Graylog2 · monrax · Dec 18, 2025 · Dec 4, 2025 · Dec 5, 2025 · Dec 16, 2025
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ This chart is still under development and does not have locked in api contracts
 
 ## Table of Contents
 * [Requirements](#requirements)
-  * [Optional Dependencies](#optional-dependencies)
+  * [External Dependencies](#external-dependencies)
 * [Installation](#installation)
 * [Post-installation](#post-installation)
   * [Set root Graylog password](#set-root-graylog-password)
@@ -33,18 +33,30 @@ This chart is still under development and does not have locked in api contracts
 * [Graylog Helm Chart Values Reference](#graylog-helm-chart-values-reference)
 
 # Requirements
-- Kubernetes v1.32
+- Kubernetes >= v1.32
+- Helm >= v3.0
+- MongoDB Controllers for Kubernetes (MCK) Operator v1.6.1 (required unless a [user-provided MongoDB](#bring-your-own-mongodb) is used)
 
-## Optional Dependencies
+## External Dependencies
 
 This Helm chart is designed as a turnkey solution for quick demos and proofs of concept,
-as well as streamlined production-grade setups through optional dependencies.
+as well as streamlined production-grade setups through external dependencies.
 These dependencies are not bundled with the chart and must be installed separately.
 
 > [!WARNING]
 > We do not provide support for any of these optional dependencies.
 > Please refer to their respective documentation for installation, usage, and troubleshooting.
 
+### MongoDB Operator
+
+The official [MongoDB Controllers for Kubernetes (MCK) Operator](https://www.mongodb.com/docs/kubernetes/current/)
+is the recommended method for provisioning the MongoDB replica sets required for running Graylog in production. 
+This decoupled approach provides greater flexibility, improved lifecycle management, operational consistency, and 
+overall production readiness.
+
+You may also choose to [bring your own MongoDB](#bring-your-own-mongodb), but for ease of deployment as well as
+improved reliability the MCK Operator remains the preferred way to deploy MongoDB and is therefore enabled by default.
+
 ### Ingress Controller
 
 By default, the chart exposes a Kubernetes service.
@@ -68,23 +80,6 @@ for `cert-manager`. This feature is disabled by default, since issuers are typic
 administrators. However, if you don't want to manage the issuer yourself, just set `managed.issuer=true` and
 we'll provision one automatically for you.
 -->
-<!--
-#### MongoDB Operator
-
-By default, this chart includes the Bitnami MongoDB sub-chart for simplicity and ease of use as it provides a
-zero-config, self-contained database setup. However, note that:
-
-- Bitnami’s free MongoDB containers are being deprecated.
-- The official MongoDB team recommends using the MongoDB Kubernetes Operator for production environments
-
-Thus, our chart also works with the **MongoDB Operator**, via a custom resource template rendered when the mongo
-subchart is disabled by setting `mongo.enabled = false`.
-
-> [!IMPORTANT]
-> The MongoDB operator must be installed and running in your cluster before disabling the subchart.
-
-This decoupled approach provides greater flexibility, lifecycle control, and production-readiness.
--->
 
 <!--
 ### Install
@@ -109,7 +104,15 @@ git clone git@github.com:Graylog2/graylog-helm.git
 cd graylog-helm
 ```
 
-## Install local chart
+## Install the official MongoDB Kubernetes Operator using Helm
+```sh
+helm upgrade --install mongodb-kubernetes-operator mongodb-kubernetes \
+  --repo https://mongodb.github.io/helm-charts --version "1.6.1" \
+  --set operator.watchNamespace="*" --reuse-values \
+  --namespace operators --create-namespace
+```
+
+## Install the official Graylog Helm chart
 ```sh
 helm install graylog ./graylog --namespace graylog --create-namespace
 ```
@@ -174,8 +177,8 @@ helm upgrade graylog ./graylog -n graylog --set datanode.replicas=5 --reuse-valu
 
 ## Scale MongoDB
 ```sh
-# scaling out: add more MongoDB nodes to your replicaset
-helm upgrade graylog ./graylog -n graylog --set mongodb.replicaCount=4 --reuse-values
+# scaling out: add more MongoDB nodes to your replica set
+helm upgrade graylog ./graylog -n graylog --set mongodb.replicas=4 --reuse-values
 ```
 
 ## Modify Graylog `server.conf` parameters
@@ -368,20 +371,24 @@ helm upgrade -i graylog ./graylog -n graylog --reuse-values --set global.existin
 
 ## Bring Your Own MongoDB
 
-By default, this chart deploys a MongoDB replicaset using [the Bitnami MongoDB chart](https://artifacthub.io/packages/helm/bitnami/mongodb) as a dependency.
-If you prefer to use your own MongoDB instance, you can disable the bundled MongoDB and configure the chart to connect to your external database:
+By default, this chart deploys a MongoDB replica set using a custom resource template, which is rendered when 
+`mongodb.communityResource.enabled` is set to `true` (the default setting).The
+[MongoDB Controllers for Kubernetes Operator](https://github.com/mongodb/mongodb-kubernetes) then manages the
+corresponding pods.
 
+If you prefer to use your own MongoDB instance, you can disable the custom MongoDB resource and configure the chart to
+connect to your external database:
 ```sh
 helm upgrade --install graylog ./graylog --namespace graylog --reuse-values \
-  --set mongodb.subchart.enabled=false \
+  --set mongodb.communityResource.enabled=false \
   --set graylog.config.mongodb.customUri="mongodb[+srv]://<username>:<password>@<hostname>:<port>[,<i-th hostname>:<i-th port>]/<db name>"
 ```
 
 **Alternatively**, the MongoDB URI can also be provided as part of an externally-managed secret:
 
