Merge branch 'operator-repo-initialpush' into 'development'

Mirror of repo available on open internet. See merge request !1

Merge branch 'operator-repo-initialpush' into 'development'
Mirror of repo available on open internet. See merge request !1
64d8d739 · Andy Maksymowicz · 8fb6dc63 · b3cbc173 · 64d8d739 · 64d8d739
Commit 64d8d739 authored Nov 04, 2020 by Andy Maksymowicz
20 changed files
--- a/helm_chart/values-openshift.yaml
+++ b/helm_chart/values-openshift.yaml
+# Name of the Namespace to use
+namespace: mongodb
+# OpenShift manages security context on its own
+managedSecurityContext: true
+operator:
+  # Execution environment for the operator, dev or prod. Use dev for more verbose logging
+  env: prod
+  # Name that will be assigned to most of internal Kubernetes objects like Deployment, ServiceAccount, Role etc.
+  name: enterprise-operator
+  # Name of the deployment of the operator pod
+  deployment_name: mongodb-enterprise-operator
+  # Version of mongodb-enterprise-operator and mongodb-enterprise-database images
+  version: 1.8.0
+  # The Custom Resources that will be watched by the Operator. Needs to be changed if only some of the CRDs are installed
+  watchedResources:
+  - mongodb
+  - opsmanagers
+  - mongodbusers
+## Database
+database:
+  name: enterprise-database
+  version: 2.0.0
+initDatabase:
+  name: mongodb-enterprise-init-database
+  version: 1.0.0
+## Ops Manager
+opsManager:
+  name: mongodb-enterprise-ops-manager
+initOpsManager:
+  name: mongodb-enterprise-init-ops-manager
+  version: 1.0.2
+## Application Database
+appDb:
+  name: mongodb-enterprise-appdb
+initAppDb:
+  name: mongodb-enterprise-init-appdb
+  version: 1.0.4
+## Registry
+registry:
+  # The pull secret must be specified
+  imagePullSecrets:
+  pullPolicy: Always
+  database: registry.connect.redhat.com/mongodb
+  operator: registry.connect.redhat.com/mongodb
+  initDatabase: registry.connect.redhat.com/mongodb
+  initOpsManager: registry.connect.redhat.com/mongodb
+  opsManager: registry.connect.redhat.com/mongodb
+  initAppDb: registry.connect.redhat.com/mongodb
+  appDb: registry.connect.redhat.com/mongodb
+# Set this to true if the operator will require Kubernetes CA
+# infrastructure to generate TLS certificates.
+needsCAInfrastructure: true
+# Set this to false to disable subresource utilization
+# It might be required on some versions of Openshift
+subresourceEnabled: true
--- a/helm_chart/values.yaml
+++ b/helm_chart/values.yaml
+# Name of the Namespace to use
+namespace: mongodb
+## Operator
+# Set this to true if your cluster is managing SecurityContext for you.
+# If running OpenShift (Cloud, Minishift, etc.), set this to true.
+managedSecurityContext: false
+operator:
+  # Execution environment for the operator, dev or prod. Use dev for more verbose logging
+  env: prod
+  # Name that will be assigned to most of internal Kubernetes objects like Deployment, ServiceAccount, Role etc.
+  name: mongodb-enterprise-operator
+  # Name of the deployment of the operator pod
+  deployment_name: mongodb-enterprise-operator
+  # Version of mongodb-enterprise-operator and mongodb-enterprise-database images
+  version: 1.8.0
+  # The Custom Resources that will be watched by the Operator. Needs to be changed if only some of the CRDs are installed
+  watchedResources:
+  - mongodb
+  - opsmanagers
+  - mongodbusers
+## Database
+database:
+  name: mongodb-enterprise-database
+  version: 2.0.0
+initDatabase:
+  name: mongodb-enterprise-init-database
+  version: 1.0.0
+## Ops Manager
+opsManager:
+  name: mongodb-enterprise-ops-manager
+initOpsManager:
+  name: mongodb-enterprise-init-ops-manager
+  version: 1.0.2
+## Application Database
+appDb:
+  name: mongodb-enterprise-appdb
+initAppDb:
+  name: mongodb-enterprise-init-appdb
+  version: 1.0.4
+## Registry
+registry:
+  imagePullSecrets:
+  # TODO: specify for each image and move there?
