From e13748f46dc7041bdc2f5f7c3dfe109904a52f85 Mon Sep 17 00:00:00 2001
From: Manuel Huber
Date: Tue, 10 Mar 2026 21:26:57 -0700
Subject: [PATCH] tests: Adapt trusted ephemeral storage test

With the new CDH version, the LUKS header is moved off of the disk into guest memory. We hence adapt the test's filesystem type checks.

Signed-off-by: Manuel Huber
---
 .../k8s-trusted-ephemeral-data-storage.bats | 28 ++++++++++---------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/tests/integration/kubernetes/k8s-trusted-ephemeral-data-storage.bats b/tests/integration/kubernetes/k8s-trusted-ephemeral-data-storage.bats
index 7cf35b5b7f..7ecdd40af9 100644
--- a/tests/integration/kubernetes/k8s-trusted-ephemeral-data-storage.bats
+++ b/tests/integration/kubernetes/k8s-trusted-ephemeral-data-storage.bats
@@ -19,6 +19,8 @@ setup() {
 mountpoint="/mnt/temp-encrypted"
 host_df="$(exec_host "${node}" df -PT -B1 "$(get_kubelet_data_dir)" | tail -n +2)"
+ info "host_df output:"
+ info "${host_df}"
 host_cap_bytes="$(echo "${host_df}" | awk '{print $3}')"
 yaml_file="${pod_config_dir}/pod-trusted-ephemeral-data-storage.yaml"
@@ -36,7 +38,7 @@ setup() {
 # With long device names, df adds line breaks by default, so we pass -P to prevent that.
 emptydir_df="$(kubectl exec "${pod_name}" -- df -PT -B1 "${mountpoint}" | tail -n +2)"
- info "df output:"
+ info "emptydir_df output:"
 info "${emptydir_df}"
 dm_device="$(echo "${emptydir_df}" | awk '{print $1}')"
@@ -46,17 +48,18 @@ setup() {
 # The output of the cryptsetup command will contain something like this:
 #
- # /dev/mapper/encrypted_disk_N6PxO is active and is in use.
- # type: LUKS2
- # cipher: aes-xts-plain64
+ # /dev/mapper/741ed4bf-3073-49ed-9b7a-d6fa7cce0db1 is active and is in use.
+ # type: n/a
+ # cipher: aes-xts-plain
 # keysize: 768 bits
 # key location: keyring
 # integrity: hmac(sha256)
 # integrity keysize: 256 bits
- # device: /dev/vda
+ # integrity tag size: 32 bytes
+ # device: /dev/sdd
 # sector size: 4096
 # offset: 0 sectors
- # size: 2031880 sectors
+ # size: 300052568 sectors
 # mode: read/write
 crypt_status="$(kubectl exec "${pod_name}" -- cryptsetup status "${dm_device}")"
 info "cryptsetup status output:"
@@ -65,16 +68,15 @@ setup() {
 # Check filesystem type and capacity.
 [[ "${fs_type}" == "ext4" ]]
- # Allow up to 7% LUKS metadata overhead.
- (( emptydir_cap_bytes >= host_cap_bytes * 93 / 100 ))
- # Allow up to 15% LUKS + ext4 metadata overhead.
- (( emptydir_avail_bytes >= host_cap_bytes * 85 / 100 ))
+ # Allow up to 4% metadata overhead.
+ (( emptydir_cap_bytes >= host_cap_bytes * 96 / 100 ))
+ # Allow up to 10% metadata overhead.
+ (( emptydir_avail_bytes >= host_cap_bytes * 90 / 100 ))
 # Check encryption settings.
- grep -q "${dm_device} is active and is in use" <<< "${crypt_status}"
- grep -Eq "type: +LUKS2" <<< "${crypt_status}"
- grep -Eq "cipher: +aes-xts-plain64" <<< "${crypt_status}"
+ grep -Eq "type: +n/a" <<< "${crypt_status}" # The LUKS header is detached.
+ grep -Eq "cipher: +aes-xts-plain" <<< "${crypt_status}"
 grep -Eq "integrity: +hmac\(sha256\)" <<< "${crypt_status}"
 # Check I/O.
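Review bot: The new cipher assertion `grep -Eq "cipher: +aes-xts-plain"` in the last hunk is an unanchored prefix match, so it passes for both `aes-xts-plain` and `aes-xts-plain64` and no longer pins which IV mode the volume uses. If `aes-xts-plain` is what the new CDH is meant to set up, anchor it as `grep -Eq "cipher: +aes-xts-plain$" <<< "${crypt_status}"`. It is also worth confirming that mode is intended, since dm-crypt's `plain` IV is the 32-bit sector number while `plain64` is the 64-bit one. The same hunk drops the `"${dm_device} is active and is in use"` check with no replacement, although the updated sample output in the previous hunk still shows that line and the commit message does not explain the removal; either keep the check or add a comment saying why it no longer applies. With `type:` now reported as `n/a`, only cipher and integrity are still asserted, so a line such as `grep -Eq "key location: +keyring" <<< "${crypt_status}"` would keep some coverage of how the key is held; the enclosing test body starts and continues outside this hunk.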