feat(NODE-6069): OIDC k8s machine workflow (#4270)

Author: durran

.evergreen/config.in.yml

@@ -1265,6 +1265,60 @@ tasks:
           args:
             - src/.evergreen/run-azure-kms-tests.sh
 
+  - name: "oidc-auth-test-k8s-latest-eks"
+    commands:
+      - func: "install dependencies"
+      - command: subprocess.exec
+        type: test
+        params:
+          working_dir: src
+          binary: bash
+          env:
+            DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+            PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
+            ENVIRONMENT: k8s
+            K8S_VARIANT: eks
+            SCRIPT: run-oidc-prose-tests.sh
+          include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+          args:
+            - .evergreen/run-oidc-tests-k8s.sh
+
+  - name: "oidc-auth-test-k8s-latest-gke"
+    commands:
+      - func: "install dependencies"
+      - command: subprocess.exec
+        type: test
+        params:
+          working_dir: src
+          binary: bash
+          env:
+            DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+            PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
+            ENVIRONMENT: k8s
+            K8S_VARIANT: gke
+            SCRIPT: run-oidc-prose-tests.sh
+          include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+          args:
+            - .evergreen/run-oidc-tests-k8s.sh
+    
+  - name: "oidc-auth-test-k8s-latest-aks"
+    commands:
+      - func: "install dependencies"
+      - command: subprocess.exec
+        type: test
+        params:
+          working_dir: src
+          binary: bash
+          env:
+            DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+            PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
+            ENVIRONMENT: k8s
+            K8S_VARIANT: aks
+            SCRIPT: run-oidc-prose-tests.sh
+          include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+          args:
+            - .evergreen/run-oidc-tests-k8s.sh
+
   - name: "oidc-auth-test-azure-latest"
     commands:
       - func: "install dependencies"
@@ -1475,6 +1529,72 @@ task_groups:
     tasks:
       - test-azurekms-task
 
+  - name: testk8soidc_task_group_eks
+    setup_group:
+      - func: fetch source
+      - command: ec2.assume_role
+        params:
+          role_arn: ${OIDC_AWS_ROLE_ARN}
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/setup.sh
+    teardown_task:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-k8s-latest-eks
+
+  - name: testk8soidc_task_group_gke
+    setup_group:
+      - func: fetch source
+      - command: ec2.assume_role
+        params:
+          role_arn: ${OIDC_AWS_ROLE_ARN}
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/setup.sh
+    teardown_task:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-k8s-latest-gke
+
+  - name: testk8soidc_task_group_aks
+    setup_group:
+      - func: fetch source
+      - command: ec2.assume_role
+        params:
+          role_arn: ${OIDC_AWS_ROLE_ARN}
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/setup.sh
+    teardown_task:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-k8s-latest-aks
+
   - name: testtestoidc_task_group
     setup_group:
       - func: fetch source

