

kms: add vault key rotation tests
Signed-off-by: Praveen M <[email protected]>
iPraveenParihar committed Oct 6, 2024
1 parent 372422e commit 8d3c3fc
Showing 3 changed files with 89 additions and 1 deletion.
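--- a/pkg/util/kms/test/dev/kms_dev_test.go
+++ b/pkg/util/kms/test/dev/kms_dev_test.go
@@ -42,7 +42,11 @@ func checkExternalSecret(noobaa *nbv1.NooBaa, expectedNil bool) {
 k := noobaa.Spec.Security.KeyManagementService
 uid := string(noobaa.UID)
 driver := kms.NewVault(noobaa.Name, noobaa.Namespace, uid)
-path := k.ConnectionDetails[vault.VaultBackendPathKey] + driver.Path()
+secretPath := driver.Path()
+if v, ok := (driver.Version(nil)).(*kms.VersionRotatingSecret); ok {
+secretPath = v.BackendSecretName()
+}
+path := k.ConnectionDetails[vault.VaultBackendPathKey] + secretPath
 cmd := exec.Command("kubectl", "exec", "vault-0", "--", "vault", "kv", "get", path)
 logger.Printf("Running command: path %v args %v ", cmd.Path, cmd.Args)
 err := cmd.Run()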
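Review bot: The new branch that replaces driver.Path() with v.BackendSecretName() carries no comment on why a rotating driver keeps the key under a different backend name, and the nil passed to driver.Version is unexplained; add above the if `// with key rotation enabled the key lives under the rotating backend secret, not under the plain driver path`, and say what nil means for Version if it has a meaning worth recording. Because checkExternalSecret is also called with expectedNil set (per its signature) and its body continues past the hunk, a wrong secretPath would make the "secret absent" assertion pass vacuously, so it is worth logging which branch was taken so a vacuous pass is visible in the test output. The helper still reports only the exit status of cmd.Run, so a kubectl or vault error is indistinguishable from a missing key; this is hedged, since the handling after that line is outside the hunk.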
40 changes: 40 additions & 0 deletions pkg/util/kms/test/tls-sa/kms_tls_sa_test.go
Expand Up @@ -3,6 +3,7 @@ package kmstlstestsa
import (
"os"

"github.com/libopenstorage/secrets"
"github.com/libopenstorage/secrets/vault"
nbv1 "github.com/noobaa/noobaa-operator/v5/pkg/apis/noobaa/v1alpha1"
"github.com/noobaa/noobaa-operator/v5/pkg/options"
Expand Down Expand Up @@ -90,4 +91,43 @@ var _ = Describe("KMS - TLS Vault SA", func() {
})
})

Context("Verify Rotate", func() {
apiAddress, apiAddressFound := os.LookupEnv("API_ADDRESS")
noobaa := getMiniNooBaa()
noobaa.Spec.Security.KeyManagementService = tlsSAKMSSpec(apiAddress)
noobaa.Spec.Security.KeyManagementService.EnableKeyRotation = true
noobaa.Spec.Security.KeyManagementService.Schedule = "* * * * *" // every min

Specify("Verify API Address", func() {
Expect(apiAddressFound).To(BeTrue())
})
Specify("Create key rotate schedule system", func() {
Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
})
Specify("Verify KMS condition Type", func() {
Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, secrets.TypeVault)).To(BeTrue())
})
Specify("Verify KMS condition status Init", func() {
Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
})
Specify("Restart NooBaa operator", func() {
podList := &corev1.PodList{}
podSelector, _ := labels.Parse("noobaa-operator=deployment")
listOptions := client.ListOptions{Namespace: options.Namespace, LabelSelector: podSelector}

Expect(util.KubeList(podList, &listOptions)).To(BeTrue())
Expect(len(podList.Items)).To(BeEquivalentTo(1))
Expect(util.KubeDelete(&podList.Items[0])).To(BeTrue())
})
Specify("Verify KMS condition status Sync", func() {
Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSSync)).To(BeTrue())
})
Specify("Verify KMS condition status Key Rotate", func() {
Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSKeyRotate)).To(BeTrue())
})
Specify("Delete NooBaa", func() {
Expect(util.KubeDelete(noobaa)).To(BeTrue())
})
})

})
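Review bot: The error from labels.Parse on the podSelector line in "Restart NooBaa operator" is discarded, so a malformed selector would silently yield an empty pod list and surface only as a confusing length mismatch two lines later; change it to `podSelector, err := labels.Parse("noobaa-operator=deployment")` followed by `Expect(err).ToNot(HaveOccurred())`. The same discarded error appears in the identical block in pkg/util/kms/test/tls-token/kms_tls_token_test.go. The expectation that len(podList.Items) equals 1 may flake if the deployment is already rolling a replacement pod when the list runs, but that is hedged, since KubeList's behaviour is not visible here. The `// every min` trailing comment on the Schedule line could state the intent, e.g. `// one-minute schedule keeps the wait for ConditionKMSKeyRotate short`.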
44 changes: 44 additions & 0 deletions pkg/util/kms/test/tls-token/kms_tls_token_test.go
Expand Up @@ -3,6 +3,7 @@ package kmstlstesttoken
import (
"os"

"github.com/libopenstorage/secrets"
"github.com/libopenstorage/secrets/vault"
nbv1 "github.com/noobaa/noobaa-operator/v5/pkg/apis/noobaa/v1alpha1"
"github.com/noobaa/noobaa-operator/v5/pkg/options"
Expand Down Expand Up @@ -77,4 +78,47 @@ var _ = Describe("KMS - TLS Vault Token", func() {
Expect(util.KubeDelete(noobaa)).To(BeTrue())
})
})

Context("Verify Rotate", func() {
noobaa := getMiniNooBaa()
noobaa.Spec.Security.KeyManagementService = tlsTokenKMSSpec(tokenSecretName, apiAddress)
noobaa.Spec.Security.KeyManagementService.EnableKeyRotation = true
noobaa.Spec.Security.KeyManagementService.Schedule = "* * * * *" // every min

Specify("Verify API Address", func() {
Expect(apiAddressFound).To(BeTrue())
})
Specify("Verify Token secret", func() {
Expect(tokenSecretNameFound).To(BeTrue())
logger.Printf("💬 Found TOKEN_SECRET_NAME=%v", tokenSecretName)
logger.Printf("💬 KMS Spec %v", noobaa.Spec.Security.KeyManagementService)
})
Specify("Create key rotate schedule system", func() {
Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
})
Specify("Verify KMS condition Type", func() {
Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, secrets.TypeVault)).To(BeTrue())
})
Specify("Verify KMS condition status Init", func() {
Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
})
Specify("Restart NooBaa operator", func() {
podList := &corev1.PodList{}
podSelector, _ := labels.Parse("noobaa-operator=deployment")
listOptions := client.ListOptions{Namespace: options.Namespace, LabelSelector: podSelector}

Expect(util.KubeList(podList, &listOptions)).To(BeTrue())
Expect(len(podList.Items)).To(BeEquivalentTo(1))
Expect(util.KubeDelete(&podList.Items[0])).To(BeTrue())
})
Specify("Verify KMS condition status Sync", func() {
Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSSync)).To(BeTrue())
})
Specify("Verify KMS condition status Key Rotate", func() {
Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSKeyRotate)).To(BeTrue())
})
Specify("Delete NooBaa", func() {
Expect(util.KubeDelete(noobaa)).To(BeTrue())
})
})
})
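Review bot: The line `logger.Printf("💬 KMS Spec %v", noobaa.Spec.Security.KeyManagementService)` in "Verify Token secret" dumps the entire KeyManagementService spec into the test output; if the spec built by tlsTokenKMSSpec or its ConnectionDetails ever carries more than secret names and addresses, that material lands in CI logs. Log only the fields this Context sets, e.g. `logger.Printf("💬 KMS rotation enabled=%v schedule=%q", noobaa.Spec.Security.KeyManagementService.EnableKeyRotation, noobaa.Spec.Security.KeyManagementService.Schedule)`. apiAddress, apiAddressFound, tokenSecretName and tokenSecretNameFound are not declared in this Context, so they presumably come from the enclosing Describe outside the hunk, whereas the SA test's Context re-reads API_ADDRESS locally; aligning the two files would make them easier to keep in step.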
