(DOCSP-44437) Modify DB User and Deployment resources. (#152)

* (DOCSP-44437) Modify DB User and Deployment resources.

* (DOCSP-44437) Incidental typo fix.

* (DOCSP-44437) General descriptions

Create the Independent CRD page, set up refs to it where necessary
in the general docs.

* (DOCSP-44437) Finalize first draft.

Flesh out Independent CRD page, add info about
spec.connectionSecretRef.name to both modified
resources.

* (DOCSP-44437) Tech review, part 1

* (DOCSP-44437) Technical review, part 2

* (DOCSP-44437) Technical review, part 3

* (DOCSP-44437) Technical review, part 4

* Technical review, part 5 + Copy review

* Technical review, part 6

* (DOCSP-44437) Technical review, part 7

* (DOCSP-44437)

* (DOCSP-44437)

* (DOCSP-44437) Technical review, part 8

* (DOCSP-44437) Tech review, part 9

* (DOCSP-44437) Technical review, part 10

* (DOCSP-44437) Technical review, part 11

* (DOCSP-44437) Formatting fix.

Author: lmkerbey-mdb

source/ak8so-get-started.txt

@@ -40,6 +40,18 @@ in the |service-fullname| for Government documentation.
 The :ref:`ak8so-for-gov-ref` page describes how to configure |ak8so| to 
 manage resources in |service| for Government.
 
+Independent Custom Resource Definitions
+---------------------------------------
+
+You can use |ak8so| to manage specific resources within an |service|
+project without configuring |ak8so| to manage the project itself. This
+allows you to use different programmatic infrastructure management
+systems for your projects, while you use |ak8so| to manage more
+frequently-altered resources such as database users or individual
+deployments.
+
+To learn more, see :ref:`ak8so-independent-crd`.
+
 Compatibility
 -------------
 
@@ -56,5 +68,6 @@ To learn more, see :ref:`ak8so-compatibility-ref`.
    Verify Integrity of Packages </ak8so-verify-packages>
    Helm Charts Quick Start </ak8so-quick-start-helm>
    Atlas for Government </ak8so-for-gov>
+   Independent Custom Resource Definitions </ak8so-independent-crd>
    Compatibility </ak8so-compatibility>
-   
+   

