Added Federated Authentication Configuration

cmd/manager/main.go

@@ -46,6 +46,7 @@ import (
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/atlasdatabaseuser"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/atlasdatafederation"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/atlasdeployment"
+	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/atlasfederatedauth"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/atlasproject"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/connectionsecret"
 	"github.com/mongodb/mongodb-atlas-kubernetes/pkg/controller/watch"
@@ -196,6 +197,22 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "AtlasDataFederation")
 		os.Exit(1)
 	}
+
+	if err = (&atlasfederatedauth.AtlasFederatedAuthReconciler{
+		Client:                      mgr.GetClient(),
+		Log:                         logger.Named("controllers").Named("AtlasFederatedAuth").Sugar(),
+		Scheme:                      mgr.GetScheme(),
+		AtlasDomain:                 config.AtlasDomain,
+		ResourceWatcher:             watch.NewResourceWatcher(),
+		GlobalPredicates:            globalPredicates,
+		EventRecorder:               mgr.GetEventRecorderFor("AtlasFederatedAuth"),
+		ObjectDeletionProtection:    config.ObjectDeletionProtection,
+		SubObjectDeletionProtection: config.SubObjectDeletionProtection,
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "AtlasFederatedAuth")
+		os.Exit(1)
+	}
+
 	// +kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("health", healthz.Ping); err != nil {

config/crd/bases/atlas.mongodb.com_atlasfederatedauths.yaml

@@ -0,0 +1,190 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.9.2
+  creationTimestamp: null
+  name: atlasfederatedauths.atlas.mongodb.com
+spec:
+  group: atlas.mongodb.com
+  names:
+    kind: AtlasFederatedAuth
+    listKind: AtlasFederatedAuthList
+    plural: atlasfederatedauths
+    singular: atlasfederatedauth
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: AtlasFederatedAuth is the Schema for the Atlasfederatedauth API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              connectionSecretRef:
+                description: Connection secret with API credentials for configuring
+                  the federation. These credentials must have OrganizationOwner permissions.
+                properties:
+                  name:
+                    description: Name is the name of the Kubernetes Resource
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the Kubernetes Resource
+                    type: string
+                required:
+                - name
+                type: object
+              domainAllowList:
+                description: Approved domains that restrict users who can join the
+                  organization based on their email address.
+                items:
+                  type: string
+                type: array
+              domainRestrictionEnabled:
+                default: false
+                description: Prevent users in the federation from accessing organizations
+                  outside of the federation, and creating new organizations. This
+                  option applies to the entire federation. See more information at
+                  https://www.mongodb.com/docs/atlas/security/federation-advanced-options/#restrict-user-membership-to-the-federation
+                type: boolean
+              enabled:
+                default: false
+                type: boolean
+              postAuthRoleGrants:
+                description: Atlas roles that are granted to a user in this organization
+                  after authenticating.
+                enum:
+                - ORG_MEMBER
+                - ORG_READ_ONLY
+                - ORG_BILLING_ADMIN
+                - ORG_GROUP_CREATOR
+                - ORG_OWNER
+                - ORG_BILLING_READ_ONLY
+                - ORG_TEAM_MEMBERS_ADMIN
+                items:
+                  type: string
+                type: array
+              roleMappings:
+                description: Map IDP groups to Atlas roles.
+                items:
+                  description: RoleMapping maps an external group from an identity
+                    provider to roles within Atlas.
+                  properties:
+                    externalGroupName:
+                      description: ExternalGroupName is the name of the IDP group
+                        to which this mapping applies.
+                      maxLength: 200
+                      minLength: 1
+                      type: string
+                    roleAssignments:
+                      description: RoleAssignments define the roles within projects
+                        that should be given to members of the group.
+                      items:
+                        properties:
+                          projectRef:
+                            description: The Atlas project in which the role should
+                              be given.
+                            properties:
+                              name:
+                                description: Name is the name of the Kubernetes Resource
+                                type: string
+                              namespace:
+                                description: Namespace is the namespace of the Kubernetes
+                                  Resource
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          role:
+                            description: The role in Atlas that should be given to
+                              group members.
+                            enum:
+                            - ORG_MEMBER
+                            - ORG_READ_ONLY
+                            - ORG_BILLING_ADMIN
+                            - ORG_GROUP_CREATOR
+                            - ORG_OWNER
+                            - ORG_BILLING_READ_ONLY
+                            - ORG_TEAM_MEMBERS_ADMIN
+                            - GROUP_AUTOMATION_ADMIN
+                            - GROUP_BACKUP_ADMIN
+                            - GROUP_MONITORING_ADMIN
+                            - GROUP_OWNER
+                            - GROUP_READ_ONLY
+                            - GROUP_USER_ADMIN
+                            - GROUP_BILLING_ADMIN
+                            - GROUP_DATA_ACCESS_ADMIN
+                            - GROUP_DATA_ACCESS_READ_ONLY
+                            - GROUP_DATA_ACCESS_READ_WRITE
+                            - GROUP_CHARTS_ADMIN
+                            - GROUP_CLUSTER_MANAGER
+                            - GROUP_SEARCH_INDEX_EDITOR
+                            type: string
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              ssoDebugEnabled:
+                default: false
+                type: boolean
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Conditions is the list of statuses showing the current
+                  state of the Atlas Custom Resource
+                items:
+                  description: Condition describes the state of an Atlas Custom Resource
+                    at a certain point.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of Atlas Custom Resource condition.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              observedGeneration:
+                description: ObservedGeneration indicates the generation of the resource
+                  specification that the Atlas Operator is aware of. The Atlas Operator
+                  updates this field to the 'metadata.generation' as soon as it starts
+                  reconciliation of the resource.
+                format: int64
+                type: integer
+            required:
+            - conditions
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/crd/kustomization.yaml

@@ -9,27 +9,6 @@ resources:
   - bases/atlas.mongodb.com_atlasbackuppolicies.yaml
   - bases/atlas.mongodb.com_atlasbackupschedules.yaml
   - bases/atlas.mongodb.com_atlasteams.yaml
-# +kubebuilder:scaffold:crdkustomizeresource
-
-patchesStrategicMerge:
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
-# patches here are for enabling the conversion webhook for each CRD
-#- patches/webhook_in_atlasclusters.yaml
-#- patches/webhook_in_atlasprojects.yaml
-#- patches/webhook_in_atlasbackuppolicies.yaml
-#- patches/webhook_in_atlasbackupschedules.yaml
-#- patches/webhook_in_atlasteams.yaml
-# +kubebuilder:scaffold:crdkustomizewebhookpatch
-
-# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
-# patches here are for enabling the CA injection for each CRD
-#- patches/cainjection_in_atlasclusters.yaml
-#- patches/cainjection_in_atlasprojects.yaml
-#- patches/cainjection_in_atlasbackuppolicies.yaml
-#- patches/cainjection_in_atlasbackupschedules.yaml
-#- patches/cainjection_in_atlasteams.yaml
-# +kubebuilder:scaffold:crdkustomizecainjectionpatch
-
-# the following config is for teaching kustomize how to do kustomization for CRDs.
+  - bases/atlas.mongodb.com_atlasfederatedauths.yaml
 configurations:
   - kustomizeconfig.yaml

config/crd/patches/cainjection_in_atlasfederatedauths.yaml

@@ -0,0 +1,8 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: atlasfederatedauths.atlas.mongodb.com