From 8d38107fd6f71cd75f62d2631192b5e1149035cd Mon Sep 17 00:00:00 2001 From: Marcel Lauhoff Date: Fri, 19 Aug 2022 18:30:16 +0200 Subject: [PATCH] e2e: add basic PVC Ceph FS fscrypt tests Test storage class, pvc and app bind of an fscrypt encrypted Ceph FS with secrets metadata, vault, vault tokens and vault tenant KMS. Tests are based on the RBD block/file encryption tests. Signed-off-by: Marcel Lauhoff
---
 e2e/cephfs.go | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+)
diff --git a/e2e/cephfs.go b/e2e/cephfs.go
index b46c9e4d3..2fb914450 100644
--- a/e2e/cephfs.go
+++ b/e2e/cephfs.go
@@ -417,6 +417,67 @@ var _ = Describe(cephfsType, func() {
 }
 })
 
+ if testCephFSFscrypt {
+ kmsToTest := map[string]kmsConfig{
+ "secrets-metadata-test": secretsMetadataKMS,
+ "vault-test": vaultKMS,
+ "vault-tokens-test": vaultTokensKMS,
+ "vault-tenant-sa-test": vaultTenantSAKMS,
+ }
+
+ for kmsID, kmsConf := range kmsToTest {
+ kmsID := kmsID
+ kmsConf := kmsConf
+ By("create a storageclass with pool and an encrypted PVC then bind it to an app with "+kmsID, func() {
+ scOpts := map[string]string{
+ "encrypted": "true",
+ "encryptionKMSID": kmsID,
+ }
+ err := createCephfsStorageClass(f.ClientSet, f, true, scOpts)
+ if err != nil {
+ e2elog.Failf("failed to create CephFS storageclass: %v", err)
+ }
+
+ if kmsID == "vault-tokens-test" {
+ var token v1.Secret
+ tenant := f.UniqueName
+ token, err = getSecret(vaultExamplePath + "tenant-token.yaml")
+ if err != nil {
+ e2elog.Failf("failed to load tenant token from secret: %v", err)
+ }
+ _, err = c.CoreV1().Secrets(tenant).Create(context.TODO(), &token, metav1.CreateOptions{})
+ if err != nil {
+ e2elog.Failf("failed to create Secret with tenant token: %v", err)
+ }
+ defer func() {
+ err = c.CoreV1().Secrets(tenant).Delete(context.TODO(), token.Name, metav1.DeleteOptions{})
+ if err != nil {
+ e2elog.Failf("failed to delete Secret with tenant token: %v", err)
+ }
+ }()
+
+ }
+ if kmsID == "vault-tenant-sa-test" {
+ err = createTenantServiceAccount(f.ClientSet, f.UniqueName)
+ if err != nil {
+ e2elog.Failf("failed to create ServiceAccount: %v", err)
+ }
+ defer deleteTenantServiceAccount(f.UniqueName)
+ }
+
+ err = validateFscryptAndAppBinding(pvcPath, appPath, kmsConf, f)
+ if err != nil {
+ e2elog.Failf("failed to validate CephFS pvc and application binding: %v", err)
+ }
+
+ err = deleteResource(cephFSExamplePath + "storageclass.yaml")
+ if err != nil {
+ e2elog.Failf("failed to delete CephFS storageclass: %v", err)
+ }
+ })
+ }
+ }
+
 By("create a PVC and check PVC/PV metadata on CephFS subvolume", func() {
 err := createCephfsStorageClass(f.ClientSet, f, true, nil)
 if err != nil {
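Review bot: The four KMS scenarios are driven by `for kmsID, kmsConf := range kmsToTest` over a map, so Go's randomized map iteration changes the order of the `By` steps from run to run, which makes a failure in one scenario harder to reproduce and means whatever a failing scenario leaves behind lands on a different successor each time. Related, the storage class cleanup `err = deleteResource(cephFSExamplePath + "storageclass.yaml")` sits after `validateFscryptAndAppBinding`, so when validation fails via `e2elog.Failf` the storage class is left in place, while the tenant Secret and ServiceAccount created earlier in the same closure are released by `defer`; whether a suite-level AfterEach later removes it is not visible here. A fixed-order case slice plus a deferred storage class deletion right after creation keeps the run order stable and the cleanup symmetric; the deferred tenant-token delete calling `e2elog.Failf` during an unwind would also mask the original failure, but that pattern predates this change. The enclosing `It`/`Describe` starts and the file's import block sit outside the hunk.

```go
if testCephFSFscrypt {
	kmsToTest := []struct {
		id   string
		conf kmsConfig
	}{
		{"secrets-metadata-test", secretsMetadataKMS},
		{"vault-test", vaultKMS},
		{"vault-tokens-test", vaultTokensKMS},
		{"vault-tenant-sa-test", vaultTenantSAKMS},
	}

	for _, tc := range kmsToTest {
		kmsID, kmsConf := tc.id, tc.conf
		By("create a storageclass with pool and an encrypted PVC then bind it to an app with "+kmsID, func() {
			scOpts := map[string]string{
				"encrypted":       "true",
				"encryptionKMSID": kmsID,
			}
			err := createCephfsStorageClass(f.ClientSet, f, true, scOpts)
			if err != nil {
				e2elog.Failf("failed to create CephFS storageclass: %v", err)
			}
			// Release the storage class even when a later step fails the spec.
			defer func() {
				if err := deleteResource(cephFSExamplePath + "storageclass.yaml"); err != nil {
					e2elog.Failf("failed to delete CephFS storageclass: %v", err)
				}
			}()
			// … unchanged: tenant token Secret / ServiceAccount setup …
			// … unchanged: validateFscryptAndAppBinding call (trailing deleteResource dropped) …
```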