MongoDB Enterprise Kubernetes Operator 1.25.0
mms-build-account
released this
01 May 11:22
·
7 commits
to master
since this release
Known Issues
- mongodb-enterprise-openshift.yaml file released in this version is incomplete. There is missing operator's ServiceAccount resource. Please use the newer version of the operator or add the service account manually from this commit.
New Features
- MongoDBOpsManager: Added support for deploying Ops Manager Application on multiple Kubernetes clusters. See documentation for more information.
- (Public Preview) MongoDB, OpsManager: Introduced opt-in Static Architecture (for all types of deployments) that avoids pulling any binaries at runtime.
* This feature is recommended only for testing purposes, but will become the default in a later release.
* You can activate this mode by setting theMDB_DEFAULT_ARCHITECTURE
environment variable at the Operator level tostatic
. Alternatively, you can annotate a specificMongoDB
orOpsManager
Custom Resource withmongodb.com/v1.architecture: "static"
.- The Operator supports seamless migration between the Static and non-Static architectures.
- To learn more please see the relevant documentation:
- MongoDB: Recover Resource Due to Broken Automation Configuration has been extended to all types of MongoDB resources, now including Sharded Clusters. For more information see https://www.mongodb.com/docs/kubernetes-operator/master/reference/troubleshooting/#recover-resource-due-to-broken-automation-configuration
- MongoDB, MongoDBMultiCluster: Placeholders in external services.
- You can now define annotations for external services managed by the operator that contain placeholders which will be automatically replaced to the proper values.
- Previously, the operator was configuring the same annotations for all external services created for each pod. Now, with placeholders the operator is able to customize
annotations in each service with values that are relevant and different for the particular pod. - To learn more please see the relevant documentation:
- MongoDB: spec.externalAccess.externalService.annotations
- MongoDBMultiCluster: spec.externalAccess.externalService.annotations
kubectl mongodb
:- Added printing build info when using the plugin.
setup
command:- Added
--image-pull-secrets
parameter. If specified, created service accounts will reference the specified secret onImagePullSecrets
field. - Improved handling of configurations when the operator is installed in a separate namespace than the resources it's watching and when the operator is watching more than one namespace.
- Optimized roles and permissions setup in member clusters, using a single service account per cluster with correctly configured Role and RoleBinding (no ClusterRoles necessary) for each watched namespace.
- Added
- OpsManager: Added the
spec.internalConnectivity
field to allow overrides for the service used by the operator to ensure internal connectivity to theOpsManager
pods. - Extended the existing event based reconciliation by a time-based one, that is triggered every 24 hours. This ensures all Agents are always upgraded on timely manner.
- OpenShift / OLM Operator: Removed the requirement for cluster-wide permissions. Previously, the operator needed these permissions to configure admission webhooks. Now, webhooks are automatically configured by OLM.
- Added optional
MDB_WEBHOOK_REGISTER_CONFIGURATION
environment variable for the operator. It controls whether the operator should perform automatic admission webhook configuration. Default: true. It's set to false for OLM and OpenShift deployments.
Breaking Change
- MongoDBOpsManager Stopped testing against Ops Manager 5.0. While it may continue to work, we no longer officially support Ops Manager 5 and customers should move to a later version.
Helm Chart
- New
operator.webhook.registerConfiguration
parameter. It controls whether the operator should perform automatic admission webhook configuration (by settingMDB_WEBHOOK_REGISTER_CONFIGURATION
environment variable for the operator). Default: true. It's set to false for OLM and OpenShift deployments. - Changing the default
agent.version
to107.0.0.8502-1
, that will change the default agent used in helm deployments. - Added
operator.additionalArguments
(default: []) allowing to pass additional arguments for the operator binary. - Added
operator.createResourcesServiceAccountsAndRoles
(default: true) to control whether to install roles and service accounts for MongoDB and Ops Manager resources. Whenmongodb kubectl
plugin is used to configure the operator for multi-cluster deployment, it installs all necessary roles and service accounts. Therefore, in some cases it is required to not install those roles using the operator's helm chart to avoid clashes.
Bug Fixes
- MongoDBMultiCluster: Fields
spec.externalAccess.externalDomain
andspec.clusterSpecList[*].externalAccess.externalDomains
were reported as required even though they weren't
used. Validation was triggered prematurely when structurespec.externalAccess
was defined. Now, uniqueness of external domains will only be checked when the external domains are
actually defined inspec.externalAccess.externalDomain
orspec.clusterSpecList[*].externalAccess.externalDomains
. - MongoDB: Fixed a bug where upon deleting a MongoDB resource the
controlledFeature
policies are not unset on the related OpsManager/CloudManager instance, making cleanup in the UI impossible in the case of losing the kubernetes operator. - OpsManager: The
admin-key
Secret is no longer deleted when removing the OpsManager Custom Resource. This enables easier Ops Manager re-installation. - MongoDB ReadinessProbe Fixed the misleading error message of the readinessProbe:
"... kubelet Readiness probe failed:..."
. This affects all mongodb deployments. - Operator: Fixed cases where sometimes while communicating with Opsmanager the operator skipped TLS verification, even if it was activated.
Improvements
Kubectl plugin: The released plugin binaries are now signed, the signatures are published with the release assets. Our public key is available at this address. They are also notarized for MacOS.
Released Images signed: All container images published for the enterprise operator are cryptographically signed. This is visible on our Quay registry, and can be verified using our public key. It is available at this address.