(DOCSP-24201): Move Production Notes to other parts of the documentation (#1432)

* Move prod notes to considerations and create security section

* copy review feedback

* Update considerations page order

* copy review {cont.)

* tech review feedback

Author: davidhou17

config/redirects

@@ -109,3 +109,7 @@ raw: docs/kubernetes-operator/release-notes -> ${base}/stable/release-notes/
 
 [*-v1.18]: docs/kubernetes-operator/${version}/openshift-tutorials -> ${base}/
 [*-v1.18]: docs/kubernetes-operator/${version}/restricted-network-tutorial -> ${base}/
+
+# Add redirect for production notes refactor
+
+[v1.19-*]: docs/kubernetes-operator/${version}/reference/production-notes -> ${base}/stable/tutorial/plan-k8s-op-considerations

source/authentication.txt

@@ -0,0 +1,83 @@
+.. _k8s-authentication:
+
+=====================
+Enable Authentication
+=====================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+The |k8s-op-short| supports :ref:`X.509 <create-x509-certs>`, LDAP,
+and :ref:`SCRAM <add-db-user-scram>` user authentication.
+
+.. note::
+   For LDAP configuration, see the
+   :setting:`spec.security.authentication.ldap.automationLdapGroupDN`
+   setting.
+   
+You must create an additional |k8s-crd| for your
+MongoDB users and the {+mdbagent+} instances.
+The |k8s-op-short| generates and distributes the certificate.
+
+See the full X.509 certificates configuration examples in the
+:github:`x509 Authentication
+</mongodb/mongodb-enterprise-kubernetes/tree/master/samples/mongodb/authentication/x509>` directory in
+the :github:`Authentication </mongodb/mongodb-enterprise-kubernetes/tree/master/samples/mongodb/authentication>`
+samples directory. This directory also contains sample LDAP and SCRAM configurations.
+
+Example Deployment CRD
+----------------------
+
+.. code-block:: yaml
+   :copyable: false
+   :emphasize-lines: 14-17
+   :linenos:
+
+   apiVersion: mongodb.com/v1
+   kind: MongoDB
+   metadata:
+     name: my-tls-enabled-rs
+   spec:
+     type: ReplicaSet
+     members: 3
+     version: "4.0.4-ent"
+     project: my-project
+     credentials: my-credentials
+     security:
+       tls:
+         enabled: true
+       authentication:
+         enabled: true
+         modes: ["X509"]
+         internalCluster: "X509"
+
+Example User CRD
+----------------
+
+.. code-block:: yaml
+   :copyable: false
+   :linenos:
+
+   apiVersion: mongodb.com/v1
+   kind: MongoDBUser
+   metadata:
+     name: user-with-roles
+   spec:
+     username: "CN=mms-user-1,OU=cloud,O=MongoDB,L=New York,ST=New York,C=US"
+     db: "$external"
+     project: my-project
+     roles:
+       - db: "admin"
+         name: "clusterAdmin"
+
+.. seealso::
+
+   - :ref:`mongodbuser-specification`
+   - :setting:`spec.security.authentication.ldap.automationLdapGroupDN`
+   - :ref:`Manage Database Users Using X.509 Authentication <create-x509-certs>`
+   - :ref:`Manage Database Users Using SCRAM Authentication <add-db-user-scram>`

source/encryption.txt

@@ -0,0 +1,80 @@
+.. _k8s-encryption:
+
+====================
+Configure Encryption
+====================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+Enable HTTPS
+------------
+
+The |k8s-op-short| supports configuring |onprem| to run over 
+:ref:`HTTPS <config-https>`.
+
+Enable |https| before deploying your |onprem| resources to avoid a situation 
+where the |k8s-op-short| reports your resources' status as ``Failed``.
+
+.. seealso::
+   
+   - :ref:`https-enablement-issues`
+
+Enable TLS
+----------
+
+The |k8s-op-short| supports |tls| encryption.
+Use |tls| with your MongoDB deployment to encrypt your data over
+the network.
+
+The configuration in the following example enables |tls| for the replica
+set. When |tls| is enabled, all traffic between members of the replica
+set and clients is encrypted using |tls| certificates.
+
+To learn more about securing your MongoDB deployments using |tls|, see 
+:ref:`secure-tls`.
+
+The default |tls| mode is ``requireTLS``. You can customize it using the
+:setting:`spec.additionalMongodConfig.net.ssl.mode` configuration
+parameter, as shown in the following abbreviated example.
+
+.. code-block:: yaml
+   :copyable: false
+   :emphasize-lines: 15-18,21-24
+   :linenos:
+   
+   apiVersion: mongodb.com/v1
+   kind: MongoDB
+   metadata:
+   name: my-tls-enabled-rs
+   spec:
+     type: ReplicaSet
+     members: 3
+     version: 4.4.0-ent
+
+    opsManager:
+      configMapRef:
+        name: my-project
+    credentials: my-credentials
+
+    security:
+      tls:
+        enabled: true
+        ca: <custom-ca>
+
+    ...
+    additionalMongodConfig:
+      net:
+        ssl:
+         mode: "preferSSL"
+
+See the full |tls| configuration example in
+:github:`replica-set.yaml </mongodb/mongodb-enterprise-kubernetes/tree/master/samples/mongodb/tls/replica-set>`
+in the :github:`TLS </mongodb/mongodb-enterprise-kubernetes/tree/master/samples/mongodb/tls>`
+samples directory. This directory also contains sample |tls| configurations for
+sharded clusters and standalone deployments.

