mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-18 11:00:25 +00:00
e2e: validate encryption keys in KMS
this commit is to validate if the encrypted keys are created and deleted properly while pvc-pvc clone images Updates: #2022 Signed-off-by: Yati Padia <ypadia@redhat.com>
This commit is contained in:
parent
36f4c0cabb
commit
3c773b24e5
38
e2e/rbd.go
38
e2e/rbd.go
@ -833,7 +833,7 @@ var _ = Describe("RBD", func() {
|
|||||||
snapshotPath,
|
snapshotPath,
|
||||||
pvcClonePath,
|
pvcClonePath,
|
||||||
appClonePath,
|
appClonePath,
|
||||||
"",
|
noKms,
|
||||||
f)
|
f)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
@ -847,6 +847,7 @@ var _ = Describe("RBD", func() {
|
|||||||
appPath,
|
appPath,
|
||||||
pvcSmartClonePath,
|
pvcSmartClonePath,
|
||||||
appSmartClonePath,
|
appSmartClonePath,
|
||||||
|
noKms,
|
||||||
noPVCValidation,
|
noPVCValidation,
|
||||||
f)
|
f)
|
||||||
}
|
}
|
||||||
@ -868,7 +869,7 @@ var _ = Describe("RBD", func() {
|
|||||||
e2elog.Failf("failed to create storageclass with error %v", err)
|
e2elog.Failf("failed to create storageclass with error %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
validatePVCClone(1, pvcPath, appPath, pvcSmartClonePath, appSmartClonePath, isThickPVC, f)
|
validatePVCClone(1, pvcPath, appPath, pvcSmartClonePath, appSmartClonePath, noKms, isThickPVC, f)
|
||||||
|
|
||||||
err = deleteResource(rbdExamplePath + "storageclass.yaml")
|
err = deleteResource(rbdExamplePath + "storageclass.yaml")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -928,7 +929,37 @@ var _ = Describe("RBD", func() {
|
|||||||
e2elog.Failf("failed to create storageclass with error %v", err)
|
e2elog.Failf("failed to create storageclass with error %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
validatePVCClone(1, pvcPath, appPath, pvcSmartClonePath, appSmartClonePath, isEncryptedPVC, f)
|
validatePVCClone(1, pvcPath, appPath, pvcSmartClonePath, appSmartClonePath, "secrets-metadata", isEncryptedPVC, f)
|
||||||
|
|
||||||
|
err = deleteResource(rbdExamplePath + "storageclass.yaml")
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to delete storageclass with error %v", err)
|
||||||
|
}
|
||||||
|
err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, nil, deletePolicy)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to create storageclass with error %v", err)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
By("create an encrypted PVC-PVC clone and bind it to an app with VaultKMS", func() {
|
||||||
|
if !k8sVersionGreaterEquals(f.ClientSet, 1, 16) {
|
||||||
|
Skip("pvc clone is only supported from v1.16+")
|
||||||
|
}
|
||||||
|
|
||||||
|
err := deleteResource(rbdExamplePath + "storageclass.yaml")
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to delete storageclass with error %v", err)
|
||||||
|
}
|
||||||
|
scOpts := map[string]string{
|
||||||
|
"encrypted": "true",
|
||||||
|
"encryptionKMSID": "vault-test",
|
||||||
|
}
|
||||||
|
err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, scOpts, deletePolicy)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to create storageclass with error %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
validatePVCClone(1, pvcPath, appPath, pvcSmartClonePath, appSmartClonePath, "vault", isEncryptedPVC, f)
|
||||||
|
|
||||||
err = deleteResource(rbdExamplePath + "storageclass.yaml")
|
err = deleteResource(rbdExamplePath + "storageclass.yaml")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -959,6 +990,7 @@ var _ = Describe("RBD", func() {
|
|||||||
rawAppPath,
|
rawAppPath,
|
||||||
pvcBlockSmartClonePath,
|
pvcBlockSmartClonePath,
|
||||||
appBlockSmartClonePath,
|
appBlockSmartClonePath,
|
||||||
|
noKms,
|
||||||
noPVCValidation,
|
noPVCValidation,
|
||||||
f)
|
f)
|
||||||
}
|
}
|
||||||
|
62
e2e/utils.go
62
e2e/utils.go
@ -47,6 +47,8 @@ const (
|
|||||||
// vaultTokens KMS type
|
// vaultTokens KMS type
|
||||||
vaultTokens = "vaulttokens"
|
vaultTokens = "vaulttokens"
|
||||||
noError = ""
|
noError = ""
|
||||||
|
|
||||||
|
noKms = ""
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
@ -539,10 +541,10 @@ func writeDataAndCalChecksum(app *v1.Pod, opt *metav1.ListOptions, f *framework.
