-
Notifications
You must be signed in to change notification settings - Fork 91
added kmip server side encryption tests #2379
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: development/2.14
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| #!/bin/bash | ||
| # setup-kmip.sh — Deploy PyKMIP mock server for KMIP SSE testing. | ||
| # Idempotent | ||
| # | ||
| # Deploys PyKMIP infra (certs, pod, service). The Zenko CR is patched | ||
| # by the CTST Before hook when @ServerSideEncryptionKmip tests start. | ||
|
|
||
| set -euo pipefail | ||
|
|
||
| ZENKO_NAME="${ZENKO_NAME:-end2end}" | ||
| NAMESPACE="${NAMESPACE:-default}" | ||
|
|
||
| # 1. Certs + secrets | ||
|
|
||
| if kubectl get secret "${ZENKO_NAME}-kmip-certs" -n "${NAMESPACE}" &>/dev/null; then | ||
| echo "KMIP secrets already exist, skipping cert generation" | ||
| else | ||
| echo "Generating KMIP TLS certificates..." | ||
| D=$(mktemp -d) | ||
| trap 'rm -rf "$D"' EXIT | ||
|
|
||
| openssl genrsa -out "$D/ca.key" 4096 2>/dev/null | ||
| openssl req -new -x509 -key "$D/ca.key" -out "$D/ca.pem" \ | ||
| -days 3650 -subj "/CN=KMIP-CA" 2>/dev/null | ||
|
|
||
| openssl genrsa -out "$D/server.key" 4096 2>/dev/null | ||
| openssl req -new -key "$D/server.key" -out "$D/server.csr" \ | ||
| -subj "/CN=pykmip" 2>/dev/null | ||
| openssl x509 -req -in "$D/server.csr" -CA "$D/ca.pem" -CAkey "$D/ca.key" \ | ||
| -CAcreateserial -out "$D/server.crt" -days 3650 \ | ||
| -extfile <(printf "subjectAltName=DNS:pykmip,DNS:pykmip.%s.svc.cluster.local" "$NAMESPACE") \ | ||
| 2>/dev/null | ||
|
|
||
| openssl genrsa -out "$D/client.key" 4096 2>/dev/null | ||
| openssl req -new -key "$D/client.key" -out "$D/client.csr" \ | ||
| -subj "/CN=cloudserver-client" 2>/dev/null | ||
| openssl x509 -req -in "$D/client.csr" -CA "$D/ca.pem" -CAkey "$D/ca.key" \ | ||
| -CAcreateserial -out "$D/client.crt" -days 3650 \ | ||
| -extfile <(printf "extendedKeyUsage=clientAuth") 2>/dev/null | ||
|
|
||
| kubectl create secret generic "${ZENKO_NAME}-kmip-certs" \ | ||
| --from-file=ca.pem="$D/ca.pem" --from-file=cert.pem="$D/client.crt" \ | ||
| --from-file=key.pem="$D/client.key" \ | ||
| --dry-run=client -o yaml | kubectl apply -f - | ||
|
|
||
| kubectl create secret generic pykmip-server-certs \ | ||
| --from-file=ca.crt="$D/ca.pem" --from-file=server.crt="$D/server.crt" \ | ||
| --from-file=server.key="$D/server.key" \ | ||
| --dry-run=client -o yaml | kubectl apply -f - | ||
| fi | ||
|
|
||
| # 2. PyKMIP startup script | ||
|
|
||
| kubectl create configmap pykmip-server-script --dry-run=client -o yaml \ | ||
| --from-literal=run_pykmip.py=' | ||
| import logging; from kmip.services.server import KmipServer | ||
| logging.basicConfig(level=logging.INFO) | ||
| server = KmipServer(hostname="0.0.0.0", port=5696, | ||
| certificate_path="/certs/server.crt", key_path="/certs/server.key", | ||
| ca_path="/certs/ca.crt", auth_suite="TLS1.2", config_path=None, | ||
| enable_tls_client_auth=True, database_path="/tmp/pykmip.db") | ||
| with server: server.serve() | ||
| ' | kubectl apply -f - | ||
|
|
||
| # 3. Deploy PyKMIP pod + service (inline YAML) | ||
|
|
||
| if ! kubectl get deployment pykmip -n "${NAMESPACE}" &>/dev/null; then | ||
| kubectl apply -n "${NAMESPACE}" -f - <<'YAML' | ||
| apiVersion: v1 | ||
| kind: Service | ||
| metadata: | ||
| name: pykmip | ||
| spec: | ||
| selector: { name: pykmip } | ||
| ports: [{ name: kmip, port: 5696, targetPort: 5696 }] | ||
| --- | ||
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: pykmip | ||
| labels: { name: pykmip } | ||
| spec: | ||
| replicas: 1 | ||
| selector: | ||
| matchLabels: { name: pykmip } | ||
| template: | ||
| metadata: | ||
| labels: { name: pykmip } | ||
| spec: | ||
| initContainers: | ||
| - name: install | ||
| image: docker.io/library/python:3.10-slim | ||
| command: [pip, install, --target=/pykmip-libs, pykmip==0.10.0, -q] | ||
| volumeMounts: [{ name: pykmip-libs, mountPath: /pykmip-libs }] | ||
| containers: | ||
| - name: pykmip | ||
| image: docker.io/library/python:3.10-slim | ||
| command: [python3, /scripts/run_pykmip.py] | ||
| env: [{ name: PYTHONPATH, value: /pykmip-libs }] | ||
| ports: [{ containerPort: 5696 }] | ||
| readinessProbe: | ||
| tcpSocket: { port: 5696 } | ||
