CLOUDP-286477: Workload/Workforce Identity Federation (#1969)

config/crd/bases/atlas.mongodb.com_atlasdatabaseusers.yaml

@@ -80,8 +80,11 @@ spec:
                 type: object
               databaseName:
                 default: admin
-                description: DatabaseName is a Database against which Atlas authenticates
-                  the user. Default value is 'admin'.
+                description: |-
+                  DatabaseName is a Database against which Atlas authenticates the user.
+                  If the user authenticates with AWS IAM, x.509, LDAP, or OIDC Workload this value should be '$external'.
+                  If the user authenticates with SCRAM-SHA or OIDC Workforce, this value should be 'admin'.
+                  Default value is 'admin'.
                 type: string
               deleteAfterDate:
                 description: |-
@@ -119,13 +122,13 @@ spec:
               oidcAuthType:
                 default: NONE
                 description: |-
-                  Human-readable label that indicates whether the new database Username
-                  with OIDC federated authentication.
-                  To create a federated authentication user, specify the value
-                  of IDP_GROUP for this field
+                  Human-readable label that indicates whether the new database Username with OIDC federated authentication.
+                  To create a federated authentication group (Workforce), specify the value of IDP_GROUP in this field.
+                  To create a federated authentication user (Workload), specify the value of USER in this field.
                 enum:
                 - NONE
                 - IDP_GROUP
+                - USER
                 type: string
               passwordSecretRef:
                 description: PasswordSecret is a reference to the Secret keeping the
@@ -208,7 +211,7 @@ spec:
                   Username is a username for authenticating to MongoDB
                   Human-readable label that represents the user that authenticates to MongoDB. The format of this label depends on the method of authentication:
                   In case of AWS IAM: the value should be AWS ARN for the IAM User/Role;
-                  In case of OIDC: the value should be the Identity Provider ID;
+                  In case of OIDC Workload or Workforce: the value should be the Atlas OIDC IdP ID, followed by a '/', followed by the IdP group name;
                   In case of Plain text auth: the value can be anything
                 maxLength: 1024
                 type: string

config/crd/bases/atlas.mongodb.com_atlasfederatedauths.yaml

@@ -60,6 +60,13 @@ spec:
                 required:
                 - name
                 type: object
+              dataAccessIdentityProviders:
+                description: |-
+                  The collection of unique ids representing the identity providers that can be used for data access in this organization.
+                  Currently connected data access identity providers missing from the this field will be disconnected.
+                items:
+                  type: string
+                type: array
               domainAllowList:
                 description: Approved domains that restrict users who can join the
                   organization based on their email address.

internal/featureflags/featureflag.go

@@ -7,9 +7,6 @@ import (
 const (
 	featurePrefix    = "FEATURE_"
 	featureSeparator = "="
-
-	//nolint:stylecheck
-	FeatureOIDC = "FEATURE_PREVIEW_OIDC_DB_ACCESS"
 )
 
 type FeatureFlags struct {

pkg/api/v1/atlasdatabaseuser_types.go

@@ -61,7 +61,10 @@ type AtlasDatabaseUserSpec struct {
 	// ExternalProjectRef holds the Atlas project ID the user belongs to
 	ExternalProjectRef *ExternalProjectReference `json:"externalProjectRef,omitempty"`
 
-	// DatabaseName is a Database against which Atlas authenticates the user. Default value is 'admin'.
+	// DatabaseName is a Database against which Atlas authenticates the user.
+	// If the user authenticates with AWS IAM, x.509, LDAP, or OIDC Workload this value should be '$external'.
+	// If the user authenticates with SCRAM-SHA or OIDC Workforce, this value should be 'admin'.
+	// Default value is 'admin'.
 	// +kubebuilder:default=admin
 	DatabaseName string `json:"databaseName,omitempty"`
 
