mongodb / mongodb-atlas-kubernetes

MongoDB Atlas Kubernetes Operator - Manage your MongoDB Atlas clusters from Kubernetes
http://www.mongodb.com/cloud/atlas
Apache License 2.0
146 stars, 75 forks

Connection string secret is duplicated in other namespaces #795

Closed. sunib closed this 1 year ago

sunib commented 1 year ago

What did you do to encounter the bug?

We are building a cloud solution where we want to give every customer its own dedicated environment to prevent data leakage and performance influence. Kubernetes is used for this and we give every customer its own namespace.

Inside this customer namespace, we create an AtlasDeployment and AtlasDatabaseUser.

```yaml
{{- $databaseName := printf "%s-%s" .Release.Namespace "microservice" }}
apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
  name: atlas-deployment-user
  labels:
    {{- include "microservice.labels" . | nindent 4 }}
spec:
  username: {{ $databaseName }}-dotnet-user
  passwordSecretRef:
    name: {{ $secretName }}   # $secretName is set elsewhere in the chart (not shown here)
  projectRef:
    name: mongodb-atlas-project
    namespace: mongodb-atlas
  roles:
    - databaseName: {{ $databaseName }}
      roleName: readWrite
---
apiVersion: atlas.mongodb.com/v1
kind: AtlasDeployment
metadata:
  name: atlas-deployment
  labels:
    {{- include "microservice.labels" . | nindent 4 }}
spec:
  projectRef:
    name: mongodb-atlas-project
    namespace: mongodb-atlas
  backupRef:  # For now we don't do backups! We want to switch to serverless but this does not create the required secret automatically ()!
    name: ''
    namespace: ''
  deploymentSpec:
    name: {{ $databaseName }}   # For example: customer1-acceptance-microservice, namespace in front to make searching easier
    providerSettings:
      instanceSizeName: M2
      backingProviderName: AZURE
      regionName: EUROPE_NORTH
      providerName: TENANT
```

This all creates the database, and even the connection string secret. But it also seems to iterate all the users from other namespaces. So what happens is that I also get the connection strings for other users in my namespace.

What did you expect?

I only expect the connection string in the namespace where the AtlasDeployment is created.

What happened instead?

It's now duplicated in all namespaces.

Customer 1:

Operator Information

https://mongodb.github.io/helm-charts mongodb-atlas-operator 1.5.0

No value overrides.

Kubernetes Cluster Information

AKS 1.24.3

Sugar-pack commented 1 year ago

Hi @sunib. By default, the user has access to all deployments in the project. You can define user access to some deployments by adding a scope section. For example:

```yaml
# Completed into a full AtlasDatabaseUser object; the answer originally showed only the spec.
apiVersion: atlas.mongodb.com/v1
kind: AtlasDatabaseUser
metadata:
  name: atlas-user2   # any name; the Atlas username is spec.username below
spec:
  passwordSecretRef:
    name: atlas-user-password2
  projectRef:
    name: my-project
    namespace: default
  roles:
    - databaseName: some-database
      roleName: readWrite
  scopes:                 # without this block the user can reach every deployment in the project
    - name: some-instance # must match deploymentSpec.name of the AtlasDeployment
      type: CLUSTER
  username: user2
```

Also, you can create separate projects for customers.
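To make the access rule above concrete for the per-tenant layout in this issue, here is a small model of which connection-string Secrets get produced and where. It is an added example, not code from the operator or from anyone in this thread. It assumes, following the reporter's observation, that the Secret for each (user, deployment) pair lands in the deployment's namespace; the function names (`has_access`, `expected_secrets`, `cross_namespace_secrets`, `scope_to_own_namespace`, `leak_report`) and the tenant names are constructed for the example and are not operator APIs.

```python
"""Model of where Atlas connection-string Secrets land in a multi-tenant cluster.

Added example, not the operator's own code. It encodes the rule stated in
the thread: an AtlasDatabaseUser without `scopes` can reach every deployment
in its project, so a connection Secret is produced for every (user, deployment)
pair; a `CLUSTER` scope restricts that to the named deployments. Secret
placement (the deployment's namespace) is an assumption taken from what the
reporter observed. Tenant and project names are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DatabaseUser:
    namespace: str
    username: str
    project: str
    cluster_scopes: frozenset = frozenset()  # empty == no `scopes` block


@dataclass(frozen=True)
class Deployment:
    namespace: str
    name: str       # deploymentSpec.name, e.g. customer1-microservice
    project: str


@dataclass(frozen=True)
class ConnectionSecret:
    namespace: str   # where the Secret is created (assumed: deployment's namespace)
    deployment: str  # deployment the credentials belong to
    username: str


def has_access(user: DatabaseUser, deployment: Deployment) -> bool:
    """Unscoped users reach every deployment in their project; scoped users only the listed ones."""
    if user.project != deployment.project:
        return False
    return not user.cluster_scopes or deployment.name in user.cluster_scopes


def expected_secrets(users, deployments) -> frozenset:
    """Every (user, deployment) pair that would be materialised as a Secret."""
    return frozenset(
        ConnectionSecret(d.namespace, d.name, u.username)
        for d in deployments
        for u in users
        if has_access(u, d)
    )


def cross_namespace_secrets(users, deployments) -> frozenset:
    """Secrets created outside the owning user's namespace: one tenant's credentials in another tenant's namespace."""
    home = {u.username: u.namespace for u in users}
    return frozenset(
        s for s in expected_secrets(users, deployments) if home[s.username] != s.namespace
    )


def scope_to_own_namespace(users, deployments):
    """Rewrite each user with a CLUSTER scope covering only deployments in its own namespace (the fix from the thread)."""
    return [
        replace(
            u,
            cluster_scopes=frozenset(
                d.name for d in deployments
                if d.namespace == u.namespace and d.project == u.project
            ),
        )
        for u in users
    ]


def tenant_objects(tenants, project="mongodb-atlas-project"):
    """Constructed per-tenant objects mirroring the issue's naming: <namespace>-microservice."""
    users, deployments = [], []
    for ns in tenants:
        db = f"{ns}-microservice"
        deployments.append(Deployment(ns, db, project))
        users.append(DatabaseUser(ns, f"{db}-dotnet-user", project))
    return users, deployments


def leak_report(tenants):
    """Return ((all, cross-namespace), (all, cross-namespace)) Secret sets before and after scoping."""
    users, deployments = tenant_objects(tenants)
    before = (expected_secrets(users, deployments), cross_namespace_secrets(users, deployments))
    scoped = scope_to_own_namespace(users, deployments)
    after = (expected_secrets(scoped, deployments), cross_namespace_secrets(scoped, deployments))
    return before, after


if __name__ == "__main__":
    (b_all, b_leak), (a_all, a_leak) = leak_report(["customer1", "customer2", "customer3"])
    print(f"unscoped: {len(b_all)} secrets, {len(b_leak)} in a foreign namespace")
    print(f"scoped:   {len(a_all)} secrets, {len(a_leak)} in a foreign namespace")
```

With three unscoped tenants the model yields nine Secrets, six of them in a namespace that does not belong to the user they carry; after scoping each user to its own deployment it yields three, none cross-namespace. The same counting is a useful acceptance check in a real cluster: after rolling out `scopes`, the number of connection Secrets per tenant namespace should equal the number of users that tenant owns times the deployments it owns.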

sunib commented 1 year ago

Thanks! I tried it and it actually works as I expected.