RUBY-3889 Remove legacy .env.private pattern and Kerberos CI#3052
Merged
Conversation
Remove the "delete private environment" post-task function and all .env.private fallback paths from shell scripts, completing the migration to AWS Secrets Manager that started with RUBY-3672, RUBY-3886, and RUBY-3888. Also remove the Kerberos CI build variant and all associated scripts (run-tests-kerberos-unit.sh, run-tests-kerberos-integration.sh, functions-kerberos.sh) since those tests have not been run and the secrets were never migrated (RUBY-3887 skipped).
Contributor
There was a problem hiding this comment.
Pull request overview
Completes the AWS Secrets Manager migration by removing the legacy .env.private fallback pattern from CI scripts and eliminates the Kerberos CI infrastructure (task, buildvariant, functions, and helper scripts) that was never migrated.
Changes:
- Remove
.env.privatefallback branches fromfunctions-aws.sh,run-tests-aws-auth.sh, andrun-tests-docker.sh; AWS auth scripts now unconditionally source${DRIVERS_TOOLS}/.evergreen/auth_aws/secrets-export.sh. - Remove Kerberos Evergreen wiring:
export Kerberos credentials/run Kerberos unit testsfunctions,delete private environmentpost-task,test-kerberostask, andkerberos-unitbuildvariant fromcommon.yml.erb/config.yml/standard.yml.erb. - Delete
run-tests-kerberos-unit.sh,run-tests-kerberos-integration.sh,functions-kerberos.sh, and the Kerberos local-testing example from.evergreen/README.md.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .evergreen/run-tests-kerberos-unit.sh | Deleted dead Kerberos unit test runner script. |
| .evergreen/run-tests-kerberos-integration.sh | Deleted dead Kerberos integration test runner script. |
| .evergreen/run-tests-docker.sh | Drops .env.private auto-mount and dotenv install branch. |
| .evergreen/run-tests-aws-auth.sh | Hard-requires DRIVERS_TOOLS AWS secrets export instead of fallback. |
| .evergreen/README.md | Removes Kerberos integration docker example tied to deleted script. |
| .evergreen/functions-kerberos.sh | Deleted Kerberos configuration helper functions. |
| .evergreen/functions-aws.sh | Hard-requires DRIVERS_TOOLS AWS secrets export inside clear_instance_profile. |
| .evergreen/config/standard.yml.erb | Removes kerberos-unit buildvariant. |
| .evergreen/config/common.yml.erb | Removes Kerberos credentials/test functions, post-task private env cleanup, and test-kerberos task. |
| .evergreen/config.yml | Regenerated to mirror erb changes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jamis
approved these changes
May 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
Completes the AWS Secrets Manager migration (RUBY-3311) by removing the old
.env.privatepattern and the Kerberos CI build that was never migrated.Changes
"delete private environment"post-task function fromcommon.yml.erb(and regeneratedconfig.yml). All secrets now come from AWS Secrets Manager; there is nothing left to clean up after a task..env.privatefallback branches fromfunctions-aws.sh,run-tests-aws-auth.sh, andrun-tests-docker.sh. These branches were kept during the migration window to preserve backward compatibility with the old Evergreen project variables; that window is now closed."export Kerberos credentials"function,"run Kerberos unit tests"function,"test-kerberos"task, andkerberos-unitbuild matrix. The Kerberos tests have not been run in CI, and RUBY-3887 (migrate Kerberos secrets) is being skipped.run-tests-kerberos-unit.sh,run-tests-kerberos-integration.sh,functions-kerberos.sh.README.mdto remove the Kerberos local-testing example.Related tickets