private endpoint: add support for regional mode

Author: tvdw-mongodb

api/condition.go

@@ -48,23 +48,24 @@ const (
 
 // AtlasProject condition types
 const (
-	ProjectReadyType                  ConditionType = "ProjectReady"
-	IPAccessListReadyType             ConditionType = "IPAccessListReady"
-	MaintenanceWindowReadyType        ConditionType = "MaintenanceWindowReady"
-	PrivateEndpointServiceReadyType   ConditionType = "PrivateEndpointServiceReady"
-	PrivateEndpointReadyType          ConditionType = "PrivateEndpointReady"
-	NetworkPeerReadyType              ConditionType = "NetworkPeerReady"
-	CloudProviderIntegrationReadyType ConditionType = "CloudProviderIntegrationReady"
-	IntegrationReadyType              ConditionType = "ThirdPartyIntegrationReady"
-	AlertConfigurationReadyType       ConditionType = "AlertConfigurationReady"
-	EncryptionAtRestReadyType         ConditionType = "EncryptionAtRestReady"
-	AuditingReadyType                 ConditionType = "AuditingReady"
-	ProjectSettingsReadyType          ConditionType = "ProjectSettingsReady"
-	ProjectCustomRolesReadyType       ConditionType = "ProjectCustomRolesReady"
-	ProjectTeamsReadyType             ConditionType = "ProjectTeamsReady"
-	SearchIndexesReadyType            ConditionType = "AtlasSearchIndexesReady"
-	BackupComplianceReadyType         ConditionType = "BackupCompliancePolicyReady"
-	X509AuthReadyType                 ConditionType = "X509AuthReady"
+	ProjectReadyType                     ConditionType = "ProjectReady"
+	IPAccessListReadyType                ConditionType = "IPAccessListReady"
+	MaintenanceWindowReadyType           ConditionType = "MaintenanceWindowReady"
+	PrivateEndpointServiceReadyType      ConditionType = "PrivateEndpointServiceReady"
+	RegionalizedPrivateEndpointReadyType ConditionType = "RegionalizedPrivateEndpointReady"
+	PrivateEndpointReadyType             ConditionType = "PrivateEndpointReady"
+	NetworkPeerReadyType                 ConditionType = "NetworkPeerReady"
+	CloudProviderIntegrationReadyType    ConditionType = "CloudProviderIntegrationReady"
+	IntegrationReadyType                 ConditionType = "ThirdPartyIntegrationReady"
+	AlertConfigurationReadyType          ConditionType = "AlertConfigurationReady"
+	EncryptionAtRestReadyType            ConditionType = "EncryptionAtRestReady"
+	AuditingReadyType                    ConditionType = "AuditingReady"
+	ProjectSettingsReadyType             ConditionType = "ProjectSettingsReady"
+	ProjectCustomRolesReadyType          ConditionType = "ProjectCustomRolesReady"
+	ProjectTeamsReadyType                ConditionType = "ProjectTeamsReady"
+	SearchIndexesReadyType               ConditionType = "AtlasSearchIndexesReady"
+	BackupComplianceReadyType            ConditionType = "BackupCompliancePolicyReady"
+	X509AuthReadyType                    ConditionType = "X509AuthReady"
 )
 
 // AtlasDeployment condition types

api/v1/atlasproject_types.go

@@ -72,6 +72,11 @@ type AtlasProjectSpec struct {
 	// PrivateEndpoints is a list of Private Endpoints configured for the current Project.
 	PrivateEndpoints []PrivateEndpoint `json:"privateEndpoints,omitempty"`
 
+	// RegionalizedPrivateEndpoint allows to enable regionalized private endpoints. See more at
+	// https://www.mongodb.com/docs/atlas/security-private-endpoint/
+	// +optional
+	RegionalizedPrivateEndpoint *project.RegionalizedPrivateEndpoint `json:"regionalizedPrivateEndpoint,omitempty"`
+
 	// CloudProviderAccessRoles is a list of Cloud Provider Access Roles configured for the current Project.
 	// Deprecated: This configuration was deprecated in favor of CloudProviderIntegrations
 	CloudProviderAccessRoles []CloudProviderAccessRole `json:"cloudProviderAccessRoles,omitempty"`

api/v1/project/regionalized_private_endpoint.go

@@ -0,0 +1,21 @@
+// Copyright 2025 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package project
+
+type RegionalizedPrivateEndpoint struct {
+	// Flag indicating whether regionalized private endpoint mode should be enabled.
+	// +optional
+	Enabled bool `json:"enabled,omitempty"`
+}

api/v1/zz_generated.deepcopy.go

@@ -902,6 +902,16 @@ spec:
                 - GOV_REGIONS_ONLY
                 - COMMERCIAL_FEDRAMP_REGIONS_ONLY
                 type: string
+              regionalizedPrivateEndpoint:
+                description: |-
+                  RegionalizedPrivateEndpoint allows to enable regionalized private endpoints. See more at
+                  https://www.mongodb.com/docs/atlas/security-private-endpoint/
+                properties:
+                  enabled:
+                    description: Flag indicating whether regionalized private endpoint
+                      mode should be enabled.
+                    type: boolean
+                type: object
               settings:
                 description: Settings allow to set Project Settings for the project
                 properties:

config/crd/bases/atlas.mongodb.com_atlasprojects.yaml

@@ -190,6 +190,11 @@ func (r *AtlasProjectReconciler) ensureProjectResources(workflowCtx *workflow.Co
 	}
 	results = append(results, result)
 
