Merge branch 'correction-1.5.3' into 'development'

Correction 1.5.3

See merge request !3

helm_chart/values-openshift.yaml

+# Create the CustomerResourceDefinition for MongoDB custom types.
+createCrds: true
+
 # Name of the Namespace to use
 namespace: mongodb
 
@@ -15,7 +18,7 @@ operator:
   deployment_name: mongodb-enterprise-operator
 
   # Version of mongodb-enterprise-operator and mongodb-enterprise-database images
-  version: 1.8.0
+  version: 1.5.3
 
   # The Custom Resources that will be watched by the Operator. Needs to be changed if only some of the CRDs are installed
   watchedResources:
@@ -23,39 +26,28 @@ operator:
   - opsmanagers
   - mongodbusers
 
-## Database
 database:
   name: enterprise-database
-  version: 2.0.0
-
-initDatabase:
-  name: mongodb-enterprise-init-database
-  version: 1.0.0
 
-## Ops Manager
 opsManager:
   name: mongodb-enterprise-ops-manager
 
 initOpsManager:
   name: mongodb-enterprise-init-ops-manager
-  version: 1.0.2
+  version: 1.0.0
 
-## Application Database
 appDb:
   name: mongodb-enterprise-appdb
 
 initAppDb:
   name: mongodb-enterprise-init-appdb
-  version: 1.0.4
+  version: 1.0.0
 
-## Registry
 registry:
   # The pull secret must be specified
   imagePullSecrets:
   pullPolicy: Always
-  database: registry.connect.redhat.com/mongodb
   operator: registry.connect.redhat.com/mongodb
-  initDatabase: registry.connect.redhat.com/mongodb
   initOpsManager: registry.connect.redhat.com/mongodb
   opsManager: registry.connect.redhat.com/mongodb
   initAppDb: registry.connect.redhat.com/mongodb

helm_chart/values.yaml

+# Create the CustomerResourceDefinition for MongoDB custom types.
+createCrds: true
+
 # Name of the Namespace to use
 namespace: mongodb
 
-## Operator
-
 # Set this to true if your cluster is managing SecurityContext for you.
 # If running OpenShift (Cloud, Minishift, etc.), set this to true.
 managedSecurityContext: false
@@ -18,7 +19,7 @@ operator:
   deployment_name: mongodb-enterprise-operator
 
   # Version of mongodb-enterprise-operator and mongodb-enterprise-database images
-  version: 1.8.0
+  version: 1.5.3
 
   # The Custom Resources that will be watched by the Operator. Needs to be changed if only some of the CRDs are installed
   watchedResources:
@@ -26,40 +27,29 @@ operator:
   - opsmanagers
   - mongodbusers
 
-## Database
 database:
   name: mongodb-enterprise-database
-  version: 2.0.0
-
-initDatabase:
-  name: mongodb-enterprise-init-database
-  version: 1.0.0
 
-## Ops Manager
 opsManager:
   name: mongodb-enterprise-ops-manager
 
 initOpsManager:
   name: mongodb-enterprise-init-ops-manager
-  version: 1.0.2
+  version: 1.0.0
 
-## Application Database
 appDb:
   name: mongodb-enterprise-appdb
 
 initAppDb:
   name: mongodb-enterprise-init-appdb
-  version: 1.0.4
+  version: 1.0.0
 
-## Registry
 registry:
   imagePullSecrets:
   # TODO: specify for each image and move there?
   pullPolicy: Always
   # Specify if images are pulled from private registry
   operator: quay.io/mongodb
-  database: quay.io/mongodb
-  initDatabase: quay.io/mongodb
   initOpsManager: quay.io/mongodb
   opsManager: quay.io/mongodb
   initAppDb: quay.io/mongodb

mongodb-enterprise-openshift.yaml

 ---
 # Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: enterprise-operator
   namespace: mongodb
+
+
 ---
-# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: enterprise-operator-mongodb-certs
-rules:
-- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests
-  verbs:
-  - get
-  - create
-  - list
-  - watch
----
-# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: enterprise-operator-mongodb-webhook-binding
-  namespace: mongodb
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: mongodb-enterprise-operator-mongodb-webhook
-subjects:
-- kind: ServiceAccount
-  name: enterprise-operator
-  namespace: mongodb
----
-# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: enterprise-operator-mongodb-certs-binding
-  namespace: mongodb
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: enterprise-operator-mongodb-certs
-subjects:
-- kind: ServiceAccount
-  name: enterprise-operator
-  namespace: mongodb
----
-# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
 kind:  Role 
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -101,7 +57,21 @@ rules:
 # definitions. The validating webhooks are optional so this can be removed if
 # necessary.
 ---
-# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: enterprise-operator-mongodb-webhook-binding
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-enterprise-operator-mongodb-webhook
+subjects:
+- kind: ServiceAccount
+  name: enterprise-operator
+  namespace: mongodb
+
+---
 kind:  RoleBinding 
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -118,29 +88,62 @@ subjects:
 
