CLOUDP-373260 Atlas Service Accounts support - phase 1

Author: MaciejKaras

docs/dev/td-service-accounts-phase1.md

@@ -26,6 +26,7 @@ import (
 	"github.com/mongodb-forks/digest"
 	v20250312 "go.mongodb.org/atlas-sdk/v20250312018/admin"
 	"go.uber.org/zap"
+	"golang.org/x/oauth2"
 
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api"
 	akov2 "github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1"
@@ -62,10 +63,11 @@ type ConnectionConfig struct {
 }
 
 // Credentials is the type that holds credentials to authenticate against the Atlas API.
-// Currently, only API keys are support but more credential types could be added,
-// see https://www.mongodb.com/docs/atlas/configure-api-access/.
+// Either APIKeys or ServiceAccount must be set, but not both.
+// See https://www.mongodb.com/docs/atlas/configure-api-access/.
 type Credentials struct {
-	APIKeys *APIKeys
+	APIKeys        *APIKeys
+	ServiceAccount *ServiceAccountToken
 }
 
 // APIKeys is the type that holds Public/Private API keys to authenticate against the Atlas API.
@@ -74,6 +76,12 @@ type APIKeys struct {
 	PrivateKey string
 }
 
+// ServiceAccountToken holds a pre-fetched OAuth2 bearer token obtained
+// by the service-account controller via the client credentials flow.
+type ServiceAccountToken struct {
+	BearerToken string
+}
+
 func NewProductionProvider(atlasDomain string, dryRun, isLogInDebug bool) *ProductionProvider {
 	return &ProductionProvider{
 		domain:       atlasDomain,
@@ -123,8 +131,21 @@ func (p *ProductionProvider) IsResourceSupported(resource api.AtlasCustomResourc
 }
 
 func (p *ProductionProvider) SdkClientSet(ctx context.Context, creds *Credentials, log *zap.SugaredLogger) (*ClientSet, error) {
-	var transport http.RoundTripper = digest.NewTransport(creds.APIKeys.PublicKey, creds.APIKeys.PrivateKey)
-	transport = p.newTransport(transport, log)
+	var baseTransport http.RoundTripper
+	switch {
+	case creds.ServiceAccount != nil:
+		baseTransport = &oauth2.Transport{
+			Source: oauth2.StaticTokenSource(&oauth2.Token{
+				AccessToken: creds.ServiceAccount.BearerToken,
+			}),
+		}
+	case creds.APIKeys != nil:
+		baseTransport = digest.NewTransport(creds.APIKeys.PublicKey, creds.APIKeys.PrivateKey)
+	default:
+		return nil, fmt.Errorf("no credentials provided")
+	}
+
+	transport := p.newTransport(baseTransport, log)
 	transport = httputil.NewLoggingTransport(log, false, transport)
 	if p.isLogInDebug {
 		log.Debug("JSON payload diff is enabled for Atlas API requests (PATCH & PUT)")
@@ -133,7 +154,7 @@ func (p *ProductionProvider) SdkClientSet(ctx context.Context, creds *Credential
 
 	httpClient := &http.Client{Transport: transport}
 
-	return NewSDKClientSet(p.domain, creds.APIKeys.PublicKey, creds.APIKeys.PrivateKey, httpClient)
+	return NewSDKClientSet(p.domain, httpClient)
 }
 
 func (p *ProductionProvider) newTransport(delegate http.RoundTripper, log *zap.SugaredLogger) http.RoundTripper {
@@ -152,7 +173,7 @@ func operatorUserAgent() string {
 	return fmt.Sprintf("%s/%s (%s;%s)", "MongoDBAtlasKubernetesOperator", version.Version, runtime.GOOS, runtime.GOARCH)
 }
 
-func NewSDKClientSet(domain, publicKey, privateKey string, httpClient *http.Client) (*ClientSet, error) {
+func NewSDKClientSet(domain string, httpClient *http.Client) (*ClientSet, error) {
 	clientv20250312, err := v20250312.NewClient(
 		v20250312.UseBaseURL(domain),
 		v20250312.UseHTTPClient(httpClient),

internal/controller/atlas/provider.go

@@ -15,10 +15,15 @@
 package atlas
 
 import (
+	"context"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
+	"golang.org/x/oauth2"
 
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/api"
 	akov2 "github.com/mongodb/mongodb-atlas-kubernetes/v2/api/v1"
@@ -143,6 +148,51 @@ func TestProvider_IsResourceSupported(t *testing.T) {
 	}
 }
 