+  pullPolicy: Always
+  # Specify if images are pulled from private registry
+  operator: quay.io/mongodb
+  database: quay.io/mongodb
+  initDatabase: quay.io/mongodb
+  initOpsManager: quay.io/mongodb
+  opsManager: quay.io/mongodb
+  initAppDb: quay.io/mongodb
+  appDb: quay.io/mongodb
+# Set this to true if the operator will require Kubernetes CA
+# infrastructure to generate TLS certificates.
+needsCAInfrastructure: true
+# Set this to false to disable subresource utilization
+# It might be required on some versions of Openshift
+subresourceEnabled: true
--- a/mongodb-enterprise-openshift.yaml
+++ b/mongodb-enterprise-openshift.yaml
+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: enterprise-operator
+  namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: enterprise-operator-mongodb-certs
+rules:
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - get
+  - create
+  - list
+  - watch
+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: enterprise-operator-mongodb-webhook-binding
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-enterprise-operator-mongodb-webhook
+subjects:
+- kind: ServiceAccount
+  name: enterprise-operator
+  namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: enterprise-operator-mongodb-certs-binding
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: enterprise-operator-mongodb-certs
+subjects:
+- kind: ServiceAccount
+  name: enterprise-operator
+  namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+kind:  Role 
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: enterprise-operator
+  namespace: mongodb
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  - services
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - delete
+  - update
+- apiGroups:
+  - mongodb.com
+  resources:
+  - mongodb
+  - mongodb/finalizers
+  - mongodbusers
+  - opsmanagers
+  - opsmanagers/finalizers
+  - mongodb/status
+  - mongodbusers/status
+  - opsmanagers/status
+  verbs:
+  - "*"
+# This ClusterRoleBinding is necessary in order to use validating
+# webhooks—these will prevent you from applying a variety of invalid resource
+# definitions. The validating webhooks are optional so this can be removed if
+# necessary.
+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+kind:  RoleBinding 
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: enterprise-operator
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind:  Role 
+  name: enterprise-operator
+subjects:
+- kind: ServiceAccount
+  name: enterprise-operator
+  namespace: mongodb
+# This ClusterRole is needed if the user wants to use the Kubernetes CA
+# infrastructure to generate certificates.
+---
+# Source: mongodb-enterprise-operator/templates/database-roles.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mongodb-enterprise-appdb
+  namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/database-roles.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mongodb-enterprise-database-pods
+  namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/database-roles.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mongodb-enterprise-ops-manager
+  namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/database-roles.yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-appdb
+  namespace: mongodb
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+---
+# Source: mongodb-enterprise-operator/templates/database-roles.yaml
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-appdb
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: mongodb-enterprise-appdb
+subjects:
+  - kind: ServiceAccount
+    name: mongodb-enterprise-appdb
+    namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/operator.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: enterprise-operator
+  namespace: mongodb
+spec:
+  replicas: 1
+  selector:
+      matchLabels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/name: enterprise-operator
