AtlasProject
Custom Resource
On this page
The AtlasProject
custom resource configures the project in
Atlas. When you create the AtlasProject
custom resource,
Atlas Kubernetes Operator tries to create a new project in Atlas.
Important
Custom Resources No Longer Delete Objects by Default
Atlas Kubernetes Operator uses custom resource configuration
files to manage your Atlas configuration, but as of Atlas Kubernetes Operator 2.0,
custom resources you delete in Kubernetes are no longer deleted in
Atlas. Instead, Atlas Kubernetes Operator simply stops managing those resources.
For example, if you delete an AtlasProject
Custom Resource
in Kubernetes, Atlas Kubernetes Operator no longer automatically deletes the corresponding project
from Atlas, preventing accidental or unexpected deletions. To learn more,
including how to revert this behavior to
the default used prior to Atlas Kubernetes Operator 2.0, see New Default: Deletion Protection in Atlas Kubernetes Operator 2.0.
Atlas Kubernetes Operator does one of the following actions:
Creates a new project in the organization that the connection secret configures.
Reuses an existing project. In this case, Atlas Kubernetes Operator verifies whether a project with
spec.name
exists. If the project exists, Atlas Kubernetes Operator skips creation. After the reconciliation, Atlas Kubernetes Operator updates thestatus.id
field with the id of the project.
You can use the spec.connectionSecretRef.name
parameter
to set the connection secret for the AtlasProject
custom
resource. This parameter overrides the default global
connection
secret.
Note
By default, Atlas Kubernetes Operator keeps connection secrets in the same namespace
as the AtlasProject
Custom Resource. To store
secrets in another namespace, specify the
spec.connectionSecretRef.namespace
parameter.
To connect to the Atlas Administration API, Atlas Kubernetes Operator reads the organization ID and API keys from Atlas Kubernetes Operator secrets.
You can also edit the AtlasProject
custom resource specification to
configure the following options:
An IP access list with the
spec.projectIpAccessList
parameter. This IP access list grants network access to Atlas clusters in the project.Teams with the
spec.teams
parameter. A team lets you grant an access role to an entire group of Atlas users for a particular project.The maintenance window with the
spec.maintenanceWindow
parameter. The maintenance window sets the hour and day that Atlas starts weekly maintenance on your database deployments.Network peering with the
spec.networkPeers
parameter. Network peering allows you to connect securely to your AWS, Azure, or Google Cloud VPC.Encryption at rest using customer-managed keys with the
spec.encryptionAtRest
parameter. Encryption at rest using customer-managed keys allows you to add an additional layer of security by using your cloud provider's KMS together with the MongoDB encrypted storage engine.Private endpoints with the
spec.privateEndpoints
parameter.X.509 authentication with the
spec.x509CertRef.name
parameter.Project settings with the
spec.settings
parameter, including settings to enable and disable the following:Collection of database statistics in cluster metrics
Project alerts configurations with the
spec.alertConfigurationSyncEnabled
andspec.alertConfigurations
parameters.For information on how these settings interact, see the Considerations.
If you remove the AtlasProject
resource from your Kubernetes cluster,
Atlas Kubernetes Operator removes the project from Atlas. You must remove all the
clusters in the project beforehand. Otherwise, Atlas rejects the
delete request.
Example
The following example shows an AtlasProject
custom resource
specification:
apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: name: Test project connectionSecretRef: name: my-atlas-key projectIpAccessList: - cidrBlock: "203.0.113.0/24" comment: "CIDR block for Application Server B - D"
Prometheus Example
The following example shows an AtlasProject
custom resource
specification that integrates with Prometheus:
apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: name: TestPrometheusIntegration connectionSecretRef: name: my-atlas-key projectIpAccessList: - cidrBlock: "0.0.0.0/1" comment: "Everyone has access. For test purposes only." - cidrBlock: "128.0.0.0/1" comment: "Everyone has access. For test purposes only." integrations: - type: "PROMETHEUS" enabled: "true" username: "prometheus-user" passwordRef: name: "password-name" namespace: "password-namespace" scheme: "http" serviceDiscovery: "http"
To learn more, see Integrate with Third-Party Services.
Note
Atlas Kubernetes Operator offers a sample Grafana dashboard that you can import into Grafana.
Teams Example
The following example shows an AtlasProject
custom resource
specification that gives the green-leaf-team
the Organization Owner
role for this project. The team members are defined in the
AtlasTeam custom resource.
apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: name: Test project teams: - teamRef: name: green-leaf-team roles: - ORGANIZATION_OWNER
To learn more, see Configure Teams.
Maintenance Window Example
The following example shows an AtlasProject
custom resource
specification that sets the maintenance window to 5:00 AM every Tuesday with automatic deferral disabled:
apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: name: Test project projectIpAccessList: - ipAddress: "192.0.2.15" comment: "IP address for Application Server A" maintenanceWindow: dayOfWeek: 3 hourOfDay: 5 autoDefer: false
Project Settings Example
The following example shows an AtlasProject
custom resource
specification that disables the collection of database statistics in
cluster metrics,
data explorer, Performance Advisor, Realtime Performance Panel, and Schema Advisor.
apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: name: Test project projectIpAccessList: - ipAddress: "192.0.2.15" comment: "IP address for Application Server A" settings: isCollectDatabaseSpecificsStatisticsEnabled: false isDataExplorerEnabled: false isExtendedStorageSizesEnabled: false isPerformanceAdvisorEnabled: false isRealtimePerformancePanelEnabled: false isSchemaAdvisorEnabled: false
Alert Configuration Example
The following example shows an AtlasProject
custom resource
specification that configures an alert that triggers if the oplog
window reaches less than one hour:
apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: name: Test Atlas Operator Project connectionSecretRef: name: my-atlas-key alertConfigurations: - eventTypeName: "REPLICATION_OPLOG_WINDOW_RUNNING_OUT", enabled: true, notifications: - delayMin: 0 emailEnabled: true intervalMin: 60 roles: [ "GROUP_OWNER" ] smsEnabled: false typeName: "GROUP" threshold: operator: "LESS_THAN", threshold: "1", units: "HOURS" alertConfigurationSyncEnabled: true withDefaultAlertsSettings: false
Third-Party Alert Configuration Example
The following example shows an AtlasProject
custom resource
specification that configures an alert that sends notifications through
Slack:
apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: name: Test Atlas Operator Project connectionSecretRef: name: my-atlas-key alertConfigurations: - eventTypeName: "REPLICATION_OPLOG_WINDOW_RUNNING_OUT", enabled: true, notifications: - delayMin: 0 emailEnabled: true intervalMin: 60 roles: [ "GROUP_OWNER" ] smsEnabled: false - typeName: "SLACK" apiTokenRef: name: key-name namespace: key-namespace threshold: operator: "LESS_THAN", threshold: "1", units: "HOURS" alertConfigurationSyncEnabled: true withDefaultAlertsSettings: false
Parameters
This section describes the AtlasProject
custom resource parameters:
spec.name
Type: string
Required
Name of the project created or updated in Atlas. The name length must not exceed 64 characters. The name can contain only letters, numbers, spaces, dashes, and underscores.
spec.alertConfigurations
Type: array of objects
Optional
List that contains alert configurations for this project.
If you use this setting, you must also set
spec.alertConfigurationSyncEnabled
totrue
for Atlas Kubernetes Operator to modify project alert configurations.If you omit or leave this setting empty, Atlas Kubernetes Operator doesn't alter the project's alert configurations. If creating a project, Atlas applies the default project alert configurations.
spec.alertConfigurations.eventTypeName
Type: string
Required
Event that triggers an alert that this alert configration describes.
To learn about the values that Atlas Kubernetes Operator accepts, see the request body schema for the Create One Alert Configuration in One Project endpoint in the MongoDB Atlas Administration API documentation.
spec.alertConfigurations.enabled
Type: boolean
Optional
Default:
false
Flag that indicates whether this alert configuration is enabled. If omitted, defaults to
false
.
spec.alertConfigurations.matchers
Type: array of objects
Conditional
List of rules that determine whether Atlas checks an object for the alert configuration. You can filter using the matchers array if
spec.alertConfigurations.eventTypeName
specifies an event for a host, replica set, or sharded cluster.
spec.alertConfigurations.matchers.fieldName
Type: string
Conditional
Human-readable label that identifies the parameter in the target object that Atlas checks. The parameter must match all rules for Atlas to check for alert configurations.
Atlas Kubernetes Operator accepts the following values:
CLUSTER_NAME
HOSTNAME
HOSTNAME_AND_PORT
PORT
REPLICA_SET_NAME
SHARD_NAME
TYPE_NAME
Atlas Kubernetes Operator requires this setting if you include an object in the
spec.alertConfigurations.matchers
array.
spec.alertConfigurations.matchers.operator
Type: string
Conditional
Comparison operator to apply when checking the current metric value against
spec.alertConfigurations.matchers.value
.Atlas Kubernetes Operator accepts the following values:
EQUALS
CONTAINS
STARTS_WITH
ENDS_WITH
NOT_EQUALS
NOT_CONTAINS
REGEX
Atlas Kubernetes Operator requires this setting if you include an object in the
spec.alertConfigurations.matchers
array.
spec.alertConfigurations.matchers.value
Type: string
Conditional
Value to match or exceed using the specified
spec.alertConfigurations.matchers.operator
.Atlas Kubernetes Operator requires this setting if you include an object in the
spec.alertConfigurations.matchers
array.
spec.alertConfigurations.metricThreshold
Type: object
Conditional
Threshold for the metric that, when exceeded, triggers an alert.
Atlas Kubernetes Operator requires this setting when
spec.alertConfigurations.eventTypeName
isOUTSIDE_METRIC_THRESHOLD
.
spec.alertConfigurations.metricThreshold.metricName
Type: string
Conditional
Human-readable label that identifies the metric against which Atlas checks the configured
spec.alertConfigurations.metricThreshold.threshold
.To learn about the values that Atlas Kubernetes Operator accepts, see the request body schema for the Create One Alert Configuration in One Project endpoint in the MongoDB Atlas Administration API documentation.
Atlas Kubernetes Operator requires this setting if you include the
spec.alertConfigurations.metricThreshold
object.
spec.alertConfigurations.metricThreshold.mode
Type: string
Optional
Default:
AVERAGE
Atlas computes the current metric value as an average.
Atlas Kubernetes Operator accepts only a value of
AVERAGE
.
spec.alertConfigurations.metricThreshold.operator
Type: string
Conditional
Comparison operator to apply when checking the current metric value.
Atlas Kubernetes Operator accepts the following values:
GREATER_THAN
LESS_THAN
Atlas Kubernetes Operator requires this setting if you include the
spec.alertConfigurations.metricThreshold
object.
spec.alertConfigurations.metricThreshold.threshold
Type: integer
Conditional
Value of metric that, when exceeded, triggers an alert.
