DOCSP-47923: kubernetes oidc (#86)

* DOCSP-47923: kubernetes oidc

* ordering

* includes

Author: rustagir

source/includes/security/enterprise-auth.kt

@@ -121,6 +121,28 @@ val mongoClient = MongoClient.create(
         .build())
 // end-oidc-gcp-mongo-cred
 
+// start-oidc-k8s-connect-str
+val connectionString = ConnectionString(
+    "mongodb://<OIDC principal>@<hostname>:<port>/?" +
+            "authMechanism=MONGODB-OIDC" +
+            "&authMechanismProperties=ENVIRONMENT:k8s,TOKEN_RESOURCE:<percent-encoded audience>")
+val mongoClient = MongoClient.create(connectionString)
+// end-oidc-k8s-connect-str
+
+// start-oidc-k8s-mongo-cred
+val credential = MongoCredential.createOidcCredential("<OIDC principal>")
+    .withMechanismProperty("ENVIRONMENT", "k8s")
+    .withMechanismProperty("TOKEN_RESOURCE", "<audience>")
+
+val mongoClient = MongoClient.create(
+    MongoClientSettings.builder()
+        .applyToClusterSettings { builder ->
+            builder.hosts(listOf(ServerAddress("<hostname>", <port>)))
+        }
+        .credential(credential)
+        .build())
+// end-oidc-k8s-mongo-cred
+
 // start-oidc-custom-callback
 val credential = MongoCredential.createOidcCredential(null)
     .withMechanismProperty("OIDC_CALLBACK") { context: Context ->

source/security/enterprise-auth.txt

@@ -419,6 +419,52 @@ see the corresponding syntax.
          :start-after: start-oidc-gcp-mongo-cred
          :end-before: end-oidc-gcp-mongo-cred
 
+.. _kotlin-sync-auth-kubernetes:
+
+Kubernetes
+~~~~~~~~~~
+
+If your application runs on a Kubernetes cluster, you can authenticate
+to MongoDB by using the {+driver-short+}'s built-in Kubernetes support.
+
+Select from the :guilabel:`Connection String` or
+:guilabel:`MongoCredential` tabs to see the corresponding syntax.
+
+.. tabs::
+
+   .. tab:: Connection String
+      :tabid: mongodb-kubernetes-connection-string
+
+      To specify Kubernetes OIDC as the authentication mechanism, set the following 
+      options in your connection string:
+
+      - ``authMechanism``: Set to ``MONGODB-OIDC``.
+      - ``authMechanismProperties``: Set to ``ENVIRONMENT:k8s``. 
+
+      Replace the ``<percent-encoded audience>`` placeholder in the
+      following code with the percent-encoded value of the audience server
+      parameter configured on your MongoDB deployment.
+
+      .. literalinclude:: /includes/security/enterprise-auth.kt
+         :language: kotlin
+         :dedent:
+         :start-after: start-oidc-k8s-connect-str
+         :end-before: end-oidc-k8s-connect-str
+
+   .. tab:: MongoCredential
+      :tabid: mongodb-kubernetes-mongo-credential
+
+      Replace the ``hostname`` and ``port`` with the network address and port 
+      number of your MongoDB deployment. Also, replace the
+      ``<audience>`` placeholder with the value of the ``audience``
+      server parameter configured on your MongoDB deployment.
+
+      .. literalinclude:: /includes/security/enterprise-auth.kt
+         :language: kotlin
+         :dedent:
+         :start-after: start-oidc-k8s-mongo-cred
+         :end-before: end-oidc-k8s-mongo-cred
+
 Custom Callback
 ~~~~~~~~~~~~~~~
 

source/whats-new.txt

@@ -37,6 +37,11 @@ and features:
       :ref:`kotlin-sync-client-bulk-write-replace` sections of the Bulk Write
       Operations guide
 
+   .. replacement:: k8s-link
+
+      the :ref:`MONGODB-OIDC: Kubernetes <kotlin-sync-auth-kubernetes>`
+      section of the Enterprise Authentication Mechanisms guide
+
 .. _kotlin-sync-version-5.3:
 
 What's New in 5.3