-
Notifications
You must be signed in to change notification settings - Fork 896
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GODRIVER-3168 Retry KMS requests on transient errors. #1887
base: master
Are you sure you want to change the base?
Conversation
API Change Report./v2/mongoincompatible changes(*ReplaceOneModel).SetSort: removed ./v2/mongo/optionsincompatible changes(*AutoEncryptionOptions).SetBypassAutoEncryption: removed compatible changesAutoEncryptionOptionsBuilder: added ./v2/x/mongo/driverincompatible changes##WriteCommandError.Retryable: changed from func(./v2/x/mongo/driver/description.ServerKind, ./v2/x/mongo/driver/description.VersionRange) bool to func(./v2/x/mongo/driver/description.VersionRange) bool ./v2/x/mongo/driver/authincompatible changesHandshakeOptions.OuterLibraryName: removed ./v2/x/mongo/driver/mongocryptcompatible changes(*KmsContext).RequestError: added ./v2/x/mongo/driver/operationincompatible changes(*Distinct).Hint: removed ./v2/x/mongo/driver/topologyincompatible changes##ConvertToDriverAPIOptions: changed from func(*./v2/mongo/options.ServerAPIOptions) *./v2/x/mongo/driver.ServerAPIOptions to func(./v2/mongo/options.Lister[./v2/mongo/options.ServerAPIOptions]) ./v2/x/mongo/driver.ServerAPIOptions compatible changesNewConfigFromOptions: added |
b11c2a5
to
93ebd31
Compare
4d94342
to
fd682b7
Compare
6ecb7c2
to
ddc0900
Compare
77cf4a1
to
d4a0765
Compare
074d596
to
50549f6
Compare
58a6a49
to
db03cdf
Compare
db03cdf
to
701bd46
Compare
x/mongo/driver/crypt.go
Outdated
@@ -399,7 +397,10 @@ func (c *crypt) decryptKey(kmsCtx *mongocrypt.KmsContext) error { | |||
|
|||
res := make([]byte, bytesNeeded) | |||
bytesRead, err := conn.Read(res) | |||
if err != nil && !errors.Is(err, io.EOF) { | |||
if err != nil { | |||
if kmsCtx.Fail() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See MONGOCRYPT-752. When mongocrypt_kms_ctx_fail
returns false, consider wrapping the error message from mongocrypt_ctx_kms_status
. The error from mongocrypt_ctx_kms_status
may help identify a retry occurred (e.g. "KMS request failed after 3 retries due to a network error: last attempt failed with: ")
4c20d77
to
614aba5
Compare
if tlsCAFile := os.Getenv("KMS_FAILPOINT_CA_FILE"); tlsCAFile == "" { | ||
require.Fail(mt, "failed to load CA file") | ||
} else { | ||
var err error | ||
clientAndCATlsMap := map[string]interface{}{ | ||
"tlsCAFile": tlsCAFile, | ||
} | ||
tlsCfg, err = options.BuildTLSConfig(clientAndCATlsMap) | ||
require.Nil(mt, err, "BuildTLSConfig error: %v", err) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since require.*
stops test execution when a test fails, an if/else here isn't required.
if tlsCAFile := os.Getenv("KMS_FAILPOINT_CA_FILE"); tlsCAFile == "" { | |
require.Fail(mt, "failed to load CA file") | |
} else { | |
var err error | |
clientAndCATlsMap := map[string]interface{}{ | |
"tlsCAFile": tlsCAFile, | |
} | |
tlsCfg, err = options.BuildTLSConfig(clientAndCATlsMap) | |
require.Nil(mt, err, "BuildTLSConfig error: %v", err) | |
} | |
tlsCAFile := os.Getenv("KMS_FAILPOINT_CA_FILE") | |
require.NotEmpty(mt, tlsCAFile, "failed to load CA file") | |
tlsCfg, err = options.BuildTLSConfig(map[string]interface{}{"tlsCAFile": tlsCAFile}) | |
require.Nil(mt, err, "BuildTLSConfig error: %v", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with minor edit
Co-authored-by: Preston Vasquez <[email protected]>
.evergreen/config.yml
Outdated
- command: subprocess.exec | ||
params: | ||
binary: python3 | ||
background: true | ||
args: ["-u", "${DRIVERS_TOOLS}/.evergreen/csfle/kms_failpoint_server.py", "--port", "9003"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This step is already done by start-servers.sh.
.evergreen/config.yml
Outdated
@@ -553,6 +553,39 @@ functions: | |||
KMS_MOCK_SERVERS_RUNNING: "true" | |||
args: [*task-runner, evg-test-kmip] | |||
|
|||
start-kms-failpoint-server: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This function seems like mostly a duplicate of start-cse-servers
. Can we use that existing function instead of this one?
@@ -2979,6 +2981,147 @@ func TestClientSideEncryptionProse(t *testing.T) { | |||
assert.Greater(t, len(payload.Data), len(payloadDefaults.Data), "the returned payload size is expected to be greater than %d", len(payloadDefaults.Data)) | |||
}) | |||
}) | |||
|
|||
mt.RunOpts("24. kms retry tests", noClientOpts, func(mt *mtest.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Optional: Consider separating this into its own test function.
.evergreen/config.yml
Outdated
- matrix_name: "retry-kms-requests-test" | ||
matrix_spec: { version: ["7.0"], os-ssl-40: ["rhel87-64"] } | ||
display_name: "Retry KMS Requests ${os-ssl-40}" | ||
tasks: | ||
- name: ".retry-kms-requests" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of making a new matrix, can we roll this up into a general "KMS Test" that contains all ".kms-tls" and ".retry-kms-requests" tests?
3908e83
to
f5ccc05
Compare
GODRIVER-3168
Summary
Retry KMS requests on transient errors.
Background & Motivation
Changes described here: https://github.com/mongodb/libmongocrypt/blob/master/integrating.md#state-mongocrypt_ctx_need_kms
New tests: https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/tests/README.md#24-kms-retry-tests