Docs Menu
Docs Home
/ /
MongoDB Atlas Kubernetes Operator
/

AtlasFederatedAuth Custom Resource

On this page

  • Examples
  • Parameters

The AtlasFederatedAuth custom resource configures federated authentication for your Atlas organization.

When you create the AtlasFederatedAuth custom resource, Atlas Kubernetes Operator uses the Federated Authentication API Resource to update the organization configuration for the federation. In the organization configuration, you specify federation settings for your Atlas organization such as organization and role mappings.

Important

Custom Resources No Longer Delete Objects by Default

Atlas Kubernetes Operator uses custom resource configuration files to manage your Atlas configuration, but as of Atlas Kubernetes Operator 2.0, custom resources you delete in Kubernetes are no longer deleted in Atlas. Instead, Atlas Kubernetes Operator simply stops managing those resources. For example, if you delete an AtlasProject Custom Resource in Kubernetes, Atlas Kubernetes Operator no longer automatically deletes the corresponding project from Atlas, preventing accidental or unexpected deletions. To learn more, including how to revert this behavior to the default used prior to Atlas Kubernetes Operator 2.0, see New Default: Deletion Protection in Atlas Kubernetes Operator 2.0.

To use this resource, you must have an existing identity provider (IdP) linked to your Atlas organization. To learn more, see Leverage Federated Authentication from Kubernetes.

The following example configures an AtlasFederatedAuth custom resource that does the following:

apiVersion: atlas.mongodb.com/v1
kind: AtlasFederatedAuth
metadata:
name: atlas-default-federated-auth
namespace: mongodb-atlas-system
spec:
enabled: true
connectionSecretRef:
name: my-org-secret
namespace: mongodb-atlas-system
domainAllowList:
- my-org-domain.com
domainRestrictionEnabled: true
ssoDebugEnabled: false
postAuthRoleGrants:
- ORG_MEMBER
roleMappings:
- externalGroupName: org-admin
roleAssignments:
- role: ORG_OWNER
- externalGroupName: dev-team
roleAssignments:
- role: ORG_GROUP_CREATOR
- projectName: dev-project
role: GROUP_OWNER
status:
conditions:
- type: Ready
status: True
- type: RolesReady
status: True
- type: UsersReady
status: True

Note

The preceding example includes the status section, which describes the update process. To learn more, see Create and Update Process.

This section describes the parameters available for the AtlasFederatedAuth custom resource. For detailed descriptions of the parameters, see the Atlas Federated Authentication API Resource.

Refer to these descriptions, the example on this page, and the API documentation to customize your specifications.

metadata.name

Type: string

Required

Name that identifies the AtlasFederatedAuth custom resource that Atlas Kubernetes Operator uses to configure federated authentication for the organization.

metadata.namespace

Type: string

Optional

Namespace where you want to deploy the AtlasFederatedAuth custom resource.

spec.enabled

Type: boolean

Required

Flag that determines whether to enable federated authentication for the organization. Defaults to false.

spec.connectionSecretRef.name

Type: string

Required

Name of the opaque secret that contains a single password field with the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. When you create the secret, specify the orgID, publicApiKey, and privateApiKey fields.

The secret's API keys must have the Organization Owner role. You can use the same secret from an AtlasProject Custom Resource only if the secret has Organization Owner permissions.

Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.

The following example labels a secret:

kubectl label secret the-user-password atlas.mongodb.com/type=credentials

Note

By default, Atlas Kubernetes Operator keeps connection secrets in the same namespace as the AtlasProject Custom Resource. To store secrets in another namespace, specify the spec.connectionSecretRef.namespace parameter.

spec.connectionSecretRef.namespace

Type: string

Optional

Namespace that contains the secret with the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. If you omit or don't specify this parameter, Atlas Kubernetes Operator keeps connection secrets in the same namespace as the AtlasProject Custom Resource.

spec.domainAllowList

Type: array of strings

Optional

Approved domains that restrict users who can join the organization based on their email address.

spec.domainRestrictionEnabled

Type: boolean

Required

Flag that indicates whether domain restriction is enabled for the connected organization. Defaults to false.

If you set this parameter to true, Atlas returns a list of users that belong to organizations outside of the federation. To learn more, see User Conflicts.

spec.ssoDebugEnabled

Type: boolean

Optional

Flag that indicates whether the identity provider has debug enabled for SSO. Defaults to false.

spec.postAuthRoleGrants

Type: array of strings

Optional

Atlas roles that are granted to a user in this organization after authenticating. For example:

  • ORG_MEMBER

  • ORG_READ_ONLY

  • ORG_BILLING_ADMIN

  • ORG_GROUP_CREATOR

  • ORG_OWNER

  • ORG_BILLING_READ_ONLY

  • ORG_TEAM_MEMBERS_ADMIN

For a full list of accepted values, refer to the Federated Authentication API Resource.

spec.roleMappings

Type: array of objects

Optional

Role mappings that are configured in this organization.

The spec.roleMappings.roleAssignments parameter must include at least one organization role within the current organization or the projects in the organization.

spec.roleMappings.externalGroupName

Type: string

Required

Unique human-readable label that identifies the identity provider group to which this role mapping applies.

spec.roleMappings.roleAssignments

Type: array of objects

Optional

Atlas roles and the unique identifiers of the groups and organizations associated with each role. This parameter must include at least one organization role within the current organization or the projects in the organization.

spec.roleMappings.roleAssignments.projectName

Type: string

Optional

The Atlas project in the same organization to which to associate the role.

spec.roleMappings.roleAssignments.role

Type: string

Optional

Human-readable label that identifies the collection of privileges that Atlas grants a specific API key, user, or team. These roles include organization and project-level privileges.

Atlas Kubernetes Operator accepts the following values:

  • ORG_MEMBER

  • ORG_READ_ONLY

  • ORG_BILLING_ADMIN

  • ORG_GROUP_CREATOR

  • ORG_OWNER

  • ORG_BILLING_READ_ONLY

  • ORG_TEAM_MEMBERS_ADMIN

  • GROUP_AUTOMATION_ADMIN

  • GROUP_BACKUP_ADMIN

  • GROUP_MONITORING_ADMIN

  • GROUP_OWNER

  • GROUP_READ_ONLY

  • GROUP_USER_ADMIN

  • GROUP_BILLING_ADMIN

  • GROUP_DATA_ACCESS_ADMIN

  • GROUP_DATA_ACCESS_READ_ONLY

  • GROUP_DATA_ACCESS_READ_WRITE

  • GROUP_CHARTS_ADMIN

  • GROUP_CLUSTER_MANAGER

  • GROUP_SEARCH_INDEX_EDITOR

Back

AtlasStreamInstance

On this page