mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-17 20:00:23 +00:00
e2e: validate encrypted image mount inside the nodeplugin
currently the mountType validation of the encrypted volume is done in the application, we should rather validate this inside the nodeplugin pod. Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
This commit is contained in:
parent
e6fa392df1
commit
0bf9db822b
@ -447,7 +447,7 @@ func validateEncryptedPVCAndAppBinding(pvcPath, appPath string, kms kmsConfig, f
|
||||
}
|
||||
|
||||
rbdImageSpec := imageSpec(defaultRBDPool, imageData.imageName)
|
||||
err = validateEncryptedImage(f, rbdImageSpec, app)
|
||||
err = validateEncryptedImage(f, rbdImageSpec, imageData.pvName, app.Name)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -498,7 +498,7 @@ func isEncryptedPVC(f *framework.Framework, pvc *v1.PersistentVolumeClaim, app *
|
||||
}
|
||||
rbdImageSpec := imageSpec(defaultRBDPool, imageData.imageName)
|
||||
|
||||
return validateEncryptedImage(f, rbdImageSpec, app)
|
||||
return validateEncryptedImage(f, rbdImageSpec, imageData.pvName, app.Name)
|
||||
}
|
||||
|
||||
func isThickPVC(f *framework.Framework, pvc *v1.PersistentVolumeClaim, app *v1.Pod) error {
|
||||
@ -538,7 +538,7 @@ func validateThickImageMetadata(f *framework.Framework, pvc *v1.PersistentVolume
|
||||
// following checks are performed:
|
||||
// - Metadata of the image should be set with the encryption state;
|
||||
// - The pvc should be mounted by a pod, so the filesystem type can be fetched.
|
||||
func validateEncryptedImage(f *framework.Framework, rbdImageSpec string, app *v1.Pod) error {
|
||||
func validateEncryptedImage(f *framework.Framework, rbdImageSpec, pvName, appName string) error {
|
||||
encryptedState, err := getImageMeta(rbdImageSpec, "rbd.csi.ceph.com/encrypted", f)
|
||||
if err != nil {
|
||||
return err
|
||||
@ -547,8 +547,19 @@ func validateEncryptedImage(f *framework.Framework, rbdImageSpec string, app *v1
|
||||
return fmt.Errorf("%v not equal to encrypted", encryptedState)
|
||||
}
|
||||
|
||||
volumeMountPath := app.Spec.Containers[0].VolumeMounts[0].MountPath
|
||||
mountType, err := getMountType(app.Name, app.Namespace, volumeMountPath, f)
|
||||
pod, err := f.ClientSet.CoreV1().Pods(f.UniqueName).Get(context.TODO(), appName, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get pod %q in namespace %q: %w", appName, f.UniqueName, err)
|
||||
}
|
||||
volumeMountPath := fmt.Sprintf(
|
||||
"/var/lib/kubelet/pods/%s/volumes/kubernetes.io~csi/%s/mount",
|
||||
pod.UID,
|
||||
pvName)
|
||||
selector, err := getDaemonSetLabelSelector(f, cephCSINamespace, rbdDaemonsetName)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get labels: %w", err)
|
||||
}
|
||||
mountType, err := getMountType(selector, volumeMountPath, f)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -20,7 +20,6 @@ import (
|
||||
scv1 "k8s.io/api/storage/v1"
|
||||
"k8s.io/apimachinery/pkg/api/resource"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/fields"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
utilyaml "k8s.io/apimachinery/pkg/util/yaml"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
@ -230,12 +229,12 @@ func validatePVCAndAppBinding(pvcPath, appPath string, f *framework.Framework) e
|
||||
return err
|
||||
}
|
||||
|
||||
func getMountType(appName, appNamespace, mountPath string, f *framework.Framework) (string, error) {
|
||||
func getMountType(selector, mountPath string, f *framework.Framework) (string, error) {
|
||||
opt := metav1.ListOptions{
|
||||
FieldSelector: fields.OneTermEqualSelector("metadata.name", appName).String(),
|
||||
LabelSelector: selector,
|
||||
}
|
||||
cmd := fmt.Sprintf("lsblk -o TYPE,MOUNTPOINT | grep '%s' | awk '{print $1}'", mountPath)
|
||||
stdOut, stdErr, err := execCommandInPod(f, cmd, appNamespace, &opt)
|
||||
stdOut, stdErr, err := execCommandInContainer(f, cmd, cephCSINamespace, "csi-rbdplugin", &opt)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user