Docs Menu
Docs Home
/ /
MongoDB Atlas Kubernetes Operator
/

AtlasDatabaseUser Custom Resource

On this page

  • Connection Secrets
  • Examples
  • Project and Clusters
  • Database User without Scopes
  • Database User with Scopes
  • Database User with X.509 Authentication
  • Database User with OIDC Authentication
  • Database User with AWS IAM Authentication
  • Parameters

The AtlasDatabaseUser custom resource configures the database user in an Atlas project. You create database users per project, not per cluster. So, the AtlasDatabaseUser custom resource configuration contains a reference to the AtlasProject Custom Resource. Create the AtlasProject Custom Resource beforehand.

Important

Custom Resources No Longer Delete Objects by Default

  • Atlas Kubernetes Operator uses custom resource configuration files to manage your Atlas configuration, but as of Atlas Kubernetes Operator 2.0, custom resources you delete in Kubernetes are no longer (by default) deleted in Atlas. Instead, Atlas Kubernetes Operator simply stops managing those resources in Atlas. For example, if you delete an AtlasProject Custom Resource in Kubernetes, by default the Atlas Kubernetes Operator no longer automatically deletes the corresponding project from Atlas. This change in behavior is intended to help prevent accidental or unexpected deletions. To learn more, including how to revert this behavior to the default used prior to Atlas Kubernetes Operator 2.0, see New Default: Deletion Protection in Atlas Kubernetes Operator 2.0.

    Similarly, Atlas Kubernetes Operator does not delete teams from Atlas if you remove them from an Atlas project in Kubernetes with the Atlas Kubernetes Operator.

  • Explicitly define your desired configuration details in order to avoid implicitly using default Atlas configuration values. In some cases, inheriting Atlas defaults may result in a reconciliation loop which can prevent your custom resource from achieving a READY state. For example, explicitly defining your desired autoscaling behavior in your AtlasDeployment custom resource, as shown in the included example, ensures that a static instance size in your custom resource is not being repeatedly applied to an Atlas deployment which has autoscaling enabled.

    autoScaling:
    diskGB:
    enabled: true
    compute:
    enabled: true
    scaleDownEnabled: true
    minInstanceSize: M30
    maxInstanceSize: M40

The following example shows a reference to the AtlasProject Custom Resource:

spec:
projectRef:
name: my-project

Atlas Kubernetes Operator ensures the database user configuration in Atlas matches the configuration in Kubernetes.

Atlas Kubernetes Operator does one of the following actions using the Atlas Database Users API:

  • Creates a new database user.

  • Updates an existing user.

Before you create a database user, you must create an opaque secret with a single password field to log into the Atlas cluster database.

Note

You must create the secret in the same namespace where the AtlasDatabaseUser custom resource is located.

The following example creates a secret:

kubectl create secret generic the-user-password --from-literal="password=P@@sword%"

Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.

The following example labels a secret:

kubectl label secret the-user-password atlas.mongodb.com/type=credentials

After Atlas Kubernetes Operator successfully creates or updates the database user in Atlas, Atlas Kubernetes Operator creates or updates the connection secrets in the same namespace where the AtlasDatabaseUser custom resource is located.

Connection secrets contain all the information required to connect to the Atlas clusters including the following parameters:

Parameter
Description
connectionStringStandard
Public mongodb:// connection URI.
connectionstringStandardSrv
Public mongodb+srv:// connection URI.
username
Name that identifies the database user.
password
Password of the database user.

Applications running in Kubernetes can use this information to connect to Atlas clusters. You can mount the secrets to the application pods as files and the application process can read these files to get data.

The following example shows mounting the secret as an environment variable:

spec:
containers:
- name: test-app
env:
- name: "CONNECTIONSTRING"
valueFrom:
secretKeyRef:
name: project-cluster-basic-theuser
key: connectionStringStandardSrv

The following example shows mounting the secret as files:

spec:
containers:
- name: test-app
volumeMounts:
- mountPath: /var/secrets/
name: theuser-connection
volumes:
- name: theuser-connection
secret:
secretName: project-cluster-basic-theuser

By default, Atlas Kubernetes Operator creates the database user connection secret for each cluster in the same project that the AtlasDatabaseUser references. You can change this behavior with the spec.scopes parameter. This parameter restricts the clusters where the database user gets created. The name of the connection secret uses the following format: <project_name>-<cluster_name>-<db_user_name>.

The following example shows an Atlas project and the clusters that reference it:

apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
name: my-project
spec:
name: p1
projectIpAccessList:
- ipAddress: "192.0.2.15"
comment: "IP address for Application Server A"
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
name: my-aws-cluster
spec:
name: aws-cluster
projectRef:
name: my-project
providerSettings:
instanceSizeName: M10
providerName: AWS
regionName: US_EAST_1
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
name: my-gcp-cluster
spec:
name: gcp-cluster
projectRef:
name: my-project
providerSettings:
instanceSizeName: M10
providerName: GCP
regionName: EASTERN_US

The following example shows an AtlasDatabaseUser custom resource specification with spec.scopes omitted:

apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
name: my-database-user
spec:
roles:
- roleName: readWriteAnyDatabase
databaseName: admin
projectRef:
name: my-project
username: theuser
passwordSecretRef:
name: the-user-password

After you create this custom resource, Atlas Kubernetes Operator creates the following secrets:

  • p1-aws-cluster-theuser

  • p1-gcp-cluster-theuser

The following example shows an AtlasDatabaseUser custom resource specification with spec.scopes set to the Google Cloud cluster only:

apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
name: my-database-user
spec:
roles:
- roleName: "readWriteAnyDatabase"
databaseName: "admin"
projectRef:
name: my-project
username: theuser
passwordSecretRef:
name: the-user-password
scopes:
- type: CLUSTER
name: gcp-cluster

After you update this custom resource, Atlas Kubernetes Operator removes theuser from the aws-cluster. It also removes the p1-aws-cluster-theuser secret from the Kubernetes cluster.