 # This ClusterRole is needed if the user wants to use the Kubernetes CA
 # infrastructure to generate certificates.
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: enterprise-operator-mongodb-certs
+rules:
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - get
+  - create
+  - list
+  - watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: enterprise-operator-mongodb-certs-binding
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: enterprise-operator-mongodb-certs
+subjects:
+- kind: ServiceAccount
+  name: enterprise-operator
+  namespace: mongodb
+
+
 ---
 # Source: mongodb-enterprise-operator/templates/database-roles.yaml
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: mongodb-enterprise-appdb
   namespace: mongodb
+
 ---
-# Source: mongodb-enterprise-operator/templates/database-roles.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: mongodb-enterprise-database-pods
   namespace: mongodb
+
 ---
-# Source: mongodb-enterprise-operator/templates/database-roles.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: mongodb-enterprise-ops-manager
   namespace: mongodb
+
 ---
-# Source: mongodb-enterprise-operator/templates/database-roles.yaml
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -150,11 +153,11 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - secrets
+      - configmaps
     verbs:
       - get
+
 ---
-# Source: mongodb-enterprise-operator/templates/database-roles.yaml
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -168,8 +171,10 @@ subjects:
   - kind: ServiceAccount
     name: mongodb-enterprise-appdb
     namespace: mongodb
+
 ---
 # Source: mongodb-enterprise-operator/templates/operator.yaml
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -179,20 +184,16 @@ spec:
   replicas: 1
   selector:
       matchLabels:
-        app.kubernetes.io/component: controller
-        app.kubernetes.io/name: enterprise-operator
-        app.kubernetes.io/instance: enterprise-operator
+        app: enterprise-operator
   template:
     metadata:
       labels:
-        app.kubernetes.io/component: controller
-        app.kubernetes.io/name: enterprise-operator
-        app.kubernetes.io/instance: enterprise-operator
+        app: enterprise-operator
     spec:
       serviceAccountName: enterprise-operator
       containers:
       - name: mongodb-enterprise-operator
-        image: registry.connect.redhat.com/mongodb/enterprise-operator:1.8.0
+        image: registry.connect.redhat.com/mongodb/enterprise-operator:1.5.3
         imagePullPolicy: Always
         args:
           - "-watch-resource=mongodb"
@@ -213,30 +214,21 @@ spec:
               fieldPath: metadata.namespace
         - name: MANAGED_SECURITY_CONTEXT
           value: 'true'
+        - name: MONGODB_ENTERPRISE_DATABASE_IMAGE
+          value: registry.connect.redhat.com/mongodb/enterprise-database:1.5.3
         - name: IMAGE_PULL_POLICY
           value: Always
-        # Database
-        - name: MONGODB_ENTERPRISE_DATABASE_IMAGE
-          value: registry.connect.redhat.com/mongodb/enterprise-database
-        - name: INIT_DATABASE_IMAGE_REPOSITORY
-          value: registry.connect.redhat.com/mongodb/mongodb-enterprise-init-database
-        - name: INIT_DATABASE_VERSION
-          value: 1.0.0
-        - name: DATABASE_VERSION
-          value: 2.0.0
-        # Ops Manager
         - name: OPS_MANAGER_IMAGE_REPOSITORY
           value: registry.connect.redhat.com/mongodb/mongodb-enterprise-ops-manager
         - name: INIT_OPS_MANAGER_IMAGE_REPOSITORY
           value: registry.connect.redhat.com/mongodb/mongodb-enterprise-init-ops-manager
         - name: INIT_OPS_MANAGER_VERSION
-          value: 1.0.2
-        # AppDB
-        - name: APPDB_IMAGE_REPOSITORY
-          value: registry.connect.redhat.com/mongodb/mongodb-enterprise-appdb
+          value: 1.0.0
         - name: INIT_APPDB_IMAGE_REPOSITORY
           value: registry.connect.redhat.com/mongodb/mongodb-enterprise-init-appdb
         - name: INIT_APPDB_VERSION
-          value: 1.0.4
+          value: 1.0.0
         - name: OPS_MANAGER_IMAGE_PULL_POLICY
           value: Always
+        - name: APPDB_IMAGE_REPOSITORY
+          value: registry.connect.redhat.com/mongodb/mongodb-enterprise-appdb

mongodb-enterprise.yaml

 ---
 # Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: mongodb-enterprise-operator
   namespace: mongodb
+
+
 ---
-# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: mongodb-enterprise-operator-mongodb-certs
-rules:
-- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests
-  verbs:
-  - get
-  - create
-  - list
-  - watch
----
-# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: mongodb-enterprise-operator-mongodb-webhook-binding
-  namespace: mongodb
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: mongodb-enterprise-operator-mongodb-webhook
-subjects:
-- kind: ServiceAccount
-  name: mongodb-enterprise-operator
-  namespace: mongodb
----
-# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: mongodb-enterprise-operator-mongodb-certs-binding
-  namespace: mongodb
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: mongodb-enterprise-operator-mongodb-certs
-subjects:
-- kind: ServiceAccount
-  name: mongodb-enterprise-operator
-  namespace: mongodb
----
-# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
 kind:  Role 
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -101,7 +57,21 @@ rules:
 # definitions. The validating webhooks are optional so this can be removed if
 # necessary.
 ---
-# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-operator-mongodb-webhook-binding
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-enterprise-operator-mongodb-webhook
+subjects:
+- kind: ServiceAccount
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+
+---
 kind:  RoleBinding 
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -118,29 +88,62 @@ subjects:
 
