(DOCSP-9541), (DOCSP-9518): Operator: validate the AppDB configuratio… (#223)

jwilliams-mongo · jwilliams-mongo · commit 3235ab8cebb7 · 2025-04-14T17:11:15.000-05:00
* (DOCSP-9541), (DOCSP-9518): Operator: validate the AppDB configuration and Changes to webhook section * (DOCSP-9541): copy review feedback * (DOCSP-9541), (DOCSP-9518): tech review feedback
diff --git a/source/reference/k8s-operator-om-specification.txt b/source/reference/k8s-operator-om-specification.txt
@@ -133,15 +133,6 @@ Optional |onprem| Resource Settings
    - ``spec.applicationDatabase.podSpec.``:setting:`~spec.podSpec.nodeAffinity`
    - :opsmgrkube:`spec.applicationDatabase.version`
 
-   Do not use the following settings from the
-   :ref:`replica set <replica-set-settings>` resource specification:
-
-   - :setting:`spec.additionalMongodConfig.net.ssl.mode`
-   - :setting:`spec.security.authentication.internalCluster`
-   - :setting:`spec.security.tls.enabled`
-   - :setting:`spec.opsManager.configMapRef.name`
-   - :setting:`spec.credentials`
-
 .. opsmgrkube:: spec.applicationDatabase.passwordSecretKeyRef.name
 
    *Type*: string
diff --git a/source/tutorial/plan-k8s-operator-install.txt b/source/tutorial/plan-k8s-operator-install.txt
@@ -67,26 +67,34 @@ Validation Webhook
 ~~~~~~~~~~~~~~~~~~
 
 The |k8s-op-short| uses a webhook to prevent users from applying invalid
-resource definitions. The webhook rejects creating and updating replica
-sets in the following scenarios:
-
-- :setting:`spec.connectivity.replicaSetHorizons` is set, but
-  :setting:`spec.security.tls.enabled` is ``false`` or not set
-- :setting:`spec.connectivity.replicaSetHorizons` has a number of
-  horizons configured that is not equal to the number of members set in
-  :setting:`spec.members` 
-  
-The webhook rejects these requests immediately and the |k8s-op-short|
-doesn't create or update the resource.
+resource definitions. The webhook rejects these requests immediately and
+the |k8s-op-short| doesn't create or update the resource.
 
 The ``ClusterRole`` and ``ClusterRoleBinding`` for the webhook are
 included in the default configuration files that you apply during
 installation. To create the role and binding, you must have
 :k8sdocs:`cluster-admin privileges
-</reference/access-authn-authz/rbac/#user-facing-roles>` . If you have
-insufficient privileges or if you choose to remove the role and binding
-from the default configuration, the |k8s-op-short| produces error logs
-and continues to function normally, but without validation rejections.
+</reference/access-authn-authz/rbac/#user-facing-roles>`.
+
+If you apply an invalid resource definition, the webhook returns 
+a message that describes the error to the shell:
+
+.. code-block:: none
+
+   Error from server (shardPodSpec field is not configurable for
+   application databases as it is for sharded clusters and appdbs are
+   replica sets): error when creating "my-ops-manager.yaml":
+   admission webhook "ompolicy.mongodb.com" denied the request:
+   shardPodSpec field is not configurable for application databases as
+   it is for sharded clusters and appdbs are replica sets
+
+The validation webhook is not required to create or update resources. If 
+you omit the validation webhook, remove its role and binding from the
+default configuration, or have insufficient privileges to run it, the 
+|k8s-op-short| performs the same validations when it reconciles each 
+resource. The |k8s-op-short| marks resources as ``Failed`` if validation
+encounters a critical error. For non-critical errors, the |k8s-op-short|
+issues warnings.
 
 .. _k8s-deployment-scopes:
 
