e2e: validate encrypted image mount inside the nodeplugin

Currently the mountType validation of the encrypted volume is done in
the application; we should rather validate this inside the nodeplugin
pod.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
(cherry picked from commit 0bf9db822b)
Prasanna Kumar Kalever 2021-11-15 17:11:24 +05:30 committed by mergify[bot]
parent e18435fc63
commit 2441fe8515
3 changed files with 20 additions and 9 deletions


@ -229,6 +229,7 @@ func execCommandInPod(f *framework.Framework, c, ns string, opt *metav1.ListOpti
return stdOut, stdErr, err return stdOut, stdErr, err
} }
// nolint:unparam // cn is always "csi-rbdplugin", introduced with #2665.
func execCommandInContainer( func execCommandInContainer(
f *framework.Framework, c, ns, cn string, opt *metav1.ListOptions) (string, string, error) { f *framework.Framework, c, ns, cn string, opt *metav1.ListOptions) (string, string, error) {
podOpt, err := getCommandInPodOpts(f, c, ns, cn, opt) podOpt, err := getCommandInPodOpts(f, c, ns, cn, opt)


@ -411,7 +411,7 @@ func validateEncryptedPVCAndAppBinding(pvcPath, appPath string, kms kmsConfig, f
} }
rbdImageSpec := imageSpec(defaultRBDPool, imageData.imageName) rbdImageSpec := imageSpec(defaultRBDPool, imageData.imageName)
err = validateEncryptedImage(f, rbdImageSpec, app) err = validateEncryptedImage(f, rbdImageSpec, imageData.pvName, app.Name)
if err != nil { if err != nil {
return err return err
} }
@ -453,7 +453,7 @@ func isEncryptedPVC(f *framework.Framework, pvc *v1.PersistentVolumeClaim, app *
} }
rbdImageSpec := imageSpec(defaultRBDPool, imageData.imageName) rbdImageSpec := imageSpec(defaultRBDPool, imageData.imageName)
return validateEncryptedImage(f, rbdImageSpec, app) return validateEncryptedImage(f, rbdImageSpec, imageData.pvName, app.Name)
} }
func isThickPVC(f *framework.Framework, pvc *v1.PersistentVolumeClaim, app *v1.Pod) error { func isThickPVC(f *framework.Framework, pvc *v1.PersistentVolumeClaim, app *v1.Pod) error {
@ -493,7 +493,7 @@ func validateThickImageMetadata(f *framework.Framework, pvc *v1.PersistentVolume
// following checks are performed: // following checks are performed:
// - Metadata of the image should be set with the encryption state; // - Metadata of the image should be set with the encryption state;
// - The pvc should be mounted by a pod, so the filesystem type can be fetched. // - The pvc should be mounted by a pod, so the filesystem type can be fetched.
func validateEncryptedImage(f *framework.Framework, rbdImageSpec string, app *v1.Pod) error { func validateEncryptedImage(f *framework.Framework, rbdImageSpec, pvName, appName string) error {
encryptedState, err := getImageMeta(rbdImageSpec, "rbd.csi.ceph.com/encrypted", f) encryptedState, err := getImageMeta(rbdImageSpec, "rbd.csi.ceph.com/encrypted", f)
if err != nil { if err != nil {
return err return err
@ -502,8 +502,19 @@ func validateEncryptedImage(f *framework.Framework, rbdImageSpec string, app *v1
return fmt.Errorf("%v not equal to encrypted", encryptedState) return fmt.Errorf("%v not equal to encrypted", encryptedState)
} }
volumeMountPath := app.Spec.Containers[0].VolumeMounts[0].MountPath pod, err := f.ClientSet.CoreV1().Pods(f.UniqueName).Get(context.TODO(), appName, metav1.GetOptions{})
mountType, err := getMountType(app.Name, app.Namespace, volumeMountPath, f) if err != nil {
return fmt.Errorf("failed to get pod %q in namespace %q: %w", appName, f.UniqueName, err)
}
volumeMountPath := fmt.Sprintf(
"/var/lib/kubelet/pods/%s/volumes/kubernetes.io~csi/%s/mount",
pod.UID,
pvName)
selector, err := getDaemonSetLabelSelector(f, cephCSINamespace, rbdDaemonsetName)
if err != nil {
return fmt.Errorf("failed to get labels: %w", err)
}
mountType, err := getMountType(selector, volumeMountPath, f)
if err != nil { if err != nil {
return err return err
} }
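Review bot: The selector returned by `getDaemonSetLabelSelector` matches the nodeplugin pod on every node, while the path under `/var/lib/kubelet/pods/<uid>/...` exists only on the node that runs the application pod. How `execCommandInContainer` chooses a pod from that list is not visible here; if it takes the first match, a multi-node cluster can run `lsblk` on a node that does not hold the mount and return an empty type, so the encryption check would not be testing the volume it names. Consider pinning the exec to the pod's node, for example by passing `pod.Spec.NodeName` to `getMountType` and setting `FieldSelector: fields.OneTermEqualSelector("spec.nodeName", nodeName).String()` alongside `LabelSelector` (this would keep the `fields` import that the commit removes). The kubelet root `/var/lib/kubelet` is also hard-coded and would merit a short comment saying it assumes the default kubelet directory. The body of `validateEncryptedImage` continues outside the hunk.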


@ -19,7 +19,6 @@ import (
scv1 "k8s.io/api/storage/v1" scv1 "k8s.io/api/storage/v1"
"k8s.io/apimachinery/pkg/api/resource" "k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
utilyaml "k8s.io/apimachinery/pkg/util/yaml" utilyaml "k8s.io/apimachinery/pkg/util/yaml"
"k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes"
@ -211,12 +210,12 @@ func validatePVCAndAppBinding(pvcPath, appPath string, f *framework.Framework) e
return err return err
} }
func getMountType(appName, appNamespace, mountPath string, f *framework.Framework) (string, error) { func getMountType(selector, mountPath string, f *framework.Framework) (string, error) {
opt := metav1.ListOptions{ opt := metav1.ListOptions{
FieldSelector: fields.OneTermEqualSelector("metadata.name", appName).String(), LabelSelector: selector,
} }
cmd := fmt.Sprintf("lsblk -o TYPE,MOUNTPOINT | grep '%s' | awk '{print $1}'", mountPath) cmd := fmt.Sprintf("lsblk -o TYPE,MOUNTPOINT | grep '%s' | awk '{print $1}'", mountPath)
stdOut, stdErr, err := execCommandInPod(f, cmd, appNamespace, &opt) stdOut, stdErr, err := execCommandInContainer(f, cmd, cephCSINamespace, "csi-rbdplugin", &opt)
if err != nil { if err != nil {
return "", err return "", err
} }
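Review bot: `mountPath` is spliced into a single-quoted shell string and then used as a `grep` regular expression, so the `.` in `kubernetes.io~csi` matches any character and a value containing `'` would change the command that now runs inside the `csi-rbdplugin` container. The caller visible in this commit builds the path from a pod UID and a PV name, so this is hardening rather than a live defect, but the helper accepts any string. I would match the path literally with `grep -F -- '%s'` and add a doc comment such as `// getMountType returns the lsblk TYPE of the device mounted at mountPath, as seen from the csi-rbdplugin container of a pod matched by selector.` The function body continues past the end of the hunk.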