The AtlasProject custom resource configures the project in
Atlas. When you create the AtlasProject custom resource,
Atlas Kubernetes Operator tries to create a new project in Atlas.
Important
Custom Resources No Longer Delete Objects by Default
- Atlas Kubernetes Operator uses custom resource configuration files to manage your Atlas configuration, but as of Atlas Kubernetes Operator 2.0, custom resources you delete in Kubernetes are no longer (by default) deleted in Atlas. Instead, Atlas Kubernetes Operator simply stops managing those resources in Atlas. For example, if you delete an AtlasProject Custom Resource in Kubernetes, by default the Atlas Kubernetes Operator no longer automatically deletes the corresponding project from Atlas. This change in behavior is intended to help prevent accidental or unexpected deletions. To learn more, including how to revert this behavior to the default used prior to Atlas Kubernetes Operator 2.0, see New Default: Deletion Protection in Atlas Kubernetes Operator 2.0.
  Similarly, Atlas Kubernetes Operator does not delete teams from Atlas if you remove them from an Atlas project in Kubernetes with the Atlas Kubernetes Operator.
- Explicitly define your desired configuration details in order to avoid implicitly using default Atlas configuration values. In some cases, inheriting Atlas defaults may result in a reconciliation loop which can prevent your custom resource from achieving a READY state. For example, explicitly defining your desired autoscaling behavior in your AtlasDeployment custom resource, as shown in the included example, ensures that a static instance size in your custom resource is not being repeatedly applied to an Atlas deployment which has autoscaling enabled.

  autoScaling:
    diskGB:
      enabled: true
    compute:
      enabled: true
      scaleDownEnabled: true
      minInstanceSize: M30
      maxInstanceSize: M40

Atlas Kubernetes Operator does one of the following actions:
- Creates a new project in the organization that the connection secret configures. 
- Reuses an existing project. In this case, Atlas Kubernetes Operator verifies whether a project with spec.name exists. If the project exists, Atlas Kubernetes Operator skips creation. After the reconciliation, Atlas Kubernetes Operator updates the status.id field with the id of the project.
You can use the spec.connectionSecretRef.name parameter
to set the connection secret for the AtlasProject custom
resource. This parameter overrides the default global connection
secret.
By default, Atlas Kubernetes Operator keeps connection secrets in the same namespace
as the AtlasProject Custom Resource. To store
secrets in another namespace, specify the
spec.connectionSecretRef.namespace parameter.
To connect to the Atlas Administration API, Atlas Kubernetes Operator reads the organization ID and API keys from Atlas Kubernetes Operator secrets.
You can also edit the AtlasProject custom resource specification to
configure the following options:
- An IP access list with the spec.projectIpAccessList parameter. This IP access list grants network access to Atlas clusters in the project.
- Teams with the spec.teams parameter. A team lets you grant an access role to an entire group of Atlas users for a particular project.
- The maintenance window with the spec.maintenanceWindow parameter. The maintenance window sets the hour and day that Atlas starts weekly maintenance on your database deployments.
- Network peering with the spec.networkPeers parameter. Network peering allows you to connect securely to your AWS, Azure, or Google Cloud VPC.
- Encryption at rest using customer-managed keys with the spec.encryptionAtRest parameter. Encryption at rest using customer-managed keys allows you to add an additional layer of security by using your cloud provider's KMS together with the MongoDB encrypted storage engine.
- Private endpoints with the spec.privateEndpoints parameter.
- X.509 authentication with the spec.x509CertRef.name parameter.
- Project settings with the spec.settings parameter, including settings to enable and disable the following:
  - Collection of database statistics in cluster metrics
- Project alerts configurations with the spec.alertConfigurationSyncEnabled and spec.alertConfigurations parameters.
  For information on how these settings interact, see the Considerations.

If you remove the AtlasProject resource from your Kubernetes cluster,
Atlas Kubernetes Operator removes the project from Atlas. You must remove all the
clusters in the project beforehand. Otherwise, Atlas rejects the
delete request.
Example
The following example shows an AtlasProject custom resource
specification:

apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test project
  connectionSecretRef:
    name: my-atlas-key
  projectIpAccessList:
    - cidrBlock: "203.0.113.0/24"
      comment: "CIDR block for Application Server B - D"

Prometheus Example
The following example shows an AtlasProject custom resource
specification that integrates with Prometheus:

apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: TestPrometheusIntegration
  connectionSecretRef:
    name: my-atlas-key
  projectIpAccessList:
    # 0.0.0.0/1 and 128.0.0.0/1 together cover the entire IPv4 range.
    - cidrBlock: "0.0.0.0/1"
      comment: "Everyone has access. For test purposes only."
    - cidrBlock: "128.0.0.0/1"
      comment: "Everyone has access. For test purposes only."
  integrations:
    - type: "PROMETHEUS"
      enabled: "true"
      username: "prometheus-user"
      passwordRef:
        name: "password-name"
        namespace: "password-namespace"
      scheme: "http"
      serviceDiscovery: "http"

To learn more, see Integrate with Third-Party Services.
Note
Atlas Kubernetes Operator offers a sample Grafana dashboard that you can import into Grafana.
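
The access list in the Prometheus example is written as 0.0.0.0/1 plus 128.0.0.0/1, so a review check that only looks for the literal 0.0.0.0/0 misses it; entries have to be merged before they are judged. The following is an added example, not code from this page or from Atlas Kubernetes Operator, that lints a spec for that case and for a Prometheus integration with scheme http. The function names, rule names and the 1/256 threshold are assumptions, and the specs are constructed from this page's examples as the dicts a YAML loader would produce.

```python
import ipaddress

# Constructed input: spec of the Prometheus example on this page, as the dict
# a YAML loader would produce from it.
PROMETHEUS_SPEC = {
    "name": "TestPrometheusIntegration",
    "projectIpAccessList": [
        {"cidrBlock": "0.0.0.0/1"},
        {"cidrBlock": "128.0.0.0/1"},
    ],
    "integrations": [
        {"type": "PROMETHEUS", "enabled": "true", "scheme": "http",
         "serviceDiscovery": "http"},
    ],
}

# Constructed input: the access-list entries of the first example and of the
# maintenance window example on this page, combined into one spec.
SCOPED_SPEC = {
    "name": "Test project",
    "projectIpAccessList": [
        {"cidrBlock": "203.0.113.0/24"},
        {"ipAddress": "192.0.2.15"},
    ],
}

# Assumption: a merged access list wider than 1/256 of the address space
# (one /8 for IPv4) deserves a reviewer's attention.
MAX_FRACTION = 1 / 256


def merged_networks(spec):
    """Merge spec.projectIpAccessList into the smallest set of networks.

    Adjacent or overlapping entries are collapsed, so two /1 blocks that
    together span every address come back as a single /0.
    """
    by_version = {4: [], 6: []}
    for entry in spec.get("projectIpAccessList", []):
        raw = entry.get("cidrBlock") or entry.get("ipAddress")
        if not raw:
            continue  # entry without an address field: nothing to measure
        net = ipaddress.ip_network(raw, strict=False)
        by_version[net.version].append(net)
    return {version: list(ipaddress.collapse_addresses(nets))
            for version, nets in by_version.items()}


def lint_project(spec):
    """Return (rule, detail) findings for an AtlasProject spec."""
    findings = []
    for version, nets in merged_networks(spec).items():
        if not nets:
            continue
        total_bits = nets[0].max_prefixlen
        fraction = sum(n.num_addresses for n in nets) / 2 ** total_bits
        if any(n.prefixlen == 0 for n in nets):
            findings.append(("access-list-open",
                             f"IPv{version} entries combine to {nets[0]}"))
        elif fraction > MAX_FRACTION:
            findings.append(("access-list-broad",
                             f"IPv{version} entries cover {fraction:.2%}"))
    for integration in spec.get("integrations", []):
        if (integration.get("type") == "PROMETHEUS"
                and integration.get("scheme") == "http"):
            findings.append(("prometheus-http",
                             "integration scheme is http, not https"))
    return findings


if __name__ == "__main__":
    for name, spec in (("prometheus", PROMETHEUS_SPEC), ("scoped", SCOPED_SPEC)):
        print(name, lint_project(spec) or "no findings")
```
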
Teams Example
The following example shows an AtlasProject custom resource
specification that gives the green-leaf-team the Organization Owner
role for this project. The team members are defined in the
AtlasTeam custom resource.

apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test project
  teams:
    - teamRef:
        name: green-leaf-team
      roles:
        - ORGANIZATION_OWNER

To learn more, see Configure Teams.
Maintenance Window Example
The following example shows an AtlasProject custom resource
specification that sets the maintenance window to 5:00 AM every Tuesday with automatic deferral disabled:

apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test project
  projectIpAccessList:
    - ipAddress: "192.0.2.15"
      comment: "IP address for Application Server A"
  # maintenanceWindow is a field of spec (spec.maintenanceWindow).
  maintenanceWindow:
    dayOfWeek: 3
    hourOfDay: 5
    autoDefer: false

Project Settings Example
The following example shows an AtlasProject custom resource
specification that disables the collection of database statistics in
cluster metrics,
data explorer, Performance Advisor, Realtime Performance Panel, and Schema Advisor.

apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test project
  projectIpAccessList:
    - ipAddress: "192.0.2.15"
      comment: "IP address for Application Server A"
  settings:
    isCollectDatabaseSpecificsStatisticsEnabled: false
    isDataExplorerEnabled: false
    isExtendedStorageSizesEnabled: false
    isPerformanceAdvisorEnabled: false
    isRealtimePerformancePanelEnabled: false
    isSchemaAdvisorEnabled: false

Alert Configuration Example
The following example shows an AtlasProject custom resource
specification that configures an alert that triggers if the oplog
window reaches less than one hour:

apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Atlas Operator Project
  connectionSecretRef:
    name: my-atlas-key
  alertConfigurations:
    - eventTypeName: "REPLICATION_OPLOG_WINDOW_RUNNING_OUT"
      enabled: true
      notifications:
        - delayMin: 0
          emailEnabled: true
          intervalMin: 60
          roles: [ "GROUP_OWNER" ]
          smsEnabled: false
          typeName: "GROUP"
      threshold:
        operator: "LESS_THAN"
        threshold: "1"
        units: "HOURS"
  alertConfigurationSyncEnabled: true
  withDefaultAlertsSettings: false

Third-Party Alert Configuration Example
The following example shows an AtlasProject custom resource
specification that configures an alert that sends notifications through
Slack:

apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: Test Atlas Operator Project
  connectionSecretRef:
    name: my-atlas-key
  alertConfigurations:
    - eventTypeName: "REPLICATION_OPLOG_WINDOW_RUNNING_OUT"
      enabled: true
      notifications:
        - delayMin: 0
          emailEnabled: true
          intervalMin: 60
          roles: [ "GROUP_OWNER" ]
          smsEnabled: false
          typeName: "SLACK"
          # Reference to the secret that holds the Slack API token.
          apiTokenRef:
            name: key-name
            namespace: key-namespace
      threshold:
        operator: "LESS_THAN"
        threshold: "1"
        units: "HOURS"
  alertConfigurationSyncEnabled: true
  withDefaultAlertsSettings: false

Parameters
This section describes the AtlasProject custom resource parameters:
- spec.name
  Type: string. Required.
  Name of the project created or updated in Atlas. The name length must not exceed 64 characters. The name can contain only letters, numbers, spaces, dashes, and underscores.
- spec.alertConfigurations
  Type: array of objects. Optional.
  List that contains alert configurations for this project.
  If you use this setting, you must also set spec.alertConfigurationSyncEnabled to true for Atlas Kubernetes Operator to modify project alert configurations.
  If you omit or leave this setting empty, Atlas Kubernetes Operator doesn't alter the project's alert configurations. If creating a project, Atlas applies the default project alert configurations.
- spec.alertConfigurations.eventTypeName
  Type: string. Required.
  Event that triggers an alert that this alert configuration describes.
  To learn about the values that Atlas Kubernetes Operator accepts, see the request body schema for the Create One Alert Configuration in One Project endpoint in the MongoDB Atlas Administration API documentation.
- spec.alertConfigurations.enabled
  Type: boolean. Optional. Default: false.
  Flag that indicates whether this alert configuration is enabled. If omitted, defaults to false.
- spec.alertConfigurations.matchers
  Type: array of objects. Conditional.
  List of rules that determine whether Atlas checks an object for the alert configuration. You can filter using the matchers array if spec.alertConfigurations.eventTypeName specifies an event for a host, replica set, or sharded cluster.
- spec.alertConfigurations.matchers.fieldName
  Type: string. Conditional.
  Human-readable label that identifies the parameter in the target object that Atlas checks. The parameter must match all rules for Atlas to check for alert configurations.
  Atlas Kubernetes Operator accepts the following values:
  - CLUSTER_NAME
  - HOSTNAME
  - HOSTNAME_AND_PORT
  - PORT
  - REPLICA_SET_NAME
  - SHARD_NAME
  - TYPE_NAME
  Atlas Kubernetes Operator requires this setting if you include an object in the spec.alertConfigurations.matchers array.
- spec.alertConfigurations.matchers.operator
  Type: string. Conditional.
  Comparison operator to apply when checking the current metric value against spec.alertConfigurations.matchers.value.
  Atlas Kubernetes Operator accepts the following values:
  - EQUALS
  - CONTAINS
  - STARTS_WITH
  - ENDS_WITH
  - NOT_EQUALS
  - NOT_CONTAINS
  - REGEX
  Atlas Kubernetes Operator requires this setting if you include an object in the spec.alertConfigurations.matchers array.
- spec.alertConfigurations.matchers.value
  Type: string. Conditional.
  Value to match or exceed using the specified spec.alertConfigurations.matchers.operator.
  Atlas Kubernetes Operator requires this setting if you include an object in the spec.alertConfigurations.matchers array.
- spec.alertConfigurations.metricThreshold
  Type: object. Conditional.
  Threshold for the metric that, when exceeded, triggers an alert.
  Atlas Kubernetes Operator requires this setting when spec.alertConfigurations.eventTypeName is OUTSIDE_METRIC_THRESHOLD.
- spec.alertConfigurations.metricThreshold.metricName
  Type: string. Conditional.
  Human-readable label that identifies the metric against which Atlas checks the configured spec.alertConfigurations.metricThreshold.threshold.
  To learn about the values that Atlas Kubernetes Operator accepts, see the request body schema for the Create One Alert Configuration in One Project endpoint in the MongoDB Atlas Administration API documentation.
  Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.metricThreshold object.
- spec.alertConfigurations.metricThreshold.mode
  Type: string. Optional. Default: AVERAGE.
  Atlas computes the current metric value as an average.
  Atlas Kubernetes Operator accepts only a value of AVERAGE.
- spec.alertConfigurations.metricThreshold.operator
  Type: string. Conditional.
  Comparison operator to apply when checking the current metric value.
  Atlas Kubernetes Operator accepts the following values:
  - GREATER_THAN
  - LESS_THAN
  Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.metricThreshold object.
- spec.alertConfigurations.metricThreshold.threshold
  Type: integer. Conditional.
  Value of metric that, when exceeded, triggers an alert.
  Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.metricThreshold object.
- spec.alertConfigurations.metricThreshold.units
  Type: string. Conditional.
  Element used to express the quantity. This value can be an element of time, storage capacity, and so on.
  Atlas Kubernetes Operator accepts the following values:
  - BITS
  - BYTES
  - DAYS
  - GIGABITS
  - GIGABYTES
  - HOURS
  - KILOBITS
  - KILOBYTES
  - MEGABITS
  - MEGABYTES
  - MILLISECONDS
  - MINUTES
  - PETABYTES
  - RAW
  - SECONDS
  - TERABYTES
  Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.metricThreshold object.
- spec.alertConfigurations.notifications
  Type: array. Conditional.
  List that describes the notifications that Atlas sends for alerts that this alert configuration describes.
- spec.alertConfigurations.notifications.apiTokenRef.name
  Type: string. Conditional.
  Name of the opaque secret that contains a single password field with your API token for Slack.
  Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.
  The following example labels a secret:
      kubectl label secret the-user-password atlas.mongodb.com/type=credentials
  If you want notifications through Slack, you must specify this setting.
- spec.alertConfigurations.notifications.apiTokenRef.namespace
  Type: string. Conditional.
  Namespace that contains your API token for Slack. If you want notifications through Slack, you must specify this setting.
- spec.alertConfigurations.notifications.channelName
  Type: string. Conditional.
  Human-readable label that identifies the Slack channel to which Atlas sends alert notifications.
  Atlas Kubernetes Operator requires this setting when you set spec.alertConfigurations.notifications.typeName to SLACK.
- spec.alertConfigurations.notifications.datadogApiKeyRef.name
  Type: string. Conditional.
  Name of the opaque secret that contains a single password field with the API key for Datadog. If you want notifications through Datadog, you must specify this setting.
  Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.
  The following example labels a secret:
      kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.alertConfigurations.notifications.datadogApiKeyRef.namespace
  Type: string. Conditional.
  Namespace that contains your API key for Datadog. If you want notifications through Datadog, you must specify this setting.
- spec.alertConfigurations.notifications.datadogRegion
  Type: string. Optional. Default: US.
  Datadog region that indicates which API Uniform Resource Locator (URL) to use.
  Atlas Kubernetes Operator accepts the following values:
  - US
  - EU
- spec.alertConfigurations.notifications.delayMins
  Type: integer. Optional. Default: 0.
  Number of minutes that Atlas waits after it detects an alert condition before it sends out the first notification.
- spec.alertConfigurations.notifications.emailAddress
  Type: string. Conditional.
  Email address to which Atlas sends alert notifications.
  Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to EMAIL.
  Atlas Kubernetes Operator doesn't require this setting to send email notifications when you set spec.alertConfigurations.notifications.typeName to one of the following values:
  - GROUP
  - ORG
  - TEAM
  - USERS
  To send emails to one Atlas user or group of users, set the spec.alertConfigurations.notifications.emailEnabled parameter.
- spec.alertConfigurations.notifications.emailEnabled
  Type: boolean. Conditional.
  Flag that indicates whether Atlas sends email notifications.
  Atlas Kubernetes Operator requires this setting when you set spec.alertConfigurations.notifications.typeName to one of the following values:
  - GROUP
  - ORG
  - TEAM
- spec.alertConfigurations.notifications.intervalMin
  Type: integer. Optional.
  Number of minutes to wait between successive notifications. Atlas sends notifications until someone acknowledges the unacknowledged alert. Atlas Kubernetes Operator accepts values greater than or equal to 5.
  PagerDuty, VictorOps, and OpsGenie notifications don't use this field. Configure and manage the notification interval within each of those services.
- spec.alertConfigurations.notifications.microsoftTeamsWebhookUrl
  Type: string. Conditional.
  Microsoft Teams Webhook Uniform Resource Locator (URL) that Atlas needs to send this notification via Microsoft Teams. If the URL later becomes invalid, Atlas sends an email to the project owners. If the key remains invalid, Atlas removes it.
  Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to MICROSOFT_TEAMS.
- spec.alertConfigurations.notifications.mobileNumber
  Type: string. Conditional.
  Mobile phone number to which Atlas sends alert notifications.
  Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to SMS.
- spec.alertConfigurations.notifications.opsGenieApiKeyRef.name
  Type: string. Conditional.
  Name of the opaque secret that contains a single password field with the API key for Opsgenie. If you want notifications through Opsgenie, you must specify this setting.
  Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.
  The following example labels a secret:
      kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.alertConfigurations.notifications.opsGenieApiKeyRef.namespace
  Type: string. Conditional.
  Namespace that contains your API key for Opsgenie. If you want notifications through Opsgenie, you must specify this setting.
- spec.alertConfigurations.notifications.opsGenieRegion
  Type: string. Optional. Default: US.
  Opsgenie region that indicates which API Uniform Resource Locator (URL) to use.
  Atlas Kubernetes Operator accepts the following values:
  - US
  - EU
  Atlas Kubernetes Operator applies this setting if you set spec.alertConfigurations.notifications.typeName to OPS_GENIE.
- spec.alertConfigurations.notifications.roles
  Type: array. Optional.
  List that contains the one or more organization or project roles that receive the configured alert. If you include this parameter, Atlas sends alerts only to users assigned the roles you specify in the list. If you omit this parameter, Atlas sends alerts to users assigned any role.
  Atlas Kubernetes Operator accepts the following values:
  - GROUP_CLUSTER_MANAGER
  - GROUP_DATA_ACCESS_ADMIN
  - GROUP_DATA_ACCESS_READ_ONLY
  - GROUP_DATA_ACCESS_READ_WRITE
  - GROUP_OWNER
  - GROUP_READ_WRITE
  - ORG_OWNER
  - ORG_MEMBER
  - ORG_GROUP_CREATOR
  - ORG_BILLING_ADMIN
  - ORG_READ_ONLY
  Atlas Kubernetes Operator applies this setting when you set spec.alertConfigurations.notifications.typeName to one of the following values:
  - GROUP
  - ORG
- spec.alertConfigurations.notifications.serviceKeyRef.name
  Type: string. Conditional.
  Name of the opaque secret that contains a single password field with the API key for PagerDuty. If you want notifications through PagerDuty, you must specify this setting.
  Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.
  The following example labels a secret:
      kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.alertConfigurations.notifications.serviceKeyRef.namespace
  Type: string. Conditional.
  Namespace that contains your API key for PagerDuty. If you want notifications through PagerDuty, you must specify this setting.
- spec.alertConfigurations.notifications.severity
  Type: string. Optional.
  Degree of seriousness given to this notification.
  Atlas Kubernetes Operator accepts the following values:
  - CRITICAL
  - ERROR
  - WARNING
- spec.alertConfigurations.notifications.smsEnabled
  Type: boolean. Conditional.
  Flag that indicates whether Atlas sends text message notifications.
  Atlas Kubernetes Operator requires this setting when you set spec.alertConfigurations.notifications.typeName to one of the following values:
  - GROUP
  - ORG
  - TEAM
- spec.alertConfigurations.notifications.teamId
  Type: string. Conditional.
  Unique 24-hexadecimal digit string that identifies one Atlas team.
  Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to TEAM.
- spec.alertConfigurations.notifications.teamName
  Type: string. Conditional.
  Name of the Atlas team that receives this notification.
  Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to TEAM.
- spec.alertConfigurations.notifications.typeName
  Type: string. Conditional.
  Human-readable label that displays the alert notification type. This setting is required if you specify a value for the spec.alertConfigurations.notifications setting. Atlas supports the following values:
  - DATADOG
  - EMAIL
  - OPS-GENIE
  - ORG
  - PAGER_DUTY
  - PROMETHEUS
  - SLACK
  - SMS
  - TEAM
  - USER
  - VICTOR_OPS
  - WEBHOOK
- spec.alertConfigurations.notifications.username
  Type: string. Conditional.
  Atlas username of the person to whom Atlas sends notifications. Specify only Atlas users who belong to the project that owns the alert configuration.
  Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to USER.
- spec.alertConfigurations.notifications.victorOpsSecretRef.name
  Type: string. Conditional.
  Name of the opaque secret that contains a single password field with the API key for Splunk On-Call. If you want notifications through Splunk On-Call, you must specify this setting.
  Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.
  The following example labels a secret:
      kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.alertConfigurations.notifications.victorOpsSecretRef.namespace
  Type: string. Conditional.
  Namespace that contains your API key for Splunk On-Call. If you want notifications through Splunk On-Call, you must specify this setting.
- spec.alertConfigurations.notifications.victorOpsRoutingKey
  Type: string. Conditional.
  Routing key that Atlas needs to send alert notifications to Splunk On-Call. If the key later becomes invalid, Atlas sends an email to the project owners. If the key remains invalid, Atlas removes it.
  Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to VICTOR_OPS.
- spec.alertConfigurations.notifications.webhookSecret
  Type: string. Optional.
  Authentication secret for a webhook-based alert.
  Atlas Kubernetes Operator applies this setting if you set spec.alertConfigurations.notifications.typeName to WEBHOOK.
- spec.alertConfigurations.notifications.webhookUrl
  Type: string. Conditional.
  String that indicates your webhook URL.
  Atlas Kubernetes Operator requires this setting if you set spec.alertConfigurations.notifications.typeName to WEBHOOK.
- spec.alertConfigurations.threshold
  Type: object. Conditional.
  Limit that triggers an alert when exceeded.
  Atlas Kubernetes Operator applies this setting if you set spec.alertConfigurations.eventTypeName to a value other than OUTSIDE_METRIC_THRESHOLD.
- spec.alertConfigurations.threshold.operator
  Type: string. Conditional.
  Comparison operator to apply when Atlas checks the current metric value.
  Atlas Kubernetes Operator accepts the following values:
  - GREATER_THAN
  - LESS_THAN
  Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.threshold object.
- spec.alertConfigurations.threshold.threshold
  Type: integer. Conditional.
  Value of metric that, when exceeded, triggers an alert.
  Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.threshold object.
- spec.alertConfigurations.threshold.units
  Type: string. Conditional.
  Element that expresses the quantity. You can specify an element of time, storage capacity, and so on.
  Atlas Kubernetes Operator accepts the following values:
  - BITS
  - BYTES
  - DAYS
  - GIGABITS
  - GIGABYTES
  - HOURS
  - KILOBITS
  - KILOBYTES
  - MEGABITS
  - MEGABYTES
  - MILLISECONDS
  - MINUTES
  - PETABYTES
  - RAW
  - SECONDS
  - TERABYTES
  Atlas Kubernetes Operator requires this setting if you include the spec.alertConfigurations.threshold object.
- spec.alertConfigurationSyncEnabled
  Type: boolean. Optional. Default: false.
  Flag that indicates whether Atlas Kubernetes Operator applies the project alert settings defined in spec.alertConfigurations. If you omit this parameter or set it to false, Atlas Kubernetes Operator doesn't synchronize the project's alert configurations with the ones that you define in the AtlasProject custom resource.
  For information on how this setting interacts with spec.withDefaultAlertsSettings, see the Considerations.
- spec.auditing.auditAuthorizationSuccess
  Type: boolean. Optional. Default: false.
  Flag that indicates whether to direct the auditing system to capture successful authentication attempts for audit filters using the "atype" : "authCheck" auditing event. To set this parameter to true, you must set spec.auditing.enabled to true. To learn more, see auditAuthorizationSuccess.
  WARNING: If you enable auditAuthorizationSuccess, you might severely impact cluster performance. Enable this option with caution.
- spec.auditing.auditFilter
  Type: string. Optional.
  JSON-formatted auditing filter. You might need to escape the JSON string to remove characters that could prevent parsing, such as single or double-quotes. To specify a value for this setting, you must set spec.auditing.enabled to true.
  To view example auditing filters, see Example Auditing Filters. To learn more about configuring MongoDB auditing filters, see Configure a Custom Auditing Filter.
- spec.auditing.enabled
  Type: boolean. Conditional. Default: false.
  Flag that indicates whether to enable auditing for the project. To specify a value for spec.auditing.auditFilter, or to set spec.auditing.auditAuthorizationSuccess to true, you must specify this setting. To learn more, see Enable Audit Logs.
- spec.backupCompliancePolicyRef
  Type: object. Conditional.
  Object that contains the name and namespace of the opaque secret that references the AtlasBackupCompliancePolicy Custom Resource. If you enable a Backup Compliance Policy, you must specify this parameter.
- spec.backupCompliancePolicyRef.name
  Type: string. Conditional.
  Name of the opaque secret that references the AtlasBackupCompliancePolicy Custom Resource. If you enable a Backup Compliance Policy, you must specify this parameter.
- spec.backupCompliancePolicyRef.namespace
  Type: object. Conditional.
  Namespace of the opaque secret that references the AtlasBackupCompliancePolicy Custom Resource. If you enable a Backup Compliance Policy, you must specify this parameter.
- spec.connectionSecretRef.name
  Type: string. Optional.
  Name of the opaque secret that contains a single password field with the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. If unspecified, Atlas Kubernetes Operator uses the default global secret.
  Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.
  The following example labels a secret:
      kubectl label secret the-user-password atlas.mongodb.com/type=credentials
  By default, Atlas Kubernetes Operator keeps connection secrets in the same namespace as the AtlasProject Custom Resource. To store secrets in another namespace, specify the spec.connectionSecretRef.namespace parameter.
- spec.connectionSecretRef.namespace
  Type: string. Optional.
  Namespace that contains the secret with the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. If unspecified, Atlas Kubernetes Operator keeps connection secrets in the same namespace as the AtlasProject Custom Resource.
- spec.cloudProviderAccessRoles
  Type: array. Deprecated. Use spec.cloudProviderIntegrations instead.
  List that contains your unified cloud provider access settings.
- spec.cloudProviderAccessRoles.iamAssumedRoleArn
  Type: string. Deprecated. Use spec.cloudProviderIntegrations.iamAssumedRoleArn instead.
  Unique AWS ARN that identifies the IAM access role that Atlas assumes. If you want to set up unified cloud provider access, you must specify this setting.
- spec.cloudProviderAccessRoles.providerName
  Type: string. Deprecated. Use spec.cloudProviderIntegrations.providerName instead.
  Cloud provider for the access role that Atlas assumes. Atlas Kubernetes Operator supports AWS for unified cloud provider access. If you want to set up unified cloud provider access, you must specify this setting.
- spec.cloudProviderIntegrations
  Type: array. Optional.
  List that contains your unified cloud provider integration settings.
- spec.cloudProviderIntegrations.iamAssumedRoleArn
  Type: string. Conditional.
  Unique AWS ARN that identifies the IAM access role that Atlas assumes. If you want to set up unified cloud provider integrations, you must specify this setting.
- spec.cloudProviderIntegrations.providerName
  Type: string. Conditional.
  Cloud provider for the access role that Atlas assumes. Atlas Kubernetes Operator supports AWS for unified cloud provider integrations. If you want to set up unified cloud provider integrations, you must specify this setting.
- spec.customRoles
  Type: object. Optional.
  Object that contains your custom role specifications.
  Important: This parameter is deprecated beginning in version 2.6. To create custom roles with Atlas Kubernetes Operator, use the AtlasCustomRole Custom Resource.
  To learn more about the configuration parameters available from the API, see the Atlas Custom Database Roles API.
- spec.encryptionAtRest
- Type: array - Optional - List that contains the configurations for encryption at rest using customer-managed keys for the project. 
- spec.encryptionAtRest.awsKms
- Type: object - Optional - List that contains the configurations to use AWS KMS for encryption at rest using customer-managed keys for the project. 
- spec.encryptionAtRest.enabled
- Type: boolean - Optional - Flag that indicates whether this project uses AWS KMS to encrypt data at rest. To enable encryption at rest using AWS KMS, set this parameter to true. To disable encryption at rest using AWS KMS, set this parameter to false. If you disable encryption at rest using AWS KMS, Atlas Kubernetes Operator removes the configuration details.
- spec.encryptionAtRest.awsKms.region
- Type: string - Optional - Label that indicates the AWS region where the customer master key exists. 
- spec.encryptionAtRest.awsKms.secretRef.name
- Type: string - Optional - Name of the opaque secret that contains your AWS credentials. Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret: kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.encryptionAtRest.awsKms.secretRef.namespace
- Type: string - Optional - Namespace that contains your AWS credentials. If unspecified, this parameter defaults to the namespace of the AtlasProject custom resource.
- spec.encryptionAtRest.azureKeyVault
- Type: object - Optional - List that contains the configurations to use Azure Key Vault for encryption at rest using customer-managed keys for the project. 
- spec.encryptionAtRest.azureKeyVault.azureEnvironment
- Type: string - Optional - Azure deployment location where the Azure account credentials reside. Valid values include AZURE, AZURE_CHINA, and AZURE_GERMANY.
- spec.encryptionAtRest.azureKeyVault.clientID
- Type: string - Optional - Unique 36-hexadecimal character string that identifies your Azure application. 
- spec.encryptionAtRest.azureKeyVault.enabled
- Type: boolean - Optional - Flag that indicates whether this project uses Azure Key using Azure key vault, Atlas Kubernetes Operator removes the configuration details. 
- spec.encryptionAtRest.azureKeyVault.resourceGroupName
- Type: string - Optional - Label that identifies the Azure resource group that contains your Azure Key Vault. Azure displays the resource group name on the resource group's details page. 
- spec.encryptionAtRest.azureKeyVault.secretRef.name
- Type: string - Optional - Name of the opaque secret that contains your Azure credentials. Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret: kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.encryptionAtRest.azureKeyVault.secretRef.namespace
- Type: string - Optional - Namespace that contains your Azure credentials. If unspecified, this parameter defaults to the namespace of the AtlasProject custom resource.
- spec.encryptionAtRest.azureKeyVault.tenantID
- Type: string - Optional - Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription. Azure displays the tenant ID on the tenant properties page. 
- spec.encryptionAtRest.googleCloudKms
- Type: object - Optional - List that contains the configurations to use Google Cloud KMS for encryption at rest using customer-managed keys for the project. 
- spec.encryptionAtRest.googleCloudKms.enabled
- Type: string - Optional - Flag that indicates whether this project uses Google Cloud KMS to encrypt data at rest. To enable encryption at rest using Google Cloud KMS, set this parameter to true. To disable encryption at rest using Google Cloud KMS, set this parameter to false. If you disable encryption at rest using Google Cloud KMS, Atlas Kubernetes Operator removes the configuration details.
- spec.encryptionAtRest.googleCloudKms.secretRef.name
- Type: string - Optional - Name of the opaque secret that contains your Google Cloud credentials. Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret: kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.encryptionAtRest.googleCloudKms.secretRef.namespace
- Type: string - Optional - Namespace that contains your Google Cloud credentials. If unspecified, this parameter defaults to the namespace of the AtlasProject custom resource.
- spec.integrations
- Type: array - Optional - List that contains your third-party integration settings. The parameters that you must specify depend on the third-party service that you want to configure. Services: All, Datadog, Microsoft Teams, Opsgenie, PagerDuty, Prometheus, Slack, VictorOps, Webhook Settings.
- spec.integrations.accountId
- Type: string - Conditional - Unique string that identifies your New Relic account. If you want to integrate with New Relic, you must specify this setting. 
- spec.integrations.apiKeyRef.name
- Type: string - Conditional - Name of the opaque secret that contains a single password field with the API key for Datadog, Opsgenie, or VictorOps. If you want to integrate with Datadog, Opsgenie, or VictorOps, you must specify this setting. Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret: kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.integrations.apiKeyRef.namespace
- Type: string - Conditional - Namespace that contains your API key for Datadog, Opsgenie, or VictorOps. If you want to integrate with Datadog, Opsgenie, or VictorOps, you must specify this setting. 
- spec.integrations.apiTokenRef.name
- Type: string - Conditional - Name of the opaque secret that contains a single password field with the API token for Slack. If you want to integrate with Slack, you must specify this setting. Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret: kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.integrations.apiTokenRef.namespace
- Type: string - Conditional - Namespace that contains your API token for Slack. If you want to integrate with Slack, you must specify this setting. 
- spec.integrations.enabled
- Type: boolean - Conditional - Flag that indicates whether your cluster has Prometheus enabled. If you want to integrate with Prometheus, you must specify this setting as true.
- spec.integrations.licenseKeyRef.name
- Type: string - Conditional - Name of the opaque secret that contains a single password field with the license key for New Relic. If you want to integrate with New Relic, you must specify this setting. Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret: kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.integrations.licenseKeyRef.namespace
- Type: string - Conditional - Namespace that contains your license key for New Relic. If you want to integrate with New Relic, you must specify this setting. 
- spec.integrations.microsoftTeamsWebhookURL
- Type: string - Conditional - String that specifies your Microsoft Teams incoming webhook URL. If you want to integrate with Microsoft Teams, you must specify this setting.
- spec.integrations.passwordRef.name
- Type: string - Conditional - Name of the opaque secret that contains a single password field with the Prometheus password. If you want to integrate with Prometheus, you must specify this setting. Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret: kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.integrations.passwordRef.namespace
- Type: string - Conditional - Namespace that contains your Prometheus password. If you want to integrate with Prometheus, you must specify this setting. 
- spec.integrations.readTokenRef.name
- Type: string - Conditional - Name of the opaque secret that contains a single password field with the Insights Query Key for New Relic. If you want to integrate with New Relic, you must specify this setting. Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret: kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.integrations.readTokenRef.namespace
- Type: string - Conditional - Namespace that contains your Insights Query Key for New Relic. If you want to integrate with New Relic, you must specify this setting. 
- spec.integrations.region
- Type: string - Conditional - Default: US - String value that indicates the API URL to use for Datadog or Opsgenie. If you want to integrate with Datadog or Opsgenie, you must specify this setting. Values for Opsgenie include US or EU. Atlas supports the following Datadog regions in the Atlas Administration API (Atlas Administration API region: corresponding Datadog region):
  - US: US1
  - US3: US3
  - US5: US5
  - EU: EU1
  Datadog uses US1 (US in the Atlas Administration API) by default. To learn more about Datadog's regions, see Datadog Sites.
- spec.integrations.routingKeyRef.name
- Type: string - Conditional - Name of the opaque secret that contains a single password field with the routing key for VictorOps. If you want to integrate with VictorOps, you must specify this setting. Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret: kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.integrations.routingKeyRef.namespace
- Type: string - Conditional - Namespace that contains your routing key for VictorOps. If you want to integrate with VictorOps, you must specify this setting. 
- spec.integrations.secretRef.name
- Type: string - Conditional - Name of the opaque secret that contains a single password field with the Webhook secret. If you want to integrate with Webhook Settings, you must specify this setting. Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret: kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.integrations.secretRef.namespace
- Type: string - Conditional - Namespace that contains your Webhook secret. If you want to integrate with Webhook Settings, you must specify this setting. 
- spec.integrations.scheme
- Type: string - Conditional - String that indicates the Prometheus protocol scheme configured for requests. Values include http or https. If you want to integrate with Prometheus, you must specify this setting.
- spec.integrations.serviceDiscovery
- Type: string - Conditional - Human-readable label that indicates the Prometheus service discovery method to use. Values include file or http. If you want to integrate with Prometheus, you must specify this setting.
- spec.integrations.serviceKeyRef.name
- Type: string - Conditional - Name of the opaque secret that contains a single password field with the service key for PagerDuty. If you want to integrate with PagerDuty, you must specify this setting. Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret: kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.integrations.serviceKeyRef.namespace
- Type: string - Conditional - Namespace that contains your service key for PagerDuty. If you want to integrate with PagerDuty, you must specify this setting. 
- spec.integrations.type
- Type: string - Conditional - String value that indicates the third-party service to integrate with Atlas. Values include:
  - DATADOG
  - MICROSOFT_TEAMS
  - NEW_RELIC
  - OPS_GENIE
  - PAGER_DUTY
  - PROMETHEUS
  - SLACK
  - VICTOR_OPS
  - WEBHOOK
  If you want to integrate with a third-party service, you must specify this setting.
- spec.integrations.url
- Type: string - Conditional - String that specifies your Webhook URL. If you want to integrate with Webhook Settings, you must specify this setting. 
- spec.integrations.username
- Type: string - Conditional - Human-readable label that identifies the Prometheus user. If you want to integrate with Prometheus, you must specify this setting. 
- spec.integrations.writeTokenRef.name
- Type: string - Conditional - Name of the opaque secret that contains a single password field with the write token for New Relic. If you want to integrate with New Relic, you must specify this setting. Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret: kubectl label secret the-user-password atlas.mongodb.com/type=credentials
- spec.integrations.writeTokenRef.namespace
- Type: string - Conditional - Namespace that contains your write token for New Relic. If you want to integrate with New Relic, you must specify this setting. 
- spec.maintenanceWindow
- Type: object - Optional - List that contains your maintenance window settings. You can specify the following body parameters (name - type - necessity - description):
  - dayOfWeek - number - Required - Day of the week that you want the maintenance window to start, as a 1-based integer: Sunday 1, Monday 2, Tuesday 3, Wednesday 4, Thursday 5, Friday 6, Saturday 7.
  - hourOfDay - number - Required - Hour of the day that you want the maintenance window to start. This parameter uses the 24-hour clock, where midnight is 0 and noon is 12.
  - autoDeferOnceEnabled - boolean - Optional - Flag that indicates whether you want to defer all maintenance windows by one week when they would be triggered.
  Important: Maintenance Window Considerations
  - Urgent Maintenance Activities: Urgent maintenance activities such as security patches cannot wait for your chosen window. Atlas will start those maintenance activities when needed.
  - Ongoing Maintenance Operations: Once maintenance is scheduled for your cluster, you cannot change your maintenance window until the current maintenance efforts have completed.
  - Maintenance Requires Replica Set Elections: Atlas performs maintenance the same way as the maintenance procedure described in the MongoDB Manual. This procedure requires at least one replica set election during the maintenance window per replica set.
  - Maintenance Starts As Close to the Hour As Possible: Maintenance always begins as close to the scheduled hour as possible, but in-progress cluster updates or unexpected system issues could delay the start time.
- spec.maintenanceWindow.autoDefer
- Type: boolean - Conditional - Flag that indicates whether Atlas should defer all maintenance windows for one week after you enable them. 
- spec.maintenanceWindow.defer
- Type: boolean - Conditional - Flag that indicates whether Atlas should defer scheduled maintenance. You must schedule maintenance before you can successfully defer maintenance. spec.maintenanceWindow.defer and spec.maintenanceWindow.startASAP can't both be set to true at the same time. Important: While spec.maintenanceWindow.defer is set to true, Atlas Kubernetes Operator defers scheduled maintenance every time you apply changes to the AtlasProject custom resource. If you set spec.maintenanceWindow.defer to true, you should change spec.maintenanceWindow.defer to false after you apply changes.
- spec.maintenanceWindow.dayOfWeek
- Type: number - Conditional - One-based integer that represents the day of the week that the maintenance window starts. Use the following values to find the integer that corresponds to each day: Sunday 1, Monday 2, Tuesday 3, Wednesday 4, Thursday 5, Friday 6, Saturday 7. If you want to configure the maintenance window for your project, you must specify this setting.
- spec.maintenanceWindow.hourOfDay
- Type: number - Conditional - Zero-based integer that represents the hour of the day that the maintenance window starts according to a 24-hour clock. Use 0 for midnight and 12 for noon. If you want to configure the maintenance window for your project, you must specify this setting.
- spec.maintenanceWindow.startASAP
- Type: boolean - Conditional - Flag that indicates whether Atlas should immediately start maintenance. spec.maintenanceWindow.defer and spec.maintenanceWindow.startASAP can't both be set to true at the same time. Important: While spec.maintenanceWindow.startASAP is set to true, Atlas Kubernetes Operator starts maintenance every time you apply changes to the AtlasProject custom resource. If you set spec.maintenanceWindow.startASAP to true, you should change spec.maintenanceWindow.startASAP to false after you apply changes.
- spec.networkPeers
- Type: array - Optional - List that contains the network peering configurations for the project. 
- spec.regionUsageRestrictions
- Type: string - Optional - Designates the project's AWS region for Atlas for Government only. You can specify one of the following values:
  - NONE: If you set regionUsageRestrictions to NONE, value defaults to COMMERCIAL_FEDRAMP_REGIONS_ONLY. This is the default if you omit regionUsageRestrictions.
  - GOV_REGIONS_ONLY: Indicates project is restricted to AWS GovCloud regions that meet more stringent U.S. government security requirements. To learn more, see the AWS GovCloud documentation.
  - COMMERCIAL_FEDRAMP_REGIONS_ONLY: Indicates project is restricted to AWS FedRAMP Moderate standard regions.
- spec.projectIpAccessList
- Type: array - Required - IP access list that grants network access to Atlas clusters in the project. You can specify the following body parameters (parameter - type - necessity - description):
  - awsSecurityGroup - string - Conditional - Unique identifier of the AWS security group to add to the access list. Your access list entry can include only one awsSecurityGroup, one cidrBlock, or one ipAddress. You must configure VPC peering for your project before you can add an AWS security group to an access list.
  - cidrBlock - string - Conditional - Range of IP addresses in CIDR notation to be added to the access list. Your access list entry can include only one awsSecurityGroup, one cidrBlock, or one ipAddress.
  - comment - string - Optional - Comment associated with the access list entry.
  - deleteAfterDate - date - Optional - Timestamp in ISO 8601 date and time format in UTC after which Atlas removes the entry from the access list. The specified date must be in the future and within one week of the time you make the API request. IMPORTANT: You cannot set AWS security groups as temporary access list entries. You may include an ISO 8601 time zone designator to ensure that the expiration date occurs with respect to the local time in the specified time zone.
  - ipAddress - string - Conditional - Single IP address to be added to the access list. Mutually exclusive with awsSecurityGroup and cidrBlock. Your access list entry can include only one awsSecurityGroup, one cidrBlock, or one ipAddress.
- spec.settings.isCollectDatabaseSpecificsStatisticsEnabled
- Type: boolean - Optional - Flag that indicates whether your project has collection of database statistics in cluster metrics enabled. 
- spec.settings.isDataExplorerEnabled
- Type: boolean - Optional - Flag that indicates whether your project has data explorer enabled. 
- spec.settings.isExtendedStorageSizesEnabled
- Type: boolean - Optional - Flag that indicates whether to enable extended storage sizes for the specified project. To learn more about enabling extended storage, see Manage Project Settings. 
- spec.settings.isPerformanceAdvisorEnabled
- Type: boolean - Optional - Flag that indicates whether your project has Performance Advisor enabled. 
- spec.settings.isRealtimePerformancePanelEnabled
- Type: boolean - Optional - Flag that indicates whether your project has Realtime Performance Panel enabled. 
- spec.settings.isSchemaAdvisorEnabled
- Type: boolean - Optional - Flag that indicates whether your project has Schema Advisor enabled. 
- spec.privateEndpoints
- Type: array - Optional - List that contains the private endpoint configurations for the project. 
- spec.teams
- Type: object - Optional - Object that contains your team specifications. To learn more, see Configure Teams. 
- spec.teams.teamRef.name
- Type: string - Conditional - Human-readable label from the AtlasTeam Custom Resource in the metadata.name field. If you want to assign a team to this project, you must specify this setting.
- spec.teams.teamRef.namespace
- Type: string - Conditional - Namespace specified in the AtlasTeam Custom Resource if other than default.
- spec.teams.teamRef.roles
- Type: string - Conditional - Atlas User Roles that a team uses for this project. If you want to assign a team to this project, you must specify this setting. 
- spec.withDefaultAlertsSettings
- Type: boolean - Optional - Default: true - Flag that indicates whether Atlas Kubernetes Operator creates a project with the default alert configurations. If omitted, defaults to true. If you use this setting, you must also set spec.alertConfigurationSyncEnabled to true for Atlas Kubernetes Operator to modify project alert configurations. If you set this parameter to false when you create a project, Atlas doesn't add the default alert configurations to your project. This setting has no effect on existing projects. For information on how this setting interacts with spec.alertConfigurationSyncEnabled, see the Considerations.
- spec.x509CertRef.name
- Type: string - Optional - Name of the kubernetes.io/tls secret for the X.509 certificate. Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret: kubectl label secret the-user-password atlas.mongodb.com/type=credentials
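The rules this reference states for spec.projectIpAccessList and spec.maintenanceWindow can be checked before a manifest is applied. The linter below is an added example, not code from MongoDB or the operator: the function names, the sample spec and the fixed NOW timestamp are constructed for illustration, and it assumes the spec has already been parsed into a dict.

```python
from datetime import datetime, timedelta, timezone
import ipaddress

TARGETS = ("awsSecurityGroup", "cidrBlock", "ipAddress")


def _parse_utc(stamp):
    """Parse an ISO 8601 timestamp; a value without a zone designator is read as UTC."""
    when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def check_ip_access_list(entries, now):
    """Findings for spec.projectIpAccessList, one string per violated rule."""
    findings = []
    for i, entry in enumerate(entries):
        where = f"projectIpAccessList[{i}]"
        present = [key for key in TARGETS if entry.get(key)]
        # Assumption of this example: an entry with no target at all is flagged too.
        if len(present) != 1:
            findings.append(f"{where}: needs exactly one of {TARGETS}, has {present}")
        try:
            if "cidrBlock" in present:
                ipaddress.ip_network(entry["cidrBlock"], strict=False)
            if "ipAddress" in present:
                ipaddress.ip_address(entry["ipAddress"])
        except ValueError as err:
            findings.append(f"{where}: {err}")
        expiry = entry.get("deleteAfterDate")
        if not expiry:
            continue
        if "awsSecurityGroup" in present:
            findings.append(f"{where}: AWS security groups cannot be temporary entries")
        try:
            when = _parse_utc(expiry)
        except ValueError:
            findings.append(f"{where}: deleteAfterDate is not ISO 8601: {expiry!r}")
            continue
        if not now < when <= now + timedelta(days=7):
            findings.append(f"{where}: deleteAfterDate must be in the future and within one week")
    return findings


def check_maintenance_window(window):
    """Findings for spec.maintenanceWindow."""
    findings = []
    if window.get("defer") and window.get("startASAP"):
        findings.append("maintenanceWindow: defer and startASAP can't both be true")
    day, hour = window.get("dayOfWeek"), window.get("hourOfDay")
    if day is not None and day not in range(1, 8):
        findings.append(f"maintenanceWindow.dayOfWeek: {day} is not 1 (Sunday) to 7 (Saturday)")
    if hour is not None and hour not in range(0, 24):
        findings.append(f"maintenanceWindow.hourOfDay: {hour} is not 0 to 23")
    return findings


def lint_project(spec, now):
    """Run both checks over a parsed AtlasProject spec."""
    return (check_ip_access_list(spec.get("projectIpAccessList", []), now)
            + check_maintenance_window(spec.get("maintenanceWindow", {})))


# Constructed sample: documentation-range addresses and a made-up security group id.
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)
SAMPLE_SPEC = {
    "projectIpAccessList": [
        {"cidrBlock": "203.0.113.0/24", "comment": "office"},
        {"ipAddress": "198.51.100.7", "cidrBlock": "198.51.100.0/24"},
        {"awsSecurityGroup": "sg-0123456789abcdef0", "deleteAfterDate": "2030-01-03T00:00:00Z"},
        {"ipAddress": "192.0.2.10", "deleteAfterDate": "2030-02-01T00:00:00Z"},
    ],
    "maintenanceWindow": {"dayOfWeek": 8, "hourOfDay": 3, "defer": True, "startASAP": True},
}

if __name__ == "__main__":
    for finding in lint_project(SAMPLE_SPEC, NOW):
        print(finding)
```

In a pipeline, pass the current UTC time instead of NOW and fail the job when lint_project returns any finding.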