source/includes/facts/fact-readiness-probe-override.rst

@@ -0,0 +1,27 @@
+If you create custom services that require external access to MongoDB custom
+resources deployed by the |k8s-op-short| and use readiness probes
+in |k8s|, set the ``publishNotReadyAddresses`` setting in |k8s| to ``true``.
+
+The ``publishNotReadyAddresses`` setting indicates that an agent that
+interacts with endpoints for this service should disregard the service's
+:k8sdocs:`ready </concepts/services-networking/endpoint-slices/#ready>`
+state. Setting ``publishNotReadyAddresses`` to ``true`` overrides the
+behavior of the readiness probe configured for the Pod hosting your service.
+
+By default, the ``publishNotReadyAddresses`` setting is set to ``false``.
+In this case, when the Pods that host the MongoDB custom resources in the
+|k8s-op-short| lose connectivity to |cloud-short| or |onprem|, the
+readiness probes configured for these Pods fail.
+However, when you set the  ``publishNotReadyAddresses`` setting to ``true``:
+
+- |k8s| does not shut down the service whose readiness probe fails.
+- |k8s| considers all endpoints as :k8sdocs:`ready </concepts/services-networking/endpoint-slices/#ready>`
+  even if the probes for the Pods hosting the services for these endpoints
+  indicate that they aren't ready.
+- MongoDB custom resources are still available for read and write operations.
+
+.. seealso::
+   
+   - |k8s-api-ref| and search for ``publishNotReadyAddresses``
+   - :k8sdocs:`DNS for Services in Pods </concepts/services-networking/dns-pod-service/>`
+   - :k8sdocs:`Configure Readiness Probes </tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes>`

source/includes/list-tables/default-k8s-object-permissions.rst

@@ -3,7 +3,7 @@
    :header-rows: 1
 
    * - Kubernetes Resources
-     - Verbs
+     - API Verbs
 
    * - Configmaps
      - Require the following permissions:

source/index.txt

@@ -52,6 +52,7 @@ optimal performance.
       Quick Start </kind-quick-start>
       OpenShift Tutorials </openshift-tutorials>
       Kubernetes Operator Architecture </tutorial/plan-k8s-op-architecture>
+      Security </security>
       Install the Operator </installation>
       Deploy Ops Manager Resources </om-resources>
       Deploy MongoDB Database Resources </mdb-resources>
@@ -60,7 +61,6 @@ optimal performance.
       /reference
       FAQ </faq.txt>
       Release Notes </release-notes>
-      Production Notes </reference/production-notes>
       /reference/troubleshooting
       Known Issues </reference/known-issues>
       MongoDB Community Kubernetes Operator <https://github.com/mongodb/mongodb-kubernetes-operator>

