DOCSP-22213: Document TLS migration in operator (#924)

Author: jwilliams-mongo

conf.py

@@ -245,6 +245,7 @@
     'wikipedia' : ('https://en.wikipedia.org/wiki%s', ''),
     'k8sdocs': ('https://kubernetes.io/docs%s', ''),
     'v1.2': ('https://www.mongodb.com/docs/kubernetes-operator/v1.2%s', ''),
+    'v1.13': ('https://www.mongodb.com/docs/kubernetes-operator/v1.13%s', ''),
     'github' : ('https://github.com%s', ''),
     'github-raw' : ('https://raw.githubusercontent.com%s', ''),
     'mdb-github' : ('https://mongodb.github.io%s', ''),

source/includes/steps-migrate-to-new-tls-format.yaml

@@ -0,0 +1,88 @@
+---
+title: "Upgrade |k8s-op-short| to its latest version."
+level: 4
+ref: upgrade-to-latest
+content: |
+  To learn how to upgrade the |k8s-op-short|, see 
+  :ref:`upgrade-k8s-operator`.
+
+---
+title: "Wait for the |k8s-op-short| Pods to reach a ``READY`` state."
+level: 4
+ref: wait-for-ready-resources
+content: |
+
+  Use the following command to get the status of the Pods in your
+  cluster:
+  
+  .. code-block:: sh
+
+     kubectl get pods -n <namespace> -w
+
+  Inspect the response. In the ``READY`` column for your |k8s-op-short|
+  Pod, ensure that the value in this column shows that all Pods are 
+  ready. In the following sample output, the single |k8s-op-short| Pod 
+  is ready.
+
+  .. code-block:: sh
+     :copyable: false
+     :emphasize-lines: 2
+
+     NAME                                          READY   STATUS    RESTARTS   AGE
+     mongodb-enterprise-operator-d7d5d9b7c-p4xl4   1/1     Running   0     7m39s
+     
+  When all |k8s-op-short| Pods are ``READY``, proceed to the next step.
+
+---
+title: "Create new |tls| secrets that contain your existing certificates."
+level: 4
+ref: create-new-tls-secrets
+content: |
+  Using the certificates stored in your existing secrets, create one new
+  secret for each component that you want to secure using |tls|.
+
+  For more information, see the prerequisites in the |k8s-op-short|
+  |tls| tutorials:
+
+  - :ref:`secure-om-db-tls` for Application Database resources
+  - :ref:`deploy-om-container` for |onprem| resources
+  - :ref:`k8s-secure-resources` for database resources
+
+---
+title: "Update your CRDs to use the new |tls| secret fields."
+level: 4
+ref: update-crds
+content: |
+
+  In each of the resources that you secure with |tls|, update the
+  following fields, as appropriate, to reference the new |tls| secrets
+  you created in the previous step:
+
+  - Application Database |tls| secrets: :opsmgrkube:`applicationDatabase.security.certsSecretPrefix`
+  - |onprem| |tls| secrets: :opsmgrkube:`security.certsSecretPrefix`
+  - Database resource |tls| secrets: :setting:`security.security.certsSecretPrefix`
+  
+---
+title: "Replace the CRDs in your |k8s| cluster."
+level: 4
+ref: apply-crds
+content: |
+  For each CRD you updated, run the following command to apply your
+  changes to the |k8s| cluster:
+
+  .. code-block:: sh
+
+     kubectl replace -f <resource-crd>.yaml
+
+---
+title: "Re-enable internal cluster authentication and X.509 authentication."
+level: 4
+optional: true
+ref: enable-internal-auth-x509
+content: |
+
+  When all of the resources you updated reach a ``READY`` state, you can
+  re-enable internal cluster authentication and X.509 authentication if
+  you disabled it to migrate your |tls| secrets.
+
+...

source/tutorial/migrate-to-new-tls-format.txt

@@ -0,0 +1,85 @@
+.. _migrate-to-new-tls-format:
+
+===================================================
+Upgrade from |k8s-op-short| 1.12 with |tls| Enabled
+===================================================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. include:: /includes/styles/corrections.rst
+
+|k8s-op| 1.13 :v1.13:`introduced several changes 
+</release-notes/#k8s-op-short>` to how it handles |tls| secrets for 
+|onprem| and database deployments.
+
+If you installed |k8s-op-short| 1.12 or earlier and you secure access to
+your resources using |tls|, complete this task to upgrade to the latest
+|k8s-op-short| version and migrate your opaque |tls| secrets to 
+:k8sdocs:`kubernetes.io/tls 
+</concepts/configuration/secret/#tls-secrets>` type secrets without
+re-creating your MongoDB resources and incurring downtime.
+
+Considerations
+--------------
+
+|k8s-op-short| can migrate your |tls| secrets when you
+upgrade from 1.12 or earlier to the latest version for as long as 1.12
+is supported. After |k8s-op-short| 1.12 reaches End of Life (EOL), you 
+might not be able to migrate your |tls| secrets automatically when you 
+upgrade.
+
+Limitations
+-----------
+
+|k8s-op-short| doesn't migrate the following |tls| secret 
+types: 
+
+- |tls| secrets that contain X.509 certificates for internal 
+  server authentication
+- |tls| secrets that contain {+mdbagent+} X.509 certificates
+
+You must manually migrate these types of |tls| secrets from opaque to
+:k8sdocs:`kubernetes.io/tls 
+</concepts/configuration/secret/#tls-secrets>` type secrets by creating
+new secrets that contain the relevant certificates and signing keys. To
+learn how to create these secrets, see the following resources:
+
+- :ref:`secure-tls`
+- :ref:`secure-internal-auth`
+
+Prerequisites
+-------------
+
+- Before you migrate your |tls| secrets and upgrade |k8s-op-short|, your
+  CRDs must use the following fields to describe your |tls| secrets:
+
+  - Application Database |tls| secrets: :opsmgrkube:`applicationDatabase.security.tls.secretRef.prefix`
+  - |onprem| |tls| secrets: :opsmgrkube:`security.tls.secretRef.prefix`
+  - Database resource |tls| secrets: :setting:`security.tls.secretRef.prefix`
+
+  If your CRDs use any of the following fields to describe your |tls| 
+  secrets, you must first update your CRDs to use the fields listed
+  above instead:
+
+  -  Application Database |tls| secrets:
+     ``spec.applicationDatabase.security.tls.secretRef.name``
+  - |onprem| |tls| secrets: ``spec.security.tls.secretRef.name``
+  - Database resource |tls| secrets: ``spec.security.tls.secretRef.name``
+
+- You must disable internal cluster and X.509 authentication before you 
+  upgrade |k8s-op-short| to its latest
+  version.
+
+  When the upgrade is complete, you can re-enable internal cluster and
+  X.509 authentication.
+
+Procedure
+---------
+
+.. include::  /includes/steps/migrate-to-new-tls-format.rst

source/upgrade.txt

@@ -20,10 +20,16 @@ Upgrade the |k8s-op-short| from Prior Versions
 :ref:`migrate-to-ent-appdb-version`
   Migrate the Application Database to the latest MongoDB version.
 
+:ref:`migrate-to-new-tls-format`
+  Migrate opaque |tls| secrets from |k8s-op-short| 1.12 or earlier to 
+  secrets of the :k8sdocs:`kubernetes.io/tls
+  </concepts/configuration/secret/#tls-secrets>` type.
+
 .. class:: hidden
 
    .. toctree::
       :titlesonly:
 
       /tutorial/upgrade-k8s-operator
       /tutorial/migrate-to-ent-appdb-version
+      /tutorial/migrate-to-new-tls-format