From f877719c451acb5a863d8bd9d044cf0abaf04133 Mon Sep 17 00:00:00 2001
From: Michael Morisi
Date: Wed, 19 Feb 2025 16:14:00 -0500
Subject: [PATCH 1/3] DOCSP-42014: Add OIDC Kubernetes support

---
 .../kubernetes-connection-string.py | 8 ++++
 .../authentication/kubernetes-mongoclient.py | 10 +++++
 source/security/authentication/oidc.txt | 39 ++++++++++++++++++-
 3 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 source/includes/authentication/kubernetes-connection-string.py
 create mode 100644 source/includes/authentication/kubernetes-mongoclient.py

diff --git a/source/includes/authentication/kubernetes-connection-string.py b/source/includes/authentication/kubernetes-connection-string.py
new file mode 100644
index 00000000..14046f95
--- /dev/null
+++ b/source/includes/authentication/kubernetes-connection-string.py
@@ -0,0 +1,8 @@
+from pymongo import MongoClient
+
+# start-kubernetes-connection-string
+uri = ("mongodb[+srv]://:/?"
+ "authMechanism=MONGODB-OIDC"
+ "&authMechanismProperties=ENVIRONMENT:k8s")
+client = MongoClient(uri)
+# end-kubernetes-connection-string
\ No newline at end of file
diff --git a/source/includes/authentication/kubernetes-mongoclient.py b/source/includes/authentication/kubernetes-mongoclient.py
new file mode 100644
index 00000000..099d0aef
--- /dev/null
+++ b/source/includes/authentication/kubernetes-mongoclient.py
@@ -0,0 +1,10 @@
+from pymongo import MongoClient
+
+# start-kubernetes-mongoclient
+properties = {"ENVIRONMENT": "k8s"}
+client = MongoClient(
+ "mongodb[+srv]://:",
+ authMechanism="MONGODB-OIDC",
+ authMechanismProperties=properties
+)
+# end-kubernetes-mongoclient
\ No newline at end of file
diff --git a/source/security/authentication/oidc.txt b/source/security/authentication/oidc.txt
index 00a40cfc..7c53f914 100644
--- a/source/security/authentication/oidc.txt
+++ b/source/security/authentication/oidc.txt
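Review bot: Neither new example says that the connection has to be TLS-protected, and in kubernetes-connection-string.py the `mongodb[+srv]://` placeholder also covers the plain `mongodb://` scheme, where TLS stays off unless it is requested. MONGODB-OIDC presents the workload's access token to the server as a bearer credential, so a reader who copies the non-SRV form without TLS sends that token in cleartext. I would add a comment above `uri`, for example `# Use mongodb+srv:// or add tls=true so the OIDC token is never sent in cleartext`; the same comment fits above `client = MongoClient(` in kubernetes-mongoclient.py.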
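Review bot: The `properties = {"ENVIRONMENT": "k8s"}` line in kubernetes-mongoclient.py gives no hint of which credential the driver will present, and the connection-string example has the same gap. As far as I know, PyMongo's k8s environment reads a token file inside the pod, taking the path from `AZURE_FEDERATED_TOKEN_FILE` or `AWS_WEB_IDENTITY_TOKEN_FILE` when set and otherwise using the default service account token mount; this should be confirmed against the driver version the page targets. A one-line comment such as `# The driver reads the pod's service account token file; no secret is passed in code` would tell operators what has to be mounted and protected. The default mounted token is normally issued for the Kubernetes API server audience, so the comment could also remind readers to check that the token's audience matches the one configured for the MongoDB identity provider.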
@@ -293,4 +293,41 @@ constructor:
 .. literalinclude:: /includes/authentication/gcp-gke-mongoclient.py
 :language: python
 :copyable: true
- :emphasize-lines: 11-15
\ No newline at end of file
+ :emphasize-lines: 11-15
+
+.. _pymongo-mongodb-oidc-kubernetes:
+
+Kubernetes
+~~~~~~~~~~
+
+If your application runs on a Kubernetes cluster, you can authenticate to MongoDB by using
+{+driver-short+}'s built-in Kubernetes support.
+
+You can configure OIDC for Kubernetes in two ways: by passing arguments to the
+``MongoClient`` constructor or through parameters in your connection string.
+
+.. tabs::
+
+ .. tab:: MongoClient
+ :tabid: mongoclient
+
+ The following example shows how to configure your ``MongoClient`` to authenticate
+ to MongoDB by using Kubernetes:
+
+ .. literalinclude:: /includes/authentication/kubernetes-mongoclient.py
+ :language: python
+ :copyable: true
+ :start-after: start-kubernetes-mongoclient
+ :end-before: end-kubernetes-mongoclient
+
+ .. tab:: Connection String
+ :tabid: connectionstring
+
+ The following example shows how to configure your connection string to authenticate
+ to MongoDB by using Kubernetes:
+
+ .. literalinclude:: /includes/authentication/kubernetes-connection-string.py
+ :language: python
+ :copyable: true
+ :start-after: start-kubernetes-connection-string
+ :end-before: end-kubernetes-connection-string
From 6998c0e19568e993baf7b6b88ab9c3e8305ddec3 Mon Sep 17 00:00:00 2001
From: Michael Morisi
Date: Wed, 19 Feb 2025 16:19:35 -0500
Subject: [PATCH 2/3] Fix

---
 source/security/authentication/oidc.txt | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/source/security/authentication/oidc.txt b/source/security/authentication/oidc.txt
index 7c53f914..5cbeaaf0 100644
--- a/source/security/authentication/oidc.txt
+++ b/source/security/authentication/oidc.txt
@@ -304,16 +304,14 @@ If your application runs on a Kubernetes cluster, you can authenticate to MongoD
 {+driver-short+}'s built-in Kubernetes support.
 
 You can configure OIDC for Kubernetes in two ways: by passing arguments to the
-``MongoClient`` constructor or through parameters in your connection string.
+``MongoClient`` constructor or through parameters in your connection string. Select from
+the following tabs to see how to enable Kubernetes authentication for your application.
 
 .. tabs::
 
 .. tab:: MongoClient
 :tabid: mongoclient
 
- The following example shows how to configure your ``MongoClient`` to authenticate
- to MongoDB by using Kubernetes:
-
 .. literalinclude:: /includes/authentication/kubernetes-mongoclient.py
 :language: python
 :copyable: true
@@ -323,9 +321,6 @@ You can configure OIDC for Kubernetes in two ways: by passing arguments to the
 .. tab:: Connection String
 :tabid: connectionstring
 
- The following example shows how to configure your connection string to authenticate
- to MongoDB by using Kubernetes:
-
 .. literalinclude:: /includes/authentication/kubernetes-connection-string.py
 :language: python
 :copyable: true
From 134086ffac82d41aa6df3e78a8da3125a922937f Mon Sep 17 00:00:00 2001
From: Michael Morisi
Date: Thu, 20 Feb 2025 08:57:47 -0500
Subject: [PATCH 3/3] NR feedback

---
 source/security/authentication/oidc.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source/security/authentication/oidc.txt b/source/security/authentication/oidc.txt
index 5cbeaaf0..c68e4c2b 100644
--- a/source/security/authentication/oidc.txt
+++ b/source/security/authentication/oidc.txt
@@ -305,7 +305,7 @@ If your application runs on a Kubernetes cluster, you can authenticate to MongoD
 
 You can configure OIDC for Kubernetes in two ways: by passing arguments to the
 ``MongoClient`` constructor or through parameters in your connection string. Select from
-the following tabs to see how to enable Kubernetes authentication for your application.
+the following tabs to see how to enable Kubernetes authentication for your application:
 
 .. tabs::
 