/ /

Custom Resources

Docs Home

Management

Atlas Kubernetes Operator

Custom Resources

Docs Home

Management

Atlas Kubernetes Operator

Custom Resources

`AtlasDatabaseUser` Custom Resource

The AtlasDatabaseUser custom resource configures the database user in an Atlas project. You create database users per project, not per cluster. So, the AtlasDatabaseUser custom resource configuration contains a reference to the AtlasProject Custom Resource. Create the AtlasProject Custom Resource beforehand.

Important

Custom Resources No Longer Delete Objects by Default

Atlas Kubernetes Operator uses custom resource configuration files to manage your Atlas configuration, but as of Atlas Kubernetes Operator 2.0, custom resources you delete in Kubernetes are no longer (by default) deleted in Atlas. Instead, Atlas Kubernetes Operator simply stops managing those resources in Atlas. For example, if you delete an AtlasProject Custom Resource in Kubernetes, by default the Atlas Kubernetes Operator no longer automatically deletes the corresponding project from Atlas. This change in behavior is intended to help prevent accidental or unexpected deletions. To learn more, including how to revert this behavior to the default used prior to Atlas Kubernetes Operator 2.0, see New Default: Deletion Protection in Atlas Kubernetes Operator 2.0.
Similarly, Atlas Kubernetes Operator does not delete teams from Atlas if you remove them from an Atlas project in Kubernetes with the Atlas Kubernetes Operator.

Explicitly define your desired configuration details in order to avoid implicitly using default Atlas configuration values. In some cases, inheriting Atlas defaults may result in a reconciliation loop which can prevent your custom resource from achieving a READY state. For example, explicitly defining your desired autoscaling behavior in your AtlasDeployment custom resource, as shown in the included example, ensures that a static instance size in your custom resource is not being repeatedly applied to an Atlas deployment which has autoscaling enabled.

autoScaling:
  diskGB:
    enabled: true
  compute:
    enabled: true
    scaleDownEnabled: true
    minInstanceSize: M30
    maxInstanceSize: M40

The following example shows a reference to the AtlasProject Custom Resource:

spec:
  projectRef:
    name: my-project

Atlas Kubernetes Operator ensures the database user configuration in Atlas matches the configuration in Kubernetes.

Atlas Kubernetes Operator does one of the following actions using the Atlas Database Users API:

Creates a new database user.
Updates an existing user.

Before you create a database user, you must create an opaque secret with a single password field to log into the Atlas cluster database.

Note

You must create the secret in the same namespace where the AtlasDatabaseUser custom resource is located.

The following example creates a secret:

kubectl create secret generic the-user-password --from-literal="password=P@@sword%"

Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.

The following example labels a secret:

kubectl label secret the-user-password atlas.mongodb.com/type=credentials

Connection Secrets

After Atlas Kubernetes Operator successfully creates or updates the database user in Atlas, Atlas Kubernetes Operator creates or updates the connection secrets in the same namespace where the AtlasDatabaseUser custom resource is located.

Connection secrets contain all the information required to connect to the Atlas clusters including the following parameters:

Parameter	Description
`connectionStringStandard`	Public `mongodb://` connection URI.
`connectionstringStandardSrv`	Public `mongodb+srv://` connection URI.
`username`	Name that identifies the database user.
`password`	Password of the database user.

Applications running in Kubernetes can use this information to connect to Atlas clusters. You can mount the secrets to the application pods as files and the application process can read these files to get data.

The following example shows mounting the secret as an environment variable:

spec:
containers:
- name: test-app
  env:
    - name: "CONNECTIONSTRING"
      valueFrom:
        secretKeyRef:
          name: project-cluster-basic-theuser
          key: connectionStringStandardSrv

The following example shows mounting the secret as files:

spec:
containers:
- name: test-app
  volumeMounts:
  - mountPath: /var/secrets/
    name: theuser-connection
volumes:
  - name: theuser-connection
    secret:
      secretName: project-cluster-basic-theuser

By default, Atlas Kubernetes Operator creates the database user connection secret for each cluster in the same project that the AtlasDatabaseUser references. You can change this behavior with the spec.scopes parameter. This parameter restricts the clusters where the database user gets created. The name of the connection secret uses the following format: <project_name>-<cluster_name>-<db_user_name>.