Atlas Kubernetes Operator requires this setting if you include the
spec.alertConfigurations.metricThreshold
object.
spec.alertConfigurations.metricThreshold.units
Type: string
Conditional
Element used to express the quantity. This value can be an element of time, storage capacity, and so on
Atlas Kubernetes Operator accepts the following values:
BITS
BYTES
DAYS
GIGABITS
GIGABYTES
HOURS
KILOBITS
KILOBYTES
MEGABITS
MEGABYTES
MILLISECONDS
MINUTES
PETABYTES
RAW
SECONDS
TERABYTES
Atlas Kubernetes Operator requires this setting if you include the
spec.alertConfigurations.metricThreshold
object.
spec.alertConfigurations.notifications
Type: array
Conditional
List that describes the notifications that Atlas sends for alerts that this alert configuration describes.
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with your API token for Slack.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials If you want notifications through Slack, you must specify this setting.
spec.alertConfigurations.notifications.apiTokenRef.namespace
Type: string
Conditional
Namespace that contains your API token for Slack. If you want notifictions through Slack, you must specify this setting.
spec.alertConfigurations.notifications.channelName
Type: string
Conditional
Human-readable label that identifies the Slack channel to which Atlas sends alert notifications.
Atlas Kubernetes Operator requires this setting when you set
spec.alertConfigurations.notifications.typeName
toSLACK
.
spec.alertConfigurations.notifications.datadogApiKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with the API key for Datadog. If you want notifications through Datadog, you must specify this setting`.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.alertConfigurations.notifications.datadogApiKeyRef.namespace
Type: string
Conditional
Namespace that contains your API key for Datadog. If you want notifications through Datadog, you must specify this setting.
spec.alertConfigurations.notifications.datadogRegion
Type: string
Optional
Default:
US
Datadog region that indicates which API Uniform Resource Locator (URL) to use.
Atlas Kubernetes Operator accepts the following values:
US
EU
spec.alertConfigurations.notifications.delayMins
Type: integer
Optional
Default:
0
Number of minutes that Atlas waits after it detects an alert condition before it sends out the first notification.
spec.alertConfigurations.notifications.emailAddress
Type: string
Conditional
Email address to which Atlas sends alert notifications.
Atlas Kubernetes Operator requires this setting if you set
spec.alertConfigurations.notifications.typeName
toEMAIL
.Atlas Kubernetes Operator doesn't require this setting to send email notifications when you set
spec.alertConfigurations.notifications.typeName
to one of the following values:GROUP
ORG
TEAM
USERS
To send emails to one Atlas user or group of users, set the
spec.alertConfigurations.notifications.emailEnabled
parameter.
spec.alertConfigurations.notifications.emailEnabled
Type: boolean
Conditional
Flag that indicates whether Atlas sends email notifications.
Atlas Kubernetes Operator requires this setting when you set
spec.alertConfigurations.notifications.typeName
to one of the following values:GROUP
ORG
TEAM
spec.alertConfigurations.notifications.intervalMin
Type: integer
Optional
Number of minutes to wait between successive notifications. Atlas sends notifications until someone acknowledges the unacknowledged alert. Atlas Kubernetes Operator accepts values greater than or equal to
5
.PagerDuty, VictorOps, and OpsGenie notifications don't use this field. Configure and manage the notification interval within each of those services.
spec.alertConfigurations.notifications.microsoftTeamsWebhookUrl
Type: string
Conditional
Microsoft Teams Webhook Uniform Resource Locator (URL) that Atlas needs to send this notification via Microsoft Teams. If the URL later becomes invalid, Atlas sends an email to the project owners. If the key remains invalid, Atlas removes it.
Atlas Kubernetes Operator requires this setting if you set
spec.alertConfigurations.notifications.typeName
toMICROSOFT_TEAMS
.
spec.alertConfigurations.notifications.mobileNumber
Type: string
Conditional
Mobile phone number to which Atlas sends alert notifications.
Atlas Kubernetes Operator requires this setting if you set
spec.alertConfigurations.notifications.typeName
toSMS
.
spec.alertConfigurations.notifications.opsGenieApiKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with the API key for Opsgenie. If you want notifications through Opsgenie, you must specify this setting.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.alertConfigurations.notifications.opsGenieApiKeyRef.namespace
Type: string
Conditional
Namespace that contains your API key for Opsgenie. If you want notifications through Opsgenie, you must specify this setting.
spec.alertConfigurations.notifications.opsGenieRegion
Type: string
Optional
Default:
US
Opsgenie region that indicates which API Uniform Resource Locator (URL) to use.
Atlas Kubernetes Operator accepts the following values:
US
EU
Atlas Kubernetes Operator applies this setting if you set
spec.alertConfigurations.notifications.typeName
toOPS_GENIE
.
spec.alertConfigurations.notifications.roles
Type: array
Optional
List that contains the one or more organization or project roles that receive the configured alert. If you include this parameter, Atlas sends alerts only to users assigned the roles you specify in the list. If you omit this parameter, Atlas sends alerts to users assigned any role.
