
AtlasFederatedAuth Custom Resource

The AtlasFederatedAuth custom resource configures federated authentication for your Atlas organization.

When you create the AtlasFederatedAuth custom resource, Atlas Kubernetes Operator uses the Federated Authentication API Resource to update the organization configuration for the federation. In the organization configuration, you specify federation settings for your Atlas organization such as organization and role mappings.

Important

Custom Resources No Longer Delete Objects by Default

  • Atlas Kubernetes Operator uses custom resource configuration files to manage your Atlas configuration, but as of Atlas Kubernetes Operator 2.0, custom resources you delete in Kubernetes are no longer (by default) deleted in Atlas. Instead, Atlas Kubernetes Operator simply stops managing those resources in Atlas. For example, if you delete an AtlasProject Custom Resource in Kubernetes, by default the Atlas Kubernetes Operator no longer automatically deletes the corresponding project from Atlas. This change in behavior is intended to help prevent accidental or unexpected deletions. To learn more, including how to revert this behavior to the default used prior to Atlas Kubernetes Operator 2.0, see New Default: Deletion Protection in Atlas Kubernetes Operator 2.0.

    Similarly, Atlas Kubernetes Operator does not delete teams from Atlas if you remove them from an Atlas project in Kubernetes with the Atlas Kubernetes Operator.

  • Explicitly define your desired configuration details in order to avoid implicitly using default Atlas configuration values. In some cases, inheriting Atlas defaults may result in a reconciliation loop which can prevent your custom resource from achieving a READY state. For example, explicitly defining your desired autoscaling behavior in your AtlasDeployment custom resource, as shown in the included example, ensures that a static instance size in your custom resource is not being repeatedly applied to an Atlas deployment which has autoscaling enabled.

    autoScaling:
      diskGB:
        enabled: true
      compute:
        enabled: true
        scaleDownEnabled: true
        minInstanceSize: M30
        maxInstanceSize: M40

To use this resource, you must have an existing identity provider (IdP) linked to your Atlas organization. To learn more, see Leverage Federated Authentication from Kubernetes.

The following example configures an AtlasFederatedAuth custom resource that enables federated authentication for the organization, links two data-access identity providers, restricts membership to the my-org-domain.com domain, grants ORG_MEMBER after authentication, and maps the org-admin and dev-team identity provider groups to Atlas roles:

apiVersion: atlas.mongodb.com/v1
kind: AtlasFederatedAuth
metadata:
  name: atlas-default-federated-auth
  namespace: mongodb-atlas-system
spec:
  enabled: true
  dataAccessIdentityProviders:
    - 32b6e34b3d91647abb20e7b8
    - 42d8v92k5a34184rnv93f0c1
  connectionSecretRef:
    name: my-org-secret
    namespace: mongodb-atlas-system
  domainAllowList:
    - my-org-domain.com
  domainRestrictionEnabled: true
  ssoDebugEnabled: false
  postAuthRoleGrants:
    - ORG_MEMBER
  roleMappings:
    - externalGroupName: org-admin
      roleAssignments:
        - role: ORG_OWNER
    - externalGroupName: dev-team
      roleAssignments:
        - role: ORG_GROUP_CREATOR
        - projectName: dev-project
          role: GROUP_OWNER
status:
  conditions:
    - type: Ready
      status: True
    - type: RolesReady
      status: True
    - type: UsersReady
      status: True

Note

The preceding example includes the status section, which describes the update process. To learn more, see Create and Update Process.

This section describes the parameters available for the AtlasFederatedAuth custom resource. For detailed descriptions of the parameters, see the Atlas Federated Authentication API Resource.

Refer to these descriptions, the example on this page, and the API documentation to customize your specifications.

metadata.name

Type: string

Required

Name that identifies the AtlasFederatedAuth custom resource that Atlas Kubernetes Operator uses to configure federated authentication for the organization.

metadata.namespace

Type: string

Optional

Namespace where you want to deploy the AtlasFederatedAuth custom resource.

spec.enabled

Type: boolean

Required

Flag that determines whether to enable federated authentication for the organization. Defaults to false.

spec.dataAccessIdentityProviders

Type: list

Optional

List of string values that identify the identity providers that Atlas Kubernetes Operator uses to configure federated authentication for the organization.

Note

The dataAccessIdentityProviders parameter defines one or more identity providers that are used for data access, that is, for access to the MongoDB database instances themselves, as configured in the AtlasDatabaseUser resource. This differs from the other options in the AtlasFederatedAuth resource, which configure identity providers for access to the Atlas UI.

spec.connectionSecretRef.name

Type: string

Required

Name of the opaque secret that contains a single password field with the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. When you create the secret, specify the orgID, publicApiKey, and privateApiKey fields.

The secret's API keys must have the Organization Owner role. You can use the same secret from an AtlasProject Custom Resource only if the secret has Organization Owner permissions.

Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.

The following example labels a secret:

kubectl label secret the-user-password atlas.mongodb.com/type=credentials

Note

By default, Atlas Kubernetes Operator keeps connection secrets in the same namespace as the AtlasProject Custom Resource. To store secrets in another namespace, specify the spec.connectionSecretRef.namespace parameter.

spec.connectionSecretRef.namespace

Type: string

Optional

Namespace that contains the secret with the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. If you omit this parameter, Atlas Kubernetes Operator keeps connection secrets in the same namespace as the AtlasProject Custom Resource.

spec.domainAllowList

Type: array of strings

Optional

Approved domains that restrict users who can join the organization based on their email address.

spec.domainRestrictionEnabled

Type: boolean

Required

Flag that indicates whether domain restriction is enabled for the connected organization. Defaults to false.

If you set this parameter to true, Atlas returns a list of users that belong to organizations outside of the federation. To learn more, see User Conflicts.

spec.ssoDebugEnabled

Type: boolean

Optional

Flag that indicates whether the identity provider has debug enabled for SSO. Defaults to false.

spec.postAuthRoleGrants

Type: array of strings

Optional

Atlas roles that are granted to a user in this organization after authenticating. For example:

  • ORG_MEMBER

  • ORG_READ_ONLY

  • ORG_BILLING_ADMIN

  • ORG_GROUP_CREATOR

  • ORG_OWNER

  • ORG_BILLING_READ_ONLY

  • ORG_TEAM_MEMBERS_ADMIN

For a full list of accepted values, refer to the Federated Authentication API Resource.

spec.roleMappings

Type: array of objects

Optional

Role mappings that are configured in this organization.

The spec.roleMappings.roleAssignments parameter must include at least one organization role within the current organization or the projects in the organization.

spec.roleMappings.externalGroupName

Type: string

Required

Unique human-readable label that identifies the identity provider group to which this role mapping applies.

spec.roleMappings.roleAssignments

Type: array of objects

Optional

Atlas roles and the unique identifiers of the groups and organizations associated with each role. This parameter must include at least one organization role within the current organization or the projects in the organization.

spec.roleMappings.roleAssignments.projectName

Type: string

Optional

The Atlas project in the same organization to which to associate the role.

spec.roleMappings.roleAssignments.role

Type: string

Optional

Human-readable label that identifies the collection of privileges that Atlas grants a specific API key, user, or team. These roles include organization and project-level privileges.

Atlas Kubernetes Operator accepts the following values:

  • ORG_MEMBER

  • ORG_READ_ONLY

  • ORG_BILLING_ADMIN

  • ORG_GROUP_CREATOR

  • ORG_OWNER

  • ORG_BILLING_READ_ONLY

  • ORG_TEAM_MEMBERS_ADMIN

  • GROUP_AUTOMATION_ADMIN

  • GROUP_BACKUP_ADMIN

  • GROUP_MONITORING_ADMIN

  • GROUP_OWNER

  • GROUP_READ_ONLY

  • GROUP_USER_ADMIN

  • GROUP_BILLING_ADMIN

  • GROUP_DATA_ACCESS_ADMIN

  • GROUP_DATA_ACCESS_READ_ONLY

  • GROUP_DATA_ACCESS_READ_WRITE

  • GROUP_CHARTS_ADMIN

  • GROUP_CLUSTER_MANAGER

  • GROUP_SEARCH_INDEX_EDITOR
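The following is an added example, not code from the Atlas Kubernetes Operator project: a pre-admission check that enforces the rules stated on this page for spec.postAuthRoleGrants, spec.roleMappings and the credentials secret referenced by spec.connectionSecretRef (the credentials label and the orgID, publicApiKey and privateApiKey fields). It takes the manifests as plain dicts, as a YAML loader would return them; the rule that a GROUP_* role must name a projectName is an assumption drawn from the example on this page, and the sample spec is constructed.

```python
# Added example (not Atlas Kubernetes Operator code): enforce this page's rules before a
# manifest is applied. Role sets are the accepted values listed on this page.
ORG_ROLES = {"ORG_MEMBER", "ORG_READ_ONLY", "ORG_BILLING_ADMIN", "ORG_GROUP_CREATOR",
             "ORG_OWNER", "ORG_BILLING_READ_ONLY", "ORG_TEAM_MEMBERS_ADMIN"}
PROJECT_ROLES = {"GROUP_AUTOMATION_ADMIN", "GROUP_BACKUP_ADMIN", "GROUP_MONITORING_ADMIN",
                 "GROUP_OWNER", "GROUP_READ_ONLY", "GROUP_USER_ADMIN", "GROUP_BILLING_ADMIN",
                 "GROUP_DATA_ACCESS_ADMIN", "GROUP_DATA_ACCESS_READ_ONLY",
                 "GROUP_DATA_ACCESS_READ_WRITE", "GROUP_CHARTS_ADMIN",
                 "GROUP_CLUSTER_MANAGER", "GROUP_SEARCH_INDEX_EDITOR"}
SECRET_FIELDS = {"orgID", "publicApiKey", "privateApiKey"}  # field names as this page lists them

def validate_spec(spec):
    """Return findings for spec.postAuthRoleGrants and spec.roleMappings; [] means clean."""
    findings = []
    for grant in spec.get("postAuthRoleGrants", []):
        if grant not in ORG_ROLES:  # post-auth grants are organization-level roles
            findings.append(f"postAuthRoleGrants: {grant!r} is not an organization role")
    for m in spec.get("roleMappings", []):
        group = m.get("externalGroupName") or "<missing externalGroupName>"
        if not m.get("externalGroupName"):
            findings.append("roleMappings: externalGroupName is required")
        if not m.get("roleAssignments"):  # the page requires at least one role per mapping
            findings.append(f"roleMappings[{group}]: roleAssignments needs at least one role")
        for a in m.get("roleAssignments", []):
            role, project = a.get("role"), a.get("projectName")
            if role in PROJECT_ROLES and not project:
                # Assumption: a GROUP_* (project-level) role must name the project it applies to
                findings.append(f"roleMappings[{group}]: {role} requires projectName")
            elif role in ORG_ROLES and project:
                findings.append(f"roleMappings[{group}]: {role} is org-level; remove projectName")
            elif role not in ORG_ROLES | PROJECT_ROLES:
                findings.append(f"roleMappings[{group}]: unknown role {role!r}")
    return findings

def validate_credentials_secret(secret):
    """The operator only watches Secrets labelled atlas.mongodb.com/type=credentials."""
    findings = []
    if secret.get("metadata", {}).get("labels", {}).get("atlas.mongodb.com/type") != "credentials":
        findings.append("secret lacks label atlas.mongodb.com/type=credentials; operator ignores it")
    present = set(secret.get("stringData", {})) | set(secret.get("data", {}))
    if SECRET_FIELDS - present:
        findings.append(f"secret missing fields: {sorted(SECRET_FIELDS - present)}")
    return findings

# Constructed sample: the dev-team mapping from this page plus two deliberate mistakes
# (a project role in postAuthRoleGrants, and a GROUP role with no projectName).
SAMPLE_SPEC = {"postAuthRoleGrants": ["ORG_MEMBER", "GROUP_OWNER"],
               "roleMappings": [{"externalGroupName": "dev-team", "roleAssignments": [
                   {"role": "ORG_GROUP_CREATOR"}, {"projectName": "dev-project", "role": "GROUP_OWNER"},
                   {"role": "GROUP_READ_ONLY"}]}]}
```

Running validate_spec(SAMPLE_SPEC) reports the two mistakes and nothing for the valid assignments.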