@@ -87,17 +90,16 @@ type AtlasDatabaseUserSpec struct {
 	// Username is a username for authenticating to MongoDB
 	// Human-readable label that represents the user that authenticates to MongoDB. The format of this label depends on the method of authentication:
 	// In case of AWS IAM: the value should be AWS ARN for the IAM User/Role;
-	// In case of OIDC: the value should be the Identity Provider ID;
+	// In case of OIDC Workload or Workforce: the value should be the Atlas OIDC IdP ID, followed by a '/', followed by the IdP group name;
 	// In case of Plain text auth: the value can be anything
 	// +kubebuilder:validation:MaxLength:=1024
 	Username string `json:"username"`
 
-	// Human-readable label that indicates whether the new database Username
-	// with OIDC federated authentication.
-	// To create a federated authentication user, specify the value
-	// of IDP_GROUP for this field
+	// Human-readable label that indicates whether the new database Username with OIDC federated authentication.
+	// To create a federated authentication group (Workforce), specify the value of IDP_GROUP in this field.
+	// To create a federated authentication user (Workload), specify the value of USER in this field.
 	// +kubebuilder:default:=NONE
-	// +kubebuilder:validation:Enum:=NONE;IDP_GROUP
+	// +kubebuilder:validation:Enum:=NONE;IDP_GROUP;USER
 	// +optional
 	OIDCAuthType string `json:"oidcAuthType,omitempty"`
 

pkg/api/v1/atlasfederatedauth_types.go

@@ -4,7 +4,7 @@ import (
 	"errors"
 	"fmt"
 
-	"go.mongodb.org/atlas-sdk/v20231115008/admin"
+	"go.mongodb.org/atlas-sdk/v20241113001/admin"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -41,6 +41,10 @@ type AtlasFederatedAuthSpec struct {
 	// Map IDP groups to Atlas roles.
 	// +optional
 	RoleMappings []RoleMapping `json:"roleMappings,omitempty"`
+	// The collection of unique ids representing the identity providers that can be used for data access in this organization.
+	// Currently connected data access identity providers missing from the this field will be disconnected.
+	// +optional
+	DataAccessIdentityProviders *[]string `json:"dataAccessIdentityProviders,omitempty"`
 }
 
 func (f *AtlasFederatedAuthSpec) ToAtlas(orgID, idpID string, projectNameToID map[string]string) (*admin.ConnectedOrgConfig, error) {
@@ -73,11 +77,21 @@ func (f *AtlasFederatedAuthSpec) ToAtlas(orgID, idpID string, projectNameToID ma
 	}
 
 	result := &admin.ConnectedOrgConfig{
-		DomainAllowList:          &f.DomainAllowList,
-		DomainRestrictionEnabled: *f.DomainRestrictionEnabled,
-		IdentityProviderId:       idpID,
-		OrgId:                    orgID,
-		PostAuthRoleGrants:       &f.PostAuthRoleGrants,
+		DataAccessIdentityProviderIds: f.DataAccessIdentityProviders,
+		DomainRestrictionEnabled:      *f.DomainRestrictionEnabled,
+		OrgId:                         orgID,
+	}
+
+	if len(f.DomainAllowList) > 0 {
+		result.SetDomainAllowList(f.DomainAllowList)
+	}
+
+	if idpID != "" {
+		result.SetIdentityProviderId(idpID)
+	}
+
+	if len(f.PostAuthRoleGrants) > 0 {
+		result.SetPostAuthRoleGrants(f.PostAuthRoleGrants)
 	}
 
 	if len(atlasRoleMappings) > 0 {

pkg/api/v1/atlasfederatedauth_types_test.go

@@ -3,9 +3,10 @@ package v1
 import (
 	"testing"
 
-	"go.mongodb.org/atlas-sdk/v20231115008/admin"
+	"go.mongodb.org/atlas-sdk/v20241113001/admin"
 
