From cabfc7b402f83c58fa71afe97277f4567d1d9f59 Mon Sep 17 00:00:00 2001 From: Dmitry Rybakov Date: Tue, 23 Jun 2026 13:37:21 +0200 Subject: [PATCH 1/6] RUBY-3797 Migrate away from set-temp-creds.sh The legacy csfle/set-temp-creds.sh script is deprecated in drivers-evergreen-tools (DRIVERS-3433). The main run-tests.sh path already moved to setup-secrets.sh under RUBY-3886, and setup_secrets.py now produces the same CSFLE_AWS_TEMP_* credentials. The only remaining consumer was run-tests-serverless.sh, which is dead code: serverless testing was removed in RUBY-3652 and no Evergreen task references the script. Delete it, and fix the now-stale spec_config.rb comments that still pointed at set-temp-creds.sh. --- .evergreen/run-tests-serverless.sh | 121 ----------------------------- spec/support/spec_config.rb | 6 +- 2 files changed, 3 insertions(+), 124 deletions(-) delete mode 100755 .evergreen/run-tests-serverless.sh diff --git a/.evergreen/run-tests-serverless.sh b/.evergreen/run-tests-serverless.sh deleted file mode 100755 index 0459623a4b..0000000000 --- a/.evergreen/run-tests-serverless.sh +++ /dev/null 
@@ -1,121 +0,0 @@ -#!/bin/bash - -set -ex - -. `dirname "$0"`/../spec/shared/shlib/distro.sh -. `dirname "$0"`/../spec/shared/shlib/set_env.sh -. `dirname "$0"`/functions.sh - -set_env_vars -set_env_python - - -# Install rbenv and download the requested ruby version -rm -rf ~/.rbenv -git clone https://github.com/rbenv/rbenv.git ~/.rbenv -rm -rf ~/.rbenv/versions/ -curl --retry 3 -fL http://boxes.10gen.com/build/toolchain-drivers/mongo-ruby-toolchain/library/`host_distro`/$RVM_RUBY.tar.xz |tar -xC $HOME/.rbenv/ -Jf - -export PATH="$HOME/.rbenv/bin:$PATH" -eval "$(rbenv init - bash)" -export FULL_RUBY_VERSION=$(ls ~/.rbenv/versions | head -n1) -rbenv global $FULL_RUBY_VERSION - -export JAVA_HOME=/opt/java/jdk21 -export JAVACMD=$JAVA_HOME/bin/java - -source ${DRIVERS_TOOLS}/.evergreen/serverless/secrets-export.sh - -bundle_install - -export MONGODB_URI=`echo ${SERVERLESS_URI} | sed -r 's/mongodb\+srv:\/\//mongodb\+srv:\/\/'"${SERVERLESS_ATLAS_USER}"':'"${SERVERLESS_ATLAS_PASSWORD}@"'/g'` - -export TOPOLOGY="load-balanced" - -if [ -n "${CRYPT_SHARED_LIB_PATH}" ]; then - echo crypt_shared already present at ${CRYPT_SHARED_LIB_PATH} -- using this version - export MONGO_RUBY_DRIVER_CRYPT_SHARED_LIB_PATH=$CRYPT_SHARED_LIB_PATH -else - python3 -u .evergreen/mongodl.py --component crypt_shared -V ${SERVERLESS_MONGODB_VERSION} --out `pwd`/csfle_lib --target `host_distro` || true - if test -f `pwd`/csfle_lib/lib/mongo_crypt_v1.so - then - echo Using crypt shared library version ${SERVERLESS_MONGODB_VERSION} - export MONGO_RUBY_DRIVER_CRYPT_SHARED_LIB_PATH=`pwd`/csfle_lib/lib/mongo_crypt_v1.so - else - echo Failed to download crypt shared library - exit -1 - fi -fi - -if ! 
( test -f /etc/os-release & grep -q ^ID.*ubuntu /etc/os-release & grep -q ^VERSION_ID.*22.04 /etc/os-release ); then - echo Serverless tests assume ubuntu2204 - echo If this has changed, update .evergreen/run-tests-serverless.sh as necessary - exit -1 -fi - -mkdir libmongocrypt -cd libmongocrypt -curl --retry 3 -fLo libmongocrypt-all.tar.gz "https://s3.amazonaws.com/mciuploads/libmongocrypt/all/master/latest/libmongocrypt-all.tar.gz" -tar xf libmongocrypt-all.tar.gz -# We assume that serverless tests always use ubuntu2204 -export LIBMONGOCRYPT_PATH=`pwd`/ubuntu2204-64/nocrypto/lib/libmongocrypt.so -cd - - -cd .evergreen/csfle -. ./activate-kmstlsvenv.sh - -pip install boto3~=1.19 'cryptography<3.4' pykmip~=0.10.0 'sqlalchemy<2.0.0' - -python -u ./kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/server.pem --port 7999 & -python -u ./kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/expired.pem --port 8000 & -python -u ./kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/wrong-host.pem --port 8001 & -python -u ./kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/server.pem --port 8002 --require_client_cert & -python -u ./kms_kmip_server.py & - -echo "Waiting for mock KMS servers to start..." -wait_for_kms_server() { - for i in $(seq 60); do - if curl -s "localhost:$1"; test $? -ne 7; then - return 0 - else - sleep 1 - fi - done - echo "Could not detect mock KMS server on port $1" - return 1 -} -wait_for_kms_server 8000 -wait_for_kms_server 8001 -wait_for_kms_server 8002 -wait_for_kms_server 5698 -echo "Waiting for mock KMS servers to start... done." - -# Obtain temporary AWS credentials -pip3 install boto3 -PYTHON=python3 . 
./set-temp-creds.sh -cd - - -echo "Running specs" - -bundle exec rspec \ - spec/spec_tests/client_side_encryption_spec.rb \ - spec/spec_tests/crud_spec.rb \ - spec/spec_tests/retryable_reads_spec.rb \ - spec/spec_tests/retryable_writes_spec.rb \ - spec/spec_tests/transactions_spec.rb \ - spec/spec_tests/change_streams_unified_spec.rb \ - spec/spec_tests/client_side_encryption_unified_spec.rb \ - spec/spec_tests/command_monitoring_unified_spec.rb \ - spec/spec_tests/crud_unified_spec.rb \ - spec/spec_tests/gridfs_unified_spec.rb \ - spec/spec_tests/retryable_reads_unified_spec.rb \ - spec/spec_tests/retryable_writes_unified_spec.rb \ - spec/spec_tests/sdam_unified_spec.rb \ - spec/spec_tests/sessions_unified_spec.rb \ - spec/spec_tests/transactions_unified_spec.rb - -kill_jruby -# Terminate all kmip servers... and whatever else happens to be running -# that is a python script. -pkill python - -exit ${test_status} diff --git a/spec/support/spec_config.rb b/spec/support/spec_config.rb index 0566f73edb..d79efefa9c 100644 --- a/spec/support/spec_config.rb +++ b/spec/support/spec_config.rb @@ -411,17 +411,17 @@ def fle_aws_arn ENV['MONGO_RUBY_DRIVER_AWS_ARN'] end - # AWS temporary access key id (set by set-temp-creds.sh) + # AWS temporary access key id (set by setup-secrets.sh) def fle_aws_temp_key ENV['CSFLE_AWS_TEMP_ACCESS_KEY_ID'] end - # AWS temporary secret access key (set by set-temp-creds.sh) + # AWS temporary secret access key (set by setup-secrets.sh) def fle_aws_temp_secret ENV['CSFLE_AWS_TEMP_SECRET_ACCESS_KEY'] end - # AWS temporary session token (set by set-temp-creds.sh) + # AWS temporary session token (set by setup-secrets.sh) def fle_aws_temp_session_token ENV['CSFLE_AWS_TEMP_SESSION_TOKEN'] end From ed39d9c755dd3f18b9bae30b07c29293493c2fd1 Mon Sep 17 00:00:00 2001 From: Dmitry Rybakov Date: Tue, 23 Jun 2026 17:30:19 +0200 Subject: [PATCH 2/6] Bumpd det --- .mod/drivers-evergreen-tools | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.mod/drivers-evergreen-tools b/.mod/drivers-evergreen-tools index 4b02eb0136..9c21ebe36b 160000 --- a/.mod/drivers-evergreen-tools +++ b/.mod/drivers-evergreen-tools @@ -1 +1 @@ -Subproject commit 4b02eb0136a767b3c6bbdff32b3584c0ec6f5b6f +Subproject commit 9c21ebe36bf099988360cb83288e4820aa3bf27c From 9c512410958b2df6f0f2a65698456ff512f9b206 Mon Sep 17 00:00:00 2001 From: Dmitry Rybakov Date: Wed, 24 Jun 2026 14:38:06 +0200 Subject: [PATCH 3/6] RUBY-3797 Remove MongoDB 4.2 Evergreen variants MongoDB 4.2 is on the EOL track (RUBY-3811 deprecated it, RUBY-3819 covers the min-version bump to 4.4). Its CI variants are also currently broken at server bootstrap: drivers-evergreen-tools starts MongoDB >= 4.2 with mongodb-runner, which pins mongodb-runner but not its transitive bson dependency, so the recent bson 7.3.0 release crashes startup. Drop the 4.2 build variants: remove the 4.2 axis value and remove 4.2 from the mongo-4.x and "stress older" matrices. Regenerated config.yml via `rake eg:build`; `rake eg:validate` passes. 4.4 coverage is kept. --- .evergreen/config.yml | 9 ++------- .evergreen/config/axes.yml.erb | 5 ----- .evergreen/config/standard.yml.erb | 4 ++-- 3 files changed, 4 insertions(+), 14 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 23c1fe14a2..2ee92c018c 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -711,11 +711,6 @@ axes: variables: MONGODB_VERSION: "4.4" CRYPT_SHARED_VERSION: "6.0.5" - - id: "4.2" - display_name: "4.2" - variables: - MONGODB_VERSION: "4.2" - CRYPT_SHARED_VERSION: "6.0.5" - id: "topology" display_name: Topology @@ -1131,7 +1126,7 @@ buildvariants: - matrix_name: "mongo-4.x" matrix_spec: ruby: ["ruby-3.0", "ruby-2.7"] - mongodb-version: ['4.4', '4.2'] + mongodb-version: ['4.4'] topology: ["standalone", "replica-set", "sharded-cluster"] os: ubuntu1804 display_name: "${mongodb-version} ${topology} ${auth-and-ssl} ${ruby}" 
@@ -1258,7 +1253,7 @@ buildvariants: matrix_spec: stress: on ruby: "ruby-2.7" - mongodb-version: ['4.4', '4.2'] + mongodb-version: ['4.4'] topology: replica-set os: ubuntu1804 display_name: "${mongodb-version} ${topology} stress ${ruby}" diff --git a/.evergreen/config/axes.yml.erb b/.evergreen/config/axes.yml.erb index b7bad1c93a..9b305d1570 100644 --- a/.evergreen/config/axes.yml.erb +++ b/.evergreen/config/axes.yml.erb @@ -32,11 +32,6 @@ axes: variables: MONGODB_VERSION: "4.4" CRYPT_SHARED_VERSION: "6.0.5" - - id: "4.2" - display_name: "4.2" - variables: - MONGODB_VERSION: "4.2" - CRYPT_SHARED_VERSION: "6.0.5" - id: "topology" display_name: Topology diff --git a/.evergreen/config/standard.yml.erb b/.evergreen/config/standard.yml.erb index ec7250d472..0dea064ddd 100644 --- a/.evergreen/config/standard.yml.erb +++ b/.evergreen/config/standard.yml.erb @@ -105,7 +105,7 @@ buildvariants: - matrix_name: "mongo-4.x" matrix_spec: ruby: <%= older_rubies %> - mongodb-version: ['4.4', '4.2'] + mongodb-version: ['4.4'] topology: <%= topologies %> os: ubuntu1804 display_name: "${mongodb-version} ${topology} ${auth-and-ssl} ${ruby}" @@ -232,7 +232,7 @@ buildvariants: matrix_spec: stress: on ruby: <%= supported_mri_ruby_2 %> - mongodb-version: ['4.4', '4.2'] + mongodb-version: ['4.4'] topology: replica-set os: ubuntu1804 display_name: "${mongodb-version} ${topology} stress ${ruby}" From 08e78a6cb150fe8bcbbe299e5bbd67fb03feb32e Mon Sep 17 00:00:00 2001 From: Dmitry Rybakov Date: Wed, 24 Jun 2026 15:44:14 +0200 Subject: [PATCH 4/6] Run latest-server variant on master, not on PRs Change activate: false to patchable: false so the latest-server build variant runs automatically on mainline commits but is skipped on patches. This keeps PRs unblocked while still catching breakage from unreleased MongoDB builds on master. --- .evergreen/config.yml | 6 +++--- .evergreen/config/standard.yml.erb | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 2ee92c018c..b4cbb24532 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -1453,10 +1453,10 @@ buildvariants: # tasks: # - name: "test-fle" - # Runs specs against the latest server. This is not automatically run on PR's - # because we don't want to block PR's when the latest DB breaks something. + # Runs specs against the latest server. Not run on PRs to avoid blocking + # merges when an unreleased MongoDB build breaks something. - name: 'latest-server' - activate: false + patchable: false display_name: 'Latest MongoDB Server' run_on: ubuntu2204-small expansions: diff --git a/.evergreen/config/standard.yml.erb b/.evergreen/config/standard.yml.erb index 0dea064ddd..9af8ac2cf8 100644 --- a/.evergreen/config/standard.yml.erb +++ b/.evergreen/config/standard.yml.erb @@ -372,10 +372,10 @@ buildvariants: # tasks: # - name: "test-fle" - # Runs specs against the latest server. This is not automatically run on PR's - # because we don't want to block PR's when the latest DB breaks something. + # Runs specs against the latest server. Not run on PRs to avoid blocking + # merges when an unreleased MongoDB build breaks something. - name: 'latest-server' - activate: false + patchable: false display_name: 'Latest MongoDB Server' run_on: ubuntu2204-small expansions: From 460c6d5930559908a9e138d2b61a0277a99eab05 Mon Sep 17 00:00:00 2001 
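Review bot: The updated comment on `latest-server` in `.evergreen/config/standard.yml.erb` (and its generated copy in `.evergreen/config.yml`) says only "Not run on PRs", which understates what `patchable: false` does. As far as I understand Evergreen, `activate: false` still allowed the variant to be scheduled by hand in a patch, while `patchable: false` excludes it from patch builds entirely. If so, a fix for a latest-server failure can no longer be verified before merge, which is worth confirming and stating. I would extend the comment with something like `# patchable: false also prevents manual scheduling in patches; verify latest-server fixes on master.`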
From: Dmitry Rybakov Date: Wed, 24 Jun 2026 16:56:27 +0200 Subject: [PATCH 5/6] RUBY-3472 Fix TLS URI options for non-connectivity OCSP variants The RUBY-3472 migration removed the mlaunch-based calculate_server_args() call, which had added tls=true, tlsCAFile, and tlsCertificateKeyFile to the URI when OCSP_ALGORITHM was set. The new drivers-tools orchestration writes a plain mongodb://127.0.0.1:27017 URI, but the server is started with sslOnNormalPorts:true via the OCSP orchestration file. The driver could not connect because the URI lacked TLS options. Add TLS URI options for OCSP variants that are not ocsp-connectivity (which already had them). This restores the pre-migration behavior for ocsp-must-staple and ocsp-unknown variants. --- .evergreen/run-tests.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.evergreen/run-tests.sh b/.evergreen/run-tests.sh index a020e984fc..1444cae4e9 100755 --- a/.evergreen/run-tests.sh +++ b/.evergreen/run-tests.sh @@ -279,6 +279,10 @@ fi if test -n "$OCSP_CONNECTIVITY"; then add_uri_option tls=true add_uri_option "tlsCAFile=$DRIVERS_TOOLS/.evergreen/ocsp/$OCSP_ALGORITHM/ca.pem" +elif test -n "${OCSP_ALGORITHM:-}"; then + add_uri_option tls=true + add_uri_option "tlsCAFile=$_ocsp_ca" + add_uri_option "tlsCertificateKeyFile=spec/support/ocsp/$OCSP_ALGORITHM/server.pem" fi if test -n "$EXTRA_URI_OPTIONS"; then From 56ce80bdc4814884b5d29410bae11ffc552f22d9 Mon Sep 17 00:00:00 2001 From: Dmitry Rybakov Date: Wed, 24 Jun 2026 21:06:15 +0200 Subject: [PATCH 6/6] RUBY-3824 Fix session_spec lint failure in pin_to_server test The #unpin double-call test was using pin_to_server(server) with a replica set primary, triggering the lint guard that requires a mongos. Use instance_variable_set to bypass the guard since we are testing unpin, not pin_to_server. --- spec/mongo/session_spec.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
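Review bot: `$_ocsp_ca` in the new `elif` branch of `.evergreen/run-tests.sh` is not assigned anywhere in this hunk, so if it is unset or empty for an ocsp-must-staple or ocsp-unknown variant the URI gets `tlsCAFile=` with no path. In that case the run is no longer pinned to the OCSP test CA. The branch already writes `${OCSP_ALGORITHM:-}`, which suggests unset variables matter here; I would fail early with `: "${_ocsp_ca:?_ocsp_ca must be set for OCSP variants}"` before the `add_uri_option` calls. The `tlsCertificateKeyFile` path is relative (`spec/support/ocsp/...`) while the connectivity branch uses `$DRIVERS_TOOLS/...`, so a short comment should say the script runs from the repository root and that presenting the server key pair as the client certificate is intentional. The rest of the script is outside the hunk, so `_ocsp_ca` may well be assigned earlier.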
diff --git a/spec/mongo/session_spec.rb b/spec/mongo/session_spec.rb index b6bfdab699..1b9ee54c3f 100644 --- a/spec/mongo/session_spec.rb +++ b/spec/mongo/session_spec.rb @@ -399,7 +399,9 @@ it 'does not raise on the second call' do server = authorized_client.cluster.next_primary server.with_connection do |connection| - session.pin_to_server(server) + # Set @pinned_server directly to avoid the lint check in pin_to_server, + # which requires a mongos. We are testing unpin, not pin_to_server. + session.instance_variable_set(:@pinned_server, server) session.unpin(connection) expect do
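Review bot: Writing `@pinned_server` through `instance_variable_set` ties this example to a private instance variable name. If Session ever renames it, the example would still pass, because unpinning a session that was never pinned presumably does not raise either. I would assert the precondition right after the assignment, e.g. `expect(session.pinned_server).to eq(server)` (assuming that reader is public), so the test fails loudly when the setup stops pinning. The `it` block continues past the end of the hunk.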