github mongodb/mongodb-kubernetes 1.9.0
Release of MCK 1.9.0

MongoDB Search and Vector Search now Generally Available with MCK

MongoDB Search and Vector Search are now generally available for Enterprise Advanced and supported for production use, graduating from public preview. In addition, Auto Embeddings for Enterprise is now in Public Preview.

With MongoDB Search and Vector Search, the operator runs MongoDB's Search engine (mongot) right alongside your databases, wherever they run (in Kubernetes, on VMs or on bare metal), so you can add full-text and vector search to your Kubernetes deployments without standing up and managing a separate search system. See more here.

What's New

Auto Embeddings (Public Preview): Added support for auto embeddings in MongoDB Enterprise to automatically generate vector embeddings for the vector search data. All the details can be found in our public documentation.

Support for password-encrypted key files: This release gives you more ways to meet your security and compliance requirements for the connection between MongoDB and mongot:

  • Use a password-encrypted private key on the gRPC connection between mongot and mongod/mongos.
  • Use client TLS (including a password-encrypted key) on the SCRAM sync-source connection.
  • Keep the password for an encrypted x509 client key in its own dedicated Kubernetes Secret.

In each case you supply the decryption password through a Kubernetes Secret, and you can leave it out entirely when your key isn't encrypted.

Monitoring in Ops Manager: Search metrics can now flow straight into Ops Manager, next to the rest of your deployment, with no extra monitoring stack required. Turn it on with the new metrics forwarder, point it at your Ops Manager project, and track its health from the resource's status.

Choose the sync source by tag: You can now direct mongot to sync from specific members using their replica set tags. For example, mongot can automatically detect and sync from a set of members tagged eu-west. This can help customers with data-locality requirements.

Additional load balancer and tuning options: This release also adds a retry policy and configurable pod count for the managed (Envoy) load balancer, a readiness threshold for how many search replicas must be ready before it routes traffic, advanced pass-through configuration for mongot, and a toggle for its overload-retry signal.

Minimum required versions for Search GA:

  • MongoDB Server: 8.3.0
  • Ops Manager: 8.0.24
  • Search (mongot): 1.70.1

If spec.version is not defined, the default Search version is now 1.70.1.

Breaking Changes from the Search and Vector Search Public Preview

If you're coming from the Search preview, a migration guide for the MongoDBSearch schema updates will be available in our public documentation in the coming days.

API Changes

Compared with the Public Preview, the GA release changes the API to make its design clearer and to add the features and capabilities needed for production use.

The changes are listed below:

  • spec.observability.metricsForwarder (+ .opsManager): Forwards mongot metrics to Ops Manager. opsManager holds the project config and agent credentials. Status is surfaced under status.metricsForwarder. Default: off.
  • spec.security.tls.keyFilePasswordSecretRef: The Kubernetes Secret holding the password that decrypts a password-encrypted private key for the gRPC connection between mongod/mongos and mongot. Omit if the key isn't encrypted.
  • spec.source.tls.clientCertificateSecretRef: Client certificate mongot presents during the TLS handshake on the SCRAM sync-source connection.
  • spec.source.tls.keyFilePasswordSecretRef: The Kubernetes Secret holding the password that decrypts a password-encrypted SCRAM client key.
  • spec.source.x509.keyFilePasswordSecretRef: The Kubernetes Secret holding the password that decrypts a password-encrypted x509 client key. Replaces the old tls.keyFilePassword entry embedded in the x509 client-certificate Secret, which is no longer used.
  • spec.clusters[].advancedMongotConfigs: Passes extra tuning configuration through to the mongot process.
  • spec.clusters[].syncSourceSelector.matchTagSets: Controls which replica set members mongot reads from (maps to mongot's replicationReader.tagSets).
  • spec.clusters[].loadBalancer.managed.retryPolicy: Envoy retry policy (numRetries, perTryTimeout). Default: 2 retries, 60s per try.
  • spec.clusters[].loadBalancer.managed.minMongotReadyReplicas: Minimum ready mongot replicas in a group before Envoy routes real traffic to it. Default: 1.
  • spec.clusters[].loadBalancer.managed.replicas: Number of Envoy proxy pods for the managed load balancer. Default: 1.
  • spec.featureFlags.enableOverloadRetrySignal: Enables/disables mongot's OVERLOAD_RETRY_SIGNAL feature flag. Default: true.
  • The .spec.prometheus field has moved to .spec.observability.prometheus. Update your MongoDBSearch resources to use the new path. Prometheus metrics are now enabled by default. Set .spec.observability.prometheus.mode to disabled to disable them.

General Changes

New Features

  • MongoDB and MongoDBUser resources now expose the reconciled Ops Manager project ID in .status.projectId.

Bug Fixes

  • To follow the Pod Security Standards, more secure default pod securityContext settings were added.
    Operator deployment securityContext settings that have changed:

    • allowPrivilegeEscalation: false
    • capabilities.drop: [ ALL ]
    • seccompProfile.type: RuntimeDefault

    Other workloads:

    • capabilities.drop: [ ALL ] - container level
    • seccompProfile.type: RuntimeDefault - pod level

    If you require less restrictive securityContext settings, please use template or podTemplate overrides.
    Detailed information about overrides can be found in Modify Ops Manager or MongoDB Kubernetes Resource Containers.

  • MongoDBOpsManager: Fixed an issue in the MongoDBOpsManager resource where JVM parameter blocks were appended to mms.conf on every pod restart without removing previous entries, causing duplicate configuration entries to accumulate.

  • MongoDBMulticluster: Fixed an issue where reconciliation of an entire resource could be blocked if automatic failover was disabled and a member cluster was marked as failed. Now, the operator will reconcile healthy clusters and skip the failed clusters.

  • MongoDBMulticluster: When automatic failover is disabled, the operator will now remove the failed clusters annotation once the clusters respond successfully to a configured number of consecutive health checks, allowing for recovery without manual intervention. The number of consecutive successful health checks required to remove the failed annotation is configurable via the MDB_MEMBER_CLUSTER_REQUIRED_HEALTHY_STREAK environment variable, or the multiCluster.memberClusterRequiredHealthyStreak helm value. The default is 5.

  • MongoDB: Fixed a bug where setting a field to null in additionalMongodConfig to remove it from a deployment did not take effect. The field would either be ignored or reappear on the next reconciliation.

  • MongoDBOpsManager, MongoDB, MongoDBMultiCluster, MongoDBUser: Fixed a bug in multi-cluster mode where Service, ConfigMap, TLS Secret, and StatefulSet resources created in member clusters carried ownerReferences pointing to the Custom Resource in the central cluster, causing the Kubernetes garbage collector to delete them as orphans.

  • MongoDB, MongoDBMultiCluster, MongoDBOpsManager, AppDB: Fixed a bug where reconciliation did not consistently trigger after StatefulSet resource changes in single-cluster and multi-cluster deployments.

  • OpsManager AppDB: Fixed an issue where the status.applicationDatabase.pvc field in the MongoDBOpsManager CRD retained a stale "PVC Resize - STS has been orphaned" phase indefinitely after a PVC resize completed successfully.

  • MongoDBUser: Passwords containing spaces or plus signs are now correctly percent-encoded in generated connection string secrets. Spaces are encoded as %20 and plus signs as %2B, ensuring both the Go driver and pymongo decode credentials correctly.
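
The securityContext defaults listed under Bug Fixes can be relaxed again through template or podTemplate overrides, so it is worth checking what a rendered pod spec actually carries. The following audit is an added example, not code from the operator; the sample pod spec, container names and function name are constructed for illustration.

```python
import json

# Constructed sample pod spec (JSON form of a rendered pod template); the
# container names and values are illustrative, not taken from the operator.
SAMPLE_POD_SPEC = json.loads("""
{
  "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
  "containers": [
    {"name": "mongot",
     "securityContext": {"allowPrivilegeEscalation": false,
                         "capabilities": {"drop": ["ALL"]}}},
    {"name": "sidecar",
     "securityContext": {"seccompProfile": {"type": "Unconfined"}}}
  ]
}
""")


def audit_pod_spec(pod_spec, require_no_priv_esc=False):
    """Return findings for containers weaker than the release's defaults.

    require_no_priv_esc additionally demands allowPrivilegeEscalation: false,
    which the notes list for the operator deployment only.
    """
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    for c in containers:
        sc = c.get("securityContext") or {}
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append(f"{c['name']}: capabilities.drop lacks ALL")
        # A container-level seccompProfile overrides the pod-level one.
        seccomp = (sc.get("seccompProfile") or {}).get("type") or pod_seccomp
        if seccomp != "RuntimeDefault":
            findings.append(f"{c['name']}: seccompProfile.type is {seccomp}")
        if require_no_priv_esc and sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{c['name']}: allowPrivilegeEscalation is not false")
    return findings


if __name__ == "__main__":
    for finding in audit_pod_spec(SAMPLE_POD_SPEC, require_no_priv_esc=True):
        print(finding)
```

Feed it the `spec.template.spec` of a StatefulSet or Deployment exported as JSON; an empty list means every container matches the settings named above.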
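
The MongoDBUser percent-encoding fix above matters because a "+" in the userinfo part of a connection string can be read either as a literal plus or as a space, depending on the decoder. This added example (not the operator's code) compares three encodings of one constructed password under both readings; the function names, password and host are assumptions made for illustration.

```python
from urllib.parse import quote, quote_plus, unquote, unquote_plus


def encode_credential(value):
    """Percent-encode a username or password for the URI's userinfo part.

    safe="" escapes every reserved character, so a space becomes %20 and a
    plus sign becomes %2B, the encoding the release notes describe.
    """
    return quote(value, safe="")


def decodes_cleanly(original, encoded):
    """Report whether each '+' convention recovers the original value.

    unquote keeps '+' literal; unquote_plus turns '+' into a space.
    Which convention a given client applies is treated as unknown here.
    """
    return {
        "plus_is_literal": unquote(encoded) == original,
        "plus_is_space": unquote_plus(encoded) == original,
    }


def compare_encodings(password):
    """Check three candidate encodings of the same password."""
    candidates = {
        "space_as_plus": quote_plus(password),    # ' ' -> '+', '+' -> %2B
        "raw_plus": quote(password, safe="+"),    # ' ' -> %20, '+' kept
        "percent_encoded": encode_credential(password),
    }
    return {name: (enc, decodes_cleanly(password, enc))
            for name, enc in candidates.items()}


def connection_string(user, password, host):
    """Build a mongodb:// URI with both credentials percent-encoded."""
    return f"mongodb://{encode_credential(user)}:{encode_credential(password)}@{host}/"


SAMPLE_PASSWORD = "s3cret pass+word"  # constructed sample value

if __name__ == "__main__":
    for name, (enc, result) in compare_encodings(SAMPLE_PASSWORD).items():
        print(f"{name:16} {enc:24} {result}")
    print(connection_string("app user", SAMPLE_PASSWORD, "db.example.internal:27017"))
```

Only the fully percent-encoded form survives both readings, which is why a credential that works with one client can fail authentication with another when spaces or plus signs are encoded any other way.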
