CLOUDP-195050: Atlas Federated Authentication configuration (#1124)

mongodb · Oct 6, 2023 · 3769e68 · 3769e68
1 parent 5878ddc
commit 3769e68
Show file tree

Hide file tree

Showing 28 changed files with 1,258 additions and 80 deletions.
diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml
@@ -203,7 +203,7 @@ jobs:
         run: |
           kubectl version
       - name: Install CRDs if needed
-        if: ${{ !( matrix.test == 'helm-update' || matrix.test == 'helm-wide' || matrix.test == 'bundle-test' ) }}
+        if: ${{ !( matrix.test == 'helm-update' || matrix.test == 'helm-wide' || matrix.test == 'helm-ns' || matrix.test == 'bundle-test' ) }}
         run: |
           kubectl apply -f deploy/crds
       - name: Run e2e test

diff --git a/.github/workflows/test-int.yml b/.github/workflows/test-int.yml
@@ -16,7 +16,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        test: ["AtlasProject", "AtlasDeployment", "AtlasDatabaseUser", "AtlasDataFederation"]
+        test: ["AtlasProject", "AtlasDeployment", "AtlasDatabaseUser", "AtlasDataFederation", "AtlasFederatedAuth"]
         path: [ "./test/int" ]
         nodes: [12]
         include:

diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -46,6 +46,7 @@ import (
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/atlasdatabaseuser"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/atlasdatafederation"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/atlasdeployment"
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/atlasfederatedauth"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/atlasproject"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/connectionsecret"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/watch"
@@ -196,6 +197,22 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "AtlasDataFederation")
 		os.Exit(1)
 	}
+
+	if err = (&atlasfederatedauth.AtlasFederatedAuthReconciler{
+		Client:                      mgr.GetClient(),
+		Log:                         logger.Named("controllers").Named("AtlasFederatedAuth").Sugar(),
+		Scheme:                      mgr.GetScheme(),
+		AtlasDomain:                 config.AtlasDomain,
+		ResourceWatcher:             watch.NewResourceWatcher(),
+		GlobalPredicates:            globalPredicates,
+		EventRecorder:               mgr.GetEventRecorderFor("AtlasFederatedAuth"),
+		ObjectDeletionProtection:    config.ObjectDeletionProtection,
+		SubObjectDeletionProtection: config.SubObjectDeletionProtection,
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "AtlasFederatedAuth")
+		os.Exit(1)
+	}
+
 	// +kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("health", healthz.Ping); err != nil {

