(DOCSP-20622): deprecate old TLS settings (#826)

Author: jwilliams-mongo

source/includes/admonitions/deprecate-secret-ref-name.rst

@@ -5,8 +5,7 @@
    and :opsmgrkube:`spec.security.tls.secretRef.name`
    settings are deprecated.
 
-   These fields will remain in future releases to maintain backwards
-   compatibility.
+   These fields will be removed in a future release.
 
    If you omit these settings,
    the |k8s-op-short| expects the secrets that contain your

source/includes/code-examples/yaml-files/example-replica-set.yaml

@@ -410,10 +410,8 @@ spec:
   persistent: true
   security:
     tls:
-      enabled: true
       ca: <custom-ca>
-      secretRef:
-        prefix: <prefix>
+    certsSecretPrefix: <prefix>
 ...
 END-tls-replset-full-custom
 
@@ -438,10 +436,8 @@ END-tls-replset-upper-custom
 START-tls-replset-lower-custom
   security:
     tls:
-      enabled: true
       ca: <custom-ca>
-      secretRef:
-        prefix: <prefix>
+    certsSecretPrefix: <prefix>
 ...
 END-tls-replset-lower-custom
 
@@ -463,10 +459,8 @@ spec:
   persistent: true
   security:
     tls:
-      enabled: true
       ca: <custom-ca>
-      secretRef:
-        prefix: <prefix>
+    certsSecretPrefix: <prefix>
     authentication:
       enabled: true
       modes: ["X509"]
@@ -494,10 +488,8 @@ END-x509-client-replset-upper-custom
 START-x509-client-replset-lower-custom
   security:
     tls:
-      enabled: true
       ca: <custom-ca>
-      secretRef:
-        prefix: <prefix>
+    certsSecretPrefix: <prefix>
     authentication:
       enabled: true
       modes: ["X509"]
@@ -522,10 +514,8 @@ spec:
   persistent: true
   security:
     tls:
-      enabled: true
       ca: <custom-ca>
-      secretRef:
-        prefix: <prefix>
+    certsSecretPrefix: <prefix>
     authentication:
       enabled: true
       modes: ["X509"]
@@ -554,10 +544,8 @@ END-x509-internal-replset-upper-custom
 START-x509-internal-replset-lower-custom
   security:
     tls:
-      enabled: true
       ca: <custom-ca>
-      secretRef:
-        prefix: <prefix>
+    certsSecretPrefix: <prefix>
     authentication:
       enabled: true
       modes: ["X509"]

source/includes/code-examples/yaml-files/example-sharded-cluster.yaml

@@ -293,10 +293,8 @@ spec:
   persistent: true
   security:
     tls:
-      enabled: true
       ca: <custom-ca>
-      secretRef:
-        prefix: <prefix>
+    certsSecretPrefix: <prefix>
 ...
 END-tls-sharded-full-custom
 
@@ -324,10 +322,8 @@ END-tls-sharded-upper-custom
 START-tls-sharded-lower-custom
   security:
     tls:
-      enabled: true
       ca: <custom-ca>
-      secretRef:
-        prefix: <prefix>
+    certsSecretPrefix: <prefix>
 ...
 END-tls-sharded-lower-custom
 
@@ -352,10 +348,8 @@ spec:
   persistent: true
   security:
     tls:
-      enabled: true
       ca: <custom-ca>
-      secretRef:
-        prefix: <prefix>
+    certsSecretPrefix: <prefix>
     authentication:
       enabled: true
       modes: ["X509"]
@@ -386,10 +380,8 @@ END-x509-client-sharded-upper-custom
 START-x509-client-sharded-lower-custom
   security:
     tls:
-      enabled: true
       ca: <custom-ca>
-      secretRef:
-        prefix: <prefix>
+    certsSecretPrefix: <prefix>
     authentication:
       enabled: true
       modes: ["X509"]
@@ -417,10 +409,8 @@ spec:
   persistent: true
   security:
     tls:
-      enabled: true
       ca: <custom-ca>
-      secretRef:
-        prefix: <prefix>
+    certsSecretPrefix: <prefix>
     authentication:
       enabled: true
       modes: ["X509"]
@@ -452,10 +442,8 @@ END-x509-internal-sharded-upper-custom
 START-x509-internal-sharded-lower-custom
   security:
     tls:
-      enabled: true
       ca: <custom-ca>
-      secretRef:
-        prefix: <prefix>
+    certsSecretPrefix: <prefix>
     authentication:
       enabled: true
       modes: ["X509"]

source/includes/list-tables/resource-keys-external-access-sharded.rst

@@ -16,17 +16,6 @@
        :k8sdocs:`NodePort service </concepts/services-networking/service/#nodeport>`.
      - ``true``
 
