Upgrade from Kubernetes Operator 1.12 with TLS Enabled
MongoDB Enterprise Kubernetes Operator 1.13 introduced several changes to how it handles TLS secrets for Ops Manager and database deployments.
If you installed Kubernetes Operator 1.12 or earlier and you secure access to your resources using TLS, complete this task to upgrade to the latest Kubernetes Operator version and migrate your opaque TLS secrets to kubernetes.io/tls type secrets without re-creating your MongoDB resources and incurring downtime.
Considerations
Kubernetes Operator can migrate your TLS secrets when you upgrade from 1.12 or earlier to the latest version for as long as 1.12 is supported. After Kubernetes Operator 1.12 reaches End of Life (EOL), you might not be able to migrate your TLS secrets automatically when you upgrade.
Limitations
Kubernetes Operator doesn’t migrate the following TLS secret types:
- TLS secrets that contain X.509 certificates for internal server authentication
- TLS secrets that contain MongoDB Agent X.509 certificates
You must manually migrate these types of TLS secrets from opaque to kubernetes.io/tls type secrets by creating new secrets that contain the relevant certificates and signing keys. To learn how to create these secrets, see the following resources:
Prerequisites
Before you migrate your TLS secrets and upgrade Kubernetes Operator, your CRDs must use the following fields to describe your TLS secrets:
- Application Database TLS secrets: applicationDatabase.security.tls.secretRef.prefix
- Ops Manager TLS secrets: security.tls.secretRef.prefix
- Database resource TLS secrets: security.tls.secretRef.prefix
If your CRDs use any of the following fields to describe your TLS secrets, you must first update your CRDs to use the fields listed above instead:
- Application Database TLS secrets: spec.applicationDatabase.security.tls.secretRef.name
- Ops Manager TLS secrets: spec.security.tls.secretRef.name
- Database resource TLS secrets: spec.security.tls.secretRef.name
You must disable internal cluster and X.509 authentication before you upgrade Kubernetes Operator to its latest version.
When the upgrade is complete, you can re-enable internal cluster and X.509 authentication.
Procedure
Upgrade Kubernetes Operator to its latest version.
To learn how to upgrade the Kubernetes Operator, see Upgrade the MongoDB Enterprise Kubernetes Operator.
Wait for the Kubernetes Operator Pods to reach a READY state.
Use the following command to get the status of the Pods in your cluster:
Inspect the response. In the READY column for your Kubernetes Operator Pod, ensure that the value shows that all Pods are ready. In the following sample output, the single Kubernetes Operator Pod is ready.
When all Kubernetes Operator Pods are READY, proceed to the next step.
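The readiness check described above, as an added example that is not part of the original documentation: it parses the table that kubectl get pods prints and reports whether every Pod whose name carries the Operator's Deployment name has all of its containers ready. The sample output and the Pod name are constructed placeholders (the page's own sample output is not reproduced here), and the default Deployment name mongodb-enterprise-operator is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample output of `kubectl get pods` (placeholder Pod names, not
# the page's own sample). Two variants: one ready Operator Pod, one still starting.
SAMPLE_READY = """\
NAME                                           READY   STATUS    RESTARTS   AGE
mongodb-enterprise-operator-6b7c9d8f4b-x2k9p   1/1     Running   0          3m
"""

SAMPLE_NOT_READY = """\
NAME                                           READY   STATUS              RESTARTS   AGE
mongodb-enterprise-operator-6b7c9d8f4b-x2k9p   0/1     ContainerCreating   0          5s
"""

# READY is printed as "<ready containers>/<total containers>".
READY_RE = re.compile(r"^(\d+)/(\d+)$")


def parse_pods(output: str) -> List[Dict[str, str]]:
    """Turn the whitespace-separated kubectl table into one dict per row.

    Only the leading columns (NAME, READY, STATUS) are relied upon, so extra
    tokens in later columns (e.g. "1 (2m ago)" under RESTARTS) are harmless.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    return [dict(zip(header, ln.split())) for ln in lines[1:]]


def pod_is_ready(row: Dict[str, str]) -> bool:
    """A Pod counts as ready only when every container is ready and it is Running."""
    match = READY_RE.match(row.get("READY", ""))
    if not match:
        return False
    ready, total = int(match.group(1)), int(match.group(2))
    return total > 0 and ready == total and row.get("STATUS") == "Running"


def operator_pods_ready(output: str,
                        name_prefix: str = "mongodb-enterprise-operator") -> bool:
    """True when at least one Operator Pod exists and all of them are ready.

    name_prefix is the assumed default Deployment name; pass your own if you
    installed the Operator under a different name.
    """
    rows = [r for r in parse_pods(output) if r.get("NAME", "").startswith(name_prefix)]
    return bool(rows) and all(pod_is_ready(r) for r in rows)


if __name__ == "__main__":
    print("ready:", operator_pods_ready(SAMPLE_READY))        # True
    print("starting:", operator_pods_ready(SAMPLE_NOT_READY))  # False
```

Feed it real output with operator_pods_ready(subprocess.check_output(["kubectl", "get", "pods", "-n", "<namespace>"], text=True)); an empty table deliberately returns False so that a wrong namespace is not mistaken for a ready cluster.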
Create new TLS secrets that contain your existing certificates.
Using the certificates stored in your existing secrets, create one new secret for each component that you want to secure using TLS.
For more information, see the prerequisites in the Kubernetes Operator TLS tutorials:
- Deploy an Ops Manager Resource for Application Database resources
- Deploy an Ops Manager Resource for Ops Manager resources
- Secure Client Connections for database resources
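The conversion this step asks for, as an added example rather than code from MongoDB or the Operator: it reads one PEM bundle out of an existing Opaque secret, separates the certificate chain from the private key, and emits a kubernetes.io/tls secret whose tls.crt and tls.key entries the new Operator expects. The input secret, its entry name (my-replica-set-0-pem), the target secret name and the PEM contents are all constructed placeholders; name the new secret according to the prefix rules in the tutorials linked above.

```python
import base64
import json
import re
from typing import Dict, List, Tuple

# Constructed placeholders standing in for real PEM material (not valid keys or certs).
_FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEvCONSTRUCTEDkey\n-----END PRIVATE KEY-----\n"
_FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBcONSTRUCTEDleaf\n-----END CERTIFICATE-----\n"
_FAKE_CA = "-----BEGIN CERTIFICATE-----\nMIIBcONSTRUCTEDissuer\n-----END CERTIFICATE-----\n"

# Constructed sample of a pre-1.13 Opaque secret: one entry holding key and
# certificate chain concatenated as PEM (assumed layout, names are placeholders).
OPAQUE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "my-replica-set-cert", "namespace": "mongodb"},
    "data": {
        "my-replica-set-0-pem": base64.b64encode(
            (_FAKE_KEY + _FAKE_CERT + _FAKE_CA).encode()).decode(),
    },
}

# One PEM block: the END label must match the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----\n", re.S)


def split_pem(bundle: str) -> Tuple[List[str], List[str]]:
    """Return (certificates, private keys) found in a PEM bundle, in file order."""
    certs: List[str] = []
    keys: List[str] = []
    for match in PEM_BLOCK.finditer(bundle):
        label = match.group(1)
        if label == "CERTIFICATE":
            certs.append(match.group(0))
        elif "PRIVATE KEY" in label:  # PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY
            keys.append(match.group(0))
        # any other block type (parameters, CRLs) is dropped on purpose
    return certs, keys


def to_tls_secret(opaque: Dict, pem_key: str, new_name: str) -> Dict:
    """Build a kubernetes.io/tls secret manifest from one *-pem entry of an Opaque secret."""
    if opaque.get("type") != "Opaque":
        raise ValueError("expected an Opaque secret")
    if pem_key not in opaque.get("data", {}):
        raise ValueError(f"entry {pem_key!r} not found in secret data")
    bundle = base64.b64decode(opaque["data"][pem_key]).decode()
    certs, keys = split_pem(bundle)
    # Refuse ambiguous input rather than silently picking a key.
    if len(keys) != 1 or not certs:
        raise ValueError("bundle must hold exactly one private key and at least one certificate")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": new_name, "namespace": opaque["metadata"]["namespace"]},
        "data": {
            # leaf first, then issuers, exactly as they appeared in the bundle
            "tls.crt": base64.b64encode("".join(certs).encode()).decode(),
            "tls.key": base64.b64encode(keys[0].encode()).decode(),
        },
    }


def pem_field(secret: Dict, key: str) -> str:
    """Decode one data entry back to PEM text (used to verify the result)."""
    return base64.b64decode(secret["data"][key]).decode()


def render(secret: Dict) -> str:
    """JSON is valid input for kubectl apply -f, so no YAML library is needed."""
    return json.dumps(secret, indent=2)


if __name__ == "__main__":
    new_secret = to_tls_secret(OPAQUE_SECRET, "my-replica-set-0-pem", "mdb-my-replica-set-cert")
    print(render(new_secret))
```

Write the rendered manifest to a file and apply it with kubectl apply -f; because the private key is copied byte for byte, the server's identity is unchanged and no certificate has to be reissued, which is what lets the migration avoid re-creating the MongoDB resources.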
Update your CRDs to use the new TLS secret fields.
In each of the resources that you secure with TLS, update the following fields, as appropriate, to reference the new TLS secrets you created in the previous step:
- Application Database TLS secrets: applicationDatabase.security.certsSecretPrefix
- Ops Manager TLS secrets: security.certsSecretPrefix
- Database resource TLS secrets: security.certsSecretPrefix
Replace the CRDs in your Kubernetes cluster.
For each CRD you updated, run the following command to apply your changes to the Kubernetes cluster:
Optional: Re-enable internal cluster authentication and X.509 authentication.
When all of the resources you updated reach a READY state, you can re-enable internal cluster authentication and X.509 authentication if you disabled them to migrate your TLS secrets.