CLOUDP-266544: Support local resource credentials

config/crd/bases/atlas.mongodb.com_atlasdatabaseusers.yaml

@@ -66,6 +66,18 @@ spec:
                 - USER
                 - ROLE
                 type: string
+              connectionSecret:
+                description: A reference to an object in the same namespace as the
+                  referent
+                properties:
+                  name:
+                    description: |-
+                      Name of the resource being referred to
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                required:
+                - name
+                type: object
               databaseName:
                 default: admin
                 description: DatabaseName is a Database against which Atlas authenticates

internal/translation/dbuser/conversion.go

@@ -68,6 +68,7 @@ func (u *User) clearedSpecClone() *akov2.AtlasDatabaseUserSpec {
 	clone.Project.Name = ""
 	clone.Project.Namespace = ""
 	clone.PasswordSecret = nil
+	clone.ConnectionSecret = nil
 	return &clone
 }
 

internal/translation/dbuser/conversion_test.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/timeutil"
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/translation/dbuser"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api"
 	akov2 "github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api/v1"
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api/v1/common"
 )
@@ -393,6 +394,7 @@ func TestDiffSpecs(t *testing.T) {
 					spec.Project.Name = "some-project"
 					spec.Project.Namespace = "some-namespace"
 					spec.PasswordSecret = &common.ResourceRef{Name: "some-secret-ref"}
+					spec.ConnectionSecret = &api.LocalObjectReference{Name: "some-local-secret-ref"}
 					return spec
 				}(),
 			},
@@ -408,6 +410,7 @@ func TestDiffSpecs(t *testing.T) {
 					spec.Project.Name = "another-project"
 					spec.Project.Namespace = "another-namespace"
 					spec.PasswordSecret = &common.ResourceRef{Name: "another-secret-ref"}
+					spec.ConnectionSecret = &api.LocalObjectReference{Name: "another-local-secret-ref"}
 					return spec
 				}(),
 			},

pkg/api/credentials.go

@@ -0,0 +1,28 @@
+package api
+
+type LocalRef string
+
+// +k8s:deepcopy-gen=false
+
+// CredentialsProvider gives access to custom local credentials
+type CredentialsProvider interface {
+	Credentials() *LocalObjectReference
+}
+
+// +k8s:deepcopy-gen=false
+
+// ResourceWithCredentials is to be implemented by all CRDs using custom local credentials
+type ResourceWithCredentials interface {
+	CredentialsProvider
+	GetName() string
+	GetNamespace() string
+}
+
+// LocalCredentialHolder is to be embedded by Specs of CRDs using custom local credentials
+type LocalCredentialHolder struct {
+	ConnectionSecret *LocalObjectReference `json:"connectionSecret,omitempty"`
+}
+
+func (ch *LocalCredentialHolder) Credentials() *LocalObjectReference {
+	return ch.ConnectionSecret
+}

pkg/api/localref.go

@@ -0,0 +1,8 @@
+package api
+
+// LocalObjectReference is a reference to an object in the same namespace as the referent
+type LocalObjectReference struct {
+	// Name of the resource being referred to
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	Name string `json:"name"`
+}

pkg/api/v1/atlasdatabaseuser_types.go

@@ -52,6 +52,8 @@ const (
 
 // AtlasDatabaseUserSpec defines the desired state of Database User in Atlas
 type AtlasDatabaseUserSpec struct {
+	api.LocalCredentialHolder `json:",inline"`
+
 	// Project is a reference to AtlasProject resource the user belongs to
 	Project common.ResourceRefNamespaced `json:"projectRef"`
 
@@ -296,6 +298,10 @@ func (p *AtlasDatabaseUser) WithDeleteAfterDate(date string) *AtlasDatabaseUser
 	return p
 }
 