+        app.kubernetes.io/instance: enterprise-operator
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/name: enterprise-operator
+        app.kubernetes.io/instance: enterprise-operator
+    spec:
+      serviceAccountName: enterprise-operator
+      containers:
+      - name: mongodb-enterprise-operator
+        image: registry.connect.redhat.com/mongodb/enterprise-operator:1.8.0
+        imagePullPolicy: Always
+        args:
+          - "-watch-resource=mongodb"
+          - "-watch-resource=opsmanagers"
+          - "-watch-resource=mongodbusers"
+        command:
+          - "/usr/local/bin/mongodb-enterprise-operator"
+        env:
+        - name: OPERATOR_ENV
+          value: prod
+        - name: WATCH_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: CURRENT_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: MANAGED_SECURITY_CONTEXT
+          value: 'true'
+        - name: IMAGE_PULL_POLICY
+          value: Always
+        # Database
+        - name: MONGODB_ENTERPRISE_DATABASE_IMAGE
+          value: registry.connect.redhat.com/mongodb/enterprise-database
+        - name: INIT_DATABASE_IMAGE_REPOSITORY
+          value: registry.connect.redhat.com/mongodb/mongodb-enterprise-init-database
+        - name: INIT_DATABASE_VERSION
+          value: 1.0.0
+        - name: DATABASE_VERSION
+          value: 2.0.0
+        # Ops Manager
+        - name: OPS_MANAGER_IMAGE_REPOSITORY
+          value: registry.connect.redhat.com/mongodb/mongodb-enterprise-ops-manager
+        - name: INIT_OPS_MANAGER_IMAGE_REPOSITORY
+          value: registry.connect.redhat.com/mongodb/mongodb-enterprise-init-ops-manager
+        - name: INIT_OPS_MANAGER_VERSION
+          value: 1.0.2
+        # AppDB
+        - name: APPDB_IMAGE_REPOSITORY
+          value: registry.connect.redhat.com/mongodb/mongodb-enterprise-appdb
+        - name: INIT_APPDB_IMAGE_REPOSITORY
+          value: registry.connect.redhat.com/mongodb/mongodb-enterprise-init-appdb
+        - name: INIT_APPDB_VERSION
+          value: 1.0.4
+        - name: OPS_MANAGER_IMAGE_PULL_POLICY
+          value: Always
--- a/mongodb-enterprise.yaml
+++ b/mongodb-enterprise.yaml
+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-operator-mongodb-certs
+rules:
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - get
+  - create
+  - list
+  - watch
+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-operator-mongodb-webhook-binding
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-enterprise-operator-mongodb-webhook
+subjects:
+- kind: ServiceAccount
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-operator-mongodb-certs-binding
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-enterprise-operator-mongodb-certs
+subjects:
+- kind: ServiceAccount
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+kind:  Role 
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  - services
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - delete
+  - update
+- apiGroups:
+  - mongodb.com
+  resources:
+  - mongodb
+  - mongodb/finalizers
+  - mongodbusers
+  - opsmanagers
+  - opsmanagers/finalizers
+  - mongodb/status
+  - mongodbusers/status
+  - opsmanagers/status
+  verbs:
+  - "*"
+# This ClusterRoleBinding is necessary in order to use validating
+# webhooks—these will prevent you from applying a variety of invalid resource
+# definitions. The validating webhooks are optional so this can be removed if
+# necessary.
+---
+# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
+kind:  RoleBinding 
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind:  Role 
+  name: mongodb-enterprise-operator
+subjects:
+- kind: ServiceAccount
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+# This ClusterRole is needed if the user wants to use the Kubernetes CA
+# infrastructure to generate certificates.
