authorCheahuychou Mao <mao.cheahuychou@gmail.com>2020-12-16 17:09:45 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-01-05 05:58:56 +0000
commit1dfe8355a2b034ded045191f4e3d4be827365621 (patch)
treedc6342e153caa69d5c59c71a6d8f1fdbfae37267 /jstests/ssl/x509
parent2640ec0b0d800bf0a1e761fdb9c249b5d1ffa86a (diff)
SERVER-52706 Make tenant migration donor use a separate NetworkInterface and x509 certificate to connect to recipient
Diffstat (limited to 'jstests/ssl/x509')
-rw-r--r--jstests/ssl/x509/certs.yml90
1 files changed, 90 insertions, 0 deletions
diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml
index 6b071dc883f..eaf9f690a10 100644
--- a/jstests/ssl/x509/certs.yml
+++ b/jstests/ssl/x509/certs.yml
@@ -299,6 +299,96 @@ certs:
subjectAltName:
DNS: ['localhost', '127.0.0.1', '::1']
+# For tenant migration testing.
+- name: 'rs0.pem'
+ description: General purpose server certificate file.
+ Subject:
+ OU: 'rs0'
+ extensions:
+ basicConstraints: {CA: false}
+ subjectKeyIdentifier: hash
+ keyUsage: [digitalSignature, keyEncipherment]
+ extendedKeyUsage: [serverAuth]
+ authorityKeyIdentifier: issuer
+
+- name: 'rs0_tenant_migration.pem'
+ description: Client certificate file for tenant migration donor or recipient.
+ Subject:
+ OU: 'rs0_tenant_migration'
+ extensions:
+ basicConstraints: {CA: false}
+ subjectKeyIdentifier: hash
+ keyUsage: [digitalSignature, keyEncipherment]
+ extendedKeyUsage: [clientAuth]
+ mongoRoles:
+ - {role: backup, db: admin}
+ - {role: advanceClusterTimeRole, db: admin}
+
+- name: 'rs0_tenant_migration_expired.pem'
+ description:
+ Client certificate file for tenant migration donor or recipient which has passed its expiration
+ date.
+ not_before: -10000000
+ not_after: -1000000
+ Subject:
+ OU: 'rs0_tenant_migration'
+ extensions:
+ basicConstraints: {CA: false}
+ subjectKeyIdentifier: hash
+ keyUsage: [digitalSignature, keyEncipherment]
+ extendedKeyUsage: [clientAuth]
+ mongoRoles:
+ - {role: backup, db: admin}
+ - {role: advanceClusterTimeRole, db: admin}
+
+- name: 'rs1.pem'
+ description: General purpose server certificate file.
+ Subject:
+ OU: 'rs1'
+ extensions:
+ basicConstraints: {CA: false}
+ subjectKeyIdentifier: hash
+ keyUsage: [digitalSignature, keyEncipherment]
+ extendedKeyUsage: [serverAuth]
+ authorityKeyIdentifier: issuer
+
+- name: 'rs1_tenant_migration.pem'
+ description: Client certificate file for tenant migration donor or recipient.
+ Subject:
+ OU: 'rs1_tenant_migration'
+ extensions:
+ basicConstraints: {CA: false}
+ subjectKeyIdentifier: hash
+ keyUsage: [digitalSignature, keyEncipherment]
+ extendedKeyUsage: [clientAuth]
+ mongoRoles:
+ - {role: backup, db: admin}
+ - {role: advanceClusterTimeRole, db: admin}
+
+- name: 'rs2.pem'
+ description: General purpose server certificate file.
+ Subject:
+ OU: 'rs2'
+ extensions:
+ basicConstraints: {CA: false}
+ subjectKeyIdentifier: hash
+ keyUsage: [digitalSignature, keyEncipherment]
+ extendedKeyUsage: [serverAuth]
+ authorityKeyIdentifier: issuer
+
+- name: 'rs2_tenant_migration.pem'
+ description: Client certificate file for tenant migration donor or recipient.
+ Subject:
+ OU: 'rs2_tenant_migration'
+ extensions:
+ basicConstraints: {CA: false}
+ subjectKeyIdentifier: hash
+ keyUsage: [digitalSignature, keyEncipherment]
+ extendedKeyUsage: [clientAuth]
+ mongoRoles:
+ - {role: backup, db: admin}
+ - {role: advanceClusterTimeRole, db: admin}
+
###
# Certificates not based on the primary root ca.pem
###
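Review bot: The new server entries `rs0.pem`, `rs1.pem` and `rs2.pem` define no `subjectAltName`, unlike the entry that ends just above the hunk, so TLS hostname verification against them presumably passes only if a default elsewhere in the file supplies a matching name or the tests turn hostname checking off; adding `subjectAltName:` with `DNS: ['localhost', '127.0.0.1', '::1']` to each would keep the tenant-migration tests exercising hostname validation. The three `*_tenant_migration.pem` client entries grant `backup` and `advanceClusterTimeRole` on `admin` through `mongoRoles`, so holding the private key alone confers those roles; a comment such as `# Test-only client cert; roles limited to what the donor/recipient connection needs` (if that is the intent) would record why these two roles were chosen. `rs0_tenant_migration_expired.pem` reuses `OU: 'rs0_tenant_migration'`, which looks deliberate (same identity, differing only in validity window) and deserves a one-line comment saying so, so that a later edit does not make the expiry test fail for a different reason than expiry. The `certs:` list begins and continues outside this hunk, so global defaults not visible here may already cover part of this.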