 # This ClusterRole is needed if the user wants to use the Kubernetes CA
 # infrastructure to generate certificates.
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-operator-mongodb-certs
+rules:
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - get
+  - create
+  - list
+  - watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-operator-mongodb-certs-binding
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-enterprise-operator-mongodb-certs
+subjects:
+- kind: ServiceAccount
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+
+
 ---
 # Source: mongodb-enterprise-operator/templates/database-roles.yaml
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: mongodb-enterprise-appdb
   namespace: mongodb
+
 ---
-# Source: mongodb-enterprise-operator/templates/database-roles.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: mongodb-enterprise-database-pods
   namespace: mongodb
+
 ---
-# Source: mongodb-enterprise-operator/templates/database-roles.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: mongodb-enterprise-ops-manager
   namespace: mongodb
+
 ---
-# Source: mongodb-enterprise-operator/templates/database-roles.yaml
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -150,11 +153,11 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - secrets
+      - configmaps
     verbs:
       - get
+
 ---
-# Source: mongodb-enterprise-operator/templates/database-roles.yaml
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -168,8 +171,10 @@ subjects:
   - kind: ServiceAccount
     name: mongodb-enterprise-appdb
     namespace: mongodb
+
 ---
 # Source: mongodb-enterprise-operator/templates/operator.yaml
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -179,15 +184,11 @@ spec:
   replicas: 1
   selector:
       matchLabels:
-        app.kubernetes.io/component: controller
-        app.kubernetes.io/name: mongodb-enterprise-operator
-        app.kubernetes.io/instance: mongodb-enterprise-operator
+        app: mongodb-enterprise-operator
   template:
     metadata:
       labels:
-        app.kubernetes.io/component: controller
-        app.kubernetes.io/name: mongodb-enterprise-operator
-        app.kubernetes.io/instance: mongodb-enterprise-operator
+        app: mongodb-enterprise-operator
     spec:
       serviceAccountName: mongodb-enterprise-operator
       securityContext:
@@ -195,7 +196,7 @@ spec:
         runAsUser: 2000
       containers:
       - name: mongodb-enterprise-operator
-        image: quay.io/mongodb/mongodb-enterprise-operator:1.8.0
+        image: quay.io/mongodb/mongodb-enterprise-operator:1.5.3
         imagePullPolicy: Always
         args:
           - "-watch-resource=mongodb"
@@ -214,30 +215,21 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: MONGODB_ENTERPRISE_DATABASE_IMAGE
+          value: quay.io/mongodb/mongodb-enterprise-database:1.5.3
         - name: IMAGE_PULL_POLICY
           value: Always
-        # Database
-        - name: MONGODB_ENTERPRISE_DATABASE_IMAGE
-          value: quay.io/mongodb/mongodb-enterprise-database
-        - name: INIT_DATABASE_IMAGE_REPOSITORY
-          value: quay.io/mongodb/mongodb-enterprise-init-database
-        - name: INIT_DATABASE_VERSION
-          value: 1.0.0
-        - name: DATABASE_VERSION
-          value: 2.0.0
-        # Ops Manager
         - name: OPS_MANAGER_IMAGE_REPOSITORY
           value: quay.io/mongodb/mongodb-enterprise-ops-manager
         - name: INIT_OPS_MANAGER_IMAGE_REPOSITORY
           value: quay.io/mongodb/mongodb-enterprise-init-ops-manager
         - name: INIT_OPS_MANAGER_VERSION
-          value: 1.0.2
-        # AppDB
-        - name: APPDB_IMAGE_REPOSITORY
-          value: quay.io/mongodb/mongodb-enterprise-appdb
+          value: 1.0.0
         - name: INIT_APPDB_IMAGE_REPOSITORY
           value: quay.io/mongodb/mongodb-enterprise-init-appdb
         - name: INIT_APPDB_VERSION
-          value: 1.0.4
+          value: 1.0.0
         - name: OPS_MANAGER_IMAGE_PULL_POLICY
           value: Always
+        - name: APPDB_IMAGE_REPOSITORY
+          value: quay.io/mongodb/mongodb-enterprise-appdb

openshift-install.md

 # OpenShift Install
 
-The MongoDB Enterprise Operator requires a set of images including `operator`, `database` and others. The Openshift
+The MongoDB Enterprise Operator requires two images to work: `operator` and `database` images. The Openshift
 installation requires images to be based on Red Hat Enterprise Linux, and these images are published to [Red Hat
 Container Catalog](https://catalog.redhat.com/software/containers/explore/). You will have to create special credentials
 for your OpenShift installation to be able to fetch images from this registry.
@@ -8,7 +8,7 @@ for your OpenShift installation to be able to fetch images from this registry.
 ## Create your OpenShift Secret
 
 First, complete the instructions
-[here](https://access.redhat.com/terms-based-registry/#/token/openshift3-test-cluster/docker-config). Unfortunately,
+[here](https://access.redhat.com/terms-based-registry/#/token/openshift3-test-cluster/docker-config). Unfortunatelly,
 these instructions refer to a `registry.redhat.io` Registry which is not the one we need, but they accept the same
 credentials. First, click on "view its contents" to display the contents we need, and save these contents into a json
 file. This file includes 1 entry for `registry.redhat.io`; replicate that entry with a new name,
@@ -27,15 +27,19 @@ file. This file includes 1 entry for `registry.redhat.io`; replicate that entry
 }
 ```
 
-Now save this file and create a `Secret` object from it:
+Now save this file as `dockerconfig` and encode it as a base64 string.
+
 ```
-$ kubectl -n <your-namespace> create secret generic openshift-pull-secrets --from-file=.dockerconfigjson=<path-to-your-file> \
-        --type=kubernetes.io/dockerconfigjson
+$ cat dockerconfig | base64 -w0 > .dockerconfigjson
 ```
 
-## Install the Operator using the new Secret to pull images
+Finally, create a `Secret` object that contains this encoded string:
 
-### Installation using .yaml config file
+```
+$ kubectl -n <your-namespace> create secret generic openshift-pull-secrets --from-file=.dockerconfigjson
+```
+
+## Use the new Secret to pull images
 
 Now that the `Secret` has been created, you need to reference it from the `mongodb-enterprise-openshift.yaml` file.
 When you edit this file, you'll realize that there's a `Deployment` object at the end (the one with name
@@ -47,8 +51,7 @@ The `spec` section will look something like:
 # ...
 
 spec:
-  imagePullSecrets: 
-  - name: openshift-pull-secrets  # this is where the name of the Secret goes
+  imagePullSecrets: openshift-pull-secrets  # this is where the name of the Secret goes
   ...
   containers:
   - name: enterprise-operator
@@ -72,6 +75,8 @@ containers:
   ...
 ```
 