.evergreen/config.yml

@@ -1217,6 +1217,66 @@ tasks:
             EXPECTED_AZUREKMS_OUTCOME: failure
           args:
             - src/.evergreen/run-azure-kms-tests.sh
+  - name: oidc-auth-test-k8s-latest-eks
+    commands:
+      - func: install dependencies
+      - command: subprocess.exec
+        type: test
+        params:
+          working_dir: src
+          binary: bash
+          env:
+            DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+            PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
+            ENVIRONMENT: k8s
+            K8S_VARIANT: eks
+            SCRIPT: run-oidc-prose-tests.sh
+          include_expansions_in_env:
+            - AWS_ACCESS_KEY_ID
+            - AWS_SECRET_ACCESS_KEY
+            - AWS_SESSION_TOKEN
+          args:
+            - .evergreen/run-oidc-tests-k8s.sh
+  - name: oidc-auth-test-k8s-latest-gke
+    commands:
+      - func: install dependencies
+      - command: subprocess.exec
+        type: test
+        params:
+          working_dir: src
+          binary: bash
+          env:
+            DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+            PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
+            ENVIRONMENT: k8s
+            K8S_VARIANT: gke
+            SCRIPT: run-oidc-prose-tests.sh
+          include_expansions_in_env:
+            - AWS_ACCESS_KEY_ID
+            - AWS_SECRET_ACCESS_KEY
+            - AWS_SESSION_TOKEN
+          args:
+            - .evergreen/run-oidc-tests-k8s.sh
+  - name: oidc-auth-test-k8s-latest-aks
+    commands:
+      - func: install dependencies
+      - command: subprocess.exec
+        type: test
+        params:
+          working_dir: src
+          binary: bash
+          env:
+            DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+            PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
+            ENVIRONMENT: k8s
+            K8S_VARIANT: aks
+            SCRIPT: run-oidc-prose-tests.sh
+          include_expansions_in_env:
+            - AWS_ACCESS_KEY_ID
+            - AWS_SECRET_ACCESS_KEY
+            - AWS_SESSION_TOKEN
+          args:
+            - .evergreen/run-oidc-tests-k8s.sh
   - name: oidc-auth-test-azure-latest
     commands:
       - func: install dependencies
@@ -4410,6 +4470,69 @@ task_groups:
             - ${DRIVERS_TOOLS}/.evergreen/csfle/azurekms/teardown.sh
     tasks:
       - test-azurekms-task
+  - name: testk8soidc_task_group_eks
+    setup_group:
+      - func: fetch source
+      - command: ec2.assume_role
+        params:
+          role_arn: ${OIDC_AWS_ROLE_ARN}
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/setup.sh
+    teardown_task:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-k8s-latest-eks
+  - name: testk8soidc_task_group_gke
+    setup_group:
+      - func: fetch source
+      - command: ec2.assume_role
+        params:
+          role_arn: ${OIDC_AWS_ROLE_ARN}
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/setup.sh
+    teardown_task:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-k8s-latest-gke
+  - name: testk8soidc_task_group_aks
+    setup_group:
+      - func: fetch source
+      - command: ec2.assume_role
+        params:
+          role_arn: ${OIDC_AWS_ROLE_ARN}
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/setup.sh
+    teardown_task:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/k8s/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-k8s-latest-aks
   - name: testtestoidc_task_group
     setup_group:
       - func: fetch source
@@ -5093,6 +5216,9 @@ buildvariants:
       - testtestoidc_task_group
       - testazureoidc_task_group
       - testgcpoidc_task_group
+      - testk8soidc_task_group_eks
+      - testk8soidc_task_group_gke
+      - testk8soidc_task_group_aks
   - name: rhel8-test-atlas
     display_name: Atlas Cluster Tests
     run_on: rhel80-large

.evergreen/generate_evergreen_tasks.js

@@ -721,7 +721,10 @@ BUILD_VARIANTS.push({
   tasks: [
     'testtestoidc_task_group',
     'testazureoidc_task_group',
-    'testgcpoidc_task_group'
+    'testgcpoidc_task_group',
+    'testk8soidc_task_group_eks',
+    'testk8soidc_task_group_gke',
+    'testk8soidc_task_group_aks'
   ]
 });
 

.evergreen/run-oidc-prose-tests.sh

@@ -19,10 +19,16 @@ if [ "$ENVIRONMENT" = "azure" ]; then
   npm run check:oidc-azure
 elif [ "$ENVIRONMENT" = "gcp" ]; then
   npm run check:oidc-gcp
-else
+elif [ "$ENVIRONMENT" = "test" ]; then
   if [ -z "${OIDC_TOKEN_FILE}" ]; then
     echo "Must specify OIDC_TOKEN_FILE"
     exit 1
   fi
   npm run check:oidc-test
+else
+  if [ -z "${K8S_VARIANT}" ]; then
+    echo "Must specify K8S_VARIANT"
+    exit 1
+  fi
+  npm run check:oidc-k8s
 fi