+	if result = r.ensureRegionalizedPrivateEndpointMode(workflowCtx, project); result.IsOk() {
+		r.EventRecorder.Event(project, "Normal", string(api.RegionalizedPrivateEndpointReadyType), "")
+	}
+	results = append(results, result)
+
 	if result = ensureCloudProviderIntegration(workflowCtx, project); result.IsOk() {
 		r.EventRecorder.Event(project, "Normal", string(api.CloudProviderIntegrationReadyType), "")
 	}

internal/controller/atlasproject/atlasproject_controller.go

@@ -0,0 +1,52 @@
+// Copyright 2025 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package atlasproject
+
+import (
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api"
+	akov2 "github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/controller/workflow"
+	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/translation/privateendpoint"
+)
+
+// ensureRegionalizedPrivateEndpointMode ensures that if the AtlasProject spec
+// defines a regionalized private endpoint setting, it is reflected in Atlas.
+func (r *AtlasProjectReconciler) ensureRegionalizedPrivateEndpointMode(workflowCtx *workflow.Context, atlasProject *akov2.AtlasProject) workflow.DeprecatedResult {
+	if atlasProject.Spec.RegionalizedPrivateEndpoint == nil {
+		workflowCtx.UnsetCondition(api.RegionalizedPrivateEndpointReadyType)
+		return workflow.OK()
+	}
+
+	expectedMode := atlasProject.Spec.RegionalizedPrivateEndpoint.Enabled
+
+	peApi := privateendpoint.NewPrivateEndpointAPI(workflowCtx.SdkClientSet.SdkClient20250312002.PrivateEndpointServicesApi)
+	currentMode, err := peApi.GetRegionalizedPrivateEndpointSetting(workflowCtx.Context, atlasProject.ID())
+	if err != nil {
+		result := workflow.Terminate(workflow.ProjectRegionalizedEndpointModeIsNotReadyInAtlas, err)
+		workflowCtx.SetConditionFromResult(api.RegionalizedPrivateEndpointReadyType, result)
+		return result
+	}
+
+	if currentMode != expectedMode {
+		if _, err := peApi.ToggleRegionalizedPrivateEndpointSetting(workflowCtx.Context, atlasProject.ID(), expectedMode); err != nil {
+			result := workflow.Terminate(workflow.ProjectRegionalizedEndpointModeIsNotReadyInAtlas, err)
+			workflowCtx.SetConditionFromResult(api.RegionalizedPrivateEndpointReadyType, result)
+			return result
+		}
+	}
+
+	workflowCtx.SetConditionTrue(api.RegionalizedPrivateEndpointReadyType)
+	return workflow.OK()
+}

