CephNFS can enable different security flavours for exported volumes.
This can be configured in the optional `secTypes` parameter in the
StorageClass.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Deploy vault, analogue to the RBD upgrade suite to have the
ceph-csi-encryption-kms-config map ready when dependent
deployments/daemonsets are created.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Test storage class, pvc and app bind of an fscrypt encrypted Ceph FS
with secrets metadata, vault, vault tokens and vault tenant KMS.
Tests are based on the RBD block/file encryption tests.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Always deploy Vault as part of the the Ceph FS test suite.
Required by:
- fscrypt tests using any vault KMS type.
- Configuration in deploy/cephfs/*.yaml via the
ceph-csi-encryption-kms-config config map created during deployVault()
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
We need to unset the metadata on the clone
and restore PVC if the parent PVC was created
when setmetadata was set to true and it was
set to false when restore and clone pvc was
created.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
Add test-rbd-fscrypt feature flag to e2e suite. Default disabled as
the current CI system's kernel doesn't have the required features
enabled.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Replace `By` with `ByFileAndBlockEncryption` in all encryption related
tests to parameterize them to file and block encryption.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Add a `By` wrapper to parameterize encryption related test functions
and run them on both block and file encryption
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Because the rbd-nbd tests fail with minikube and the Podman driver,
disable the tests for the time being.
Updates: #3431
Signed-off-by: Niels de Vos <ndevos@redhat.com>
There are occasions where deleting a PVC (or PV) never succeeds. The
reported status of the deleted object is sometimes empty, which suggests
that the PVC or PV was, in fact, deleted.
To diagnose the incorrect error checking, include the errors for
retrying in the logs.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
The scale down/up functions fail often with "deployment not found"
errors. Possibly deploying with Podman is slower than deploying in a
minikube VM, and there is a delay for the deployment to become
available.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Ginkgo v1 is deprecated and was replaced
with the v2.
Ref: https://onsi.github.io/ginkgo/
MIGRATING_TO_V2#upgrading-to-ginkgo-20
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
as PSP is deprecated in kubernetes 1.21
and will be removed in kubernetes 1.25
removing the existing PSP related templates
from the repo and updated the required documents.
fixes#1988
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
This commit makes modification to nfs daemonset to use
nfs nodeserver. `nfs.NetNamespaceFilePath` example is
added.
Signed-off-by: Rakshith R <rar@redhat.com>
Some of the steps still refer to CephFS, likely missed some replacements
while copy/pasting. The logging is a little confusing when messages
claim something with CephFS failed, but the test is about NFS.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Sometimes executing a command in a Pod fails with "unable to upgrade
connection". This is most likely a temporary situation, and retrying
hopefully reduces the number of spurious failures because of it.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
k8sVersionGreaterEquals is not used anywhere but it
will be used in future if we need to have a kubernetes
version check. adding nolint for it now to skip it
from static check.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
We run CI jobs on kubernetes 1.22 by default
and we dont need to have a check to make sure
we have atleast Kubernetes 1.22 for few tests.
As we have CI runs on 1.22 by default, Removing
unwanted check.
updates: #3086
depends-on #3255
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
When getting the PVC or PV failed, the returned object may contain empty
values. If that happens, a retry uses the empty values for Namespace and
Name, which will never be successful.
Instead, use the Namespace and Name attributes from the original object,
and not from the object returned by the Get() call.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
When using `lock_on_read`, the RBD image needs to have the
`exclusive-lock` feature enabled too.
Fixes: #3221
Signed-off-by: Niels de Vos <ndevos@redhat.com>
CI is failing very frequently hitting resource leaks issue,
until we solve the root cause for resource leaks reducing the clone
count from 10 to 3.
related: #2327
Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>