+---
+# Source: mongodb-enterprise-operator/templates/database-roles.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mongodb-enterprise-appdb
+  namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/database-roles.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mongodb-enterprise-database-pods
+  namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/database-roles.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mongodb-enterprise-ops-manager
+  namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/database-roles.yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-appdb
+  namespace: mongodb
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+---
+# Source: mongodb-enterprise-operator/templates/database-roles.yaml
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-enterprise-appdb
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: mongodb-enterprise-appdb
+subjects:
+  - kind: ServiceAccount
+    name: mongodb-enterprise-appdb
+    namespace: mongodb
+---
+# Source: mongodb-enterprise-operator/templates/operator.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mongodb-enterprise-operator
+  namespace: mongodb
+spec:
+  replicas: 1
+  selector:
+      matchLabels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/name: mongodb-enterprise-operator
+        app.kubernetes.io/instance: mongodb-enterprise-operator
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: controller
+        app.kubernetes.io/name: mongodb-enterprise-operator
+        app.kubernetes.io/instance: mongodb-enterprise-operator
+    spec:
+      serviceAccountName: mongodb-enterprise-operator
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+      containers:
+      - name: mongodb-enterprise-operator
+        image: quay.io/mongodb/mongodb-enterprise-operator:1.8.0
+        imagePullPolicy: Always
+        args:
+          - "-watch-resource=mongodb"
+          - "-watch-resource=opsmanagers"
+          - "-watch-resource=mongodbusers"
+        command:
+          - "/usr/local/bin/mongodb-enterprise-operator"
+        env:
+        - name: OPERATOR_ENV
+          value: prod
+        - name: WATCH_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: CURRENT_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: IMAGE_PULL_POLICY
+          value: Always
+        # Database
+        - name: MONGODB_ENTERPRISE_DATABASE_IMAGE
+          value: quay.io/mongodb/mongodb-enterprise-database
+        - name: INIT_DATABASE_IMAGE_REPOSITORY
+          value: quay.io/mongodb/mongodb-enterprise-init-database
+        - name: INIT_DATABASE_VERSION
+          value: 1.0.0
+        - name: DATABASE_VERSION
+          value: 2.0.0
+        # Ops Manager
+        - name: OPS_MANAGER_IMAGE_REPOSITORY
+          value: quay.io/mongodb/mongodb-enterprise-ops-manager
+        - name: INIT_OPS_MANAGER_IMAGE_REPOSITORY
+          value: quay.io/mongodb/mongodb-enterprise-init-ops-manager
+        - name: INIT_OPS_MANAGER_VERSION
+          value: 1.0.2
+        # AppDB
+        - name: APPDB_IMAGE_REPOSITORY
+          value: quay.io/mongodb/mongodb-enterprise-appdb
+        - name: INIT_APPDB_IMAGE_REPOSITORY
+          value: quay.io/mongodb/mongodb-enterprise-init-appdb
+        - name: INIT_APPDB_VERSION
+          value: 1.0.4
+        - name: OPS_MANAGER_IMAGE_PULL_POLICY
+          value: Always
--- a/openshift-install.md
+++ b/openshift-install.md
+# OpenShift Install
+The MongoDB Enterprise Operator requires a set of images including `operator`, `database` and others. The Openshift
+installation requires images to be based on Red Hat Enterprise Linux, and these images are published to [Red Hat
+Container Catalog](https://catalog.redhat.com/software/containers/explore/). You will have to create special credentials
+for your OpenShift installation to be able to fetch images from this registry.
+## Create your OpenShift Secret
+First, complete the instructions
+[here](https://access.redhat.com/terms-based-registry/#/token/openshift3-test-cluster/docker-config). Unfortunately,
+these instructions refer to a `registry.redhat.io` Registry which is not the one we need, but they accept the same
+credentials. First, click on "view its contents" to display the contents we need, and save these contents into a json
+file. This file includes 1 entry for `registry.redhat.io`; replicate that entry with a new name,
+"`registry.connect.redhat.com`", as in the following example:
+```json
+{
+  "auths": {
+    "registry.redhat.io": {
+      "auth": "YOURBASE64USERNAMEANDPASSWORD"
+    },
+    "registry.connect.redhat.com": {
+      "auth": "YOURBASE64USERNAMEANDPASSWORD"
+    }
+  }
+}
+```
+Now save this file and create a `Secret` object from it:
+```
+$ kubectl -n <your-namespace> create secret generic openshift-pull-secrets --from-file=.dockerconfigjson=<path-to-your-file> \
+        --type=kubernetes.io/dockerconfigjson
+```
+## Install the Operator using the new Secret to pull images
+### Installation using .yaml config file
+Now that the `Secret` has been created, you need to reference it from the `mongodb-enterprise-openshift.yaml` file.
+When you edit this file, you'll realize that there's a `Deployment` object at the end (the one with name
+`enterprise-operator`). This `Deployment` needs to be modified slightly, under the `spec` section you need to add
+a new attribute, with name `imagePullSecrets` and use the name of the `Secrets` object that you downloaded and created.
+The `spec` section will look something like:
+```yaml
+# ...
