PYTHON-5398 Support for AWS EKS Pod Identity

Author: blink1073

.evergreen/generated_configs/tasks.yml

@@ -114,6 +114,19 @@ tasks:
           SUB_TEST_NAME: ecs
           PYTHON_VERSION: "3.10"
     tags: [auth-aws, auth-aws-ecs]
+  - name: test-auth-aws-4.4-eks-python3.11
+    commands:
+      - func: run server
+        vars:
+          AUTH_AWS: "1"
+          VERSION: "4.4"
+      - func: assume ec2 role
+      - func: run tests
+        vars:
+          TEST_NAME: auth_aws
+          SUB_TEST_NAME: eks
+          PYTHON_VERSION: "3.11"
+    tags: [auth-aws, auth-aws-eks]
 
   # Backport pr tests
   - name: backport-pr

.evergreen/generated_configs/variants.yml

@@ -98,14 +98,14 @@ buildvariants:
     tags: []
   - name: auth-aws-win64
     tasks:
-      - name: .auth-aws !.auth-aws-ecs
+      - name: .auth-aws !.auth-aws-ecs !.auth-aws-eks
     display_name: Auth AWS Win64
     run_on:
       - windows-64-vsMulti-small
     tags: []
   - name: auth-aws-macos
     tasks:
-      - name: .auth-aws !.auth-aws-web-identity !.auth-aws-ecs !.auth-aws-ec2
+      - name: .auth-aws !.auth-aws-web-identity !.auth-aws-ecs !.auth-aws-ec2 !.auth-aws-eks
     display_name: Auth AWS macOS
     run_on:
       - macos-14

.evergreen/scripts/configure-env.sh

@@ -76,6 +76,8 @@ EOT
 rm -rf $DRIVERS_TOOLS
 BRANCH=master
 ORG=mongodb-labs
+BRANCH=DRIVERS-2945
+ORG=blink1073
 git clone --branch $BRANCH https://github.com/$ORG/drivers-evergreen-tools.git $DRIVERS_TOOLS
 
 cat <<EOT > ${DRIVERS_TOOLS}/.env

.evergreen/scripts/generate_config.py

@@ -488,10 +488,12 @@ def create_aws_auth_variants():
         tasks = [".auth-aws"]
         tags = []
         if host_name == "macos":
-            tasks = [".auth-aws !.auth-aws-web-identity !.auth-aws-ecs !.auth-aws-ec2"]
+            tasks = [
+                ".auth-aws !.auth-aws-web-identity !.auth-aws-ecs !.auth-aws-ec2 !.auth-aws-eks"
+            ]
             tags = ["pr"]
         elif host_name == "win64":
-            tasks = [".auth-aws !.auth-aws-ecs"]
+            tasks = [".auth-aws !.auth-aws-ecs !.auth-aws-eks"]
         host = HOSTS[host_name]
         variant = create_variant(
             tasks,
@@ -742,6 +744,7 @@ def create_aws_tasks():
         "session-creds",
         "web-identity",
         "ecs",
+        "eks",
     ]
     for version, test_type, python in zip_cycle(get_versions_from("4.4"), aws_test_types, CPYTHONS):
         base_name = f"test-auth-aws-{version}"

.evergreen/run-mongodb-aws-ecs-test.sh renamed to .evergreen/scripts/run-aws-container-test.sh

@@ -11,7 +11,7 @@
 from shutil import which
 
 import pytest
-from utils import DRIVERS_TOOLS, LOGGER, ROOT, run_command
+from utils import DRIVERS_TOOLS, HERE, LOGGER, ROOT, run_command
 
 AUTH = os.environ.get("AUTH", "noauth")
 SSL = os.environ.get("SSL", "nossl")
@@ -159,9 +159,12 @@ def run() -> None:
         result = main("-E -b doctest doc ./doc/_build/doctest".split())
         sys.exit(result)
 
-    # Send ecs tests to run remotely.
-    if TEST_NAME == "auth_aws" and SUB_TEST_NAME == "ecs":
-        run_command(f"{DRIVERS_TOOLS}/.evergreen/auth_aws/aws_setup.sh ecs")
+    # Send ecs and eks tests to run remotely.
+    if TEST_NAME == "auth_aws" and SUB_TEST_NAME in ["ecs", "eks"]:
+        target = f"run-mongodb-aws-{SUB_TEST_NAME}-test.sh"
+        text = (HERE / "run-aws-container-test.sh").read_text()
+        (HERE.parent / target).write_text(text)
+        run_command(f"{DRIVERS_TOOLS}/.evergreen/auth_aws/aws_setup.sh {SUB_TEST_NAME}")
         return
 
     # Send OIDC tests to run remotely.

.evergreen/scripts/run_tests.py

@@ -415,11 +415,11 @@ def handle_test_env() -> None:
 
         setup_kms(sub_test_name)
 
-    if test_name == "auth_aws" and sub_test_name != "ecs-remote":
+    if test_name == "auth_aws" and sub_test_name not in ["ecs-remote", "eks-remote"]:
         auth_aws_dir = f"{DRIVERS_TOOLS}/.evergreen/auth_aws"
         if "AWS_ROLE_SESSION_NAME" in os.environ:
             write_env("AWS_ROLE_SESSION_NAME")
-        if sub_test_name != "ecs":
+        if sub_test_name not in ["ecs", "eks"]:
             aws_setup = f"{auth_aws_dir}/aws_setup.sh"
             run_command(f"bash {aws_setup} {sub_test_name}")
             creds = read_env(f"{auth_aws_dir}/test-env.sh")

.evergreen/scripts/setup_tests.py

@@ -143,8 +143,8 @@ def get_test_options(
         raise ValueError(f"Test '{test_name}' requires a sub_test_name")
     if "auth" in test_name or os.environ.get("AUTH") == "auth":
         opts.auth = True
-        # 'auth_aws ecs' shouldn't have extra auth set.
-        if test_name == "auth_aws" and sub_test_name == "ecs":
+        # auth_aws ecs or eks shouldn't have extra auth set.
+        if test_name == "auth_aws" and sub_test_name in ["ecs", "eks"]:
             opts.auth = False
     if os.environ.get("SSL") == "ssl":
         opts.ssl = True

.evergreen/scripts/utils.py

@@ -30,6 +30,8 @@ expansion.yml
 .evergreen/scripts/test-env.sh
 specifications/
 results.json
+.evergreen/run-mongodb-aws-eks-test.sh
+.evergreen/run-mongodb-aws-ecs-test.sh
 
 # Lambda temp files
 test/lambda/.aws-sam