/ /

Custom Resources

Docs Home

Management

Atlas Kubernetes Operator

Custom Resources

Docs Home

Management

Atlas Kubernetes Operator

Custom Resources

`AtlasFederatedAuth` Custom Resource

The AtlasFederatedAuth custom resource configures federated authentication for your Atlas organization.

When you create the AtlasFederatedAuth custom resource, Atlas Kubernetes Operator uses the Federated Authentication API Resource to update the organization configuration for the federation. In the organization configuration, you specify federation settings for your Atlas organization such as organization and role mappings.

Important

Custom Resources No Longer Delete Objects by Default

Atlas Kubernetes Operator uses custom resource configuration files to manage your Atlas configuration, but as of Atlas Kubernetes Operator 2.0, custom resources you delete in Kubernetes are no longer (by default) deleted in Atlas. Instead, Atlas Kubernetes Operator simply stops managing those resources in Atlas. For example, if you delete an AtlasProject Custom Resource in Kubernetes, by default the Atlas Kubernetes Operator no longer automatically deletes the corresponding project from Atlas. This change in behavior is intended to help prevent accidental or unexpected deletions. To learn more, including how to revert this behavior to the default used prior to Atlas Kubernetes Operator 2.0, see New Default: Deletion Protection in Atlas Kubernetes Operator 2.0.
Similarly, Atlas Kubernetes Operator does not delete teams from Atlas if you remove them from an Atlas project in Kubernetes with the Atlas Kubernetes Operator.

Explicitly define your desired configuration details in order to avoid implicitly using default Atlas configuration values. In some cases, inheriting Atlas defaults may result in a reconciliation loop which can prevent your custom resource from achieving a READY state. For example, explicitly defining your desired autoscaling behavior in your AtlasDeployment custom resource, as shown in the included example, ensures that a static instance size in your custom resource is not being repeatedly applied to an Atlas deployment which has autoscaling enabled.

autoScaling:
  diskGB:
    enabled: true
  compute:
    enabled: true
    scaleDownEnabled: true
    minInstanceSize: M30
    maxInstanceSize: M40

To use this resource, you must have an existing identity provider (IdP) linked to your Atlas organization. To learn more, see Leverage Federated Authentication from Kubernetes.

Examples

The following example configures an AtlasFederatedAuth custom resource that does the following:

Enables federated authentication for the organization linked to the specified secret.
Adds my-org-domain.com as an approved domain.
Enables domain restriction for the organization.
Disables debugging for SSO.
Grants the Organization Member role to users after authenticating.
Maps the Organization Owner role for the organization and applies the role mapping to an IdP group named org-admin.
Maps the Organization Project Creator and Project Owner roles for a project in the organization named dev-project and applies the role mapping to an IdP group named dev-team.

apiVersion: atlas.mongodb.com/v1
kind: AtlasFederatedAuth
metadata:
  name: atlas-default-federated-auth
  namespace: mongodb-atlas-system
spec:
  enabled: true
  dataAccessIdentityProviders:
    - 32b6e34b3d91647abb20e7b8
    - 42d8v92k5a34184rnv93f0c1
  connectionSecretRef:
    name: my-org-secret
    namespace: mongodb-atlas-system
  domainAllowList:
    - my-org-domain.com
  domainRestrictionEnabled: true
  ssoDebugEnabled: false
  postAuthRoleGrants:
    - ORG_MEMBER
  roleMappings:
    - externalGroupName: org-admin
      roleAssignments:
        - role: ORG_OWNER
    - externalGroupName: dev-team
      roleAssignments:
        - role: ORG_GROUP_CREATOR
        - projectName: dev-project
          role: GROUP_OWNER
status:
  conditions:
    - type: Ready
      status: True
    - type: RolesReady
      status: True
    - type: UsersReady
      status: True

Note

The preceding example includes the status section, which describes the update process. To learn more, see Create and Update Process.

Parameters

AtlasFederatedAuth

AtlasFederatedAuth is the Schema for the Atlasfederatedauth API

`Name`	Type	Description	Required
`apiVersion`	string	atlas.mongodb.com/v1	true
`kind`	string	`AtlasFederatedAuth`	true
`metadata`	object	Refer to the Kubernetes `API` documentation for the fields of the `metadata` field.	true
`spec`	object	`AtlasFederatedAuthSpec` defines the target state of `AtlasFederatedAuth`.	false
`status`	object	`AtlasFederatedAuthStatus` defines the observed state of `AtlasFederatedAuth`.	false

AtlasFederatedAuth.spec

AtlasFederatedAuthSpec defines the target state of AtlasFederatedAuth.