Atlas Kubernetes Operator accepts the following values:
GROUP_CLUSTER_MANAGER
GROUP_DATA_ACCESS_ADMIN
GROUP_DATA_ACCESS_READ_ONLY
GROUP_DATA_ACCESS_READ_WRITE
GROUP_OWNER
GROUP_READ_WRITE
ORG_OWNER
ORG_MEMBER
ORG_GROUP_CREATOR
ORG_BILLING_ADMIN
ORG_READ_ONLY
Atlas Kubernetes Operator applies this setting when you set
spec.alertConfigurations.notifications.typeName
to one of the following values:GROUP
ORG
spec.alertConfigurations.notifications.serviceKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with the API key for PagerDuty. If you want notifications through PagerDuty, you must specify this setting.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.alertConfigurations.notifications.serviceKeyRef.namespace
Type: string
Conditional
Namespace that contains your API key for PagerDuty. If you want notifications through PagerDuty, you must specify this setting.
spec.alertConfigurations.notifications.severity
Type: string
Optional
Degree of seriousness given to this notification.
Atlas Kubernetes Operator accepts the following values:
CRITICAL
ERROR
WARNING
spec.alertConfigurations.notifications.smsEnabled
Type: boolean
Conditional
Flag that indicates whether Atlas sends text message notifications.
Atlas Kubernetes Operator requires this setting when you set
spec.alertConfigurations.notifications.typeName
to one of the following values:GROUP
ORG
TEAM
spec.alertConfigurations.notifications.teamId
Type: string
Conditional
Unique 24-hexadecimal digit string that identifies one Atlas team.
Atlas Kubernetes Operator requires this setting if you set
spec.alertConfigurations.notifications.typeName
toTEAM
.
spec.alertConfigurations.notifications.teamName
Type: string
Conditional
Name of the Atlas team that receives this notification.
Atlas Kubernetes Operator requires this setting if you set
spec.alertConfigurations.notifications.typeName
toTEAM
.
spec.alertConfigurations.notifications.typeName
Type: string
Conditional
Human-readable label that displays the alert notification type. This setting is required if you specify a value for the
spec.alertConfigurations.notifications
setting. Atlas supports the following values:DATADOG
EMAIL
OPS-GENIE
ORG
PAGER_DUTY
PROMETHEUS
SLACK
SMS
TEAM
USER
VICTOR_OPS
WEBHOOK
spec.alertConfigurations.notifications.username
Type: string
Conditional
Atlas username of the person to whom Atlas sends notifications. Specify only Atlas users who belong to the project that owns the alert configuration.
Atlas Kubernetes Operator requires this setting if you set
spec.alertConfigurations.notifications.typeName
toUSER
.
spec.alertConfigurations.notifications.victorOpsSecretRef.name
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with the API key for Splunk On-Call. If you want notifications through Splunk On-Call, you must specify this setting.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.alertConfigurations.notifications.victorOpsSecretRef.namespace
Type: string
Conditional
Namespace that contains your API key for Splunk On-Call. If you want notifications through Splunk On-Call, you must specify this setting.
spec.alertConfigurations.notifications.victorOpsRoutingKey
Type: string
Conditional
Routing key that Atlas needs to send alert notifications to Splunk On-Call. If the key later becomes invalid, Atlas sends an email to the project owners. If the key remains invalid, Atlas removes it.
Atlas Kubernetes Operator requires this setting if you set
spec.alertConfigurations.notifications.typeName
toVICTOR_OPS
.
spec.alertConfigurations.notifications.webhookSecret
Type: string
Optional
Authentication secret for a webhook-based alert.
Atlas Kubernetes Operator applies this setting if you set
spec.alertConfigurations.notifications.typeName
toWEBHOOK
.
spec.alertConfigurations.notifications.webhookUrl
Type: string
Conditional
String that indicates your webhook URL.
Atlas Kubernetes Operator requires this setting if you set
spec.alertConfigurations.notifications.typeName
toWEBHOOK
.
spec.alertConfigurations.threshold
Type: object
Conditional
Limit that triggers an alert when exceeded.
Atlas Kubernetes Operator applies this setting if you set
spec.alertConfigurations.eventTypeName
to a value other thanOUTSIDE_METRIC_THRESHOLD
.
spec.alertConfigurations.threshold.operator
Type: string
Conditional
Comparison operator to apply when Atlas checks the current metric value.
Atlas Kubernetes Operator accepts the following values:
GREATER_THAN
LESS_THAN
Atlas Kubernetes Operator requires this setting if you include the
spec.alertConfigurations.threshold
object.
spec.alertConfigurations.threshold.threshold
Type: integer
Conditional
Value of metric that, when exceeded, triggers an alert.
Atlas Kubernetes Operator requires this setting if you include the
spec.alertConfigurations.threshold
object.
spec.alertConfigurations.threshold.units
Type: string
Conditional
Element that expresses the quantity. You can specify an element of time, storage capacity, and so on.
Atlas Kubernetes Operator accepts the following values:
BITS
BYTES
DAYS
GIGABITS
GIGABYTES
HOURS
KILOBITS
KILOBYTES
MEGABITS
MEGABYTES
MILLISECONDS
MINUTES
PETABYTES
RAW
SECONDS
TERABYTES
Atlas Kubernetes Operator requires this setting if you include the
spec.alertConfigurations.threshold
object.
spec.alertConfigurationSyncEnabled
Type: boolean
Optional
Default:
false
Flag that indicates whether Atlas Kubernetes Operator applies the project alert settings defined in
spec.alertConfigurations
. If you omit or set to this parameter tofalse
, Atlas Kubernetes Operator doesn't syncronize the project's alert configurations with the ones that you define in theAtlasProject
custom resource.For information on how this setting interacts with
spec.withDefaultAlertsSettings
, see the Considerations.