 ```sh
 helm upgrade --install graylog ./graylog --namespace graylog --reuse-values \
-  --set mongodb.subchart.enabled=false \
+  --set mongodb.communityResource.enabled=false \
   --set global.existingSecretName="<your secret name>"
 ```
 
@@ -653,12 +660,14 @@ These values affect Graylog, DataNode, and MongoDB
 
 
 ## Service Account
-| Key Path                      | Description                       | Default |
-| ----------------------------- | --------------------------------- | ------- |
-| `serviceAccount.create`       | Create a new service account.     | `true`  |
-| `serviceAccount.automount`    | Automount service account token.  | `true`  |
-| `serviceAccount.annotations`  | Annotations for service account.  | `{}`    |
-| `serviceAccount.nameOverride` | Override name of service account. | `""`    |
+| Key Path                      | Description                                             | Default |
+|-------------------------------|---------------------------------------------------------|--------|
+| `serviceAccount.create`       | Create a new service account.                           | `true` |
+| `serviceAccount.automount`    | Automount service account token.                        | `true` |
+| `serviceAccount.annotations`  | Annotations for service account.                        | `{}`   |
+| `serviceAccount.nameOverride` | Override name of service account.                       | `""`   |
+| `serviceAccount.role.create`  | Create a new role to bind to this service account.      | `false` |
+| `serviceAccount.role.rules`   | Rules for the new role to bind to this service account. | `[]`   |
 
 
 ## Ingress
@@ -684,3 +693,24 @@ These values affect Graylog, DataNode, and MongoDB
 | `ingress.forwarder.hosts[0].paths[0].path`     | Path for routing.                     | `/`                      |
 | `ingress.forwarder.hosts[0].paths[0].pathType` | Path matching type.                   | `ImplementationSpecific` |
 | `ingress.forwarder.tls`                        | TLS configuration.                    | `[]`                     |
+
+## MongoDB
+MongoDB Community Resource configuration.
+Requires the MCK Operator: https://github.com/mongodb/mongodb-kubernetes/tree/master/docs/mongodbcommunity
+
+| Key Path                              | Description                                                 | Default                                                                                                                                                                                                                |
+|---------------------------------------|-------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `mongodb.communityResource.enabled`   | Enables creation of the `MongoDBCommunity` custom resource. | `true`                                                                                                                                                                                                                 |
+| `mongodb.version`                     | MongoDB server version for the replica set.                 | `"7.0.25"`                                                                                                                                                                                                             |
+| `mongodb.replicas`                    | Number of data-bearing replica set members.                 | `2`                                                                                                                                                                                                                    |
+| `mongodb.arbiters`                    | Number of arbiter nodes to deploy.                          | `1`                                                                                                                                                                                                                    |
+| `mongodb.persistence.storageClass`    | StorageClass to use for persistent volumes.                 | `""`                                                                                                                                                                                                                   |
+| `mongodb.persistence.size.data`       | Persistent volume size for data storage.                    | `"10G"`                                                                                                                                                                                                                |
+| `mongodb.persistence.size.logs`       | Persistent volume size for MongoDB logs.                    | `"2G"`                                                                                                                                                                                                                 |