+func (p *AtlasDatabaseUser) Credentials() *api.LocalObjectReference {
+	return p.Spec.Credentials()
+}
+
 func DefaultDBUser(namespace, username, projectName string) *AtlasDatabaseUser {
 	return NewDBUser(namespace, username, username, projectName).WithRole("clusterMonitor", "admin", "")
 }

pkg/controller/atlasdatabaseuser/atlasdatabaseuser_controller.go

@@ -127,7 +127,16 @@ func (r *AtlasDatabaseUserReconciler) Reconcile(ctx context.Context, req ctrl.Re
 		return result.ReconcileResult(), nil
 	}
 
-	dus, err := dbuser.NewAtlasDatabaseUsersService(ctx, r.AtlasProvider, project.ConnectionSecretObjectKey(), log)
+	credentialsSecret, err := customresource.ComputeSecret(project, databaseUser)
+	if err != nil {
+		result = workflow.Terminate(workflow.Internal, err.Error())
+		workflowCtx.SetConditionFromResult(api.DatabaseUserReadyType, result)
+		log.Error(result.GetMessage())
+
+		return result.ReconcileResult(), nil
+	}
+
+	dus, err := dbuser.NewAtlasDatabaseUsersService(ctx, r.AtlasProvider, credentialsSecret, log)
 	if err != nil {
 		result = workflow.Terminate(workflow.AtlasAPIAccessNotConfigured, err.Error())
 		workflowCtx.SetConditionFromResult(api.DatabaseUserReadyType, result)
@@ -157,7 +166,7 @@ func (r *AtlasDatabaseUserReconciler) Reconcile(ctx context.Context, req ctrl.Re
 		return result.ReconcileResult(), nil
 	}
 
-	ds, err := deployment.NewAtlasDeploymentsService(ctx, r.AtlasProvider, project.ConnectionSecretObjectKey(), log, r.AtlasProvider.IsCloudGov())
+	ds, err := deployment.NewAtlasDeploymentsService(ctx, r.AtlasProvider, credentialsSecret, log, r.AtlasProvider.IsCloudGov())
 	if err != nil {
 		result = workflow.Terminate(workflow.AtlasAPIAccessNotConfigured, err.Error())
 		workflowCtx.SetConditionFromResult(api.DatabaseUserReadyType, result)

pkg/controller/atlasproject/atlasproject_controller_test.go

@@ -36,7 +36,7 @@ import (
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/indexer"
 )
 
-func TestRenconcile(t *testing.T) {
+func TestReconcile(t *testing.T) {
 	tests := map[string]struct {
 		atlasClientMocker func() *mongodbatlas.Client
 		atlasSDKMocker    func() *admin.APIClient

pkg/controller/customresource/customresource.go

@@ -4,13 +4,12 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/Masterminds/semver"
 	"go.uber.org/zap"
 	apiErrors "k8s.io/apimachinery/pkg/api/errors"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
-	"github.com/Masterminds/semver"
-
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api"
 	akov2 "github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api/v1"
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/controller/workflow"
@@ -139,3 +138,20 @@ func SetAnnotation(resource api.AtlasCustomResource, key, value string) {
 	annot[key] = value
 	resource.SetAnnotations(annot)
 }
+
+func ComputeSecret(project *akov2.AtlasProject, resource api.ResourceWithCredentials) (*client.ObjectKey, error) {
+	if resource == nil {
+		return nil, fmt.Errorf("resource cannot be nil")
+	}
+	creds := resource.Credentials()
+	if creds != nil && creds.Name != "" {
+		return &client.ObjectKey{
+			Namespace: resource.GetNamespace(),
+			Name:      creds.Name,
+		}, nil
+	}
+	if project == nil {
+		return nil, fmt.Errorf("project cannot be nil")
+	}
+	return project.ConnectionSecretObjectKey(), nil
+}

pkg/controller/customresource/customresource_test.go

@@ -6,11 +6,14 @@ import (
 
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api"
 	akov2 "github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api/v1"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api/v1/common"
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/api/v1/status"
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/pkg/version"
 
