mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-09 16:00:22 +00:00
e2e: add test for VaultTokensKMS support
Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
cc5684dbd8
commit
6e2d16ed1e
53
e2e/rbd.go
53
e2e/rbd.go
@ -1,6 +1,7 @@
|
||||
package e2e
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
"sync"
|
||||
@ -337,7 +338,7 @@ var _ = Describe("RBD", func() {
|
||||
}
|
||||
})
|
||||
|
||||
By("create a PVC and bind it to an app with encrypted RBD volume with Vault KMS", func() {
|
||||
By("create a PVC and bind it to an app with encrypted RBD volume with VaultKMS", func() {
|
||||
err := deleteResource(rbdExamplePath + "storageclass.yaml")
|
||||
if err != nil {
|
||||
e2elog.Failf("failed to delete storageclass with error %v", err)
|
||||
@ -366,6 +367,56 @@ var _ = Describe("RBD", func() {
|
||||
}
|
||||
})
|
||||
|
||||
By("create a PVC and bind it to an app with encrypted RBD volume with VaultTokensKMS", func() {
|
||||
err := deleteResource(rbdExamplePath + "storageclass.yaml")
|
||||
if err != nil {
|
||||
e2elog.Failf("failed to delete storageclass with error %v", err)
|
||||
}
|
||||
scOpts := map[string]string{
|
||||
"encrypted": "true",
|
||||
"encryptionKMSID": "vault-tokens-test",
|
||||
}
|
||||
err = createRBDStorageClass(f.ClientSet, f, nil, scOpts, deletePolicy)
|
||||
if err != nil {
|
||||
e2elog.Failf("failed to create storageclass with error %v", err)
|
||||
}
|
||||
|
||||
// name(space) of the Tenant
|
||||
tenant := f.UniqueName
|
||||
|
||||
// create the Secret with Vault Token in the Tenants namespace
|
||||
token, err := getSecret(vaultExamplePath + "tenant-token.yaml")
|
||||
if err != nil {
|
||||
e2elog.Failf("failed to load tenant token from secret: %v", err)
|
||||
}
|
||||
_, err = c.CoreV1().Secrets(tenant).Create(context.TODO(), &token, metav1.CreateOptions{})
|
||||
if err != nil {
|
||||
e2elog.Failf("failed to create Secret with tenant token: %v", err)
|
||||
}
|
||||
|
||||
err = validateEncryptedPVCAndAppBinding(pvcPath, appPath, "vaulttokens", f)
|
||||
if err != nil {
|
||||
e2elog.Failf("failed to validate encrypted pvc with error %v", err)
|
||||
}
|
||||
// validate created backend rbd images
|
||||
validateRBDImageCount(f, 0)
|
||||
|
||||
// delete the Secret of the Tenant
|
||||
err = c.CoreV1().Secrets(tenant).Delete(context.TODO(), token.Name, metav1.DeleteOptions{})
|
||||
if err != nil {
|
||||
e2elog.Failf("failed to delete Secret with tenant token: %v", err)
|
||||
}
|
||||
|
||||
err = deleteResource(rbdExamplePath + "storageclass.yaml")
|
||||
if err != nil {
|
||||
e2elog.Failf("failed to delete storageclass with error %v", err)
|
||||
}
|
||||
err = createRBDStorageClass(f.ClientSet, f, nil, nil, deletePolicy)
|
||||
if err != nil {
|
||||
e2elog.Failf("failed to create storageclass with error %v", err)
|
||||
}
|
||||
})
|
||||
|
||||
By("create a PVC clone and bind it to an app", func() {
|
||||
// snapshot beta is only supported from v1.17+
|
||||
if k8sVersionGreaterEquals(f.ClientSet, 1, 17) {
|
||||
|
@ -12,7 +12,25 @@ data:
|
||||
"vaultPassphraseRoot": "/v1/secret",
|
||||
"vaultPassphrasePath": "ceph-csi/",
|
||||
"vaultCAVerify": "false"
|
||||
}
|
||||
},
|
||||
"vault-tokens-test": {
|
||||
"encryptionKMSType": "vaulttokens",
|
||||
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
||||
"vaultBackendPath": "secret/",
|
||||
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
||||
"vaultCAVerify": "false",
|
||||
"tenantConfigName": "ceph-csi-kms-config",
|
||||
"tenantTokenName": "ceph-csi-kms-token",
|
||||
"tenants": {
|
||||
"my-app": {
|
||||
"vaultAddress": "https://vault.example.com",
|
||||
"vaultCAVerify": "true"
|
||||
},
|
||||
"an-other-app": {
|
||||
"tenantTokenName": "storage-encryption-token"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
metadata:
|
||||
name: ceph-csi-encryption-kms-config
|
||||
|
9
examples/kms/vault/tenant-token.yaml
Normal file
9
examples/kms/vault/tenant-token.yaml
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
# This is the Vault Token that can be created in a Kubernetes Namespace
|
||||
# (Tenant) for encrypting PVCs with the "vaulttokens" encryptionKMSType.
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: ceph-csi-kms-token
|
||||
stringData:
|
||||
token: "sample_root_token_id"
|
Loading…
Reference in New Issue
Block a user