Examples

Project and Clusters

The following example shows an Atlas project and the clusters that reference it:

apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
 name: my-project
spec:
 name: p1
 projectIpAccessList:
   - ipAddress: "192.0.2.15"
     comment: "IP address for Application Server A"
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
 name: my-aws-cluster
spec:
 name: aws-cluster
 projectRef:
   name: my-project
 providerSettings:
   instanceSizeName: M10
   providerName: AWS
   regionName: US_EAST_1
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
 name: my-gcp-cluster
spec:
 name: gcp-cluster
 projectRef:
   name: my-project
 providerSettings:
   instanceSizeName: M10
   providerName: GCP
   regionName: EASTERN_US

Database User without Scopes

The following example shows an AtlasDatabaseUser custom resource specification with spec.scopes omitted:

apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
 name: my-database-user
spec:
 description: "User for the reporting application."
 roles:
   - roleName: readWriteAnyDatabase
     databaseName: admin
 projectRef:
   name: my-project
 username: theuser
 passwordSecretRef:
   name: the-user-password

After you create this custom resource, Atlas Kubernetes Operator creates the following secrets:

p1-aws-cluster-theuser
p1-gcp-cluster-theuser

Database User with Scopes

The following example shows an AtlasDatabaseUser custom resource specification with spec.scopes set to the Google Cloud cluster only:

apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
 name: my-database-user
spec:
 roles:
   - roleName: "readWriteAnyDatabase"
     databaseName: "admin"
 projectRef:
   name: my-project
 username: theuser
 passwordSecretRef:
   name: the-user-password
 scopes:
   - type: CLUSTER
     name: gcp-cluster

After you update this custom resource, Atlas Kubernetes Operator removes theuser from the aws-cluster. It also removes the p1-aws-cluster-theuser secret from the Kubernetes cluster.

Database User with X.509 Authentication

The following example shows an AtlasDatabaseUser custom resource specification with X.509 authentication.

apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
  name: my-database-user
spec:
  username: CN=my-x509-authenticated-user,OU=organizationalunit,O=organization
  databaseName: "\$external"
  x509Type: "CUSTOMER"
  roles:
    - roleName: "readWriteAnyDatabase"
      databaseName: "admin"
  projectRef:
    name: my-project

Database User with OIDC Authentication

The following example shows an AtlasDatabaseUser custom resource specification with OIDC.

apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
  name: my-database-user
spec:
  roles:
    - roleName: "readWriteAnyDatabase"
      databaseName: "admin"
  projectRef:
    name: my-project
  username: my-oidc-group-id/my-idp-group-name
  oidcAuthType: IDP_GROUP

Database User with AWS IAM Authentication

The following example shows an AtlasDatabaseUser custom resource specification with AWS IAM.

apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
  name: my-database-user
spec:
  username: arn:aws:iam::123456789012:user/johndoe
  databaseName: "$external"
  roles:
    - roleName: "readWriteAnyDatabase"
      databaseName: "admin"
  projectRef:
    name: my-project
 awsIamType: USER

Parameters

AtlasDatabaseUser

AtlasDatabaseUser is the Schema for the Atlas Database User API

`Name`	Type	Description	Required
`apiVersion`	string	atlas.mongodb.com/v1	true
`kind`	string	`AtlasDatabaseUser`	true
`metadata`	object	Refer to the Kubernetes `API` documentation for the fields of the `metadata` field.	true
`spec`	object	`AtlasDatabaseUserSpec` defines the target state of Database User in Atlas Validations: (has(self.``externalProjectRef``) && !has(self.``projectRef``)) \|\| (!has(self.``externalProjectRef``) && has(self.``projectRef``)): must define only one project reference through `externalProjectRef` or `projectRef` (has(self.``externalProjectRef``) && has(self.``connectionSecret``)) \|\| !has(self.``externalProjectRef``): must define a local connection secret when referencing an external project	false
`status`	object	`AtlasDatabaseUserStatus` defines the observed state of `AtlasProject`	false

AtlasDatabaseUser.spec

AtlasDatabaseUserSpec defines the target state of Database User in Atlas

`Name`	Type	Description	Required
`roles`	[]object	Roles is an array of this user's `roles` and the databases / collections on which the `roles` apply. A role allows the user to perform particular actions on the specified database.	true
`username`	string	Username is a `username` for authenticating to `MongoDB` Human-readable label that represents the user that authenticates to `MongoDB`. The format of this label depends on the method of authentication: In case of `AWS` `IAM`: the value should be `AWS` `ARN` for the `IAM` User/Role; In case of `OIDC` Workload or Workforce: the value should be the Atlas `OIDC` `IdP` `ID`, followed by a '/', followed by the `IdP` group name; In case of Plain text auth: the value can be anything.	true
`awsIamType`	enum	Human-readable label that indicates whether the new database user authenticates with Amazon Web Services (`AWS`). Identity and Access Management (`IAM`) credentials associated with the user or the user's role Enum: `NONE`, `USER`, `ROLE` Default: `NONE`	false
`connectionSecret`	object	Name of the secret containing Atlas `API` private and public keys.	false
`databaseName`	string	`DatabaseName` is a Database against which Atlas authenticates the user. If the user authenticates with `AWS` `IAM`, x.509, `LDAP`, or `OIDC` Workload this value should be '$external'. If the user authenticates with `SCRAM`-`SHA` or `OIDC` Workforce, this value should be 'admin'. Default value is 'admin'. Default: admin	false
`deleteAfterDate`	string	`DeleteAfterDate` is a timestamp in `ISO` 8601 date and time format in `UTC` after which Atlas deletes the user. The specified date must be in the future and within one week.	false
`description`	string	Description of this database user. Maximum 100 characters.	false
`externalProjectRef`	object	`externalProjectRef` holds the parent Atlas project `ID`. Mutually exclusive with the "`projectRef`" field.	false
`labels`	[]object	Labels is an array containing key-value pairs that tag and categorize the database user. Each key and value has a maximum length of 255 characters.	false
`oidcAuthType`	enum	Human-readable label that indicates whether the new database Username with `OIDC` federated authentication. To create a federated authentication group (Workforce), specify the value of `IDP_GROUP` in this field. To create a federated authentication user (Workload), specify the value of `USER` in this field. Enum: `NONE`, `IDP_GROUP`, `USER` Default: `NONE`	false
`passwordSecretRef`	object	`PasswordSecret` is a reference to the Secret keeping the user password.	false
`projectRef`	object	`projectRef` is a reference to the parent `AtlasProject` resource. Mutually exclusive with the "`externalProjectRef`" field.	false
`scopes`	[]object	Scopes is an array of clusters and Atlas Data Lakes that this user has access to.	false
`x509Type`	enum	X509Type is X.509 method by which the database authenticates the provided username. Enum: `NONE`, `MANAGED`, `CUSTOMER` Default: `NONE`	false

