DRIVERS-2416 Clean up OIDC Variables (mongodb-labs#435)

adriandole · Oct 7, 2024 · d8dccda · d8dccda
1 parent b9b2727
commit d8dccda
Show file tree

Hide file tree

Showing 7 changed files with 13 additions and 39 deletions.
diff --git a/.evergreen/atlas/atlas-utils.sh b/.evergreen/atlas/atlas-utils.sh
@@ -85,6 +85,10 @@ check_deployment ()
             PROP="['srvAddress']"
         fi
         SRV_ADDRESS=$($PYTHON -c "import json;d=json.loads('${RESP}');print(d${PROP})")
+        # Remove trailing CR
+        if [[ "$(uname -s)" == CYGWIN* ]]; then
+            SRV_ADDRESS=$(echo $SRV_ADDRESS | dos2unix)
+        fi
     fi
     count=$(( $count + 1 ))
   done

diff --git a/.evergreen/auth_oidc/azure/README.md b/.evergreen/auth_oidc/azure/README.md
@@ -12,8 +12,7 @@ They build on top of the scripts used in `csfle/azurekms`.
 See [Secrets Handling](../secrets_handling/README.md) for details on how the script accesses the `drivers/azureoidc` vault.
 These secrets are used to log in to Azure, and the rest of the secrets are fetched from the "OIDC-Key-Vault" in our Drivers Azure Subscription (https://portal.azure.com/#home).
 
-See the Azure machine flows section of the OIDC Configuration [wiki](https://wiki.corp.mongodb.com/display/ENG/OIDC+Configuration#OIDCConfiguration-ServiceAccounts/ManagedIdentities/MachineFlows) for more information
-about the Azure integration.
+See the [How-To: Set up Azure OIDC Infrastructure](https://wiki.corp.mongodb.com/display/DRIVERS/How-To%3A+Set+up+Azure+OIDC+Infrastructure) wiki for background on how the infrastructure is set up.
 