+spec:
+  imagePullSecrets: 
+  - name: openshift-pull-secrets  # this is where the name of the Secret goes
+  ...
+  containers:
+  - name: enterprise-operator
+    ...
+# ...
+```
+That's one image. You will also have to set a new environment variable, on the `env` section, like in the following
+snippet:
+```yaml
+containers:
+- name: enterprise-operator
+  image: registry.connect.redhat.com/mongodb/enterprise-operator:<version>
+  imagePullPolicy: Always
+  env:
+  ...
+  - name: IMAGE_PULL_SECRETS
+    value: openshift-pull-secrets
+  ...
+```
+Now that we have instructed our OpenShift cluster to be able to fetch images from the Red Hat registry we will be able
+to install the operator using:
+```bash
+$ kubectl -n <your-namespace> -f mongodb-enterprise-openshift.yaml
+```
+From now on, the OpenShift cluster will be authenticated to pull images from the Red Hat registry. Now you should be
+able to return to the regular instructions for Kubernetes.
+### Installation using Helm
+As an alternative to manual editing the config files you can use the following command to install the Operator using `Helm`:
+```bash
+helm install --set registry.imagePullSecrets=openshift-pull-secrets --values helm_chart/values-openshift.yaml <chart-name> helm_chart
+``` 
--- a/samples/mongodb/affinity/replica-set-affinity.yaml
+++ b/samples/mongodb/affinity/replica-set-affinity.yaml
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: my-replica-set
+spec:
+  members: 3
+  version: 4.2.1-ent
+  service: my-service
+  opsManager:
+    configMapRef:
+      name: my-project
+  credentials: my-credentials
+  type: ReplicaSet
+  persistent: true
+  podSpec:
+    memory: 512M
+    # For podAffinity and nodeAffinity see Kubernetes Docs
+    # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+    podAntiAffinityTopologyKey: nodeId
+    podAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+      - labelSelector:
+          matchExpressions:
+          - key: security
+            operator: In
+            values:
+            - S1
+        topologyKey: failure-domain.beta.kubernetes.io/zone
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: kubernetes.io/e2e-az-name
+            operator: In
+            values:
+            - e2e-az1
+            - e2e-az2
--- a/samples/mongodb/affinity/sharded-cluster-affinity.yaml
+++ b/samples/mongodb/affinity/sharded-cluster-affinity.yaml
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: my-sharded-cluster
+spec:
+  shardCount: 2
+  mongodsPerShardCount: 3
+  mongosCount: 2
+  configServerCount: 3
+  version: 4.2.1-ent
+  service: my-service
+  opsManager:
+    configMapRef:
+      name: my-project
+  credentials: my-credentials
+  type: ShardedCluster
+  persistent: true
+  configSrvPodSpec:
+    # For podAffinity and nodeAffinity see Kubernetes Docs
+    # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+    podAntiAffinityTopologyKey: kubernetes.io/hostname
+    podAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+      - labelSelector:
+          matchExpressions:
+          - key: security
+            operator: In
+            values:
+            - S1
+        topologyKey: failure-domain.beta.kubernetes.io/zone
+  mongosPodSpec:
+    nodeAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 1
+        preference:
+          matchExpressions:
+          - key: another-node-label-key
+            operator: In
+            values:
+            - another-node-label-value
+  shardPodSpec:
+    podAntiAffinityTopologyKey: rackId
--- a/samples/mongodb/affinity/standalone-affinity.yaml
+++ b/samples/mongodb/affinity/standalone-affinity.yaml
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: my-standalone
+spec:
+  version: 4.2.1-ent
+  service: my-service
+  opsManager:
+    configMapRef:
+      name: my-project
+  credentials: my-credentials
+  type: Standalone
+  persistent: true
+  podSpec:
+    # For podAffinity and nodeAffinity see Kubernetes Docs
+    # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+    podAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+      - labelSelector:
+          matchExpressions:
+          - key: security
+            operator: In
+            values:
+            - S1
