diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 000000000..48cab7faf Binary files /dev/null and b/.DS_Store differ diff --git a/README.md b/README.md index 0c7ce85a0..34e30252d 100644 --- a/README.md +++ b/README.md 
@@ -8,274 +8,43 @@ If you are a MongoDB Enterprise customer, or need Enterprise features such as Ba ## Table of Contents -- [Install the Operator](#install-the-operator) - - [Prerequisites](#prerequisites) - - [Procedure](#procedure) -- [Upgrade the Operator](#upgrade-the-operator) -- [Deploy & Configure MongoDB Resources](#deploy-and-configure-a-mongodb-resource) - - [Deploy a Replica Set](#deploy-a-replica-set) - - [Upgrade MongoDB Version & FCV](#upgrade-your-mongodb-resource-version-and-feature-compatibility-version) -- [Secure MongoDB Resource Connections using TLS](#secure-mongodb-resource-connections-using-tls) - - [Prerequisites](#prerequisites-1) - - [Procedure](#procedure-1) +- [Documentation](#documentation) - [Supported Features](#supported-features) - [Contribute](#contribute) - [License](#license) -## Install the Operator +## Documentation -### Prerequisites +See the [documentation](/docs) to learn how to: -Before you install the MongoDB Community Kubernetes Operator, you must: - -1. Install [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/). -2. Have a Kubernetes solution available to use. - If you need a Kubernetes solution, see the [Kubernetes documentation on picking the right solution](https://kubernetes.io/docs/setup). For testing, MongoDB recommends [Kind](https://kind.sigs.k8s.io/). -3. Clone this repository. - ``` - git clone https://github.com/mongodb/mongodb-kubernetes-operator.git - ``` - -### Procedure - -The MongoDB Community Kubernetes Operator is a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) and a controller. - -To install the MongoDB Community Kubernetes Operator: - -1. Change to the directory in which you cloned the repository. -2. Install the [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). - - a. 
Invoke the following `kubectl` command: - ``` - kubectl create -f deploy/crds/mongodb.com_mongodb_crd.yaml - ``` - b. Verify that the Custom Resource Definitions installed successfully: - ``` - kubectl get crd/mongodb.mongodb.com - ``` -3. Install the Operator. - - a. Invoke the following `kubectl` command to install the Operator in the specified namespace: - ``` - kubectl create -f deploy/ --namespace - ``` - b. Verify that the Operator installed successsfully: - ``` - kubectl get pods --namespace - ``` - -## Upgrade the Operator - -To upgrade the MongoDB Community Kubernetes Operator: - -1. Change to the directory in which you cloned the repository. -2. Invoke the following `kubectl` command to upgrade the [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). - ``` - kubectl apply -f deploy/crds/mongodb.com_mongodb_crd.yaml - ``` - -## Deploy and Configure a MongoDB Resource - -The [`/deploy/crds`](deploy/crds) directory contains example MongoDB resources that you can modify and deploy. - -### Deploy a Replica Set - -To deploy your first replica set: - -1. Invoke the following `kubectl` command: - ``` - kubectl apply -f deploy/crds/mongodb.com_v1_mongodb_cr.yaml --namespace - ``` -2. Verify that the MongoDB resource deployed: - ``` - kubectl get mongodb --namespace - ``` -3. connect clients to MongoDB replica set: - ``` - mongodb://-svc..svc.cluster.local:27017/?replicaSet= - ``` - -### Upgrade your MongoDB Resource Version and Feature Compatibility Version - -You can upgrade the major, minor, and/or feature compatibility versions of your MongoDB resource. These settings are configured in your resource definition YAML file. - -- To upgrade your resource's major and/or minor versions, set the `spec.version` setting to the desired MongoDB version. 
- -- To modify your resource's [feature compatibility version](https://docs.mongodb.com/manual/reference/command/setFeatureCompatibilityVersion/), set the `spec.featureCompatibilityVersion` setting to the desired version. - -If you update `spec.version` to a later version, consider setting `spec.featureCompatibilityVersion` to the current working MongoDB version to give yourself the option to downgrade if necessary. To learn more about feature compatibility, see [`setFeatureCompatibilityVersion`](https://docs.mongodb.com/manual/reference/command/setFeatureCompatibilityVersion/) in the MongoDB Manual. - -### Deploying on OpenShift - -If you want to deploy the operator on OpenShift you will have to provide the environment variable `MANAGED_SECURITY_CONTEXT` set to `true` for both the mongodb and mongodb agent containers, as well as the operator deployment. - -See [here](deploy/crds/mongodb.com_v1_mongodb_openshift_cr.yaml) for an example of how to provide the required configuration for a MongoDB ReplicaSet. - -See [here](deploy/openshift/operator_openshift.yaml) for an example of how to configure the Operator deployment. - -#### Example - -Consider the following example MongoDB resource definition: - -```yaml -apiVersion: mongodb.com/v1 -kind: MongoDB -metadata: - name: example-mongodb -spec: - members: 3 - type: ReplicaSet - version: "4.0.6" -``` -To upgrade this resource from `4.0.6` to `4.2.7`: - -1. Edit the resource definition. - - a. Update `spec.version` to `4.2.7`. - - b. Update `spec.featureCompatibilityVersion` to `4.0`. - - ```yaml - apiVersion: mongodb.com/v1 - kind: MongoDB - metadata: - name: example-mongodb - spec: - members: 3 - type: ReplicaSet - version: "4.2.7" - featureCompatibilityVersion: "4.0" - ``` - - **NOTE:** Setting `featureCompatibilityVersion` to `4.0` disables [4.2 features incompatible with MongoDB 4.0](https://docs.mongodb.com/manual/release-notes/4.2-compatibility/#compatibility-enabled). - -2. 
Reapply the configuration to Kubernetes: - ``` - kubectl apply -f .yaml --namespace - ``` - -## Secure MongoDB Resource Connections using TLS - -You can configure the MongoDB Community Kubernetes Operator to use TLS certificates to encrypt traffic between: - -- MongoDB hosts in a replica set, and -- Client applications and MongoDB deployments. - -### Prerequisites - -Before you secure MongoDB resource connections using TLS, you must: - -1. Create a PEM-encoded TLS certificate for the servers in the MongoDB resource using your own Certificate Authority (CA). The certificate must have one of the following: - - - A wildcard `Common Name` that matches the domain name of all of the replica set members: - - ``` - *.-svc..svc.cluster.local - ``` - - The domain name for each of the replica set members as `Subject Alternative Names` (SAN): - - ``` - -0.-svc..svc.cluster.local - -1.-svc..svc.cluster.local - -2.-svc..svc.cluster.local - ``` - -1. Create a Kubernetes ConfigMap that contains the certificate for the CA that signed your server certificate. The key in the ConfigMap that references the certificate must be named `ca.crt`. Kubernetes configures this automatically if the certificate file is named `ca.crt`: - ``` - kubectl create configmap --from-file=ca.crt --namespace - ``` - - For a certificate file with any other name, you must define the `ca.crt` key manually: - ``` - kubectl create configmap --from-file=ca.crt=.crt --namespace - ``` - -1. Create a Kubernetes secret that contains the server certificate and key for the members of your replica set. For a server certificate named `server.crt` and key named `server.key`: - ``` - kubectl create secret tls --cert=server.crt --key=server.key --namespace - ``` - -### Procedure - -To secure connections to MongoDB resources using TLS: - -1. 
Add the following fields to the MongoDB resource definition: - - - `spec.security.tls.enabled`: Encrypts communications using TLS certificates between MongoDB hosts in a replica set and client applications and MongoDB deployments. Set to `true`. - - `spec.security.tls.optional`: (**Optional**) Enables the members of the replica set to accept both TLS and non-TLS client connections. Equivalent to setting the MongoDB[`net.tls.mode`](https://docs.mongodb.com/manual/reference/configuration-options/#net.tls.mode) setting to `preferSSL`. If omitted, defaults to `false`. - - --- - **NOTE** - - When you enable TLS on an existing replica set deployment: - - a. Set `spec.security.tls.optional` to `true`. - - b. Apply the configuration to Kubernetes. - - c. Upgrade your existing clients to use TLS. - - d. Remove the `spec.security.tls.optional` field. - - e. Complete the remaining steps in the procedure. - - --- - - `spec.security.tls.certificateKeySecretRef.name`: Name of the Kubernetes secret that contains the server certificate and key that you created in the [prerequisites](#prerequisites-1). - - `spec.security.tls.caConfigMapRef.name`: Name of the Kubernetes ConfigMap that contains the Certificate Authority certificate used to sign the server certificate that you created in the [prerequisites](#prerequisites-1). - - ```yaml - apiVersion: mongodb.com/v1 - kind: MongoDB - metadata: - name: example-mongodb - spec: - members: 3 - type: ReplicaSet - version: "4.2.7" - security: - tls: - enabled: true - certificateKeySecretRef: - name: - caConfigMapRef: - name: - ``` - -1. Apply the configuration to Kubernetes: - ``` - kubectl apply -f .yaml --namespace - ``` -1. From within the Kubernetes cluster, connect to the MongoDB resource. - - If `spec.security.tls.optional` is omitted or `false`: clients must - establish TLS connections to the MongoDB servers in the replica set. 
- - If `spec.security.tls.optional` is true, clients can establish TLS or - non-TLS connections to the MongoDB servers in the replica set. - - See the documentation for your connection method to learn how to establish a TLS connection to a MongoDB server. +1. [Install or upgrade](/docs/install-upgrade.md) the Operator. +1. [Deploy and configure](/docs/deploy-configure.md) MongoDB resources. +1. [Create a database user](/docs/users.md) with SCRAM authentication. +1. [Secure MongoDB resource connections](/docs/secure.md) using TLS. ## Supported Features The MongoDB Community Kubernetes Operator supports the following features: -- MongoDB Topology: [replica sets](https://docs.mongodb.com/manual/replication/) -- Upgrading and downgrading MongoDB server version -- Scaling replica sets up and down -- Reading from and writing to the replica set while scaling, upgrading, and downgrading. These operations are done in an "always up" manner. -- Reporting of MongoDB server state via the [MongoDB resource](/deploy/crds/mongodb.com_mongodb_crd.yaml) `status` field -- Use of any of the available [Docker MongoDB images](https://hub.docker.com/_/mongo/) -- Clients inside the Kubernetes cluster can connect to the replica set (no external connectivity) -- TLS support for client-to-server and server-to-server communication +- Create [replica sets](https://docs.mongodb.com/manual/replication/) +- Upgrade and downgrade MongoDB server version +- Scale replica sets up and down +- Read from and write to the replica set while scaling, upgrading, and downgrading. These operations are done in an "always up" manner. 
+- Report MongoDB server state via the [MongoDB resource](/deploy/crds/mongodb.com_mongodb_crd.yaml) `status` field +- Use any of the available [Docker MongoDB images](https://hub.docker.com/_/mongo/) +- Connect to the replica set from inside the Kubernetes cluster (no external connectivity) +- Secure client-to-server and server-to-server connections with TLS +- Create users with [SCRAM](https://docs.mongodb.com/manual/core/security-scram/) authentication ### Planned Features - Server internal authentication via keyfile -- Creating users with SCRAM-SHA authentication ## Contribute Before you contribute to the MongoDB Community Kubernetes Operator, please read: -- [MongoDB Community Kubernetes Operator Architecture](architecture.md) -- [Contributing to MongoDB Community Kubernetes Operator](contributing.md) +- [MongoDB Community Kubernetes Operator Architecture](/docs/architecture.md) +- [Contributing to MongoDB Community Kubernetes Operator](/docs/contributing.md) Please file issues before filing PRs. For PRs to be accepted, contributors must sign our [CLA](https://www.mongodb.com/legal/contributor-agreement). diff --git a/deploy/.DS_Store b/deploy/.DS_Store new file mode 100644 index 000000000..617ac7b19 Binary files /dev/null and b/deploy/.DS_Store differ diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 000000000..8e93678fd --- /dev/null +++ b/docs/README.md @@ -0,0 +1,10 @@ +# MongoDB Community Kubernetes Operator Documentation # + +## Table of Contents + +- [Contribute to the MongoDB Kubernetes Operator](/docs/contributing.md) +- [MongoDB Community Kubernetes Operator Architecture](/docs/architecutre.md) +- [Install and Upgrade the Community Kubernetes Operator](/docs/install-upgrade.md) +- [Deploy and Configure MongoDB Resources](/docs/deploy-configure.md) +- [Create Database Users](/docs/users.md) +- [Secure MongoDB Resources](/docs/secure.md) 
diff --git a/architecture.md b/docs/architecture.md similarity index 100% rename from architecture.md rename to docs/architecture.md diff --git a/contributing.md b/docs/contributing.md similarity index 100% rename from contributing.md rename to docs/contributing.md diff --git a/docs/deploy-configure.md b/docs/deploy-configure.md new file mode 100644 index 000000000..59447cf14 --- /dev/null +++ b/docs/deploy-configure.md 
@@ -0,0 +1,85 @@ +# Deploy and Configure a MongoDB Resource # + +The [`/deploy/crds`](deploy/crds) directory contains example MongoDB resources that you can modify and deploy. + +## Table of Contents + +- [Deploy a Replica Set](#deploy-a-replica-set) +- [Upgrade MongoDB Version & FCV](#upgrade-your-mongodb-resource-version-and-feature-compatibility-version) +- [Deploying on Openshift](#deploying-on-openshift) + +## Deploy a Replica Set + +To deploy your first replica set: + +1. Invoke the following `kubectl` command: + ``` + kubectl apply -f deploy/crds/mongodb.com_v1_mongodb_cr.yaml --namespace + ``` +2. Verify that the MongoDB resource deployed: + ``` + kubectl get mongodb --namespace + ``` +3. Connect clients to the MongoDB replica set: + ``` + mongodb://-svc..svc.cluster.local:27017/?replicaSet= + ``` + +## Upgrade your MongoDB Resource Version and Feature Compatibility Version + +You can upgrade the major, minor, and/or feature compatibility versions of your MongoDB resource. These settings are configured in your resource definition YAML file. + +- To upgrade your resource's major and/or minor versions, set the `spec.version` setting to the desired MongoDB version. + +- To modify your resource's [feature compatibility version](https://docs.mongodb.com/manual/reference/command/setFeatureCompatibilityVersion/), set the `spec.featureCompatibilityVersion` setting to the desired version. + +If you update `spec.version` to a later version, consider setting `spec.featureCompatibilityVersion` to the current working MongoDB version to give yourself the option to downgrade if necessary. To learn more about feature compatibility, see [`setFeatureCompatibilityVersion`](https://docs.mongodb.com/manual/reference/command/setFeatureCompatibilityVersion/) in the MongoDB Manual. 
+ +## Deploying on OpenShift + +If you want to deploy the operator on OpenShift you will have to provide the environment variable `MANAGED_SECURITY_CONTEXT` set to `true` for both the mongodb and mongodb agent containers, as well as the operator deployment. + +See [here](deploy/crds/mongodb.com_v1_mongodb_openshift_cr.yaml) for an example of how to provide the required configuration for a MongoDB ReplicaSet. + +See [here](deploy/operator_openshift.yaml) for an example of how to configure the Operator deployment. + +### Example + +Consider the following example MongoDB resource definition: + +```yaml +apiVersion: mongodb.com/v1 +kind: MongoDB +metadata: + name: example-mongodb +spec: + members: 3 + type: ReplicaSet + version: "4.0.6" +``` +To upgrade this resource from `4.0.6` to `4.2.7`: + +1. Edit the resource definition. + + a. Update `spec.version` to `4.2.7`. + + b. Update `spec.featureCompatibilityVersion` to `4.0`. + + ```yaml + apiVersion: mongodb.com/v1 + kind: MongoDB + metadata: + name: example-mongodb + spec: + members: 3 + type: ReplicaSet + version: "4.2.7" + featureCompatibilityVersion: "4.0" + ``` + + **NOTE:** Setting `featureCompatibilityVersion` to `4.0` disables [4.2 features incompatible with MongoDB 4.0](https://docs.mongodb.com/manual/release-notes/4.2-compatibility/#compatibility-enabled). + +2. Reapply the configuration to Kubernetes: + ``` + kubectl apply -f .yaml --namespace + ``` diff --git a/docs/install-upgrade.md b/docs/install-upgrade.md new file mode 100644 index 000000000..e58aee70c --- /dev/null +++ b/docs/install-upgrade.md 
@@ -0,0 +1,60 @@ +# Install and Upgrade the Community Kubernetes Operator # + +## Table of Contents + +- [Install the Operator](#install-the-operator) + - [Prerequisites](#prerequisites) + - [Procedure](#procedure) +- [Upgrade the Operator](#upgrade-the-operator) + +## Install the Operator + +### Prerequisites + +Before you install the MongoDB Community Kubernetes Operator, you must: + +1. Install [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/). +2. Have a Kubernetes solution available to use. + If you need a Kubernetes solution, see the [Kubernetes documentation on picking the right solution](https://kubernetes.io/docs/setup). For testing, MongoDB recommends [Kind](https://kind.sigs.k8s.io/). +3. Clone this repository. + ``` + git clone https://github.com/mongodb/mongodb-kubernetes-operator.git + ``` + +### Procedure + +The MongoDB Community Kubernetes Operator is a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) and a controller. + +To install the MongoDB Community Kubernetes Operator: + +1. Change to the directory in which you cloned the repository. +2. Install the [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). + + a. Invoke the following `kubectl` command: + ``` + kubectl create -f deploy/crds/mongodb.com_mongodb_crd.yaml + ``` + b. Verify that the Custom Resource Definitions installed successfully: + ``` + kubectl get crd/mongodb.mongodb.com + ``` +3. Install the Operator. + + a. Invoke the following `kubectl` command to install the Operator in the specified namespace: + ``` + kubectl create -f deploy/ --namespace + ``` + b. Verify that the Operator installed successsfully: + ``` + kubectl get pods --namespace + ``` + +## Upgrade the Operator + +To upgrade the MongoDB Community Kubernetes Operator: + +1. Change to the directory in which you cloned the repository. +2. 
Invoke the following `kubectl` command to upgrade the [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). + ``` + kubectl apply -f deploy/crds/mongodb.com_mongodb_crd.yaml + ``` diff --git a/docs/secure.md b/docs/secure.md new file mode 100644 index 000000000..60d833c23 --- /dev/null +++ b/docs/secure.md 
@@ -0,0 +1,106 @@ +# Secure MongoDB Resources # + +## Table of Contents + +- [Secure MongoDB Resource Connections using TLS](#secure-mongodb-resource-connections-using-tls) + - [Prerequisites](#prerequisites) + - [Procedure](#procedure) + +## Secure MongoDB Resource Connections using TLS + +You can configure the MongoDB Community Kubernetes Operator to use TLS certificates to encrypt traffic between: + +- MongoDB hosts in a replica set, and +- Client applications and MongoDB deployments. + +### Prerequisites + +Before you secure MongoDB resource connections using TLS, you must: + +1. Create a PEM-encoded TLS certificate for the servers in the MongoDB resource using your own Certificate Authority (CA). The certificate must have one of the following: + + - A wildcard `Common Name` that matches the domain name of all of the replica set members: + + ``` + *.-svc..svc.cluster.local + ``` + - The domain name for each of the replica set members as `Subject Alternative Names` (SAN): + + ``` + -0.-svc..svc.cluster.local + -1.-svc..svc.cluster.local + -2.-svc..svc.cluster.local + ``` + +1. Create a Kubernetes ConfigMap that contains the certificate for the CA that signed your server certificate. The key in the ConfigMap that references the certificate must be named `ca.crt`. Kubernetes configures this automatically if the certificate file is named `ca.crt`: + ``` + kubectl create configmap --from-file=ca.crt --namespace + ``` + + For a certificate file with any other name, you must define the `ca.crt` key manually: + ``` + kubectl create configmap --from-file=ca.crt=.crt --namespace + ``` + +1. Create a Kubernetes secret that contains the server certificate and key for the members of your replica set. For a server certificate named `server.crt` and key named `server.key`: + ``` + kubectl create secret tls --cert=server.crt --key=server.key --namespace + ``` + +### Procedure + +To secure connections to MongoDB resources using TLS: + +1. 
Add the following fields to the MongoDB resource definition: + + - `spec.security.tls.enabled`: Encrypts communications using TLS certificates between MongoDB hosts in a replica set and client applications and MongoDB deployments. Set to `true`. + - `spec.security.tls.optional`: (**Optional**) Enables the members of the replica set to accept both TLS and non-TLS client connections. Equivalent to setting the MongoDB[`net.tls.mode`](https://docs.mongodb.com/manual/reference/configuration-options/#net.tls.mode) setting to `preferSSL`. If omitted, defaults to `false`. + + --- + **NOTE** + + When you enable TLS on an existing replica set deployment: + + a. Set `spec.security.tls.optional` to `true`. + + b. Apply the configuration to Kubernetes. + + c. Upgrade your existing clients to use TLS. + + d. Remove the `spec.security.tls.optional` field. + + e. Complete the remaining steps in the procedure. + + --- + - `spec.security.tls.certificateKeySecretRef.name`: Name of the Kubernetes secret that contains the server certificate and key that you created in the [prerequisites](#prerequisites-1). + - `spec.security.tls.caConfigMapRef.name`: Name of the Kubernetes ConfigMap that contains the Certificate Authority certificate used to sign the server certificate that you created in the [prerequisites](#prerequisites-1). + + ```yaml + apiVersion: mongodb.com/v1 + kind: MongoDB + metadata: + name: example-mongodb + spec: + members: 3 + type: ReplicaSet + version: "4.2.7" + security: + tls: + enabled: true + certificateKeySecretRef: + name: + caConfigMapRef: + name: + ``` + +1. Apply the configuration to Kubernetes: + ``` + kubectl apply -f .yaml --namespace + ``` +1. From within the Kubernetes cluster, connect to the MongoDB resource. + - If `spec.security.tls.optional` is omitted or `false`: clients must + establish TLS connections to the MongoDB servers in the replica set. 
+ - If `spec.security.tls.optional` is true, clients can establish TLS or + non-TLS connections to the MongoDB servers in the replica set. + + See the documentation for your connection method to learn how to establish a TLS connection to a MongoDB server. diff --git a/docs/users.md b/docs/users.md new file mode 100644 index 000000000..2153d2cad --- /dev/null +++ b/docs/users.md 
@@ -0,0 +1,88 @@ +# Create a Database User # + +You can create a MongoDB database user to authenticate to your MongoDB resource using [SCRAM](https://docs.mongodb.com/manual/core/security-scram/). First, [create a Kubernetes secret](#create-a-user-secret) for the new user's password. Then, [modify and apply the MongoDB resource definition](#modify-the-mongodb-crd). + +You cannot disable SCRAM authentication. + +## Create a User Secret + +1. Copy the following example secret. + + ``` + --- + apiVersion: v1 + kind: Secret + metadata: + name: # corresponds to spec.users.passwordSecretRef.name in the MongoDB CRD + type: Opaque + stringData: + password: # corresponds to spec.users.passwordSecretRef.key in the MongoDB CRD + ... + ``` +1. Update the value of `metadata.name` with any name for this secret. +1. Update the value of `stringData.password` with the user's password. +1. Save the secret with a `.yaml` file extension. +1. Apply the secret in Kubernetes: + ``` + kubectl apply -f .yaml --namespace + ``` + +## Modify the MongoDB Resource + +1. Add the following fields to the MongoDB resource definition: + + | Key | Type | Description | Required? | + |----|----|----|----| + | `spec.users` | array of objects | Configures database users for this deployment. | Yes | + | `spec.users.name` | string | Username of the database user. | Yes | + | `spec.users.db` | string | Database that the user authenticates against. Defaults to `admin`. | No | + | `spec.users.passwordSecretRef.name` | string | Name of the secret that contains the user's plain text password. | Yes| + | `spec.users.passwordSecretRef.key` | string| Key in the secret that corresponds to the value of the user's password. Defaults to `password`. | No | + | `spec.users.roles` | array of objects | Configures roles assigned to the user. | Yes | + | `spec.users.roles.role.name` | string | Name of the role. Valid values are [built-in roles](https://docs.mongodb.com/manual/reference/built-in-roles/#built-in-roles). 
| Yes | + | `spec.users.roles.role.db` | string | Database that the role applies to. | Yes | + + ``` + --- + apiVersion: mongodb.com/v1 + kind: MongoDB + metadata: + name: example-scram-mongodb + spec: + members: 3 + type: ReplicaSet + version: "4.2.6" + security: + authentication: + modes: ["SCRAM"] + users: + - name: + db: + passwordSecretRef: + name: + roles: + - name: + db: + - name: + db: + ... + ``` +1. Save the file. +1. Apply the updated MongoDB resource definition: + + ``` + kubectl apply -f .yaml --namespace + ``` + +## Next Steps + +- After the MongoDB resource is running, the Operator no longer requires the user's secret. MongoDB recommends that you securely store the user's password and then delete the user secret: + ``` + kubectl delete secret --namespace + ``` + +- To authenticate to your MongoDB resource, run the following command: + ``` + mongo "mongodb://-svc..svc.cluster.local:27017/?replicaSet=" --username --password --authenticationDatabase + ``` +- To change a user's password, create and apply a new secret resource definition with a `metadata.name` that is the same as the name specified in `passwordSecretRef.name` of the MongoDB CRD. The Operator will automatically regenerate credentials.
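Review bot: the two binary files `a/.DS_Store` and `deploy/.DS_Store` (both `new file mode 100644`) are macOS Finder metadata, not project content, and should be dropped from this change; adding `.DS_Store` to `.gitignore` will keep them from being re-added.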
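Review bot: in `docs/README.md` the link `[MongoDB Community Kubernetes Operator Architecture](/docs/architecutre.md)` has a typo in the path; the file is renamed to `docs/architecture.md` elsewhere in this patch, so the link should read `/docs/architecture.md` or it will 404.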
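Review bot: in `docs/deploy-configure.md` the relative links `[`/deploy/crds`](deploy/crds)`, `See [here](deploy/crds/mongodb.com_v1_mongodb_openshift_cr.yaml)` and `See [here](deploy/operator_openshift.yaml)` now resolve relative to `docs/` and will break; use root-relative `/deploy/...` paths as the new README does. The OpenShift operator example also changed path from `deploy/openshift/operator_openshift.yaml` (removed README text) to `deploy/operator_openshift.yaml`; please confirm which one exists in the tree. The `### Example` that walks through upgrading from `4.0.6` to `4.2.7` sits under `## Deploying on OpenShift` but illustrates the upgrade section above it; moving it before the OpenShift heading would keep the sections coherent.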
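Review bot: in `docs/install-upgrade.md`, step 3b carries over the typo `Verify that the Operator installed successsfully`. Separately, the `## Upgrade the Operator` procedure only re-applies `deploy/crds/mongodb.com_mongodb_crd.yaml`; if upgrading also requires re-applying the Operator deployment (`kubectl apply -f deploy/ --namespace ...`), that step should be documented, and if a CRD-only update is intended, say so explicitly so readers do not end up running a new CRD against an old controller.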
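Review bot: in `docs/secure.md` the two `[prerequisites](#prerequisites-1)` links (under `certificateKeySecretRef.name` and `caConfigMapRef.name`) no longer resolve; the `-1` suffix came from the old README, which had two "Prerequisites" headings, while this file has one, and its own table of contents already uses `#prerequisites`. The `spec.security.tls.optional` bullet links to `net.tls.mode` but names the value `preferSSL`; the `net.tls.mode` value is `preferTLS` (`preferSSL` belongs to the older `net.ssl.mode` option). In the certificate prerequisite, consider recommending the SAN form over the wildcard `Common Name` form, since many TLS libraries no longer fall back to CN matching and such a certificate would fail hostname verification.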
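Review bot: in `docs/users.md` the table rows `spec.users.roles.role.name` and `spec.users.roles.role.db` do not match the YAML example, where each entry under `roles:` is `- name: ... db: ...` directly (i.e. `spec.users.roles.name` / `spec.users.roles.db`); align the table with the example. The intro link `(#modify-the-mongodb-crd)` does not match the heading `## Modify the MongoDB Resource` (`#modify-the-mongodb-resource`). In "Next Steps", the `mongo ... --username ... --password ...` example puts the password on the command line, where it ends up in shell history and `ps` output; documenting `--password` with no value, so the shell prompts for it, would be consistent with the preceding advice to store the password securely.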