From 772ce5318e97ddba497cfe849f9356ca1ea28810 Mon Sep 17 00:00:00 2001
From: rustagir
Date: Mon, 17 Mar 2025 13:24:04 -0400
Subject: [PATCH 1/3] DOCSP-47923: kubernetes oidc
---
 source/security/enterprise-auth.txt | 56 +++++++++++++++++++++++++++++
 source/whats-new.txt | 5 +++
 2 files changed, 61 insertions(+)
diff --git a/source/security/enterprise-auth.txt b/source/security/enterprise-auth.txt
index 512e4293..19deb9b5 100644
--- a/source/security/enterprise-auth.txt
+++ b/source/security/enterprise-auth.txt
@@ -369,6 +369,62 @@ see the corresponding syntax. :start-after: start-oidc-azure-mongo-cred :end-before: end-oidc-azure-mongo-cred +.. _kotlin-sync-auth-kubernetes: + +Kubernetes +~~~~~~~~~~ + +If your application runs on a Kubernetes cluster, you can authenticate +to MongoDB by using the {+driver-short+}'s built-in Kubernetes support. + +Select from the :guilabel:`Connection String` or +:guilabel:`MongoCredential` tabs to see the corresponding syntax. + +.. tabs:: + + .. tab:: Connection String + :tabid: mongodb-kubernetes-connection-string + + To specify Kubernetes OIDC as the authentication mechanism, set the following + options in your connection string: + + - ``authMechanism``: Set to ``MONGODB-OIDC``. + - ``authMechanismProperties``: Set to ``ENVIRONMENT:k8s``. + + Replace the ```` placeholder in the + following code with the percent-encoded value of the audience server + parameter configured on your MongoDB deployment. + + .. code-block:: kotlin + + val connectionString = ConnectionString( + "mongodb://@:/?" + + "authMechanism=MONGODB-OIDC" + + "&authMechanismProperties=ENVIRONMENT:k8s,TOKEN_RESOURCE:") + val mongoClient = MongoClient.create(connectionString) + + .. tab:: MongoCredential + :tabid: mongodb-kubernetes-mongo-credential + + Replace the ``hostname`` and ``port`` with the network address and port + number of your MongoDB deployment. Also, replace the + ```` placeholder with the value of the ``audience`` + server parameter configured on your MongoDB deployment. + + .. code-block:: kotlin + + val credential = MongoCredential.createOidcCredential("") + .withMechanismProperty("ENVIRONMENT", "k8s") + .withMechanismProperty("TOKEN_RESOURCE", "") + + val mongoClient = MongoClient.create( + MongoClientSettings.builder() + .applyToClusterSettings { builder -> + builder.hosts(listOf(ServerAddress("", ))) + } + .credential(credential) + .build()) + .. _kotlin-mongodb-oidc-gcp-imds: GCP IMDS 
diff --git a/source/whats-new.txt b/source/whats-new.txt index eaab4c79..a2f4d56d 100644 --- a/source/whats-new.txt +++ b/source/whats-new.txt @@ -37,6 +37,11 @@ and features: :ref:`kotlin-sync-client-bulk-write-replace` sections of the Bulk Write Operations guide + .. replacement:: k8s-link + + the :ref:`MONGODB-OIDC: Kubernetes ` + section of the Enterprise Authentication Mechanisms guide + .. _kotlin-sync-version-5.3: What's New in 5.3 From a97dcdff468be6953ecd7ad48cc028881a0be7e8 Mon Sep 17 00:00:00 2001 From: rustagir Date: Mon, 17 Mar 2025 13:25:49 -0400 Subject: [PATCH 2/3] ordering --- source/security/enterprise-auth.txt | 100 ++++++++++++++-------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/source/security/enterprise-auth.txt b/source/security/enterprise-auth.txt index 19deb9b5..c51b7933 100644 --- a/source/security/enterprise-auth.txt +++ b/source/security/enterprise-auth.txt 
@@ -369,6 +369,56 @@ see the corresponding syntax. :start-after: start-oidc-azure-mongo-cred :end-before: end-oidc-azure-mongo-cred +.. _kotlin-mongodb-oidc-gcp-imds: + +GCP IMDS +~~~~~~~~ + +If your application runs on a Google Compute Engine VM, or otherwise uses the +`GCP Instance Metadata Service `__, +you can authenticate to MongoDB by using the {+driver-short+}'s built-in GCP +support. + +You can specify GCP IMDS OIDC authentication either by +using a ``MongoCredential`` instance or by specifying your credentials +in the connection string. + +Select from the :guilabel:`Connection String` or :guilabel:`MongoCredential` tabs to +see the corresponding syntax. + +.. tabs:: + + .. tab:: Connection String + :tabid: mongodb-gcp-imds-connection-string + + Replace the ```` placeholder in the + following code with the percent-encoded value of the audience server + parameter configured on your MongoDB deployment. + + The comma (``,``) character and its encoding (``%2C``) are + reserved, and using these characters in a value causes the + driver to interpret commas as delimiters of key-value pairs. + You must specify values that contain commas in a ``MongoCredential`` instance, as + demonstrated in the :guilabel:`MongoCredential` tab. + + .. literalinclude:: /includes/security/enterprise-auth.kt + :language: kotlin + :dedent: + :start-after: start-oidc-gcp-connect-str + :end-before: end-oidc-gcp-connect-str + + .. tab:: MongoCredential + :tabid: mongodb-gcp-mongo-credential + + Replace the ```` placeholder with the value of the + ``audience`` server parameter configured on your MongoDB deployment. + + .. literalinclude:: /includes/security/enterprise-auth.kt + :language: kotlin + :dedent: + :start-after: start-oidc-gcp-mongo-cred + :end-before: end-oidc-gcp-mongo-cred + .. _kotlin-sync-auth-kubernetes: Kubernetes 
@@ -425,56 +475,6 @@ Select from the :guilabel:`Connection String` or .credential(credential) .build()) -.. _kotlin-mongodb-oidc-gcp-imds: - -GCP IMDS -~~~~~~~~ - -If your application runs on a Google Compute Engine VM, or otherwise uses the -`GCP Instance Metadata Service `__, -you can authenticate to MongoDB by using the {+driver-short+}'s built-in GCP -support. - -You can specify GCP IMDS OIDC authentication either by -using a ``MongoCredential`` instance or by specifying your credentials -in the connection string. - -Select from the :guilabel:`Connection String` or :guilabel:`MongoCredential` tabs to -see the corresponding syntax. - -.. tabs:: - - .. tab:: Connection String - :tabid: mongodb-gcp-imds-connection-string - - Replace the ```` placeholder in the - following code with the percent-encoded value of the audience server - parameter configured on your MongoDB deployment. - - The comma (``,``) character and its encoding (``%2C``) are - reserved, and using these characters in a value causes the - driver to interpret commas as delimiters of key-value pairs. - You must specify values that contain commas in a ``MongoCredential`` instance, as - demonstrated in the :guilabel:`MongoCredential` tab. - - .. literalinclude:: /includes/security/enterprise-auth.kt - :language: kotlin - :dedent: - :start-after: start-oidc-gcp-connect-str - :end-before: end-oidc-gcp-connect-str - - .. tab:: MongoCredential - :tabid: mongodb-gcp-mongo-credential - - Replace the ```` placeholder with the value of the - ``audience`` server parameter configured on your MongoDB deployment. - - .. literalinclude:: /includes/security/enterprise-auth.kt - :language: kotlin - :dedent: - :start-after: start-oidc-gcp-mongo-cred - :end-before: end-oidc-gcp-mongo-cred - Custom Callback ~~~~~~~~~~~~~~~ From 286d77cd5b3ed95e98eabce262f245d4f36f1936 Mon Sep 17 00:00:00 2001 
From: rustagir Date: Mon, 17 Mar 2025 13:28:22 -0400 Subject: [PATCH 3/3] includes --- source/includes/security/enterprise-auth.kt | 22 +++++++++++++++ source/security/enterprise-auth.txt | 30 +++++++-------------- 2 files changed, 32 insertions(+), 20 deletions(-) diff --git a/source/includes/security/enterprise-auth.kt b/source/includes/security/enterprise-auth.kt index 698ce9ab..9e8ee11e 100644 --- a/source/includes/security/enterprise-auth.kt +++ b/source/includes/security/enterprise-auth.kt @@ -121,6 +121,28 @@ val mongoClient = MongoClient.create( .build()) // end-oidc-gcp-mongo-cred +// start-oidc-k8s-connect-str +val connectionString = ConnectionString( + "mongodb://@:/?" + + "authMechanism=MONGODB-OIDC" + + "&authMechanismProperties=ENVIRONMENT:k8s,TOKEN_RESOURCE:") +val mongoClient = MongoClient.create(connectionString) +// end-oidc-k8s-connect-str + +// start-oidc-k8s-mongo-cred +val credential = MongoCredential.createOidcCredential("") + .withMechanismProperty("ENVIRONMENT", "k8s") + .withMechanismProperty("TOKEN_RESOURCE", "") + +val mongoClient = MongoClient.create( + MongoClientSettings.builder() + .applyToClusterSettings { builder -> + builder.hosts(listOf(ServerAddress("", ))) + } + .credential(credential) + .build()) +// end-oidc-k8s-mongo-cred + // start-oidc-custom-callback val credential = MongoCredential.createOidcCredential(null) .withMechanismProperty("OIDC_CALLBACK") { context: Context -> diff --git a/source/security/enterprise-auth.txt b/source/security/enterprise-auth.txt index c51b7933..b47fb495 100644 --- a/source/security/enterprise-auth.txt +++ b/source/security/enterprise-auth.txt 
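Review bot: The connection-string snippet added between `start-oidc-k8s-connect-str` and `end-oidc-k8s-connect-str` places `TOKEN_RESOURCE:` inside `authMechanismProperties`, where a comma in the audience value is interpreted as a key-value delimiter; the GCP section of enterprise-auth.txt in this same series states that `,`/`%2C` is reserved and points readers to `MongoCredential`, but neither this snippet nor the Kubernetes tab that includes it carries that caveat. I would add one comment line above `val connectionString = ConnectionString(`: `// TOKEN_RESOURCE must be percent-encoded; an audience containing a comma cannot be passed in the URI — use the MongoCredential form below`. In this rendering the angle-bracket placeholders for host, port and audience appear to have been stripped (`mongodb://@:/?`, `ServerAddress("", )`, `createOidcCredential("")`), so it is worth confirming the committed file still contains them, since the prose in the tabs tells the reader to replace placeholders that would otherwise not be visible. The repeated top-level `val credential` and `val mongoClient` declarations follow the file's existing include-snippet pattern and are not a problem on their own.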
@@ -445,13 +445,11 @@ Select from the :guilabel:`Connection String` or following code with the percent-encoded value of the audience server parameter configured on your MongoDB deployment. - .. code-block:: kotlin - - val connectionString = ConnectionString( - "mongodb://@:/?" + - "authMechanism=MONGODB-OIDC" + - "&authMechanismProperties=ENVIRONMENT:k8s,TOKEN_RESOURCE:") - val mongoClient = MongoClient.create(connectionString) + .. literalinclude:: /includes/security/enterprise-auth.kt + :language: kotlin + :dedent: + :start-after: start-oidc-k8s-connect-str + :end-before: end-oidc-k8s-connect-str .. tab:: MongoCredential :tabid: mongodb-kubernetes-mongo-credential @@ -461,19 +459,11 @@ Select from the :guilabel:`Connection String` or ```` placeholder with the value of the ``audience`` server parameter configured on your MongoDB deployment. - .. code-block:: kotlin - - val credential = MongoCredential.createOidcCredential("") - .withMechanismProperty("ENVIRONMENT", "k8s") - .withMechanismProperty("TOKEN_RESOURCE", "") - - val mongoClient = MongoClient.create( - MongoClientSettings.builder() - .applyToClusterSettings { builder -> - builder.hosts(listOf(ServerAddress("", ))) - } - .credential(credential) - .build()) + .. literalinclude:: /includes/security/enterprise-auth.kt + :language: kotlin + :dedent: + :start-after: start-oidc-k8s-mongo-cred + :end-before: end-oidc-k8s-mongo-cred Custom Callback ~~~~~~~~~~~~~~~