source/ak8so-independent-crd.txt

@@ -0,0 +1,174 @@
+.. _ak8so-independent-crd:
+
+=======================================
+Independent Custom Resource Definitions
+=======================================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+You can use |ak8so| to manage resources in an |service| project
+without using |ak8so| to manage the project itself. In this
+independent custom resource definition ("independent CRD") model, you
+associate resources such as :ref:`atlasdeployment-custom-resource` and
+:ref:`atlasdatabaseuser-custom-resource` with an |service| project
+directly by its |service| :atlas:`ID <project-id>`.
+
+Independent CRDs allow you to use different programmatic
+infrastructure management systems for your projects, while you use
+|ak8so| to manage more frequently-altered resources such as database
+users or individual deployments.
+
+By separating the management of the |service| project from the
+management of subresources such as users and deployments, independent
+CRDs allow you to allocate these responsibilities to different
+personnel or different teams within your organization as suits your
+needs.
+
+.. _ak8so-independent-crd-considerations:
+
+Considerations
+--------------
+
+When you use |ak8so| to manage a project, you can either configure
+{+atlas-admin-api+} authentication using the
+``spec.connectionSecretRef.name`` parameter of the ``atlasProject``
+resource, or leave this parameter unset to default to global |service|
+:ref:`credentials <ak8so-secrets>`. When using independent CRDs, you
+can specify a ``spec.connectionSecret.name`` for each resource. This
+parameter, if set, takes precedence over
+``spec.connectionSecretRef.name`` or global |service|
+credentials.
+
+Setting this parameter is required for any resource whose parent
+resource is referenced using an |service| :atlas:`project ID
+<project-id>`, and optional otherwise.
+
+.. example::
+
+   You define an ``atlasDeployment`` CRD that references its parent
+   project by |service| ID instead of an ``atlasProject``
+   ``spec.name`` parameter.  You must define a
+   ``spec.connectSecret.name`` for the ``atlasDeployment``
+   resource, as in the following:
+
+   .. code-block::
+
+      apiVersion: atlas.mongodb.com/v1
+      kind: AtlasDeployment
+      metadata:
+	name: test-cluster-name
+	namespace: mongodb-atlas-system
+      spec:
+	externalProjectRef:
+	  id: 671998971c8520583f24f411
+	connectionSecret:
+	  name: my-atlas-key
+	deploymentSpec:
+	  clusterType: REPLICASET
+	  name: service-name
+	  tags: 
+	  - key: "environment"
+	    value: "production"
+	  backupEnabled: true
+	  replicationSpecs:
+	    - zoneName: US-Zone
+	      numShards: 3
+	      regionConfigs:
+		- regionName: CENTRAL_US
+		  providerName: GCP
+		  backingProviderName: GCP
+		  priority: 7
+		  electableSpecs:
+		    instanceSize: M10
+		    nodeCount: 3       
+
+.. _ak8so-independent-crd-migrate:
+
+Migration to Independent CRD
+----------------------------
+
+To migrate existing CRDs from ``atlasProject``-level management to
+independent management:
+
+.. procedure::
+   :style: normal
+
+   .. step:: Disable project reconciliation and edit subresource
+      references
+
+      1. Add the ``mongodb.com/atlas-reconciliation-policy: "skip"``
+         annotation to the parent resource's ``metadata``. This
+         prevents |ak8so| from attempting to reconcile the parent
+         resource and its subresources. Consider the following:
+
+	 .. code-block::
+	    :emphasize-lines: 5-6
+
+	    apiVersion: atlas.mongodb.com/v1
+	    kind: AtlasProject
+	    metadata:
+	     name: my-project
+	     annotations: 
+	       mongodb.com/atlas-reconciliation-policy: "skip"
+	    spec:
+	     name: Test project
+	     connectionSecretRef:
+	       name: my-atlas-key
+	     projectIpAccessList:
+	       - cidrBlock: "203.0.113.0/24"
+		 comment: "CIDR block for Application Server B - D"     
+
+         .. warning::
+
+            If you do not apply this annotation, |ak8so| will continue
+	    to attempt reconciliation as you modify your other
+	    resources. For users with :ref:`<deletion-protection>`
+	    disabled, this can result in |ak8so| removing the
+	    |service| project when you remove the ``atlasProject``
+	    resource, or entering a blocked state attempting to remove
+	    a project with active subresources such as database users
+	    or deployments.
+
+      #. Modify the project reference to point to an |service|
+         :atlas:`project ID <project-id>` instead of an
+         ``atlasProject`` name.
+
+	 For example, to decouple an ``atlasDatabaseUser`` resource:
+
+	 .. code-block::
+	    :emphasize-lines: 9-10
+
+	    apiVersion: atlas.mongodb.com/v1
+	    kind: AtlasDatabaseUser
+	    metadata:
+	     name: my-database-user
+	    spec:
+	     roles:
+	       - roleName: readWriteAnyDatabase
+		 databaseName: admin
+	     externalProjectRef:
+	       id: 671998971c8520583f24f411
+	     username: theuser
+	     passwordSecretRef:
+	       name: the-user-password       
+
+   .. step:: Wait for |ak8so| to sync the new resource status.
+
+   .. step:: (Conditional) Remove the ``atlasProject`` CRD.
+
+      To stop managing your project with |ak8so|, you can now remove
+      the ``atlasProject`` CRD. To continue managing your project and
+      attached subresources with |ak8so|, skip to the next step.
+      
+   .. step:: (Conditional) Remove the reconciliation policy annotation
+
+      If you want to continue managing your project with |ak8so|, as in
+      a scenario where you still have resources subordinate to your
+      ``atlasProject``, reactivate reconciliation by removing the
+      reconciliation policy annotation from the ``atlasProject`` CRD.

source/ak8so-unified-access.txt

@@ -17,6 +17,15 @@ Set Up Unified Cloud Provider Integrations
 You can use |ak8so| to set up unified access for an |aws| |iam| role
 in the :ref:`atlasproject-custom-resource`.
 
+.. important::
+
+   If you operate |ak8so| under an :ref:`independent CRD model
+   <ak8so-independent-crd>`, you cannot configure |aws| |iam|
+   authentication using ``atlasProject`` parameters. To configure
+   |aws| |iam| authentication for your |service| project directly,
+   please see :ref:`aws-iam-authentication <Set Up Authentication with
+   AWS IAM>`.
+
 Prerequisites
 -------------
 
@@ -167,4 +176,4 @@ Procedure
            but you have not specified the 
            ``spec.cloudProviderIntegrations.iamAssumedRoleArn``.
          - If the status is ``READY``, |service| has created the role
-           and you have authorized it within |aws|.
+           and you have authorized it within |aws|.

source/atlasdatabaseuser-custom-resource.txt

@@ -331,6 +331,27 @@ to customize your specifications.
       * - ROLE
         - User who authenticates with the |aws| |iam| credentials associated with the user's role.
 
+.. setting:: spec.connectionSecret.name
+
+   *Type*: string
+
+   *Conditional*
+
+   Name of the opaque |k8s-secret| that contains the organization ID
+   and :ref:`API keys <about-org-api-keys>` that |ak8so| uses to
+   :ref:`connect <ak8so-access-to-atlas-ref>` to |service|.  If
+   unspecified, |ak8so| falls back to either:
+
+   - The ``spec.connectionSecretRef.name`` parameter of the parent
+     ``atlasProject``
+   - The default ``global`` secret, if ``spec.connectionSecretRef.name``
+     is undefined for the parent ``atlasProject``
+
+   This parameter is mandatory for :ref:`independent CRDs
+   <ak8so-independent-crd>`.
+   
+   .. include:: /includes/fact-ak8so-label-secret.rst
+
 .. setting:: spec.databaseName
 
    *Type*: string
@@ -347,6 +368,24 @@ to customize your specifications.
    If the database user authenticates with :ref:`X.509 <ak8so-x509>`, 
    this value must be ``\$external``.
 