The following example shows an AtlasDatabaseUser custom resource specification with X.509 authentication.

apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
name: my-database-user
spec:
username: CN=my-x509-authenticated-user,OU=organizationalunit,O=organization
databaseName: "\$external"
x509Type: "CUSTOMER"
roles:
- roleName: "readWriteAnyDatabase"
databaseName: "admin"
projectRef:
name: my-project

The following example shows an AtlasDatabaseUser custom resource specification with OIDC.

apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
name: my-database-user
spec:
roles:
- roleName: "readWriteAnyDatabase"
databaseName: "admin"
projectRef:
name: my-project
username: my-oidc-group-id/my-idp-group-name
oidcAuthType: IDP_GROUP

The following example shows an AtlasDatabaseUser custom resource specification with AWS IAM.

apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
name: my-database-user
spec:
username: arn:aws:iam::123456789012:user/johndoe
roles:
- roleName: "readWriteAnyDatabase"
databaseName: "admin"
projectRef:
name: my-project
awsIAMType: USER

This section describes some of the key AtlasDatabaseUser custom resource parameters available. For a full list of parameters available, see the Atlas Database Users API. Refer to these descriptions, the available examples, and the API documentation to customize your specifications.

spec.awsIAMType

Type: string

Optional

Label that indicates whether the database user authenticates with the AWS IAM credentials associated with the user, or the user's role. If you don't specify a value, Atlas uses the default value of NONE.

This parameter accepts:

NONE
User who doesn't use AWS IAM authentication.
USER
User who authenticates with the AWS IAM credentials associated with the user.
ROLE
User who authenticates with the AWS IAM credentials associated with the user's role.
spec.connectionSecret.name

Type: string

Conditional

Name of the opaque secret that contains the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. If unspecified, Atlas Kubernetes Operator falls back to either:

  • The spec.connectionSecretRef.name parameter of the parent atlasProject

  • The default global secret, if spec.connectionSecretRef.name is undefined for the parent atlasProject

This parameter is mandatory for independent CRDs.

Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.

The following example labels a secret:

kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.databaseName

Type: string

Required

Database against which the database user authenticates. Database users must provide both a username and authentication database to log into MongoDB.

If the database user authenticates with SCRAM-SHA, this value must be admin.

If the database user authenticates with X.509, this value must be \$external.

spec.externalProjectRef.id

Type: string

Conditional

ID of the project to which the database user belongs. You must specify the project ID of an existing Atlas Project. This parameter is required for database users who belong to projects managed by either:

  • A different instance of Atlas Kubernetes Operator

  • Tooling other than Atlas Kubernetes Operator

For database users who belong to projects managed by the same instance of Atlas Kubernetes Operator, use spec.projectRef.name if you do not use spec.externalProjectRef.id.

spec.oidcAuthType

Type: string

Conditional

OIDC method by which the database authenticates the provided spec.username.

If the database user authenticates with OpenID Connect, this value must be IDP_GROUP.

spec.passwordSecretRef

Type: string

Conditional

Reference to the secret that contains the password. The SCRAM-SHA authentication method requires this parameter.

spec.projectRef.name

Type: string

Conditional

Name of the project to which the database user belongs. You must specify an existing AtlasProject Custom Resource. This parameter applies only to database users who belong to projects managed by the same instance Atlas Kubernetes Operator.

For database users who belong to projects managed by either:

  • a different instance of Atlas Kubernetes Operator

  • tooling other than Atlas Kubernetes Operator

use spec.externalProjectRef.name.

spec.roles

Type: array

Required

List that contains the user's roles and the databases or collections on which the roles apply. For a full list of parameters available, see the Atlas Database Users API.

spec.scopes

Type: array

Optional

List that contains the clusters where the user gets created.

spec.scopes.name

Type: string

Conditional

Human-readable label that identifies the cluster that the database user can access. You must specify this parameter if you specified spec.scopes.

spec.scopes.type

Type: string

Conditional

Human-readable label that identifies the resource type that the database user can access. Atlas Kubernetes Operator currently supports only CLUSTER. You must specify this parameter if you specified spec.scopes.

spec.username

Type: string

Required

Human-readable label that identifies the user needed to authenticate to the MongoDB database or collection.

If the database user authenticates with OpenID Connect, this value must be your Atlas OIDC IdP followed by a forward slash / and your IdP group name.

If the database user authenticates with AWS IAM credentials, this value must be the user that authenticates with the AWS IAM credentials or the role of the user that authenticates with the AWS IAM credentials in Amazon Resource Name format.

spec.x509Type

Type: string

Optional

X.509 method by which the database authenticates the provided spec.username. If you don't specify a value, Atlas uses the default value of NONE.

This parameter accepts:

NONE
User that doesn't use X.509 authentication.
MANAGED

User that uses Atlas-managed X.509.

You must specify \$external for the spec.databaseName parameter.

CUSTOMER

User that uses Self-Managed X.509. Users created with this x509Type require a Common Name (CN) in the spec.username parameter. To learn more, see RFC 2253.

You must specify \$external for the spec.databaseName parameter.

For the configuration parameters available from the API, see the Atlas Database Users API.

Currently, Atlas Kubernetes Operator does not support the following parameters available from the Atlas Database Users API:

  • ldapAuthType

Do not specify the following parameters:

Back

AtlasDeployment