+| `mongodb.security.tls.enabled`        | Enables TLS/SSL for MongoDB communication.                  | `false`                                                                                                                                                                                                                |
+| `mongodb.serviceAccount.create`       | Create a new service account for MongoDB workloads.         | `true`                                                                                                                                                                                                                 |
+| `mongodb.serviceAccount.automount`    | Automount service account token.                            | `true`                                                                                                                                                                                                                 |
+| `mongodb.serviceAccount.annotations`  | Annotations for service account.                            | `{}`                                                                                                                                                                                                                   |
+| `mongodb.serviceAccount.nameOverride` | Override name of service account.                           | `""`                                                                                                                                                                                                                   |
+| `mongodb.serviceAccount.role.create`  | Create a new role to bind to this service account.          | `true`                                                                                                                                                                                                                 |
+| `mongodb.serviceAccount.role.rules`   | Rules for the new role to bind to this service account.     | <pre><code>rules:<br/>  - apiGroups: [ "" ]<br/>    resources: [ "secrets" ]<br/>    verbs: [ "get" ]<br/>  - apiGroups: [ "" ]<br/>    resources: [ "pods" ]<br/>    verbs: [ "get", "patch", "delete" ]</code></pre> |
diff --git a/graylog/Chart.yaml b/graylog/Chart.yaml
@@ -2,16 +2,7 @@ apiVersion: v2
 name: graylog
 description: Official Graylog Helm chart for Kubernetes
 type: application
-
-# Dependency subcharts
-dependencies:
-  - name: mongodb
-    version: "16.5.21"
-    repository: https://charts.bitnami.com/bitnami
-    condition: mongodb.subchart.enabled
-
 # This is the chart version.
 version: 0.1.0
-
 # This is the version number of the Graylog application bundled with this chart.
 appVersion: "6.3"
diff --git a/graylog/charts/mongodb-16.5.21.tgz b/graylog/charts/mongodb-16.5.21.tgz
diff --git a/graylog/templates/NOTES.txt b/graylog/templates/NOTES.txt
@@ -10,10 +10,13 @@ SUMMARY
 
   - {{ include "graylog.replicas" . | int }} replicas of the Graylog application.
   - {{ include "graylog.datanode.replicas" . | int }} replicas of the Graylog Datanode.
-  {{- if .Values.mongodb.subchart.enabled }}
-  - {{ if eq .Values.mongodb.architecture "replicaset" }}{{ .Values.mongodb.replicaCount }} replicas{{ if .Values.mongodb.arbiter.enabled }} (+ 1 arbiter){{ end }} for MongoDB, running as a replicaset in Primary-Secondary{{if .Values.mongodb.arbiter.enabled }}-Arbiter{{ end }} mode.
-    {{- else }}1 replica for MongoDB running in standalone mode.
-    WARNING: running mongoDB in standalone mode is NOT SUPPORTED.{{ end }}
+  {{- if .Values.mongodb.communityResource.enabled }}
+  {{- $mongoReplicaCount := .Values.mongodb.replicas | int }}
+  {{- $mongoArbiterCount := .Values.mongodb.arbiters | int }}
+  - {{ $mongoReplicaCount }} replicas{{ if $mongoArbiterCount }} (+ {{ $mongoArbiterCount }} arbiter){{ end }} for MongoDB, running as a replicaset in Primary-Secondary{{ if $mongoArbiterCount }}-Arbiter{{ end }} mode.
+  {{ if mod (add $mongoArbiterCount $mongoReplicaCount | int) 2 | eq 0 }}
+  WARNING: An odd number of workers (replicas + arbiters) is preferred for MongoDB Replica Sets.
+  {{- end }}
   {{- end }}
 
   Use the following command to list all the resources deployed with this release:
@@ -106,7 +109,7 @@ ADDITIONAL NOTES
 
 · IMPORTANT: You are currently using a randomly generated password: {{ include "graylog.rootPassword" . | quote }}, which will NOT persist across upgrades. Please run the following command to set a persistent password:
 