 	"github.com/stretchr/testify/assert"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 func TestResourceShouldBeLeftInAtlas(t *testing.T) {
@@ -227,3 +230,102 @@ func TestResourceVersionIsValid(t *testing.T) {
 		})
 	}
 }
+
+func TestComputeSecret(t *testing.T) {
+	for _, tt := range []struct {
+		name         string
+		project      *akov2.AtlasProject
+		resource     api.ResourceWithCredentials
+		wantRef      *types.NamespacedName
+		wantErrorMsg string
+	}{
+		{
+			name:         "nil inputs fails with resource cannot be nil",
+			wantErrorMsg: "resource cannot be nil",
+		},
+
+		{
+			name: "nil project ignored if resource is set",
+			resource: &akov2.AtlasDatabaseUser{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "local"},
+				Spec: akov2.AtlasDatabaseUserSpec{
+					LocalCredentialHolder: api.LocalCredentialHolder{
+						ConnectionSecret: &api.LocalObjectReference{Name: "local-secret"},
+					},
+				},
+			},
+			wantRef: &client.ObjectKey{
+				Name:      "local-secret",
+				Namespace: "local",
+			},
+		},
+
+		{
+			name:         "nil resource and empty project fails",
+			project:      &akov2.AtlasProject{},
+			wantErrorMsg: "resource cannot be nil",
+		},
+
+		{
+			name:     "when both are set empty it renders nil",
+			project:  &akov2.AtlasProject{},
+			resource: &akov2.AtlasDatabaseUser{},
+		},
+
+		{
+			name: "empty resource and proper project get creds from project",
+			project: &akov2.AtlasProject{
+				Spec: akov2.AtlasProjectSpec{
+					Name:                    "",
+					RegionUsageRestrictions: "",
+					ConnectionSecret: &common.ResourceRefNamespaced{
+						Name:      "project-secret",
+						Namespace: "some-namespace",
+					},
+				},
+			},
+			resource: &akov2.AtlasDatabaseUser{},
+			wantRef: &client.ObjectKey{
+				Name:      "project-secret",
+				Namespace: "some-namespace",
+			},
+		},
+
+		{
+			name: "when both are properly set the resource wins",
+			project: &akov2.AtlasProject{
+				Spec: akov2.AtlasProjectSpec{
+					Name:                    "",
+					RegionUsageRestrictions: "",
+					ConnectionSecret: &common.ResourceRefNamespaced{
+						Name:      "project-secret",
+						Namespace: "some-namespace",
+					},
+				},
+			},
+			resource: &akov2.AtlasDatabaseUser{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "local"},
+				Spec: akov2.AtlasDatabaseUserSpec{
+					LocalCredentialHolder: api.LocalCredentialHolder{
+						ConnectionSecret: &api.LocalObjectReference{Name: "local-secret"},
+					},
+				},
+			},
+			wantRef: &client.ObjectKey{
+				Name:      "local-secret",
+				Namespace: "local",
+			},
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := ComputeSecret(tt.project, tt.resource)
+			if tt.wantErrorMsg != "" {
+				assert.Nil(t, result, nil)
+				assert.ErrorContains(t, err, tt.wantErrorMsg)
+			} else {
+				assert.Equal(t, result, tt.wantRef)
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

pkg/operator/builder.go

@@ -262,14 +262,14 @@ func (b *Builder) Build(ctx context.Context) (manager.Manager, error) {
 		return nil, fmt.Errorf("unable to create controller AtlasFederatedAuth: %w", err)
 	}
 
-	streamsInstanceReconiler := atlasstream.NewAtlasStreamsInstanceReconciler(
+	streamsInstanceReconciler := atlasstream.NewAtlasStreamsInstanceReconciler(
 		mgr,
 		b.predicates,
 		b.atlasProvider,
 		b.deletionProtection,
 		b.logger,
 	)
-	if err = streamsInstanceReconiler.SetupWithManager(mgr, b.skipNameValidation); err != nil {
+	if err = streamsInstanceReconciler.SetupWithManager(mgr, b.skipNameValidation); err != nil {
 		return nil, fmt.Errorf("unable to create controller AtlasStreamsInstance: %w", err)
 	}