e2e: refactor KMS configuration and usage

This adds a new `kmsConfig` interface that can be used to validate
different KMS services and settings. It makes checking for the available
support easier, and fetching the passphrase simpler.

The basicKMS mirrors the current validation of the KMS implementations
that use secrets and metadata. vaultKMS can be used to validate the
passphrase stored in a Vault service.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
Niels de Vos
2021-07-09 13:49:23 +02:00
committed by mergify[bot]
parent 42f8d8d446
commit 855f9080d1
4 changed files with 143 additions and 77 deletions


@ -253,10 +253,6 @@ func validateImageOwner(pvcPath string, f *framework.Framework) error {
return deletePVCAndValidatePV(f.ClientSet, pvc, deployTimeout)
}
func kmsIsVault(kms string) bool {
return kms == "vault"
}
func logErrors(f *framework.Framework, msg string, wgErrs []error) int {
failures := 0
for i, err := range wgErrs {
@ -395,7 +391,7 @@ func validateCloneInDifferentPool(f *framework.Framework, snapshotPool, cloneSc,
return nil
}
func validateEncryptedPVCAndAppBinding(pvcPath, appPath, kms string, f *framework.Framework) error {
func validateEncryptedPVCAndAppBinding(pvcPath, appPath string, kms kmsConfig, f *framework.Framework) error {
pvc, app, err := createPVCAndAppBinding(pvcPath, appPath, f, deployTimeout)
if err != nil {
return err
@ -411,9 +407,9 @@ func validateEncryptedPVCAndAppBinding(pvcPath, appPath, kms string, f *framewor
return err
}
if kmsIsVault(kms) || kms == vaultTokens {
if kms != noKMS && kms.canGetPassphrase() {
// check new passphrase created
_, stdErr := readVaultSecret(imageData.csiVolumeHandle, kmsIsVault(kms), f)
_, stdErr := kms.getPassphrase(f, imageData.csiVolumeHandle)
if stdErr != "" {
return fmt.Errorf("failed to read passphrase from vault: %s", stdErr)
}
@ -424,9 +420,9 @@ func validateEncryptedPVCAndAppBinding(pvcPath, appPath, kms string, f *framewor
return err
}
if kmsIsVault(kms) || kms == vaultTokens {
if kms != noKMS && kms.canGetPassphrase() {
// check new passphrase created
stdOut, _ := readVaultSecret(imageData.csiVolumeHandle, kmsIsVault(kms), f)
stdOut, _ := kms.getPassphrase(f, imageData.csiVolumeHandle)
if stdOut != "" {
return fmt.Errorf("passphrase found in vault while should be deleted: %s", stdOut)
}
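Review bot: The post-delete check in the last hunk (`stdOut, _ := kms.getPassphrase(f, imageData.csiVolumeHandle)` followed by `if stdOut != ""`) passes vacuously whenever the lookup fails for a reason other than the secret being gone — an unreachable Vault, a failed exec or auth, or a wrong path all leave stdOut empty, so the test would report the passphrase as deleted without proving it. Since this is the assertion that key material is actually removed when the encrypted PVC goes away, keep the stderr and surface it instead of discarding it, e.g. `stdOut, stdErr := kms.getPassphrase(f, imageData.csiVolumeHandle)` and `if stdOut != "" || stdErr == "" { return fmt.Errorf("expected passphrase lookup to fail after deletion, stdout: %q, stderr: %q", stdOut, stdErr) }`; whether an absent key is reported as a non-empty stderr depends on the backend behind getPassphrase, which is not visible here, so a dedicated "not found" classification may belong in the kmsConfig implementations. The `// check new passphrase created` comment above that call is carried over from the creation path and should read `// check the passphrase was removed together with the volume`. `kms != noKMS` guards only the sentinel; if any caller can pass a nil kmsConfig, `kms.canGetPassphrase()` would panic, which is worth an explicit nil check unless noKMS is always substituted. validateEncryptedPVCAndAppBinding continues past the end of the hunk.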