From 797432281ba6ac49b73bd4a7ae7a81aa5a17ffe9 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 30 Jul 2024 08:38:54 -0500 Subject: [PATCH 1/2] DRIVERS-2882 Add Kubernetes Support for OIDC --- .pre-commit-config.yaml | 2 +- source/auth/auth.md | 39 +++++++++++++++++-- .../auth/tests/legacy/connection-string.json | 20 ++++++++++ .../auth/tests/legacy/connection-string.yml | 15 +++++++ source/auth/tests/mongodb-oidc.md | 2 +- 5 files changed, 72 insertions(+), 6 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5355d35978..114a70edcf 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -72,7 +72,7 @@ repos: rev: "v2.3.0" hooks: - id: codespell - args: ["-L", "fle,re-use,merchantibility,synching,crate,nin,infinit,te,checkin"] + args: ["-L", "fle,re-use,merchantibility,synching,crate,nin,infinit,te,checkin,aks"] exclude: | (?x)^(.*\.rst )$ diff --git a/source/auth/auth.md b/source/auth/auth.md index b3150d1e15..1ae4062575 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md 
@@ -1217,15 +1217,15 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall - ENVIRONMENT\ Drivers MUST allow the user to specify the name of a built-in OIDC application environment integration - to use to obtain credentials. If provided, the value MUST be one of `["test", "azure", "gcp"]`. If both + to use to obtain credentials. If provided, the value MUST be one of `["test", "azure", "gcp", "k8s"]`. If both `ENVIRONMENT` and an [OIDC Callback](#oidc-callback) or [OIDC Human Callback](#oidc-human-callback) are provided for the same `MongoClient`, the driver MUST raise an error. - TOKEN_RESOURCE\ The URI of the target resource. If `TOKEN_RESOURCE` is provided and `ENVIRONMENT` is not one of - `["azure", "gcp"]` or `TOKEN_RESOURCE` is not provided and `ENVIRONMENT` is one of `["azure", "gcp"]`, the driver - MUST raise an error. Note: because the `TOKEN_RESOURCE` is often itself a URL, drivers MUST document that a - `TOKEN_RESOURCE` with a comma `,` must be given as a `MongoClient` configuration and not as part of the connection + `["azure", "gcp", "k8s"]` or `TOKEN_RESOURCE` is not provided and `ENVIRONMENT` is one of `["azure", "gcp", "k8s"]`, + the driver MUST raise an error. Note: because the `TOKEN_RESOURCE` is often itself a URL, drivers MUST document that + a `TOKEN_RESOURCE` with a comma `,` must be given as a `MongoClient` configuration and not as part of the connection string, and that the `TOKEN_RESOURCE` value can contain a colon `:` character. - OIDC_CALLBACK\ 
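Review bot: the TOKEN_RESOURCE rule in this hunk now makes the property mandatory for `ENVIRONMENT:k8s` (`TOKEN_RESOURCE` is not provided and `ENVIRONMENT` is one of `["azure", "gcp", "k8s"]` ... the driver MUST raise an error), but the Kubernetes integration added later in this patch never consumes it (the token is read from a file on disk rather than requested for an audience), and the new connection-string test `mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s` is marked `valid: true` with no `TOKEN_RESOURCE` at all, so the test and the normative text contradict each other. Either leave both TOKEN_RESOURCE lists at `["azure", "gcp"]`, so that supplying the property with `k8s` remains an error as it is for `test`, or document how the k8s integration uses the value and add it to the k8s test URIs.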
@@ -1375,6 +1375,35 @@ callback had been provided by the user. For details on test environment setup, see the README in [Drivers-Evergreen-Tools](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/gcp/README.md). +***Kubernetes*** + +The Kubernetes integration is enabled by setting auth mechanism property `ENVIRONMENT:k8s`. In this configuration, the +driver is expected to be running inside a Kubernetes environment with a configured +[ServiceAccount](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume). + +If enabled, drivers MUST read the contents of the token from the local file path found using the following algorithm: + +```python +if 'AZURE_FEDERATED_TOKEN_FILE' in os.environ: + fname = os.environ['AZURE_FEDERATED_TOKEN_FILE'] +elif 'AWS_WEB_IDENTITY_TOKEN_FILE' in os.environ: + fname = os.environ['AWS_WEB_IDENTITY_TOKEN_FILE'] +else: + fname = '/var/run/secrets/kubernetes.io/serviceaccount/token' +``` + +Where `AZURE_FEDERATED_TOKEN_FILE` contains the file path on Azure Kubernetes Service (AKS), +`AWS_WEB_IDENTITY_TOKEN_FILE` contains the file path on Elastic Kubernetes Service (EKS), and +`/var/run/secrets/kubernetes.io/serviceaccount/token` is the default path for a Kubernetes +[ServiceAccount token](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller), +which is used by Google Kubernetes Engine (GKE). + +The callback itself MUST not perform any caching, and the driver MUST cache its tokens in the same way as if a custom +callback had been provided by the user. + +For details on test environment setup, see the README in +[Drivers-Evergreen-Tools](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/k8s/README.md). + #### OIDC Callback Drivers MUST allow users to provide a callback that returns an OIDC access token. The purpose of the callback is to 
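Review bot: the token-file algorithm fixes the path but says nothing about what the driver does when the selected file is missing, unreadable, or empty; add a sentence that the built-in callback MUST raise an error in that case (and that a path named by `AZURE_FEDERATED_TOKEN_FILE` or `AWS_WEB_IDENTITY_TOKEN_FILE` is not silently replaced by the default path), otherwise drivers will diverge between failing the handshake and sending an empty access token. Two smaller points: "The callback itself MUST not perform any caching" should use the RFC 2119 form "MUST NOT", and the text should state whether surrounding whitespace (a trailing newline in the projected token file) is stripped before the contents are used as the token.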
@@ -2042,6 +2071,8 @@ to EC2 instance metadata in ECS, for security reasons, Amazon states it's best p ## Changelog +- 2024-07-29: Add Kubernetes built-in OIDC provider integration. + - 2024-05-29: Disallow comma character when `TOKEN_RESOURCE` is given in a connection string. - 2024-05-03: Clarify timeout behavior for OIDC machine callback. Add `serverless:forbid` to OIDC unified tests. Add an diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json index 67aafbff6e..9b0af7853b 100644 --- a/source/auth/tests/legacy/connection-string.json +++ b/source/auth/tests/legacy/connection-string.json @@ -626,6 +626,26 @@ "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:gcp", "valid": false, "credential": null + }, + { + "description": "should recognise the mechanism with k8s provider (MONGODB-OIDC)", + "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s", + "valid": true, + "credential": { + "username": null, + "password": null, + "source": "$external", + "mechanism": "MONGODB-OIDC", + "mechanism_properties": { + "ENVIRONMENT": "k8s" + } + } + }, + { + "description": "should throw an error for a username and password with k8s provider (MONGODB-OIDC)", + "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s", + "valid": false, + "credential": null } ] } diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml index ded258f29d..1f5d470041 100644 --- a/source/auth/tests/legacy/connection-string.yml +++ b/source/auth/tests/legacy/connection-string.yml 
@@ -454,3 +454,18 @@ tests: uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:gcp valid: false credential: null +- description: should recognise the mechanism with k8s provider (MONGODB-OIDC) + uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s + valid: true + credential: + username: null + password: null + source: $external + mechanism: MONGODB-OIDC + mechanism_properties: + ENVIRONMENT: k8s +- description: should throw an error for a username and password with k8s provider + (MONGODB-OIDC) + uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s + valid: false + credential: null diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md index d551ef8dda..e9dbd62d58 100644 --- a/source/auth/tests/mongodb-oidc.md +++ b/source/auth/tests/mongodb-oidc.md @@ -21,7 +21,7 @@ ______________________________________________________________________ Drivers MUST run the machine prose tests when `OIDC_TOKEN_DIR` is set. Drivers can either set the `ENVIRONMENT:test` auth mechanism property, or use a custom callback that also reads the file. -Drivers can also choose to run the machine prose tests on GCP or Azure VMs. +Drivers can also choose to run the machine prose tests on GCP or Azure VMs, or on the Kubernetes clusters. Drivers MUST implement all prose tests in this section. Unless otherwise noted, all `MongoClient` instances MUST be configured with `retryReads=false`. From 9a1434f42cfe826c9d3ab8b866e129ba67246f8b Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 2 Oct 2024 07:06:40 -0500 Subject: [PATCH 2/2] lint --- .../auth/tests/legacy/connection-string.json | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json index 9b0af7853b..3a099c8137 100644 
--- a/source/auth/tests/legacy/connection-string.json +++ b/source/auth/tests/legacy/connection-string.json @@ -628,24 +628,24 @@ "credential": null }, { - "description": "should recognise the mechanism with k8s provider (MONGODB-OIDC)", - "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s", - "valid": true, - "credential": { - "username": null, - "password": null, - "source": "$external", - "mechanism": "MONGODB-OIDC", - "mechanism_properties": { - "ENVIRONMENT": "k8s" - } + "description": "should recognise the mechanism with k8s provider (MONGODB-OIDC)", + "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s", + "valid": true, + "credential": { + "username": null, + "password": null, + "source": "$external", + "mechanism": "MONGODB-OIDC", + "mechanism_properties": { + "ENVIRONMENT": "k8s" } + } }, { - "description": "should throw an error for a username and password with k8s provider (MONGODB-OIDC)", - "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s", - "valid": false, - "credential": null + "description": "should throw an error for a username and password with k8s provider (MONGODB-OIDC)", + "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s", + "valid": false, + "credential": null } ] }
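Review bot: in the `source/auth/tests/mongodb-oidc.md` hunk of the first patch, "or on the Kubernetes clusters" should read "or on Kubernetes clusters" (no article), and it would help to say, as the sentence above it does for `ENVIRONMENT:test`, whether drivers running the prose tests on Kubernetes are expected to set `ENVIRONMENT:k8s` or may use a custom callback that reads the same token file. On the second patch: it only re-indents the two entries added by the first, so consider squashing it into the first commit rather than leaving a whitespace-only commit in the history.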