AtlasFederatedAuth Custom Resource
The AtlasFederatedAuth custom resource configures federated authentication for your Atlas organization. When you create the AtlasFederatedAuth custom resource, Atlas Kubernetes Operator uses the Federated Authentication API Resource to update the organization configuration for the federation. In the organization configuration, you specify federation settings for your Atlas organization such as organization and role mappings.
Important
Custom Resources No Longer Delete Objects by Default

Atlas Kubernetes Operator uses custom resource configuration files to manage your Atlas configuration, but as of Atlas Kubernetes Operator 2.0, custom resources you delete in Kubernetes are no longer (by default) deleted in Atlas. Instead, Atlas Kubernetes Operator simply stops managing those resources in Atlas. For example, if you delete an AtlasProject Custom Resource in Kubernetes, by default the Atlas Kubernetes Operator no longer automatically deletes the corresponding project from Atlas. This change in behavior is intended to help prevent accidental or unexpected deletions. To learn more, including how to revert this behavior to the default used prior to Atlas Kubernetes Operator 2.0, see New Default: Deletion Protection in Atlas Kubernetes Operator 2.0.

Similarly, Atlas Kubernetes Operator does not delete teams from Atlas if you remove them from an Atlas project in Kubernetes with the Atlas Kubernetes Operator.

Explicitly define your desired configuration details in order to avoid implicitly using default Atlas configuration values. In some cases, inheriting Atlas defaults may result in a reconciliation loop which can prevent your custom resource from achieving a READY state. For example, explicitly defining your desired autoscaling behavior in your AtlasDeployment custom resource, as shown in the included example, ensures that a static instance size in your custom resource is not being repeatedly applied to an Atlas deployment which has autoscaling enabled.

autoScaling:
  diskGB:
    enabled: true
  compute:
    enabled: true
    scaleDownEnabled: true
    minInstanceSize: M30
    maxInstanceSize: M40
To use this resource, you must have an existing identity provider (IdP) linked to your Atlas organization. To learn more, see Leverage Federated Authentication from Kubernetes.
Examples

The following example configures an AtlasFederatedAuth custom resource that does the following:

Enables federated authentication for the organization linked to the specified secret.
Adds my-org-domain.com as an approved domain.
Enables domain restriction for the organization.
Disables debugging for SSO.
Grants the Organization Member role to users after authenticating.
Maps the Organization Owner role for the organization and applies the role mapping to an IdP group named org-admin.
Maps the Organization Project Creator and Project Owner roles for a project in the organization named dev-project and applies the role mapping to an IdP group named dev-team.
apiVersion: atlas.mongodb.com/v1
kind: AtlasFederatedAuth
metadata:
  name: atlas-default-federated-auth
  namespace: mongodb-atlas-system
spec:
  enabled: true
  dataAccessIdentityProviders:
    - 32b6e34b3d91647abb20e7b8
    - 42d8v92k5a34184rnv93f0c1
  connectionSecretRef:
    name: my-org-secret
    namespace: mongodb-atlas-system
  domainAllowList:
    - my-org-domain.com
  domainRestrictionEnabled: true
  ssoDebugEnabled: false
  postAuthRoleGrants:
    - ORG_MEMBER
  roleMappings:
    - externalGroupName: org-admin
      roleAssignments:
        - role: ORG_OWNER
    - externalGroupName: dev-team
      roleAssignments:
        - role: ORG_GROUP_CREATOR
        - projectName: dev-project
          role: GROUP_OWNER
status:
  conditions:
    - type: Ready
      status: True
    - type: RolesReady
      status: True
    - type: UsersReady
      status: True
Note
The preceding example includes the status section, which describes the update process. To learn more, see Create and Update Process.
Parameters

This section describes the parameters available for the AtlasFederatedAuth custom resource. For detailed descriptions of the parameters, see the Atlas Federated Authentication API Resource. Refer to these descriptions, the example on this page, and the API documentation to customize your specifications.
metadata.name
Type: string
Required
Name that identifies the AtlasFederatedAuth custom resource that Atlas Kubernetes Operator uses to configure federated authentication for the organization.
metadata.namespace
Type: string
Optional
Namespace where you want to deploy the AtlasFederatedAuth custom resource.
spec.enabled
Type: boolean
Required
Flag that determines whether to enable federated authentication for the organization. Defaults to false.
spec.dataAccessIdentityProviders
Type: list
Optional
List of string values that identify the identity providers that Atlas Kubernetes Operator uses to configure federated authentication for the organization.
Note
The dataAccessIdentityProviders parameter defines one or more identity providers that are used for data access, that is, to access the actual MongoDB database instances, as configured in the AtlasDatabaseUser resource. This is different from the other options in the AtlasFederatedAuth resource, which configure identity providers for the Atlas UI.
spec.connectionSecretRef.name
Type: string
Required
Name of the opaque secret that contains a single password field with the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. When you create the secret, specify the orgID, publicApiKey, and privateApiKey fields.

The secret's API keys must have the Organization Owner role. You can use the same secret from an AtlasProject Custom Resource only if the secret has Organization Owner permissions.

Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets. The following example labels a secret:

kubectl label secret the-user-password atlas.mongodb.com/type=credentials

Note
By default, Atlas Kubernetes Operator keeps connection secrets in the same namespace as the AtlasProject Custom Resource. To store secrets in another namespace, specify the spec.connectionSecretRef.namespace parameter.
spec.connectionSecretRef.namespace
Type: string
Optional
Namespace that contains the secret with the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. If you omit or don't specify this parameter, Atlas Kubernetes Operator keeps connection secrets in the same namespace as the AtlasProject Custom Resource.
spec.domainAllowList
Type: array of strings
Optional
Approved domains that restrict users who can join the organization based on their email address.
spec.domainRestrictionEnabled
Type: boolean
Required
Flag that indicates whether domain restriction is enabled for the connected organization. Defaults to false. If you set this parameter to true, Atlas returns a list of users that belong to organizations outside of the federation. To learn more, see User Conflicts.
spec.ssoDebugEnabled
Type: boolean
Optional
Flag that indicates whether the identity provider has debug enabled for SSO. Defaults to false.
spec.postAuthRoleGrants
Type: array of strings
Optional
Atlas roles that are granted to a user in this organization after authenticating. For example:
ORG_MEMBER
ORG_READ_ONLY
ORG_BILLING_ADMIN
ORG_GROUP_CREATOR
ORG_OWNER
ORG_BILLING_READ_ONLY
ORG_TEAM_MEMBERS_ADMIN
For a full list of accepted values, refer to the Federated Authentication API Resource.
spec.roleMappings
Type: array of objects
Optional
Role mappings that are configured in this organization.
The spec.roleMappings.roleAssignments parameter must include at least one organization role within the current organization or the projects in the organization.
spec.roleMappings.externalGroupName
Type: string
Required
Unique human-readable label that identifies the identity provider group to which this role mapping applies.
spec.roleMappings.roleAssignments
Type: array of objects
Optional
Atlas roles and the unique identifiers of the groups and organizations associated with each role. This parameter must include at least one organization role within the current organization or the projects in the organization.
spec.roleMappings.roleAssignments.projectName
Type: string
Optional
The Atlas project in the same organization to which to associate the role.
spec.roleMappings.roleAssignments.role
Type: string
Optional
Human-readable label that identifies the collection of privileges that Atlas grants a specific API key, user, or team. These roles include organization and project-level privileges.
Atlas Kubernetes Operator accepts the following values:
ORG_MEMBER
ORG_READ_ONLY
ORG_BILLING_ADMIN
ORG_GROUP_CREATOR
ORG_OWNER
ORG_BILLING_READ_ONLY
ORG_TEAM_MEMBERS_ADMIN
GROUP_AUTOMATION_ADMIN
GROUP_BACKUP_ADMIN
GROUP_MONITORING_ADMIN
GROUP_OWNER
GROUP_READ_ONLY
GROUP_USER_ADMIN
GROUP_BILLING_ADMIN
GROUP_DATA_ACCESS_ADMIN
GROUP_DATA_ACCESS_READ_ONLY
GROUP_DATA_ACCESS_READ_WRITE
GROUP_CHARTS_ADMIN
GROUP_CLUSTER_MANAGER
GROUP_SEARCH_INDEX_EDITOR
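The following Python lint is added here as an example; it is not part of Atlas Kubernetes Operator or its documentation. It applies the constraints this page states (required parameters, accepted role values, at least one role assignment per mapping) to a manifest already parsed into a dict, with the page's example manifest embedded inline. Two checks are this example's own assumptions: a project-level (GROUP_*) role must carry projectName, and granting ORG_OWNER through postAuthRoleGrants is flagged because that grant applies to every authenticated user.

```python
# Roles this page lists as accepted by Atlas Kubernetes Operator.
ORG_ROLES = {"ORG_MEMBER", "ORG_READ_ONLY", "ORG_BILLING_ADMIN", "ORG_GROUP_CREATOR",
             "ORG_OWNER", "ORG_BILLING_READ_ONLY", "ORG_TEAM_MEMBERS_ADMIN"}
GROUP_ROLES = {"GROUP_AUTOMATION_ADMIN", "GROUP_BACKUP_ADMIN", "GROUP_MONITORING_ADMIN",
               "GROUP_OWNER", "GROUP_READ_ONLY", "GROUP_USER_ADMIN", "GROUP_BILLING_ADMIN",
               "GROUP_DATA_ACCESS_ADMIN", "GROUP_DATA_ACCESS_READ_ONLY",
               "GROUP_DATA_ACCESS_READ_WRITE", "GROUP_CHARTS_ADMIN",
               "GROUP_CLUSTER_MANAGER", "GROUP_SEARCH_INDEX_EDITOR"}

# The page's example manifest, as yaml.safe_load would produce it (constructed inline).
PAGE_EXAMPLE = {"spec": {
    "enabled": True,
    "connectionSecretRef": {"name": "my-org-secret", "namespace": "mongodb-atlas-system"},
    "domainAllowList": ["my-org-domain.com"], "domainRestrictionEnabled": True,
    "ssoDebugEnabled": False, "postAuthRoleGrants": ["ORG_MEMBER"],
    "roleMappings": [
        {"externalGroupName": "org-admin", "roleAssignments": [{"role": "ORG_OWNER"}]},
        {"externalGroupName": "dev-team", "roleAssignments": [
            {"role": "ORG_GROUP_CREATOR"}, {"projectName": "dev-project", "role": "GROUP_OWNER"}]},
    ]}}

def lint(manifest):
    """Return the list of problems found; an empty list means the manifest passes."""
    problems, spec = [], manifest.get("spec", {})
    for key in ("enabled", "domainRestrictionEnabled"):  # required booleans
        if not isinstance(spec.get(key), bool):
            problems.append(f"spec.{key} is required and must be a boolean")
    if not spec.get("connectionSecretRef", {}).get("name"):
        problems.append("spec.connectionSecretRef.name is required")
    for role in spec.get("postAuthRoleGrants", []):
        if role not in ORG_ROLES:
            problems.append(f"postAuthRoleGrants: {role} is not an organization role")
        elif role == "ORG_OWNER":  # assumption: flag it, every federated login would become an owner
            problems.append("postAuthRoleGrants: ORG_OWNER granted to every authenticated user")
    for mapping in spec.get("roleMappings", []):
        group = mapping.get("externalGroupName")
        if not group:
            problems.append("roleMappings: externalGroupName is required")
        assignments = mapping.get("roleAssignments", [])
        if not assignments:
            problems.append(f"roleMappings[{group}]: at least one role assignment is required")
        for a in assignments:
            role, project = a.get("role"), a.get("projectName")
            if role in GROUP_ROLES and not project:  # assumption: project roles need a project
                problems.append(f"roleMappings[{group}]: {role} requires projectName")
            elif role not in ORG_ROLES | GROUP_ROLES:
                problems.append(f"roleMappings[{group}]: {role!r} is not an accepted role")
    return problems
```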