DRIVERS-2601 OIDC GCP and Azure Cleanup (mongodb-labs#427)

.evergreen/auth_oidc/azure/create-and-setup-vm.sh

@@ -90,11 +90,11 @@ echo "Untarring file ... end"
 popd
 
 # Start mongodb.
-AZUREKMS_CMD="./drivers-evergreen-tools/.evergreen/auth_oidc/azure/start-mongodb.sh" \
+AZUREKMS_CMD="./drivers-evergreen-tools/.evergreen/auth_oidc/azure/remote-scripts/start-mongodb.sh" \
     "$DRIVERS_TOOLS"/.evergreen/csfle/azurekms/run-command.sh
 
 # Run the self-test
-AZUREKMS_CMD="./drivers-evergreen-tools/.evergreen/auth_oidc/azure/run-test.sh" \
+AZUREKMS_CMD="./drivers-evergreen-tools/.evergreen/auth_oidc/azure/remote-scripts/run-self-test.sh" \
     "$DRIVERS_TOOLS"/.evergreen/csfle/azurekms/run-command.sh
 
 popd

.evergreen/auth_oidc/azure/run-test.sh → .evergreen/auth_oidc/azure/remote-scripts/run-self-test.sh

@@ -12,5 +12,5 @@ pushd mongo-python-driver
 python setup.py install --no_ext
 popd
 pip install -q requests
-python azure/test.py
+python azure/remote-scripts/test.py
 popd

.evergreen/auth_oidc/gcp/README.md

@@ -1,8 +1,8 @@
 # GCP OIDC Testing
 
-Testing OIDC with GCP integration involves launching an GCP VM,
+Testing OIDC with GCP integration involves launching an Atlas cluster and GCP VM,
 pushing the code to the VM, running the OIDC tests for the driver,
-and then tearing down the VM and its resources.
+and then tearing down the Atlas cluster, and VM and its resources.
 
 ## Background
 
@@ -20,7 +20,7 @@ should run the equivalent of the following, substituting your driver name:
 
 ```bash
 export GCPOIDC_VMNAME_PREFIX="PYTHON_DRIVER"
-$DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/create-and-setup-instance.sh
+$DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/setup.sh
 ```
 
 This script can be run locally or in CI.  The script also runs a self-test on the VM using the Python driver.
@@ -40,17 +40,19 @@ export GCPOIDC_TEST_CMD="source ./env.sh && OIDC_PROVIDER_NAME=gcp ./.evergreen/
 bash $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/run-driver-test.sh
 ```
 
-In your tests, you can use the environment variables in `secrets-export.sh` to define the `TOKEN_AUDIENCE`
-auth mechanism property, e.g.
+The following variables can be used in your tests by sourcing `$DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/secrets-export.sh`:
 
-```python
-TOKEN_AUDIENCE=os.environ["GCPOIDC_AUDIENCE"]
+```bash
+MONGODB_URI         # The base, admin URI
+MONGODB_URI_SINGLE  # The OIDC connection string with auth mechanism and properties.
+OIDC_ADMIN_USER     # The username and password for use with an admin connection
+OIDC_ADMIN_PWD
 ```
 
 Finally, we tear down the vm:
 
 ```bash
-$DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/delete-instance.sh
+$DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/teardown.sh
 ```
 