-   * - | ``spec.security``
-       | :setting:`.tls.enabled<spec.security.tls.enabled>`
-     - boolean
-     - Optional
-     - If this value is ``true``, |tls| is enabled on the MongoDB
-       deployment.
-
-       By default, |k8s-op-short| requires hosts to use and
-       accept |tls| encrypted connections.
-     - ``true``
-
    * - | ``spec.security.tls``
        | :setting:`.additionalCertificateDomains<spec.security.tls.additionalCertificateDomains>`
      - collection
@@ -37,3 +26,11 @@
        certificate includes a |san-dns| in the form ``<pod
        name>.<additional cert domain>``.
      - ``true``
+
+   * - | ``spec.security``
+       | :setting:`.certsSecretPrefix<spec.security.certsSecretPrefix>`
+     - string
+     - Required
+     - Add the ``<prefix>`` of the secret 
+       name that contains your MongoDB deployment's |tls| certificates.
+     - ``devDb``

source/includes/list-tables/resource-keys-split-horizons.rst

@@ -8,22 +8,6 @@
      - Description
      - Example
 
-   * - | ``spec.security.tls``
-       | :setting:`.enabled<spec.security.tls.enabled>`
-     - boolean
-     - Optional
-     - Set this value to ``true`` to enable |tls| on the MongoDB
-       deployment.
-
-       By default, |k8s-op-short| requires hosts to use and accept
-       |tls| encrypted connections.
-
-       .. note::
-
-          To connect to a replica set from outside |k8s|, set this
-          value to ``true``.
-     - ``true``
-
    * - | ``spec.connectivity``
        | :setting:`.replicaSetHorizons<spec.connectivity.replicaSetHorizons>`
      - collection
@@ -45,7 +29,16 @@
           - Make sure that the number of entries in this array matches
             the value given in :setting:`spec.members`.
 
-          - Set the :setting:`spec.security.tls.enabled` to ``true`` to
-            enable |tls|. This method to use split horizons requires
-            the Server Name Indication extension of the |tls| protocol.
+          - Provide a value for the
+            :setting:`spec.security.certsSecretPrefix` setting to
+            enable |tls|. This method to use split horizons requires the
+            Server Name Indication extension of the |tls| protocol.
      - :setting:`See Setting<spec.connectivity.replicaSetHorizons>`
+
+   * - | ``spec.security``
+       | :setting:`.tls.certsSecretPrefix<spec.security.tls.certsSecretPrefix>`
+     - string
+     - Required
+     - Add the ``<prefix>`` of the secret 
+       name that contains your MongoDB deployment's |tls| certificates.
+     - ``devDb``

source/includes/list-tables/resource-keys-tls-custom-ca.rst

@@ -8,17 +8,6 @@
      - Description
      - Example
 
-   * - | ``spec.security``
-       | :setting:`.tls.enabled<spec.security.tls.enabled>`
-     - boolean
-     - Required
-     - If this value is ``true``, |tls| is enabled on the MongoDB
-       deployment.
-
-       By default, |k8s-op-short| requires hosts to use and
-       accept |tls| encrypted connections.
-     - ``true``
-
    * - | ``spec.security``
        | :setting:`.tls.ca<spec.security.tls.ca>`
      - string
@@ -28,9 +17,9 @@
      - ``<custom-ca>``
 
    * - | ``spec.security``
-       | :setting:`.tls.certsSecretPrefix<spec.security.tls.certsSecretPrefix>`
+       | :setting:`.certsSecretPrefix<spec.security.certsSecretPrefix>`
      - string
-     - Optional
-     - If applicable, add the ``<prefix>`` of the secret 
+     - Required
+     - Add the ``<prefix>`` of the secret 
        name that contains your MongoDB deployment's |tls| certificates.
      - ``devDb``

source/includes/list-tables/resource-keys-tls.rst

@@ -679,7 +679,8 @@ description: |
      - Make sure that the number of entries in this array matches the
        value given in :setting:`spec.members`.
 
