(DOCSP-11271): Add LDAP authentication (#325)

* (DOCSP-11271): Add LDAP authentication

* Copy review

Author: melissamahoney-mongodb

source/includes/options-k8s-replica-set.yaml

@@ -366,6 +366,69 @@ inherit:
   file: options-k8s-shared.yaml
 ---
 program: k8sRsConf
+name: spec.security.authentication.ldap
+inherit:
+  name: spec.security.authentication.ldap
+  program: _shared
+  file: options-k8s-shared.yaml
+---
+program: k8sRsConf
+name: spec.security.authentication.ldap.servers
+inherit:
+  name: spec.security.authentication.ldap.servers
+  program: _shared
+  file: options-k8s-shared.yaml
+---
+program: k8sRsConf
+name: spec.security.authentication.ldap.transportSecurity
+inherit:
+  name: spec.security.authentication.ldap.transportSecurity
+  program: _shared
+  file: options-k8s-shared.yaml
+---
+program: k8sRsConf
+name: spec.security.authentication.ldap.caConfigMapRef
+inherit:
+  name: spec.security.authentication.ldap.caConfigMapRef
+  program: _shared
+  file: options-k8s-shared.yaml
+---
+program: k8sRsConf
+name: spec.security.authentication.ldap.caConfigMapRef.name
+inherit:
+  name: spec.security.authentication.ldap.caConfigMapRef.name
+  program: _shared
+  file: options-k8s-shared.yaml
+---
+program: k8sRsConf
+name: spec.security.authentication.ldap.caConfigMapRef.key
+inherit:
+  name: spec.security.authentication.ldap.caConfigMapRef.key
+  program: _shared
+  file: options-k8s-shared.yaml
+---
+program: k8sRsConf
+name: spec.security.authentication.ldap.bindQueryUser
+inherit:
+  name: spec.security.authentication.ldap.bindQueryUser
+  program: _shared
+  file: options-k8s-shared.yaml
+---
+program: k8sRsConf
+name: spec.security.authentication.ldap.bindQueryPasswordSecretRef
+inherit:
+  name: spec.security.authentication.ldap.bindQueryPasswordSecretRef
+  program: _shared
+  file: options-k8s-shared.yaml
+---
+program: k8sRsConf
+name: spec.security.authentication.ldap.bindQueryPasswordSecretRef.name
+inherit:
+  name: spec.security.authentication.ldap.bindQueryPasswordSecretRef.name
+  program: _shared
+  file: options-k8s-shared.yaml
+---
+program: k8sRsConf
 name: spec.additionalMongodConfig.net.ssl.mode
 inherit:
   name: spec.additionalMongodConfig.net.ssl.mode

source/includes/options-k8s-shared.yaml

@@ -538,14 +538,17 @@ directive: setting
 optional: true
 description: |
   Specifies the authentication mechanism that your MongoDB deployment 
-  uses. Valid values are ``SCRAM`` and ``X509``.
+  uses. Valid values are ``SCRAM``, ``X509``, and ``LDAP``.
 
-  To enable :ref:`X.509 internal cluster authentication
-  <x509-internal-authentication>` for the |com| project, set this value
-  to ``["X509"]`` and specify the following settings:
+  .. admonition:: X.509 Internal Cluster Authentication
+     :class: note
 
-  - :setting:`spec.security.authentication.internalCluster` ``: "X509"``
-  - :setting:`spec.security.tls.enabled` ``: true``
+     To enable :ref:`X.509 internal cluster authentication
+     <x509-internal-authentication>` for the |com| project, set this
+     value to ``["X509"]`` and specify the following settings:
+
+     - :setting:`spec.security.authentication.internalCluster` ``: "X509"``
+     - :setting:`spec.security.tls.enabled` ``: true``
 
