mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2024-09-19 23:19:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
e9082768b6
ceph-csi/e2e/deploy-vault.go

87 lines
2.8 KiB
Go
Raw Normal View History

Adds per volume encryption with Vault integration - adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2020-01-29 11:44:45 +00:00
package e2e
import (
Changes to e2e to accomodate client-go changes and RunKubectlInput With client-go v1.18.0 there is a change where Signatures on methods in generated clientsets, dynamic, metadata, and scale clients have been modified to accept context.Context as a first argument. Signatures of Create, Update, and Patch methods have been updated to accept CreateOptions, UpdateOptions and PatchOptions respectively. Signatures of Delete and DeleteCollection methods now accept DeleteOptions by value instead of by reference The framework.RunkubectlInput now accepts namespace as the first parameter which is also accommodated with this PR. Signed-off-by: Humble Chirammal hchiramm@redhat.com
2020-04-14 06:59:04 +00:00
"context"
Refractor E2E to reduce code duplication Updated E2E to reduce code duplication and create resouces in different namespaces. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-02-26 08:11:05 +00:00
"strings"
Add cephcsi namespace and rook namespace flag Added namespace flag to cephcsi to deploy cephcsi resouces in different namespace. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-02-25 11:45:54 +00:00
Adds per volume encryption with Vault integration - adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2020-01-29 11:44:45 +00:00
. "github.com/onsi/gomega" // nolint
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/kubernetes/test/e2e/framework"
e2elog "k8s.io/kubernetes/test/e2e/framework/log"
)
var (
vaultExamplePath = "../examples/kms/vault/"
vaultServicePath = "vault.yaml"
vaultPSPPath = "vault-psp.yaml"
vaultRBACPath = "csi-vaulttokenreview-rbac.yaml"
vaultConfigPath = "kms-config.yaml"
)
func deployVault(c kubernetes.Interface, deployTimeout int) {
helm: add helm charts E2E This PR adds the support for helm installation, and cephcsi helm charts deployment and teardown and also runs E2E on for helm charts. Add socat to provide port forwadring access for helm Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-04-01 07:20:43 +00:00
// hack to make helm E2E pass as helm charts creates this configmap as part
// of cephcsi deployment
Changes to e2e to accomodate client-go changes and RunKubectlInput With client-go v1.18.0 there is a change where Signatures on methods in generated clientsets, dynamic, metadata, and scale clients have been modified to accept context.Context as a first argument. Signatures of Create, Update, and Patch methods have been updated to accept CreateOptions, UpdateOptions and PatchOptions respectively. Signatures of Delete and DeleteCollection methods now accept DeleteOptions by value instead of by reference The framework.RunkubectlInput now accepts namespace as the first parameter which is also accommodated with this PR. Signed-off-by: Humble Chirammal hchiramm@redhat.com
2020-04-14 06:59:04 +00:00
_, err := framework.RunKubectl(cephCSINamespace, "delete", "cm", "ceph-csi-encryption-kms-config", "--namespace", cephCSINamespace, "--ignore-not-found=true")
helm: add helm charts E2E This PR adds the support for helm installation, and cephcsi helm charts deployment and teardown and also runs E2E on for helm charts. Add socat to provide port forwadring access for helm Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-04-01 07:20:43 +00:00
Expect(err).Should(BeNil())
Refractor E2E to reduce code duplication Updated E2E to reduce code duplication and create resouces in different namespaces. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-02-26 08:11:05 +00:00
createORDeleteVault("create")
Adds per volume encryption with Vault integration - adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2020-01-29 11:44:45 +00:00
opt := metav1.ListOptions{
LabelSelector: "app=vault",
}
Changes to e2e to accomodate client-go changes and RunKubectlInput With client-go v1.18.0 there is a change where Signatures on methods in generated clientsets, dynamic, metadata, and scale clients have been modified to accept context.Context as a first argument. Signatures of Create, Update, and Patch methods have been updated to accept CreateOptions, UpdateOptions and PatchOptions respectively. Signatures of Delete and DeleteCollection methods now accept DeleteOptions by value instead of by reference The framework.RunkubectlInput now accepts namespace as the first parameter which is also accommodated with this PR. Signed-off-by: Humble Chirammal hchiramm@redhat.com