 ## Prerequisites
 
@@ -113,16 +112,3 @@ An example task group would look like:
   tasks:
     - oidc-auth-test-azure-latest
 ```
-
-### Environment Variables
-
-Below is an explananion of the environment variables stored in the Azure key vault.
-
-- AZUREOIDC_AUTHPREFIX - The auth prefix used for DB user and role names.
-- AZUREOIDC_AUTHCLAIM - The object ID of the Azure Group, used in the DB role name.
-- AZUREOIDC_USERNAME - The Object (principal) ID of the Azure Manager Identity, used for the `username`.
-- AZUREOIDC_RESOURCE - The escaped Application ID URI to use in the `TOKEN_RESOURCE` auth mechanism property.
-- AZUREOIDC_CLIENTID - The client ID of the Azure App registration, used to generate the unescaped Application ID URI.
-- AZUREOIDC_TENANTID - The tenant ID of the Azure App registration, used to derive the `issuer` URI.
-- AZUREKMS_IDENTITY - A space separated string with the Resource ID of the managed identity (`/subscriptions/...`).  Used to assign the identity to the VM.
-- AZUREOIDC_RESOURCEGROUP - The name of the Azure Resource Group, used when accessing the VM through the CLI.
diff --git a/.evergreen/auth_oidc/azure/create-and-setup-vm.sh b/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
@@ -29,7 +29,7 @@ source ./secrets-export.sh
 
 export AZUREKMS_TENANTID=$AZUREOIDC_TENANTID
 export AZUREKMS_SECRET=$AZUREOIDC_SECRET
-export AZUREKMS_CLIENTID=$AZUREOIDC_CLIENTID
+export AZUREKMS_CLIENTID=$AZUREOIDC_APPID
 
 # Check for Azure Command-Line Interface (`az`) version 2.25.0 or newer.
 if ! command -v az &> /dev/null; then

diff --git a/.evergreen/auth_oidc/azure/handle_secrets.py b/.evergreen/auth_oidc/azure/handle_secrets.py
@@ -10,8 +10,8 @@ def main():
     vault_name = os.environ["AZUREOIDC_KEYVAULT"]
     private_key_file = os.environ['AZUREKMS_PRIVATEKEYPATH']
     public_key_file = os.environ['AZUREKMS_PUBLICKEYPATH']
+    app_id = os.environ['AZUREOIDC_APPID']
     env_file = os.environ['AZUREOIDC_ENVPATH']
-    client_id = os.environ['AZUREOIDC_CLIENTID']
     tenant_id = os.environ['AZUREOIDC_TENANTID']
     vault_uri = f"https://{vault_name}.vault.azure.net"
     print('Getting secrets from vault ... begin')
@@ -25,8 +25,8 @@ def main():
     client = SecretClient(vault_url=vault_uri, credential=credential)
 
     secrets = dict()
-    for secret in ['RESOURCEGROUP', 'PUBLICKEY', 'PRIVATEKEY', 'TOKENCLIENT', 'AUTHCLAIM', 'AUTHPREFIX', 'IDENTITY',
-                   'TOKENCLIENT2', 'IDENTITY2', 'USERNAME', 'AUDIENCE']:
+    for secret in ['RESOURCEGROUP', 'PUBLICKEY', 'PRIVATEKEY', 'AUTHCLAIM', 'AUTHPREFIX', 'IDENTITY',
+                   'USERNAME', 'AUDIENCE']:
         retrieved = client.get_secret(secret)
         secrets[secret] = retrieved.value
 
@@ -36,10 +36,8 @@ def main():
     with open(env_file, 'w') as fid:
         fid.write(f'export AZUREOIDC_RESOURCEGROUP={secrets["RESOURCEGROUP"]}\n')
         fid.write(f'export AZUREKMS_RESOURCEGROUP={secrets["RESOURCEGROUP"]}\n')
-        fid.write(f'export AZUREOIDC_TOKENCLIENT={secrets["TOKENCLIENT"]}\n')
-        fid.write(f'export AZUREOIDC_TOKENCLIENT2={secrets["TOKENCLIENT2"]}\n')
         fid.write(f'export AZUREOIDC_AUTHCLAIM={secrets["AUTHCLAIM"]}\n')
-        fid.write(f'export AZUREOIDC_CLIENTID={client_id}\n')
+        fid.write(f'export AZUREOIDC_APPID={app_id}\n')
         fid.write(f'export AZUREOIDC_TENANTID={tenant_id}\n')
         fid.write(f'export AZUREOIDC_AUTHPREFIX={secrets["AUTHPREFIX"]}\n')
         fid.write(f'export AZUREKMS_IDENTITY="{secrets["IDENTITY"]}"\n')

diff --git a/.evergreen/auth_oidc/azure/remote-scripts/test.py b/.evergreen/auth_oidc/azure/remote-scripts/test.py
@@ -8,7 +8,7 @@
 # Force MONGODB-OIDC to be enabled.
 _AUTH_MAP["MONGODB-OIDC"] = _authenticate_oidc
 
-app_id = os.environ['AZUREOIDC_CLIENTID']
+app_id = os.environ['AZUREOIDC_APPID']
 client_id = os.environ['AZUREOIDC_USERNAME']
 
 class MyCallback(OIDCCallback):

diff --git a/.evergreen/auth_oidc/gcp/README.md b/.evergreen/auth_oidc/gcp/README.md
@@ -11,7 +11,7 @@ They build on top of the scripts used in `csfle/gcpkms`.
 
 See [Secrets Handling](../secrets_handling/README.md) for details on how the script accesses the `drivers/gcpoidc` vault.
 
-See the "GCP IMDS" section OIDC Configuration [wiki](https://wiki.corp.mongodb.com/display/ENG/OIDC+Configuration#OIDCConfiguration-GCPIMDS) for more information about the GCP integration.
+See the [How-To: Set up GCP OIDC Infrastructure](https://wiki.corp.mongodb.com/display/DRIVERS/How-To%3A+Set+up+GCP+OIDC+Infrastructure) wiki for information on how the infrastructure is set up.
 
 ## Usage
 
@@ -84,17 +84,3 @@ An example task group would look like:
   tasks:
     - oidc-auth-test-gcp
 ```
-
-### Environment Variables
-
-Below is an explanation of the environment variables used in the test:
-
-- GCPOIDC_AUDIENCE - The value used in the `TOKEN_RESOURCE` auth mechanism property.
-- GCPOIDC_SERVICEACCOUNT - The GCP Service Account to use for GCP access.
-- GCPOIDC_KEYFILE_CONTENT - The base64-encoded GCP keyfile content.
-- GCPOIDC_MACHINE - The GCE machine type to use for the VM.
-- GCPOIDC_ATLAS_USER - The username for admin database access.
-- GCPOIDC_ATLAS_PASSWORD - The password for admin database access.
-- OIDC_ATLAS_PUBLIC_API_KEY - The Atlas Publi API key used to create/delete clusters.
-- OIDC_ATLAS_PRIVATE_API_KEY - The Atlas Private API key.
-- OIDC_ATLAS_GROUP_ID - The Atlas Dev Group ID where the clusters are launched.
diff --git a/.evergreen/auth_oidc/oidc_write_orchestration.py b/.evergreen/auth_oidc/oidc_write_orchestration.py
@@ -15,7 +15,7 @@
 def azure():
     client_id = os.environ['AZUREOIDC_USERNAME']
     tenant_id = os.environ['AZUREOIDC_TENANTID']
-    app_id = os.environ['AZUREOIDC_CLIENTID']
+    app_id = os.environ['AZUREOIDC_APPID']
     auth_name_prefix = os.environ['AZUREOIDC_AUTHPREFIX']
 
     print("Bootstrapping OIDC config")