please, make sure to stay with the 1.7.x release series in order to support OpenShift 3.11. Planned EOL for 1.7.x is July 2021.

New Features:

• LDAP can be enabled as an authentication and authorization mechanism. Please refer to the samples in samples/mongodb/authentication/ldap directory for examples on how to enable LDAP for your Replica Set and Sharded Clusters.
• All UBI images are now based on UBI8 (was UBI7 previously)

Bug fixes:

• Fixed a bug preventing ReplicaSet to scale down from 3 to 1 members

Known Issues:

• AppDBs with TLS are currently not configured for monitoring by Ops Manager

MongoDB Ops Manager Resource Changes

• Ops Manager image for version 4.4.0 is available.

Bug Fixes

• Fixes a bug where the Kubernetes Operator did not store a configuration of your deployed resources in a secret.
• Fixes a bug where the Kubernetes Operator did not allow passwords of any length or complexity for Application Database, oplog store, and blockstore database resources defined in Ops Manager resources.
• Fixes a bug where the authentication configuration was not removed from Ops Manager or Cloud Manager projects when you remove a MongoDB database resource.

Docker Images Released

Operator

• Ubuntu 16.04: quay.io/mongodb/mongodb-enterprise-operator:1.6.1
• UBI7: quay.io/mongodb/mongodb-enterprise-operator-ubi:1.6.1

Database

• Ubuntu 16.04: quay.io/mongodb/mongodb-enterprise-database:1.6.1
• UBI7: quay.io/mongodb/mongodb-enterprise-database-ubi:1.6.1

Ops Manager:

• Ubuntu 16.04: quay.io/mongodb/mongodb-enterprise-ops-manager:4.4.0
• UBI7: quay.io/mongodb/mongodb-enterprise-ops-manager-ubi:4.4.0

Init AppDB:

• Ubuntu 16.04: quay.io/mongodb/mongodb-enterprise-init-appdb:1.0.2
• UBI7: quay.io/mongodb/mongodb-enterprise-init-appdb-ubi:1.0.2

New features

• LDAP can be enabled as an authentication mechanism (authorisation support will be available in the next release), please refer to the samples in the samples/mongodb/authentication/ldap directory.
• Operator will not delete OpsManager Cluster records when backup is enabled to preserve backup history.

Bug fixes

• Operator raises errors when projectName contains blank spaces
• Enable the Monitoring function for all the pods deployed via the K8s Operator

MongoDB Resource Changes

• Additional options for more granular configuration of mongod/mongos processes. You can find an example of how to apply these options in the public/samples/mongodb/mongodb-options and in the MongoDB documentation.

Bug Fixes

• A bug was introduced in version 1.5.4 that would not tag projects correctly, when working with projects on Ops Manager versions older than 4.2.2. When updating to 1.5.5, the new operator version will tag the projects correctly.

• Authentication settings can be modified using Ops/Cloud Manager UI if spec.security.authentication object has not been provided on the MongoDB resource object definition.
• Fixed a bug triggered when transitioning authentication mechanisms from X509 to SCRAM
• Fixed a bug that prevented the MongoDB agent to reach goal state if SCRAM configuration was changed in OpsManager UI
• Installation now support helm install/upgrade instead of helm template | kubectl apply
• Agent authentication mechanism can now be configured independently of cluster authentication mechanism
• Configure monitoring agents for AppDB to send metrics to OpsManager

Bug Fixes

• Fixed an issue where unnecessary reconciliations were triggered by operator watched Secrets and ConfigMaps.
• Shutdown timeouts are now correctly configured for Ops Manager and the Backup Daemon
• Ops Manager and MongoDB deployment configuration properties are now passed more securely.
• Fixed an issue where updating the status of the custom resources failed in Openshift 3.11

Ops Manager Resource Changes

• Ops Manager and Backup Daemon pods are run under a dedicated service account.

Kubernetes Operator Changes

• The Operator can be configured to watch only a subset of Custom Resource Definitions provided. You can find more information in the documentation.
• CRDs can be generated without the use of subresources. This is needed on some versions of Openshift 3.11. In order to do this, use --set subresourceEnabled=false when installing the Operator with helm.

Bug Fixes

• Fixed setting the spec.statefulSet and spec.backup.statefulSet fields on the MongoDBOpsManager Resource.
• FIxed a bug that could make an Ops Manager resource to get to an unrecoverable state if the provided admin password is not strong enough.
• Fixed an error and restart of the Operator during setup of webhook.

Kubernetes Operator Changes

• Fixed issue where when no authentication was configured by the operator, the operator would disable authentication in Ops Manager or Cloud Manager. The operator will no longer disable authentication unless spec.security.authentication.enabled: false is explicitly set.

• The generation of TLS certificates by the operator is being deprecated. Warning messages will now appear if operator generated certificates are used. See the documentation https://docs.mongodb.com/kubernetes-operator/stable/secure/ for how to configure secure deployments.

Known Issues

• When configuring the spec.statefulSet and spec.backup.statefulSet options of the MongoDBOpsManagerResource, configuring any field other than statefulSet.spec.template fields will have no effect.

Kubernetes Operator Changes

• Adds the ability to start the Operator with only some of our CRDs installed. This allows administrators to limit the Operator to only be able to deploy either MonogDB instances or Ops Manager, if desired. This can be configured by specifying container arguments watch-resource.

MongoDB Resource Changes

• Better support for custom TLS certificates by using spec.security.tls.secretRef and spec.security.tls.ca configuration properties

• TLS certificate generation by the Operator is now deprecated. We recommend migration to custom TLS certificates

Ops Manager Resource Changes

• The MongoDBOpsManager resource is now Generally Available (GA).

• Breaking change: removes the spec.podSpec and spec.backup.podSpec fields in favour of spec.statefulSet and spec.backup.statefulSet configuration properties.

• Breaking change: new Operator configuration properties INIT_OPS_MANAGER_IMAGE_REPOSITORY, INIT_APPDB_IMAGE_REPOSITORY, APPDB_IMAGE_REPOSITORY were added. When using a private docker registry, these properties have to point to the relevant registries after having copied the images from our distribution channels.

• Adds support for Backup Blockstore Snapshot Stores

• The Backup S3 Snapshot Store now uses Application Database as a metadata database by default

• Adds support for spec.jvmParameter and spec.backup.jvmParameter to add or override JVM parameters in Ops Manager and Backup Daemon processes

• Ops Manager and Backup Daemon JVM memory parameters are automatically configured based on pod memory availability

• Adds support for TLS for Ops Manager and the Application Database

• Adds more detailed information to status field

• Support for Ops Manager Local Mode for MongoDBOpsManager resources with multiple replicas by enabling users to specify PersistentVolumeClaimTemplates in spec.statefulSet

• New Image Versioning Scheme

• Known Issues: To enable S3 Snapshot stores in Ops Manager 4.2.10 and 4.2.12, users must set "brs.s3.validation.testing: disabled"

See the sample YAML files for new feature usage examples.