MongoDB Search and Vector Search now Generally Available with MCK
MongoDB Search and Vector Search is now generally available for Enterprise Advanced and supported for production use, graduating from public preview. In addition, Auto Embeddings for Enterprise is now in Public Preview.
With MongoDB Search and Vector Search, the operator runs MongoDB's Search engine (mongot) right alongside your database, wherever they are (in Kubernetes, VMs or bare-metal), so you can add full-text and vector search to your Kubernetes deployments without standing up and managing a separate search system. See more here.
What's New
Auto Embeddings (Public Preview): Added support for auto embeddings in MongoDB Enterprise to automatically generate vector embeddings for the vector search data. All the details can be found in our public documentation.
Support for password-encrypted key files: This release gives you more ways to meet your security and compliance requirements for the connection between MongoDB and mongot:
- Use a password-encrypted private key on the gRPC connection between mongot and mongod/mongos.
- Use client TLS (including a password-encrypted key) on the SCRAM sync-source connection.
- Keep the password for an encrypted x509 client key in its own dedicated Kubernetes Secret.
In each case you supply the decryption password through a Kubernetes Secret, and you can leave it out entirely when your key isn't encrypted.
Monitoring in Ops Manager: Search metrics can now flow straight into Ops Manager, next to the rest of your deployment, no extra monitoring stack required. Turn it on with the new metrics forwarder, point it at your Ops Manager project, and track its health from the resource's status.
Choose the sync source by tag: You can now direct mongot to sync from specific members using their replica set tags. For example, automatically detect and sync from a set of members tagged eu-west. This can help customers with data-locality requirements.
Additional load balancer and tuning options: This release also adds a retry policy and configurable pod count for the managed (Envoy) load balancer, a readiness threshold for how many search replicas must be ready before it routes traffic, advanced pass-through configuration for mongot, and a toggle for its overload-retry signal.
Minimum required versions for Search GA:
- MongoDB Server: 8.3.0
- Ops Manager: 8.0.24
- Search (mongot): 1.70.1
The default Search version is now 1.70.1, if spec.version is not defined.
Breaking Changes from the Search and Vector Search Public Preview
If you're coming from the Search preview, a migration guide for the MongoDBSearch schema updates will be available in our public documentation in the upcoming days.
API Changes
Compared with the Public Preview, the GA release changes the API to make its design clearer and to add the features and capabilities needed for production use.
The changes are listed below:
- spec.observability.metricsForwarder (+ .opsManager): Forwards mongot metrics to Ops Manager. opsManager holds the project config and agent credentials. Status is surfaced under status.metricsForwarder. Default: off.
- spec.security.tls.keyFilePasswordSecretRef: The Kubernetes Secret holding the password that decrypts a password-encrypted private key for the gRPC connection between mongod/mongos and mongot. Omit if the key isn't encrypted.
- spec.source.tls.clientCertificateSecretRef: Client certificate mongot presents during the TLS handshake on the SCRAM sync-source connection.
- spec.source.tls.keyFilePasswordSecretRef: The Kubernetes Secret holding the password that decrypts a password-encrypted SCRAM client key.
- spec.source.x509.keyFilePasswordSecretRef: The Kubernetes Secret holding the password that decrypts a password-encrypted x509 client key. Replaces the old tls.keyFilePassword entry embedded in the x509 client-certificate Secret, which is no longer used.
- spec.clusters[].advancedMongotConfigs: Passes extra tuning configuration through to the mongot process.
- spec.clusters[].syncSourceSelector.matchTagSets: Controls which replica set members mongot reads from (maps to mongot's replicationReader.tagSets).
- spec.clusters[].loadBalancer.managed.retryPolicy: Envoy retry policy (numRetries, perTryTimeout). Default: 2 retries, 60s per try.
- spec.clusters[].loadBalancer.managed.minMongotReadyReplicas: Minimum ready mongot replicas in a group before Envoy routes real traffic to it. Default: 1.
- spec.clusters[].loadBalancer.managed.replicas: Number of Envoy proxy pods for the managed load balancer. Default: 1.
- spec.featureFlags.enableOverloadRetrySignal: Enables/disables mongot's OVERLOAD_RETRY_SIGNAL feature flag. Default: true.
- .spec.prometheus field has moved to .spec.observability.prometheus. Update your MongoDBSearch resources to use the new path. Prometheus metrics are now enabled by default. Set .spec.observability.prometheus.mode to disabled to disable them.
General Changes
New Features
MongoDB and MongoDBUser resources now expose the reconciled Ops Manager project ID in .status.projectId.
Bug Fixes
- To follow the Pod Security Standards, more secure default pod securityContext settings were added.
  Operator deployment securityContext settings that have changed:
  - allowPrivilegeEscalation: false
  - capabilities.drop: [ ALL ]
  - seccompProfile.type: RuntimeDefault
  Other workloads:
  - capabilities.drop: [ ALL ] (container level)
  - seccompProfile.type: RuntimeDefault (pod level)
  If you require less restrictive securityContext settings, please use template or podTemplate overrides. Detailed information about overrides can be found in Modify Ops Manager or MongoDB Kubernetes Resource Containers.
- MongoDBOpsManager: Fixed an issue in the MongoDBOpsManager resource where JVM parameter blocks were appended to mms.conf on every pod restart without removing previous entries, causing duplicate configuration entries to accumulate.
- MongoDBMultiCluster: Fixed an issue where reconciliation of an entire resource could be blocked if automatic failover was disabled and a member cluster was marked as failed. Now, the operator will reconcile healthy clusters and skip the failed clusters.
- MongoDBMultiCluster: When automatic failover is disabled, the operator will now remove the failed clusters annotation once the clusters respond successfully to a required number of consecutive health checks, allowing for recovery without manual intervention. The number of consecutive successful health checks required to remove the failed annotation is configurable via the MDB_MEMBER_CLUSTER_REQUIRED_HEALTHY_STREAK environment variable, or the multiCluster.memberClusterRequiredHealthyStreak helm value. The default is 5.
- MongoDB: Fixed a bug where setting a field to null in additionalMongodConfig to remove it from a deployment did not take effect. The field would either be ignored or reappear on the next reconciliation.
- MongoDBOpsManager, MongoDB, MongoDBMultiCluster, MongoDBUser: Fixed a bug in multi-cluster mode where Service, ConfigMap, TLS Secret, and StatefulSet resources created in member clusters carried ownerReferences pointing to the Custom Resource in the central cluster, causing the Kubernetes garbage collector to delete them as orphans.
- MongoDB, MongoDBMultiCluster, MongoDBOpsManager, AppDB: Fixed a bug where reconciliation did not consistently trigger after StatefulSet resource changes in single-cluster and multi-cluster deployments.
- OpsManager AppDB: Fixed an issue where the status.applicationDatabase.pvc field in the MongoDBOpsManager CRD retained a stale "PVC Resize - STS has been orphaned" phase indefinitely after a PVC resize completed successfully.
- MongoDBUser: Passwords containing spaces or plus signs are now correctly percent-encoded in generated connection string secrets. Spaces are encoded as %20 and plus signs as %2B, ensuring both the Go driver and pymongo decode credentials correctly.
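Why the MongoDBUser fix settles on %20 and %2B, as an added Go example (not the operator's own code): only that encoding survives both a decoder that keeps "+" literal and one that reads "+" as a space. The two conventions are modelled here with url.PathUnescape and url.QueryUnescape, which is an assumption standing in for the drivers; the password, host and database are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// encodeCredential percent-encodes a username or password for the userinfo
// part of a mongodb:// URI. url.QueryEscape escapes every reserved byte
// (a literal '+' becomes %2B) but writes a space as '+', so any '+' left in
// its output can only be a space and is rewritten to %20.
func encodeCredential(s string) string {
	return strings.ReplaceAll(url.QueryEscape(s), "+", "%20")
}

// decodesUnderBoth reports whether an encoded credential decodes back to want
// under both conventions: '+' kept literal (url.PathUnescape) and '+' read as
// a space (url.QueryUnescape).
func decodesUnderBoth(encoded, want string) bool {
	p, errP := url.PathUnescape(encoded)
	q, errQ := url.QueryUnescape(encoded)
	return errP == nil && errQ == nil && p == want && q == want
}

// buildURI assembles a connection string from already-validated host and db
// values (both hypothetical here) and encoded credentials.
func buildURI(user, password, host, db string) string {
	return fmt.Sprintf("mongodb://%s:%s@%s/%s",
		encodeCredential(user), encodeCredential(password), host, db)
}

func main() {
	password := "p@ss w+rd" // constructed sample
	candidates := []string{
		url.QueryEscape(password),  // space -> '+': breaks when '+' is kept literal
		url.PathEscape(password),   // '+' left bare: breaks when '+' means space
		encodeCredential(password), // %20 and %2B: safe under both
	}
	for _, enc := range candidates {
		fmt.Printf("%-18s safe under both decoders: %v\n", enc, decodesUnderBoth(enc, password))
	}
	fmt.Println(buildURI("app user", password, "mdb-0.example.internal:27017", "admin"))
}
```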
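A post-upgrade check for the securityContext defaults listed for "other workloads" above, as an added Go example (not part of the operator): it flags a pod spec where a template or podTemplate override has loosened seccompProfile at pod level or capabilities.drop at container level. The pod spec JSON and container names are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// secCtx is the subset of a Kubernetes securityContext checked here.
type secCtx struct {
	Capabilities   *struct{ Drop []string `json:"drop"` } `json:"capabilities"`
	SeccompProfile *struct{ Type string `json:"type"` }   `json:"seccompProfile"`
}

type podSpec struct {
	SecurityContext *secCtx `json:"securityContext"`
	Containers      []struct {
		Name            string  `json:"name"`
		SecurityContext *secCtx `json:"securityContext"`
	} `json:"containers"`
}

// auditPodSpec returns one finding per deviation from the defaults:
// seccompProfile.type at pod level, capabilities.drop at container level.
func auditPodSpec(raw []byte) ([]string, error) {
	var spec podSpec
	if err := json.Unmarshal(raw, &spec); err != nil {
		return nil, err
	}
	var findings []string
	pc := spec.SecurityContext
	if pc == nil || pc.SeccompProfile == nil || pc.SeccompProfile.Type != "RuntimeDefault" {
		findings = append(findings, "pod: seccompProfile.type is not RuntimeDefault")
	}
	for _, c := range spec.Containers {
		dropsAll := false
		if c.SecurityContext != nil && c.SecurityContext.Capabilities != nil {
			for _, d := range c.SecurityContext.Capabilities.Drop {
				dropsAll = dropsAll || d == "ALL"
			}
		}
		if !dropsAll {
			findings = append(findings, "container "+c.Name+": capabilities.drop lacks ALL")
		}
	}
	return findings, nil
}

// Constructed sample: a pod .spec whose second container was overridden.
const samplePodSpec = `{"securityContext":{"seccompProfile":{"type":"RuntimeDefault"}},
 "containers":[{"name":"db","securityContext":{"capabilities":{"drop":["ALL"]}}},
               {"name":"sidecar","securityContext":{"capabilities":{"drop":["NET_RAW"]}}}]}`

func main() {
	findings, err := auditPodSpec([]byte(samplePodSpec))
	fmt.Println(findings, err)
}
```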