spec.auditing.auditAuthorizationSuccess
Type: boolean
Optional
Default:
false
Flag that indicates whether to direct the auditing system to capture successful authentication attempts for audit filters using the
"atype" : "authCheck"
auditing event. To set this parameter totrue
, you must setspec.auditing.enabled
totrue
. To learn more, see auditAuthorizationSuccess.Warning
If you enable auditAuthorizationSuccess, you might severely impact cluster performance. Enable this option with caution.
spec.auditing.auditFilter
Type: string
Optional
JSON-formatted auditing filter. You might need to escape the JSON string to remove characters that could prevent parsing, such as single or double-quotes. To specify a value for this setting, you must set
spec.auditing.enabled
totrue
.To view example auditing filters, see Example Auditing Filters. To learn more about configuring MongoDB auditing filters, see Configure a Custom Auditing Filter.
spec.auditing.enabled
Type: boolean
Conditional
Default:
false
Flag that indicates whether to enable auditing for the project. To specify a value for
spec.auditing.auditFilter
, or to setspec.auditing.auditAuthorizationSuccess
totrue
, you must specify this setting. To learn more, see Enable Audit Logs.
spec.connectionSecretRef.name
Type: string
Optional
Name of the opaque secret that contains a single
password
field with the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. If unspecified, Atlas Kubernetes Operator uses the defaultglobal
secret.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials Note
By default, Atlas Kubernetes Operator keeps connection secrets in the same namespace as the
AtlasProject
Custom Resource. To store secrets in another namespace, specify thespec.connectionSecretRef.namespace
parameter.
spec.connectionSecretRef.namespace
Type: string
Optional
Namespace that contains the secret with the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. If unspecified, Atlas Kubernetes Operator keeps connection secrets in the same namespace as the
AtlasProject
Custom Resource.
spec.cloudProviderAccessRoles
Type: array
Deprecated. Use
spec.cloudProviderIntegrations
instead.List that contains your unified cloud provider access settings.
spec.cloudProviderAccessRoles.iamAssumedRoleArn
Type: string
Deprecated. Use
spec.cloudProviderIntegrations.iamAssumedRoleArn
instead.Unique AWS ARN that identifies the IAM access role that Atlas assumes. If you want to set up unified cloud provider access, you must specify this setting.
spec.cloudProviderAccessRoles.providerName
Type: string
Deprecated. Use
spec.cloudProviderIntegrations.providerName
instead.Cloud provider for the access role that Atlas assumes. Atlas Kubernetes Operator supports
AWS
for unified cloud provider access. If you want to set up unified cloud provider access, you must specify this setting.
spec.cloudProviderIntegrations
Type: array
Optional
List that contains your unified cloud provider integration settings.
spec.cloudProviderIntegrations.iamAssumedRoleArn
Type: string
Conditional
Unique AWS ARN that identifies the IAM access role that Atlas assumes. If you want to set up unified cloud provider integrations, you must specify this setting.
spec.cloudProviderIntegrations.providerName
Type: string
Conditional
Cloud provider for the access role that Atlas assumes. Atlas Kubernetes Operator supports
AWS
for unified cloud provider integrations. If you want to set up unified cloud provider integrations, you must specify this setting.
spec.customRoles
Type: object
Optional
Object that contains your custom role specifications. To learn more, see Configure Custom Database Roles.
spec.customRoles.roleName
Type: string
Optional
Human-readable label that identifies the custom role.
Important
The specified role name can only contain letters, digits, underscores, and dashes. Additionally, you cannot specify a role name which meets any of the following criteria:
Is a name already used by an existing custom role in the project
Is a name of any of the built-in roles
Is
atlasAdmin
Starts with
xgen-
spec.customRoles.actions
Type: array
Optional
List of objects that represents the individual privilege actions that the role grants.
spec.customRoles.actions.action
Type: string
Optional
Human-readable label that identifies the privilege action. For a complete list of actions available in the Atlas Administration API, see /reference/custom-role-actions.
spec.customRoles.actions.resources
Type: array
Optional
List of objects that indicate a database and collection on which the action is granted, or indicates that the action is granted on the cluster resource.
spec.customRoles.actions.resources.cluster
Type: boolean
Optional
Flag that indicates that the action is granted on the cluster resource.
Note
This parameter is mutually exclusive with the
spec.customRoles.actions.resources.collection
andspec.customRoles.actions.resources.db
parameters.
spec.customRoles.actions.resources.collection
Type: string
Optional
Human-readable label that identifies the collection on which the action is granted. If this value is an empty string, the action is granted on all collections within the database specified in the
spec.customRoles.actions.resources.db
parameter.Note
This parameter is mutually exclusive with the
spec.customRoles.actions.resources.cluster
parameter.
spec.customRoles.actions.resources.db
Type: string
Optional
Human-readable label that indentifies the database on which the action is granted.
Note
This parameter is mutually exclusive with the
spec.customRoles.actions.resources.cluster
parameter.
spec.customRoles.inheritedRoles
Type: array
Optional
List of objects that represent key-value pairs that indicate the inherited role and the database on which the role is granted.
spec.customRoles.inheritedRoles.db
Type: string
Optional
Human-readable label that identifies the database on which the inherited role is granted.