+        topologyKey: failure-domain.beta.kubernetes.io/zone
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: kubernetes.io/e2e-az-name
+            operator: In
+            values:
+            - e2e-az1
+            - e2e-az2
--- a/samples/mongodb/agent-startup-options/replica-set-agent-startup-options.yaml
+++ b/samples/mongodb/agent-startup-options/replica-set-agent-startup-options.yaml
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: my-replica-set-agent-parameters
+spec:
+  members: 3
+  version: 4.4.0-ent
+  type: ReplicaSet
+  opsManager:
+    configMapRef:
+      name: my-project
+  credentials: my-credentials
+  persistent: true
+  # optional. Allows to pass custom flags that will be used
+  # when launching the mongodb agent. All values must be strings
+  # The full list of available settings is at:
+  # https://docs.opsmanager.mongodb.com/current/reference/mongodb-agent-settings/
+  agent:
+    startupOptions:
+      maxLogFiles: "30"
+      dialTimeoutSeconds: "40"
--- a/samples/mongodb/agent-startup-options/sharded-cluster-agent-startup-options.yaml
+++ b/samples/mongodb/agent-startup-options/sharded-cluster-agent-startup-options.yaml
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: my-sharded-cluster-options
+spec:
+  version: 4.4.0-ent
+  type: ShardedCluster
+  opsManager:
+    configMapRef:
+      name: my-project
+  credentials: my-credentials
+  persistent: true
+  shardCount: 2
+  mongodsPerShardCount: 3
+  mongosCount: 2
+  configServerCount: 1
+  mongos:
+    # optional. Allows to pass custom flags that will be used
+    # when launching the mongodb agent for mongos processes.
+    # All values must be string
+    # The full list of available settings is at:
+    # https://docs.opsmanager.mongodb.com/current/reference/mongodb-agent-settings/
+    agent:
+      startupOptions:
+        maxLogFiles: "30"
+  configSrv:
+     # optional. Allows to pass custom flags that will be used
+     # when launching the mongodb agent for Config Server mongod processes.
+     # All values must be string
+     # The full list of available settings is at:
+     # https://docs.opsmanager.mongodb.com/current/reference/mongodb-agent-settings/
+     agent:
+       startupOptions:
+         dialTimeoutSeconds: "40"
+  shard:
+     # optional. Allows to pass custom flags that will be used
+     # when launching the mongodb agent for Shards mongod processes.
+     # All values must be string
+     # The full list of available settings is at:
+     # https://docs.opsmanager.mongodb.com/current/reference/mongodb-agent-settings/
+     agent:
+       startupOptions:
+         serverSelectionTimeoutSeconds: "20"
--- a/samples/mongodb/agent-startup-options/standalone-agent-startup-options.yaml
+++ b/samples/mongodb/agent-startup-options/standalone-agent-startup-options.yaml
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: my-standalone
+spec:
+  version: 4.4.0-ent
+  service: my-service
+  opsManager:
+    configMapRef:
+      name: my-project
+  credentials: my-credentials
+  type: Standalone
+  persistent: true
+  # optional. Allows to pass custom flags that will be used
+  # when launching the mongodb agent. All values must be strings
+  # The full list of available settings is at:
+  # https://docs.opsmanager.mongodb.com/current/reference/mongodb-agent-settings/
+  agent:
+    startupOptions:
+      maxLogFiles: "30"
+      dialTimeoutSeconds: "40"
--- a/samples/mongodb/authentication/ldap/replica-set/replica-set-ldap-user.yaml
+++ b/samples/mongodb/authentication/ldap/replica-set/replica-set-ldap-user.yaml
+---
+apiVersion: mongodb.com/v1
+kind: MongoDBUser
+metadata:
+  name: my-ldap-user
+spec:
+  username: my-ldap-user
+  db: $external
+  mongodbResourceRef:
+    name: my-ldap-enabled-replica-set # The name of the MongoDB resource this user will be added to
+  roles:
+    - db: admin
+      name: clusterAdmin
+    - db: admin
+      name: userAdminAnyDatabase
+    - db: admin
+      name: readWrite
+    - db: admin
+      name: userAdminAnyDatabase
--- a/samples/mongodb/authentication/ldap/replica-set/replica-set-ldap.yaml
+++ b/samples/mongodb/authentication/ldap/replica-set/replica-set-ldap.yaml
+# Creates a MongoDB Replica Set with LDAP Authentication Enabled.
