Migrate FLE/CSFLE test secrets to AWS Secrets Manager


    • Type: Task
    • Resolution: Done
    • Priority: Unknown
    • Ruby Drivers

      Replace the Evergreen project variables used for FLE/CSFLE testing with secrets fetched from AWS Secrets Manager by the drivers-evergreen-tools setup scripts, so that no long-lived KMS credentials are stored as plain project variables or written to .env.private by the driver's own config.

      Scope

      Replace the "export FLE credentials" function in .evergreen/config/common.yml.erb (currently writes 17 credential variables to .env.private) with a subprocess.exec call to ${DRIVERS_TOOLS}/.evergreen/csfle/setup-secrets.sh.

      Also migrate the Azure KMS and GCP KMS task group variables (testazurekms_, testgcpkms_) to csfle/azurekms/setup-secrets.sh and csfle/gcpkms/setup-secrets.sh respectively.

      Migrate FLE mock server startup out of run-tests.sh into calls to ${DRIVERS_TOOLS}/.evergreen/csfle/start-servers.sh and stop-servers.sh.

      Files to change

      • .evergreen/config/common.yml.erb — replace export FLE credentials; fix run CSOT tests and run OTel tests functions which also inline ${fle_aws_*} vars; update Azure/GCP KMS task groups
      • .evergreen/config.yml — regenerate from ERB template
      • .evergreen/run-tests.sh — remove inline FLE mock server block; source ${DRIVERS_TOOLS}/.evergreen/csfle/secrets-export.sh and remap to MONGO_RUBY_DRIVER_* env var names

      Evergreen project variables eliminated (26)

      fle_aws_key, fle_aws_secret, fle_aws_region, fle_aws_arn, fle_azure_tenant_id, fle_azure_client_id, fle_azure_client_secret, fle_azure_identity_platform_endpoint, fle_azure_key_vault_endpoint, fle_azure_key_name, fle_gcp_email, fle_gcp_private_key, fle_gcp_project_id, fle_gcp_location, fle_gcp_key_ring, fle_gcp_key_name, fle_mongocryptd_port, testazurekms_clientid, testazurekms_tenantid, testazurekms_secret, testazurekms_resourcegroup, testazurekms_publickey, testazurekms_privatekey, testazurekms_scope, testgcpkms_key_file, testgcpkms_service_account

      Open question before starting

      The csfle/setup-secrets.sh script generates temporary STS credentials (CSFLE_AWS_TEMP_*). Before starting, verify whether the drivers/csfle vault contains long-lived or temporary credentials (temporary ones require a session token to be exported alongside the key pair), and confirm which exported variable names map to MONGO_RUBY_DRIVER_AWS_KEY etc. Compare against the Python driver's setup_tests.py mapping.
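      As an added example (not the Ruby driver's run-tests.sh and not a drivers-evergreen-tools script), the remap step in run-tests.sh could look like the POSIX sh helper below: it copies the values exported by secrets-export.sh to the MONGO_RUBY_DRIVER_* names, aborts if any source variable is unset or empty rather than exporting an empty string, and reports whether the AWS credentials are long-lived or temporary STS credentials. The source names FLE_AWS_*, the session-token name CSFLE_AWS_TEMP_SESSION_TOKEN and the MONGO_RUBY_DRIVER_* targets other than MONGO_RUBY_DRIVER_AWS_KEY are assumptions for illustration and must be confirmed against secrets-export.sh and setup_tests.py.

```shell
#!/bin/sh
# Added example, not the Ruby driver's run-tests.sh: after sourcing
# secrets-export.sh, copy the exported values to the MONGO_RUBY_DRIVER_* names
# the Ruby test suite reads, failing on any missing value instead of silently
# exporting an empty string (which would let a KMS test "pass" by being skipped).
set -eu

# Copy the value of the variable named $1 into the variable named $2.
# Returns 1 (and prints which name was missing) if $1 is unset or empty.
remap_secret() {
  src="$1"; dst="$2"
  eval "value=\${$src:-}"
  if [ -z "$value" ]; then
    echo "remap_secret: required variable $src is unset or empty" >&2
    return 1
  fi
  export "$dst=$value"
}

# Mapping table, one "SOURCE DEST" pair per line. The SOURCE names are an
# ASSUMPTION for illustration; confirm them against secrets-export.sh and the
# Python driver's setup_tests.py before use.
FLE_SECRET_MAP='
FLE_AWS_KEY      MONGO_RUBY_DRIVER_AWS_KEY
FLE_AWS_SECRET   MONGO_RUBY_DRIVER_AWS_SECRET
FLE_AWS_REGION   MONGO_RUBY_DRIVER_AWS_REGION
FLE_AWS_ARN      MONGO_RUBY_DRIVER_AWS_ARN
'

# Apply every pair in FLE_SECRET_MAP; returns the number of pairs that could
# not be mapped (0 means every secret is in place).
remap_fle_secrets() {
  failures=0
  while read -r src dst; do
    [ -n "$src" ] || continue
    remap_secret "$src" "$dst" || failures=$((failures + 1))
  done <<EOF
$FLE_SECRET_MAP
EOF
  return "$failures"
}

# Report whether the AWS credentials in the environment are long-lived or
# temporary STS credentials: temporary ones carry a session token that must
# also be exported, or KMS calls fail with an invalid-credentials error.
# $1 is the name of the session-token variable; the default name is an
# ASSUMPTION derived from the CSFLE_AWS_TEMP_* prefix mentioned in the ticket.
aws_credential_kind() {
  token_var="${1:-CSFLE_AWS_TEMP_SESSION_TOKEN}"
  eval "token=\${$token_var:-}"
  if [ -n "$token" ]; then
    echo temporary
  else
    echo long-lived
  fi
}

# Typical use in run-tests.sh (guarded so this file also runs stand-alone
# without DRIVERS_TOOLS checked out).
if [ -n "${DRIVERS_TOOLS:-}" ] && [ -f "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh" ]; then
  . "$DRIVERS_TOOLS/.evergreen/csfle/secrets-export.sh"
  remap_fle_secrets
  echo "AWS credentials are $(aws_credential_kind)"
fi
```

      Because remap_fle_secrets returns the number of missing variables, a plain call under set -e aborts the task before any test runs, which is the behaviour wanted in CI: a KMS variant should fail visibly on a vault or mapping problem, not run with blank credentials.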

      Test plan

      Run a CI patch with the FLE, Azure KMS, and GCP KMS build variants. Once the patch is green, delete the 26 project variables listed above so the credentials no longer exist outside the vault.

      Assignee: Dmitry Rybakov
      Reporter: Dmitry Rybakov