Note
This value should be
admin
for all roles except read and readWrite.
spec.customRoles.inheritedRoles.role
Type: string
Optional
Human-readable label that identifies the inherited role. You can specify another custom role or a built-in role.
spec.encryptionAtRest
Type: array
Optional
List that contains the configurations for encryption at rest using customer-managed keys for the project.
spec.encryptionAtRest.awsKms
Type: object
Optional
List that contains the configurations to use AWS KMS for encryption at rest using customer-managed keys for the project.
spec.encryptionAtRest.enabled
Type: boolean
Optional
Flag that indicates whether this project uses AWS KMS to encrypt data at rest. To enable encryption at rest using AWS KMS, set this parameter to
true
. To disable encryption at rest using AWS KMS, set this parameter tofalse
. If you disable encryption at rest using AWS KMS, Atlas Kubernetes Operator removes the configuration details.
spec.encryptionAtRest.awsKms.region
Type: string
Optional
Label that indicates the AWS region where the customer master key exists.
spec.encryptionAtRest.awsKms.secretRef.name
Type: string
Optional
Name of the opaque secret that contains your AWS credentials.
Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.encryptionAtRest.awsKms.secretRef.namespace
Type: string
Optional
Namespace that contains your AWS credentials. If unspecified, this parameter defaults to the namespace of the
AtlasProject
custom resource.
spec.encryptionAtRest.azureKeyVault
Type: object
Optional
List that contains the configurations to use Azure Key Vault for encryption at rest using customer-managed keys for the project.
spec.encryptionAtRest.azureKeyVault.azureEnvironment
Type: string
Optional
Azure deployment location where the Azure account credentials reside. Valid values include
AZURE
,AZURE_CHINA
, andAZURE_GERMANY
.
spec.encryptionAtRest.azureKeyVault.clientID
Type: string
Optional
Unique 36-hexadecimal character string that identifies your Azure application.
spec.encryptionAtRest.azureKeyVault.enabled
Type: boolean
Optional
Flag that indicates whether this project uses Azure Key using Azure key vault, Atlas Kubernetes Operator removes the configuration details.
spec.encryptionAtRest.azureKeyVault.resourceGroupName
Type: string
Optional
Label that identifies the Azure resource group that contains your Azure Key Vault. Azure displays the resource group name on the resource group's details page.
spec.encryptionAtRest.azureKeyVault.secretRef.name
Type: string
Optional
Name of the opaque secret that contains your Azure credentials.
Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.encryptionAtRest.azureKeyVault.secretRef.namespace
Type: string
Optional
Namespace that contains your Azure credentials. If unspecified, this parameter defaults to the namespace of the
AtlasProject
custom resource.
spec.encryptionAtRest.azureKeyVault.tenantID
Type: string
Optional
Unique 36-hexadecimal character string that identifies the Azure Active Directory tenant within your Azure subscription. Azure displays the tenant ID on the tenant properties page.
spec.encryptionAtRest.googleCloudKms
Type: object
Optional
List that contains the configurations to use Google Cloud KMS for encryption at rest using customer-managed keys for the project.
spec.encryptionAtRest.googleCloudKms.enabled`
Type: string
Optional
Flag that indicates whether this project uses Google Cloud KMS to encrypt data at rest. To enable encryption at rest using Google Cloud KMS, set this parameter to
true
. To disable encryption at rest using Google Cloud KMS, set this parameter tofalse
. If you disable encryption at rest using Google Cloud KMS, Atlas Kubernetes Operator removes the configuration details.
spec.encryptionAtRest.googleCloudKms.secretRef.name
Type: string
Optional
Name of the opaque secret that contains your Google Cloud credentials.
Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.encryptionAtRest.googleCloudKms.secretRef.namespace
Type: string
Optional
Namespace that contains your Google Cloud credentials. If unspecified, this parameter defaults to the namespace of the
AtlasProject
custom resource.
spec.integrations
Type: array
Optional
List that contains your third-party integration settings. The parameters that you must specify depend on the third-party service that you want to configure:
ServiceSettingsAllDatadogMicrosoft TeamsOpsgeniePagerDutyPrometheusSlackVictorOpsWebhook Settings
spec.integrations.accountId
Type: string
Conditional
Unique string that identifies your New Relic account. If you want to integrate with New Relic, you must specify this setting.
spec.integrations.apiKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with the API key for Datadog, Opsgenie, or VictorOps. If you want to integrate with Datadog, Opsgenie, or VictorOps, you must specify this setting.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.apiKeyRef.namespace
Type: string
Conditional
Namespace that contains your API key for Datadog, Opsgenie, or VictorOps. If you want to integrate with Datadog, Opsgenie, or VictorOps, you must specify this setting.
spec.integrations.apiTokenRef.name
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with the API token for Slack. If you want to integrate with Slack, you must specify this setting.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.apiTokenRef.namespace
Type: string
Conditional
Namespace that contains your API token for Slack. If you want to integrate with Slack, you must specify this setting.
spec.integrations.enabled
Type: boolean
Conditional
Flag that indicates whether your cluster has Prometheus enabled. If you want to integrate with Prometheus, you must specify this setting as
true
.
spec.integrations.licenseKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with the license key for New Relic. If you want to integrate with New Relic, you must specify this setting.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.licenseKeyRef.namespace
Type: string
Conditional
Namespace that contains your license key for New Relic. If you want to integrate with New Relic, you must specify this setting.
spec.integrations.microsoftTeamsWebhookURL
Type: string
Conditional
String that specifies your Microsoft Teams incoming webhook URL. If you want to integrate with Mircosoft Teams, you must specify this setting.
spec.integrations.passwordRef.name
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with the Prometheus password. If you want to integrate with Prometheus, you must specify this setting.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.passwordRef.namespace
Type: string
Conditional
Namespace that contains your Prometheus password. If you want to integrate with Prometheus, you must specify this setting.
spec.integrations.readTokenRef.name
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with the Insights Query Key for New Relic. If you want to integrate with New Relic, you must specify this setting.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.readTokenRef.namespace
Type: string
Conditional
Namespace that contains your Insights Query Key for New Relic. If you want to integrate with New Relic, you must specify this setting.
spec.integrations.region
Type: string
Conditional
Default:
US
String value that indicates the API URL to use for Datadog or Opsgenie. If you want to integrate with Datadog or Opsgenie, you must specify this setting.
