e2e: add e2e for user secret based metadata encryption

This commit adds e2e for user secret based metadata encryption,
adds user-secret.yaml and makes required changes in kms-connection-details,
kms-config yamls.

Signed-off-by: Rakshith R <rar@redhat.com>
This commit is contained in:
Rakshith R 2021-07-05 13:58:33 +05:30 committed by mergify[bot]
parent 3352d4aabd
commit b27d6319ca
4 changed files with 133 additions and 0 deletions

View File

@ -821,6 +821,108 @@ var _ = Describe("RBD", func() {
} }
}) })
By("test RBD volume encryption with user secrets based SecretsMetadataKMS", func() {
err := deleteResource(rbdExamplePath + "storageclass.yaml")
if err != nil {
e2elog.Failf("failed to delete storageclass: %v", err)
}
scOpts := map[string]string{
"encrypted": "true",
"encryptionKMSID": "user-ns-secrets-metadata-test",
}
err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, scOpts, deletePolicy)
if err != nil {
e2elog.Failf("failed to create storageclass: %v", err)
}
// user provided namespace where secret will be created
namespace := cephCSINamespace
// create user Secret
secret, err := getSecret(vaultExamplePath + "user-secret.yaml")
if err != nil {
e2elog.Failf("failed to load user Secret: %v", err)
}
_, err = c.CoreV1().Secrets(namespace).Create(context.TODO(), &secret, metav1.CreateOptions{})
if err != nil {
e2elog.Failf("failed to create user Secret: %v", err)
}
err = validateEncryptedPVCAndAppBinding(pvcPath, appPath, "", f)
if err != nil {
e2elog.Failf("failed to validate encrypted pvc: %v", err)
}
// validate created backend rbd images
validateRBDImageCount(f, 0, defaultRBDPool)
// delete user secret
err = c.CoreV1().Secrets(namespace).Delete(context.TODO(), secret.Name, metav1.DeleteOptions{})
if err != nil {
e2elog.Failf("failed to delete user Secret: %v", err)
}
err = deleteResource(rbdExamplePath + "storageclass.yaml")
if err != nil {
e2elog.Failf("failed to delete storageclass: %v", err)
}
err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, nil, deletePolicy)
if err != nil {
e2elog.Failf("failed to create storageclass: %v", err)
}
})
By(
"test RBD volume encryption with user secrets based SecretsMetadataKMS with tenant namespace",
func() {
err := deleteResource(rbdExamplePath + "storageclass.yaml")
if err != nil {
e2elog.Failf("failed to delete storageclass: %v", err)
}
scOpts := map[string]string{
"encrypted": "true",
"encryptionKMSID": "user-secrets-metadata-test",
}
err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, scOpts, deletePolicy)
if err != nil {
e2elog.Failf("failed to create storageclass: %v", err)
}
// PVC creation namespace where secret will be created
namespace := f.UniqueName
// create user Secret
secret, err := getSecret(vaultExamplePath + "user-secret.yaml")
if err != nil {
e2elog.Failf("failed to load user Secret: %v", err)
}
_, err = c.CoreV1().Secrets(namespace).Create(context.TODO(), &secret, metav1.CreateOptions{})
if err != nil {
e2elog.Failf("failed to create user Secret: %v", err)
}
err = validateEncryptedPVCAndAppBinding(pvcPath, appPath, "", f)
if err != nil {
e2elog.Failf("failed to validate encrypted pvc: %v", err)
}
// validate created backend rbd images
validateRBDImageCount(f, 0, defaultRBDPool)
// delete user secret
err = c.CoreV1().Secrets(namespace).Delete(context.TODO(), secret.Name, metav1.DeleteOptions{})
if err != nil {
e2elog.Failf("failed to delete user Secret: %v", err)
}
err = deleteResource(rbdExamplePath + "storageclass.yaml")
if err != nil {
e2elog.Failf("failed to delete storageclass: %v", err)
}
err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, nil, deletePolicy)
if err != nil {
e2elog.Failf("failed to create storageclass: %v", err)
}
})
By( By(
"create a PVC and Bind it to an app with journaling/exclusive-lock image-features and rbd-nbd mounter", "create a PVC and Bind it to an app with journaling/exclusive-lock image-features and rbd-nbd mounter",
func() { func() {

View File

@ -35,6 +35,17 @@ data:
{ {
"encryptionKMSType": "metadata" "encryptionKMSType": "metadata"
} }
user-ns-secrets-metadata-test: |-
{
"encryptionKMSType": "metadata",
"secretName": "storage-encryption-secret",
"secretNamespace": "default"
}
user-secrets-metadata-test: |-
{
"encryptionKMSType": "metadata",
"secretName": "storage-encryption-secret"
}
aws-metadata-test: |- aws-metadata-test: |-
{ {
"KMS_PROVIDER": "aws-metadata", "KMS_PROVIDER": "aws-metadata",

View File

@ -33,6 +33,15 @@ data:
}, },
"secrets-metadata-test": { "secrets-metadata-test": {
"encryptionKMSType": "metadata" "encryptionKMSType": "metadata"
},
"user-ns-secrets-metadata-test": {
"encryptionKMSType": "metadata",
"secretName": "storage-encryption-secret",
"secretNamespace": "default"
},
"user-secrets-metadata-test": {
"encryptionKMSType": "metadata",
"secretName": "storage-encryption-secret"
} }
} }
metadata: metadata:

View File

@ -0,0 +1,11 @@
---
# This is the user secret containing encryptionPasspharse that can be
# created in a Kubernetes Namespace for encrypting PVCs with the
# "user-ns-secrets-metadata-test" or "user-secrets-metadata-test"
# encryptionKMSID.
apiVersion: v1
kind: Secret
metadata:
name: storage-encryption-secret
stringData:
encryptionPassphrase: test-encryption