source/opa-gatekeeper.txt

@@ -0,0 +1,110 @@
+
+.. _OPA-gatekeeper:
+.. _k8s-gatekeeper:
+
+=============================
+Apply OPA Gatekeeper Policies
+=============================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+To control, audit, and debug your production deployments, you can use policies
+for the `Gatekeeper <https://github.com/open-policy-agent/gatekeeper>`__
+Open Policy Agent (OPA). Gatekeeper contains |k8s-crds| for creating and extending
+deployment constraints through the
+:gatekeeper:`constraint templates </constrainttemplates/>`.
+
+Control Your Deployments with Gatekeeper Policies
+-------------------------------------------------
+
+The |k8s-op-short| offers a :ref:`list of Gatekeeper policies <gatekeeper-policies-list>`
+that you can customize and apply to your deployments.
+
+Each Gatekeeper policy consists of:
+
+- ``<policy_name>.yaml`` file
+- ``constraints.yaml`` file that is based on the :gatekeeper:`constraint template </constrainttemplates/>`
+
+You can use binary and configurable Gatekeeper policies:
+
+- Binary policies allow or prevent specific configurations, such as
+  preventing deployments that don't use TLS, or deploying only specific
+  MongoDB or |onprem| versions.
+
+- Configurable policies allow you to specify configurations, such as the
+  total number of replica sets that will be deployed for a specific
+  MongoDB or |onprem| custom resource.
+
+To use and apply Gatekeeper sample policies with the |k8s-op-short|:
+
+1. :gatekeeper:`Install the OPA Gatekeeper </install/>` on your Kubernetes cluster.
+
+2. Review the list of available constraint templates and constraints:
+
+   .. code-block:: sh
+      
+      kubectl get constrainttemplates
+      kubectl get constraints
+
+3. Navigate to the policy directory, select a policy from the list and
+   apply it and its constraints file:
+
+   .. code-block:: sh
+
+      cd <policy_directory>
+      kubectl apply -f <policy_name>.yaml
+      kubectl apply -f constraints.yaml
+
+4. Review the Gatekeeper policies that are currently applied:
+
+   .. code-block:: sh
+
+      kubectl get constrainttemplates
+      kubectl get contstraints
+
+.. _gatekeeper-policies-list:
+
+List of Sample OPA Gatekeeper Policies
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The |k8s-op-short| offers the following sample policies in this
+:github:`OPA examples </mongodb/mongodb-enterprise-kubernetes/tree/master/opa_examples>`
+GitHub directory:
+
+.. list-table::
+   :widths: 40 60
+   :header-rows: 1
+
+   * - Location
+     - Policy Description
+
+   * - :github:`Debugging </mongodb/mongodb-enterprise-kubernetes/tree/master/opa_examples/debugging>`
+     - Blocks all MongoDB and |onprem| resources. This allows you to use
+       the log output to craft your own policies. To learn more, see
+       :gatekeeper:`Gatekeeper Debugging </debug/>`.
+
+   * - :github:`mongodb_allow_replicaset </mongodb/mongodb-enterprise-kubernetes/tree/master/opa_examples/mongodb_allow_replicaset>`
+     - Allows deploying only replica sets for MongoDB resources and
+       prevents deploying sharded clusters.
+
+   * - :github:`mongodb_allowed_versions </mongodb/mongodb-enterprise-kubernetes/tree/master/opa_examples/mongodb_allowed_versions>`
+     - Allows deploying only specific MongoDB versions.
+
+   * - :github:`ops_manager_allowed_versions </mongodb-enterprise-kubernetes/tree/master/opa_examples/ops_manager_allowed_versions>`
+     - Allows deploying only specific |onprem| versions.
+
+   * - :github:`mongodb_strict_tls </10gen/mongodb-enterprise-kubernetes/tree/master/opa_examples/mongodb_strict_tls>`
+     - Allows using strict TLS mode for MongoDB deployments.
+
+   * - :github:`ops_manager_replica_members </10gen/mongodb-enterprise-kubernetes/tree/master/opa_examples/ops_manager_replica_members>`
+     - Allows deploying a specified number of |onprem| replica set and
+       Application Database members.
+
+   * - :github:`ops_manager_wizardless </10gen/mongodb-enterprise-kubernetes/tree/master/opa_examples/ops_manager_wizardless>`
+     - Allows installing |onprem| in a non-interactive mode.

source/permissions.txt

@@ -0,0 +1,27 @@
+.. _k8s-permissions:
+
+==================
+Verify Permissions
+==================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+Objects in the |k8s-op-short| configuration use
+default permissions. These are the minimum
+permissions for the |k8s-op-short| to deploy and manage |onprem|
+and MongoDB resources in a |k8s| cluster.
+
+Default Permissions for Kubernetes Operator Objects
+---------------------------------------------------
+
+Use the following chart to verify that the
+objects in your |k8s-op-short| configuration have access to the
+required |k8s| :k8sdocs:`API verbs </reference/using-api/api-concepts/#api-verbs>`:
+
+.. include:: /includes/list-tables/default-k8s-object-permissions.rst