mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-22 22:30:23 +00:00
e2e: add e2e for user secret based metadata encryption
This commit adds e2e for user secret based metadata encryption, adds user-secret.yaml and makes required changes in kms-connection-details, kms-config yamls. Signed-off-by: Rakshith R <rar@redhat.com>
This commit is contained in:
parent
3352d4aabd
commit
b27d6319ca
102
e2e/rbd.go
102
e2e/rbd.go
@ -821,6 +821,108 @@ var _ = Describe("RBD", func() {
|
|||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
|
By("test RBD volume encryption with user secrets based SecretsMetadataKMS", func() {
|
||||||
|
err := deleteResource(rbdExamplePath + "storageclass.yaml")
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to delete storageclass: %v", err)
|
||||||
|
}
|
||||||
|
scOpts := map[string]string{
|
||||||
|
"encrypted": "true",
|
||||||
|
"encryptionKMSID": "user-ns-secrets-metadata-test",
|
||||||
|
}
|
||||||
|
err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, scOpts, deletePolicy)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to create storageclass: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// user provided namespace where secret will be created
|
||||||
|
namespace := cephCSINamespace
|
||||||
|
|
||||||
|
// create user Secret
|
||||||
|
secret, err := getSecret(vaultExamplePath + "user-secret.yaml")
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to load user Secret: %v", err)
|
||||||
|
}
|
||||||
|
_, err = c.CoreV1().Secrets(namespace).Create(context.TODO(), &secret, metav1.CreateOptions{})
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to create user Secret: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
err = validateEncryptedPVCAndAppBinding(pvcPath, appPath, "", f)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to validate encrypted pvc: %v", err)
|
||||||
|
}
|
||||||
|
// validate created backend rbd images
|
||||||
|
validateRBDImageCount(f, 0, defaultRBDPool)
|
||||||
|
|
||||||
|
// delete user secret
|
||||||
|
err = c.CoreV1().Secrets(namespace).Delete(context.TODO(), secret.Name, metav1.DeleteOptions{})
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to delete user Secret: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
err = deleteResource(rbdExamplePath + "storageclass.yaml")
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to delete storageclass: %v", err)
|
||||||
|
}
|
||||||
|
err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, nil, deletePolicy)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to create storageclass: %v", err)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
By(
|
||||||
|
"test RBD volume encryption with user secrets based SecretsMetadataKMS with tenant namespace",
|
||||||
|
func() {
|
||||||
|
err := deleteResource(rbdExamplePath + "storageclass.yaml")
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to delete storageclass: %v", err)
|
||||||
|
}
|
||||||
|
scOpts := map[string]string{
|
||||||
|
"encrypted": "true",
|
||||||
|
"encryptionKMSID": "user-secrets-metadata-test",
|
||||||
|
}
|
||||||
|
err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, scOpts, deletePolicy)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to create storageclass: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// PVC creation namespace where secret will be created
|
||||||
|
namespace := f.UniqueName
|
||||||
|
|
||||||
|
// create user Secret
|
||||||
|
secret, err := getSecret(vaultExamplePath + "user-secret.yaml")
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to load user Secret: %v", err)
|
||||||
|
}
|
||||||
|
_, err = c.CoreV1().Secrets(namespace).Create(context.TODO(), &secret, metav1.CreateOptions{})
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to create user Secret: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
err = validateEncryptedPVCAndAppBinding(pvcPath, appPath, "", f)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to validate encrypted pvc: %v", err)
|
||||||
|
}
|
||||||
|
// validate created backend rbd images
|
||||||
|
validateRBDImageCount(f, 0, defaultRBDPool)
|
||||||
|
|
||||||
|
// delete user secret
|
||||||
|
err = c.CoreV1().Secrets(namespace).Delete(context.TODO(), secret.Name, metav1.DeleteOptions{})
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to delete user Secret: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
err = deleteResource(rbdExamplePath + "storageclass.yaml")
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to delete storageclass: %v", err)
|
||||||
|
}
|
||||||
|
err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, nil, deletePolicy)
|
||||||
|
if err != nil {
|
||||||
|
e2elog.Failf("failed to create storageclass: %v", err)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
By(
|
By(
|
||||||
"create a PVC and Bind it to an app with journaling/exclusive-lock image-features and rbd-nbd mounter",
|
"create a PVC and Bind it to an app with journaling/exclusive-lock image-features and rbd-nbd mounter",
|
||||||
func() {
|
func() {
|
||||||
|
@ -35,6 +35,17 @@ data:
|
|||||||
{
|
{
|
||||||
"encryptionKMSType": "metadata"
|
"encryptionKMSType": "metadata"
|
||||||
}
|
}
|
||||||
|
user-ns-secrets-metadata-test: |-
|
||||||
|
{
|
||||||
|
"encryptionKMSType": "metadata",
|
||||||
|
"secretName": "storage-encryption-secret",
|
||||||
|
"secretNamespace": "default"
|
||||||
|
}
|
||||||
|
user-secrets-metadata-test: |-
|
||||||
|
{
|
||||||
|
"encryptionKMSType": "metadata",
|
||||||
|
"secretName": "storage-encryption-secret"
|
||||||
|
}
|
||||||
aws-metadata-test: |-
|
aws-metadata-test: |-
|
||||||
{
|
{
|
||||||
"KMS_PROVIDER": "aws-metadata",
|
"KMS_PROVIDER": "aws-metadata",
|
||||||
|
@ -33,6 +33,15 @@ data:
|
|||||||
},
|
},
|
||||||
"secrets-metadata-test": {
|
"secrets-metadata-test": {
|
||||||
"encryptionKMSType": "metadata"
|
"encryptionKMSType": "metadata"
|
||||||
|
},
|
||||||
|
"user-ns-secrets-metadata-test": {
|
||||||
|
"encryptionKMSType": "metadata",
|
||||||
|
"secretName": "storage-encryption-secret",
|
||||||
|
"secretNamespace": "default"
|
||||||
|
},
|
||||||
|
"user-secrets-metadata-test": {
|
||||||
|
"encryptionKMSType": "metadata",
|
||||||
|
"secretName": "storage-encryption-secret"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
metadata:
|
metadata:
|
||||||
|
11
examples/kms/vault/user-secret.yaml
Normal file
11
examples/kms/vault/user-secret.yaml
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
# This is the user secret containing encryptionPasspharse that can be
|
||||||
|
# created in a Kubernetes Namespace for encrypting PVCs with the
|
||||||
|
# "user-ns-secrets-metadata-test" or "user-secrets-metadata-test"
|
||||||
|
# encryptionKMSID.
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: storage-encryption-secret
|
||||||
|
stringData:
|
||||||
|
encryptionPassphrase: test-encryption
|
Loading…
Reference in New Issue
Block a user