(DOCSP-45643) custom resource updates for federated auth support

carriecwk · jwilliams-mongo · commit 910861a09cb1 · 2024-12-19T08:34:55.000-06:00
(DOCSP-45643) clarifies that federated auth crd is optional (DOCSP-45643) resolving build errors (DOCSP-45643) resolving merge conflicts (DOCSP-45643) finalizing tech review (DOCSP-45643) custom resource updates for federated auth support (#164) * (DOCSP-45643) custom resource updates for federated auth support * (DOCSP-45643) clarifies that federated auth crd is optional * (DOCSP-45643) resolving build errors * (DOCSP-45643) tech feedback (DOCSP-46114) fixes a formatting error (#173)
diff --git a/source/ak8so-configure-federated-authentication.txt b/source/ak8so-configure-federated-authentication.txt
@@ -29,6 +29,21 @@ specify and update the :ref:`atlasfederatedauth-custom-resource`.
 
 .. include:: /includes/fact-ak8so-federated-auth.rst
 
+The :ref:`atlasfederatedauth-custom-resource` is **not** required to 
+map database users to an |idp|, both any existing authentication |idp| or 
+workload and workforce |idp|. You can use the :ref:`AtlasDatabaseUser <atlasdatabaseuser-custom-resource>` 
+custom resource to manage database users, in which you specify the 
+authentication method used for a given database user. The 
+:ref:`AtlasDatabaseUser <atlasdatabaseuser-custom-resource>` custom 
+resource must be configured in conjunction with :ref:`federated authentication
+<atlas-federated-authentication>` to associate users and roles in the 
+|idp| with users and groups in MongoDB. 
+
+The :ref:`atlasfederatedauth-custom-resource` 
+is optional to use any :ref:`federated authentication
+<atlas-federated-authentication>`, provided that you have configured it 
+elsewhere in {+service+}.
+
 Prerequisites
 -------------
 
@@ -77,6 +92,9 @@ To learn more, see :ref:`atlasfederatedauth-parameters`.
      namespace: mongodb-atlas-system
    spec:
      enabled: true
+     dataAccessIdentityProviders:
+       - 32b6e34b3d91647abb20e7b8
+       - 42d8v92k5a34184rnv93f0c1
      connectionSecretRef:
        name: my-org-secret
        namespace: mongodb-atlas-system
diff --git a/source/atlascustomrole-custom-resource.txt b/source/atlascustomrole-custom-resource.txt
@@ -36,7 +36,7 @@ To create this custom role within a given project, you must either:
 - Updates an existing custom database role.
 
 Examples
---------
+---------
 
 .. _atlascustomrole-example-basic:
 
diff --git a/source/atlasdatabaseuser-custom-resource.txt b/source/atlasdatabaseuser-custom-resource.txt
@@ -368,6 +368,9 @@ to customize your specifications.
    If the database user authenticates with :ref:`X.509 <ak8so-x509>`, 
    this value must be ``\$external``.
 
+   If the database user authenticates with :manual:`OpenID Connect
+   </core/security-oidc>`, this value must be ``$external``.
+
 .. setting:: spec.externalProjectRef.id
 
    *Type*: string
@@ -398,6 +401,21 @@ to customize your specifications.
    If the database user authenticates with :manual:`OpenID Connect
    </core/security-oidc>`, this value must be ``IDP_GROUP``.
 
+   This parameter accepts:
+
+   .. list-table::
+      :stub-columns: 1
+      :widths: 20 80
+
+      * - NONE
+        - User that doesn't use |oidc| authentication.
+
+      * - USER
+        - User that uses |service|-managed |oidc|.
+
+          You must specify ``$external`` for the
+          :setting:`spec.databaseName` parameter.
+
 .. setting:: spec.passwordSecretRef
 
    *Type*: string
diff --git a/source/atlasfederatedauth-custom-resource.txt b/source/atlasfederatedauth-custom-resource.txt
@@ -38,6 +38,9 @@ Examples
      namespace: mongodb-atlas-system
    spec:
      enabled: true
+     dataAccessIdentityProviders:
+       - 32b6e34b3d91647abb20e7b8
+       - 42d8v92k5a34184rnv93f0c1
      connectionSecretRef:
        name: my-org-secret
        namespace: mongodb-atlas-system
@@ -116,6 +119,28 @@ API documentation to customize your specifications.
   Flag that determines whether to enable federated 
   authentication for the organization. Defaults to ``false``.
 
+.. _atlasfederatedauth-dateaccessidentityproviders-id:
+
+``spec.dataAccessIdentityProviders``
+  *Type*: list
+
+  *Optional*
+  
+  List of string values that identify the identity providers that 
+  |ak8so| uses to configure federated authentication
+  for the organization.
+
+  .. note::
+
+     The ``dataAccessIdentityProviders`` parameter defines one or 
+     more identity providers that are used for data access. This 
+     means that they are used to access the actual MongoDB database 
+     instances, as configured in the :ref:`AtlasDatabaseUser <atlasdatabaseuser-custom-resource>` 
+     resource. This is different from the existing options in the 
+     :ref:`AtlasFederatedAuth <atlasfederatedauth-custom-resource>` 
+     resource which is used to configure using identity providers for 
+     the {+service+} UI.
+
 .. _atlasfederatedauth-connectionSecretRef-name:
 
 ``spec.connectionSecretRef.name``
diff --git a/source/includes/steps-ak8so-helm-quick-start.yaml b/source/includes/steps-ak8so-helm-quick-start.yaml
@@ -29,9 +29,9 @@ content: |
        helm repo add mongodb https://mongodb.github.io/helm-charts
        helm install atlas-operator --namespace=atlas-operator --create-namespace mongodb/mongodb-atlas-operator
   
-  - If you want |ak8so| to watch a particular set of |k8s-nss|, set the 
-    ``--watchNamespaces`` flag to a comma-separated list of |k8s-nss| to be watched.
-    For example, run the following command to watch only the ``atlas-operator`` namespace:
+  - If you want |ak8so| to watch a particular set of |k8s-nss|, set the  ``--watchNamespaces`` 
+    flag to a comma-separated list of |k8s-nss| to be watched.
+    For example, run the following command to watch only the ``atlas-operator``namespace:
 
     .. code-block:: sh
 
