mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-26 08:10:20 +00:00
e2e: add validation for cloning encrypted volumes
Signed-off-by: Niels de Vos <ndevos@redhat.com>
parent
b1d05a1840
commit
3fde636685
34
e2e/rbd.go
34
e2e/rbd.go
@ -745,7 +745,37 @@ var _ = Describe("RBD", func() {
|
|||||||
By("create a PVC-PVC clone and bind it to an app", func() {
|
By("create a PVC-PVC clone and bind it to an app", func() {
|
||||||
// pvc clone is only supported from v1.16+
|
// pvc clone is only supported from v1.16+
|
||||||
if k8sVersionGreaterEquals(f.ClientSet, 1, 16) {
|
if k8sVersionGreaterEquals(f.ClientSet, 1, 16) {
|
||||||
validatePVCClone(pvcPath, appPath, pvcSmartClonePath, appSmartClonePath, f)
|
validatePVCClone(pvcPath, appPath, pvcSmartClonePath, appSmartClonePath, false, f)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
By("create an encrypted PVC-PVC clone and bind it to an app", func() {
|
||||||
|
if !k8sVersionGreaterEquals(f.ClientSet, 1, 16) {
|
||||||
|
Skip("pvc clone is only supported from v1.16+")
|
||||||
|
}
|
||||||
|
|
||||||
|
err := deleteResource(rbdExamplePath + "storageclass.yaml")
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to delete storageclass with error %v", err)
|
||||||
|
}
|
||||||
|
scOpts := map[string]string{
|
||||||
|
"encrypted": "true",
|
||||||
|
"encryptionKMSID": "secrets-metadata-test",
|
||||||
|
}
|
||||||
|
err = createRBDStorageClass(f.ClientSet, f, nil, scOpts, deletePolicy)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to create storageclass with error %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
validatePVCClone(pvcPath, appPath, pvcSmartClonePath, appSmartClonePath, true, f)
|
||||||
|
|
||||||
|
err = deleteResource(rbdExamplePath + "storageclass.yaml")
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to delete storageclass with error %v", err)
|
||||||
|
}
|
||||||
|
err = createRBDStorageClass(f.ClientSet, f, nil, nil, deletePolicy)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to create storageclass with error %v", err)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
@ -762,7 +792,7 @@ var _ = Describe("RBD", func() {
|
|||||||
}
|
}
|
||||||
// pvc clone is only supported from v1.16+
|
// pvc clone is only supported from v1.16+
|
||||||
if v.Major > "1" || (v.Major == "1" && v.Minor >= "16") {
|
if v.Major > "1" || (v.Major == "1" && v.Minor >= "16") {
|
||||||
validatePVCClone(rawPvcPath, rawAppPath, pvcBlockSmartClonePath, appBlockSmartClonePath, f)
|
validatePVCClone(rawPvcPath, rawAppPath, pvcBlockSmartClonePath, appBlockSmartClonePath, false, f)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
By("create/delete multiple PVCs and Apps", func() {
|
By("create/delete multiple PVCs and Apps", func() {
|
||||||
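Review bot: The `Skip("pvc clone is only supported from v1.16+")` call in the new "create an encrypted PVC-PVC clone" step is not equivalent to the `if k8sVersionGreaterEquals(...)` guard used by the step just above it. Assuming this is Ginkgo's Skip, it ends the whole spec, so on a cluster older than v1.16 every later `By` step in the same spec is silently dropped. Guard the step like its neighbour, with `if k8sVersionGreaterEquals(f.ClientSet, 1, 16) {` around the body, or `return` from the closure. The default storage class is also restored only if `validatePVCClone` returns, so a failure can leave the encrypted class in place for whatever runs next; a `defer` placed right after the encrypted class is created would cover that. The enclosing spec starts and ends outside these hunks.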
|
@ -238,23 +238,12 @@ func validateEncryptedPVCAndAppBinding(pvcPath, appPath, kms string, f *framewor
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
rbdImageSpec := imageSpec(defaultRBDPool, imageData.imageName)
|
|
||||||
encryptedState, err := getImageMeta(rbdImageSpec, ".rbd.csi.ceph.com/encrypted", f)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if encryptedState != "encrypted" {
|
|
||||||
return fmt.Errorf("%v not equal to encrypted", encryptedState)
|
|
||||||
}
|
|
||||||
|
|
||||||
volumeMountPath := app.Spec.Containers[0].VolumeMounts[0].MountPath
|
rbdImageSpec := imageSpec(defaultRBDPool, imageData.imageName)
|
||||||
mountType, err := getMountType(app.Name, app.Namespace, volumeMountPath, f)
|
err = validateEncryptedImage(f, rbdImageSpec, app)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if mountType != "crypt" {
|
|
||||||
return fmt.Errorf("%v not equal to crypt", mountType)
|
|
||||||
}
|
|
||||||
|
|
||||||
if kmsIsVault(kms) || kms == "vaulttokens" {
|
if kmsIsVault(kms) || kms == "vaulttokens" {
|
||||||
// check new passphrase created
|
// check new passphrase created
|
||||||
@ -279,6 +268,41 @@ func validateEncryptedPVCAndAppBinding(pvcPath, appPath, kms string, f *framewor
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func validateEncryptedPVC(f *framework.Framework, pvc *v1.PersistentVolumeClaim, app *v1.Pod) error {
|
||||||
|
imageData, err := getImageInfoFromPVC(pvc.Namespace, pvc.Name, f)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
rbdImageSpec := imageSpec(defaultRBDPool, imageData.imageName)
|
||||||
|
|
||||||
|
return validateEncryptedImage(f, rbdImageSpec, app)
|
||||||
|
}
|
||||||
|
|
||||||
|
// validateEncryptedImage verifies that the RBD image is encrypted. The
|
||||||
|
// following checks are performed:
|
||||||
|
// - Metadata of the image should be set with the encryption state;
|
||||||
|
// - The pvc should be mounted by a pod, so the filesystem type can be fetched.
|
||||||
|
func validateEncryptedImage(f *framework.Framework, rbdImageSpec string, app *v1.Pod) error {
|
||||||
|
encryptedState, err := getImageMeta(rbdImageSpec, ".rbd.csi.ceph.com/encrypted", f)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if encryptedState != "encrypted" {
|
||||||
|
return fmt.Errorf("%v not equal to encrypted", encryptedState)
|
||||||
|
}
|
||||||
|
|
||||||
|
volumeMountPath := app.Spec.Containers[0].VolumeMounts[0].MountPath
|
||||||
|
mountType, err := getMountType(app.Name, app.Namespace, volumeMountPath, f)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if mountType != "crypt" {
|
||||||
|
return fmt.Errorf("%v not equal to crypt", mountType)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func listRBDImages(f *framework.Framework) ([]string, error) {
|
func listRBDImages(f *framework.Framework) ([]string, error) {
|
||||||
var imgInfos []string
|
var imgInfos []string
|
||||||
|
|
||||||
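Review bot: `validateEncryptedImage` indexes `app.Spec.Containers[0].VolumeMounts[0]` without checking either slice, and it is now reachable through the general helper `validateEncryptedPVC` rather than a single call site, so a pod spec with no container or volume mount panics instead of returning an error. A length check before the index, returning `fmt.Errorf("pod %s has no volume mount to inspect", app.Name)`, keeps that failure on the error path. The two mismatch errors also omit which image was checked; `fmt.Errorf("image %s: encrypted state is %q, expected \"encrypted\"", rbdImageSpec, encryptedState)` makes a failure attributable when several volumes are validated at once. `validateEncryptedPVC` has no doc comment; `// validateEncryptedPVC resolves the RBD image backing pvc and checks it with validateEncryptedImage.` would match its neighbour.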
|
@ -504,8 +504,8 @@ func writeDataAndCalChecksum(app *v1.Pod, opt *metav1.ListOptions, f *framework.
|
|||||||
return checkSum, nil
|
return checkSum, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// nolint:gocyclo // reduce complexity
|
// nolint:gocyclo,gocognit // reduce complexity
|
||||||
func validatePVCClone(sourcePvcPath, sourceAppPath, clonePvcPath, clonePvcAppPath string, f *framework.Framework) {
|
func validatePVCClone(sourcePvcPath, sourceAppPath, clonePvcPath, clonePvcAppPath string, validateEncryption bool, f *framework.Framework) {
|
||||||
var wg sync.WaitGroup
|
var wg sync.WaitGroup
|
||||||
totalCount := 10
|
totalCount := 10
|
||||||
wgErrs := make([]error, totalCount)
|
wgErrs := make([]error, totalCount)
|
||||||
@ -582,6 +582,9 @@ func validatePVCClone(sourcePvcPath, sourceAppPath, clonePvcPath, clonePvcAppPat
|
|||||||
e2elog.Logf("checksum didn't match. checksum=%s and checksumclone=%s", checkSum, checkSumClone)
|
e2elog.Logf("checksum didn't match. checksum=%s and checksumclone=%s", checkSum, checkSumClone)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if wgErrs[n] == nil && validateEncryption {
|
||||||
|
wgErrs[n] = validateEncryptedPVC(f, &p, &a)
|
||||||
|
}
|
||||||
w.Done()
|
w.Done()
|
||||||
}(&wg, i, *pvcClone, *appClone)
|
}(&wg, i, *pvcClone, *appClone)
|
||||||
}
|
}
|
||||||
|
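Review bot: `validatePVCClone` takes `validateEncryption` as a positional bool with no doc comment, and the `nolint` line now silences gocognit as well as gocyclo instead of reducing the function's complexity. A comment such as `// validatePVCClone creates the clones in parallel; when validateEncryption is true each clone is also checked with validateEncryptedPVC.` would tell readers what the bare `true`/`false` at the call sites means. The new check runs only when `wgErrs[n] == nil`, and it proves only what `validateEncryptedPVC` inspects: the image's encrypted metadata and a `crypt` mount type on the clone. Whether the source volume or the clone's key material is verified is not visible here. The function body continues outside both hunks.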