| initialDelaySeconds: 5 | ||
| periodSeconds: 3 | ||
| volumeMounts: | ||
| - { name: certs, mountPath: /certs, readOnly: true } | ||
| - { name: scripts, mountPath: /scripts, readOnly: true } | ||
| - { name: pykmip-libs, mountPath: /pykmip-libs } | ||
| volumes: | ||
| - { name: certs, secret: { secretName: pykmip-server-certs } } | ||
| - { name: scripts, configMap: { name: pykmip-server-script } } | ||
| - { name: pykmip-libs, emptyDir: {} } | ||
| YAML | ||
| echo "Waiting for PyKMIP..." | ||
| kubectl wait --for=condition=Available deployment/pykmip -n "${NAMESPACE}" --timeout=5m | ||
| else | ||
| echo "PyKMIP already deployed" | ||
| fi | ||
|
|
||
| echo "PyKMIP infra ready" |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,7 +6,7 @@ import { | |
| ITestCaseHookParameter, | ||
| } from '@cucumber/cucumber'; | ||
| import Zenko from '../world/Zenko'; | ||
| import { CacheHelper, Identity } from 'cli-testing'; | ||
| import { CacheHelper, Identity, WorkCoordination } from 'cli-testing'; | ||
| import { prepareQuotaScenarios, teardownQuotaScenarios } from 'steps/quotas/quotas'; | ||
| import { prepareUtilizationScenarios } from 'steps/utilization/utilizationAPI'; | ||
| import { prepareMetricsScenarios } from './utils'; | ||
|
|
@@ -16,6 +16,7 @@ import { displayDebuggingInformation, preparePRA } from 'steps/pra'; | |
| import { | ||
| cleanupAccount, | ||
| } from './utils'; | ||
| import { createKubeCustomObjectClient, waitForZenkoToStabilize } from 'steps/utils/kubernetes'; | ||
|
|
||
| import 'cli-testing/hooks/KeycloakSetup'; | ||
| import 'cli-testing/hooks/Logger'; | ||
|
|
@@ -33,6 +34,7 @@ const noParallelRun = atMostOnePicklePerTag([ | |
| '@AfterAll', | ||
| '@PRA', | ||
| '@ColdStorage', | ||
| '@ServerSideEncryption', | ||
| ...replicationLockTags | ||
| ]); | ||
|
|
||
|
|
@@ -75,6 +77,65 @@ Before({ tags: '@PrepareStorageUsageReportingScenarios', timeout: 1200000 }, asy | |
| }); | ||
| }); | ||
|
|
||
| Before({ tags: '@ServerSideEncryptionKmip', timeout: 15 * 60 * 1000 }, | ||
|
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. best i can come up with in CUCUMBER TESTS to have certains tests ran after others |
||
| // Patch the Zenko CR with KMIP configuration before running any KMIP-related tests | ||
| async function (this: Zenko) { | ||
| const lockName = `kmip-cr-patch-${process.ppid}`; | ||
| await WorkCoordination.runOnceAcrossWorkers( | ||
| { lockName, logger: this.logger }, | ||
| async () => { | ||
| const namespace = 'default'; | ||
| const zenkoName = 'end2end'; | ||
| const client = createKubeCustomObjectClient(this); | ||
| const cr = await client.getNamespacedCustomObject({ | ||
| group: 'zenko.io', | ||
| version: 'v1alpha2', | ||
| namespace, | ||
| plural: 'zenkos', | ||
| name: zenkoName, | ||
| }) as { | ||
| spec?: { | ||
| kms?: { | ||
| kmip?: { | ||
| providerName?: string; | ||
| tlsSecretName?: string; | ||
| endpoints?: { host?: string; port?: number }[]; | ||
| }; | ||
| }; | ||
| }; | ||
| }; | ||
| const alreadyConfigured = | ||
| cr?.spec?.kms?.kmip?.providerName === 'pykmip' | ||
| && cr?.spec?.kms?.kmip?.endpoints?.some( | ||
| ep => ep.host === `pykmip.${namespace}.svc.cluster.local` && ep.port === 5696, | ||
| ); | ||
| if (alreadyConfigured) { | ||
| return; | ||
| } | ||
|
|
||
| const kmipValue = { | ||
| providerName: 'pykmip', | ||
| tlsSecretName: `${zenkoName}-kmip-certs`, | ||
| endpoints: [{ | ||
| host: `pykmip.${namespace}.svc.cluster.local`, | ||
| port: 5696, | ||
| }], | ||
| }; | ||
|
|
||
| await client.patchNamespacedCustomObject({ | ||
| group: 'zenko.io', | ||
| version: 'v1alpha2', | ||
| namespace, | ||
| plural: 'zenkos', | ||
| name: zenkoName, | ||
| body: [{ op: 'add', path: '/spec/kms', value: { kmip: kmipValue } }], | ||
| }); | ||
| await waitForZenkoToStabilize(this, true); | ||
| }, | ||
| ); | ||
| }, | ||
| ); | ||
|
|
||
| After(async function (this: Zenko, results) { | ||
| // Reset any configuration set on the endpoint (ssl, port) | ||
| CacheHelper.parameters.ssl = this.parameters.ssl; | ||
|
|
||
|
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. again, might have added too many tests that aren't super useful for FUNCTIONAL testing 🤔 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TO BE DONE
!