From b27d6319ca8b16004ecbc00f71393821594de712 Mon Sep 17 00:00:00 2001
From: Rakshith R
Date: Mon, 5 Jul 2021 13:58:33 +0530
Subject: [PATCH] e2e: add e2e for user secret based metadata encryption

This commit adds e2e for user secret based metadata encryption, adds user-secret.yaml and makes required changes in kms-connection-details, kms-config yamls.

Signed-off-by: Rakshith R
---
 e2e/rbd.go | 102 ++++++++++++++++++
 .../kms/vault/csi-kms-connection-details.yaml | 11 ++
 examples/kms/vault/kms-config.yaml | 9 ++
 examples/kms/vault/user-secret.yaml | 11 ++
 4 files changed, 133 insertions(+)
 create mode 100644 examples/kms/vault/user-secret.yaml

diff --git a/e2e/rbd.go b/e2e/rbd.go
index ae0c06927..640c0dd95 100644
--- a/e2e/rbd.go
+++ b/e2e/rbd.go
@@ -821,6 +821,108 @@ var _ = Describe("RBD", func() {
 }
 })
 
+ By("test RBD volume encryption with user secrets based SecretsMetadataKMS", func() {
+ err := deleteResource(rbdExamplePath + "storageclass.yaml")
+ if err != nil {
+ e2elog.Failf("failed to delete storageclass: %v", err)
+ }
+ scOpts := map[string]string{
+ "encrypted": "true",
+ "encryptionKMSID": "user-ns-secrets-metadata-test",
+ }
+ err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, scOpts, deletePolicy)
+ if err != nil {
+ e2elog.Failf("failed to create storageclass: %v", err)
+ }
+
+ // user provided namespace where secret will be created
+ namespace := cephCSINamespace
+
+ // create user Secret
+ secret, err := getSecret(vaultExamplePath + "user-secret.yaml")
+ if err != nil {
+ e2elog.Failf("failed to load user Secret: %v", err)
+ }
+ _, err = c.CoreV1().Secrets(namespace).Create(context.TODO(), &secret, metav1.CreateOptions{})
+ if err != nil {
+ e2elog.Failf("failed to create user Secret: %v", err)
+ }
+
+ err = validateEncryptedPVCAndAppBinding(pvcPath, appPath, "", f)
+ if err != nil {
+ e2elog.Failf("failed to validate encrypted pvc: %v", err)
+ }
+ // validate created backend rbd images
+ validateRBDImageCount(f, 0, defaultRBDPool)
+
+ // delete user secret
+ err = c.CoreV1().Secrets(namespace).Delete(context.TODO(), secret.Name, metav1.DeleteOptions{})
+ if err != nil {
+ e2elog.Failf("failed to delete user Secret: %v", err)
+ }
+
+ err = deleteResource(rbdExamplePath + "storageclass.yaml")
+ if err != nil {
+ e2elog.Failf("failed to delete storageclass: %v", err)
+ }
+ err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, nil, deletePolicy)
+ if err != nil {
+ e2elog.Failf("failed to create storageclass: %v", err)
+ }
+ })
+
+ By(
+ "test RBD volume encryption with user secrets based SecretsMetadataKMS with tenant namespace",
+ func() {
+ err := deleteResource(rbdExamplePath + "storageclass.yaml")
+ if err != nil {
+ e2elog.Failf("failed to delete storageclass: %v", err)
+ }
+ scOpts := map[string]string{
+ "encrypted": "true",
+ "encryptionKMSID": "user-secrets-metadata-test",
+ }
+ err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, scOpts, deletePolicy)
+ if err != nil {
+ e2elog.Failf("failed to create storageclass: %v", err)
+ }
+
+ // PVC creation namespace where secret will be created
+ namespace := f.UniqueName
+
+ // create user Secret
+ secret, err := getSecret(vaultExamplePath + "user-secret.yaml")
+ if err != nil {
+ e2elog.Failf("failed to load user Secret: %v", err)
+ }
+ _, err = c.CoreV1().Secrets(namespace).Create(context.TODO(), &secret, metav1.CreateOptions{})
+ if err != nil {
+ e2elog.Failf("failed to create user Secret: %v", err)
+ }
+
+ err = validateEncryptedPVCAndAppBinding(pvcPath, appPath, "", f)
+ if err != nil {
+ e2elog.Failf("failed to validate encrypted pvc: %v", err)
+ }
+ // validate created backend rbd images
+ validateRBDImageCount(f, 0, defaultRBDPool)
+
+ // delete user secret
+ err = c.CoreV1().Secrets(namespace).Delete(context.TODO(), secret.Name, metav1.DeleteOptions{})
+ if err != nil {
+ e2elog.Failf("failed to delete user Secret: %v", err)
+ }
+
+ err = deleteResource(rbdExamplePath + "storageclass.yaml")
+ if err != nil {
+ e2elog.Failf("failed to delete storageclass: %v", err)
+ }
+ err = createRBDStorageClass(f.ClientSet, f, defaultSCName, nil, nil, deletePolicy)
+ if err != nil {
+ e2elog.Failf("failed to create storageclass: %v", err)
+ }
+ })
+
 By(
 "create a PVC and Bind it to an app with journaling/exclusive-lock image-features and rbd-nbd mounter",
 func() {
diff --git a/examples/kms/vault/csi-kms-connection-details.yaml b/examples/kms/vault/csi-kms-connection-details.yaml
index c941721a6..6df4a2955 100644
--- a/examples/kms/vault/csi-kms-connection-details.yaml
+++ b/examples/kms/vault/csi-kms-connection-details.yaml
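Review bot: The first `By` closure creates the user Secret in `namespace := cephCSINamespace`, while the `user-ns-secrets-metadata-test` entries this commit adds to csi-kms-connection-details.yaml and kms-config.yaml pin `"secretNamespace": "default"`; unless cephCSINamespace is guaranteed to be `default` in every e2e run, the driver will look for `storage-encryption-secret` in the wrong namespace and the PVC validation fails for a reason unrelated to encryption. Either derive the namespace from the KMS entry or make the assumption explicit before creating the Secret, e.g. `if cephCSINamespace != "default" { e2elog.Failf("user-ns-secrets-metadata-test expects the secret in namespace \"default\", got %q", cephCSINamespace) }`. In both closures the Secret holding the passphrase is deleted only on the success path, so a failing `validateEncryptedPVCAndAppBinding` leaves it in the namespace and a rerun against the same cluster presumably fails on Create with AlreadyExists; a `defer` of the Delete call placed right after the successful Create (logging rather than failing on error) would keep the cleanup on the failure path. The two closures differ only in the KMS ID and the namespace, so a small helper taking `(kmsID, namespace string)` would halve this hunk and keep the two cases from drifting. The enclosing `Describe` callback starts and ends outside the hunk.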
@@ -35,6 +35,17 @@ data:
 {
 "encryptionKMSType": "metadata"
 }
+ user-ns-secrets-metadata-test: |-
+ {
+ "encryptionKMSType": "metadata",
+ "secretName": "storage-encryption-secret",
+ "secretNamespace": "default"
+ }
+ user-secrets-metadata-test: |-
+ {
+ "encryptionKMSType": "metadata",
+ "secretName": "storage-encryption-secret"
+ }
 aws-metadata-test: |-
 {
 "KMS_PROVIDER": "aws-metadata",
diff --git a/examples/kms/vault/kms-config.yaml b/examples/kms/vault/kms-config.yaml
index 9fd554c5d..1af4c543c 100644
--- a/examples/kms/vault/kms-config.yaml
+++ b/examples/kms/vault/kms-config.yaml
@@ -33,6 +33,15 @@ data:
 },
 "secrets-metadata-test": {
 "encryptionKMSType": "metadata"
+ },
+ "user-ns-secrets-metadata-test": {
+ "encryptionKMSType": "metadata",
+ "secretName": "storage-encryption-secret",
+ "secretNamespace": "default"
+ },
+ "user-secrets-metadata-test": {
+ "encryptionKMSType": "metadata",
+ "secretName": "storage-encryption-secret"
 }
 }
 metadata:
diff --git a/examples/kms/vault/user-secret.yaml b/examples/kms/vault/user-secret.yaml
new file mode 100644
index 000000000..a45e30a05
--- /dev/null
+++ b/examples/kms/vault/user-secret.yaml
@@ -0,0 +1,11 @@
+---
+# This is the user secret containing encryptionPasspharse that can be
+# created in a Kubernetes Namespace for encrypting PVCs with the
+# "user-ns-secrets-metadata-test" or "user-secrets-metadata-test"
+# encryptionKMSID.
+apiVersion: v1
+kind: Secret
+metadata:
+ name: storage-encryption-secret
+stringData:
+ encryptionPassphrase: test-encryption
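Review bot: The header comment of the new user-secret.yaml misspells the key it documents: `encryptionPasspharse` should read `encryptionPassphrase`, matching the `stringData` key on the last line. Since this file lives under examples/ and the new e2e appears to load it verbatim through `vaultExamplePath + "user-secret.yaml"`, the comment should also state that `test-encryption` is a fixed placeholder for the test suite and that a real deployment must supply its own passphrase, e.g. `# The passphrase below is a placeholder used by the e2e tests; replace it before use.`.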