Tests for key manager upgrades #2517

kostko · 2020-01-06T11:04:30Z

Depends on #2516.

We should add E2E tests for key manager runtime upgrades (without production keys).

The process of upgrading the KM is the following:

First make sure an initial key manager is registered and operational.
Build an upgraded key manager runtime enclave (anything which changes MRENCLAVE should be fine).
Update the key manager policy to include the MRENCLAVE for the new runtime and wait for the policy to propagate.
Leave old key manager nodes running.
Spin up new key manager nodes with upgraded enclave.
Wait for the key manager nodes to replicate the master secret.
Verify that the key manager nodes work.
Take down old key manager nodes.
Verify that the key manager nodes work.

kostko added c:testing Category: testing c:key management Category: key management labels Jan 6, 2020

kostko assigned tjanez Feb 14, 2020

kostko assigned Yawning and unassigned tjanez Apr 13, 2020

kostko mentioned this issue Apr 24, 2020

Tests for runtime upgrades #2520

Closed

ptrus assigned ptrus and unassigned Yawning May 12, 2020

kostko mentioned this issue May 18, 2020

Notify runtimes of its key manager policy updates #2919

Closed

ptrus mentioned this issue May 18, 2020

KM upgrade E2E test #2920

Merged

3 tasks

ptrus closed this as completed in #2920 May 21, 2020

Provide feedback