
Commit 35c703e

ci(NODE-6685): use secrets manager for FLE tests and consolidate FLE setup in CI tooling (#4386)
Co-authored-by: Durran Jordan <[email protected]>
1 parent fbefa6b commit 35c703e

26 files changed

+357
-774
lines changed

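--- a/.evergreen/config.in.yml
+++ b/.evergreen/config.in.yml
@@ -130,123 +130,40 @@ functions:
 DRIVERS_TOOLS: ${DRIVERS_TOOLS}
 
 "run tests":
-- command: shell.exec
-type: test
+- command: ec2.assume_role
 params:
-silent: true
-working_dir: "src"
-script: |
-if [ -n "${CLIENT_ENCRYPTION}" ]; then
-cat <<EOT > prepare_client_encryption.sh
-export CLIENT_ENCRYPTION=${CLIENT_ENCRYPTION}
-export RUN_WITH_MONGOCRYPTD=${RUN_WITH_MONGOCRYPTD}
-export CSFLE_KMS_PROVIDERS='${CSFLE_KMS_PROVIDERS}'
-export FLE_AWS_KEY2='${FLE_AWS_KEY2}'
-export FLE_AWS_SECRET2='${FLE_AWS_SECRET2}'
-export AWS_ACCESS_KEY_ID='${AWS_ACCESS_KEY_ID}'
-export AWS_SECRET_ACCESS_KEY='${AWS_SECRET_ACCESS_KEY}'
-export AWS_REGION='${AWS_REGION}'
-export AWS_CMK_ID='${AWS_CMK_ID}'
-export AWS_DEFAULT_REGION='us-east-1'
-export KMIP_TLS_CA_FILE="${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem"
-export KMIP_TLS_CERT_FILE="${DRIVERS_TOOLS}/.evergreen/x509gen/client.pem"
-EOT
-fi
-- command: shell.exec
+role_arn: ${OIDC_AWS_ROLE_ARN}
+- command: subprocess.exec
 type: test
 params:
+env:
+TEST_CSFLE: "true"
+add_expansions_to_env: true
 working_dir: "src"
 timeout_secs: 300
-shell: bash
-script: |
-${PREPARE_SHELL}
-
-if [ -n "${CLIENT_ENCRYPTION}" ]; then
-# Disable xtrace (just in case it was accidentally set).
-set +x
-. ./prepare_client_encryption.sh
-rm -f ./prepare_client_encryption.sh
-fi
-
-export VERSION=${VERSION}
-export DRIVERS_TOOLS=${DRIVERS_TOOLS}
-
-if [ -z "${RUN_WITH_MONGOCRYPTD}" ]; then
-# Set up crypt shared lib if we don't want to use mongocryptd
-source ${PROJECT_DIRECTORY}/.evergreen/prepare-crypt-shared-lib.sh
-echo "CRYPT_SHARED_LIB_PATH: $CRYPT_SHARED_LIB_PATH"
-else
-echo "CRYPT_SHARED_LIB_PATH not set; using mongocryptd"
-fi
-
-TEST_NPM_SCRIPT="${TEST_NPM_SCRIPT|check:integration-coverage}" \
-MONGODB_URI="${MONGODB_URI}" \
-AUTH=${AUTH} SSL=${SSL} TEST_CSFLE=true \
-MONGODB_API_VERSION="${MONGODB_API_VERSION}" \
-SKIP_DEPS=${SKIP_DEPS|1} \
-bash ${PROJECT_DIRECTORY}/.evergreen/run-tests.sh
+binary: bash
+args:
+- .evergreen/run-tests.sh
 
 "run serverless tests":
 - command: timeout.update
 params:
 exec_timeout_secs: 1800
-- command: shell.exec
-type: test
+- command: ec2.assume_role
 params:
-silent: true
-working_dir: src
-script: |
-cat <<EOT > prepare_client_encryption.sh
-export CLIENT_ENCRYPTION=${CLIENT_ENCRYPTION}
-export CSFLE_KMS_PROVIDERS='${CSFLE_KMS_PROVIDERS}'
-export AWS_ACCESS_KEY_ID='${AWS_ACCESS_KEY_ID}'
-export AWS_SECRET_ACCESS_KEY='${AWS_SECRET_ACCESS_KEY}'
-export FLE_AWS_KEY2='${FLE_AWS_KEY2}'
-export FLE_AWS_SECRET2='${FLE_AWS_SECRET2}'
-export AWS_REGION='${AWS_REGION}'
-export AWS_CMK_ID='${AWS_CMK_ID}'
-export AWS_DEFAULT_REGION='us-east-1'
-export KMIP_TLS_CA_FILE="${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem"
-export KMIP_TLS_CERT_FILE="${DRIVERS_TOOLS}/.evergreen/x509gen/client.pem"
-EOT
-- command: shell.exec
+role_arn: ${OIDC_AWS_ROLE_ARN}
+- command: subprocess.exec
 type: test
 params:
-working_dir: src
 timeout_secs: 300
-shell: bash
-script: |
-${PREPARE_SHELL}
-
-# Disable xtrace (just in case it was accidentally set).
-set +x
-source ./prepare_client_encryption.sh
-rm -f ./prepare_client_encryption.sh
-
-export VERSION=${VERSION}
-export DRIVERS_TOOLS=${DRIVERS_TOOLS}
-
-source ${PROJECT_DIRECTORY}/.evergreen/prepare-crypt-shared-lib.sh
-
-echo "CRYPT_SHARED_LIB_PATH: $CRYPT_SHARED_LIB_PATH"
-
-# Get access to the AWS temporary credentials:
-echo "adding temporary AWS credentials to environment"
-# CSFLE_AWS_TEMP_ACCESS_KEY_ID, CSFLE_AWS_TEMP_SECRET_ACCESS_KEY, CSFLE_AWS_TEMP_SESSION_TOKEN
-pushd "$DRIVERS_TOOLS"/.evergreen/csfle
-. ./activate-kmstlsvenv.sh
-. ./set-temp-creds.sh
-popd
-
-export MONGODB_API_VERSION="${MONGODB_API_VERSION}"
-export AUTH="auth"
-export SSL="ssl"
-export TEST_CSFLE=true
-
-source secrets-export.sh
-source serverless.env
-
-bash ${PROJECT_DIRECTORY}/.evergreen/run-serverless-tests.sh
+working_dir: src
+binary: bash
+env:
+AUTH: 'auth'
+SSL: 'ssl'
+add_expansions_to_env: true
+args:
+- .evergreen/run-serverless-tests.sh
 
 "start-load-balancer":
 - command: shell.exec
@@ -264,43 +181,26 @@ functions:
 bash ${DRIVERS_TOOLS}/.evergreen/run-load-balancer.sh stop
 
 "run-lb-tests":
-- command: shell.exec
+- command: subprocess.exec
 type: test
 params:
-shell: bash
+add_expansions_to_env: true
+binary: bash
 working_dir: src
 timeout_secs: 300
-script: |
-${PREPARE_SHELL}
-
-MONGODB_URI="${MONGODB_URI}" \
-AUTH=${AUTH} \
-SSL=${SSL} \
-MONGODB_API_VERSION="${MONGODB_API_VERSION}" \
-SINGLE_MONGOS_LB_URI="${SINGLE_MONGOS_LB_URI}" \
-MULTI_MONGOS_LB_URI="${MULTI_MONGOS_LB_URI}" \
-TOPOLOGY="${TOPOLOGY}" \
-SKIP_DEPS=${SKIP_DEPS|1} \
-LOAD_BALANCER="${LOAD_BALANCER}" \
-bash ${PROJECT_DIRECTORY}/.evergreen/run-tests.sh
+args:
+- .evergreen/run-tests.sh
 
 "run-compression-tests":
-- command: shell.exec
+- command: subprocess.exec
 type: test
 params:
+binary: bash
 working_dir: src
 timeout_secs: 300
-script: |
-${PREPARE_SHELL}
-
-MONGODB_URI="${MONGODB_URI}" \
-AUTH=${AUTH} \
-SSL=${SSL} \
-MONGODB_API_VERSION="${MONGODB_API_VERSION}" \
-TOPOLOGY="${TOPOLOGY}" \
-COMPRESSOR="${COMPRESSOR}" \
-SKIP_DEPS=${SKIP_DEPS|1} \
-bash ${PROJECT_DIRECTORY}/.evergreen/run-tests.sh
+add_expansions_to_env: true
+args:
+- .evergreen/run-tests.sh
 
 "install package":
 - command: shell.exec
@@ -492,44 +392,17 @@ functions:
 - .evergreen/run-atlas-tests.sh
 
 "run socks5 tests":
-- command: shell.exec
-type: test
+- command: ec2.assume_role
 params:
-silent: true
-working_dir: "src"
-script: |
-${PREPARE_SHELL}
-cat <<EOT > prepare_client_encryption.sh
-export CLIENT_ENCRYPTION='${CLIENT_ENCRYPTION}'
-export CSFLE_KMS_PROVIDERS='${CSFLE_KMS_PROVIDERS}'
-export FLE_AWS_KEY2='${FLE_AWS_KEY2}'
-export FLE_AWS_SECRET2='${FLE_AWS_SECRET2}'
-export AWS_REGION='${AWS_REGION}'
-export AWS_CMK_ID='${AWS_CMK_ID}'
-export AWS_ACCESS_KEY_ID='${AWS_ACCESS_KEY_ID}'
-export AWS_SECRET_ACCESS_KEY='${AWS_SECRET_ACCESS_KEY}'
-EOT
-- command: shell.exec
+role_arn: ${OIDC_AWS_ROLE_ARN}
+- command: subprocess.exec
 type: test
 params:
-working_dir: "src"
-script: |
-${PREPARE_SHELL}
-
-export PYTHON_BINARY=$([ "Windows_NT" = "$OS" ] && echo "/cygdrive/c/python/python38/python.exe" || echo "/opt/mongodbtoolchain/v3/bin/python3")
-export PROJECT_DIRECTORY="$(pwd)"
-export DRIVERS_TOOLS="${DRIVERS_TOOLS}"
-export NODE_LTS_VERSION='${NODE_LTS_VERSION}'
-export MONGODB_URI="${MONGODB_URI}"
-export TEST_SOCKS5_CSFLE="${TEST_SOCKS5_CSFLE}"
-export SSL="${SSL}"
-
-# Disable xtrace (just in case it was accidentally set).
-set +x
-. ./prepare_client_encryption.sh
-rm -f ./prepare_client_encryption.sh
-
-bash ${PROJECT_DIRECTORY}/.evergreen/run-socks5-tests.sh
+add_expansions_to_env: true
+working_dir: src
+binary: bash
+args:
+- .evergreen/run-socks5-tests.sh
 
 "run kerberos tests":
 - command: subprocess.exec
@@ -939,46 +812,17 @@ functions:
 --fault revoked
 
 "run custom csfle tests":
-- command: shell.exec
-type: test
+- command: ec2.assume_role
 params:
-silent: true
-working_dir: "src"
-script: |
-${PREPARE_SHELL}
-cat <<EOT > prepare_client_encryption.sh
-export CLIENT_ENCRYPTION='${CLIENT_ENCRYPTION}'
-export CSFLE_KMS_PROVIDERS='${CSFLE_KMS_PROVIDERS}'
-export FLE_AWS_KEY2='${FLE_AWS_KEY2}'
-export FLE_AWS_SECRET2='${FLE_AWS_SECRET2}'
-export AWS_ACCESS_KEY_ID='${AWS_ACCESS_KEY_ID}'
-export AWS_SECRET_ACCESS_KEY='${AWS_SECRET_ACCESS_KEY}'
-export AWS_REGION='${AWS_REGION}'
-export AWS_CMK_ID='${AWS_CMK_ID}'
-EOT
-- command: shell.exec
+role_arn: ${OIDC_AWS_ROLE_ARN}
+- command: subprocess.exec
 type: test
 params:
-working_dir: "src"
-timeout_secs: 60
-shell: bash
-script: |
-${PREPARE_SHELL}
-
-# Disable xtrace (just in case it was accidentally set).
-set +x
-source ./prepare_client_encryption.sh
-rm -f ./prepare_client_encryption.sh
-
-export VERSION=${VERSION}
-export DRIVERS_TOOLS=${DRIVERS_TOOLS}
-
-source ${PROJECT_DIRECTORY}/.evergreen/prepare-crypt-shared-lib.sh
-export MONGODB_URI="${MONGODB_URI}"
-
-echo "CRYPT_SHARED_LIB_PATH: $CRYPT_SHARED_LIB_PATH"
-
-bash ${PROJECT_DIRECTORY}/.evergreen/run-custom-csfle-tests.sh
+working_dir: src
+add_expansions_to_env: true
+binary: bash
+args:
+- .evergreen/run-custom-csfle-tests.sh
 
 "run lambda handler example tests":
 - command: subprocess.exec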
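Review bot: `add_expansions_to_env: true` on each new `subprocess.exec` step (run tests, run serverless tests, run-lb-tests, run-compression-tests, run socks5 tests, run custom csfle tests) hands every Evergreen expansion to the test script and all of its child processes, which is broader than the explicit variable lists the removed `shell.exec` scripts passed. In the steps that follow `ec2.assume_role` this presumably includes the temporary role credentials, and it also covers any unrelated project secrets that happen to be defined as expansions. Consider `include_expansions_in_env` with only the names each script reads, for example `include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, MONGODB_URI]` (the exact list needs confirming against the scripts). The removed steps also ran `set +x` before sourcing secrets; the `run-*.sh` scripts are outside this section, so it is worth confirming they keep xtrace off now that secrets arrive through the environment.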
