e2e: add test for VaultTokensKMS support

Signed-off-by: Niels de Vos <ndevos@redhat.com>

e2e/rbd.go

@@ -1,6 +1,7 @@
 package e2e
 
 import (
+	"context"
 	"fmt"
 	"strings"
 	"sync"
@@ -337,7 +338,7 @@ var _ = Describe("RBD", func() {
 				}
 			})
 
-			By("create a PVC and bind it to an app with encrypted RBD volume with Vault KMS", func() {
+			By("create a PVC and bind it to an app with encrypted RBD volume with VaultKMS", func() {
 				err := deleteResource(rbdExamplePath + "storageclass.yaml")
 				if err != nil {
 					e2elog.Failf("failed to delete storageclass with error %v", err)
@@ -366,6 +367,56 @@ var _ = Describe("RBD", func() {
 				}
 			})
 
+			By("create a PVC and bind it to an app with encrypted RBD volume with VaultTokensKMS", func() {
+				err := deleteResource(rbdExamplePath + "storageclass.yaml")
+				if err != nil {
+					e2elog.Failf("failed to delete storageclass with error %v", err)
+				}
+				scOpts := map[string]string{
+					"encrypted":       "true",
+					"encryptionKMSID": "vault-tokens-test",
+				}
+				err = createRBDStorageClass(f.ClientSet, f, nil, scOpts, deletePolicy)
+				if err != nil {
+					e2elog.Failf("failed to create storageclass with error %v", err)
+				}
+
+				// name(space) of the Tenant
+				tenant := f.UniqueName
+
+				// create the Secret with Vault Token in the Tenants namespace
+				token, err := getSecret(vaultExamplePath + "tenant-token.yaml")
+				if err != nil {
+					e2elog.Failf("failed to load tenant token from secret: %v", err)
+				}
+				_, err = c.CoreV1().Secrets(tenant).Create(context.TODO(), &token, metav1.CreateOptions{})
+				if err != nil {
+					e2elog.Failf("failed to create Secret with tenant token: %v", err)
+				}
+
+				err = validateEncryptedPVCAndAppBinding(pvcPath, appPath, "vaulttokens", f)
+				if err != nil {
+					e2elog.Failf("failed to validate encrypted pvc with error %v", err)
+				}
+				// validate created backend rbd images
+				validateRBDImageCount(f, 0)
+
+				// delete the Secret of the Tenant
+				err = c.CoreV1().Secrets(tenant).Delete(context.TODO(), token.Name, metav1.DeleteOptions{})
+				if err != nil {
+					e2elog.Failf("failed to delete Secret with tenant token: %v", err)
+				}
+
+				err = deleteResource(rbdExamplePath + "storageclass.yaml")
+				if err != nil {
+					e2elog.Failf("failed to delete storageclass with error %v", err)
+				}
+				err = createRBDStorageClass(f.ClientSet, f, nil, nil, deletePolicy)
+				if err != nil {
+					e2elog.Failf("failed to create storageclass with error %v", err)
+				}
+			})
+
 			By("create a PVC clone and bind it to an app", func() {
 				// snapshot beta is only supported from v1.17+
 				if k8sVersionGreaterEquals(f.ClientSet, 1, 17) {

examples/kms/vault/kms-config.yaml

@@ -12,7 +12,25 @@ data:
         "vaultPassphraseRoot": "/v1/secret",
         "vaultPassphrasePath": "ceph-csi/",
         "vaultCAVerify": "false"
-      }
+      },
+      "vault-tokens-test": {
+          "encryptionKMSType": "vaulttokens",
+          "vaultAddress": "http://vault.default.svc.cluster.local:8200",
+          "vaultBackendPath": "secret/",
+          "vaultTLSServerName": "vault.default.svc.cluster.local",
+          "vaultCAVerify": "false",
+          "tenantConfigName": "ceph-csi-kms-config",
+          "tenantTokenName": "ceph-csi-kms-token",
+          "tenants": {
+              "my-app": {
+                  "vaultAddress": "https://vault.example.com",
+                  "vaultCAVerify": "true"
+              },
+              "an-other-app": {
+                  "tenantTokenName": "storage-encryption-token"
+              }
+          }
+       }
     }
 metadata:
   name: ceph-csi-encryption-kms-config

examples/kms/vault/tenant-token.yaml

@@ -0,0 +1,9 @@
+---
+# This is the Vault Token that can be created in a Kubernetes Namespace
+# (Tenant) for encrypting PVCs with the "vaulttokens" encryptionKMSType.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ceph-csi-kms-token
+stringData:
+  token: "sample_root_token_id"