|
|||||||
return checkSum, nil
|
return checkSum, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// nolint:gocyclo,gocognit // reduce complexity
|
// nolint:gocyclo,gocognit,nestif // reduce complexity
|
||||||
func validatePVCClone(
|
func validatePVCClone(
|
||||||
totalCount int,
|
totalCount int,
|
||||||
sourcePvcPath, sourceAppPath, clonePvcPath, clonePvcAppPath string,
|
sourcePvcPath, sourceAppPath, clonePvcPath, clonePvcAppPath, kms string,
|
||||||
validatePVC validateFunc,
|
validatePVC validateFunc,
|
||||||
f *framework.Framework) {
|
f *framework.Framework) {
|
||||||
var wg sync.WaitGroup
|
var wg sync.WaitGroup
|
||||||
@ -609,6 +611,28 @@ func validatePVCClone(
|
|||||||
LabelSelector: fmt.Sprintf("%s=%s", appKey, label[appKey]),
|
LabelSelector: fmt.Sprintf("%s=%s", appKey, label[appKey]),
|
||||||
}
|
}
|
||||||
wgErrs[n] = createPVCAndApp(name, f, &p, &a, deployTimeout)
|
wgErrs[n] = createPVCAndApp(name, f, &p, &a, deployTimeout)
|
||||||
|
if wgErrs[n] == nil && kms != noKms {
|
||||||
|
if kmsIsVault(kms) || kms == vaultTokens {
|
||||||
|
imageData, sErr := getImageInfoFromPVC(p.Namespace, name, f)
|
||||||
|
if sErr != nil {
|
||||||
|
wgErrs[n] = fmt.Errorf(
|
||||||
|
"failed to get image info for %s namespace=%s volumehandle=%s error=%w",
|
||||||
|
name,
|
||||||
|
p.Namespace,
|
||||||
|
imageData.csiVolumeHandle,
|
||||||
|
sErr)
|
||||||
|
} else {
|
||||||
|
// check new passphrase created
|
||||||
|
stdOut, stdErr := readVaultSecret(imageData.csiVolumeHandle, kmsIsVault(kms), f)
|
||||||
|
if stdOut != "" {
|
||||||
|
e2elog.Logf("successfully read the passphrase from vault: %s", stdOut)
|
||||||
|
}
|
||||||
|
if stdErr != "" {
|
||||||
|
wgErrs[n] = fmt.Errorf("failed to read passphrase from vault: %s", stdErr)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
if *pvc.Spec.VolumeMode == v1.PersistentVolumeFilesystem && wgErrs[n] == nil {
|
if *pvc.Spec.VolumeMode == v1.PersistentVolumeFilesystem && wgErrs[n] == nil {
|
||||||
filePath := a.Spec.Containers[0].VolumeMounts[0].MountPath + "/test"
|
filePath := a.Spec.Containers[0].VolumeMounts[0].MountPath + "/test"
|
||||||
var checkSumClone string
|
var checkSumClone string
|
||||||
@ -622,7 +646,7 @@ func validatePVCClone(
|
|||||||
e2elog.Logf("checksum didn't match. checksum=%s and checksumclone=%s", checkSum, checkSumClone)
|
e2elog.Logf("checksum didn't match. checksum=%s and checksumclone=%s", checkSum, checkSumClone)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if wgErrs[n] == nil && validatePVC != nil {
|
if wgErrs[n] == nil && validatePVC != nil && kms != noKms {
|
||||||
wgErrs[n] = validatePVC(f, &p, &a)
|
wgErrs[n] = validatePVC(f, &p, &a)
|
||||||
}
|
}
|
||||||
wg.Done()
|
wg.Done()
|
||||||
@ -671,7 +695,33 @@ func validatePVCClone(
|
|||||||
go func(n int, p v1.PersistentVolumeClaim, a v1.Pod) {
|
go func(n int, p v1.PersistentVolumeClaim, a v1.Pod) {
|
||||||
name := fmt.Sprintf("%s%d", f.UniqueName, n)
|
name := fmt.Sprintf("%s%d", f.UniqueName, n)
|
||||||
p.Spec.DataSource.Name = name
|
p.Spec.DataSource.Name = name
|
||||||
|
var imageData imageInfoFromPVC
|
||||||