+# LDAP is an Enterprise-only feature.
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: my-ldap-enabled-replica-set
+spec:
+  type: ReplicaSet
+  members: 3
+  version: 4.0.4-ent
+  opsManager:
+    configMapRef:
+      name: my-project
+  credentials: my-credentials
+  security:
+    authentication:
+      enabled: true
+      # Enabled LDAP Authentication Mode
+      modes: ["LDAP"]
+      # LDAP related configuration
+      ldap:
+        # Specify the hostname:port combination of one or
+        # more LDAP servers
+        servers:
+        - "<ldap-server0>"
+        - "<ldap-server1>"
+        # Set to "tls" to use LDAP over TLS. Leave blank if
+        # LDAP server does not accept TLS.
+        transportSecurity: "tls"
+        # ConfigMap containing a CA certificate that validates
+        # the LDAP server's TLS certificate.
+        caConfigMapRef:
+          name: "<configmap-name>"
+          key: "<configmap-entry-key>"
+        # Specify the LDAP Distinguished Name to which
+        # MongoDB binds when connecting to the LDAP server
+        bindQueryUser: "cn=admin,dc=example,dc=org"
+        # Specify the password with which MongoDB binds
+        # when connecting to an LDAP server. This is a
+        # reference to a Secret Kubernetes Object containing
+        # one "password" key.
+        bindQueryPasswordSecretRef:
+          name: "<secret-name>"
--- a/samples/mongodb/authentication/ldap/sharded-cluster/sharded-cluster-ldap-user.yaml
+++ b/samples/mongodb/authentication/ldap/sharded-cluster/sharded-cluster-ldap-user.yaml
+---
+apiVersion: mongodb.com/v1
+kind: MongoDBUser
+metadata:
+  name: my-ldap-user
+spec:
+  username: my-ldap-user
+  db: $external
+  mongodbResourceRef:
+    name: my-ldap-enabled-sharded-cluster # The name of the MongoDB resource this user will be added to
+  roles:
+    - db: admin
+      name: clusterAdmin
+    - db: admin
+      name: userAdminAnyDatabase
+    - db: admin
+      name: readWrite
+    - db: admin
+      name: userAdminAnyDatabase
--- a/samples/mongodb/authentication/ldap/sharded-cluster/sharded-cluster-ldap.yaml
+++ b/samples/mongodb/authentication/ldap/sharded-cluster/sharded-cluster-ldap.yaml
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: my-ldap-enabled-sharded-cluster
+spec:
+  type: ShardedCluster
+  shardCount: 2
+  mongodsPerShardCount: 3
+  mongosCount: 2
+  configServerCount: 3
+  version: 4.0.4-ent
+  opsManager:
+    configMapRef:
+      name: my-project
+  credentials: my-credentials
+  security:
+    authentication:
+      enabled: true
+      # Enabled LDAP Authentication Mode
+      modes: ["LDAP"]
+      # LDAP related configuration
+      ldap:
+        # Specify the hostname:port combination of one or
+        # more LDAP servers
+        servers:
+        - "<ldap-server0>"
+        - "<ldap-server1>"
+        # Set to "tls" to use LDAP over TLS. Leave blank if
+        # LDAP server does not accept TLS.
+        transportSecurity: "tls"
+        # ConfigMap containing a CA certificate that validates
+        # the LDAP server's TLS certificate.
+        caConfigMapRef:
+          name: "<configmap-name>"
+          key: "<configmap-entry-key>"
+        # Specify the LDAP Distinguished Name to which
+        # MongoDB binds when connecting to the LDAP server
+        bindQueryUser: "cn=admin,dc=example,dc=org"
+        # Specify the password with which MongoDB binds
+        # when connecting to an LDAP server. This is a
+        # reference to a Secret Kubernetes Object containing
+        # one "password" key.