+func TestProvider_SdkClientSet_NilCredentials(t *testing.T) {
+	p := NewProductionProvider("https://cloud.mongodb.com", false, false)
+	_, err := p.SdkClientSet(context.Background(), &Credentials{}, nil)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "no credentials provided")
+}
+
+func TestProvider_SdkClientSet_APIKeys(t *testing.T) {
+	p := NewProductionProvider("https://cloud.mongodb.com", false, false)
+	creds := &Credentials{APIKeys: &APIKeys{PublicKey: "pub", PrivateKey: "priv"}}
+	cs, err := p.SdkClientSet(context.Background(), creds, zap.NewNop().Sugar())
+	require.NoError(t, err)
+	assert.NotNil(t, cs)
+	assert.NotNil(t, cs.SdkClient20250312)
+}
+
+func TestProvider_SdkClientSet_ServiceAccount(t *testing.T) {
+	p := NewProductionProvider("https://cloud.mongodb.com", false, false)
+	creds := &Credentials{ServiceAccount: &ServiceAccountToken{BearerToken: "test-token"}}
+	cs, err := p.SdkClientSet(context.Background(), creds, zap.NewNop().Sugar())
+	require.NoError(t, err)
+	assert.NotNil(t, cs)
+	assert.NotNil(t, cs.SdkClient20250312)
+}
+
+func TestBearerTokenTransport(t *testing.T) {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, "Bearer my-token", r.Header.Get("Authorization"))
+		w.WriteHeader(http.StatusOK)
+	})
+	server := httptest.NewServer(handler)
+	defer server.Close()
+
+	transport := &oauth2.Transport{
+		Source: oauth2.StaticTokenSource(&oauth2.Token{AccessToken: "my-token"}),
+	}
+	httpClient := &http.Client{Transport: transport}
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, server.URL, nil)
+	require.NoError(t, err)
+	resp, err := httpClient.Do(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+}
+
 func TestOperatorUserAgent(t *testing.T) {
 	userAgent := operatorUserAgent()
 

internal/controller/atlas/provider_test.go

@@ -16,9 +16,13 @@ package reconciler
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"hash/fnv"
 
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/util/rand"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/controller/atlas"
@@ -29,8 +33,29 @@ const (
 	orgIDKey      = "orgId"
 	publicAPIKey  = "publicApiKey"
 	privateAPIKey = "privateApiKey"
+
+	clientIDKey     = "clientId"
+	clientSecretKey = "clientSecret"
+
+	accessTokenKey          = "accessToken"
+	credentialsHashKey      = "credentialsHash"
+	accessTokenSecretPrefix = "atlas-access-token-"
 )
 
+// CredentialsHash returns a deterministic, non-cryptographic fingerprint of
+// the (clientID, clientSecret) pair. The service-account-token controller
+// stores this fingerprint on the Access Token Secret under credentialsHashKey
+// so any component reading the Secret can detect that the source credentials
+// have been rotated since the cached bearer token was issued. The nul
+// separator disambiguates ("ab","c") from ("a","bc").
+func CredentialsHash(clientID, clientSecret string) (string, error) {
+	h := fnv.New64a()
+	if _, err := h.Write([]byte(clientID + "\x00" + clientSecret)); err != nil {
+		return "", fmt.Errorf("failed to compute credentials hash: %w", err)
+	}
+	return fmt.Sprint(h.Sum64()), nil
+}
+
 func (r *AtlasReconciler) ResolveConnectionConfig(ctx context.Context, referrer project.ProjectReferrerObject) (*atlas.ConnectionConfig, error) {
 	connectionSecret := r.connectionSecretRef(referrer)
 	if connectionSecret != nil && connectionSecret.Name != "" {
@@ -78,49 +103,136 @@ func GetConnectionConfig(ctx context.Context, k8sClient client.Client, secretRef
 		return nil, fmt.Errorf("failed to read Atlas API credentials from the secret %s: %w", secretRef.String(), err)
 	}
 
-	cfg := &atlas.ConnectionConfig{
+	if err := validateConnectionSecret(secret); err != nil {
+		return nil, fmt.Errorf("invalid connection secret %s: %w", secretRef, err)
+	}
+
+	if isServiceAccountCredentials(secret) {
+		bearerToken, err := getServiceAccountAccessToken(ctx, k8sClient, secret)
+		if err != nil {
+			return nil, err
+		}
+
+		return &atlas.ConnectionConfig{
+			OrgID: string(secret.Data[orgIDKey]),
+			Credentials: &atlas.Credentials{
+				ServiceAccount: &atlas.ServiceAccountToken{
+					BearerToken: bearerToken,
+				},
+			},
+		}, nil
+	}
+
+	return &atlas.ConnectionConfig{
 		OrgID: string(secret.Data[orgIDKey]),
 		Credentials: &atlas.Credentials{
 			APIKeys: &atlas.APIKeys{
 				PublicKey:  string(secret.Data[publicAPIKey]),
 				PrivateKey: string(secret.Data[privateAPIKey]),
 			},
 		},
+	}, nil
+}
+
+// DeriveAccessTokenSecretName returns the deterministic name of the Access Token Secret for a given Connection Secret.
+// The Connection Secret name is included literally for operator debuggability; it is truncated when the total
+// exceeds the Kubernetes 253-character DNS-subdomain limit.
+func DeriveAccessTokenSecretName(namespace, connectionSecretName string) (string, error) {
+	hasher := fnv.New64a()
+	_, err := hasher.Write([]byte(namespace + "/" + connectionSecretName))
+	if err != nil {
+		return "", fmt.Errorf("failed to compute hash for access token secret name: %w", err)
 	}
+	hash := rand.SafeEncodeString(fmt.Sprint(hasher.Sum64()))
 
