e2e: validate encrypted image mount inside the nodeplugin

currently the mountType validation of the encrypted volume is done in
the application, we should rather validate this inside the nodeplugin
pod.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
(cherry picked from commit 0bf9db822b)

e2e/pod.go

@@ -229,6 +229,7 @@ func execCommandInPod(f *framework.Framework, c, ns string, opt *metav1.ListOpti
 	return stdOut, stdErr, err
 }
 
+// nolint:unparam // cn is always "csi-rbdplugin", introduced with #2665.
 func execCommandInContainer(
 	f *framework.Framework, c, ns, cn string, opt *metav1.ListOptions) (string, string, error) {
 	podOpt, err := getCommandInPodOpts(f, c, ns, cn, opt)

e2e/rbd_helper.go

@@ -411,7 +411,7 @@ func validateEncryptedPVCAndAppBinding(pvcPath, appPath string, kms kmsConfig, f
 	}
 
 	rbdImageSpec := imageSpec(defaultRBDPool, imageData.imageName)
-	err = validateEncryptedImage(f, rbdImageSpec, app)
+	err = validateEncryptedImage(f, rbdImageSpec, imageData.pvName, app.Name)
 	if err != nil {
 		return err
 	}
@@ -453,7 +453,7 @@ func isEncryptedPVC(f *framework.Framework, pvc *v1.PersistentVolumeClaim, app *
 	}
 	rbdImageSpec := imageSpec(defaultRBDPool, imageData.imageName)
 
-	return validateEncryptedImage(f, rbdImageSpec, app)
+	return validateEncryptedImage(f, rbdImageSpec, imageData.pvName, app.Name)
 }
 
 func isThickPVC(f *framework.Framework, pvc *v1.PersistentVolumeClaim, app *v1.Pod) error {
@@ -493,7 +493,7 @@ func validateThickImageMetadata(f *framework.Framework, pvc *v1.PersistentVolume
 // following checks are performed:
 // - Metadata of the image should be set with the encryption state;
 // - The pvc should be mounted by a pod, so the filesystem type can be fetched.
-func validateEncryptedImage(f *framework.Framework, rbdImageSpec string, app *v1.Pod) error {
+func validateEncryptedImage(f *framework.Framework, rbdImageSpec, pvName, appName string) error {
 	encryptedState, err := getImageMeta(rbdImageSpec, "rbd.csi.ceph.com/encrypted", f)
 	if err != nil {
 		return err
@@ -502,8 +502,19 @@ func validateEncryptedImage(f *framework.Framework, rbdImageSpec string, app *v1
 		return fmt.Errorf("%v not equal to encrypted", encryptedState)
 	}
 
-	volumeMountPath := app.Spec.Containers[0].VolumeMounts[0].MountPath
+	pod, err := f.ClientSet.CoreV1().Pods(f.UniqueName).Get(context.TODO(), appName, metav1.GetOptions{})
-	mountType, err := getMountType(app.Name, app.Namespace, volumeMountPath, f)
+	if err != nil {
+		return fmt.Errorf("failed to get pod %q in namespace %q: %w", appName, f.UniqueName, err)
+	}
+	volumeMountPath := fmt.Sprintf(
+		"/var/lib/kubelet/pods/%s/volumes/kubernetes.io~csi/%s/mount",
+		pod.UID,
+		pvName)
+	selector, err := getDaemonSetLabelSelector(f, cephCSINamespace, rbdDaemonsetName)
+	if err != nil {
+		return fmt.Errorf("failed to get labels: %w", err)
+	}
+	mountType, err := getMountType(selector, volumeMountPath, f)
 	if err != nil {
 		return err
 	}

e2e/utils.go

@@ -19,7 +19,6 @@ import (
 	scv1 "k8s.io/api/storage/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/util/wait"
 	utilyaml "k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/client-go/kubernetes"
@@ -211,12 +210,12 @@ func validatePVCAndAppBinding(pvcPath, appPath string, f *framework.Framework) e
 	return err
 }
 
-func getMountType(appName, appNamespace, mountPath string, f *framework.Framework) (string, error) {
+func getMountType(selector, mountPath string, f *framework.Framework) (string, error) {
 	opt := metav1.ListOptions{
-		FieldSelector: fields.OneTermEqualSelector("metadata.name", appName).String(),
+		LabelSelector: selector,
 	}
 	cmd := fmt.Sprintf("lsblk -o TYPE,MOUNTPOINT | grep '%s' | awk '{print $1}'", mountPath)
-	stdOut, stdErr, err := execCommandInPod(f, cmd, appNamespace, &opt)
+	stdOut, stdErr, err := execCommandInContainer(f, cmd, cephCSINamespace, "csi-rbdplugin", &opt)
 	if err != nil {
 		return "", err
 	}