+## Finish the Operator Installation
+
 Now that we have instructed our OpenShift cluster to be able to fetch images from the Red Hat registry we will be able
 to install the operator using:
 
@@ -81,11 +86,3 @@ $ kubectl -n <your-namespace> -f mongodb-enterprise-openshift.yaml
 
 From now on, the OpenShift cluster will be authenticated to pull images from the Red Hat registry. Now you should be
 able to return to the regular instructions for Kubernetes.
-
-### Installation using Helm
-
-As an alternative to manual editing the config files you can use the following command to install the Operator using `Helm`:
-
-```bash
-helm install --set registry.imagePullSecrets=openshift-pull-secrets --values helm_chart/values-openshift.yaml <chart-name> helm_chart
-``` 

platform_one/mongodb-enterprise.modified.yaml

+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+imagePullSecrets:
+  - name: registry1-credentials
+
+
+---
+kind:  Role 
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  - services
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - delete
+  - update
+- apiGroups:
+  - mongodb.com
+  resources:
+  - mongodb
+  - mongodb/finalizers
+  - mongodbusers
+  - opsmanagers
+  - opsmanagers/finalizers
+  - mongodb/status
+  - mongodbusers/status
+  - opsmanagers/status
+  verbs:
+  - "*"
+# This ClusterRoleBinding is necessary in order to use validating
+# webhooks—these will prevent you from applying a variety of invalid resource
+# definitions. The validating webhooks are optional so this can be removed if
+# necessary.
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-operator-mongodb-webhook-binding
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-enterprise-operator-mongodb-webhook
+subjects:
+- kind: ServiceAccount
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+
+---
+kind:  RoleBinding 
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind:  Role 
+  name: mongodb-enterprise-operator
+subjects:
+- kind: ServiceAccount
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+
+# This ClusterRole is needed if the user wants to use the Kubernetes CA
+# infrastructure to generate certificates.
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-operator-mongodb-certs
+rules:
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - get
+  - create
+  - list
+  - watch
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-operator-mongodb-certs-binding
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-enterprise-operator-mongodb-certs
+subjects:
+- kind: ServiceAccount
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+
+
+---
+# Source: mongodb-enterprise-operator/templates/database-roles.yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mongodb-enterprise-appdb
+  namespace: mongodb
+imagePullSecrets:
+  - name: registry1-credentials
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mongodb-enterprise-database-pods
+  namespace: mongodb
+imagePullSecrets:
+  - name: registry1-credentials
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mongodb-enterprise-ops-manager
+  namespace: mongodb
+imagePullSecrets:
+  - name: registry1-credentials
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-appdb
+  namespace: mongodb
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-appdb
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: mongodb-enterprise-appdb
+subjects:
+  - kind: ServiceAccount
+    name: mongodb-enterprise-appdb
+    namespace: mongodb
+
+---
+# Source: mongodb-enterprise-operator/templates/operator.yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+spec:
+  replicas: 1
+  selector:
+      matchLabels:
+        app: mongodb-enterprise-operator
+  template:
+    metadata:
+      labels:
+        app: mongodb-enterprise-operator
+    spec:
+      serviceAccountName: mongodb-enterprise-operator
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      containers:
+      - name: mongodb-enterprise-operator
+        image: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-enterprise-operator:1.5.3
+        imagePullPolicy: Always
+        args:
+          - "-watch-resource=mongodb"
+          - "-watch-resource=opsmanagers"
+          - "-watch-resource=mongodbusers"
+        command:
+          - "/usr/local/bin/mongodb-enterprise-operator"
+        env:
+        - name: OPERATOR_ENV
+          value: prod
+        - name: WATCH_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: CURRENT_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: MONGODB_ENTERPRISE_DATABASE_IMAGE
+          value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-enterprise-database:1.5.3
+        - name: IMAGE_PULL_POLICY
+          value: Always
+        - name: OPS_MANAGER_IMAGE_REPOSITORY
+          value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-enterprise-ops-manager
+        - name: INIT_OPS_MANAGER_IMAGE_REPOSITORY
+          value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-ops-manager-init
+        - name: INIT_OPS_MANAGER_VERSION
+          value: 1.0.0
+        - name: INIT_APPDB_IMAGE_REPOSITORY
+          value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-ops-manager-appdb-init
+        - name: INIT_APPDB_VERSION
+          value: 1.0.0
+        - name: OPS_MANAGER_IMAGE_PULL_POLICY
+          value: Always
+        - name: APPDB_IMAGE_REPOSITORY
+          value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-ops-manager-appdb
+      imagePullSecrets:
+      - name: registry1-credentials
+

samples/ops-manager/ops-manager-local-mode-bincontainer.yaml → platform_one/ops-manager-localMode.yaml

@@ -5,14 +5,42 @@ metadata:
   name: ops-manager-localmode
 spec:
   replicas: 1
-  version: 4.4.1
-  adminCredentials: ops-manager-admin-secret
+  version: 4.4.14
+  adminCredentials: ops-manager-firstuser-secret
 