Values for Opsgenie include
US
orEU
.Atlas supports the following Datadog regions in the Atlas Administration API:
Atlas Administration API regionCorresponding Datadog regionUS
US1
US3
US3
US5
US5
EU
EU1
Datadog uses
US1
(US
in the Atlas Administration API) by default.To learn more about Datadog's regions, see Datadog Sites.
spec.integrations.routingKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with the routing key for VictorOps. If you want to integrate with VictorOps, you must specify this setting.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.routingKeyRef.namespace
Type: string
Conditional
Namespace that contains your routing key for VictorOps. If you want to integrate with VictorOps, you must specify this setting.
spec.integrations.secretRef.name
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with the Webhook secret. If you want to integrate with Webhook Settings, you must specify this setting.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.secretRef.namespace
Type: string
Conditional
Namespace that contains your Webhook secret. If you want to integrate with Webhook Settings, you must specify this setting.
spec.integrations.scheme
Type: string
Conditional
String that indicates the Prometheus protocol scheme configured for requests. Values include
http
orhttps
. If you want to integrate with Prometheus, you must specify this setting.
spec.integrations.serviceDiscovery
Type: string
Conditional
Human-readable label that indicates the Prometheus service discovery method to use. Values include
file
orhttp
. If you want to integrate with Prometheus, you must specify this setting.
spec.integrations.serviceKeyRef.name
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with the service key for PagerDuty. If you want to integrate with PagerDuty, you must specify this setting.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.serviceKeyRef.namespace
Type: string
Conditional
Namespace that contains your service key for PagerDuty. If you want to integrate with PagerDuty, you must specify this setting.
spec.integrations.type
Type: string
Conditional
String value that indicates the third-party service to integrate with Atlas. Values include:
DATADOG
MICROSOFT_TEAMS
NEW_RELIC
OPS_GENIE
PAGER_DUTY
PROMETHEUS
SLACK
VICTOR_OPS
WEBHOOK
If you want to integrate with a third-party service, you must specify this setting.
spec.integrations.url
Type: string
Conditional
String that specifies your Webhook URL. If you want to integrate with Webhook Settings, you must specify this setting.
spec.integrations.username
Type: string
Conditional
Human-readable label that identifies the Prometheus user. If you want to integrate with Prometheus, you must specify this setting.
spec.integrations.writeTokenRef.name
Type: string
Conditional
Name of the opaque secret that contains a single
password
field with the write token for New Relic. If you want to integrate with New Relic, you must specify this setting.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials
spec.integrations.writeTokenRef.namespace
Type: string
Conditional
Namespace that contains your write token for New Relic. If you want to integrate with New Relic, you must specify this setting.
spec.maintenanceWindow
Type: object
Optional
List that contains your maintenance window settings. You can specify the following body parameters:
NameTypeNecessityDescriptiondayOfWeeknumberRequiredDay of the week that you want the maintenance window to start, as a 1-based integer.
Day of WeekIntegerSunday1Monday2Tuesday3Wednesday4Thursday5Friday6Saturday7hourOfDaynumberRequiredHour of the day that you want the maintenance window to start. This parameter uses the 24-hour clock, where midnight is 0 and noon is 12.autoDeferOnceEnabledbooleanOptionalFlag that indicates whether you want to defer all maintenance windows one week they would be triggered.Important
Maintenance Window Considerations
- Urgent Maintenance Activities
- Urgent maintenance activities such as security patches cannot wait for your chosen window. Atlas will start those maintenance activities when needed.
- Ongoing Maintenance Operations
- Once maintenance is scheduled for your cluster, you cannot change your maintenance window until the current maintenance efforts have completed.
- Maintenance Requires Replica Set Elections
- Atlas performs maintenance the same way as the maintenance procedure described in the MongoDB Manual. This procedure requires at least one replica set election during the maintenance window per replica set.
- Maintenance Starts As Close to the Hour As Possible
- Maintenance always begins as close to the scheduled hour as possible, but in-progress cluster updates or unexpected system issues could delay the start time.
spec.maintenanceWindow.autoDefer
Type: boolean
Conditional
Flag that indicates whether Atlas should defer all maintenance windows for one week after you enable them.
spec.maintenanceWindow.defer
Type: boolean
Conditional
Flag that indicates whether Atlas should defer scheduled maintenance. You must schedule maintenance before you can successfully defer maintenance.
spec.maintenanceWindow.defer
andspec.maintenanceWindow.startASAP
can't both be set totrue
at the same time.Important
While
spec.maintenanceWindow.defer
is set totrue
, Atlas Kubernetes Operator defers scheduled maintenance every time you apply changes to theAtlasProject
custom resource. If you setspec.maintenanceWindow.defer
totrue
, you should changespec.maintenanceWindow.defer
tofalse
after you apply changes.
spec.maintenanceWindow.dayOfWeek
Type: number
Conditional
One-based integer that represents the day of the week that the maintenance window starts. Use the following table to find the integer that corresponds to each day:
Day of WeekIntegerSunday1Monday2Tuesday3Wednesday4Thursday5Friday6Saturday7If you want to configure the maintenance window for your project, you must specify this setting.
