e2e: add test for VaultTokensKMS support

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
Niels de Vos 2020-12-09 17:10:43 +01:00 committed by mergify[bot]
parent cc5684dbd8
commit 6e2d16ed1e
3 changed files with 80 additions and 2 deletions

View File

@ -1,6 +1,7 @@
package e2e
import (
"context"
"fmt"
"strings"
"sync"
@ -337,7 +338,7 @@ var _ = Describe("RBD", func() {
}
})
By("create a PVC and bind it to an app with encrypted RBD volume with Vault KMS", func() {
By("create a PVC and bind it to an app with encrypted RBD volume with VaultKMS", func() {
err := deleteResource(rbdExamplePath + "storageclass.yaml")
if err != nil {
e2elog.Failf("failed to delete storageclass with error %v", err)
@ -366,6 +367,56 @@ var _ = Describe("RBD", func() {
}
})
By("create a PVC and bind it to an app with encrypted RBD volume with VaultTokensKMS", func() {
err := deleteResource(rbdExamplePath + "storageclass.yaml")
if err != nil {
e2elog.Failf("failed to delete storageclass with error %v", err)
}
scOpts := map[string]string{
"encrypted": "true",
"encryptionKMSID": "vault-tokens-test",
}
err = createRBDStorageClass(f.ClientSet, f, nil, scOpts, deletePolicy)
if err != nil {
e2elog.Failf("failed to create storageclass with error %v", err)
}
// name(space) of the Tenant
tenant := f.UniqueName
// create the Secret with Vault Token in the Tenants namespace
token, err := getSecret(vaultExamplePath + "tenant-token.yaml")
if err != nil {
e2elog.Failf("failed to load tenant token from secret: %v", err)
}
_, err = c.CoreV1().Secrets(tenant).Create(context.TODO(), &token, metav1.CreateOptions{})
if err != nil {
e2elog.Failf("failed to create Secret with tenant token: %v", err)
}
err = validateEncryptedPVCAndAppBinding(pvcPath, appPath, "vaulttokens", f)
if err != nil {
e2elog.Failf("failed to validate encrypted pvc with error %v", err)
}
// validate created backend rbd images
validateRBDImageCount(f, 0)
// delete the Secret of the Tenant
err = c.CoreV1().Secrets(tenant).Delete(context.TODO(), token.Name, metav1.DeleteOptions{})
if err != nil {
e2elog.Failf("failed to delete Secret with tenant token: %v", err)
}
err = deleteResource(rbdExamplePath + "storageclass.yaml")
if err != nil {
e2elog.Failf("failed to delete storageclass with error %v", err)
}
err = createRBDStorageClass(f.ClientSet, f, nil, nil, deletePolicy)
if err != nil {
e2elog.Failf("failed to create storageclass with error %v", err)
}
})
By("create a PVC clone and bind it to an app", func() {
// snapshot beta is only supported from v1.17+
if k8sVersionGreaterEquals(f.ClientSet, 1, 17) {

View File

@ -12,7 +12,25 @@ data:
"vaultPassphraseRoot": "/v1/secret",
"vaultPassphrasePath": "ceph-csi/",
"vaultCAVerify": "false"
}
},
"vault-tokens-test": {
"encryptionKMSType": "vaulttokens",
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
"vaultBackendPath": "secret/",
"vaultTLSServerName": "vault.default.svc.cluster.local",
"vaultCAVerify": "false",
"tenantConfigName": "ceph-csi-kms-config",
"tenantTokenName": "ceph-csi-kms-token",
"tenants": {
"my-app": {
"vaultAddress": "https://vault.example.com",
"vaultCAVerify": "true"
},
"an-other-app": {
"tenantTokenName": "storage-encryption-token"
}
}
}
}
metadata:
name: ceph-csi-encryption-kms-config

View File

@ -0,0 +1,9 @@
---
# This is the Vault Token that can be created in a Kubernetes Namespace
# (Tenant) for encrypting PVCs with the "vaulttokens" encryptionKMSType.
apiVersion: v1
kind: Secret
metadata:
name: ceph-csi-kms-token
stringData:
token: "sample_root_token_id"