From 53d299b22acb3bf86db8520711442a6a40c15efe Mon Sep 17 00:00:00 2001
From: Praveen M
Date: Mon, 7 Oct 2024 16:51:21 +0530
Subject: [PATCH] kms: add key rotation tests for vault

Signed-off-by: Praveen M
---
 pkg/util/kms/test/dev/kms_dev_test.go | 8 +++-
 pkg/util/kms/test/tls-sa/kms_tls_sa_test.go | 40 +++++++++++++++++
 .../kms/test/tls-token/kms_tls_token_test.go | 44 +++++++++++++++++++
 3 files changed, 90 insertions(+), 2 deletions(-)

diff --git a/pkg/util/kms/test/dev/kms_dev_test.go b/pkg/util/kms/test/dev/kms_dev_test.go
index c828bb458..cdcec0365 100644
--- a/pkg/util/kms/test/dev/kms_dev_test.go
+++ b/pkg/util/kms/test/dev/kms_dev_test.go
@@ -41,8 +41,12 @@ func simpleKmsSpec(token, apiAddress string) nbv1.KeyManagementServiceSpec {
 func checkExternalSecret(noobaa *nbv1.NooBaa, expectedNil bool) {
 	k := noobaa.Spec.Security.KeyManagementService
 	uid := string(noobaa.UID)
-	driver := &kms.Vault{UID: uid}
-	path := k.ConnectionDetails[vault.VaultBackendPathKey] + driver.Path()
+	driver := kms.NewVault(noobaa.Name, noobaa.Namespace, uid)
+	secretPath := driver.Path()
+	if v, ok := (driver.Version(nil)).(*kms.VersionRotatingSecret); ok {
+		secretPath = v.BackendSecretName()
+	}
+	path := k.ConnectionDetails[vault.VaultBackendPathKey] + secretPath
 	cmd := exec.Command("kubectl", "exec", "vault-0", "--", "vault", "kv", "get", path)
 	logger.Printf("Running command: path %v args %v ", cmd.Path, cmd.Args)
 	err := cmd.Run()
diff --git a/pkg/util/kms/test/tls-sa/kms_tls_sa_test.go b/pkg/util/kms/test/tls-sa/kms_tls_sa_test.go
index dc5ba2640..785f8604f 100644
--- a/pkg/util/kms/test/tls-sa/kms_tls_sa_test.go
+++ b/pkg/util/kms/test/tls-sa/kms_tls_sa_test.go
@@ -3,6 +3,7 @@ package kmstlstestsa
 import (
 	"os"
 
+	"github.com/libopenstorage/secrets"
 	"github.com/libopenstorage/secrets/vault"
 	nbv1 "github.com/noobaa/noobaa-operator/v5/pkg/apis/noobaa/v1alpha1"
 	"github.com/noobaa/noobaa-operator/v5/pkg/options"
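Review bot: The type assertion in checkExternalSecret silently decides which Vault path the `vault kv get` probes, and nothing explains why `nil` is an acceptable argument to `driver.Version`; a reader who does not know pkg/util/kms cannot tell whether a nil dereference is possible here. I would add a hedged why-comment above the `if`, e.g. `// rotating backends store the key under a versioned secret name instead of driver.Path(); Version(nil) is assumed safe because only the returned type is inspected — confirm against kms.Vault.Version`. As a point of style the extra parentheses are noise: `if v, ok := driver.Version(nil).(*kms.VersionRotatingSecret); ok {`. checkExternalSecret's body continues past the end of the hunk.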
@@ -90,4 +91,43 @@ var _ = Describe("KMS - TLS Vault SA", func() {
 		})
 	})
 
+	Context("Verify Rotate", func() {
+		apiAddress, apiAddressFound := os.LookupEnv("API_ADDRESS")
+		noobaa := getMiniNooBaa()
+		noobaa.Spec.Security.KeyManagementService = tlsSAKMSSpec(apiAddress)
+		noobaa.Spec.Security.KeyManagementService.EnableKeyRotation = true
+		noobaa.Spec.Security.KeyManagementService.Schedule = "* * * * *" // every min
+
+		Specify("Verify API Address", func() {
+			Expect(apiAddressFound).To(BeTrue())
+		})
+		Specify("Create key rotate schedule system", func() {
+			Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
+		})
+		Specify("Verify KMS condition Type", func() {
+			Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, secrets.TypeVault)).To(BeTrue())
+		})
+		Specify("Verify KMS condition status Init", func() {
+			Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
+		})
+		Specify("Restart NooBaa operator", func() {
+			podList := &corev1.PodList{}
+			podSelector, _ := labels.Parse("noobaa-operator=deployment")
+			listOptions := client.ListOptions{Namespace: options.Namespace, LabelSelector: podSelector}
+
+			Expect(util.KubeList(podList, &listOptions)).To(BeTrue())
+			Expect(len(podList.Items)).To(BeEquivalentTo(1))
+			Expect(util.KubeDelete(&podList.Items[0])).To(BeTrue())
+		})
+		Specify("Verify KMS condition status Sync", func() {
+			Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSSync)).To(BeTrue())
+		})
+		Specify("Verify KMS condition status Key Rotate", func() {
+			Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSKeyRotate)).To(BeTrue())
+		})
+		Specify("Delete NooBaa", func() {
+			Expect(util.KubeDelete(noobaa)).To(BeTrue())
+		})
+	})
+
 })
diff --git a/pkg/util/kms/test/tls-token/kms_tls_token_test.go b/pkg/util/kms/test/tls-token/kms_tls_token_test.go
index 8900ab10f..cf081224e 100644
--- a/pkg/util/kms/test/tls-token/kms_tls_token_test.go
+++ b/pkg/util/kms/test/tls-token/kms_tls_token_test.go
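Review bot: The error from `labels.Parse("noobaa-operator=deployment")` in the "Restart NooBaa operator" step is thrown away, so a malformed selector would only surface later as a confusing "expected 1 pod, got 0" failure instead of at the parse; in a Ginkgo spec that is one extra line: `podSelector, err := labels.Parse("noobaa-operator=deployment")` followed by `Expect(err).NotTo(HaveOccurred())`. The count check reads better as the Gomega idiom `Expect(podList.Items).To(HaveLen(1))`, which also prints the offending pod list on failure. The entire restart block is duplicated verbatim in kms_tls_token_test.go in this same patch, so a shared helper in util (for example `util.RestartNooBaaOperator()`) would keep the two copies from drifting. The enclosing Describe begins before the hunk.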
@@ -3,6 +3,7 @@ package kmstlstesttoken
 import (
 	"os"
 
+	"github.com/libopenstorage/secrets"
 	"github.com/libopenstorage/secrets/vault"
 	nbv1 "github.com/noobaa/noobaa-operator/v5/pkg/apis/noobaa/v1alpha1"
 	"github.com/noobaa/noobaa-operator/v5/pkg/options"
@@ -77,4 +78,47 @@ var _ = Describe("KMS - TLS Vault Token", func() {
 			Expect(util.KubeDelete(noobaa)).To(BeTrue())
 		})
 	})
+
+	Context("Verify Rotate", func() {
+		noobaa := getMiniNooBaa()
+		noobaa.Spec.Security.KeyManagementService = tlsTokenKMSSpec(tokenSecretName, apiAddress)
+		noobaa.Spec.Security.KeyManagementService.EnableKeyRotation = true
+		noobaa.Spec.Security.KeyManagementService.Schedule = "* * * * *" // every min
+
+		Specify("Verify API Address", func() {
+			Expect(apiAddressFound).To(BeTrue())
+		})
+		Specify("Verify Token secret", func() {
+			Expect(tokenSecretNameFound).To(BeTrue())
+			logger.Printf("💬 Found TOKEN_SECRET_NAME=%v", tokenSecretName)
+			logger.Printf("💬 KMS Spec %v", noobaa.Spec.Security.KeyManagementService)
+		})
+		Specify("Create key rotate schedule system", func() {
+			Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
+		})
+		Specify("Verify KMS condition Type", func() {
+			Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, secrets.TypeVault)).To(BeTrue())
+		})
+		Specify("Verify KMS condition status Init", func() {
+			Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
+		})
+		Specify("Restart NooBaa operator", func() {
+			podList := &corev1.PodList{}
+			podSelector, _ := labels.Parse("noobaa-operator=deployment")
+			listOptions := client.ListOptions{Namespace: options.Namespace, LabelSelector: podSelector}
+
+			Expect(util.KubeList(podList, &listOptions)).To(BeTrue())
+			Expect(len(podList.Items)).To(BeEquivalentTo(1))
+			Expect(util.KubeDelete(&podList.Items[0])).To(BeTrue())
+		})
+		Specify("Verify KMS condition status Sync", func() {
+			Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSSync)).To(BeTrue())
+		})
+		Specify("Verify KMS condition status Key Rotate", func() {
+			Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSKeyRotate)).To(BeTrue())
+		})
+		Specify("Delete NooBaa", func() {
+			Expect(util.KubeDelete(noobaa)).To(BeTrue())
+		})
+	})
 })
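Review bot: The "Verify KMS condition status Key Rotate" step only proves that the operator reported `ConditionKMSKeyRotate` on the NooBaa status; nothing in this Context checks the Vault side, so a rotation that sets the condition but never writes a new key version would still pass (unless util.NooBaaCondStatus does more than read the condition, which I cannot see from here). The dev suite in this same patch does exactly that kind of external check with a `vault kv get` on the rotated secret path, and an equivalent assertion after the condition check would make this a rotation test rather than a condition test. Separately, `logger.Printf("💬 KMS Spec %v", noobaa.Spec.Security.KeyManagementService)` prints the whole spec including ConnectionDetails into the CI log, which is only acceptable as long as tlsTokenKMSSpec carries the token secret name and never the token value — worth confirming, or log just the fields the step needs. The enclosing Describe begins before the hunk.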