PYTHON-5040: Allow cert overrides for all CSFLE KMS servers and add --tls-allow-invalid-certificates

.evergreen/csfle/kms_failpoint_server.py

@@ -41,8 +41,10 @@ def __init__(self, server_address, Handler, use_tls=True):
 
         if use_tls:
             server_dir = os.path.dirname(__file__)
-            cert_file = os.path.join(server_dir, "..", "x509gen", "server.pem")
-            ca_file = os.path.join(server_dir, "..", "x509gen", "ca.pem")
+            default_cert = os.path.join(server_dir, "..", "x509gen", "server.pem")
+            default_ca = os.path.join(server_dir, "..", "x509gen", "ca.pem")
+            cert_file = os.environ.get("CSFLE_TLS_CERT_FILE", default_cert)
+            ca_file = os.environ.get("CSFLE_TLS_CA_FILE", default_ca)
 
             context = ssl.SSLContext(ssl.PROTOCOL_TLS)
             context.load_verify_locations(ca_file)

.evergreen/csfle/setup-secrets.sh

@@ -15,11 +15,15 @@ PARENT_DIR=$(dirname $SCRIPT_DIR)
 export CSFLE_TLS_CA_FILE=${CSFLE_TLS_CA_FILE:-"$PARENT_DIR/x509gen/ca.pem"}
 export CSFLE_TLS_CERT_FILE=${CSFLE_TLS_CERT_FILE:-"$PARENT_DIR/x509gen/server.pem"}
 export CSFLE_TLS_CLIENT_CERT_FILE=${CSFLE_TLS_CLIENT_CERT_FILE:-"$PARENT_DIR/x509gen/client.pem"}
+export CSFLE_TLS_EXPIRED_FILE=${CSFLE_TLS_EXPIRED_FILE:-"$PARENT_DIR/x509gen/expired.pem"}
+export CSFLE_TLS_WRONG_HOST_FILE=${CSFLE_TLS_WRONG_HOST_FILE:-"$PARENT_DIR/x509gen/wrong-host.pem"}
 
 if [[ "${OSTYPE:?}" == cygwin ]]; then
     CSFLE_TLS_CA_FILE=$(cygpath -m $CSFLE_TLS_CA_FILE)
     CSFLE_TLS_CERT_FILE=$(cygpath -m $CSFLE_TLS_CERT_FILE)
     CSFLE_TLS_CLIENT_CERT_FILE=$(cygpath -m $CSFLE_TLS_CLIENT_CERT_FILE)
+    CSFLE_TLS_EXPIRED_FILE=$(cygpath -m $CSFLE_TLS_EXPIRED_FILE)
+    CSFLE_TLS_WRONG_HOST_FILE=$(cygpath -m $CSFLE_TLS_WRONG_HOST_FILE)
 fi
 
 pushd $SCRIPT_DIR

.evergreen/csfle/setup_secrets.py

@@ -144,6 +144,8 @@ def b64url(data: bytes) -> str:
         "CSFLE_TLS_CA_FILE",
         "CSFLE_TLS_CERT_FILE",
         "CSFLE_TLS_CLIENT_CERT_FILE",
+        "CSFLE_TLS_EXPIRED_FILE",
+        "CSFLE_TLS_WRONG_HOST_FILE",
     ]:
         fid.write(f'\nexport {key}="{os.environ[key]}"'.encode())
     fid.write(b"\n")

.evergreen/csfle/start-servers.sh

@@ -49,15 +49,15 @@ echo "Starting KMIP Server...done."
 
 
 echo "Starting HTTP Server 1..."
-$COMMAND kms_http_server.py --ca_file $CSFLE_TLS_CA_FILE --cert_file ../x509gen/expired.pem --port 9000 > http1.log 2>&1 &
+$COMMAND kms_http_server.py --ca_file $CSFLE_TLS_CA_FILE --cert_file $CSFLE_TLS_EXPIRED_FILE --port 9000 > http1.log 2>&1 &
 echo "$!" >> kmip_pids.pid
 sleep 1
 cat http1.log
 echo "Starting HTTP Server 1...done."
 
 
 echo "Starting HTTP Server 2..."
-$COMMAND kms_http_server.py --ca_file $CSFLE_TLS_CA_FILE --cert_file ../x509gen/wrong-host.pem --port 9001 > http2.log 2>&1 &
+$COMMAND kms_http_server.py --ca_file $CSFLE_TLS_CA_FILE --cert_file $CSFLE_TLS_WRONG_HOST_FILE --port 9001 > http2.log 2>&1 &
 echo "$!" >> kmip_pids.pid
 sleep 1
 cat http2.log

.evergreen/orchestration/drivers_orchestration.py

@@ -142,6 +142,11 @@ def get_options():
             "--tls-ca-file",
             help="A .pem file that contains the root certificate chain for the server",
         )
+        other_group.add_argument(
+            "--tls-allow-invalid-certificates",
+            action="store_true",
+            help="Whether to pass --tlsAllowInvalidCertificates to mongod",
+        )
         other_group.add_argument(
             "--arch",
             help="the architecture.  if unspecified, the arch will be inferred.",
@@ -366,6 +371,13 @@ def get_orchestration_data(opts):
             )
         data["requireApiVersion"] = "1"
 
+    if opts.tls_allow_invalid_certificates:
+        if "sslParams" not in data:
+            raise ValueError(
+                "--tls-allow-invalid-certificates requires TLS to be configured, but no sslParams found in orchestration data"
+            )
+        data["sslParams"]["tlsAllowInvalidCertificates"] = True
+
     # If running on Docker, update the orchestration file to be docker-friendly.
     if os.environ.get("DOCKER_RUNNING"):
         handle_docker_config(data)

.evergreen/orchestration/mongodb_runner.py

@@ -296,10 +296,9 @@ def _get_cluster_options(input: dict, opts: Any, static=False) -> Dict[str, Any]
         for key, value in input["sslParams"].items():
             if key == "sslPEMKeyFile":
                 key = "tlsCertificateKeyFile"  # noqa: PLW2901
-            if key == "sslCAFile":
+            elif key == "sslCAFile":
                 key = "tlsCAFile"  # noqa: PLW2901
             _append_arg(args, key, value)
-
     if input.get("login"):
         users.append(
             {