-  # Local Mode must be configured so Ops Manger does not download any binaries from
-  # the internet. Only the binaries present will be available for the agents.
+  # optional. The Ops Manager configuration. All the values must be of type string.
+  # Setting these values allow you to bypass the configuration wizard (a manual step).
   configuration:
+    # passing mms.ignoreInitialUiSetup=true allows to avoid the setup wizard in Ops Manager. Note, that
+    # this requires to set some mandatory configuration properties, see
+    # https://docs.opsmanager.mongodb.com/current/reference/configuration/index.html#mms.ignoreInitialUiSetup
+    mms.ignoreInitialUiSetup: "true"
+    mms.adminEmailAddr: someadmin@somewhere.com
+    mms.fromEmailAddr: someadmin@somewhere.com
+    mms.mail.hostname: someemail-smtp.somewhere.com
+    mms.mail.port: "465"
+    mms.mail.ssl: "true"
+    mms.mail.transport: smtp
+    mms.minimumTLSVersion: TLSv1.2
+    mms.replyToEmailAddr: someadmin@somewhere.com
+    mms.fromEmailAddr: someadmin@somewhere.com
+    # Local Mode must be configured so Ops Manger does not download any binaries from
+    # the internet. Only the binaries present will be available for the agents.
+    # automation.versions.source: mongodb
     automation.versions.source: local
 
+  # optional. Disabled by default. Creates an additional service to make Ops Manager reachable from
+  # outside of the Kubernetes cluster.
+  externalConnectivity:
+    # LoadBalancer|NodePort
+    type: NodePort
+    # optional. Corresponds to NodePort port
+    port: 30100
+    # optional
+    # loadBalancerIP: 123.456.789
+    # optional
+    # externalTrafficPolicy: Local
+
   statefulSet:
     spec:
       template:
@@ -28,22 +56,30 @@ spec:
                   mountPath: /mongodb-ops-manager/mongodb-releases
 
           initContainers:
-          - name: mongodb-ops-manager-db-binaries-rhel7
-            # Redirect this to IronBank
-            image: quay.io/mongodb/mongodb-enterprise/mongodb-ops-manager/mongodb-ops-manager-db-binaries-rhel7:4.2.8
+          - name: mongodb-binaries-init-container
+            image: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-ops-manager-db-bin:4.4.14
             command:
             - cp
-            - -a
-            - /binaries/*
+            - -r
+            - /binaries/.
             - /mongodb-ops-manager/mongodb-releases/
             volumeMounts:
              - name: mongodb-versions
                mountPath: /mongodb-ops-manager/mongodb-releases
 
-
-
+  # the application database backing Ops Manager. Replica Set is the only supported type
+  # Application database has the SCRAM-SHA authentication mode always enabled
   applicationDatabase:
     members: 3
+    # optional. Configures the version of MongoDB used as an application database.
+    # The bundled MongoDB binary will be used if omitted and no download from the Internet will happen
+    # version: "4.4.1"
+    persistent: true
+    podSpec:
+      cpu: '0.25'
+
+  backup:
+    enabled: false
 
 ---
 apiVersion: v1
@@ -51,9 +87,10 @@ kind: PersistentVolumeClaim
 metadata:
   name: mongodb-versions-claim
 spec:
-  storageClassName: gp2
+  # storageClassName: gp2
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
       storage: 3Gi
+

samples/kubernetes-clients/README.md

+# Examples for Kubernetes Clients   
+
+The following directories include code samples for using the MongoDB Enterprise Kubernetes Operator programatically with the different [Kubernetes API client libraries](https://github.com/kubernetes-client) available.
+
+## Disclaimer
+
+Please note that the code and scripts in these sub-folders are released for use "AS IS" without any warranties of any kind, including, but not limited to their installation, use, or performance. 
+ 
+We do not warrant that the technology will meet your requirements, that the operation thereof will be uninterrupted or error-free, or that any errors will be corrected. 
+
+Any use of these sample scripts is at user's own risk. There is no guarantee that they have been through thorough testing in a comparable environment and we are not responsible for any damage or data loss incurred with their use. 
+
+The user is responsible for reviewing and testing any scripts to be executed thoroughly before use in any non-testing environment.
\ No newline at end of file

samples/kubernetes-clients/python/README.md

+The following examples using the [Official Python client library for Kubernetes](https://github.com/kubernetes-client/python) show how to:
+
+- Creation of the following Kubernetes objects:
+   - Config map for the Ops/Cloud Manager project
+   - Secret for the API user
+   
+- Create and delete the following type of MongoDB deployments:
+   - Standalone
+   - Replica Set
+   - Sharded Cluster
+
+The sample code has been tested with Python 2.7 and 3.6. 
+
+For more details, please refer to the repository for the Python client library for Kubernetes: https://github.com/kubernetes-client/python
+
+**NOTE**: the given example assume the existence of the following:
+ - namespace `mongodb`
+ - ClusterRole/Role `mongodb-enterprise-operator`
+ - ClusterRoleBinding/RoleBinding `mongodb-enterprise-operator` 
+ - ServiceAccount `mongodb-enterprise-operator`
+ 
+ If using a different namespace, please modify the relevant variable in the sample code.
\ No newline at end of file