`Name`	Type	Description	Required
`connectionSecretRef`	object	Connection secret with `API` credentials for configuring the federation. These credentials must have `OrganizationOwner` permissions.	false
`dataAccessIdentityProviders`	[]string	The collection of unique ids representing the identity providers that can be used for data access in this organization. Currently connected data access identity providers missing from this field will be disconnected.	false
`domainAllowList`	[]string	Approved domains that restrict users who can join the organization based on their email address.	false
`domainRestrictionEnabled`	boolean	Prevent users in the federation from accessing organizations outside the federation, and creating new organizations. This option applies to the entire federation. See more information at https://www.mongodb.com/docs/atlas/security/federation-advanced-options/#restrict-user-membership-to-the-federation Default: false	false
`enabled`	boolean	Default: false	false
`postAuthRoleGrants`	[]string	Atlas roles that are granted to a user in this organization after authenticating.	false
`roleMappings`	[]object	Map `IDP` groups to Atlas roles.	false
`ssoDebugEnabled`	boolean	Default: false	false

AtlasFederatedAuth.spec.connectionSecretRef

Connection secret with API credentials for configuring the federation. These credentials must have OrganizationOwner permissions.

`Name`	Type	Description	Required
`name`	string	Name of the Kubernetes Resource	true
`namespace`	string	Namespace of the Kubernetes Resource	false

AtlasFederatedAuth.spec.roleMappings

RoleMapping maps an external group from an identity provider to roles within Atlas.

`Name`	Type	Description	Required
`externalGroupName`	string	`ExternalGroupName` is the name of the `IDP` group to which this mapping applies.	false
`roleAssignments`	[]object	`RoleAssignments` define the roles within projects that should be given to members of the group.	false

AtlasFederatedAuth.spec.roleMappings.roleAssignments

`Name`	Type	Description	Required
`projectName`	string	The Atlas project in the same org in which the role should be given.	false
`role`	enum	The `role` in Atlas that should be given to group members. Enum: `ORG_MEMBER`, `ORG_READ_ONLY`, `ORG_BILLING_ADMIN`, `ORG_GROUP_CREATOR`, `ORG_OWNER`, `ORG_BILLING_READ_ONLY`, `GROUP_OWNER`, `GROUP_READ_ONLY`, `GROUP_DATA_ACCESS_ADMIN`, `GROUP_DATA_ACCESS_READ_ONLY`, `GROUP_DATA_ACCESS_READ_WRITE`, `GROUP_CLUSTER_MANAGER`, `GROUP_SEARCH_INDEX_EDITOR`, `GROUP_DATABASE_ACCESS_ADMIN`, `GROUP_BACKUP_MANAGER`, `GROUP_STREAM_PROCESSING_OWNER`, `ORG_STREAM_PROCESSING_ADMIN`, `GROUP_OBSERVABILITY_VIEWER`	false

AtlasFederatedAuth.status

AtlasFederatedAuthStatus defines the observed state of AtlasFederatedAuth.

`Name`	Type	Description	Required
`conditions`	[]object	Conditions is the list of statuses showing the current state of the Atlas Custom Resource	true
`observedGeneration`	integer	`ObservedGeneration` indicates the generation of the resource specification of which the Atlas Operator is aware. The Atlas Operator updates this field to the value of 'metadata.generation' as soon as it starts reconciliation of the resource. Format: int64	false

AtlasFederatedAuth.status.conditions

Condition describes the state of an Atlas Custom Resource at a certain point.

`Name`	Type	Description	Required
`status`	string	Status of the condition; one of True, False, Unknown.	true
`type`	string	Type of Atlas Custom Resource condition.	true
`lastTransitionTime`	string	Last time the condition transitioned from one status to another. Represented in `ISO` 8601 format. Format: date-time	false
`message`	string	A `message` providing details about the transition.	false
`reason`	string	The `reason` for the condition's last transition.	false

Back

AtlasDataFederation

Flex to Dedicated Migration