2020-04-14 06:59:04 +00:00
pods, err := c.CoreV1().Pods(cephCSINamespace).List(context.TODO(), opt)
Adds per volume encryption with Vault integration - adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2020-01-29 11:44:45 +00:00
Expect(err).Should(BeNil())
Expect(len(pods.Items)).Should(Equal(1))
name := pods.Items[0].Name
Add cephcsi namespace and rook namespace flag Added namespace flag to cephcsi to deploy cephcsi resouces in different namespace. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-02-25 11:45:54 +00:00
err = waitForPodInRunningState(name, cephCSINamespace, c, deployTimeout)
Adds per volume encryption with Vault integration - adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2020-01-29 11:44:45 +00:00
Expect(err).Should(BeNil())
}
func deleteVault() {
Refractor E2E to reduce code duplication Updated E2E to reduce code duplication and create resouces in different namespaces. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-02-26 08:11:05 +00:00
createORDeleteVault("delete")
}
func createORDeleteVault(action string) {
data, err := replaceNamespaceInTemplate(vaultExamplePath + vaultServicePath)
if err != nil {
e2elog.Logf("failed to read content from %s %v", vaultExamplePath+vaultServicePath, err)
}
data = strings.ReplaceAll(data, "vault.default", "vault."+cephCSINamespace)
data = strings.ReplaceAll(data, "value: default", "value: "+cephCSINamespace)
Changes to e2e to accomodate client-go changes and RunKubectlInput With client-go v1.18.0 there is a change where Signatures on methods in generated clientsets, dynamic, metadata, and scale clients have been modified to accept context.Context as a first argument. Signatures of Create, Update, and Patch methods have been updated to accept CreateOptions, UpdateOptions and PatchOptions respectively. Signatures of Delete and DeleteCollection methods now accept DeleteOptions by value instead of by reference The framework.RunkubectlInput now accepts namespace as the first parameter which is also accommodated with this PR. Signed-off-by: Humble Chirammal hchiramm@redhat.com
2020-04-14 06:59:04 +00:00
_, err = framework.RunKubectlInput(cephCSINamespace, data, action, ns, "-f", "-")
Refractor E2E to reduce code duplication Updated E2E to reduce code duplication and create resouces in different namespaces. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-02-26 08:11:05 +00:00
if err != nil {
e2elog.Logf("failed to %s vault statefulset %v", action, err)
}
data, err = replaceNamespaceInTemplate(vaultExamplePath + vaultRBACPath)
if err != nil {
e2elog.Logf("failed to read content from %s %v", vaultExamplePath+vaultRBACPath, err)
}
Changes to e2e to accomodate client-go changes and RunKubectlInput With client-go v1.18.0 there is a change where Signatures on methods in generated clientsets, dynamic, metadata, and scale clients have been modified to accept context.Context as a first argument. Signatures of Create, Update, and Patch methods have been updated to accept CreateOptions, UpdateOptions and PatchOptions respectively. Signatures of Delete and DeleteCollection methods now accept DeleteOptions by value instead of by reference The framework.RunkubectlInput now accepts namespace as the first parameter which is also accommodated with this PR. Signed-off-by: Humble Chirammal hchiramm@redhat.com
2020-04-14 06:59:04 +00:00
_, err = framework.RunKubectlInput(cephCSINamespace, data, action, ns, "-f", "-")
Adds per volume encryption with Vault integration - adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2020-01-29 11:44:45 +00:00
if err != nil {
Refractor E2E to reduce code duplication Updated E2E to reduce code duplication and create resouces in different namespaces. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-02-26 08:11:05 +00:00
e2elog.Logf("failed to %s vault statefulset %v", action, err)
Adds per volume encryption with Vault integration - adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2020-01-29 11:44:45 +00:00
}
Refractor E2E to reduce code duplication Updated E2E to reduce code duplication and create resouces in different namespaces. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-02-26 08:11:05 +00:00
