Add OIDC k8s provider #1576
Add OIDC k8s provider #1576
Conversation
.evergreen/.evg.yml
Outdated
| - name: "oidc-auth-test-k8s" | ||
| commands: | ||
| - command: ec2.assume_role | ||
| params: | ||
| role_arn: ${aws_test_secrets_role} | ||
| duration_seconds: 1800 | ||
| - func: "oidc-auth-test-k8s-func" | ||
| vars: | ||
| VARIANT: eks | ||
| # - func: "oidc-auth-test-k8s-func" TODO disabled, memory issue, consider forking and increasing here: https://github.com/mongodb-labs/drivers-evergreen-tools/commit/4bc3e500b6f0e8ab01f052c4a1bfb782d6a29b4e | ||
| # vars: | ||
| # VARIANT: gke |
There was a problem hiding this comment.
Variant is disabled due to failure:
[2024/12/05 13:34:17.109] Compiling build file '/tmp/test/build.gradle' using BuildScriptTransformer.
[2024/12/05 13:34:17.109] Starting process 'command 'git''. Working directory: /tmp/test Command: git describe --tags --always --dirty
[2024/12/05 13:34:22.782] debconf: delaying package configuration, since apt-utils is not installed
[2024/12/05 13:34:22.782] command terminated with exit code 137
See note in TODO comment (must be removed before merging).
Otherwise, eks and aks are both passing.
katcharov
force-pushed
the
JAVA-5405-oidc-k8s
branch
from
87a54fb to
05f6ba2
Compare
| new DropDatabaseOperation(getDefaultDatabaseName(), WriteConcern.ACKNOWLEDGED).execute(getBinding()); | ||
| try { | ||
| new DropDatabaseOperation(getDefaultDatabaseName(), WriteConcern.ACKNOWLEDGED).execute(getBinding()); | ||
| } catch (MongoCommandException e) { | ||
| // if we do not have permission to drop the database, assume it is cleaned up in some other way | ||
| if (!e.getMessage().contains("Command dropDatabase requires authentication")) { | ||
| throw e; | ||
| } | ||
| } | ||
| cluster.close(); |
There was a problem hiding this comment.
As of this PR, we will sometimes lack permission to drop the database.
katcharov
force-pushed
the
JAVA-5405-oidc-k8s
branch
from
05f6ba2 to
1a2c6c5
Compare
JAVA-5405
katcharov
force-pushed
the
JAVA-5405-oidc-k8s
branch
from
1a2c6c5 to
7e40dbd
Compare
| @@ -38,6 +38,7 @@ | |||
| import org.bson.BsonDocument; | |||
| import org.bson.BsonString; | |||
| import org.bson.RawBsonDocument; | |||
| import org.jetbrains.annotations.NotNull; | |||
There was a problem hiding this comment.
| import org.jetbrains.annotations.NotNull; |
| return readTokenFromFile(path); | ||
| } | ||
|
|
||
| @NotNull |
| - name: "oidc-auth-test-k8s" | ||
| commands: | ||
| - command: ec2.assume_role | ||
| params: | ||
| role_arn: ${aws_test_secrets_role} | ||
| duration_seconds: 1800 | ||
| - func: "oidc-auth-test-k8s-func" | ||
| vars: | ||
| VARIANT: eks | ||
| - func: "oidc-auth-test-k8s-func" | ||
| vars: | ||
| VARIANT: aks | ||
| - func: "oidc-auth-test-k8s-func" | ||
| vars: | ||
| VARIANT: gke |
There was a problem hiding this comment.
I suggest we break this into separate tasks and list them in the test-oidc-k8s-task-group task group. This would allow us to:
- Run specific tests for EKS, AKS, or GCE individually if needed (currently, all three run together).
- Reduce test runtime by leveraging Evergreen’s parallel execution of tasks.
.evergreen/run-mongodb-oidc-test.sh
Outdated
| fi | ||
|
|
||
| if [ $VARIANT == "gke" ]; then | ||
| echo "Skipping gke test to avoid error code 137 when running gradle" |
There was a problem hiding this comment.
Based on our previous investigation, I ran diagnostics on the failing GKE pod and found that the provisioned ephemeral storage was insufficient for Gradle to store dependencies. Diagnostics can be found here: Diagnostic logs.
I increased the storage from 2GB to 4GB, and the tests seem to have executed successfully: Successful run. Based on this, I’ve opened a PR with the fix in drivers-evergreen-tools: PR #598. This should resolve the issue with pod execution.
There was a problem hiding this comment.
Great! Let's push the diagnostic changes up as a PR?
There was a problem hiding this comment.
I will block this on the other PR
# Conflicts: # .evergreen/.evg.yml
This reverts commit d7f9c34.
JAVA-5405