-    echo "Enter your new password and press return:" && read -s pass && echo "Upgrading helm release {{ squote .Release.Name}}..." && helm upgrade {{ .Release.Name }} ./graylog --namespace {{ .Release.Namespace }} --reuse-values --set "graylog.config.rootPassword=$pass"; unset pass
+    echo "Enter your new password and press return:" && read -s pass && echo "Upgrading helm release {{ squote .Release.Name }}..." && helm upgrade {{ .Release.Name }} ./graylog --namespace {{ .Release.Namespace }} --reuse-values --set "graylog.config.rootPassword=$pass"; unset pass
 {{- end }}
 
 · Use the following command to print this status page again:

diff --git a/graylog/templates/_helpers.tpl b/graylog/templates/_helpers.tpl
@@ -64,6 +64,17 @@ Service account name
 {{- .Values.serviceAccount.nameOverride | default $defaultName }}
 {{- end }}
 
+{{/*
+MongoDB service account name
+*/}}
+{{- define "graylog.mongodb.serviceAccountName" -}}
+{{ $defaultName := "default" }}
+{{- if .Values.mongodb.serviceAccount.create }}
+{{- $defaultName = include "graylog.fullname" . | printf "%s-mongo-sa" }}
+{{- end }}
+{{- .Values.mongodb.serviceAccount.nameOverride | default $defaultName }}
+{{- end }}
+
 {{/*
 Size presets
 usage: (list <size preset key> <size field to index> . | list "graylog" | include "_presets.size")
@@ -209,16 +220,38 @@ Graylog Datanode secret name
 Graylog backup-secret name
 */}}
 {{- define "graylog.backupSecretName" -}}
-{{- $defaultName := include "graylog.fullname" . | printf "%s-backup-secret" }}
-{{- .Values.mongodb.passwordUpdateJob.previousPasswords.existingSecret | default $defaultName }}
+{{- include "graylog.fullname" . | printf "%s-backup-secret" }}
+{{- end }}
+
+{{/*
+MongoDB Community Resource name
+*/}}
+{{- define "graylog.mongodb.crName" -}}
+{{- include "graylog.fullname" . | printf "%s-mongo-rs" }}
+{{- end }}
+
+{{/*
+MongoDB Community Resource main username
+*/}}
+{{- define "graylog.mongodb.crUsername" -}}
+{{- print "graylog" }}
+{{- end }}
+
+{{/*
+MongoDB Community Resource main database
+*/}}
+{{- define "graylog.mongodb.crDatabase" -}}
+{{- print "graylog" }}
 {{- end }}
 
 {{/*
-MongoDB secret name
+MongoDB Community Resource Secret name
 */}}
-{{- define "graylog.mongodb.secretName" -}}
-{{- $defaultName := include "graylog.fullname" . | printf "%s-mongo-secret" }}
-{{- .Values.mongodb.auth.existingSecret | default $defaultName }}
+{{- define "graylog.mongodb.crSecretName" -}}
+{{- $crName := include "graylog.mongodb.crName" . }}
+{{- $userName := include "graylog.mongodb.crUsername" . }}
+{{- $dbName := include "graylog.mongodb.crDatabase" . }}
+{{- printf "%s-%s-%s" $crName $userName $dbName }}
 {{- end }}
 
 {{/*

diff --git a/graylog/templates/auth/mongo-sa.yaml b/graylog/templates/auth/mongo-sa.yaml
@@ -0,0 +1,34 @@
+{{- if .Values.mongodb.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "graylog.mongodb.serviceAccountName" . }}
+  labels:
+    {{- include "graylog.labels" . | nindent 4 }}
+  {{- with .Values.mongodb.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.mongodb.serviceAccount.automount | default true }}
+{{- if empty .Values.mongodb.serviceAccount.role.rules | not | and .Values.mongodb.serviceAccount.role.create }}
+{{- $roleName := include "graylog.mongodb.serviceAccountName" . | printf "%s-role" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $roleName }}
+rules: {{ .Values.mongodb.serviceAccount.role.rules | toYaml | nindent 2 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "graylog.mongodb.serviceAccountName" . | printf "%s-rb" }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "graylog.mongodb.serviceAccountName" . }}
+roleRef:
+  kind: Role
+  name: {{ $roleName }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
diff --git a/graylog/templates/auth/sa.yaml b/graylog/templates/auth/sa.yaml
@@ -9,24 +9,15 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount | default true }}
+{{- if empty .Values.serviceAccount.role.rules | not | and .Values.serviceAccount.role.create }}
+{{- $roleName := include "graylog.serviceAccountName" . | printf "%s-role" }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: secret-patch-role
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    resourceNames:
-      - {{ include "graylog.secretsName" . }}
-      - {{ include "graylog.mongodb.secretName" . }}
-    verbs: ["get"]
-  - apiGroups: [ "" ]
-    resources: ["secrets"]
-    resourceNames:
-      - {{ include "graylog.secretsName" . }}
-    verbs: ["get", "patch"]
+  name: {{ $roleName }}
+rules: {{ .Values.serviceAccount.role.rules | toYaml | nindent 2 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -37,6 +28,7 @@ subjects:
     name: {{ include "graylog.serviceAccountName" . }}
 roleRef:
   kind: Role
-  name: secret-patch-role
+  name: {{ $roleName }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
+{{- end }}