.evergreen/run-oidc-tests-k8s.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+set -o xtrace   # Write all commands first to stderr
+set -o errexit  # Exit the script with error if any of the commands fail
+
+export K8S_DRIVERS_TAR_FILE=/tmp/node-mongodb-native.tgz
+cd ..
+tar -czf $K8S_DRIVERS_TAR_FILE src drivers-tools
+cd -
+bash $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/setup-pod.sh
+bash $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/run-self-test.sh
+export K8S_TEST_CMD="cd src && DRIVERS_TOOLS=${DRIVERS_TOOLS} ENVIRONMENT=k8s ./.evergreen/${SCRIPT}"
+source $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/secrets-export.sh
+bash $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/run-driver-test.sh
+bash $DRIVERS_TOOLS/.evergreen/auth_oidc/k8s/teardown-pod.sh

package.json

@@ -151,6 +151,7 @@
     "check:oidc-test": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_oidc.prose.test.ts",
     "check:oidc-azure": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_oidc_azure.prose.05.test.ts",
     "check:oidc-gcp": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_oidc_gcp.prose.06.test.ts",
+    "check:oidc-k8s": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_oidc_k8s.prose.07.test.ts",
     "check:ocsp": "mocha --config test/manual/mocharc.json test/manual/ocsp_support.test.js",
     "check:kerberos": "nyc mocha --config test/manual/mocharc.json test/manual/kerberos.test.ts",
     "check:tls": "mocha --config test/manual/mocharc.json test/manual/tls_support.test.ts",

src/cmap/auth/mongo_credentials.ts

@@ -31,7 +31,8 @@ function getDefaultAuthMechanism(hello: Document | null): AuthMechanism {
 const ALLOWED_ENVIRONMENT_NAMES: AuthMechanismProperties['ENVIRONMENT'][] = [
   'test',
   'azure',
-  'gcp'
+  'gcp',
+  'k8s'
 ];
 const ALLOWED_HOSTS_ERROR = 'Auth mechanism property ALLOWED_HOSTS must be an array of strings.';
 
@@ -62,7 +63,7 @@ export interface AuthMechanismProperties extends Document {
   /** A user provided OIDC human interacted callback function. */
   OIDC_HUMAN_CALLBACK?: OIDCCallbackFunction;
   /** The OIDC environment. Note that 'test' is for internal use only. */
-  ENVIRONMENT?: 'test' | 'azure' | 'gcp';
+  ENVIRONMENT?: 'test' | 'azure' | 'gcp' | 'k8s';
   /** Allowed hosts that OIDC auth can connect to. */
   ALLOWED_HOSTS?: string[];
   /** The resource token for OIDC auth in Azure and GCP. */

src/cmap/auth/mongodb_oidc.ts

@@ -6,6 +6,7 @@ import { type AuthContext, AuthProvider } from './auth_provider';
 import type { MongoCredentials } from './mongo_credentials';
 import { AzureMachineWorkflow } from './mongodb_oidc/azure_machine_workflow';
 import { GCPMachineWorkflow } from './mongodb_oidc/gcp_machine_workflow';
+import { K8SMachineWorkflow } from './mongodb_oidc/k8s_machine_workflow';
 import { TokenCache } from './mongodb_oidc/token_cache';
 import { TokenMachineWorkflow } from './mongodb_oidc/token_machine_workflow';
 
@@ -88,7 +89,7 @@ export type OIDCCallbackFunction = (params: OIDCCallbackParams) => Promise<OIDCR
 /** The current version of OIDC implementation. */
 export const OIDC_VERSION = 1;
 
-type EnvironmentName = 'test' | 'azure' | 'gcp' | undefined;
+type EnvironmentName = 'test' | 'azure' | 'gcp' | 'k8s' | undefined;
 
 /** @internal */
 export interface Workflow {
@@ -118,6 +119,7 @@ export const OIDC_WORKFLOWS: Map<EnvironmentName, () => Workflow> = new Map();
 OIDC_WORKFLOWS.set('test', () => new TokenMachineWorkflow(new TokenCache()));
 OIDC_WORKFLOWS.set('azure', () => new AzureMachineWorkflow(new TokenCache()));
 OIDC_WORKFLOWS.set('gcp', () => new GCPMachineWorkflow(new TokenCache()));
+OIDC_WORKFLOWS.set('k8s', () => new K8SMachineWorkflow(new TokenCache()));
 
 /**
  * OIDC auth provider.