-	if missingFields, valid := validate(cfg); !valid {
-		return nil, fmt.Errorf("the following fields are missing in the secret %v: %v", secretRef, missingFields)
+	const k8sNameLimit = 253
+	maxNameLen := k8sNameLimit - len(accessTokenSecretPrefix) - 1 - len(hash)
+	name := connectionSecretName
+	if len(name) > maxNameLen {
+		name = name[:maxNameLen]
 	}
 
-	return cfg, nil
+	return accessTokenSecretPrefix + name + "-" + hash, nil
 }
 
-func validate(cfg *atlas.ConnectionConfig) ([]string, bool) {
-	missingFields := make([]string, 0, 3)
+func getServiceAccountAccessToken(ctx context.Context, k8sClient client.Client, secret *corev1.Secret) (string, error) {
+	tokenSecretName, err := DeriveAccessTokenSecretName(secret.Namespace, secret.Name)
+	if err != nil {
+		return "", err
+	}
+	tokenRef := client.ObjectKey{Namespace: secret.Namespace, Name: tokenSecretName}
 
-	if cfg == nil {
-		return []string{orgIDKey, publicAPIKey, privateAPIKey}, false
+	tokenSecret := &corev1.Secret{}
+	if err := k8sClient.Get(ctx, tokenRef, tokenSecret); err != nil {
+		if apierrors.IsNotFound(err) {
+			return "", fmt.Errorf("access token secret %s does not exist yet", tokenRef.String())
+		}
+		return "", fmt.Errorf("failed to read access token secret %s: %w", tokenRef.String(), err)
 	}
 
-	if cfg.OrgID == "" {
-		missingFields = append(missingFields, orgIDKey)
+	// Guard against a stale cached token — if the credential Secret was
+	// rotated since the token was issued, the service-account-token controller
+	// may not have caught up yet. Returning an error prompts the downstream
+	// reconciler to retry rather than hitting Atlas with revoked credentials.
+	currentHash, err := CredentialsHash(string(secret.Data[clientIDKey]), string(secret.Data[clientSecretKey]))
+	if err != nil {
+		return "", err
 	}
+	if string(tokenSecret.Data[credentialsHashKey]) != currentHash {
+		return "", fmt.Errorf("access token secret %s is stale (credentials rotated); waiting for the service-account-token controller to refresh", tokenRef.String())
+	}
+
+	bearerToken := string(tokenSecret.Data[accessTokenKey])
+	if bearerToken == "" {
+		return "", fmt.Errorf("access token secret %s has an empty accessToken field", tokenRef.String())
+	}
+
+	return bearerToken, nil
+}
+
+func isServiceAccountCredentials(credentials *corev1.Secret) bool {
+	clientID := credentials.Data[clientIDKey]
+	clientSecret := credentials.Data[clientSecretKey]
 
-	if cfg.Credentials == nil || cfg.Credentials.APIKeys == nil {
-		return append(missingFields, []string{publicAPIKey, privateAPIKey}...), false
+	return len(clientID) > 0 && len(clientSecret) > 0
+}
+
+func validateConnectionSecret(secret *corev1.Secret) error {
+	hasAnyAPIKey := len(secret.Data[publicAPIKey]) > 0 || len(secret.Data[privateAPIKey]) > 0
+	hasAnySA := len(secret.Data[clientIDKey]) > 0 || len(secret.Data[clientSecretKey]) > 0
+
+	if hasAnyAPIKey && hasAnySA {
+		return errors.New("secret contains both API key and service account credentials; only one type is allowed")
 	}
 
-	if cfg.Credentials.APIKeys.PublicKey == "" {
-		missingFields = append(missingFields, publicAPIKey)
+	var missingFields []string
+
+	if len(secret.Data[orgIDKey]) == 0 {
+		missingFields = append(missingFields, orgIDKey)
 	}
 
-	if cfg.Credentials.APIKeys.PrivateKey == "" {
-		missingFields = append(missingFields, privateAPIKey)
+	if hasAnyAPIKey {
+		if len(secret.Data[publicAPIKey]) == 0 {
+			missingFields = append(missingFields, publicAPIKey)
+		}
+		if len(secret.Data[privateAPIKey]) == 0 {
+			missingFields = append(missingFields, privateAPIKey)
+		}
+	} else if hasAnySA {
+		if len(secret.Data[clientIDKey]) == 0 {
+			missingFields = append(missingFields, clientIDKey)
+		}
+		if len(secret.Data[clientSecretKey]) == 0 {
+			missingFields = append(missingFields, clientSecretKey)
+		}
+	} else {
+		//By default, we are expecting API keys
+		missingFields = append(missingFields, publicAPIKey, privateAPIKey)
 	}
 
 	if len(missingFields) > 0 {
-		return missingFields, false
+		return fmt.Errorf("missing required fields: %v", missingFields)
 	}
 
-	return nil, true
+	return nil
 }