|
var sErr error
|
||||||
|
if kms != noKms {
|
||||||
|
if kmsIsVault(kms) || kms == vaultTokens {
|
||||||
|
imageData, sErr = getImageInfoFromPVC(p.Namespace, name, f)
|
||||||
|
if sErr != nil {
|
||||||
|
wgErrs[n] = fmt.Errorf(
|
||||||
|
"failed to get image info for %s namespace=%s volumehandle=%s error=%w",
|
||||||
|
name,
|
||||||
|
p.Namespace,
|
||||||
|
imageData.csiVolumeHandle,
|
||||||
|
sErr)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if wgErrs[n] == nil {
|
||||||
wgErrs[n] = deletePVCAndApp(name, f, &p, &a)
|
wgErrs[n] = deletePVCAndApp(name, f, &p, &a)
|
||||||
|
if wgErrs[n] == nil && kms != noKms {
|
||||||
|
if kmsIsVault(kms) || kms == vaultTokens {
|
||||||
|
// check passphrase deleted
|
||||||
|
stdOut, _ := readVaultSecret(imageData.csiVolumeHandle, kmsIsVault(kms), f)
|
||||||
|
if stdOut != "" {
|
||||||
|
wgErrs[n] = fmt.Errorf("passphrase found in vault while should be deleted: %s", stdOut)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
wg.Done()
|
wg.Done()
|
||||||
}(i, *pvcClone, *appClone)
|
}(i, *pvcClone, *appClone)
|
||||||
}
|
}
|
||||||
@ -747,7 +797,7 @@ func validatePVCSnapshot(
|
|||||||
go func(n int, s snapapi.VolumeSnapshot) {
|
go func(n int, s snapapi.VolumeSnapshot) {
|
||||||
s.Name = fmt.Sprintf("%s%d", f.UniqueName, n)
|
s.Name = fmt.Sprintf("%s%d", f.UniqueName, n)
|
||||||
wgErrs[n] = createSnapshot(&s, deployTimeout)
|
wgErrs[n] = createSnapshot(&s, deployTimeout)
|
||||||
if wgErrs[n] == nil && kms != "" {
|
if wgErrs[n] == nil && kms != noKms {
|
||||||
if kmsIsVault(kms) || kms == vaultTokens {
|
if kmsIsVault(kms) || kms == vaultTokens {
|
||||||
content, sErr := getVolumeSnapshotContent(s.Namespace, s.Name)
|
content, sErr := getVolumeSnapshotContent(s.Namespace, s.Name)
|
||||||
if sErr != nil {
|
if sErr != nil {
|
||||||
@ -927,7 +977,7 @@ func validatePVCSnapshot(
|
|||||||
s.Name = fmt.Sprintf("%s%d", f.UniqueName, n)
|
s.Name = fmt.Sprintf("%s%d", f.UniqueName, n)
|
||||||
content := &snapapi.VolumeSnapshotContent{}
|
content := &snapapi.VolumeSnapshotContent{}
|
||||||
var err error
|
var err error
|
||||||
if kms != "" {
|
if kms != noKms {
|
||||||
if kmsIsVault(kms) || kms == vaultTokens {
|
if kmsIsVault(kms) || kms == vaultTokens {
|
||||||
content, err = getVolumeSnapshotContent(s.Namespace, s.Name)
|
content, err = getVolumeSnapshotContent(s.Namespace, s.Name)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -941,7 +991,7 @@ func validatePVCSnapshot(
|
|||||||
}
|
}
|
||||||
if wgErrs[n] == nil {
|
if wgErrs[n] == nil {
|
||||||
wgErrs[n] = deleteSnapshot(&s, deployTimeout)
|
wgErrs[n] = deleteSnapshot(&s, deployTimeout)
|
||||||
if wgErrs[n] == nil && kms != "" {
|
if wgErrs[n] == nil && kms != noKms {
|
||||||
if kmsIsVault(kms) || kms == vaultTokens {
|
if kmsIsVault(kms) || kms == vaultTokens {
|
||||||
// check passphrase deleted
|
// check passphrase deleted
|
||||||
stdOut, _ := readVaultSecret(*content.Status.SnapshotHandle, kmsIsVault(kms), f)
|
stdOut, _ := readVaultSecret(*content.Status.SnapshotHandle, kmsIsVault(kms), f)
|
||||||
|
Loading…
Reference in New Issue
Block a user