From 6e2d16ed1ef5d311ba8a3b004d7f7db58de99926 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Wed, 9 Dec 2020 17:10:43 +0100
Subject: [PATCH] e2e: add test for VaultTokensKMS support

Signed-off-by: Niels de Vos
---
 e2e/rbd.go                           | 53 +++++++++++++++++++++++++++-
 examples/kms/vault/kms-config.yaml   | 20 ++++++++++-
 examples/kms/vault/tenant-token.yaml |  9 +++++
 3 files changed, 80 insertions(+), 2 deletions(-)
 create mode 100644 examples/kms/vault/tenant-token.yaml

diff --git a/e2e/rbd.go b/e2e/rbd.go
index 6fb38ba94..ec3f9d4fc 100644
--- a/e2e/rbd.go
+++ b/e2e/rbd.go
@@ -1,6 +1,7 @@
 package e2e
 
 import (
+	"context"
 	"fmt"
 	"strings"
 	"sync"
@@ -337,7 +338,7 @@ var _ = Describe("RBD", func() {
 			}
 		})
 
-		By("create a PVC and bind it to an app with encrypted RBD volume with Vault KMS", func() {
+		By("create a PVC and bind it to an app with encrypted RBD volume with VaultKMS", func() {
 			err := deleteResource(rbdExamplePath + "storageclass.yaml")
 			if err != nil {
 				e2elog.Failf("failed to delete storageclass with error %v", err)
@@ -366,6 +367,56 @@ var _ = Describe("RBD", func() {
 			}
 		})
 
+		By("create a PVC and bind it to an app with encrypted RBD volume with VaultTokensKMS", func() {
+			err := deleteResource(rbdExamplePath + "storageclass.yaml")
+			if err != nil {
+				e2elog.Failf("failed to delete storageclass with error %v", err)
+			}
+			scOpts := map[string]string{
+				"encrypted":       "true",
+				"encryptionKMSID": "vault-tokens-test",
+			}
+			err = createRBDStorageClass(f.ClientSet, f, nil, scOpts, deletePolicy)
+			if err != nil {
+				e2elog.Failf("failed to create storageclass with error %v", err)
+			}
+
+			// name(space) of the Tenant
+			tenant := f.UniqueName
+
+			// create the Secret with Vault Token in the Tenants namespace
+			token, err := getSecret(vaultExamplePath + "tenant-token.yaml")
+			if err != nil {
+				e2elog.Failf("failed to load tenant token from secret: %v", err)
+			}
+			_, err = c.CoreV1().Secrets(tenant).Create(context.TODO(), &token, metav1.CreateOptions{})
+			if err != nil {
+				e2elog.Failf("failed to create Secret with tenant token: %v", err)
+			}
+
+			err = validateEncryptedPVCAndAppBinding(pvcPath, appPath, "vaulttokens", f)
+			if err != nil {
+				e2elog.Failf("failed to validate encrypted pvc with error %v", err)
+			}
+			// validate created backend rbd images
+			validateRBDImageCount(f, 0)
+
+			// delete the Secret of the Tenant
+			err = c.CoreV1().Secrets(tenant).Delete(context.TODO(), token.Name, metav1.DeleteOptions{})
+			if err != nil {
+				e2elog.Failf("failed to delete Secret with tenant token: %v", err)
+			}
+
+			err = deleteResource(rbdExamplePath + "storageclass.yaml")
+			if err != nil {
+				e2elog.Failf("failed to delete storageclass with error %v", err)
+			}
+			err = createRBDStorageClass(f.ClientSet, f, nil, nil, deletePolicy)
+			if err != nil {
+				e2elog.Failf("failed to create storageclass with error %v", err)
+			}
+		})
+
 		By("create a PVC clone and bind it to an app", func() {
 			// snapshot beta is only supported from v1.17+
 			if k8sVersionGreaterEquals(f.ClientSet, 1, 17) {
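Review bot: The tenant Secret holding the Vault token is deleted only on the happy path — every `e2elog.Failf` between the `Create` call and the `Delete` block near the end of the hunk aborts the spec first, so a failed run leaves `ceph-csi-kms-token` sitting in the tenant namespace. If `tenant` (taken from `f.UniqueName`) is the framework's per-test namespace its teardown presumably removes it, but that is not visible from this hunk and the dependency is silent. Registering the deletion with `defer` immediately after a successful `Create` makes the cleanup unconditional and keeps the token's lifetime local to the block; the later `// delete the Secret of the Tenant` block then goes away. The enclosing `Describe` closure starts and ends outside the hunk.

```go
			_, err = c.CoreV1().Secrets(tenant).Create(context.TODO(), &token, metav1.CreateOptions{})
			if err != nil {
				e2elog.Failf("failed to create Secret with tenant token: %v", err)
			}
			// remove the tenant token however the rest of the test ends
			defer func() {
				err := c.CoreV1().Secrets(tenant).Delete(context.TODO(), token.Name, metav1.DeleteOptions{})
				if err != nil {
					e2elog.Failf("failed to delete Secret with tenant token: %v", err)
				}
			}()

			// … unchanged: validateEncryptedPVCAndAppBinding, validateRBDImageCount, storageclass reset …
```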
diff --git a/examples/kms/vault/kms-config.yaml b/examples/kms/vault/kms-config.yaml
index f3a773584..b35610fdf 100644
--- a/examples/kms/vault/kms-config.yaml
+++ b/examples/kms/vault/kms-config.yaml
@@ -12,7 +12,25 @@ data:
         "vaultPassphraseRoot": "/v1/secret",
         "vaultPassphrasePath": "ceph-csi/",
         "vaultCAVerify": "false"
-      }
+      },
+      "vault-tokens-test": {
+        "encryptionKMSType": "vaulttokens",
+        "vaultAddress": "http://vault.default.svc.cluster.local:8200",
+        "vaultBackendPath": "secret/",
+        "vaultTLSServerName": "vault.default.svc.cluster.local",
+        "vaultCAVerify": "false",
+        "tenantConfigName": "ceph-csi-kms-config",
+        "tenantTokenName": "ceph-csi-kms-token",
+        "tenants": {
+          "my-app": {
+            "vaultAddress": "https://vault.example.com",
+            "vaultCAVerify": "true"
+          },
+          "an-other-app": {
+            "tenantTokenName": "storage-encryption-token"
+          }
+        }
+      }
     }
 metadata:
   name: ceph-csi-encryption-kms-config
diff --git a/examples/kms/vault/tenant-token.yaml b/examples/kms/vault/tenant-token.yaml
new file mode 100644
index 000000000..76f305c9e
--- /dev/null
+++ b/examples/kms/vault/tenant-token.yaml
@@ -0,0 +1,9 @@
+---
+# This is the Vault Token that can be created in a Kubernetes Namespace
+# (Tenant) for encrypting PVCs with the "vaulttokens" encryptionKMSType.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ceph-csi-kms-token
+stringData:
+  token: "sample_root_token_id"
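Review bot: The new `vault-tokens-test` entry combines an `http://` `vaultAddress` with `"vaultCAVerify": "false"` and a `vaultTLSServerName`, so the server-name setting has nothing to act on and a reader who copies the entry as a template gets a plaintext, unverified connection to the KMS that holds their volume passphrases. Because this ConfigMap is shipped under `examples/` and not only consumed by the e2e run, that intent should be stated; the JSON payload has no comment syntax, so the note belongs in a YAML comment above `config.json:` (outside this hunk), e.g. `# vault-tokens-test points at the plaintext e2e Vault; real entries must use https and "vaultCAVerify": "true" as the my-app tenant override shows.` It is also worth saying in that comment that `tenantTokenName` must match the `metadata.name` of the Secret each tenant creates, since the `ceph-csi-kms-token` default here and the example Secret are coupled only by convention.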
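Review bot: The example Secret's value `sample_root_token_id` reads as a Vault root token, and the two-line header comment does not warn against that; a tenant who copies this manifest and substitutes their own root token hands the CSI driver a credential that bypasses every Vault policy, when the driver only needs access under `vaultBackendPath`. Suggest extending the header: `# The value below is only the e2e test Vault's root token. Create tenant tokens from a policy scoped to the tenant's vaultBackendPath; never store a root token here.` As a side effect the e2e test that loads this file authenticates as root as well, so it cannot catch a regression in path-scoped access; if the test Vault setup (not visible here) can mint a policy-limited token, using that instead would make the check meaningful.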