AtlasDatabaseUser Custom Resource¶
The AtlasDatabaseUser custom resource configures a database user in an Atlas project. You create database users per project, not per cluster, so the AtlasDatabaseUser custom resource configuration contains a reference to the AtlasProject custom resource. Create the AtlasProject custom resource beforehand.
The following example shows a reference to the AtlasProject custom resource:
spec:
  projectRef:
    name: my-project
Atlas Kubernetes Operator ensures that the database user configuration in Atlas matches the configuration in Kubernetes. Atlas Kubernetes Operator does one of the following:
- Creates a new database user.
- If the database user already exists, updates the existing user.
Before you create a database user, you must create a secret with a password to log into the Atlas cluster database. You must create the secret in the same namespace where the AtlasDatabaseUser custom resource is located.
The following example creates a secret:
kubectl create secret generic the-user-password --from-literal="password=P@@sword%"
Connection Secrets¶
After Atlas Kubernetes Operator successfully creates or updates the database user in Atlas, it creates or updates the connection secrets in the same namespace where the AtlasDatabaseUser custom resource is located.
Connection secrets contain all the information required to connect to the Atlas clusters including the following parameters:
Parameter | Description |
---|---|
connectionStringStandard | Public mongodb:// connection URI. |
connectionStringStandardSrv | Public mongodb+srv:// connection URI. |
username | Name that identifies the database user. |
password | Password of the database user. |
Applications running in Kubernetes can use this information to connect to Atlas clusters. You can expose the secret to application pods as environment variables, or mount it as files that the application process reads to obtain the connection details.
The following example shows mounting the secret as an environment variable:
spec:
  containers:
    - name: test-app
      env:
        - name: "CONNECTIONSTRING"
          valueFrom:
            secretKeyRef:
              name: project-cluster-basic-theuser
              key: connectionStringStandardSrv
The following example shows mounting the secret as files:
spec:
  containers:
    - name: test-app
      volumeMounts:
        - mountPath: /var/secrets/
          name: theuser-connection
  volumes:
    - name: theuser-connection
      secret:
        secretName: project-cluster-basic-theuser
By default, Atlas Kubernetes Operator creates the database user connection secret for each cluster in the same project that the AtlasDatabaseUser references. You can change this behavior with the spec.scopes parameter, which restricts the clusters where the database user gets created. The name of the connection secret uses the following format: <project_name>-<cluster_name>-<db_user_name>.
Examples¶
Project and Clusters¶
The following example shows an Atlas project and the clusters that reference it:
apiVersion: atlas.mongodb.com/v1
kind: AtlasProject
metadata:
  name: my-project
spec:
  name: p1
  projectIpAccessList:
    - ipAddress: "192.0.2.15"
      comment: "IP address for Application Server A"
---
apiVersion: atlas.mongodb.com/v1
kind: AtlasCluster
metadata:
  name: my-aws-cluster
spec:
  name: aws-cluster
  projectRef:
    name: my-project
  providerSettings:
    instanceSizeName: M10
    providerName: AWS
    regionName: US_EAST_1
---
apiVersion: atlas.mongodb.com/v1
kind: AtlasCluster
metadata:
  name: my-gcp-cluster
spec:
  name: gcp-cluster
  projectRef:
    name: my-project
  providerSettings:
    instanceSizeName: M10
    providerName: GCP
    regionName: EASTERN_US
Database User without Scopes¶
The following example shows an AtlasDatabaseUser custom resource specification with spec.scopes omitted:
apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
  name: my-database-user
spec:
  roles:
    - roleName: readWriteAnyDatabase
      databaseName: admin
  projectRef:
    name: my-project
  username: theuser
  passwordSecretRef:
    name: the-user-password
After you create this custom resource, Atlas Kubernetes Operator creates the following secrets:
- p1-aws-cluster-theuser
- p1-gcp-cluster-theuser
Database User with Scopes¶
The following example shows an AtlasDatabaseUser custom resource specification scoped to the Google Cloud cluster only:
apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
  name: my-database-user
spec:
  roles:
    - roleName: "readWriteAnyDatabase"
      databaseName: "admin"
  projectRef:
    name: my-project
  username: theuser
  passwordSecretRef:
    name: the-user-password
  scopes:
    - type: CLUSTER
      name: gcp-cluster
After you update this custom resource, Atlas Kubernetes Operator removes theuser from the aws-cluster. It also removes the p1-aws-cluster-theuser secret from the Kubernetes cluster.
Parameters¶
spec.passwordSecretRef¶
Type: string
Required
Reference to the secret that contains the password. The only supported authentication method, SCRAM-SHA, requires this parameter.
For the configuration parameters available from the API, see the Atlas API.
Currently, Atlas Kubernetes Operator does not support the following parameters available from the Atlas API:
- x509Type
- awsIAMType
- ldapAuthType
Do not specify the following parameters:
- groupId
- password
Specify spec.passwordSecretRef instead.
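As an added example (not part of the MongoDB documentation or the operator's code), the following Python checks an AtlasDatabaseUser manifest against the rules on this page (an existing project reference, a password secret in the same namespace, and the parameters to omit) and computes the connection secret names the operator is expected to create, including the scoping behaviour shown in the two examples above. The manifests, cluster list and secret set are constructed to mirror the page's examples.

```python
# Constructed inputs mirroring the page's examples (not operator data).
PROJECTS = {"my-project": "p1"}              # AtlasProject metadata.name -> spec.name
CLUSTERS = [("aws-cluster", "my-project"),   # (AtlasCluster spec.name, projectRef.name)
            ("gcp-cluster", "my-project")]
SECRETS = {("default", "the-user-password")}  # (namespace, Secret name) that exist
UNSUPPORTED = ("x509Type", "awsIAMType", "ldapAuthType")  # not supported by the operator
FORBIDDEN = ("groupId", "password")           # never set these; use passwordSecretRef


def make_user(scopes=None, **extra):
    """Build an AtlasDatabaseUser manifest shaped like the page's examples."""
    spec = {"roles": [{"roleName": "readWriteAnyDatabase", "databaseName": "admin"}],
            "projectRef": {"name": "my-project"}, "username": "theuser",
            "passwordSecretRef": {"name": "the-user-password"}, **extra}
    if scopes:
        spec["scopes"] = scopes
    return {"apiVersion": "atlas.mongodb.com/v1", "kind": "AtlasDatabaseUser",
            "metadata": {"name": "my-database-user", "namespace": "default"},
            "spec": spec}


def lint_database_user(user, projects=PROJECTS, secrets=SECRETS):
    """Return problems to fix before applying the manifest, per the page's rules."""
    spec, problems = user["spec"], []
    ns = user["metadata"].get("namespace", "default")
    if spec.get("projectRef", {}).get("name") not in projects:
        problems.append("projectRef must name an existing AtlasProject")
    ref = spec.get("passwordSecretRef", {}).get("name")
    if not ref:
        problems.append("spec.passwordSecretRef is required (SCRAM-SHA)")
    elif (ns, ref) not in secrets:  # secret must live in the CR's own namespace
        problems.append(f"password Secret {ref!r} must exist in namespace {ns!r}")
    problems += [f"do not specify {k!r}" for k in FORBIDDEN if k in spec]
    problems += [f"{k!r} is not supported by the operator" for k in UNSUPPORTED if k in spec]
    return problems


def expected_connection_secrets(user, projects=PROJECTS, clusters=CLUSTERS):
    """Names <project_name>-<cluster_name>-<db_user_name> of the connection
    secrets the operator creates: one per cluster in the project, or only the
    clusters listed in spec.scopes when scopes are given."""
    spec = user["spec"]
    ref = spec["projectRef"]["name"]
    in_scope = {s["name"] for s in spec.get("scopes", []) if s.get("type") == "CLUSTER"}
    return {f"{projects[ref]}-{cname}-{spec['username']}"
            for cname, pref in clusters
            if pref == ref and (not in_scope or cname in in_scope)}
```

Comparing the returned set against the secrets actually present in the namespace is a quick way to confirm that a scope change removed the connection secrets for clusters the user no longer needs.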