The AtlasProject custom resource configures the project in
Atlas. When you create the AtlasProject custom resource,
Atlas Kubernetes Operator tries to create a new project in Atlas.
Important
Custom Resources No Longer Delete Objects by Default
Atlas Kubernetes Operator uses custom resource configuration files to manage your Atlas configuration, but as of Atlas Kubernetes Operator 2.0, custom resources you delete in Kubernetes are no longer (by default) deleted in Atlas. Instead, Atlas Kubernetes Operator simply stops managing those resources in Atlas. For example, if you delete an AtlasProject Custom Resource in Kubernetes, by default the Atlas Kubernetes Operator no longer automatically deletes the corresponding project from Atlas. This change in behavior is intended to help prevent accidental or unexpected deletions. To learn more, including how to revert this behavior to the default used prior to Atlas Kubernetes Operator 2.0, see New Default: Deletion Protection in Atlas Kubernetes Operator 2.0.
Similarly, Atlas Kubernetes Operator does not delete teams from Atlas if you remove them from an Atlas project in Kubernetes with the Atlas Kubernetes Operator.
Explicitly define your desired configuration details in order to avoid implicitly using default Atlas configuration values. In some cases, inheriting Atlas defaults may result in a reconciliation loop which can prevent your custom resource from achieving a READY state. For example, explicitly defining your desired autoscaling behavior in your AtlasDeployment custom resource, as shown in the included example, ensures that a static instance size in your custom resource is not being repeatedly applied to an Atlas deployment which has autoscaling enabled.
autoScaling:
  diskGB:
    enabled: true
  compute:
    enabled: true
    scaleDownEnabled: true
    minInstanceSize: M30
    maxInstanceSize: M40
Atlas Kubernetes Operator does one of the following actions:
Creates a new project in the organization that the connection secret configures.
Reuses an existing project. In this case, Atlas Kubernetes Operator verifies whether a project with spec.name exists. If the project exists, Atlas Kubernetes Operator skips creation. After the reconciliation, Atlas Kubernetes Operator updates the status.id field with the id of the project.
You can use the spec.connectionSecretRef.name parameter
to set the connection secret for the AtlasProject custom
resource. This parameter overrides the default global connection
secret.
By default, Atlas Kubernetes Operator keeps connection secrets in the same namespace
as the AtlasProject Custom Resource. To store
secrets in another namespace, specify the
spec.connectionSecretRef.namespace parameter.
To connect to the Atlas Administration API, Atlas Kubernetes Operator reads the organization ID and API keys from Atlas Kubernetes Operator secrets.
You can also edit the AtlasProject custom resource specification to
configure the following options:
An IP access list with the spec.projectIpAccessList parameter. This IP access list grants network access to Atlas clusters in the project.
Teams with the spec.teams parameter. A team lets you grant an access role to an entire group of Atlas users for a particular project.
The maintenance window with the spec.maintenanceWindow parameter. The maintenance window sets the hour and day that Atlas starts weekly maintenance on your database deployments.
Network peering with the spec.networkPeers parameter. Network peering allows you to connect securely to your AWS, Azure, or Google Cloud VPC.
Encryption at rest using customer-managed keys with the spec.encryptionAtRest parameter. Encryption at rest using customer-managed keys allows you to add an additional layer of security by using your cloud provider's KMS together with the MongoDB encrypted storage engine.
Private endpoints with the spec.privateEndpoints parameter.
X.509 authentication with the spec.x509CertRef.name parameter.
Project settings with the spec.settings parameter, including settings to enable and disable the following:
Collection of database statistics in cluster metrics
Project alerts configurations with the spec.alertConfigurationSyncEnabled and spec.alertConfigurations parameters.
For information on how these settings interact, see the Considerations.
If you remove the AtlasProject resource from your Kubernetes cluster,
Atlas Kubernetes Operator removes the project from Atlas. You must remove all the
clusters in the project beforehand. Otherwise, Atlas rejects the
delete request.
Example
The following example shows an AtlasProject custom resource
specification:
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test project
  connectionSecretRef:
    name: my-atlas-key
  projectIpAccessList:
    - cidrBlock: "203.0.113.0/24"
      comment: "CIDR block for Application Server B - D"
Prometheus Example
The following example shows an AtlasProject custom resource
specification that integrates with Prometheus:
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: TestPrometheusIntegration
  connectionSecretRef:
    name: my-atlas-key
  projectIpAccessList:
    - cidrBlock: "0.0.0.0/1"
      comment: "Everyone has access. For test purposes only."
    - cidrBlock: "128.0.0.0/1"
      comment: "Everyone has access. For test purposes only."
  integrations:
    - type: "PROMETHEUS"
      enabled: "true"
      username: "prometheus-user"
      passwordRef:
        name: "password-name"
        namespace: "password-namespace"
      scheme: "http"
      serviceDiscovery: "http"
To learn more, see Integrate with Third-Party Services.
Note
Atlas Kubernetes Operator offers a sample Grafana dashboard that you can import into Grafana.
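The two /1 entries in the Prometheus example above add up to the whole IPv4 address space, which a review that only looks for a literal 0.0.0.0/0 would miss. The following Python check is an added example, not code from Atlas Kubernetes Operator or its documentation; it collapses the spec.projectIpAccessList entries before judging their breadth, generalizes to IPv6 entries, and its function name, finding texts, and /16 breadth threshold are assumptions.

```python
import ipaddress

# Constructed inputs: spec.projectIpAccessList as parsed YAML would present it,
# copied from the basic, Prometheus, and maintenance window examples on this page.
BASIC_SPEC = {"projectIpAccessList": [
    {"cidrBlock": "203.0.113.0/24",
     "comment": "CIDR block for Application Server B - D"},
]}
PROMETHEUS_SPEC = {"projectIpAccessList": [
    {"cidrBlock": "0.0.0.0/1",
     "comment": "Everyone has access. For test purposes only."},
    {"cidrBlock": "128.0.0.0/1",
     "comment": "Everyone has access. For test purposes only."},
]}
SINGLE_HOST_SPEC = {"projectIpAccessList": [
    {"ipAddress": "192.0.2.15",
     "comment": "IP address for Application Server A"},
]}


def audit_access_list(spec, min_prefixlen=16):
    """Collapse the access list and report entries that are too broad.

    min_prefixlen is a hypothetical policy value: any collapsed IPv4 block
    wider than this prefix length is reported.
    """
    nets, findings = [], []
    for entry in spec.get("projectIpAccessList") or []:
        value = entry.get("cidrBlock") or entry.get("ipAddress")
        if not value:
            continue
        try:
            # strict=False accepts CIDR blocks written with host bits set.
            nets.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            findings.append(f"{value}: not a valid address or CIDR block")

    collapsed = []
    for version in (4, 6):
        same_version = [n for n in nets if n.version == version]
        # collapse_addresses merges adjacent and overlapping blocks, so
        # 0.0.0.0/1 + 128.0.0.0/1 is reported as the single block 0.0.0.0/0.
        for net in ipaddress.collapse_addresses(same_version):
            collapsed.append(str(net))
            if net.prefixlen == 0:
                findings.append(
                    f"{net}: entries combine to every IPv{version} address")
            elif version == 4 and net.prefixlen < min_prefixlen:
                findings.append(f"{net}: broader than /{min_prefixlen}")
    return {"collapsed": collapsed, "findings": findings}


if __name__ == "__main__":
    for name, spec in [("basic", BASIC_SPEC),
                       ("prometheus", PROMETHEUS_SPEC),
                       ("single host", SINGLE_HOST_SPEC)]:
        print(name, audit_access_list(spec))
```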
Teams Example
The following example shows an AtlasProject custom resource
specification that gives the green-leaf-team the Organization Owner
role for this project. The team members are defined in the
AtlasTeam custom resource.
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test project
  teams:
    - teamRef:
        name: green-leaf-team
      roles:
        - ORGANIZATION_OWNER
To learn more, see Configure Teams.
Maintenance Window Example
The following example shows an AtlasProject custom resource
specification that sets the maintenance window to 5:00 AM every Tuesday with automatic deferral disabled:
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test project
  projectIpAccessList:
    - ipAddress: "192.0.2.15"
      comment: "IP address for Application Server A"
  maintenanceWindow:
    dayOfWeek: 3
    hourOfDay: 5
    autoDefer: false
Project Settings Example
The following example shows an AtlasProject custom resource
specification that disables the collection of database statistics in
cluster metrics,
data explorer, Performance Advisor, Realtime Performance Panel, and Schema Advisor.
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test project
  projectIpAccessList:
    - ipAddress: "192.0.2.15"
      comment: "IP address for Application Server A"
  settings:
    isCollectDatabaseSpecificsStatisticsEnabled: false
    isDataExplorerEnabled: false
    isExtendedStorageSizesEnabled: false
    isPerformanceAdvisorEnabled: false
    isRealtimePerformancePanelEnabled: false
    isSchemaAdvisorEnabled: false
Alert Configuration Example
The following example shows an AtlasProject custom resource
specification that configures an alert that triggers if the oplog
window reaches less than one hour:
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Atlas Operator Project
  connectionSecretRef:
    name: my-atlas-key
  alertConfigurations:
    - eventTypeName: "REPLICATION_OPLOG_WINDOW_RUNNING_OUT"
      enabled: true
      notifications:
        - delayMin: 0
          emailEnabled: true
          intervalMin: 60
          roles: [ "GROUP_OWNER" ]
          smsEnabled: false
          typeName: "GROUP"
      threshold:
        operator: "LESS_THAN"
        threshold: "1"
        units: "HOURS"
  alertConfigurationSyncEnabled: true
  withDefaultAlertsSettings: false
Third-Party Alert Configuration Example
The following example shows an AtlasProject custom resource
specification that configures an alert that sends notifications through
Slack:
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Atlas Operator Project
  connectionSecretRef:
    name: my-atlas-key
  alertConfigurations:
    - eventTypeName: "REPLICATION_OPLOG_WINDOW_RUNNING_OUT"
      enabled: true
      notifications:
        - delayMin: 0
          emailEnabled: true
          intervalMin: 60
          roles: [ "GROUP_OWNER" ]
          smsEnabled: false
        - typeName: "SLACK"
          apiTokenRef:
            name: key-name
            namespace: key-namespace
      threshold:
        operator: "LESS_THAN"
        threshold: "1"
        units: "HOURS"
  alertConfigurationSyncEnabled: true
  withDefaultAlertsSettings: false
Parameters
This section describes the AtlasProject custom resource parameters:
spec.name
Type: string
Required
Name of the project created or updated in Atlas. The name length must not exceed 64 characters. The name can contain only letters, numbers, spaces, dashes, and underscores.
spec.alertConfigurations
Type: array of objects
Optional
List that contains alert configurations for this project.
If you use this setting, you must also set spec.alertConfigurationSyncEnabled to true for Atlas Kubernetes Operator to modify project alert configurations.
If you omit or leave this setting empty, Atlas Kubernetes Operator doesn't alter the project's alert configurations. If creating a project, Atlas applies the default project alert configurations.
spec.alertConfigurations.eventTypeName
Type: string
Required
Event that triggers an alert that this alert configuration describes.
To learn about the values that Atlas Kubernetes Operator accepts, see the request body schema for the Create One Alert Configuration in One Project endpoint in the MongoDB Atlas Administration API documentation.
spec.alertConfigurations.enabled
Type: boolean
Optional
Default: false
Flag that indicates whether this alert configuration is enabled. If omitted, defaults to false.
spec.alertConfigurations.matchers
Type: array of objects
Conditional
List of rules that determine whether Atlas checks an object for the alert configuration. You can filter using the matchers array if spec.alertConfigurations.eventTypeName specifies an event for a host, replica set, or sharded cluster.
spec.alertConfigurations.matchers.fieldName
Type: string
Conditional
Human-readable label that identifies the parameter in the target object that Atlas checks. The parameter must match all rules for Atlas to check for alert configurations.
Atlas Kubernetes Operator accepts the following values: CLUSTER_NAME, HOSTNAME, HOSTNAME_AND_PORT, PORT, REPLICA_SET_NAME, SHARD_NAME, TYPE_NAME
Atlas Kubernetes Operator requires this setting if you include an object in the spec.alertConfigurations.matchers array.
spec.alertConfigurations.matchers.operator
Type: string
Conditional
Comparison operator to apply when checking the current metric value against spec.alertConfigurations.matchers.value.
Atlas Kubernetes Operator accepts the following values: EQUALS, CONTAINS, STARTS_WITH, ENDS_WITH, NOT_EQUALS, NOT_CONTAINS, REGEX
Atlas Kubernetes Operator requires this setting if you include an object in the spec.alertConfigurations.matchers array.
spec.alertConfigurations.matchers.value
Type: string
Conditional
Value to match or exceed using the specified spec.alertConfigurations.matchers.operator.
Atlas Kubernetes Operator requires this setting if you include an object in the spec.alertConfigurations.matchers array.
spec.alertConfigurations.metricThreshold
Type: object
Conditional
Threshold for the metric that, when exceeded, triggers an alert.
Atlas Kubernetes Operator requires this setting when spec.alertConfigurations.eventTypeName is OUTSIDE_METRIC_THRESHOLD.
spec.alertConfigurations.metricThreshold.metricName
Type: string
Conditional
Human-readable label that identifies the metric against which Atlas checks the configured spec.alertConfigurations.metricThreshold.threshold.
To learn about the values that Atlas Kubernetes Operator accepts, see the request body schema for the Create One Alert Configuration in One Project endpoint in the MongoDB Atlas Administration API documentation.
Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.metricThreshold object.
spec.alertConfigurations.metricThreshold.mode
Type: string
Optional
Default: AVERAGE
Atlas computes the current metric value as an average.
Atlas Kubernetes Operator accepts only a value of AVERAGE.
spec.alertConfigurations.metricThreshold.operator
Type: string
Conditional
Comparison operator to apply when checking the current metric value.
Atlas Kubernetes Operator accepts the following values: GREATER_THAN, LESS_THAN
Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.metricThreshold object.
spec.alertConfigurations.metricThreshold.threshold
Type: integer
Conditional
Value of metric that, when exceeded, triggers an alert.
Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.metricThreshold object.
spec.alertConfigurations.metricThreshold.units
Type: string
Conditional
Element used to express the quantity. This value can be an element of time, storage capacity, and so on.
Atlas Kubernetes Operator accepts the following values: BITS, BYTES, DAYS, GIGABITS, GIGABYTES, HOURS, KILOBITS, KILOBYTES, MEGABITS, MEGABYTES, MILLISECONDS, MINUTES, PETABYTES, RAW, SECONDS, TERABYTES
Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.metricThreshold object.
spec.alertConfigurations.notifications
Type: array
Conditional
List that describes the notifications that Atlas sends for alerts that this alert configuration describes.
Type: string
Conditional
Name of the opaque secret that contains a single password field with your API token for Slack.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.
The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
If you want notifications through Slack, you must specify this setting.
spec.alertConfigurations.notifications.apiTokenRef.namespace
Type: string
Conditional
Namespace that contains your API token for Slack. If you want notifications through Slack, you must specify this setting.
spec.alertConfigurations.notifications.channelName
Type: string
Conditional
Human-readable label that identifies the Slack channel to which Atlas sends alert notifications.
Atlas Kubernetes Operator requires this setting when you set spec.alertConfigurations.notifications.typeName to SLACK.
spec.alertConfigurations.notifications.datadogApiKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single password field with the API key for Datadog. If you want notifications through Datadog, you must specify this setting.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.
The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.alertConfigurations.notifications.datadogApiKeyRef.namespace
Type: string
Conditional
Namespace that contains your API key for Datadog. If you want notifications through Datadog, you must specify this setting.
spec.alertConfigurations.notifications.datadogRegion
Type: string
Optional
Default: US
Datadog region that indicates which API Uniform Resource Locator (URL) to use.
Atlas Kubernetes Operator accepts the following values: US, EU
spec.alertConfigurations.notifications.delayMins
Type: integer
Optional
Default: 0
Number of minutes that Atlas waits after it detects an alert condition before it sends out the first notification.
spec.alertConfigurations.notifications.emailAddress
Type: string
Conditional
Email address to which Atlas sends alert notifications.
Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to EMAIL.
Atlas Kubernetes Operator doesn't require this setting to send email notifications when you set spec.alertConfigurations.notifications.typeName to one of the following values: GROUP, ORG, TEAM, USERS
To send emails to one Atlas user or group of users, set the spec.alertConfigurations.notifications.emailEnabled parameter.
spec.alertConfigurations.notifications.emailEnabled
Type: boolean
Conditional
Flag that indicates whether Atlas sends email notifications.
Atlas Kubernetes Operator requires this setting when you set spec.alertConfigurations.notifications.typeName to one of the following values: GROUP, ORG, TEAM
spec.alertConfigurations.notifications.intervalMin
Type: integer
Optional
Number of minutes to wait between successive notifications. Atlas sends notifications until someone acknowledges the unacknowledged alert. Atlas Kubernetes Operator accepts values greater than or equal to 5.
PagerDuty, VictorOps, and OpsGenie notifications don't use this field. Configure and manage the notification interval within each of those services.
spec.alertConfigurations.notifications.microsoftTeamsWebhookUrl
Type: string
Conditional
Microsoft Teams Webhook Uniform Resource Locator (URL) that Atlas needs to send this notification via Microsoft Teams. If the URL later becomes invalid, Atlas sends an email to the project owners. If the key remains invalid, Atlas removes it.
Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to MICROSOFT_TEAMS.
spec.alertConfigurations.notifications.mobileNumber
Type: string
Conditional
Mobile phone number to which Atlas sends alert notifications.
Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to SMS.
spec.alertConfigurations.notifications.opsGenieApiKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single password field with the API key for Opsgenie. If you want notifications through Opsgenie, you must specify this setting.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.
The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.alertConfigurations.notifications.opsGenieApiKeyRef.namespace
Type: string
Conditional
Namespace that contains your API key for Opsgenie. If you want notifications through Opsgenie, you must specify this setting.
spec.alertConfigurations.notifications.opsGenieRegion
Type: string
Optional
Default: US
Opsgenie region that indicates which API Uniform Resource Locator (URL) to use.
Atlas Kubernetes Operator accepts the following values: US, EU
Atlas Kubernetes Operator applies this setting if you set spec.alertConfigurations.notifications.typeName to OPS_GENIE.
spec.alertConfigurations.notifications.roles
Type: array
Optional
List that contains the one or more organization or project roles that receive the configured alert. If you include this parameter, Atlas sends alerts only to users assigned the roles you specify in the list. If you omit this parameter, Atlas sends alerts to users assigned any role.
Atlas Kubernetes Operator accepts the following values: GROUP_CLUSTER_MANAGER, GROUP_DATA_ACCESS_ADMIN, GROUP_DATA_ACCESS_READ_ONLY, GROUP_DATA_ACCESS_READ_WRITE, GROUP_OWNER, GROUP_READ_WRITE, ORG_OWNER, ORG_MEMBER, ORG_GROUP_CREATOR, ORG_BILLING_ADMIN, ORG_READ_ONLY
Atlas Kubernetes Operator applies this setting when you set spec.alertConfigurations.notifications.typeName to one of the following values: GROUP, ORG
spec.alertConfigurations.notifications.serviceKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single password field with the API key for PagerDuty. If you want notifications through PagerDuty, you must specify this setting.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.
The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.alertConfigurations.notifications.serviceKeyRef.namespace
Type: string
Conditional
Namespace that contains your API key for PagerDuty. If you want notifications through PagerDuty, you must specify this setting.
spec.alertConfigurations.notifications.severity
Type: string
Optional
Degree of seriousness given to this notification.
Atlas Kubernetes Operator accepts the following values: CRITICAL, ERROR, WARNING
spec.alertConfigurations.notifications.smsEnabled
Type: boolean
Conditional
Flag that indicates whether Atlas sends text message notifications.
Atlas Kubernetes Operator requires this setting when you set spec.alertConfigurations.notifications.typeName to one of the following values: GROUP, ORG, TEAM
spec.alertConfigurations.notifications.teamId
Type: string
Conditional
Unique 24-hexadecimal digit string that identifies one Atlas team.
Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to TEAM.
spec.alertConfigurations.notifications.teamName
Type: string
Conditional
Name of the Atlas team that receives this notification.
Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to TEAM.
spec.alertConfigurations.notifications.typeName
Type: string
Conditional
Human-readable label that displays the alert notification type. This setting is required if you specify a value for the spec.alertConfigurations.notifications setting. Atlas supports the following values: DATADOG, EMAIL, OPS-GENIE, ORG, PAGER_DUTY, PROMETHEUS, SLACK, SMS, TEAM, USER, VICTOR_OPS, WEBHOOK
spec.alertConfigurations.notifications.username
Type: string
Conditional
Atlas username of the person to whom Atlas sends notifications. Specify only Atlas users who belong to the project that owns the alert configuration.
Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to USER.
spec.alertConfigurations.notifications.victorOpsSecretRef.name
Type: string
Conditional
Name of the opaque secret that contains a single password field with the API key for Splunk On-Call. If you want notifications through Splunk On-Call, you must specify this setting.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.
The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.alertConfigurations.notifications.victorOpsSecretRef.namespace
Type: string
Conditional
Namespace that contains your API key for Splunk On-Call. If you want notifications through Splunk On-Call, you must specify this setting.
spec.alertConfigurations.notifications.victorOpsRoutingKey
Type: string
Conditional
Routing key that Atlas needs to send alert notifications to Splunk On-Call. If the key later becomes invalid, Atlas sends an email to the project owners. If the key remains invalid, Atlas removes it.
Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to VICTOR_OPS.
spec.alertConfigurations.notifications.webhookSecret
Type: string
Optional
Authentication secret for a webhook-based alert.
Atlas Kubernetes Operator applies this setting if you set spec.alertConfigurations.notifications.typeName to WEBHOOK.
spec.alertConfigurations.notifications.webhookUrl
Type: string
Conditional
String that indicates your webhook URL.
Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to WEBHOOK.
spec.alertConfigurations.threshold
Type: object
Conditional
Limit that triggers an alert when exceeded.
Atlas Kubernetes Operator applies this setting if you set spec.alertConfigurations.eventTypeName to a value other than OUTSIDE_METRIC_THRESHOLD.
spec.alertConfigurations.threshold.operator
Type: string
Conditional
Comparison operator to apply when Atlas checks the current metric value.
Atlas Kubernetes Operator accepts the following values: GREATER_THAN, LESS_THAN
Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.threshold object.
spec.alertConfigurations.threshold.threshold
Type: integer
Conditional
Value of metric that, when exceeded, triggers an alert.
Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.threshold object.
spec.alertConfigurations.threshold.units
Type: string
Conditional
Element that expresses the quantity. You can specify an element of time, storage capacity, and so on.
Atlas Kubernetes Operator accepts the following values: BITS, BYTES, DAYS, GIGABITS, GIGABYTES, HOURS, KILOBITS, KILOBYTES, MEGABITS, MEGABYTES, MILLISECONDS, MINUTES, PETABYTES, RAW, SECONDS, TERABYTES
Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.threshold object.
spec.alertConfigurationSyncEnabled
Type: boolean
Optional
Default: false
Flag that indicates whether Atlas Kubernetes Operator applies the project alert settings defined in spec.alertConfigurations. If you omit this parameter or set it to false, Atlas Kubernetes Operator doesn't synchronize the project's alert configurations with the ones that you define in the AtlasProject custom resource.
For information on how this setting interacts with spec.withDefaultAlertsSettings, see the Considerations.
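Alerts that are declared in a manifest but never applied leave a monitoring gap that is easy to overlook. The following Python check is an added example, not part of Atlas Kubernetes Operator; it tests a parsed AtlasProject spec against the alert configuration requirements listed in the parameters above, and the function names, finding texts, and both sample specs are constructed for illustration.

```python
# Fields the parameter reference above marks as required for each typeName.
REQUIRED_BY_TYPE = {
    "DATADOG": ["datadogApiKeyRef"],
    "EMAIL": ["emailAddress"],
    "GROUP": ["emailEnabled", "smsEnabled"],
    "MICROSOFT_TEAMS": ["microsoftTeamsWebhookUrl"],
    "ORG": ["emailEnabled", "smsEnabled"],
    "PAGER_DUTY": ["serviceKeyRef"],
    "SLACK": ["apiTokenRef", "channelName"],
    "SMS": ["mobileNumber"],
    "TEAM": ["emailEnabled", "smsEnabled", "teamId", "teamName"],
    "USER": ["username"],
    "VICTOR_OPS": ["victorOpsRoutingKey", "victorOpsSecretRef"],
    "WEBHOOK": ["webhookUrl"],
}
# These services don't use intervalMin, so the ">= 5" rule is skipped for them.
NO_INTERVAL = {"PAGER_DUTY", "VICTOR_OPS", "OPS_GENIE"}
THRESHOLD_FIELDS = ["operator", "threshold", "units"]

# Constructed sample modelled on the page's alert configuration example.
GOOD_SPEC = {
    "alertConfigurations": [{
        "eventTypeName": "REPLICATION_OPLOG_WINDOW_RUNNING_OUT",
        "enabled": True,
        "notifications": [{"delayMin": 0, "emailEnabled": True,
                           "intervalMin": 60, "roles": ["GROUP_OWNER"],
                           "smsEnabled": False, "typeName": "GROUP"}],
        "threshold": {"operator": "LESS_THAN", "threshold": "1",
                      "units": "HOURS"},
    }],
    "alertConfigurationSyncEnabled": True,
}
# Constructed sample with several omissions; the sync flag is left out,
# so it takes its documented default of false.
BAD_SPEC = {
    "alertConfigurations": [{
        "eventTypeName": "OUTSIDE_METRIC_THRESHOLD",
        "enabled": True,
        "notifications": [
            {"typeName": "SLACK", "intervalMin": 1,
             "apiTokenRef": {"name": "key-name",
                             "namespace": "key-namespace"}},
            {"typeName": "WEBHOOK"},
        ],
        "threshold": {"operator": "LESS_THAN", "threshold": "1"},
    }],
}


def _missing(obj, fields, where, findings):
    """Append one finding per required field that obj lacks."""
    for field in fields:
        if field not in obj:
            findings.append(f"{where}: missing {field}")


def check_alert_configurations(spec):
    """Return a list of findings for spec.alertConfigurations (empty if clean)."""
    findings = []
    alerts = spec.get("alertConfigurations") or []
    if alerts and spec.get("alertConfigurationSyncEnabled") is not True:
        findings.append("spec: alertConfigurations is set but "
                        "alertConfigurationSyncEnabled is not true, "
                        "so the operator will not apply it")
    for i, alert in enumerate(alerts):
        where = f"alertConfigurations[{i}]"
        _missing(alert, ["eventTypeName"], where, findings)
        if (alert.get("eventTypeName") == "OUTSIDE_METRIC_THRESHOLD"
                and "metricThreshold" not in alert):
            findings.append(f"{where}: missing metricThreshold")
        if "metricThreshold" in alert:
            _missing(alert["metricThreshold"],
                     ["metricName"] + THRESHOLD_FIELDS,
                     f"{where}.metricThreshold", findings)
        if "threshold" in alert:
            _missing(alert["threshold"], THRESHOLD_FIELDS,
                     f"{where}.threshold", findings)
        for j, matcher in enumerate(alert.get("matchers") or []):
            _missing(matcher, ["fieldName", "operator", "value"],
                     f"{where}.matchers[{j}]", findings)
        for j, note in enumerate(alert.get("notifications") or []):
            nwhere = f"{where}.notifications[{j}]"
            type_name = note.get("typeName")
            if not type_name:
                findings.append(f"{nwhere}: missing typeName")
                continue
            _missing(note, REQUIRED_BY_TYPE.get(type_name, []),
                     nwhere, findings)
            interval = note.get("intervalMin")
            if (interval is not None and interval < 5
                    and type_name not in NO_INTERVAL):
                findings.append(f"{nwhere}: intervalMin {interval} is below 5")
    return findings


if __name__ == "__main__":
    for finding in check_alert_configurations(BAD_SPEC):
        print(finding)
```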
spec.auditing.auditAuthorizationSuccess
Type: boolean
Optional
Default: false
Flag that indicates whether to direct the auditing system to capture successful authentication attempts for audit filters using the "atype" : "authCheck" auditing event. To set this parameter to true, you must set spec.auditing.enabled to true. To learn more, see auditAuthorizationSuccess.
WARNING: If you enable auditAuthorizationSuccess, you might severely impact cluster performance. Enable this option with caution.
spec.auditing.auditFilter
Type: string
Optional
JSON-formatted auditing filter. You might need to escape the JSON string to remove characters that could prevent parsing, such as single or double-quotes. To specify a value for this setting, you must set spec.auditing.enabled to true.
To view example auditing filters, see Example Auditing Filters. To learn more about configuring MongoDB auditing filters, see Configure a Custom Auditing Filter.
spec.auditing.enabled
Type: boolean
Conditional
Default: false
Flag that indicates whether to enable auditing for the project. To specify a value for spec.auditing.auditFilter, or to set spec.auditing.auditAuthorizationSuccess to true, you must specify this setting. To learn more, see Enable Audit Logs.
spec.backupCompliancePolicyRef
Type: object
Conditional
Object that contains the name and namespace of the opaque secret that references the AtlasBackupCompliancePolicy Custom Resource. If you enable a Backup Compliance Policy, you must specify this parameter.
spec.backupCompliancePolicyRef.name
Type: string
Conditional
Name of the opaque secret that references the AtlasBackupCompliancePolicy Custom Resource. If you enable a Backup Compliance Policy, you must specify this parameter.
spec.backupCompliancePolicyRef.namespace
Type: object
Conditional
Namespace of the opaque secret that references the AtlasBackupCompliancePolicy Custom Resource. If you enable a Backup Compliance Policy, you must specify this parameter.
spec.connectionSecretRef.name
Type: string
Optional
Name of the opaque secret that contains a single password field with the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. If unspecified, Atlas Kubernetes Operator uses the default global secret.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.
The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
By default, Atlas Kubernetes Operator keeps connection secrets in the same namespace as the AtlasProject Custom Resource. To store secrets in another namespace, specify the spec.connectionSecretRef.namespace parameter.
spec.connectionSecretRef.namespace
Type: string
Optional
Namespace that contains the secret with the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. If unspecified, Atlas Kubernetes Operator keeps connection secrets in the same namespace as the AtlasProject Custom Resource.
spec.cloudProviderAccessRoles
Type: array
Deprecated. Use spec.cloudProviderIntegrations instead.
List that contains your unified cloud provider access settings.
spec.cloudProviderAccessRoles.iamAssumedRoleArn
Type: string
Deprecated. Use spec.cloudProviderIntegrations.iamAssumedRoleArn instead.
Unique AWS ARN that identifies the IAM access role that Atlas assumes. If you want to set up unified cloud provider access, you must specify this setting.
spec.cloudProviderAccessRoles.providerName
Type: string
Deprecated. Use spec.cloudProviderIntegrations.providerName instead.
Cloud provider for the access role that Atlas assumes. Atlas Kubernetes Operator supports AWS for unified cloud provider access. If you want to set up unified cloud provider access, you must specify this setting.
spec.cloudProviderIntegrations
Type: array
Optional
List that contains your unified cloud provider integration settings.
spec.cloudProviderIntegrations.iamAssumedRoleArn
Type: string
Conditional
Unique AWS ARN that identifies the IAM access role that Atlas assumes. If you want to set up unified cloud provider integrations, you must specify this setting.
spec.cloudProviderIntegrations.providerName
Type: string
Conditional
Cloud provider for the access role that Atlas assumes. Atlas Kubernetes Operator supports AWS for unified cloud provider integrations. If you want to set up unified cloud provider integrations, you must specify this setting.
spec.customRoles
Type: object
Optional
Object that contains your custom role specifications.
Important
This parameter is deprecated beginning in version 2.6. To create custom roles with Atlas Kubernetes Operator, use the AtlasCustomRole Custom Resource.
To learn more about the configuration parameters available from the API, see the Atlas Custom Database Roles API.
spec.encryptionAtRest
Type: array
Optional
List that contains the configurations for encryption at rest using customer-managed keys for the project.
spec.encryptionAtRest.awsKms
Type: object
Optional
List that contains the configurations to use AWS KMS for encryption at rest using customer-managed keys for the project.
spec.encryptionAtRest.enabled
Type: boolean
Optional
Flag that indicates whether this project uses AWS KMS to encrypt data at rest. To enable encryption at rest using AWS KMS, set this parameter to true. To disable encryption at rest using AWS KMS, set this parameter to false. If you disable encryption at rest using AWS KMS, Atlas Kubernetes Operator removes the configuration details.
spec.encryptionAtRest.awsKms.region
Type: string
Optional
Label that indicates the AWS region where the customer master key exists.
spec.encryptionAtRest.awsKms.secretRef.name
Type: string
Optional
Name of the opaque secret that contains your AWS credentials.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.
The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.encryptionAtRest.awsKms.secretRef.namespace
Type: string
Optional
Namespace that contains your AWS credentials. If unspecified, this parameter defaults to the namespace of the AtlasProject custom resource.
spec.encryptionAtRest.azureKeyVaultType: object
Optional
List that contains the configurations to use Azure Key Vault for encryption at rest using customer-managed keys for the project.
spec.encryptionAtRest.azureKeyVault.azureEnvironmentType: string
Optional
Azure deployment location where the Azure account credentials reside. Valid values include
AZURE,AZURE_CHINA, andAZURE_GERMANY.
spec.encryptionAtRest.azureKeyVault.clientIDType: string
Optional
Unique 36-hexadecimal character string that identifies your Azure application.
spec.encryptionAtRest.azureKeyVault.enabledType: boolean
Optional
Flag that indicates whether this project uses Azure Key using Azure key vault, Atlas Kubernetes Operator removes the configuration details.
spec.encryptionAtRest.azureKeyVault.resourceGroupName
Type: string
Optional
Label that identifies the Azure resource group that contains your Azure Key Vault. Azure displays the resource group name on the resource group's details page.
spec.encryptionAtRest.azureKeyVault.secretRef.name
Type: string
Optional
Name of the opaque secret that contains your Azure credentials.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.encryptionAtRest.azureKeyVault.secretRef.namespace
Type: string
Optional
Namespace that contains your Azure credentials. If unspecified, this parameter defaults to the namespace of the AtlasProject custom resource.
spec.encryptionAtRest.azureKeyVault.tenantID
Type: string
Optional
Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription. Azure displays the tenant ID on the tenant properties page.
spec.encryptionAtRest.googleCloudKms
Type: object
Optional
List that contains the configurations to use Google Cloud KMS for encryption at rest using customer-managed keys for the project.
spec.encryptionAtRest.googleCloudKms.enabled
Type: string
Optional
Flag that indicates whether this project uses Google Cloud KMS to encrypt data at rest. To enable encryption at rest using Google Cloud KMS, set this parameter to true. To disable encryption at rest using Google Cloud KMS, set this parameter to false. If you disable encryption at rest using Google Cloud KMS, Atlas Kubernetes Operator removes the configuration details.
spec.encryptionAtRest.googleCloudKms.secretRef.name
Type: string
Optional
Name of the opaque secret that contains your Google Cloud credentials.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.encryptionAtRest.googleCloudKms.secretRef.namespace
Type: string
Optional
Namespace that contains your Google Cloud credentials. If unspecified, this parameter defaults to the namespace of the AtlasProject custom resource.
spec.integrations
Type: array
Optional
List that contains your third-party integration settings. The parameters that you must specify depend on the third-party service that you want to configure:
Service: Settings
All
Datadog
Microsoft Teams
Opsgenie
PagerDuty
Prometheus
Slack
VictorOps
Webhook Settings
spec.integrations.accountId
Type: string
Conditional
Unique string that identifies your New Relic account. If you want to integrate with New Relic, you must specify this setting.
spec.integrations.apiKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single password field with the API key for Datadog, Opsgenie, or VictorOps. If you want to integrate with Datadog, Opsgenie, or VictorOps, you must specify this setting.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.apiKeyRef.namespace
Type: string
Conditional
Namespace that contains your API key for Datadog, Opsgenie, or VictorOps. If you want to integrate with Datadog, Opsgenie, or VictorOps, you must specify this setting.
spec.integrations.apiTokenRef.name
Type: string
Conditional
Name of the opaque secret that contains a single password field with the API token for Slack. If you want to integrate with Slack, you must specify this setting.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.apiTokenRef.namespace
Type: string
Conditional
Namespace that contains your API token for Slack. If you want to integrate with Slack, you must specify this setting.
spec.integrations.enabled
Type: boolean
Conditional
Flag that indicates whether your cluster has Prometheus enabled. If you want to integrate with Prometheus, you must specify this setting as true.
spec.integrations.licenseKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single password field with the license key for New Relic. If you want to integrate with New Relic, you must specify this setting.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.licenseKeyRef.namespace
Type: string
Conditional
Namespace that contains your license key for New Relic. If you want to integrate with New Relic, you must specify this setting.
spec.integrations.microsoftTeamsWebhookURL
Type: string
Conditional
String that specifies your Microsoft Teams incoming webhook URL. If you want to integrate with Microsoft Teams, you must specify this setting.
spec.integrations.passwordRef.name
Type: string
Conditional
Name of the opaque secret that contains a single password field with the Prometheus password. If you want to integrate with Prometheus, you must specify this setting.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.passwordRef.namespace
Type: string
Conditional
Namespace that contains your Prometheus password. If you want to integrate with Prometheus, you must specify this setting.
spec.integrations.readTokenRef.name
Type: string
Conditional
Name of the opaque secret that contains a single password field with the Insights Query Key for New Relic. If you want to integrate with New Relic, you must specify this setting.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.readTokenRef.namespace
Type: string
Conditional
Namespace that contains your Insights Query Key for New Relic. If you want to integrate with New Relic, you must specify this setting.
spec.integrations.region
Type: string
Conditional
Default: US
String value that indicates the API URL to use for Datadog or Opsgenie. If you want to integrate with Datadog or Opsgenie, you must specify this setting.
Values for Opsgenie include US or EU.
Atlas supports the following Datadog regions in the Atlas Administration API:
Atlas Administration API region: Corresponding Datadog region
US: US1
US3: US3
US5: US5
EU: EU1
Datadog uses US1 (US in the Atlas Administration API) by default.
To learn more about Datadog's regions, see Datadog Sites.
spec.integrations.routingKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single password field with the routing key for VictorOps. If you want to integrate with VictorOps, you must specify this setting.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.routingKeyRef.namespace
Type: string
Conditional
Namespace that contains your routing key for VictorOps. If you want to integrate with VictorOps, you must specify this setting.
spec.integrations.secretRef.name
Type: string
Conditional
Name of the opaque secret that contains a single password field with the Webhook secret. If you want to integrate with Webhook Settings, you must specify this setting.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.secretRef.namespace
Type: string
Conditional
Namespace that contains your Webhook secret. If you want to integrate with Webhook Settings, you must specify this setting.
spec.integrations.scheme
Type: string
Conditional
String that indicates the Prometheus protocol scheme configured for requests. Values include http or https. If you want to integrate with Prometheus, you must specify this setting.
spec.integrations.serviceDiscovery
Type: string
Conditional
Human-readable label that indicates the Prometheus service discovery method to use. Values include file or http. If you want to integrate with Prometheus, you must specify this setting.
spec.integrations.serviceKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single password field with the service key for PagerDuty. If you want to integrate with PagerDuty, you must specify this setting.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.serviceKeyRef.namespace
Type: string
Conditional
Namespace that contains your service key for PagerDuty. If you want to integrate with PagerDuty, you must specify this setting.
spec.integrations.type
Type: string
Conditional
String value that indicates the third-party service to integrate with Atlas. Values include:
- DATADOG
- MICROSOFT_TEAMS
- NEW_RELIC
- OPS_GENIE
- PAGER_DUTY
- PROMETHEUS
- SLACK
- VICTOR_OPS
- WEBHOOK
If you want to integrate with a third-party service, you must specify this setting.
spec.integrations.url
Type: string
Conditional
String that specifies your Webhook URL. If you want to integrate with Webhook Settings, you must specify this setting.
spec.integrations.username
Type: string
Conditional
Human-readable label that identifies the Prometheus user. If you want to integrate with Prometheus, you must specify this setting.
spec.integrations.writeTokenRef.name
Type: string
Conditional
Name of the opaque secret that contains a single password field with the write token for New Relic. If you want to integrate with New Relic, you must specify this setting.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.writeTokenRef.namespace
Type: string
Conditional
Namespace that contains your write token for New Relic. If you want to integrate with New Relic, you must specify this setting.
spec.maintenanceWindow
Type: object
Optional
List that contains your maintenance window settings. You can specify the following body parameters:
dayOfWeek
Type: number
Required
Day of the week that you want the maintenance window to start, as a 1-based integer.
Day of Week: Integer
Sunday: 1
Monday: 2
Tuesday: 3
Wednesday: 4
Thursday: 5
Friday: 6
Saturday: 7
hourOfDay
Type: number
Required
Hour of the day that you want the maintenance window to start. This parameter uses the 24-hour clock, where midnight is 0 and noon is 12.
autoDeferOnceEnabled
Type: boolean
Optional
Flag that indicates whether you want to defer all maintenance windows for one week when they would be triggered.
Important
Maintenance Window Considerations
- Urgent Maintenance Activities: Urgent maintenance activities such as security patches cannot wait for your chosen window. Atlas will start those maintenance activities when needed.
- Ongoing Maintenance Operations: Once maintenance is scheduled for your cluster, you cannot change your maintenance window until the current maintenance efforts have completed.
- Maintenance Requires Replica Set Elections: Atlas performs maintenance the same way as the maintenance procedure described in the MongoDB Manual. This procedure requires at least one replica set election during the maintenance window per replica set.
- Maintenance Starts As Close to the Hour As Possible: Maintenance always begins as close to the scheduled hour as possible, but in-progress cluster updates or unexpected system issues could delay the start time.
spec.maintenanceWindow.autoDefer
Type: boolean
Conditional
Flag that indicates whether Atlas should defer all maintenance windows for one week after you enable them.
spec.maintenanceWindow.defer
Type: boolean
Conditional
Flag that indicates whether Atlas should defer scheduled maintenance. You must schedule maintenance before you can successfully defer maintenance.
spec.maintenanceWindow.defer and spec.maintenanceWindow.startASAP can't both be set to true at the same time.
Important
While spec.maintenanceWindow.defer is set to true, Atlas Kubernetes Operator defers scheduled maintenance every time you apply changes to the AtlasProject custom resource. If you set spec.maintenanceWindow.defer to true, you should change spec.maintenanceWindow.defer to false after you apply changes.
spec.maintenanceWindow.dayOfWeek
Type: number
Conditional
One-based integer that represents the day of the week that the maintenance window starts. Use the following table to find the integer that corresponds to each day:
Day of Week: Integer
Sunday: 1
Monday: 2
Tuesday: 3
Wednesday: 4
Thursday: 5
Friday: 6
Saturday: 7
If you want to configure the maintenance window for your project, you must specify this setting.
spec.maintenanceWindow.hourOfDay
Type: number
Conditional
Zero-based integer that represents the hour of the day that the maintenance window starts according to a 24-hour clock. Use 0 for midnight and 12 for noon. If you want to configure the maintenance window for your project, you must specify this setting.
spec.maintenanceWindow.startASAP
Type: boolean
Conditional
Flag that indicates whether Atlas should immediately start maintenance.
spec.maintenanceWindow.defer and spec.maintenanceWindow.startASAP can't both be set to true at the same time.
Important
While spec.maintenanceWindow.startASAP is set to true, Atlas Kubernetes Operator starts maintenance every time you apply changes to the AtlasProject custom resource. If you set spec.maintenanceWindow.startASAP to true, you should change spec.maintenanceWindow.startASAP to false after you apply changes.
spec.networkPeers
Type: array
Optional
List that contains the network peering configurations for the project.
spec.regionUsageRestrictions
Type: string
Optional
Designates the project's AWS region for Atlas for Government only. You can specify one of the following values:
- NONE: If you set regionUsageRestrictions to NONE, the value defaults to COMMERCIAL_FEDRAMP_REGIONS_ONLY. This is the default if you omit regionUsageRestrictions.
- GOV_REGIONS_ONLY: Indicates that the project is restricted to AWS GovCloud regions that meet more stringent U.S. government security requirements. To learn more, see the AWS GovCloud documentation.
- COMMERCIAL_FEDRAMP_REGIONS_ONLY: Indicates that the project is restricted to AWS FedRAMP Moderate standard regions.
spec.projectIpAccessList
Type: array
Required
IP access list that grants network access to Atlas clusters in the project. You can specify the following body parameters:
awsSecurityGroup
Type: string
Conditional
Unique identifier of the AWS security group to add to the access list.
Your access list entry can include only one awsSecurityGroup, one cidrBlock, or one ipAddress.
You must configure VPC peering for your project before you can add an AWS security group to an access list.
cidrBlock
Type: string
Conditional
Range of IP addresses in CIDR notation to be added to the access list.
Your access list entry can include only one awsSecurityGroup, one cidrBlock, or one ipAddress.
comment
Type: string
Optional
Comment associated with the access list entry.
deleteAfterDate
Type: date
Optional
Timestamp in ISO 8601 date and time format in UTC after which Atlas removes the entry from the access list. The specified date must be in the future and within one week of the time you make the API request.
IMPORTANT: You cannot set AWS security groups as temporary access list entries.
You may include an ISO 8601 time zone designator to ensure that the expiration date occurs with respect to the local time in the specified time zone.
ipAddress
Type: string
Conditional
Single IP address to be added to the access list. Mutually exclusive with awsSecurityGroup and cidrBlock.
Your access list entry can include only one awsSecurityGroup, one cidrBlock, or one ipAddress.
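The access list rules above can be checked before a manifest is applied. The following lint is an added example, not part of Atlas Kubernetes Operator: the function name, the sample entries, and the check that flags a /0 range are assumptions made here (the /0 check is a local policy choice, not a rule the page states).

```python
import ipaddress
from datetime import datetime, timedelta, timezone

TARGET_KEYS = ("awsSecurityGroup", "cidrBlock", "ipAddress")


def lint_access_list(entries, now=None):
    """Return (index, message) findings for spec.projectIpAccessList entries."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for i, entry in enumerate(entries):
        targets = [k for k in TARGET_KEYS if entry.get(k)]
        if len(targets) != 1:
            findings.append((i, "set exactly one of " + ", ".join(TARGET_KEYS)))
            continue
        kind = targets[0]
        try:
            if kind == "cidrBlock":
                net = ipaddress.ip_network(entry[kind], strict=False)
                # Local policy, not an Atlas rule: /0 admits every address.
                if net.prefixlen == 0:
                    findings.append((i, "cidrBlock covers the whole address space"))
            elif kind == "ipAddress":
                ipaddress.ip_address(entry[kind])
        except ValueError:
            findings.append((i, f"{kind} is not a valid address or range"))
        expiry = entry.get("deleteAfterDate")
        if expiry is None:
            continue
        if kind == "awsSecurityGroup":
            findings.append((i, "awsSecurityGroup entries cannot be temporary"))
            continue
        try:
            when = datetime.fromisoformat(str(expiry).replace("Z", "+00:00"))
        except ValueError:
            findings.append((i, "deleteAfterDate is not an ISO 8601 timestamp"))
            continue
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)  # no designator: read as UTC
        if not now < when <= now + timedelta(days=7):
            findings.append((i, "deleteAfterDate must be in the future and within one week"))
    return findings


# Constructed sample entries; addresses come from documentation ranges.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"cidrBlock": "203.0.113.0/24", "comment": "office egress"},
    {"ipAddress": "198.51.100.7", "cidrBlock": "198.51.100.0/24"},
    {"awsSecurityGroup": "sg-0123456789abcdef0", "deleteAfterDate": "2024-05-03T00:00:00Z"},
    {"cidrBlock": "0.0.0.0/0"},
    {"ipAddress": "192.0.2.10", "deleteAfterDate": "2024-05-20T00:00:00Z"},
    {"ipAddress": "192.0.2.11", "deleteAfterDate": "2024-05-05T09:00:00+02:00"},
]

if __name__ == "__main__":
    for index, message in lint_access_list(SAMPLE, NOW):
        print(f"entry {index}: {message}")
```

Pass the parsed spec.projectIpAccessList list from your manifest in place of SAMPLE, and omit the second argument to check against the current time.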
spec.settings.isCollectDatabaseSpecificsStatisticsEnabled
Type: boolean
Optional
Flag that indicates whether your project has collection of database statistics in cluster metrics enabled.
spec.settings.isDataExplorerEnabled
Type: boolean
Optional
Flag that indicates whether your project has data explorer enabled.
spec.settings.isExtendedStorageSizesEnabled
Type: boolean
Optional
Flag that indicates whether to enable extended storage sizes for the specified project. To learn more about enabling extended storage, see Manage Project Settings.
spec.settings.isPerformanceAdvisorEnabled
Type: boolean
Optional
Flag that indicates whether your project has Performance Advisor enabled.
spec.settings.isRealtimePerformancePanelEnabled
Type: boolean
Optional
Flag that indicates whether your project has Realtime Performance Panel enabled.
spec.settings.isSchemaAdvisorEnabled
Type: boolean
Optional
Flag that indicates whether your project has Schema Advisor enabled.
spec.privateEndpoints
Type: array
Optional
List that contains the private endpoint configurations for the project.
spec.teams
Type: object
Optional
Object that contains your team specifications. To learn more, see Configure Teams.
spec.teams.teamRef.name
Type: string
Conditional
Human-readable label from the AtlasTeam Custom Resource in the metadata.name field. If you want to assign a team to this project, you must specify this setting.
spec.teams.teamRef.namespace
Type: string
Conditional
Namespace specified in the AtlasTeam Custom Resource if other than default.
spec.teams.teamRef.roles
Type: string
Conditional
Atlas User Roles that a team uses for this project. If you want to assign a team to this project, you must specify this setting.
spec.withDefaultAlertsSettings
Type: boolean
Optional
Default: true
Flag that indicates whether Atlas Kubernetes Operator creates a project with the default alert configurations. If omitted, defaults to true.
If you use this setting, you must also set spec.alertConfigurationSyncEnabled to true for Atlas Kubernetes Operator to modify project alert configurations.
If you set this parameter to false when you create a project, Atlas doesn't add the default alert configurations to your project.
This setting has no effect on existing projects.
For information on how this setting interacts with spec.alertConfigurationSyncEnabled, see the Considerations.
spec.x509CertRef.name
Type: string
Optional
Name of the kubernetes.io/tls secret for the X.509 certificate.
Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
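Every secret reference on this page carries the same requirement: the operator only watches secrets labeled atlas.mongodb.com/type=credentials. The following audit is an added example, not the operator's own code; it walks a parsed AtlasProject manifest and reports referenced secrets that are missing or unlabeled. The function names and the sample manifests are constructed here, and falling back to the AtlasProject namespace for every reference is an assumption (the page documents that default for the encryptionAtRest references).

```python
LABEL = ("atlas.mongodb.com/type", "credentials")  # label named on this page


def secret_refs(node, path="spec"):
    """Yield (path, ref) for every *Ref object with a name, except teamRef."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            is_ref = key.endswith("Ref") and key != "teamRef"  # teamRef names an AtlasTeam
            if is_ref and isinstance(value, dict) and "name" in value:
                yield here, value
            else:
                yield from secret_refs(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from secret_refs(item, f"{path}[{i}]")


def audit(project, secrets):
    """Return (path, message) for refs whose Secret is missing or unlabeled."""
    default_ns = project["metadata"].get("namespace", "default")
    labels = {
        (s["metadata"].get("namespace", "default"), s["metadata"]["name"]):
            s["metadata"].get("labels") or {}
        for s in secrets
    }
    findings = []
    for path, ref in secret_refs(project.get("spec", {})):
        ns = ref.get("namespace", default_ns)  # assumption: same default for all refs
        found = labels.get((ns, ref["name"]))
        if found is None:
            findings.append((path, f"secret {ns}/{ref['name']} not found"))
        elif found.get(LABEL[0]) != LABEL[1]:
            findings.append((path, f"secret {ns}/{ref['name']} lacks {LABEL[0]}={LABEL[1]}"))
    return findings


# Constructed manifests, already parsed from YAML into dicts.
PROJECT = {
    "metadata": {"name": "my-project", "namespace": "atlas"},
    "spec": {
        "name": "Example Project",
        "encryptionAtRest": {"awsKms": {"enabled": True, "region": "US_EAST_1",
                                        "secretRef": {"name": "aws-kms-creds"}}},
        "integrations": [{"type": "DATADOG", "region": "US",
                          "apiKeyRef": {"name": "datadog-key", "namespace": "monitoring"}}],
        "teams": [{"teamRef": {"name": "dba-team"}, "roles": ["GROUP_READ_ONLY"]}],
        "x509CertRef": {"name": "atlas-x509"},
    },
}
SECRETS = [
    {"metadata": {"name": "aws-kms-creds", "namespace": "atlas",
                  "labels": {"atlas.mongodb.com/type": "credentials"}}},
    {"metadata": {"name": "datadog-key", "namespace": "monitoring"}},
]

if __name__ == "__main__":
    for path, message in audit(PROJECT, SECRETS):
        print(f"{path}: {message}")
```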