 An example task group would look like:
@@ -80,15 +82,19 @@ An example task group would look like:
           - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/gcp/teardown.sh
     - func: other teardown function
   tasks:
-    - oidc-auth-test-gcp-latest
+    - oidc-auth-test-gcp
 ```
 
 ### Environment Variables
 
-Below is an explananion of the environment variables used in the test:
+Below is an explanation of the environment variables used in the test:
 
-- GCPOIDC_AUDIENCE - The value to use in the `TOKEN_AUDIENCE` auth mechanism property.
-- GCPOIDC_ATLAS_URI - The URI of the Atlas cluster configured for OIDC GCP testing.
+- GCPOIDC_AUDIENCE - The value used in the `TOKEN_RESOURCE` auth mechanism property.
 - GCPOIDC_SERVICEACCOUNT - The GCP Service Account to use for GCP access.
 - GCPOIDC_KEYFILE_CONTENT - The base64-encoded GCP keyfile content.
 - GCPOIDC_MACHINE - The GCE machine type to use for the VM.
+- GCPOIDC_ATLAS_USER - The username for admin database access.
+- GCPOIDC_ATLAS_PASSWORD - The password for admin database access.
+- OIDC_ATLAS_PUBLIC_API_KEY - The Atlas Publi API key used to create/delete clusters.
+- OIDC_ATLAS_PRIVATE_API_KEY - The Atlas Private API key.
+- OIDC_ATLAS_GROUP_ID - The Atlas Dev Group ID where the clusters are launched.

.evergreen/auth_oidc/gcp/run-test.sh → .evergreen/auth_oidc/gcp/remote-scripts/run-self-test.sh

@@ -3,15 +3,13 @@ set -o errexit
 set -o pipefail
 
 echo "Installing dependencies ... begin"
-sudo apt-get update
-sudo apt-get -y -o DPkg::Lock::Timeout=-1 install git python3-pip python3-venv
 git clone https://github.com/mongodb/mongo-python-driver
 pushd mongo-python-driver
 python3 -m venv .venv
 source .venv/bin/activate
 pip install -U -q pip
 pip install -U -q requests setuptools
-python setup.py install --no_ext
+python setup.py -q install --no_ext
 popd
 echo "Installing dependencies ... end"
 

.evergreen/auth_oidc/gcp/test.py → .evergreen/auth_oidc/gcp/remote-scripts/test.py

@@ -9,7 +9,7 @@
 _AUTH_MAP["MONGODB-OIDC"] = _authenticate_oidc
 
 audience = os.environ['GCPOIDC_AUDIENCE']
-atlas_uri = os.environ["GCPOIDC_ATLAS_URI"]
+atlas_uri = os.environ["MONGODB_URI"]
 
 class MyCallback(OIDCCallback):
     def fetch(self, context: OIDCCallbackContext) -> OIDCCallbackResult:

.evergreen/auth_oidc/gcp/setup-instance.sh

@@ -14,26 +14,30 @@ if [ -z "$GCPKMS_GCLOUD" -o -z "$GCPKMS_PROJECT" -o -z "$GCPKMS_ZONE" -o -z "$GC
     exit 1
 fi
 
-echo "Copying test files to GCE instance ($GCPKMS_INSTANCENAME) ... begin"
+echo "Copying setup-gce-instance.sh to GCE instance ($GCPKMS_INSTANCENAME) ... begin"
 # Copy files to test. Use "-p" to preserve execute mode.
-$GCPKMS_GCLOUD compute scp $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/run-test.sh "$GCPKMS_INSTANCENAME":~ \
+$GCPKMS_GCLOUD compute scp $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/remote-scripts/setup-gce-instance.sh "$GCPKMS_INSTANCENAME":~ \
     --zone $GCPKMS_ZONE \
     --project $GCPKMS_PROJECT \
     --scp-flag="-p"
-$GCPKMS_GCLOUD compute scp $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/test.py "$GCPKMS_INSTANCENAME":~ \
+echo "Copying setup-gce-instance.sh to GCE instance ($GCPKMS_INSTANCENAME) ... end"
+
+echo "Running setup-gce-instance.sh on GCE instance ($GCPKMS_INSTANCENAME) ... begin"
+$GCPKMS_GCLOUD compute ssh "$GCPKMS_INSTANCENAME" \
     --zone $GCPKMS_ZONE \
     --project $GCPKMS_PROJECT \
-    --scp-flag="-p"
-$GCPKMS_GCLOUD compute scp $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/secrets-export.sh "$GCPKMS_INSTANCENAME":~ \
+    --command "./setup-gce-instance.sh"
+echo "Exit code of test-script is: $?"
+echo "Running setup-gce-instance.sh on GCE instance ($GCPKMS_INSTANCENAME) ... end"
+
+echo "Copying test files to GCE instance ($GCPKMS_INSTANCENAME) ... begin"
+# Copy files to test. Use "-p" to preserve execute mode.
