
[mongo] No support for AKS or GKE workload identity OIDC providers #21187

@chris-pinola-rf

Description


The pymongo library has built-in support for Azure and GCP's older IMDS authentication mechanism. This is sufficient for VM-based workloads, but not containerized workloads on Kubernetes.

Both Azure's Kubernetes Service (AKS) and Google's Kubernetes Engine (GKE) offer their own workload identity features which enable pods to authenticate as service accounts in a credential-less fashion. Rather than add vendor-specific support for either of these authentication mechanisms, pymongo implemented an alternative approach to supporting them via its OIDCCallback base class.

Today, the Mongo Datadog check accepts an options map that enables users to pass string values for pymongo's authMechanismProperties. However, to use the newer OIDCCallback authentication, pymongo expects a callable to be passed for authMechanismProperties, e.g.

from pymongo import MongoClient
from pymongo.auth_oidc import OIDCCallback, OIDCCallbackContext, OIDCCallbackResult

class MyCallback(OIDCCallback):
    def fetch(self, context: OIDCCallbackContext) -> OIDCCallbackResult:
        return OIDCCallbackResult(access_token=token)  # token obtained from the workload identity

properties = {"OIDC_CALLBACK": MyCallback()}
client = MongoClient(
  "mongodb[+srv]://<hostname>:<port>",
  authMechanism="MONGODB-OIDC",
  authMechanismProperties=properties
)

Ideally, users of the Datadog Mongo check could configure a check instance to use AKS or GKE workload identity OIDC authentication and the module would pass an appropriate implementation of OIDCCallback to pymongo.
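The following is an added example of what such an OIDCCallback could look like; it is not code from pymongo, from the Datadog check, or from the issue author. It assumes the pod carries a Kubernetes projected service-account token (AKS workload identity injects its path in the AZURE_FEDERATED_TOKEN_FILE environment variable; otherwise the default projected token path is used) and that the MongoDB deployment is configured to trust that token's issuer and audience directly. The step in which AKS exchanges the projected token for an Entra ID token is not shown. The class name ProjectedTokenCallback, the helper functions, the audience value and the token contents are all constructed for the example. Before handing the token to the driver, the callback re-reads the file on every fetch (so kubelet rotation is picked up), refuses tokens that are expired or carry the wrong audience, and reports a lifetime with a skew margin so pymongo re-fetches before expiry; the signature is deliberately not verified here because the MongoDB server, not the client, is the relying party.

```python
from __future__ import annotations

import base64
import json
import os
import tempfile
import time
from typing import Optional

try:
    from pymongo.auth_oidc import OIDCCallback, OIDCCallbackContext, OIDCCallbackResult
except ImportError:  # pymongo >= 4.7 provides these; stand-ins let the token checks run without it
    class OIDCCallback:  # type: ignore[no-redef]
        pass

    class OIDCCallbackContext:  # type: ignore[no-redef]
        pass

    class OIDCCallbackResult:  # type: ignore[no-redef]
        def __init__(self, access_token, expires_in_seconds=None, refresh_token=None):
            self.access_token = access_token
            self.expires_in_seconds = expires_in_seconds
            self.refresh_token = refresh_token

# AZURE_FEDERATED_TOKEN_FILE is injected by AKS workload identity; the second path is the
# default location of a Kubernetes projected service-account token.
TOKEN_PATH_ENV = "AZURE_FEDERATED_TOKEN_FILE"
DEFAULT_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
SKEW_SECONDS = 60  # ask the driver to re-fetch this long before the token actually expires


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWT (expected 3 segments)")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        raise ValueError("token payload is not valid base64url JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("token payload is not a JSON object")
    return claims


def check_token(token: str, expected_audience: Optional[str], now: float) -> int:
    """Validate exp (and aud when configured); return the seconds until expiry."""
    claims = decode_jwt_claims(token)
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("token has no numeric exp claim")
    remaining = int(exp - now)
    if remaining <= 0:
        raise ValueError("token is already expired")
    if expected_audience is not None:
        aud = claims.get("aud")
        if expected_audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("token audience does not match the configured audience")
    return remaining


def load_workload_token(path: str, expected_audience: Optional[str] = None, now: Optional[float] = None):
    """Read a projected token file; return (token, expires_in_seconds) with the skew margin applied."""
    with open(path, "r", encoding="utf-8") as fh:
        token = fh.read().strip()
    remaining = check_token(token, expected_audience, time.time() if now is None else now)
    return token, max(remaining - SKEW_SECONDS, 0)


class ProjectedTokenCallback(OIDCCallback):
    """Hypothetical pymongo OIDC callback that reads the projected token on every fetch."""

    def __init__(self, token_path: Optional[str] = None, audience: Optional[str] = None):
        self.token_path = token_path or os.environ.get(TOKEN_PATH_ENV, DEFAULT_TOKEN_PATH)
        self.audience = audience

    def fetch(self, context: OIDCCallbackContext) -> OIDCCallbackResult:
        token, expires_in = load_workload_token(self.token_path, self.audience)
        # The token is a bearer credential: never log it, only its remaining lifetime.
        return OIDCCallbackResult(access_token=token, expires_in_seconds=expires_in)


def build_client(uri: str, callback: OIDCCallback):
    """Wire the callback into MongoClient the way a check instance would (needs pymongo installed)."""
    from pymongo import MongoClient  # imported lazily so the token logic above runs without the driver
    return MongoClient(uri, authMechanism="MONGODB-OIDC",
                       authMechanismProperties={"OIDC_CALLBACK": callback}, connect=False)


def make_constructed_jwt(claims: dict) -> str:
    """CONSTRUCTED test token: genuine header/payload encoding, placeholder signature."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Exercise the loader against constructed tokens written to a temp file; return the outcomes."""
    good = make_constructed_jwt({"iss": "https://example-cluster.invalid", "aud": "mongodb-example-audience",
                                 "sub": "system:serviceaccount:datadog:agent", "exp": now + 3600})
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(good + "\n")
        _, expires_in = load_workload_token(path, "mongodb-example-audience", now)
    outcomes = {"expires_in": expires_in}
    for label, audience, at in (("wrong_audience", "some-other-audience", now), ("expired", None, now + 7200)):
        try:
            check_token(good, audience, at)
        except ValueError as exc:
            outcomes[label] = str(exc)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

A check instance would then call `build_client(uri, ProjectedTokenCallback(audience="..."))` with the audience the MongoDB deployment was registered with; keeping the audience check in the callback means a token minted for some other consumer is rejected before it ever leaves the pod.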