-     - Set the :setting:`spec.security.tls.enabled` to ``true`` to
+     - Provide a value for the
+       :setting:`spec.security.certsSecretPrefix` setting to
        enable |tls|. This method to use split horizons requires the
        Server Name Indication extension of the |tls| protocol.
 

source/includes/options-k8s-replica-set.yaml

@@ -566,6 +566,13 @@ directive: setting
 optional: true
 default: "``false``"
 description: |
+
+  .. important::
+
+     :setting:`spec.security.tls.enabled` is deprecated and will be
+     removed in a future release. To enable |tls|, provide a value for 
+     the :setting:`spec.security.certsSecretPrefix` setting.
+
   Encrypts communications using TLS certificates between:
 
   - MongoDB hosts in a replica set or sharded cluster configuration
@@ -603,13 +610,6 @@ description: |
      - :setting:`spec.security.tls.secretRef.prefix`
      - :setting:`spec.security.certsSecretPrefix`
 
-  You must prefix your secrets with ``<metadata.name>`` if you omit all 
-  of the following settings:
-
-  - :setting:`spec.security.tls.secretRef.name`
-  - :setting:`spec.security.tls.secretRef.prefix`
-  - :setting:`spec.security.certsSecretPrefix`
-
   To learn more about naming the secrets that contain your |tls| 
   certificates, see the topic in :ref:`secure-tls` that applies to your 
   deployment.
@@ -639,13 +639,6 @@ description: |
   - You set :setting:`spec.security.certsSecretPrefix` or :setting:`spec.security.tls.secretRef.prefix`
   - You omit :setting:`spec.security.tls.secretRef.name`.
 
-  You must prefix your secrets with ``<metadata.name>`` if you omit all 
-  of the following settings:
-
-  - :setting:`spec.security.tls.secretRef.name`
-  - :setting:`spec.security.tls.secretRef.prefix`
-  - :setting:`spec.security.certsSecretPrefix`
-
   To learn more about naming the secrets that contain your |tls| 
   certificates, see the topic in :ref:`secure-tls` that applies to your 
   deployment.
@@ -675,13 +668,6 @@ description: |
   - You set :setting:`spec.security.certsSecretPrefix` or :setting:`spec.security.tls.secretRef.prefix`
   - You omit :setting:`spec.security.tls.secretRef.name`.
 
-  You must prefix your secrets with ``<metadata.name>`` if you omit all 
-  of the following settings:
-
-  - :setting:`spec.security.tls.secretRef.name`
-  - :setting:`spec.security.tls.secretRef.prefix`
-  - :setting:`spec.security.certsSecretPrefix`
-
   To learn more about naming the secrets that contain your |tls| 
   certificates, see the topic in :ref:`secure-tls` that applies to your 
   deployment.
@@ -712,7 +698,8 @@ description: |
      value to ``["X509"]`` and specify the following settings:
 
      - :setting:`spec.security.authentication.internalCluster` ``: "X509"``
-     - :setting:`spec.security.tls.enabled` ``: true``
+     - provide a value for the
+       :setting:`spec.security.certsSecretPrefix` setting.`
 
   If you provide more than one value for
   :setting:`spec.security.authentication.modes`, you must also specify a
@@ -751,8 +738,10 @@ default: "``false``"
 description: |
 
   Specifies whether the MongoDB host requires clients to connect using a
-  |tls| certificate. Defaults to ``true`` if
-  :setting:`spec.security.tls.enabled` is ``true``.
+  |tls| certificate. Defaults to ``true`` if you enable |tls|
+  authentication.
+  
+  To enable |tls| authentication, provide a value 
 
 ---
 program: _shared
@@ -1269,7 +1258,7 @@ description: |
   Requires that the following settings be specified:
   
   - :setting:`spec.security.authentication.modes` ``: ["X509"]``
-  - :setting:`spec.security.tls.enabled` ``: true``
+  - :setting:`spec.security.certsSecretPrefix`
 
   The |k8s-op-short| accepts the following values:
 

source/includes/options-k8s-shared.yaml

@@ -42,7 +42,6 @@ replacement:
       :lineno-start: 16
       :start-after: START-tls-replset-lower-custom
       :end-before: END-tls-replset-lower-custom
-      :emphasize-lines: 1-4
 
 ---
 stepnum: 5