Type: Task
Resolution: Unresolved
Priority: Unknown
Affects Version/s: None
Component/s: None
Ruby Drivers
Not Needed
Replace Evergreen project variables used for FLE/CSFLE testing with AWS Secrets Manager via drivers-evergreen-tools setup scripts.
Scope
Replace the "export FLE credentials" function in .evergreen/config/common.yml.erb (currently writes 17 credential variables to .env.private) with a subprocess.exec call to ${DRIVERS_TOOLS}/.evergreen/csfle/setup-secrets.sh.
Also migrate the Azure KMS and GCP KMS task group variables (testazurekms_, testgcpkms_) to csfle/azurekms/setup-secrets.sh and csfle/gcpkms/setup-secrets.sh respectively.
Migrate FLE mock server startup out of run-tests.sh into calls to ${DRIVERS_TOOLS}/.evergreen/csfle/start-servers.sh and stop-servers.sh.
Files to change
- .evergreen/config/common.yml.erb — replace the "export FLE credentials" function; fix the "run CSOT tests" and "run OTel tests" functions, which also inline ${fle_aws_*} vars; update the Azure/GCP KMS task groups
- .evergreen/config.yml — regenerate from ERB template
- .evergreen/run-tests.sh — remove inline FLE mock server block; source ${DRIVERS_TOOLS}/.evergreen/csfle/secrets-export.sh and remap to MONGO_RUBY_DRIVER_* env var names
Evergreen project variables eliminated (26)
fle_aws_key, fle_aws_secret, fle_aws_region, fle_aws_arn, fle_azure_tenant_id, fle_azure_client_id, fle_azure_client_secret, fle_azure_identity_platform_endpoint, fle_azure_key_vault_endpoint, fle_azure_key_name, fle_gcp_email, fle_gcp_private_key, fle_gcp_project_id, fle_gcp_location, fle_gcp_key_ring, fle_gcp_key_name, fle_mongocryptd_port, testazurekms_clientid, testazurekms_tenantid, testazurekms_secret, testazurekms_resourcegroup, testazurekms_publickey, testazurekms_privatekey, testazurekms_scope, testgcpkms_key_file, testgcpkms_service_account
Open question before starting
csfle/setup-secrets.sh generates temporary STS credentials (CSFLE_AWS_TEMP_*). Verify whether the drivers/csfle vault contains long-lived or temporary credentials, and confirm the variable names to map to MONGO_RUBY_DRIVER_AWS_KEY etc. Compare against the Python driver's setup_tests.py mapping.
Test plan
Run a CI patch with FLE, Azure KMS, and GCP KMS build variants.
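A sketch of the remap step listed for .evergreen/run-tests.sh, added here as an example and not taken from the Ruby driver or drivers-evergreen-tools. The source variable names are assumptions pending the open question above, and every target name other than MONGO_RUBY_DRIVER_AWS_KEY is assumed to follow the same pattern. It refuses to export a partial credential set and keeps values out of the task log.

```shell
# Added example. Source names (left) are ASSUMED; confirm them against what
# secrets-export.sh actually exports. Only MONGO_RUBY_DRIVER_AWS_KEY is named
# on the ticket; the other target names are assumed to follow its pattern.
FLE_REMAP='
FLE_AWS_KEY=MONGO_RUBY_DRIVER_AWS_KEY
FLE_AWS_SECRET=MONGO_RUBY_DRIVER_AWS_SECRET
FLE_AWS_REGION=MONGO_RUBY_DRIVER_AWS_REGION
FLE_AWS_ARN=MONGO_RUBY_DRIVER_AWS_ARN
'

# Intended use in run-tests.sh (paths from the ticket):
#   . "${DRIVERS_TOOLS}/.evergreen/csfle/secrets-export.sh"
#   remap_fle_secrets || exit 1
remap_fle_secrets() {
  # Suspend xtrace so secret values never reach the CI task log.
  case $- in *x*) _had_x=1; set +x ;; *) _had_x=0 ;; esac

  # Pass 1: collect every source variable that is unset or empty.
  _missing=""
  for _pair in $FLE_REMAP; do
    _src=${_pair%%=*}
    # eval is safe here: _src comes only from the fixed table above.
    eval "_val=\${$_src-}"
    if [ -z "$_val" ]; then _missing="$_missing $_src"; fi
  done

  # Pass 2: export only when the full set is present (fail closed).
  _rc=0
  if [ -n "$_missing" ]; then
    echo "FLE secrets missing:$_missing" >&2   # names only, never values
    _rc=1
  else
    for _pair in $FLE_REMAP; do
      _src=${_pair%%=*}
      _dst=${_pair#*=}
      eval "_val=\${$_src-}"
      export "$_dst=$_val"
    done
  fi

  unset _val
  if [ "$_had_x" = 1 ]; then set -x; fi
  return "$_rc"
}
```

Once the real exported names are confirmed, only the FLE_REMAP table needs to change.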
- is fixed by: RUBY-3311 Use AWS Secrets Manager for Evergreen Test Secrets
- Backlog