Skip to content

PYTHON-3396 Support the Azure VM-assigned Managed Identity for Automatic KMS Credentials #1105

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 41 commits into from
Nov 8, 2022
Merged

PYTHON-3396 Support the Azure VM-assigned Managed Identity for Automatic KMS Credentials #1105

merged 41 commits into from
Nov 8, 2022

Conversation

@blink1073
Copy link
Member

@blink1073 blink1073 commented Nov 2, 2022
edited
Loading

Companion to mongodb/libmongocrypt#484

Also fixes a bug in PYTHON-3367 where we we were running the test file but not actually running the GCP tests.

@blink1073 blink1073 marked this pull request as ready for review November 3, 2022 11:34
@blink1073 blink1073 requested a review from juliusgeo as a code owner November 3, 2022 11:34
ShaneHarvey
ShaneHarvey requested changes Nov 7, 2022
View reviewed changes
.evergreen/run-mongodb-fle-azure-auto.sh Outdated
curl -O https://s3.amazonaws.com/mciuploads/libmongocrypt/all/master/latest/libmongocrypt-all.tar.gz
mkdir libmongocrypt-all && tar xzf libmongocrypt-all.tar.gz -C libmongocrypt-all
$PYTHON -m pip install '.'
PYMONGOCRYPT_LIB=$(pwd)/libmongocrypt-all/debian10/nocrypto/lib/libmongocrypt.so TEST_FLE_AZURE_AUTO=1 $PYTHON test/test_on_demand_csfle.py
Copy link
Member

@ShaneHarvey ShaneHarvey Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file looks almost identical to the gcp one. Can we reuse that file rather than introducing another? In fact, I believe we could even reuse run-tests.sh with some minor changes to the TEST_ARGS logic.

Copy link
Member Author

@blink1073 blink1073 Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

Copy link
Member

@ShaneHarvey ShaneHarvey Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any thoughts about the second suggestion to use run-tests.sh? That file already knows how to download and setup libmongocrypt.

Copy link
Member Author

@blink1073 blink1073 Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@blink1073 blink1073 requested a review from ShaneHarvey November 7, 2022 21:08
ShaneHarvey
ShaneHarvey reviewed Nov 7, 2022
View reviewed changes
.evergreen/config.yml Outdated
export AZUREKMS_VMNAME=${AZUREKMS_VMNAME}
export AZUREKMS_PRIVATEKEYPATH=/tmp/testazurekms_privatekey
AZUREKMS_CMD="MONGODB_URI='mongodb://localhost:27017' KEY_NAME='${testazurekms_keyname}' KEY_VAULT_ENDPOINT='${testazurekms_keyvaultendpoint}' SUCCESS=true TEST_FLE_AZURE_AUTO=1 ./.evergreen/run-mongodb-fle-auto.sh" \
AZUREKMS_CMD="MONGODB_URI='mongodb://localhost:27017' KEY_NAME='${testazurekms_keyname}' KEY_VAULT_ENDPOINT='${testazurekms_keyvaultendpoint}' SUCCESS=true TEST_ENCRYPTION=1 TEST_FLE_AZURE_AUTO=1 ./.evergreen/run-tests.sh" \
Copy link
Member

@ShaneHarvey ShaneHarvey Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You might need to pass the right LIBMONGOCRYPT_URL for the remote azure host here.

Copy link
Member Author

@blink1073 blink1073 Nov 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

.evergreen/config.yml Outdated
export GCPKMS_ZONE=${GCPKMS_ZONE}
export GCPKMS_INSTANCENAME=${GCPKMS_INSTANCENAME}
GCPKMS_CMD="SUCCESS=true TEST_FLE_GCP_AUTO=1 ./.evergreen/run-mongodb-fle-auto.sh mongodb://localhost:27017" $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/run-command.sh
GCPKMS_CMD="SUCCESS=true TEST_ENCRYPTION=1 TEST_FLE_GCP_AUTO=1 ./.evergreen/run-tests.sh" $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/run-command.sh
Copy link
Member

@ShaneHarvey ShaneHarvey Nov 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You might need to pass the right LIBMONGOCRYPT_URL for the remote gcp host here.

Copy link
Member Author

@blink1073 blink1073 Nov 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

@blink1073
Copy link
Member Author

blink1073 commented Nov 8, 2022

Apparently the |- was needed, it is the chomping indicator: "Stripping is specified by the “-” chomping indicator. In this case, the final line break and any trailing empty lines are excluded from the scalar’s content."

ShaneHarvey
ShaneHarvey approved these changes Nov 8, 2022
View reviewed changes
Copy link
Member

@ShaneHarvey ShaneHarvey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this case, the final line break and any trailing empty lines are excluded from the scalar’s content

I don't understand how the final newline could change the behavior here but LGTM.

@blink1073 blink1073 merged commit bcb0ac0 into mongodb:master Nov 8, 2022
@blink1073 blink1073 deleted the PYTHON-3396 branch November 8, 2022 18:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ShaneHarvey ShaneHarvey ShaneHarvey approved these changes

@juliusgeo juliusgeo Awaiting requested review from juliusgeo

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@blink1073 @ShaneHarvey