+$GCPKMS_GCLOUD compute scp $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/remote-scripts/run-self-test.sh "$GCPKMS_INSTANCENAME":~ \
     --zone $GCPKMS_ZONE \
     --project $GCPKMS_PROJECT \
     --scp-flag="-p"
-echo "Copying test files to GCE instance ($GCPKMS_INSTANCENAME) ... end"
-
-echo "Running run-test.sh on GCE instance ($GCPKMS_INSTANCENAME) ... begin"
-$GCPKMS_GCLOUD compute ssh "$GCPKMS_INSTANCENAME" \
+$GCPKMS_GCLOUD compute scp $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/remote-scripts/test.py "$GCPKMS_INSTANCENAME":~ \
     --zone $GCPKMS_ZONE \
     --project $GCPKMS_PROJECT \
-    --command "./run-test.sh"
-echo "Exit code of test-script is: $?"
-echo "Running run-test.sh on GCE instance ($GCPKMS_INSTANCENAME) ... end"
+    --scp-flag="-p"
+echo "Copying test files to GCE instance ($GCPKMS_INSTANCENAME) ... end"

.evergreen/auth_oidc/gcp/setup-secrets.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -o errexit  # Exit the script with error if any of the commands fail
+set -x
+
+SCRIPT_DIR=$(dirname ${BASH_SOURCE[0]})
+. $SCRIPT_DIR/../../handle-paths.sh
+pushd $SCRIPT_DIR
+. ../../secrets_handling/setup-secrets.sh drivers/gcpoidc
+popd

.evergreen/auth_oidc/gcp/setup.sh

@@ -4,5 +4,120 @@ set -o errexit
 
 SCRIPT_DIR=$(dirname ${BASH_SOURCE[0]})
 . $SCRIPT_DIR/../../handle-paths.sh
+pushd $SCRIPT_DIR
 
-. $SCRIPT_DIR/create-and-setup-instance.sh
+# Handle secrets from vault.
+rm -f secrets-export.sh
+. ./setup-secrets.sh
+
+########################
+# Start an Atlas Cluster
+
+# Get the utility functions
+. ../../atlas/atlas-utils.sh
+
+# Generate a random cluster name.
+# See: https://docs.atlas.mongodb.com/reference/atlas-limits/#label-limits
+DEPLOYMENT_NAME="$RANDOM-DRIVERGCP"
+echo "export CLUSTER_NAME=$DEPLOYMENT_NAME" >> "secrets-export.sh"
+
+# Set the create cluster configuration.
+export DEPLOYMENT_DATA=$(cat <<EOF
+{
+  "autoScaling" : {
+    "autoIndexingEnabled" : false,
+    "compute" : {
+      "enabled" : true,
+      "scaleDownEnabled" : true
+    },
+    "diskGBEnabled" : true
+  },
+  "backupEnabled" : false,
+  "biConnector" : {
+    "enabled" : false,
+    "readPreference" : "secondary"
+  },
+  "clusterType" : "REPLICASET",
+  "diskSizeGB" : 10.0,
+  "encryptionAtRestProvider" : "NONE",
+  "mongoDBMajorVersion" : "7.0",
+  "name" : "${DEPLOYMENT_NAME}",
+  "numShards" : 1,
+  "paused" : false,
+  "pitEnabled" : false,
+  "providerBackupEnabled" : false,
+  "providerSettings" : {
+    "providerName" : "AWS",
+    "autoScaling" : {
+      "compute" : {
+        "maxInstanceSize" : "M20",
+        "minInstanceSize" : "M10"
+      }
+    },
+    "diskIOPS" : 3000,
+    "encryptEBSVolume" : true,
+    "instanceSizeName" : "M10",
+    "regionName" : "US_EAST_1",
+    "volumeType" : "STANDARD"
+  },
+  "replicationFactor" : 3,
+  "rootCertType" : "ISRGROOTX1",
+  "terminationProtectionEnabled" : false,
+  "versionReleaseSystem" : "LTS"
+}
+EOF
+)
+
+export ATLAS_PUBLIC_API_KEY=$OIDC_ATLAS_PUBLIC_API_KEY
+export ATLAS_PRIVATE_API_KEY=$OIDC_ATLAS_PRIVATE_API_KEY
+export ATLAS_GROUP_ID=$OIDC_ATLAS_GROUP_ID
+
+create_deployment
+
+########################
+# Set up the GCE instance.
+
+# Set up variables for GCPKMS scripts.
+export GCPKMS_SECRETS_FILE="$SCRIPT_DIR/secrets-export.sh"
+export GCPKMS_SERVICEACCOUNT=$GCPOIDC_SERVICEACCOUNT
+export GCPKMS_MACHINE=$GCPOIDC_MACHINE
+export GCPKMS_SETUP_INSTANCE="$SCRIPT_DIR/setup-instance.sh"
+
+# Write the keyfile content to a local JSON path.
+export GCPKMS_KEYFILE=/tmp/testgcpkms_key_file.json
+# convert content from base64 to JSON and write to file
+echo ${GCPOIDC_KEYFILE_CONTENT} | base64 --decode > $GCPKMS_KEYFILE
+
+# Create the instance using the script.
+bash $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/create-and-setup-instance.sh
+
+########################
+# Wait for the Atlas Cluster
+URI=$(check_deployment)
+
+cat <<EOF >> "secrets-export.sh"