samples/kubernetes-clients/python/mongodb_kube_client.py

+from __future__ import print_function
+
+import base64
+
+from pprint import pprint
+from kubernetes import client, config
+from kubernetes.client.rest import ApiException
+
+# Added for Python2 and Python3 cross-compatibility
+try:
+
+    def base64encode(input_string):
+        return base64.encodebytes(bytes(input_string, "utf-8"))
+
+
+except:
+    base64encode = base64.b64encode
+
+
+class MongoDBEnterpriseKubeClient(object):
+    def __init__(self, namespace, om_api_user, om_api_key, om_project_id, om_base_url):
+
+        config.load_kube_config()
+
+        # Instantiate Core V1 API
+        self.v1 = client.CoreV1Api()
+
+        # Instantiate RBAC Auth V1 API
+        self.rbac_auth_v1 = client.RbacAuthorizationV1Api()
+
+        # Instantiate Apps V1 API
+        self.apps_v1 = client.AppsV1Api()
+
+        # Instantiate Custom Objects API - for creating MongoDB deployments
+        self.custom_obj = client.CustomObjectsApi()
+
+        # Namespace; must be already created in the Kubernetes Cluster
+        self.namespace = namespace
+
+        # Ops Manager API information
+        self.om_api_user = om_api_user
+        self.om_api_key = om_api_key
+
+        # Ops Manager project information
+        self.om_project_id = om_project_id
+        self.om_base_url = om_base_url
+
+    def create_secret(self):
+        """
+        Create secret:
+        https://docs.opsmanager.mongodb.com/current/tutorial/install-k8s-operator/index.html#create-credentials
+
+        Equivalent to execute:
+        kubectl -n mongodb create secret generic \
+          my-credentials --from-literal="user=<first.last@example.com>" \
+          --from-literal="publicApiKey=<my-public-api-key>"
+        """
+
+        print(
+            "Creating secret for user named %s with the provided API key"
+            % self.om_api_user
+        )
+        metadata = client.V1ObjectMeta(name="my-credentials", namespace=self.namespace)
+
+        # Encode credentials
+        encoded_user = base64encode(self.om_api_user)
+        encoded_key = base64encode(self.om_api_key)
+
+        # Transform binary into string
+        encoded_user = encoded_user.decode("utf-8").rstrip("\n")
+        encoded_key = encoded_key.decode("utf-8").rstrip("\n")
+
+        body = client.V1Secret(
+            api_version="v1",
+            kind="Secret",
+            metadata=metadata,
+            type="from-literal",
+            data={"user": encoded_user, "publicApiKey": encoded_key},
+        )
+
+        try:
+            api_response = self.v1.create_namespaced_secret(self.namespace, body)
+            pprint(api_response)
+        except ApiException as e:
+            print("Exception when creating secret: %s\n" % e)
+
+    def create_config_map(self):
+        """
+        Create a config map:
+        https://docs.opsmanager.mongodb.com/current/tutorial/install-k8s-operator/index.html#create-onprem-project
+        """
+
+        print(
+            "Creating config map for project ID %s with base URL %s"
+            % (self.om_project_id, self.om_base_url)
+        )
+        metadata = client.V1ObjectMeta(name="my-project", namespace=self.namespace)
+
+        body = client.V1ConfigMap(
+            api_version="v1",
+            kind="ConfigMap",
+            metadata=metadata,
+            data={"projectId": self.om_project_id, "baseUrl": self.om_base_url},
+        )
+
+        try:
+            api_response = self.v1.create_namespaced_config_map(self.namespace, body)
+            pprint(api_response)
+        except ApiException as e:
+            print("Exception when creating config map: %s\n" % e)
+
+    def deploy_standalone(self, mongo_version, name):
+        """
+        Creating a standalone MongoDB process.
+        """
+
+        group = "mongodb.com"
+        version = "v1"
+        plural = "mongodb"
+
+        body = {
+            "spec": {
+                "persistent": False,
+                "version": str(mongo_version),
+                "credentials": "my-credentials",
+                "project": "my-project",
+            },
+            "kind": "MongoDB",
+            "apiVersion": "mongodb.com/v1",
+            "metadata": {"name": name, "namespace": self.namespace},
+        }
+
+        try:
+            api_response = self.custom_obj.create_namespaced_custom_object(
+                group, version, self.namespace, plural, body
+            )
+            pprint(api_response)
+        except ApiException as e:
+            print("Exception when creating a MongoDB standalone process: %s\n" % e)
+
+    def deploy_replica_set(self, mongo_version, name, members=3):
+        """
+        Creating a MongoDB Replica Set.
+        """
+
+        group = "mongodb.com"
+        version = "v1"
+        plural = "mongodb"
+
+        body = {
+            "spec": {
+                "members": members,
+                "persistent": False,
+                "version": str(mongo_version),
+                "credentials": "my-credentials",
+                "project": "my-project",
+            },
+            "kind": "MongoDB",
+            "apiVersion": "mongodb.com/v1",
+            "metadata": {"name": name, "namespace": self.namespace},
+        }
+
+        try:
+
+            api_response = self.custom_obj.create_namespaced_custom_object(
+                group, version, self.namespace, plural, body
+            )
+            pprint(api_response)
+        except ApiException as e:
+            print("Exception when creating a MongoDB Replica Set: %s\n" % e)
+
+    def deploy_sharded_cluster(
+        self,
+        mongo_version,
+        name,
+        num_shards,
+        num_mongos,
+        num_mongod_per_shard=3,
+        num_cfg_rs_members=3,
+    ):
+        """
+        Creating a MongoDB Sharded Cluster.
+        """
+
+        group = "mongodb.com"
+        version = "v1"
+        plural = "mongodb"
+
+        body = {
+            "spec": {
+                "shardCount": num_shards,
+                "mongodsPerShardCount": num_mongod_per_shard,
+                "mongosCount": num_mongos,
+                "persistent": False,
+                "version": mongo_version,
+                "configServerCount": num_cfg_rs_members,
+                "credentials": "my-credentials",
+                "project": "my-project",
+            },
+            "kind": "MongoDB",
+            "apiVersion": "mongodb.com/v1",
+            "metadata": {"name": name, "namespace": self.namespace},
+        }
+
+        try:
+            api_response = self.custom_obj.create_namespaced_custom_object(
+                group, version, self.namespace, plural, body
+            )
+            pprint(api_response)
+        except ApiException as e:
+            print("Exception when creating a MongoDB Sharded Cluster: %s\n" % e)
+
+    def delete_mongo_process(self, name, type_plural):
+        """
+        Delete MongoDB deployments by name and type
+        """
+
+        group = "mongodb.com"
+        version = "v1"
+        namespace = self.namespace
+        plural = type_plural
+        body = client.V1DeleteOptions(propagation_policy="Background")
+        grace_period_seconds = 56
+        orphan_dependents = False
+
+        try:
+            api_response = self.custom_obj.delete_namespaced_custom_object(
+                group,
+                version,
+                namespace,
+                plural,
+                name,
+                body,
+                grace_period_seconds=grace_period_seconds,
+                orphan_dependents=orphan_dependents,
+            )
+            pprint(api_response)
+            if api_response["status"] == "Success":
+                return True
+        except ApiException as e:
+            print("Exception when deleting MongoDB deployment: %s\n" % e)
+        return False
+
+
+if __name__ == "__main__":
+    pass