 	"github.com/go-test/deep"
+	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/pointer"
@@ -24,12 +25,13 @@ func Test_FederatedAuthSpec_ToAtlas(t *testing.T) {
 		}
 
 		spec := &AtlasFederatedAuthSpec{
-			Enabled:                  true,
-			ConnectionSecretRef:      common.ResourceRefNamespaced{},
-			DomainAllowList:          []string{"test.com"},
-			DomainRestrictionEnabled: pointer.MakePtr(true),
-			SSODebugEnabled:          pointer.MakePtr(true),
-			PostAuthRoleGrants:       []string{"role-3", "role-4"},
+			Enabled:                     true,
+			ConnectionSecretRef:         common.ResourceRefNamespaced{},
+			DomainAllowList:             []string{"test.com"},
+			DomainRestrictionEnabled:    pointer.MakePtr(true),
+			DataAccessIdentityProviders: &[]string{"test-123", "test-456"},
+			SSODebugEnabled:             pointer.MakePtr(true),
+			PostAuthRoleGrants:          []string{"role-3", "role-4"},
 			RoleMappings: []RoleMapping{
 				{
 					ExternalGroupName: "test-group",
@@ -49,11 +51,12 @@ func Test_FederatedAuthSpec_ToAtlas(t *testing.T) {
 		assert.NotNil(t, result, "ToAtlas() result is nil")
 
 		expected := &admin.ConnectedOrgConfig{
-			DomainAllowList:          &spec.DomainAllowList,
-			DomainRestrictionEnabled: *spec.DomainRestrictionEnabled,
-			IdentityProviderId:       idpID,
-			OrgId:                    orgID,
-			PostAuthRoleGrants:       &spec.PostAuthRoleGrants,
+			DomainAllowList:               &spec.DomainAllowList,
+			DomainRestrictionEnabled:      *spec.DomainRestrictionEnabled,
+			DataAccessIdentityProviderIds: spec.DataAccessIdentityProviders,
+			IdentityProviderId:            &idpID,
+			OrgId:                         orgID,
+			PostAuthRoleGrants:            &spec.PostAuthRoleGrants,
 			RoleMappings: &[]admin.AuthFederationRoleMapping{
 				{
 					ExternalGroupName: spec.RoleMappings[0].ExternalGroupName,
@@ -69,6 +72,9 @@ func Test_FederatedAuthSpec_ToAtlas(t *testing.T) {
 		}
 
 		diff := deep.Equal(expected, result)
+		if diff != nil {
+			t.Log(cmp.Diff(expected, result))
+		}
 		assert.Nil(t, diff, diff)
 	})
 

pkg/controller/atlasdatabaseuser/atlasdatabaseuser_controller.go

@@ -57,16 +57,15 @@ var ErrOIDCNotEnabled = fmt.Errorf("'OIDCAuthType' field is set but OIDC authent
 
 // AtlasDatabaseUserReconciler reconciles an AtlasDatabaseUser object
 type AtlasDatabaseUserReconciler struct {
-	Client                        client.Client
-	Log                           *zap.SugaredLogger
-	Scheme                        *runtime.Scheme
-	EventRecorder                 record.EventRecorder
-	AtlasProvider                 atlas.Provider
-	GlobalPredicates              []predicate.Predicate
-	ObjectDeletionProtection      bool
-	SubObjectDeletionProtection   bool
-	FeaturePreviewOIDCAuthEnabled bool
-	independentSyncPeriod         time.Duration
+	Client                      client.Client
+	Log                         *zap.SugaredLogger
+	Scheme                      *runtime.Scheme
+	EventRecorder               record.EventRecorder
+	AtlasProvider               atlas.Provider
+	GlobalPredicates            []predicate.Predicate
+	ObjectDeletionProtection    bool
+	SubObjectDeletionProtection bool
+	independentSyncPeriod       time.Duration
 
