DOCSP-47923: kubernetes oidc

Author: rustagir

source/security/enterprise-auth.txt

@@ -369,6 +369,62 @@ see the corresponding syntax.
          :start-after: start-oidc-azure-mongo-cred
          :end-before: end-oidc-azure-mongo-cred
 
+.. _kotlin-sync-auth-kubernetes:
+
+Kubernetes
+~~~~~~~~~~
+
+If your application runs on a Kubernetes cluster, you can authenticate
+to MongoDB by using the {+driver-short+}'s built-in Kubernetes support.
+
+Select from the :guilabel:`Connection String` or
+:guilabel:`MongoCredential` tabs to see the corresponding syntax.
+
+.. tabs::
+
+   .. tab:: Connection String
+      :tabid: mongodb-kubernetes-connection-string
+
+      To specify Kubernetes OIDC as the authentication mechanism, set the following 
+      options in your connection string:
+
+      - ``authMechanism``: Set to ``MONGODB-OIDC``.
+      - ``authMechanismProperties``: Set to ``ENVIRONMENT:k8s``. 
+
+      Replace the ``<percent-encoded audience>`` placeholder in the
+      following code with the percent-encoded value of the audience server
+      parameter configured on your MongoDB deployment.
+
+      .. code-block:: kotlin
+      
+         val connectionString = ConnectionString(
+             "mongodb://<OIDC principal>@<hostname>:<port>/?" +
+                     "authMechanism=MONGODB-OIDC" +
+                     "&authMechanismProperties=ENVIRONMENT:k8s,TOKEN_RESOURCE:<percent-encoded audience>")
+         val mongoClient = MongoClient.create(connectionString)
+
+   .. tab:: MongoCredential
+      :tabid: mongodb-kubernetes-mongo-credential
+
+      Replace the ``hostname`` and ``port`` with the network address and port 
+      number of your MongoDB deployment. Also, replace the
+      ``<audience>`` placeholder with the value of the ``audience``
+      server parameter configured on your MongoDB deployment.
+
+      .. code-block:: kotlin
+      
+         val credential = MongoCredential.createOidcCredential("<OIDC principal>")
+             .withMechanismProperty("ENVIRONMENT", "k8s")
+             .withMechanismProperty("TOKEN_RESOURCE", "<audience>")
+         
+         val mongoClient = MongoClient.create(
+             MongoClientSettings.builder()
+                 .applyToClusterSettings { builder ->
+                     builder.hosts(listOf(ServerAddress("<hostname>", <port>)))
+                 }
+                 .credential(credential)
+                 .build())
+
 .. _kotlin-mongodb-oidc-gcp-imds:
 
 GCP IMDS

source/whats-new.txt

@@ -37,6 +37,11 @@ and features:
       :ref:`kotlin-sync-client-bulk-write-replace` sections of the Bulk Write
       Operations guide
 
+   .. replacement:: k8s-link
+
+      the :ref:`MONGODB-OIDC: Kubernetes <kotlin-sync-auth-kubernetes>`
+      section of the Enterprise Authentication Mechanisms guide
+
 .. _kotlin-sync-version-5.3:
 
 What's New in 5.3