samples/kubernetes-clients/python/mongodb_kube_operator.cfg

+ops_manager:
+  project:
+  api_user:
+  api_key:
+  base_url:
+
+kubernetes:
+  namespace: mongodb

samples/kubernetes-clients/python/requirements.txt

+kubernetes==6.0.0
\ No newline at end of file

samples/kubernetes-clients/python/test_mongodb_kube_client.py

+#!/usr/bin/env python
+from __future__ import print_function
+
+import yaml
+
+from mongodb_kube_client import MongoDBEnterpriseKubeClient
+
+
+def parse_config_file(path):
+    """
+    Parses the config file in the given path
+    """
+    with open(path, "r") as parameters:
+        try:
+            return yaml.load(parameters)
+        except yaml.YAMLError as exc:
+            print("Error when loading environment variables", exc)
+
+
+def main():
+    parameters = parse_config_file("mongodb_kube_operator.cfg")
+
+    namespace = parameters["kubernetes"]["namespace"]
+    om_project = parameters["ops_manager"]["project"]
+    om_base_url = parameters["ops_manager"]["base_url"]
+    om_api_user = parameters["ops_manager"]["api_user"]
+    om_api_key = parameters["ops_manager"]["api_key"]
+
+    # Instantiate client wrapper
+    kube_client = MongoDBEnterpriseKubeClient(
+        namespace, om_api_user, om_api_key, om_project, om_base_url
+    )
+
+    # Create a secret and config map for project
+    kube_client.create_secret()
+    kube_client.create_config_map()
+
+    # Create a standalone, replica set and sharded cluster
+
+    kube_client.deploy_standalone(mongo_version="4.0.0", name="my-standalone")
+
+    kube_client.deploy_replica_set(
+        mongo_version="4.0.0", name="my-replica-set", members=3
+    )
+
+    kube_client.deploy_sharded_cluster(
+        mongo_version="4.0.0",
+        name="my-sharded-cluster",
+        num_mongod_per_shard=3,
+        num_shards=2,
+        num_cfg_rs_members=3,
+        num_mongos=2,
+    )
+    """
+    # Delete the created deployments
+
+    kube_client.delete_mongo_process(name="my-standalone", type_plural="mongodb")
+
+    kube_client.delete_mongo_process(name="my-replica-set", type_plural="mongodb")
+
+    kube_client.delete_mongo_process(name="my-sharded-cluster", type_plural="mongodb")
+    """
+
+
+if __name__ == "__main__":
+    main()

samples/mongodb/agent-startup-options/replica-set-agent-startup-options.yaml

-apiVersion: mongodb.com/v1
-kind: MongoDB
-metadata:
-  name: my-replica-set-agent-parameters
-spec:
-  members: 3
-  version: 4.4.0-ent
-  type: ReplicaSet
-  opsManager:
-    configMapRef:
-      name: my-project
-  credentials: my-credentials
-  persistent: true
-  # optional. Allows to pass custom flags that will be used
-  # when launching the mongodb agent. All values must be strings
-  # The full list of available settings is at:
-  # https://docs.opsmanager.mongodb.com/current/reference/mongodb-agent-settings/
-  agent:
-    startupOptions:
-      maxLogFiles: "30"
-      dialTimeoutSeconds: "40"

samples/mongodb/agent-startup-options/sharded-cluster-agent-startup-options.yaml

-apiVersion: mongodb.com/v1
-kind: MongoDB
-metadata:
-  name: my-sharded-cluster-options
-spec:
-  version: 4.4.0-ent
-  type: ShardedCluster
-  opsManager:
-    configMapRef:
-      name: my-project
-  credentials: my-credentials
-  persistent: true
-  shardCount: 2
-  mongodsPerShardCount: 3
-  mongosCount: 2
-  configServerCount: 1
-
-  mongos:
-    # optional. Allows to pass custom flags that will be used
-    # when launching the mongodb agent for mongos processes.
-    # All values must be string
-    # The full list of available settings is at:
-    # https://docs.opsmanager.mongodb.com/current/reference/mongodb-agent-settings/
-    agent:
-      startupOptions:
-        maxLogFiles: "30"
-
-  configSrv:
-     # optional. Allows to pass custom flags that will be used
-     # when launching the mongodb agent for Config Server mongod processes.
-     # All values must be string
-     # The full list of available settings is at:
-     # https://docs.opsmanager.mongodb.com/current/reference/mongodb-agent-settings/
-     agent:
-       startupOptions:
-         dialTimeoutSeconds: "40"
-  shard:
-     # optional. Allows to pass custom flags that will be used
-     # when launching the mongodb agent for Shards mongod processes.
-     # All values must be string
-     # The full list of available settings is at:
-     # https://docs.opsmanager.mongodb.com/current/reference/mongodb-agent-settings/
-     agent:
-       startupOptions:
-         serverSelectionTimeoutSeconds: "20"

