(DOCSP-7790): OM Containerization Beta - SCRAM-SHA (#136)

melissamahoney-mongodb · jwilliams-mongo · commit 9786683e000b · 2025-04-14T17:11:14.000-05:00
* (DOCSP-7790): OM Containerization Beta - SCRAM-SHA * (DOCSP-7790): Copy review * (DOCSP-7790): Tech review * (DOCSP-7790): Tech review 2
diff --git a/source/includes/steps-deploy-k8s-opsmgr.yaml b/source/includes/steps-deploy-k8s-opsmgr.yaml
@@ -148,8 +148,8 @@ content: |
   You can add any of the following optional settings to the
   |k8s-obj| specification file for an |onprem| deployment:
 
-  - :opsmgrkube:`spec.clusterName`
-  - :opsmgrkube:`spec.configuration`
+  - ``spec.``:opsmgrkube:`~spec.clusterName`
+  - ``spec.``:opsmgrkube:`~spec.configuration`
   - ``spec.applicationDatabase.``:setting:`~spec.logLevel`
   - ``spec.applicationDatabase.``:setting:`~spec.featureCompatibilityVersion`
   - ``spec.applicationDatabase.podSpec.``:setting:`~spec.podSpec.cpu`
@@ -163,6 +163,8 @@ content: |
   - ``spec.applicationDatabase.podSpec.``:setting:`~spec.podSpec.podAffinity`
   - ``spec.applicationDatabase.podSpec.``:setting:`~spec.podSpec.podAntiAffinityTopologyKey`
   - ``spec.applicationDatabase.podSpec.``:setting:`~spec.podSpec.nodeAffinity`
+  - ``spec.applicationDatabase.passwordSecretKeyRef.``:opsmgrkube:`~spec.applicationDatabase.passwordSecretKeyRef.name`
+  - ``spec.applicationDatabase.passwordSecretKeyRef.``:opsmgrkube:`~spec.applicationDatabase.passwordSecretKeyRef.key`
 
 ---
 title: "Save this file with a ``.yaml`` file extension."
diff --git a/source/reference/k8s-operator-om-specification.txt b/source/reference/k8s-operator-om-specification.txt
@@ -1,8 +1,8 @@
 .. _k8s-om-specification:
 
-================================
-Ops Manager Object Specification
-================================
+==================================
+Ops Manager Resource Specification
+==================================
 
 .. default-domain:: mongodb
 
@@ -155,3 +155,23 @@ Optional |onprem| Resource Settings
    See :opsmgr:`Ops Manager Configuration Settings
    </reference/configuration/>` for property names and descriptions.
 
+.. opsmgrkube:: spec.applicationDatabase.passwordSecretKeyRef.name
+
+   *Type*: string
+
+   Name of the :ref:`secret <om-db-user-secret>` that contains the
+   password for the |onprem| database user ``mongodb-ops-manager``.
+   |onprem| uses this password to :ref:`authenticate to the Application
+   Database <app-db-auth>`.
+   
+
+.. opsmgrkube:: spec.applicationDatabase.passwordSecretKeyRef.key
+
+   *Type*: string
+
+   Name of the field in the :ref:`secret <om-db-user-secret>` that
+   contains the password for the |onprem| database user
+   ``mongodb-ops-manager``. |onprem| uses this password to
+   :ref:`authenticate to the Application Database <app-db-auth>`.
+
+   The default value is ``password``.
diff --git a/source/reference/k8s/example-ops-manager.yaml b/source/reference/k8s/example-ops-manager.yaml
@@ -11,6 +11,9 @@ spec:
    mms.security.allowCORS: "false"   
 
  applicationDatabase:
+   passwordSecretKeyRef:
+    name: om-db-user-secret
+    key: password
    members: 3
    version: 4.0.7
    persistent: true
diff --git a/source/tutorial/deploy-om-container.txt b/source/tutorial/deploy-om-container.txt
@@ -29,8 +29,10 @@ To deploy an |onprem| resource you must:
 
 1. :doc:`Install </tutorial/install-k8s-operator>` the |k8s-op| 1.3.0
    or newer.
+
 #. Ensure that the host on which you want to deploy |onprem| has a
    minimum of five gigabytes of memory.
+
 #. Create a |k8s| |k8s-secret| for an admin user in the same |k8s-ns| as
    the |onprem| resource.
 
@@ -49,6 +51,38 @@ To deploy an |onprem| resource you must:
         --from-literal=LastName="<lastname>"
         -n <namespace>
 
+.. _om-db-user-secret:
+
+4. (*Optional*) To set the password for the |onprem| database user, 
+   create a |k8s-secret| in the same |k8s-ns| as the |onprem| resource. 
+   
+   The |k8s-op-short| creates the database user that |onprem| uses to
+   connect to the :ref:`mms-application-database`. You can set the
+   password for this database user by invoking the following command to
+   create a secret:
+   
+   .. code-block:: sh
+
+      kubectl create secret generic <om-db-user-secret-name>
+        --from-literal=password="<om-db-user-password>"
+        -n <namespace>
+
+   .. note::
+      
+      If you choose to create a secret for the |onprem| database user,
+      you must specify the secret's
+      :opsmgrkube:`~spec.applicationDatabase.passwordSecretKeyRef.name`
+      in the |onprem| resource definition. By default, the
+      |k8s-op-short| looks for the password value in the ``password``
+      key. If you stored the password value in a different key, you
+      must also specify that
+      :opsmgrkube:`~spec.applicationDatabase.passwordSecretKeyRef.key`
+      name in the |onprem| resource definition.
+
+   If you don't create a secret, then the |k8s-op-short| automatically
+   generates a password and stores it internally. For more information,
+   see :ref:`app-db-auth`.
+
 Considerations
 --------------
 
@@ -68,8 +102,8 @@ the |k8s-op-short| reuses the secret. If you create an |onprem| resource
 with a different name, then |k8s-op-short| creates a new secret and
 Application Database, and the old secret isn't reused. 
 
-Application Database Replica Set
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Application Database Topology
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 When you create an instance of |onprem| through the |k8s-op-short|, the
 :ref:`mms-application-database` is deployed as a :term:`replica set`.
@@ -79,6 +113,44 @@ have concerns about performance or size requirements for the Application
 Database, contact `MongoDB Support
 <https://support.mongodb.com/welcome>`__.  
 
+.. _app-db-auth:
+
+Application Database Authentication
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The |k8s-op-short| enforces ``SCRAM-SHA-1``
+:manual:`authentication </core/security-scram/#scram-mechanisms>` on the
+Application Database. 
+
+The |k8s-op-short| creates the database user which |onprem| uses to
+connect to the Application Database. This database user has the
+following attributes:
+
+.. list-table::
+   :widths: 30 70
+   :stub-columns: 1
+
+   * - Username
+     - ``mongodb-ops-manager``
+
+   * - Authentication Database
+     - ``admin``
+  
+   * - Roles
+     - | :authrole:`readWriteAnyDatabase`
+       | :authrole:`dbAdminAnyDatabase`
+       | :authrole:`clusterMonitor`
+
+The |onprem| database user's name and roles cannot be modified. However,
+you can set the database user's password by :ref:`creating a
+secret <om-db-user-secret>` and can later update the password by editing
+that secret. If you don't create a secret, or if you delete a previously
+created secret, then the |k8s-op-short| automatically generates a password and stores it internally.
+
+If you need to authenticate to the Application Database as a
+different user, you must first deploy the |onprem| resource and then
+manually :manual:`add a new user </reference/method/db.createUser/>` to the database.
+
 Procedure
 ---------
 