spec.maintenanceWindow.hourOfDay
Type: number
Conditional
Zero-based integer that represents the hour of the of the day that the maintenance window starts according to a 24-hour clock. Use
0
for midnight and12
for noon. If you want to configure the maintenance window for your project, you must specify this setting.
spec.maintenanceWindow.startASAP
Type: boolean
Conditional
Flag that indicates whether Atlas should immediately start maintenance.
spec.maintenanceWindow.defer
andspec.maintenanceWindow.startASAP
can't both be set totrue
at the same time.Important
While
spec.maintenanceWindow.startASAP
is set totrue
, Atlas Kubernetes Operator starts maintenance every time you apply changes to theAtlasProject
custom resource. If you setspec.maintenanceWindow.startASAP
totrue
, you should changespec.maintenanceWindow.startASAP
tofalse
after you apply changes.
spec.networkPeers
Type: array
Optional
List that contains the network peering configurations for the project.
spec.regionUsageRestrictions
Type: string
Optional
Designates the project's AWS region for Atlas for Government only. You can specify one of the following values:
NONE
: If you setregionUsageRestrictions
toNONE
, value defaults toCOMMERCIAL_FEDRAMP_REGIONS_ONLY
. This is the default if you omitregionUsageRestrictions
.GOV_REGIONS_ONLY
: Indicates project is restricted to AWS GovCloud regions that meet more stringent U.S. government security requirements. To learn more, see the AWS GovCloud documentation.COMMERCIAL_FEDRAMP_REGIONS_ONLY
: Indicates project is restricted to AWS FedRamp Moderate standard regions.
spec.projectIpAccessList
Type: array
Required
IP access list that grants network access to Atlas clusters in the project. You can specify the following body parameters:
ParameterTypeNecessityDescriptionawsSecurityGroupstringConditionalUnique identifier of the AWS security group to add to the access list.
Your access list entry can include only one awsSecurityGroup, one cidrBlock, or one ipAddress.
Note
You must configure VPC peering for your project before you can add an AWS security group to an access list.
cidrBlockstringConditionalRange of IP addresses in CIDR notation to be added to the access list.
Your access list entry can include only one awsSecurityGroup, one cidrBlock, or one ipAddress.
commentstringOptionalComment associated with the access list entry.deleteAfterDatedateOptionalTimestamp in ISO 8601 date and time format in UTC after which Atlas removes the entry from the access list. The specified date must be in the future and within one week of the time you make the API request.
Important
You cannot set AWS security groups as temporary access list entries.
Note
You may include an ISO 8601 time zone designator to ensure that the expiration date occurs with respect to the local time in the specified time zone.
ipAddressstringConditionalSingle IP address to be added to the access list. Mutually exclusive with awsSecurityGroup and cidrBlock.
Your access list entry can include only one awsSecurityGroup, one cidrBlock, or one ipAddress.
spec.settings.isCollectDatabaseSpecificsStatisticsEnabled
Type: boolean
Optional
Flag that indicates whether your project has collection of database statistics in cluster metrics enabled.
spec.settings.isDataExplorerEnabled
Type: boolean
Optional
Flag that indicates whether your project has data explorer enabled.
spec.settings.isExtendedStorageSizesEnabled
Type: boolean
Optional
Flag that indicates whether to enable extended storage sizes for the specified project. To learn more about enabling extended storage, see Manage Project Settings.
spec.settings.isPerformanceAdvisorEnabled
Type: boolean
Optional
Flag that indicates whether your project has Performance Advisor enabled.
spec.settings.isRealtimePerformancePanelEnabled
Type: boolean
Optional
Flag that indicates whether your project has Realtime Performance Panel enabled.
spec.settings.isSchemaAdvisorEnabled
Type: boolean
Optional
Flag that indicates whether your project has Schema Advisor enabled.
spec.privateEndpoints
Type: array
Optional
List that contains the private endpoint configurations for the project.
spec.teams
Type: object
Optional
Object that contains your team specifications. To learn more, see Configure Teams.
spec.teams.teamRef.name
Type: string
Conditional
Human-readable label from the
AtlasTeam
Custom Resource in themetadata.name
field. If you want to assign a team to this project, you must specify this setting.
spec.teams.teamRef.namespace
Type: string
Conditional
Namespace specified in the
AtlasTeam
Custom Resource if other thandefault
.
spec.teams.teamRef.roles
Type: string
Conditional
Atlas User Roles that a team uses for this project. If you want to assign a team to this project, you must specify this setting.
spec.withDefaultAlertsSettings
Type: boolean
Optional
Default:
true
Flag that indicates whether Atlas Kubernetes Operator creates a project with the default alert configurations. If omitted, defaults to
true
.If you use this setting, you must also set
spec.alertConfigurationSyncEnabled
totrue
for Atlas Kubernetes Operator to modify project alert configurations.If you set this parameter to
false
when you create a project, Atlas doesn't add the default alert configurations to your project.This setting has no effect on existing projects.
For information on how this setting interacts with
spec.alertConfigurationSyncEnabled
, see the Considerations.
spec.x509CertRef.name
Type: string
Optional
Name of the
kubernetes.io/tls
secret for the X.509 certificate.Atlas Kubernetes Operator watches secrets only with the label
atlas.mongodb.com/type=credentials
to avoid watching unnecessary secrets.The following example labels a secret:
kubectl label secret the-user-password atlas.mongodb.com/type=credentials