samples/mongodb/agent-startup-options/standalone-agent-startup-options.yaml

----
-apiVersion: mongodb.com/v1
-kind: MongoDB
-metadata:
-  name: my-standalone
-spec:
-  version: 4.4.0-ent
-  service: my-service
-
-  opsManager:
-    configMapRef:
-      name: my-project
-  credentials: my-credentials
-  type: Standalone
-
-  persistent: true
-  # optional. Allows to pass custom flags that will be used
-  # when launching the mongodb agent. All values must be strings
-  # The full list of available settings is at:
-  # https://docs.opsmanager.mongodb.com/current/reference/mongodb-agent-settings/
-  agent:
-    startupOptions:
-      maxLogFiles: "30"
-      dialTimeoutSeconds: "40"

samples/mongodb/authentication/ldap/replica-set/replica-set-ldap-user.yaml

----
-apiVersion: mongodb.com/v1
-kind: MongoDBUser
-metadata:
-  name: my-ldap-user
-spec:
-  username: my-ldap-user
-  db: $external
-  mongodbResourceRef:
-    name: my-ldap-enabled-replica-set # The name of the MongoDB resource this user will be added to
-  roles:
-    - db: admin
-      name: clusterAdmin
-    - db: admin
-      name: userAdminAnyDatabase
-    - db: admin
-      name: readWrite
-    - db: admin
-      name: userAdminAnyDatabase

samples/mongodb/authentication/ldap/replica-set/replica-set-ldap.yaml

-# Creates a MongoDB Replica Set with LDAP Authentication Enabled.
-# LDAP is an Enterprise-only feature.
-
----
-apiVersion: mongodb.com/v1
-kind: MongoDB
-metadata:
-  name: my-ldap-enabled-replica-set
-spec:
-  type: ReplicaSet
-  members: 3
-  version: 4.0.4-ent
-
-  opsManager:
-    configMapRef:
-      name: my-project
-  credentials: my-credentials
-
-  security:
-    authentication:
-      enabled: true
-      # Enabled LDAP Authentication Mode
-      modes: ["LDAP"]
-
-      # LDAP related configuration
-      ldap:
-        # Specify the hostname:port combination of one or
-        # more LDAP servers
-        servers:
-        - "<ldap-server0>"
-        - "<ldap-server1>"
-
-        # Set to "tls" to use LDAP over TLS. Leave blank if
-        # LDAP server does not accept TLS.
-        transportSecurity: "tls"
-
-        # ConfigMap containing a CA certificate that validates
-        # the LDAP server's TLS certificate.
-        caConfigMapRef:
-          name: "<configmap-name>"
-          key: "<configmap-entry-key>"
-
-        # Specify the LDAP Distinguished Name to which
-        # MongoDB binds when connecting to the LDAP server
-        bindQueryUser: "cn=admin,dc=example,dc=org"
-
-        # Specify the password with which MongoDB binds
-        # when connecting to an LDAP server. This is a
-        # reference to a Secret Kubernetes Object containing
-        # one "password" key.
-        bindQueryPasswordSecretRef:
-          name: "<secret-name>"
-

samples/mongodb/authentication/ldap/sharded-cluster/sharded-cluster-ldap-user.yaml

----
-apiVersion: mongodb.com/v1
-kind: MongoDBUser
-metadata:
-  name: my-ldap-user
-spec:
-  username: my-ldap-user
-  db: $external
-  mongodbResourceRef:
-    name: my-ldap-enabled-sharded-cluster # The name of the MongoDB resource this user will be added to
-  roles:
-    - db: admin
-      name: clusterAdmin
-    - db: admin
-      name: userAdminAnyDatabase
-    - db: admin
-      name: readWrite
-    - db: admin
-      name: userAdminAnyDatabase

samples/mongodb/authentication/ldap/sharded-cluster/sharded-cluster-ldap.yaml

----
-apiVersion: mongodb.com/v1
-kind: MongoDB
-metadata:
-  name: my-ldap-enabled-sharded-cluster
-spec:
-  type: ShardedCluster
-
-  shardCount: 2
-  mongodsPerShardCount: 3
-  mongosCount: 2
-  configServerCount: 3
-
-  version: 4.0.4-ent
-
-  opsManager:
-    configMapRef:
-      name: my-project
-  credentials: my-credentials
-
-  security:
-    authentication:
-      enabled: true
-
-      # Enabled LDAP Authentication Mode
-      modes: ["LDAP"]
-
-      # LDAP related configuration
-      ldap:
-        # Specify the hostname:port combination of one or
-        # more LDAP servers
-        servers:
-        - "<ldap-server0>"
-        - "<ldap-server1>"
-
-        # Set to "tls" to use LDAP over TLS. Leave blank if
-        # LDAP server does not accept TLS.
-        transportSecurity: "tls"
-
-        # ConfigMap containing a CA certificate that validates
-        # the LDAP server's TLS certificate.
-        caConfigMapRef:
-          name: "<configmap-name>"
-          key: "<configmap-entry-key>"
-
-        # Specify the LDAP Distinguished Name to which
-        # MongoDB binds when connecting to the LDAP server
-        bindQueryUser: "cn=admin,dc=example,dc=org"
-
-        # Specify the password with which MongoDB binds
-        # when connecting to an LDAP server. This is a
-        # reference to a Secret Kubernetes Object containing
-        # one "password" key.
-        bindQueryPasswordSecretRef:
-          name: "<secret-name>"
-