-
Notifications
You must be signed in to change notification settings - Fork 77
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added Federated Authentication Configuration
- Loading branch information
1 parent
5e7e580
commit c5957fe
Showing
20 changed files
with
1,107 additions
and
75 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
190 changes: 190 additions & 0 deletions
190
config/crd/bases/atlas.mongodb.com_atlasfederatedauths.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,190 @@ | ||
--- | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
controller-gen.kubebuilder.io/version: v0.9.2 | ||
creationTimestamp: null | ||
name: atlasfederatedauths.atlas.mongodb.com | ||
spec: | ||
group: atlas.mongodb.com | ||
names: | ||
kind: AtlasFederatedAuth | ||
listKind: AtlasFederatedAuthList | ||
plural: atlasfederatedauths | ||
singular: atlasfederatedauth | ||
scope: Namespaced | ||
versions: | ||
- name: v1 | ||
schema: | ||
openAPIV3Schema: | ||
description: AtlasFederatedAuth is the Schema for the Atlasfederatedauth API | ||
properties: | ||
apiVersion: | ||
description: 'APIVersion defines the versioned schema of this representation | ||
of an object. Servers should convert recognized schemas to the latest | ||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
type: string | ||
kind: | ||
description: 'Kind is a string value representing the REST resource this | ||
object represents. Servers may infer this from the endpoint the client | ||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
type: string | ||
metadata: | ||
type: object | ||
spec: | ||
properties: | ||
connectionSecretRef: | ||
description: Connection secret with API credentials for configuring | ||
the federation. These credentials must have OrganizationOwner permissions. | ||
properties: | ||
name: | ||
description: Name is the name of the Kubernetes Resource | ||
type: string | ||
namespace: | ||
description: Namespace is the namespace of the Kubernetes Resource | ||
type: string | ||
required: | ||
- name | ||
type: object | ||
domainAllowList: | ||
description: Approved domains that restrict users who can join the | ||
organization based on their email address. | ||
items: | ||
type: string | ||
type: array | ||
domainRestrictionEnabled: | ||
default: false | ||
description: Prevent users in the federation from accessing organizations | ||
outside of the federation, and creating new organizations. This | ||
option applies to the entire federation. See more information at | ||
https://www.mongodb.com/docs/atlas/security/federation-advanced-options/#restrict-user-membership-to-the-federation | ||
type: boolean | ||
enabled: | ||
default: false | ||
type: boolean | ||
postAuthRoleGrants: | ||
description: Atlas roles that are granted to a user in this organization | ||
after authenticating. | ||
enum: | ||
- ORG_MEMBER | ||
- ORG_READ_ONLY | ||
- ORG_BILLING_ADMIN | ||
- ORG_GROUP_CREATOR | ||
- ORG_OWNER | ||
- ORG_BILLING_READ_ONLY | ||
- ORG_TEAM_MEMBERS_ADMIN | ||
items: | ||
type: string | ||
type: array | ||
roleMappings: | ||
description: Map IDP groups to Atlas roles. | ||
items: | ||
description: RoleMapping maps an external group from an identity | ||
provider to roles within Atlas. | ||
properties: | ||
externalGroupName: | ||
description: ExternalGroupName is the name of the IDP group | ||
to which this mapping applies. | ||
maxLength: 200 | ||
minLength: 1 | ||
type: string | ||
roleAssignments: | ||
description: RoleAssignments define the roles within projects | ||
that should be given to members of the group. | ||
items: | ||
properties: | ||
projectRef: | ||
description: The Atlas project in which the role should | ||
be given. | ||
properties: | ||
name: | ||
description: Name is the name of the Kubernetes Resource | ||
type: string | ||
namespace: | ||
description: Namespace is the namespace of the Kubernetes | ||
Resource | ||
type: string | ||
required: | ||
- name | ||
type: object | ||
role: | ||
description: The role in Atlas that should be given to | ||
group members. | ||
enum: | ||
- ORG_MEMBER | ||
- ORG_READ_ONLY | ||
- ORG_BILLING_ADMIN | ||
- ORG_GROUP_CREATOR | ||
- ORG_OWNER | ||
- ORG_BILLING_READ_ONLY | ||
- ORG_TEAM_MEMBERS_ADMIN | ||
- GROUP_AUTOMATION_ADMIN | ||
- GROUP_BACKUP_ADMIN | ||
- GROUP_MONITORING_ADMIN | ||
- GROUP_OWNER | ||
- GROUP_READ_ONLY | ||
- GROUP_USER_ADMIN | ||
- GROUP_BILLING_ADMIN | ||
- GROUP_DATA_ACCESS_ADMIN | ||
- GROUP_DATA_ACCESS_READ_ONLY | ||
- GROUP_DATA_ACCESS_READ_WRITE | ||
- GROUP_CHARTS_ADMIN | ||
- GROUP_CLUSTER_MANAGER | ||
- GROUP_SEARCH_INDEX_EDITOR | ||
type: string | ||
type: object | ||
type: array | ||
type: object | ||
type: array | ||
ssoDebugEnabled: | ||
default: false | ||
type: boolean | ||
type: object | ||
status: | ||
properties: | ||
conditions: | ||
description: Conditions is the list of statuses showing the current | ||
state of the Atlas Custom Resource | ||
items: | ||
description: Condition describes the state of an Atlas Custom Resource | ||
at a certain point. | ||
properties: | ||
lastTransitionTime: | ||
description: Last time the condition transitioned from one status | ||
to another. | ||
format: date-time | ||
type: string | ||
message: | ||
description: A human readable message indicating details about | ||
the transition. | ||
type: string | ||
reason: | ||
description: The reason for the condition's last transition. | ||
type: string | ||
status: | ||
description: Status of the condition, one of True, False, Unknown. | ||
type: string | ||
type: | ||
description: Type of Atlas Custom Resource condition. | ||
type: string | ||
required: | ||
- status | ||
- type | ||
type: object | ||
type: array | ||
observedGeneration: | ||
description: ObservedGeneration indicates the generation of the resource | ||
specification that the Atlas Operator is aware of. The Atlas Operator | ||
updates this field to the 'metadata.generation' as soon as it starts | ||
reconciliation of the resource. | ||
format: int64 | ||
type: integer | ||
required: | ||
- conditions | ||
type: object | ||
type: object | ||
served: true | ||
storage: true | ||
subresources: | ||
status: {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
# The following patch adds a directive for certmanager to inject CA into the CRD | ||
# CRD conversion requires k8s 1.13 or later. | ||
apiVersion: apiextensions.k8s.io/v1beta1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) | ||
name: atlasfederatedauths.atlas.mongodb.com |
Oops, something went wrong.