AtlasDatabaseUser.spec.roles

RoleSpec allows the user to perform particular actions on the specified database. A role on the admin database can include privileges that apply to the other databases as well.

`Name`	Type	Description	Required
`databaseName`	string	`DatabaseName` is a database on which the user has the specified role. A role on the admin database can include privileges that apply to the other databases.	true
`roleName`	string	`RoleName` is a name of the role. This value can either be a built-in role or a custom role.	true
`collectionName`	string	`CollectionName` is a collection for which the role applies.	false

AtlasDatabaseUser.spec.connectionSecret

Name of the secret containing Atlas API private and public keys.

`Name`	Type	Description	Required
`name`	string	Name of the resource being referred to More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names	true

AtlasDatabaseUser.spec.externalProjectRef

externalProjectRef holds the parent Atlas project ID. Mutually exclusive with the "projectRef" field.

`Name`	Type	Description	Required
`id`	string	`ID` is the Atlas project `ID`.	true

AtlasDatabaseUser.spec.labels

LabelSpec contains key-value pairs that tag and categorize the Cluster/DBUser

`Name`	Type	Description	Required
`key`	string	Key applied to tag and categorize this component.	true
`value`	string	Value set to the Key applied to tag and categorize this component.	true

AtlasDatabaseUser.spec.passwordSecretRef

PasswordSecret is a reference to the Secret keeping the user password.

`Name`	Type	Description	Required
`name`	string	Name is the `name` of the Kubernetes Resource	true

AtlasDatabaseUser.spec.projectRef

projectRef is a reference to the parent AtlasProject resource. Mutually exclusive with the "externalProjectRef" field.

`Name`	Type	Description	Required
`name`	string	Name of the Kubernetes Resource	true
`namespace`	string	Namespace of the Kubernetes Resource	false

AtlasDatabaseUser.spec.scopes

ScopeSpec if present a database user only have access to the indicated resource (Cluster or Atlas Data Lake) if none is given then it has access to all. It's highly recommended to restrict the access of the database users only to a limited set of resources.

`Name`	Type	Description	Required
`name`	string	Name is a `name` of the cluster or Atlas Data Lake that the user has access to.	true
`type`	enum	Type is a `type` of resource that the user has access to. Enum: `CLUSTER`, `DATA_LAKE`	true

AtlasDatabaseUser.status

AtlasDatabaseUserStatus defines the observed state of AtlasProject

`Name`	Type	Description	Required
`conditions`	[]object	Conditions is the list of statuses showing the current state of the Atlas Custom Resource	true
`name`	string	`UserName` is the current `name` of database user.	false
`observedGeneration`	integer	`ObservedGeneration` indicates the generation of the resource specification of which the Atlas Operator is aware. The Atlas Operator updates this field to the value of 'metadata.generation' as soon as it starts reconciliation of the resource. Format: int64	false
`passwordVersion`	string	`PasswordVersion` is the '`ResourceVersion`' of the password Secret that the Atlas Operator is aware of	false

AtlasDatabaseUser.status.conditions

Condition describes the state of an Atlas Custom Resource at a certain point.

`Name`	Type	Description	Required
`status`	string	Status of the condition; one of True, False, Unknown.	true
`type`	string	Type of Atlas Custom Resource condition.	true
`lastTransitionTime`	string	Last time the condition transitioned from one status to another. Represented in `ISO` 8601 format. Format: date-time	false
`message`	string	A `message` providing details about the transition.	false
`reason`	string	The `reason` for the condition's last transition.	false

Back

AtlasDeployment

AtlasBackupPolicy