+export MONGODB_URI="$URI"
+export MONGODB_URI_SINGLE="$URI/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:$GCPOIDC_AUDIENCE"
+export OIDC_ADMIN_USER=$GCPOIDC_ATLAS_USER
+export OIDC_ADMIN_PWD=$GCPOIDC_ATLAS_PASSWORD
+EOF
+
+########################
+# Run the self test.
+source ./secrets-export.sh
+echo "Copying secrets file to GCE instance ($GCPKMS_INSTANCENAME) ... begin"
+$GCPKMS_GCLOUD compute scp $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/secrets-export.sh "$GCPKMS_INSTANCENAME":~ \
+    --zone $GCPKMS_ZONE \
+    --project $GCPKMS_PROJECT \
+    --scp-flag="-p"
+echo "Copying secrets file to GCE instance ($GCPKMS_INSTANCENAME) ... end"
+
+echo "Running run-self-test.sh on GCE instance ($GCPKMS_INSTANCENAME) ... begin"
+$GCPKMS_GCLOUD compute ssh "$GCPKMS_INSTANCENAME" \
+    --zone $GCPKMS_ZONE \
+    --project $GCPKMS_PROJECT \
+    --command "./run-self-test.sh"
+echo "Exit code of test-script is: $?"
+echo "Running run-self-test.sh on GCE instance ($GCPKMS_INSTANCENAME) ... end"
+
+popd

.evergreen/auth_oidc/gcp/teardown.sh

@@ -4,5 +4,18 @@ set -o errexit
 
 SCRIPT_DIR=$(dirname ${BASH_SOURCE[0]})
 . $SCRIPT_DIR/../../handle-paths.sh
+pushd $SCRIPT_DIR
 
-. $SCRIPT_DIR/delete-instance.sh
+# Source the secrets.
+source ./secrets-export.sh
+
+# Tear down the VM.
+bash $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/delete-instance.sh
+
+# Tear down the Atlas Cluster
+export DRIVERS_ATLAS_PUBLIC_API_KEY=$OIDC_ATLAS_PUBLIC_API_KEY
+export DRIVERS_ATLAS_PRIVATE_API_KEY=$OIDC_ATLAS_PRIVATE_API_KEY
+export DRIVERS_ATLAS_GROUP_ID=$OIDC_ATLAS_GROUP_ID
+bash ../../atlas/teardown-atlas-cluster.sh
+
+popd

.evergreen/config.yml

@@ -1081,13 +1081,13 @@ buildvariants:
 - name: tests-docker
   display_name: Docker
   run_on:
-    - ubuntu2004-large
+    - ubuntu2204-large
   tasks:
     - ".docker"  # Run all tasks with the "docker" tag
 
 - name: tests-oidc
   display_name: OIDC
-  run_on: ubuntu2004-small
+  run_on: ubuntu2204-small
   tasks:
     - "test-oidc"
     - "testgcpoidc_task_group"

.evergreen/csfle/azurekms/remote-scripts/setup-azure-vm.sh

@@ -2,18 +2,16 @@
 set -o errexit
 set -o pipefail
 # Do not error on unset variables. run-orchestration.sh accesses unset variables.
-sudo DEBIAN_FRONTEND=noninteractive apt-get update
 
-echo "Install jq ... begin"
-sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o DPkg::Lock::Timeout=-1 install jq
-echo "Install jq ... end"
-
-echo "Installing MongoDB dependencies ... begin"
+echo "Installing dependencies ... begin"
+# Make apt-get non-interactive.
+echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections
+# Skip the "Processing triggers for man-db" step.
+echo "set man-db/auto-update false" | sudo debconf-communicate; sudo dpkg-reconfigure -f noninteractive man-db
+sudo apt-get -qq update
+OPTIONS="-y -qq -o DPkg::Lock::Timeout=-1"
 # Dependencies for mongod: https://www.mongodb.com/docs/manual/tutorial/install-mongodb-enterprise-on-debian-tarball/
-sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o DPkg::Lock::Timeout=-1 install libcurl4 libgssapi-krb5-2 libldap-2.4-2 libwrap0 libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit snmp openssl liblzma5
-# Dependencies for run-orchestration.sh
-sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o DPkg::Lock::Timeout=-1 install python3.9-venv
-sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o DPkg::Lock::Timeout=-1 install python3-pip
-# Install git.
-sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o DPkg::Lock::Timeout=-1 install git
-echo "Installing MongoDB dependencies ... end"
+sudo apt-get install $OPTIONS libcurl4 libgssapi-krb5-2 libldap-2.4-2 libwrap0 libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit snmp openssl liblzma5
+# Dependencies for drivers-evergreen-tools
+sudo apt-get install $OPTIONS python3-pip python3.9-venv git
+echo "Installing dependencies ... end"