+.. setting:: spec.externalProjectRef.id
+
+   *Type*: string
+
+   *Conditional*
+
+   ID of the project to which the database user belongs. You must
+   specify the project ID of an existing :ref:`Atlas Project
+   <manage-projects>`. This parameter is required for database users
+   who belong to projects managed by either:
+
+   - A different instance of |ak8so|
+   - Tooling other than |ak8so|
+
+   For database users who belong to projects managed by
+   the same instance of |ak8so|, use ``spec.projectRef.name`` if you
+   do not use ``spec.externalProjectRef.id``.
+
 .. setting:: spec.oidcAuthType
 
    *Type*: string
@@ -369,13 +408,23 @@ to customize your specifications.
    :manual:`SCRAM-SHA </core/security-scram>` authentication method 
    requires this parameter.
 
-:setting:`spec.projectRef.name`
+.. setting:: spec.projectRef.name
+
    *Type*: string
 
-   *Required*
+   *Conditional*
+
+   Name of the project to which the database user belongs. You must
+   specify an existing :ref:`atlasproject-custom-resource`. This
+   parameter applies only to database users who belong to projects
+   managed by the same instance |ak8so|.
+
+   For database users who belong to projects managed by either:
+
+   - a different instance of |ak8so|
+   - tooling other than |ak8so|
 
-   Name of the project where the database user belongs. You must 
-   specify an existing :ref:`atlasproject-custom-resource`.
+   use ``spec.externalProjectRef.name``.
 
 .. setting:: spec.roles
 

source/atlasdeployment-custom-resource.txt

@@ -460,6 +460,27 @@ examples, and the |api| documentation.
    :ref:`atlasbackupschedule-custom-resource` for the backup schedule
    that you want to apply.
 
+.. setting:: spec.connectionSecret.name
+
+   *Type*: string
+
+   *Conditional*
+
+   Name of the opaque |k8s-secret| that contains the organization ID
+   and :ref:`API keys <about-org-api-keys>` that |ak8so| uses to
+   :ref:`connect <ak8so-access-to-atlas-ref>` to |service|.  If
+   unspecified, |ak8so| falls back to either:
+
+   - The ``spec.connectionSecretRef.name`` parameter of the parent
+     ``atlasProject``
+   - The default ``global`` secret, if ``spec.connectionSecretRef.name``
+     is undefined for the parent ``atlasProject``
+
+   This parameter is mandatory for :ref:`independent CRDs
+   <ak8so-independent-crd>`.
+   
+   .. include:: /includes/fact-ak8so-label-secret.rst
+
 .. setting:: spec.deploymentSpec
 
    *Type*: array
@@ -1350,6 +1371,24 @@ examples, and the |api| documentation.
      If you set this parameter to ``CONTINUOUS``, you must omit the 
      :setting:`spec.deploymentSpec.mongoDBMajorVersion` parameter.
 
+.. setting:: spec.externalProjectRef.id
+
+   *Type*: string
+
+   *Conditional*
+
+   ID of the project to which the deployment belongs. You must
+   specify the project ID of an existing :ref:`Atlas Project
+   <manage-projects>`. This parameter is required for deployments
+   who belong to projects managed by either:
+
+   - A different instance of |ak8so|
+   - Tooling other than |ak8so|
+
+   For deployments who belong to projects managed by
+   the same instance of |ak8so|, use ``spec.projectRef.name`` if you
+   do not use ``spec.externalProjectRef.id``.
+
 .. setting:: spec.processArgs
 
    *Type*: object
@@ -1488,11 +1527,20 @@ examples, and the |api| documentation.
 
    *Type*: string
 
-   *Required*
+   *Conditional*
+
+   Name of the project to which the deployment belongs. You must
+   specify an existing :ref:`atlasproject-custom-resource`. This
+   parameter applies only to deployments that belong to projects
+   managed by the same instance |ak8so|.
 
-   Name of the project where the {+cluster+} belongs. You must specify 
-   an existing :ref:`atlasproject-custom-resource`.
+   For deployments that belong to projects managed by either:
 
+   - a different instance of |ak8so|
+   - tooling other than |ak8so|
+
+   use ``spec.externalProjectRef.name``.
+   
 .. setting:: spec.serverlessSpec
 
    *Type*: array

source/includes/unified-access-intro.rst

@@ -2,7 +2,7 @@ Some |service| features, including :ref:`Data Federation
 <atlas-data-federation>` and :ref:`Encryption at Rest 
 <security-aws-kms>`, authenticate with |aws| `IAM roles 
 <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html>`__. 
-When |service| accesses |aws| services, 
+When |service| accesses |aws| services, it
 `assumes an IAM role
 <https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html>`__.