data, err = replaceNamespaceInTemplate(vaultExamplePath + vaultConfigPath)
if err != nil {
e2elog.Logf("failed to read content from %s %v", vaultExamplePath+vaultConfigPath, err)
}
data = strings.ReplaceAll(data, "default", cephCSINamespace)
Changes to e2e to accomodate client-go changes and RunKubectlInput With client-go v1.18.0 there is a change where Signatures on methods in generated clientsets, dynamic, metadata, and scale clients have been modified to accept context.Context as a first argument. Signatures of Create, Update, and Patch methods have been updated to accept CreateOptions, UpdateOptions and PatchOptions respectively. Signatures of Delete and DeleteCollection methods now accept DeleteOptions by value instead of by reference The framework.RunkubectlInput now accepts namespace as the first parameter which is also accommodated with this PR. Signed-off-by: Humble Chirammal hchiramm@redhat.com
2020-04-14 06:59:04 +00:00
_, err = framework.RunKubectlInput(cephCSINamespace, data, action, ns, "-f", "-")
Adds per volume encryption with Vault integration - adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2020-01-29 11:44:45 +00:00
if err != nil {
doc: make sure configmap object referred or documented correctly Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2020-06-10 06:23:03 +00:00
e2elog.Logf("failed to %s vault configmap %v", action, err)
Adds per volume encryption with Vault integration - adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2020-01-29 11:44:45 +00:00
}
Refractor E2E to reduce code duplication Updated E2E to reduce code duplication and create resouces in different namespaces. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-02-26 08:11:05 +00:00
data, err = replaceNamespaceInTemplate(vaultExamplePath + vaultPSPPath)
Adds per volume encryption with Vault integration - adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2020-01-29 11:44:45 +00:00
if err != nil {
Refractor E2E to reduce code duplication Updated E2E to reduce code duplication and create resouces in different namespaces. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-02-26 08:11:05 +00:00
e2elog.Logf("failed to read content from %s %v", vaultExamplePath+vaultPSPPath, err)
Adds per volume encryption with Vault integration - adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2020-01-29 11:44:45 +00:00
}
Changes to e2e to accomodate client-go changes and RunKubectlInput With client-go v1.18.0 there is a change where Signatures on methods in generated clientsets, dynamic, metadata, and scale clients have been modified to accept context.Context as a first argument. Signatures of Create, Update, and Patch methods have been updated to accept CreateOptions, UpdateOptions and PatchOptions respectively. Signatures of Delete and DeleteCollection methods now accept DeleteOptions by value instead of by reference The framework.RunkubectlInput now accepts namespace as the first parameter which is also accommodated with this PR. Signed-off-by: Humble Chirammal hchiramm@redhat.com
2020-04-14 06:59:04 +00:00
_, err = framework.RunKubectlInput(cephCSINamespace, data, action, ns, "-f", "-")
Adds per volume encryption with Vault integration - adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2020-01-29 11:44:45 +00:00
if err != nil {
Refractor E2E to reduce code duplication Updated E2E to reduce code duplication and create resouces in different namespaces. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-02-26 08:11:05 +00:00
e2elog.Logf("failed to %s vault psp %v", action, err)
Adds per volume encryption with Vault integration - adds proposal document for PVC encryption from PR448 - adds per-volume encription by generating encryption passphrase for each volume and storing it in a KMS - adds HashiCorp Vault integration as a KMS for encryption passphrases - avoids encrypting volume second time if it was already encrypted but no file system created - avoids unnecessary checks if volume is a mapped device when encryption was not requested - prevents resizing encrypted volumes (it is not currently supported) - prevents creating snapshots from encrypted volumes to prevent attack on encryption key (security guard until re-encryption of volumes implemented) Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Fixes #420 Fixes #744
2020-01-29 11:44:45 +00:00
}
}
Reference in New Issue Copy Permalink