 	dbUserService     dbuser.AtlasUsersService
 	deploymentService deployment.AtlasDeploymentsService
@@ -286,14 +285,13 @@ func NewAtlasDatabaseUserReconciler(
 	logger *zap.Logger,
 ) *AtlasDatabaseUserReconciler {
 	return &AtlasDatabaseUserReconciler{
-		Scheme:                        mgr.GetScheme(),
-		Client:                        mgr.GetClient(),
-		EventRecorder:                 mgr.GetEventRecorderFor("AtlasDatabaseUser"),
-		GlobalPredicates:              predicates,
-		Log:                           logger.Named("controllers").Named("AtlasDatabaseUser").Sugar(),
-		AtlasProvider:                 atlasProvider,
-		ObjectDeletionProtection:      deletionProtection,
-		FeaturePreviewOIDCAuthEnabled: featureFlags.IsFeaturePresent(featureflags.FeatureOIDC),
-		independentSyncPeriod:         independentSyncPeriod,
+		Scheme:                   mgr.GetScheme(),
+		Client:                   mgr.GetClient(),
+		EventRecorder:            mgr.GetEventRecorderFor("AtlasDatabaseUser"),
+		GlobalPredicates:         predicates,
+		Log:                      logger.Named("controllers").Named("AtlasDatabaseUser").Sugar(),
+		AtlasProvider:            atlasProvider,
+		ObjectDeletionProtection: deletionProtection,
+		independentSyncPeriod:    independentSyncPeriod,
 	}
 }

pkg/controller/atlasdatabaseuser/databaseuser.go

@@ -101,10 +101,6 @@ func (r *AtlasDatabaseUserReconciler) dbuLifeCycle(ctx *workflow.Context, atlasD
 }
 
 func (r *AtlasDatabaseUserReconciler) create(ctx *workflow.Context, projectID string, atlasDatabaseUser *akov2.AtlasDatabaseUser) ctrl.Result {
-	if !canManageOIDC(r.FeaturePreviewOIDCAuthEnabled, atlasDatabaseUser.Spec.OIDCAuthType) {
-		return r.terminate(ctx, atlasDatabaseUser, api.DatabaseUserReadyType, workflow.Internal, false, ErrOIDCNotEnabled)
-	}
-
 	userPassword, passwordVersion, err := r.readPassword(ctx.Context, atlasDatabaseUser)
 	if err != nil {
 		return r.terminate(ctx, atlasDatabaseUser, api.DatabaseUserReadyType, workflow.Internal, true, err)
@@ -136,10 +132,6 @@ func (r *AtlasDatabaseUserReconciler) create(ctx *workflow.Context, projectID st
 }
 
 func (r *AtlasDatabaseUserReconciler) update(ctx *workflow.Context, atlasProject *project.Project, atlasDatabaseUser *akov2.AtlasDatabaseUser, databaseUserInAtlas *dbuser.User) ctrl.Result {
-	if !canManageOIDC(r.FeaturePreviewOIDCAuthEnabled, atlasDatabaseUser.Spec.OIDCAuthType) {
-		return r.terminate(ctx, atlasDatabaseUser, api.DatabaseUserReadyType, workflow.Internal, false, ErrOIDCNotEnabled)
-	}
-
 	userPassword, passwordVersion, err := r.readPassword(ctx.Context, atlasDatabaseUser)
 	if err != nil {
 		return r.terminate(ctx, atlasDatabaseUser, api.DatabaseUserReadyType, workflow.Internal, true, err)
@@ -331,14 +323,6 @@ func (r *AtlasDatabaseUserReconciler) getProjectFromKube(ctx *workflow.Context,
 	return project.NewProject(atlasProject, orgID), nil
 }
 
-func canManageOIDC(isEnabled bool, oidcType string) bool {
-	if !isEnabled && (oidcType != "" && oidcType != "NONE") {
-		return false
-	}
-
-	return true
-}
-
 func isExpired(atlasDatabaseUser *akov2.AtlasDatabaseUser) (bool, error) {
 	if atlasDatabaseUser.Spec.DeleteAfterDate == "" {
 		return false, nil