+        bindQueryPasswordSecretRef:
+          name: "<secret-name>"
--- a/samples/mongodb/authentication/scram/replica-set/replica-set-scram-password.yaml
+++ b/samples/mongodb/authentication/scram/replica-set/replica-set-scram-password.yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-scram-secret
+type: Opaque
+stringData:
+  password: my-replica-set-password
--- a/samples/mongodb/authentication/scram/replica-set/replica-set-scram-sha.yaml
+++ b/samples/mongodb/authentication/scram/replica-set/replica-set-scram-sha.yaml
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: my-scram-enabled-replica-set
+spec:
+  type: ReplicaSet
+  members: 3
+  # Using a version >= 4.0 will enable SCRAM-SHA-256 authentication
+  # setting a version < 4.0 will enable SCRAM-SHA-1/MONGODB-CR authentication
+  version: 4.0.4-ent
+  opsManager:
+    configMapRef:
+      name: my-project
+  credentials: my-credentials
+  security:
+    authentication:
+      enabled: true
+      modes: ["SCRAM"] # Valid authentication modes are "SCRAM' and "X509"
+      # Optional field - ignoreUnknownUsers
+      # A value of true means that any users not configured via the Operator or the Ops Manager or Cloud Manager UI
+      # will not be altered in any way
+      # If you need to manage MongoDB users directly via the mongods, set this value to true
+      ignoreUnknownUsers: true # default value false
--- a/samples/mongodb/authentication/scram/replica-set/replica-set-scram-user.yaml
+++ b/samples/mongodb/authentication/scram/replica-set/replica-set-scram-user.yaml
+---
+apiVersion: mongodb.com/v1
+kind: MongoDBUser
+metadata:
+  name: my-scram-user
+spec:
+  passwordSecretKeyRef:
+    name: my-scram-secret # the name of the secret that stores this user's password
+    key: password # the key in the secret that stores the password
+  username: my-scram-user
+  db: admin
+  mongodbResourceRef:
+    name: my-scram-enabled-replica-set # The name of the MongoDB resource this user will be added to
+  roles:
+    - db: admin
+      name: clusterAdmin
+    - db: admin
+      name: userAdminAnyDatabase
+    - db: admin
+      name: readWrite
+    - db: admin
+      name: userAdminAnyDatabase
--- a/samples/mongodb/authentication/scram/sharded-cluster/sharded-cluster-scram-password.yaml
+++ b/samples/mongodb/authentication/scram/sharded-cluster/sharded-cluster-scram-password.yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-scram-secret
+type: Opaque
+stringData:
+  password: my-sharded-cluster-password
--- a/samples/mongodb/authentication/scram/sharded-cluster/sharded-cluster-scram-sha.yaml
+++ b/samples/mongodb/authentication/scram/sharded-cluster/sharded-cluster-scram-sha.yaml
+---
+apiVersion: mongodb.com/v1
+kind: MongoDB
+metadata:
+  name: my-scram-enabled-sharded-cluster
+spec:
+  type: ShardedCluster
+  shardCount: 2
+  mongodsPerShardCount: 3
+  mongosCount: 2
+  configServerCount: 3
+  # Using a version >= 4.0 will enable SCRAM-SHA-256 authentication
+  # setting a version < 4.0 will enable SCRAM-SHA-1/MONGODB-CR authentication
+  version: 4.0.4-ent
+  opsManager:
+    configMapRef:
+      name: my-project
+  credentials: my-credentials
+  security:
+    authentication:
+      enabled: true
+      modes: ["SCRAM"] # Valid authentication modes are "SCRAM' and "X509"
+      # Optional field - ignoreUnknownUsers
+      # A value of true means that any users not configured via the Operator or the Ops Manager or Cloud Manager UI
+      # will not be altered in any way
+      # If you need to manage MongoDB users directly via the mongods, set this value to true
+      ignoreUnknownUsers: true # default value false