diff --git a/config/crd/bases/atlas.mongodb.com_atlasfederatedauths.yaml b/config/crd/bases/atlas.mongodb.com_atlasfederatedauths.yaml
@@ -0,0 +1,172 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.9.2
+  creationTimestamp: null
+  name: atlasfederatedauths.atlas.mongodb.com
+spec:
+  group: atlas.mongodb.com
+  names:
+    kind: AtlasFederatedAuth
+    listKind: AtlasFederatedAuthList
+    plural: atlasfederatedauths
+    singular: atlasfederatedauth
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: AtlasFederatedAuth is the Schema for the Atlasfederatedauth API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              connectionSecretRef:
+                description: Connection secret with API credentials for configuring
+                  the federation. These credentials must have OrganizationOwner permissions.
+                properties:
+                  name:
+                    description: Name is the name of the Kubernetes Resource
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the Kubernetes Resource
+                    type: string
+                required:
+                - name
+                type: object
+              domainAllowList:
+                description: Approved domains that restrict users who can join the
+                  organization based on their email address.
+                items:
+                  type: string
+                type: array
+              domainRestrictionEnabled:
+                default: false
+                description: Prevent users in the federation from accessing organizations
+                  outside of the federation, and creating new organizations. This
+                  option applies to the entire federation. See more information at
+                  https://www.mongodb.com/docs/atlas/security/federation-advanced-options/#restrict-user-membership-to-the-federation
+                type: boolean
+              enabled:
+                default: false
+                type: boolean
+              postAuthRoleGrants:
+                description: Atlas roles that are granted to a user in this organization
+                  after authenticating.
+                items:
+                  type: string
+                type: array
+              roleMappings:
+                description: Map IDP groups to Atlas roles.
+                items:
+                  description: RoleMapping maps an external group from an identity
+                    provider to roles within Atlas.
+                  properties:
+                    externalGroupName:
+                      description: ExternalGroupName is the name of the IDP group
+                        to which this mapping applies.
+                      maxLength: 200
+                      minLength: 1
+                      type: string
+                    roleAssignments:
+                      description: RoleAssignments define the roles within projects
+                        that should be given to members of the group.
+                      items:
+                        properties:
+                          projectName:
+                            description: The Atlas project in the same org in which
+                              the role should be given.
+                            type: string
+                          role:
+                            description: The role in Atlas that should be given to
+                              group members.
+                            enum:
+                            - ORG_MEMBER
+                            - ORG_READ_ONLY
+                            - ORG_BILLING_ADMIN
+                            - ORG_GROUP_CREATOR
+                            - ORG_OWNER
+                            - ORG_BILLING_READ_ONLY
+                            - ORG_TEAM_MEMBERS_ADMIN
+                            - GROUP_AUTOMATION_ADMIN
+                            - GROUP_BACKUP_ADMIN
+                            - GROUP_MONITORING_ADMIN
+                            - GROUP_OWNER
+                            - GROUP_READ_ONLY
+                            - GROUP_USER_ADMIN
+                            - GROUP_BILLING_ADMIN
+                            - GROUP_DATA_ACCESS_ADMIN
+                            - GROUP_DATA_ACCESS_READ_ONLY
+                            - GROUP_DATA_ACCESS_READ_WRITE
+                            - GROUP_CHARTS_ADMIN
+                            - GROUP_CLUSTER_MANAGER
+                            - GROUP_SEARCH_INDEX_EDITOR
+                            type: string
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              ssoDebugEnabled:
+                default: false
+                type: boolean
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Conditions is the list of statuses showing the current
+                  state of the Atlas Custom Resource
+                items:
+                  description: Condition describes the state of an Atlas Custom Resource
+                    at a certain point.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of Atlas Custom Resource condition.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              observedGeneration:
+                description: ObservedGeneration indicates the generation of the resource
+                  specification that the Atlas Operator is aware of. The Atlas Operator
+                  updates this field to the 'metadata.generation' as soon as it starts
+                  reconciliation of the resource.
+                format: int64
+                type: integer
+            required:
+            - conditions
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -9,27 +9,6 @@ resources:
   - bases/atlas.mongodb.com_atlasbackuppolicies.yaml
   - bases/atlas.mongodb.com_atlasbackupschedules.yaml
   - bases/atlas.mongodb.com_atlasteams.yaml
-# +kubebuilder:scaffold:crdkustomizeresource
-
-patchesStrategicMerge:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
-# patches here are for enabling the conversion webhook for each CRD
-#- patches/webhook_in_atlasclusters.yaml
-#- patches/webhook_in_atlasprojects.yaml
-#- patches/webhook_in_atlasbackuppolicies.yaml
-#- patches/webhook_in_atlasbackupschedules.yaml
-#- patches/webhook_in_atlasteams.yaml
-# +kubebuilder:scaffold:crdkustomizewebhookpatch
-
-# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-#- patches/cainjection_in_atlasclusters.yaml
-#- patches/cainjection_in_atlasprojects.yaml
-#- patches/cainjection_in_atlasbackuppolicies.yaml
-#- patches/cainjection_in_atlasbackupschedules.yaml
-#- patches/cainjection_in_atlasteams.yaml
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
-# the following config is for teaching kustomize how to do kustomization for CRDs.
+  - bases/atlas.mongodb.com_atlasfederatedauths.yaml
 configurations:
   - kustomizeconfig.yaml
diff --git a/config/crd/patches/cainjection_in_atlasfederatedauths.yaml b/config/crd/patches/cainjection_in_atlasfederatedauths.yaml
@@ -0,0 +1,8 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: atlasfederatedauths.atlas.mongodb.com
diff --git a/config/crd/patches/webhook_in_atlasfederatedauths.yaml b/config/crd/patches/webhook_in_atlasfederatedauths.yaml
@@ -0,0 +1,17 @@
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: atlasfederatedauths.atlas.mongodb.com
+spec:
+  conversion:
+    strategy: Webhook
+    webhookClientConfig:
+      # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+      # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+      caBundle: Cg==
+      service:
+        namespace: system
+        name: webhook-service
+        path: /convert