 ---
 program: _shared
@@ -574,6 +577,107 @@ description: |
   To manage database users directly through the |mongod| or |mongos|, set to ``true``.
 ---
 program: _shared
+name: spec.security.authentication.ldap
+type: collection
+directive: setting
+optional: true
+description: |
+  *Required for LDAP authentication.* 
+
+  Configures |ldap| authentication for the |com| project. To enable
+  |ldap| authentication, set
+  :setting:`spec.security.authentication.modes` to ``["LDAP"]``.
+---
+program: _shared
+name: spec.security.authentication.ldap.servers
+type: string
+directive: setting
+description: |
+  *Required for LDAP authentication.* 
+  
+  Hostname and port of an |ldap| server in the format
+  ``<hostname>:<port>``.
+  
+  To specify multiple |ldap| servers, use a
+  comma-separated list. For example, specify
+  ``"<hostname1>:<port1>,<hostname2>:<port2>"``.
+---
+program: _shared
+name: spec.security.authentication.ldap.transportSecurity
+type: string
+directive: setting
+description: |
+  *Required for LDAP authentication.* 
+  
+  Specifies whether the |ldap| server accepts |tls|.
+  
+  If the |ldap| server accepts |tls|, set to ``tls``. If the |ldap|
+  server doesn't accept |tls|, leave this value blank.
+---
+program: _shared
+name: spec.security.authentication.ldap.caConfigMapRef
+type: collection
+directive: setting
+description: |
+  *Required for LDAP authentication with TLS.* 
+  
+  |k8s-configmap| that contains a |certauth| which validates the |ldap| 
+  server's |tls| certificate.
+---
+program: _shared
+name: spec.security.authentication.ldap.caConfigMapRef.name
+type: string
+directive: setting
+description: |
+  *Required for LDAP authentication with TLS.* 
+  
+  Name of the |k8s-configmap| that contains a |certauth| which validates
+  the |ldap| server's |tls| certificate.
+---
+program: _shared
+name: spec.security.authentication.ldap.caConfigMapRef.key
+type: string
+directive: setting
+description: |
+  *Required for LDAP authentication with TLS.* 
+  
+  Field name that stores the |certauth| which validates the |ldap|
+  server's |tls| certificate.
+---
+program: _shared
+name: spec.security.authentication.ldap.bindQueryUser
+type: string
+directive: setting
+description: |
+  *Required for LDAP authentication.* 
+  
+  |ldap| Distinguished Name to which MongoDB binds when connecting to
+  the |ldap| server.
+---
+program: _shared
+name: spec.security.authentication.ldap.bindQueryPasswordSecretRef
+type: collection
+directive: setting
+description: |
+  *Required for LDAP authentication.* 
+  
+  Specifies the |k8s-secret| that contains the password with which
+  MongoDB binds when connecting to the |ldap| server.
+---
+program: _shared
+name: spec.security.authentication.ldap.bindQueryPasswordSecretRef.name
+type: string
+directive: setting
+description: |
+  *Required for LDAP authentication.* 
+  
+  Name of the |k8s-secret| that contains the password with which MongoDB
+  binds when connecting to the |ldap| server.
+  
+  The |k8s-secret| must contain only one ``password`` field which stores
+  the password.
+---
+program: _shared
 name: spec.additionalMongodConfig.net.ssl.mode
 type: string
 directive: setting

source/reference/k8s-operator-specification.txt

@@ -196,17 +196,26 @@ The following settings only apply to sharded cluster resource types:
 Security Settings
 -----------------
 
-The following |tls| settings only apply to replica set and sharded
+The following security settings only apply to replica set and sharded
 cluster resource types:
 
 .. include:: /includes/option/setting-k8sRsConf-spec.security.tls.enabled.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.tls.ca.rst
+.. include:: /includes/option/setting-k8sRsConf-spec.security.tls.additionalCertificateDomains.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.additionalMongodConfig.net.ssl.mode.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.enabled.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.modes.rst
 .. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.internalCluster.rst
-.. include:: /includes/option/setting-k8sRsConf-spec.security.tls.additionalCertificateDomains.rst
+.. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.ldap.rst
+.. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.ldap.servers.rst
+.. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.ldap.transportSecurity.rst
+.. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.ldap.caConfigMapRef.rst
+.. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.ldap.caConfigMapRef.name.rst
+.. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.ldap.caConfigMapRef.key.rst
+.. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.ldap.bindQueryUser.rst
+.. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.ldap.bindQueryPasswordSecretRef.rst
+.. include:: /includes/option/setting-k8sRsConf-spec.security.authentication.ldap.bindQueryPasswordSecretRef.name.rst
 
 Examples
 --------