mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-18 11:00:25 +00:00
e2e: verify (non)existence of keys for VaultTokensKMS
Key existence and removal are currently checked only for the VaultKMS provider. The same checks should also be done for the VaultTokensKMS provider. Signed-off-by: Niels de Vos <ndevos@redhat.com>
parent
96fcc58095
commit
296f751d08
@ -225,6 +225,10 @@ func validateImageOwner(pvcPath string, f *framework.Framework) error {
|
|||||||
return deletePVCAndValidatePV(f.ClientSet, pvc, deployTimeout)
|
return deletePVCAndValidatePV(f.ClientSet, pvc, deployTimeout)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func kmsIsVault(kms string) bool {
|
||||||
|
return kms == "vault"
|
||||||
|
}
|
||||||
|
|
||||||
func validateEncryptedPVCAndAppBinding(pvcPath, appPath, kms string, f *framework.Framework) error {
|
func validateEncryptedPVCAndAppBinding(pvcPath, appPath, kms string, f *framework.Framework) error {
|
||||||
pvc, app, err := createPVCAndAppBinding(pvcPath, appPath, f, deployTimeout)
|
pvc, app, err := createPVCAndAppBinding(pvcPath, appPath, f, deployTimeout)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -252,9 +256,9 @@ func validateEncryptedPVCAndAppBinding(pvcPath, appPath, kms string, f *framewor
|
|||||||
return fmt.Errorf("%v not equal to crypt", mountType)
|
return fmt.Errorf("%v not equal to crypt", mountType)
|
||||||
}
|
}
|
||||||
|
|
||||||
if kms == "vault" {
|
if kmsIsVault(kms) || kms == "vaulttokens" {
|
||||||
// check new passphrase created
|
// check new passphrase created
|
||||||
_, stdErr := readVaultSecret(imageData.csiVolumeHandle, f)
|
_, stdErr := readVaultSecret(imageData.csiVolumeHandle, kmsIsVault(kms), f)
|
||||||
if stdErr != "" {
|
if stdErr != "" {
|
||||||
return fmt.Errorf("failed to read passphrase from vault: %s", stdErr)
|
return fmt.Errorf("failed to read passphrase from vault: %s", stdErr)
|
||||||
}
|
}
|
||||||
@ -265,9 +269,9 @@ func validateEncryptedPVCAndAppBinding(pvcPath, appPath, kms string, f *framewor
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if kms == "vault" {
|
if kmsIsVault(kms) || kms == "vaulttokens" {
|
||||||
// check new passphrase created
|
// check new passphrase created
|
||||||
stdOut, _ := readVaultSecret(imageData.csiVolumeHandle, f)
|
stdOut, _ := readVaultSecret(imageData.csiVolumeHandle, kmsIsVault(kms), f)
|
||||||
if stdOut != "" {
|
if stdOut != "" {
|
||||||
return fmt.Errorf("passphrase found in vault while should be deleted: %s", stdOut)
|
return fmt.Errorf("passphrase found in vault while should be deleted: %s", stdOut)
|
||||||
}
|
}
|
||||||
|
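Review bot: The key-removal check in the third hunk still discards the error output (`stdOut, _ := readVaultSecret(...)`), so any failure of the Vault command leaves stdOut empty and the test reports the passphrase as deleted. Now that the lookup path differs between VaultKMS and VaultTokensKMS, that empty-output case is easier to hit by accident. I would keep the second value, `stdOut, stdErr := readVaultSecret(imageData.csiVolumeHandle, kmsIsVault(kms), f)`, and fail unless stdErr shows that the secret is absent rather than that the read itself failed. The condition `kmsIsVault(kms) || kms == "vaulttokens"` is also repeated in the second and third hunks with a bare string literal; a small helper next to `kmsIsVault` would keep the two checks in step. The body of validateEncryptedPVCAndAppBinding continues outside these hunks.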
17
e2e/utils.go
17
e2e/utils.go
@ -26,7 +26,12 @@ import (
|
|||||||
/* #nosec:G101, values not credententials, just a reference to the location.*/
|
/* #nosec:G101, values not credententials, just a reference to the location.*/
|
||||||
const (
|
const (
|
||||||
defaultNs = "default"
|
defaultNs = "default"
|
||||||
vaultSecretNs = "/secret/ceph-csi/"
|
|
||||||
|
// vaultBackendPath is the default VAULT_BACKEND_PATH for secrets
|
||||||
|
vaultBackendPath = "secret/"
|
||||||
|
// vaultPassphrasePath is an advanced configuration option, only
|
||||||
|
// available for the VaultKMS (not VaultTokensKMS) provider.
|
||||||
|
vaultPassphrasePath = "ceph-csi/"
|
||||||
|
|
||||||
rookToolBoxPodLabel = "app=rook-ceph-tools"
|
rookToolBoxPodLabel = "app=rook-ceph-tools"
|
||||||
rbdmountOptions = "mountOptions"
|
rbdmountOptions = "mountOptions"
|
||||||
@ -207,9 +212,15 @@ func getMountType(appName, appNamespace, mountPath string, f *framework.Framewor
|
|||||||
// * issue get request for particular key
|
// * issue get request for particular key
|
||||||
// resulting in stdOut (first entry in tuple) - output that contains the key
|
// resulting in stdOut (first entry in tuple) - output that contains the key
|
||||||
// or stdErr (second entry in tuple) - error getting the key.
|
// or stdErr (second entry in tuple) - error getting the key.
|
||||||
func readVaultSecret(key string, f *framework.Framework) (string, string) {
|
func readVaultSecret(key string, usePassphrasePath bool, f *framework.Framework) (string, string) {
|
||||||
|
extraPath := vaultPassphrasePath
|
||||||
|
if !usePassphrasePath {
|
||||||
|
extraPath = ""
|
||||||
|
}
|
||||||
|
|
||||||
loginCmd := fmt.Sprintf("vault login -address=%s sample_root_token_id > /dev/null", vaultAddr)
|
loginCmd := fmt.Sprintf("vault login -address=%s sample_root_token_id > /dev/null", vaultAddr)
|
||||||
readSecret := fmt.Sprintf("vault kv get -address=%s -field=data %s%s", vaultAddr, vaultSecretNs, key)
|
readSecret := fmt.Sprintf("vault kv get -address=%s -field=data %s%s%s",
|
||||||
|
vaultAddr, vaultBackendPath, extraPath, key)
|
||||||
cmd := fmt.Sprintf("%s && %s", loginCmd, readSecret)
|
cmd := fmt.Sprintf("%s && %s", loginCmd, readSecret)
|
||||||
opt := metav1.ListOptions{
|
opt := metav1.ListOptions{
|
||||||
LabelSelector: "app=vault",
|
LabelSelector: "app=vault",
|
||||||
|
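Review bot: The doc comment above readVaultSecret is unchanged and does not mention the new `usePassphrasePath` parameter, whose meaning is not obvious at call sites that pass `kmsIsVault(kms)`. I would add a line such as `// usePassphrasePath inserts vaultPassphrasePath between vaultBackendPath and key (VaultKMS); VaultTokensKMS reads the key directly under vaultBackendPath.` The lookup also assumes the backend path is the default `secret/`, as the comment on `vaultBackendPath` says; if the e2e Vault configuration ever sets a different VAULT_BACKEND_PATH, the existence check would fail and the removal check would pass without having looked at the right location, so that assumption deserves a comment too. The function body continues past the end of the hunk.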