Support for authentication via kubernetes bound service account tokens

[raffaelespazzoli]

Support for authentication via kubernetes bound service account tokens, docs.
A workload running on kubernetes would be able to authenticated using an Oauth token provisioned by kubernetes and trusted by cockroachDB.
This feature depends on #65607

Describe the solution you'd like
There is some provisions in cockroach db to establish trust with an OIDC provider and accept authentication with an OAuth token.
There is a mutating web hook that simplifies setting up the pod configuration to use the bound service account token to be used to authenticate. This is a good example of how such mutating wbe hook could work:
https://github.com/aws/amazon-eks-pod-identity-webhook

Describe alternatives you've considered
For limited duration credentials representing a workload and not a person, alternative can be TLS certificates or Vault support for rotating credentials.

Jira issue: CRDB-7815

[blathers-crl]

Hello, I am Blathers. I am here to help you get the issue triaged.

It looks like you have not filled out the issue in the format of any of our templates. To best assist you, we advise you to use one of these templates.

I have CC'd a few people who may be able to assist you:

• @joshimhoff (found keywords: kubernetes)
• @knz (author of server: enable SQL clients to log in with a token #65607)
• @jordanlewis (commented on server: enable SQL clients to log in with a token #65607)

If we have not gotten back to your issue within a few business days, you can try the following:

• Join our community slack channel and ask on #cockroachdb.
• Try find someone from here if you know they worked closely on the area and CC them.

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan.}

[knz]

@raffaelespazzoli are you aware that you can delegate authentication to a process outside of cockroachdb? You can use something like pgbouncer or some other postgres-compatible program to do authentication, then have that program connect to crdb without authentication (using the trust HBA method)

Would this help?

[raffaelespazzoli]

I was not aware of that approach, if these external authentication processes support oauth, then yes it would help.

[github-actions]

We have marked this issue as stale because it has been inactive for
18 months. If this issue is still relevant, removing the stale label
or adding a comment will keep it active. Otherwise, we'll close it in
10 days to keep the issue queue tidy. Thank you for your contribution
to CockroachDB!