internal/controller/atlasproject/regionalized_private_endpoint.go

@@ -33,32 +33,33 @@ const (
 
 // Atlas Project reasons
 const (
-	ProjectNotCreatedInAtlas                   ConditionReason = "ProjectNotCreatedInAtlas"
-	ProjectBeingConfiguredInAtlas              ConditionReason = "ProjectBeingConfiguredInAtlas"
-	ProjectIPAccessInvalid                     ConditionReason = "ProjectIPAccessListInvalid"
-	ProjectIPNotCreatedInAtlas                 ConditionReason = "ProjectIPAccessListNotCreatedInAtlas"
-	ProjectWindowInvalid                       ConditionReason = "ProjectWindowInvalid"
-	ProjectWindowNotObtainedFromAtlas          ConditionReason = "ProjectWindowNotObtainedFromAtlas"
-	ProjectWindowNotCreatedInAtlas             ConditionReason = "ProjectWindowNotCreatedInAtlas"
-	ProjectWindowNotDeletedInAtlas             ConditionReason = "projectWindowNotDeletedInAtlas"
-	ProjectWindowNotDeferredInAtlas            ConditionReason = "ProjectWindowNotDeferredInAtlas"
-	ProjectWindowNotAutoDeferredInAtlas        ConditionReason = "ProjectWindowNotAutoDeferredInAtlas"
-	ProjectPEServiceIsNotReadyInAtlas          ConditionReason = "ProjectPrivateEndpointServiceIsNotReadyInAtlas"
-	ProjectPEInterfaceIsNotReadyInAtlas        ConditionReason = "ProjectPrivateEndpointIsNotReadyInAtlas"
-	ProjectIPAccessListNotActive               ConditionReason = "ProjectIPAccessListNotActive"
-	ProjectIntegrationInternal                 ConditionReason = "ProjectIntegrationInternalError"
-	ProjectIntegrationRequest                  ConditionReason = "ProjectIntegrationRequestError"
-	ProjectIntegrationReady                    ConditionReason = "ProjectIntegrationReady"
-	ProjectPrivateEndpointIsNotReadyInAtlas    ConditionReason = "ProjectPrivateEndpointIsNotReadyInAtlas"
-	ProjectNetworkPeerIsNotReadyInAtlas        ConditionReason = "ProjectNetworkPeerIsNotReadyInAtlas"
-	ProjectEncryptionAtRestReady               ConditionReason = "ProjectEncryptionAtRestReady"
-	ProjectCloudIntegrationsIsNotReadyInAtlas  ConditionReason = "ProjectCloudIntegrationsIsNotReadyInAtlas"
-	ProjectAuditingReady                       ConditionReason = "ProjectAuditingReady"
-	ProjectSettingsReady                       ConditionReason = "ProjectSettingsReady"
-	ProjectAlertConfigurationIsNotReadyInAtlas ConditionReason = "ProjectAlertConfigurationIsNotReadyInAtlas"
-	ProjectCustomRolesReady                    ConditionReason = "ProjectCustomRolesReady"
-	ProjectTeamUnavailable                     ConditionReason = "ProjectTeamUnavailable"
-	ProjectX509NotConfigured                   ConditionReason = "ProjectX509NotConfigured"
+	ProjectNotCreatedInAtlas                         ConditionReason = "ProjectNotCreatedInAtlas"
+	ProjectBeingConfiguredInAtlas                    ConditionReason = "ProjectBeingConfiguredInAtlas"
+	ProjectIPAccessInvalid                           ConditionReason = "ProjectIPAccessListInvalid"
+	ProjectIPNotCreatedInAtlas                       ConditionReason = "ProjectIPAccessListNotCreatedInAtlas"
+	ProjectWindowInvalid                             ConditionReason = "ProjectWindowInvalid"
+	ProjectWindowNotObtainedFromAtlas                ConditionReason = "ProjectWindowNotObtainedFromAtlas"
+	ProjectWindowNotCreatedInAtlas                   ConditionReason = "ProjectWindowNotCreatedInAtlas"
+	ProjectWindowNotDeletedInAtlas                   ConditionReason = "projectWindowNotDeletedInAtlas"
+	ProjectWindowNotDeferredInAtlas                  ConditionReason = "ProjectWindowNotDeferredInAtlas"
+	ProjectWindowNotAutoDeferredInAtlas              ConditionReason = "ProjectWindowNotAutoDeferredInAtlas"
+	ProjectPEServiceIsNotReadyInAtlas                ConditionReason = "ProjectPrivateEndpointServiceIsNotReadyInAtlas"
+	ProjectPEInterfaceIsNotReadyInAtlas              ConditionReason = "ProjectPrivateEndpointIsNotReadyInAtlas"
+	ProjectIPAccessListNotActive                     ConditionReason = "ProjectIPAccessListNotActive"
+	ProjectIntegrationInternal                       ConditionReason = "ProjectIntegrationInternalError"
+	ProjectIntegrationRequest                        ConditionReason = "ProjectIntegrationRequestError"
+	ProjectIntegrationReady                          ConditionReason = "ProjectIntegrationReady"
+	ProjectPrivateEndpointIsNotReadyInAtlas          ConditionReason = "ProjectPrivateEndpointIsNotReadyInAtlas"
+	ProjectRegionalizedEndpointModeIsNotReadyInAtlas ConditionReason = "ProjectRegionalizedEndpointModeIsNotReadyInAtlas"
+	ProjectNetworkPeerIsNotReadyInAtlas              ConditionReason = "ProjectNetworkPeerIsNotReadyInAtlas"
+	ProjectEncryptionAtRestReady                     ConditionReason = "ProjectEncryptionAtRestReady"
+	ProjectCloudIntegrationsIsNotReadyInAtlas        ConditionReason = "ProjectCloudIntegrationsIsNotReadyInAtlas"
+	ProjectAuditingReady                             ConditionReason = "ProjectAuditingReady"
+	ProjectSettingsReady                             ConditionReason = "ProjectSettingsReady"
+	ProjectAlertConfigurationIsNotReadyInAtlas       ConditionReason = "ProjectAlertConfigurationIsNotReadyInAtlas"
+	ProjectCustomRolesReady                          ConditionReason = "ProjectCustomRolesReady"
+	ProjectTeamUnavailable                           ConditionReason = "ProjectTeamUnavailable"
+	ProjectX509NotConfigured                         ConditionReason = "ProjectX509NotConfigured"
 )
 
 // Atlas Backup Compliance Policy reasons