From 8d3c3fccb798fa3223ca48e56720b8d03d44eeca Mon Sep 17 00:00:00 2001
From: Praveen M
Date: Sun, 6 Oct 2024 19:35:39 +0530
Subject: [PATCH] kms: add vault key rotation tests

Signed-off-by: Praveen M
---
 pkg/util/kms/test/dev/kms_dev_test.go | 6 ++-
 pkg/util/kms/test/tls-sa/kms_tls_sa_test.go | 40 +++++++++++++++++
 .../kms/test/tls-token/kms_tls_token_test.go | 44 +++++++++++++++++++
 3 files changed, 89 insertions(+), 1 deletion(-)

diff --git a/pkg/util/kms/test/dev/kms_dev_test.go b/pkg/util/kms/test/dev/kms_dev_test.go
index 82fc81cf9..d41601a4b 100644
--- a/pkg/util/kms/test/dev/kms_dev_test.go
+++ b/pkg/util/kms/test/dev/kms_dev_test.go
@@ -42,7 +42,11 @@ func checkExternalSecret(noobaa *nbv1.NooBaa, expectedNil bool) {
 k := noobaa.Spec.Security.KeyManagementService
 uid := string(noobaa.UID)
 driver := kms.NewVault(noobaa.Name, noobaa.Namespace, uid)
- path := k.ConnectionDetails[vault.VaultBackendPathKey] + driver.Path()
+ secretPath := driver.Path()
+ if v, ok := (driver.Version(nil)).(*kms.VersionRotatingSecret); ok {
+ secretPath = v.BackendSecretName()
+ }
+ path := k.ConnectionDetails[vault.VaultBackendPathKey] + secretPath
 cmd := exec.Command("kubectl", "exec", "vault-0", "--", "vault", "kv", "get", path)
 logger.Printf("Running command: path %v args %v ", cmd.Path, cmd.Args)
 err := cmd.Run()
diff --git a/pkg/util/kms/test/tls-sa/kms_tls_sa_test.go b/pkg/util/kms/test/tls-sa/kms_tls_sa_test.go
index f2e3d84f2..f960b6c91 100644
--- a/pkg/util/kms/test/tls-sa/kms_tls_sa_test.go
+++ b/pkg/util/kms/test/tls-sa/kms_tls_sa_test.go
@@ -3,6 +3,7 @@ package kmstlstestsa import ( "os" + "github.com/libopenstorage/secrets" "github.com/libopenstorage/secrets/vault" nbv1 "github.com/noobaa/noobaa-operator/v5/pkg/apis/noobaa/v1alpha1" "github.com/noobaa/noobaa-operator/v5/pkg/options"
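Review bot: The new lookup in checkExternalSecret calls `driver.Version(nil)` and type-asserts the result to `*kms.VersionRotatingSecret` without saying why a nil argument is acceptable or why a rotating secret is probed under `BackendSecretName()` rather than `driver.Path()`; a reader of this helper cannot tell whether the nil is a test-only shortcut or a documented contract of Version. Suggest a comment above the `if`, along the lines of `// rotating secrets live under the versioned backend name, not the plain driver path; Version(nil) is presumably safe here because only the concrete type of the result is inspected — TODO confirm`. The parentheses in `(driver.Version(nil)).(*kms.VersionRotatingSecret)` are redundant; `driver.Version(nil).(*kms.VersionRotatingSecret)` is the idiomatic form. checkExternalSecret's body, including the handling of `expectedNil`, continues past the end of the hunk.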
@@ -90,4 +91,43 @@ var _ = Describe("KMS - TLS Vault SA", func() {
 })
 })
+ Context("Verify Rotate", func() {
+ apiAddress, apiAddressFound := os.LookupEnv("API_ADDRESS")
+ noobaa := getMiniNooBaa()
+ noobaa.Spec.Security.KeyManagementService = tlsSAKMSSpec(apiAddress)
+ noobaa.Spec.Security.KeyManagementService.EnableKeyRotation = true
+ noobaa.Spec.Security.KeyManagementService.Schedule = "* * * * *" // every min
+
+ Specify("Verify API Address", func() {
+ Expect(apiAddressFound).To(BeTrue())
+ })
+ Specify("Create key rotate schedule system", func() {
+ Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
+ })
+ Specify("Verify KMS condition Type", func() {
+ Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, secrets.TypeVault)).To(BeTrue())
+ })
+ Specify("Verify KMS condition status Init", func() {
+ Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
+ })
+ Specify("Restart NooBaa operator", func() {
+ podList := &corev1.PodList{}
+ podSelector, _ := labels.Parse("noobaa-operator=deployment")
+ listOptions := client.ListOptions{Namespace: options.Namespace, LabelSelector: podSelector}
+
+ Expect(util.KubeList(podList, &listOptions)).To(BeTrue())
+ Expect(len(podList.Items)).To(BeEquivalentTo(1))
+ Expect(util.KubeDelete(&podList.Items[0])).To(BeTrue())
+ })
+ Specify("Verify KMS condition status Sync", func() {
+ Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSSync)).To(BeTrue())
+ })
+ Specify("Verify KMS condition status Key Rotate", func() {
+ Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSKeyRotate)).To(BeTrue())
+ })
+ Specify("Delete NooBaa", func() {
+ Expect(util.KubeDelete(noobaa)).To(BeTrue())
+ })
+ })
+ })
diff --git a/pkg/util/kms/test/tls-token/kms_tls_token_test.go b/pkg/util/kms/test/tls-token/kms_tls_token_test.go
index 10320fb49..7397b5a5a 100644
--- a/pkg/util/kms/test/tls-token/kms_tls_token_test.go
+++ b/pkg/util/kms/test/tls-token/kms_tls_token_test.go
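Review bot: In the new "Restart NooBaa operator" step, `podSelector, _ := labels.Parse("noobaa-operator=deployment")` discards the parse error, so a malformed selector would likely leave `LabelSelector` nil, list every pod in the namespace, and surface only as a confusing `BeEquivalentTo(1)` failure; prefer `podSelector, err := labels.Parse("noobaa-operator=deployment")` followed by `Expect(err).ToNot(HaveOccurred())`. The same two lines are repeated in the tls-token hunk below. Separately, the rotation path is verified only through the operator's own `ConditionKMSKeyRotate` status; nothing here checks that a new key version actually exists in Vault after the schedule fires (the dev test's `checkExternalSecret` is the kind of backend probe that would close that gap), so if no other spec does this it is worth adding. The enclosing Describe starts before the hunk.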
@@ -3,6 +3,7 @@ package kmstlstesttoken import ( "os" + "github.com/libopenstorage/secrets" "github.com/libopenstorage/secrets/vault" nbv1 "github.com/noobaa/noobaa-operator/v5/pkg/apis/noobaa/v1alpha1" "github.com/noobaa/noobaa-operator/v5/pkg/options" 
@@ -77,4 +78,47 @@ var _ = Describe("KMS - TLS Vault Token", func() {
 Expect(util.KubeDelete(noobaa)).To(BeTrue())
 })
 })
+
+ Context("Verify Rotate", func() {
+ noobaa := getMiniNooBaa()
+ noobaa.Spec.Security.KeyManagementService = tlsTokenKMSSpec(tokenSecretName, apiAddress)
+ noobaa.Spec.Security.KeyManagementService.EnableKeyRotation = true
+ noobaa.Spec.Security.KeyManagementService.Schedule = "* * * * *" // every min
+
+ Specify("Verify API Address", func() {
+ Expect(apiAddressFound).To(BeTrue())
+ })
+ Specify("Verify Token secret", func() {
+ Expect(tokenSecretNameFound).To(BeTrue())
+ logger.Printf("💬 Found TOKEN_SECRET_NAME=%v", tokenSecretName)
+ logger.Printf("💬 KMS Spec %v", noobaa.Spec.Security.KeyManagementService)
+ })
+ Specify("Create key rotate schedule system", func() {
+ Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
+ })
+ Specify("Verify KMS condition Type", func() {
+ Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, secrets.TypeVault)).To(BeTrue())
+ })
+ Specify("Verify KMS condition status Init", func() {
+ Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
+ })
+ Specify("Restart NooBaa operator", func() {
+ podList := &corev1.PodList{}
+ podSelector, _ := labels.Parse("noobaa-operator=deployment")
+ listOptions := client.ListOptions{Namespace: options.Namespace, LabelSelector: podSelector}
+
+ Expect(util.KubeList(podList, &listOptions)).To(BeTrue())
+ Expect(len(podList.Items)).To(BeEquivalentTo(1))
+ Expect(util.KubeDelete(&podList.Items[0])).To(BeTrue())
+ })
+ Specify("Verify KMS condition status Sync", func() {
+ Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSSync)).To(BeTrue())
+ })
+ Specify("Verify KMS condition status Key Rotate", func() {
+ Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSKeyRotate)).To(BeTrue())
+ })
+ Specify("Delete NooBaa", func() {
+ Expect(util.KubeDelete(noobaa)).To(BeTrue())
+ })
+ })
 })
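Review bot: The "Verify Token secret" step prints the entire KMS spec with `logger.Printf("💬 KMS Spec %v", noobaa.Spec.Security.KeyManagementService)`; from what is visible the spec built by `tlsTokenKMSSpec(tokenSecretName, apiAddress)` carries the token secret's name and the API address rather than the token itself, but `%v` over the whole struct will also dump any credential-bearing connection detail that is added later, so logging only the fields this step actually checks, e.g. `logger.Printf("💬 KMS token secret %q at %q", tokenSecretName, apiAddress)`, keeps the CI log safe by construction. The identifiers `apiAddress`, `apiAddressFound`, `tokenSecretName` and `tokenSecretNameFound` are used but not declared in this hunk, so they are presumably Describe-level variables defined earlier in the file; the Describe itself starts before the hunk.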