@baileympearson baileympearson commented Jan 29, 2025

Description

What is changing?

Okay, this might look like a huge PR but I promise the changes are pretty manageable, just bear with me as I explain the changes overall. There's a lot of deleted code here too 🙂

I started out making this a preliminary refactor before migrating to secrets manager. However, once I finished the refactor, I realized I was basically already there so I just made the last change and voila.

  1. All FLE environment setup¹ is now consolidated into a single script - setup-fle.sh. This script handles what we used to have multiple different scripts for:
    a. This script fetches all credentials from secrets-manager (replacing some coming from our evergreen project and then loading them with prepare_client_encryption.sh).
    b. Secrets manager automatically loads environment variables containing paths to the necessary certificate files, so this is handled automatically. But the names are different (see bullet 2).
    c. Downloads crypt_shared and adds it to the path (or not, when we don't want it).
  2. The names of the environment variables that drivers-evergreen-tools uses for TLS certificate files are different from what we use. I've renamed all usages to the new names so we can rely on drivers-evergreen-tools to set them for us.
  3. All usages of CSFLE_KMS_PROVIDERS have been removed in favor of a single file that abstracts away the retrieval of the credentials. This is intended to make switching to secrets manager simpler. Secrets manager instead stores each variable individually instead of in an EJSON stringified object, so with this change, we can adopt secrets manager without modifying any test code that uses CSFLE_KMS_PROVIDERS.

Notably, I haven't made changes to how we launch kms/kmip servers. drivers-evergreen-tools has tooling to start and stop these servers for us, but the ports it launches on are different from our ports, so for the sake of PR size I left that alone. I am happy to reconsider and instead use the shared kms server tooling.

¹ except launching KMS servers

Is there new documentation needed for these changes?

no.

What is the motivation for this change?

Release Highlight

Fill in title or leave empty for no highlight

Double check the following

  • Ran npm run check:lint script
  • Self-review completed using the steps outlined here
  • PR title follows the correct format: type(NODE-xxxx)[!]: description
    • Example: feat(NODE-1234)!: rewriting everything in coffeescript
  • Changes are covered by tests
  • New TODOs have a related JIRA ticket

@durran durran self-assigned this Jan 30, 2025
@baileympearson baileympearson changed the title from "ci(...): clean up FLE configuration" to "ci(NODE-6685): use secrets manager for FLE tests and consolidate FLE setup in CI tooling" Jan 30, 2025
@baileympearson baileympearson marked this pull request as ready for review January 30, 2025 21:49
@durran durran added the "Primary Review" label (In Review with primary reviewer, not yet ready for team's eyes) Jan 31, 2025
@baileympearson baileympearson requested a review from durran January 31, 2025 20:13
@durran durran merged commit 35c703e into main Jan 31, 2025
25 of 28 checks passed
@durran durran deleted the no-story-cleanup-ci branch January 31, 2025 20:45
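
Item 3 of the description replaces a single EJSON-stringified CSFLE_KMS_PROVIDERS variable with one file that assembles credentials stored individually. The sketch below is an added example, not code from this PR or from drivers-evergreen-tools: the environment variable names and the helpers `getKmsProviders` and `redact` are hypothetical, and it shows one way such a file can fail closed and keep secret values out of CI logs.

```javascript
// Added example. The environment variable names below are hypothetical
// placeholders, not the names used by this repo or drivers-evergreen-tools.
const ENV_MAP = {
  aws: { accessKeyId: 'EXAMPLE_AWS_KEY', secretAccessKey: 'EXAMPLE_AWS_SECRET' },
  azure: {
    tenantId: 'EXAMPLE_AZURE_TENANT_ID',
    clientId: 'EXAMPLE_AZURE_CLIENT_ID',
    clientSecret: 'EXAMPLE_AZURE_CLIENT_SECRET'
  },
  gcp: { email: 'EXAMPLE_GCP_EMAIL', privateKey: 'EXAMPLE_GCP_PRIVATE_KEY' },
  local: { key: 'EXAMPLE_LOCAL_KEY' }
};

// Build a kmsProviders object from individually stored secrets.
// Fails closed: a missing variable throws, and the error names the variable
// but never includes any secret value.
function getKmsProviders(env = process.env, wanted = Object.keys(ENV_MAP)) {
  const providers = {};
  const missing = [];
  for (const provider of wanted) {
    const fields = ENV_MAP[provider];
    if (!fields) throw new Error(`unknown KMS provider: ${provider}`);
    providers[provider] = {};
    for (const [field, varName] of Object.entries(fields)) {
      const value = env[varName];
      if (typeof value !== 'string' || value.length === 0) missing.push(varName);
      else providers[provider][field] = value;
    }
  }
  if (missing.length > 0) {
    throw new Error(`missing FLE credentials: ${missing.join(', ')}`);
  }
  return providers;
}

// Copy of the providers object that is safe to print in CI logs.
function redact(providers) {
  return Object.fromEntries(
    Object.entries(providers).map(([name, creds]) => [
      name,
      Object.fromEntries(Object.keys(creds).map(k => [k, '<redacted>']))
    ])
  );
}

// Constructed sample environment (fake values).
const sampleEnv = { EXAMPLE_AWS_KEY: 'AKIAEXAMPLE', EXAMPLE_AWS_SECRET: 'not-a-real-secret' };
console.log(redact(getKmsProviders(sampleEnv, ['aws'])));
```

Test code that imports a helper like this does not need to know whether the values came from a CI project variable or from a secrets manager.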