Revert "Run controlplane/transformation integration tests in parallel"

This commit is contained in:
Anish Ramasekar 2024-04-23 13:48:33 -07:00 committed by GitHub
parent f3a7aa7f92
commit 8d563c2cde
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 105 additions and 142 deletions


@ -131,8 +131,7 @@ func (r envelope) plainTextPayload(secretETCDPath string) ([]byte, error) {
func TestKMSProvider(t *testing.T) { func TestKMSProvider(t *testing.T) {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)()
socketPath := getSocketPath() encryptionConfig := `
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -142,10 +141,10 @@ resources:
- kms: - kms:
name: kms-provider name: kms-provider
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
`, socketPath) `
providerName := "kms-provider" providerName := "kms-provider"
pluginMock := mock.NewBase64Plugin(t, socketPath) pluginMock := mock.NewBase64Plugin(t, "@kms-provider.sock")
test, err := newTransformTest(t, encryptionConfig, false, "", nil) test, err := newTransformTest(t, encryptionConfig, false, "", nil)
if err != nil { if err != nil {
t.Fatalf("failed to start KUBE API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err) t.Fatalf("failed to start KUBE API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err)
@ -313,9 +312,8 @@ func TestEncryptionConfigHotReload(t *testing.T) {
// this makes the test super responsive. It's set to a default of 1 minute. // this makes the test super responsive. It's set to a default of 1 minute.
encryptionconfigcontroller.EncryptionConfigFileChangePollDuration = time.Second encryptionconfigcontroller.EncryptionConfigFileChangePollDuration = time.Second
socketPath := getSocketPath()
storageConfig := framework.SharedEtcd() storageConfig := framework.SharedEtcd()
encryptionConfig := fmt.Sprintf(` encryptionConfig := `
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -325,11 +323,11 @@ resources:
- kms: - kms:
name: kms-provider name: kms-provider
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
`, socketPath) `
genericapiserver.SetHostnameFuncForTests("testAPIServerID") genericapiserver.SetHostnameFuncForTests("testAPIServerID")
_ = mock.NewBase64Plugin(t, socketPath) _ = mock.NewBase64Plugin(t, "@kms-provider.sock")
var restarted bool var restarted bool
test, err := newTransformTest(t, encryptionConfig, true, "", storageConfig) test, err := newTransformTest(t, encryptionConfig, true, "", storageConfig)
if err != nil { if err != nil {
@ -381,8 +379,7 @@ resources:
// test if hot reload controller is healthy // test if hot reload controller is healthy
mustBeHealthy(t, "/poststarthook/start-encryption-provider-config-automatic-reload", "ok", test.kubeAPIServer.ClientConfig) mustBeHealthy(t, "/poststarthook/start-encryption-provider-config-automatic-reload", "ok", test.kubeAPIServer.ClientConfig)
newKMSProviderSocketPath := getSocketPath() encryptionConfigWithNewProvider := `
encryptionConfigWithNewProvider := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -392,22 +389,22 @@ resources:
- kms: - kms:
name: new-kms-provider-for-secrets name: new-kms-provider-for-secrets
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@new-kms-provider.sock
- kms: - kms:
name: kms-provider name: kms-provider
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
- resources: - resources:
- configmaps - configmaps
providers: providers:
- kms: - kms:
name: new-kms-provider-for-configmaps name: new-kms-provider-for-configmaps
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@new-kms-provider.sock
- identity: {} - identity: {}
`, newKMSProviderSocketPath, socketPath, newKMSProviderSocketPath) `
// start new KMS Plugin // start new KMS Plugin
_ = mock.NewBase64Plugin(t, newKMSProviderSocketPath) _ = mock.NewBase64Plugin(t, "@new-kms-provider.sock")
// update encryption config // update encryption config
updateFile(t, test.configDir, encryptionConfigFileName, []byte(encryptionConfigWithNewProvider)) updateFile(t, test.configDir, encryptionConfigFileName, []byte(encryptionConfigWithNewProvider))
@ -484,13 +481,12 @@ resources:
t.Fatalf("expected configmap to be prefixed with %s, but got %s", wantPrefixForConfigmaps, rawConfigmapEnvelope.Kvs[0].Value) t.Fatalf("expected configmap to be prefixed with %s, but got %s", wantPrefixForConfigmaps, rawConfigmapEnvelope.Kvs[0].Value)
} }
newEncryptAllProviderSocketPath := getSocketPath()
// remove old KMS provider // remove old KMS provider
// verifyIfKMSTransformersSwapped sometimes passes even before the changes in the encryption config file are observed. // verifyIfKMSTransformersSwapped sometimes passes even before the changes in the encryption config file are observed.
// this causes the metrics tests to fail, which validate two config changes. // this causes the metrics tests to fail, which validate two config changes.
// this may happen when an existing KMS provider is already running (e.g., new-kms-provider-for-secrets in this case). // this may happen when an existing KMS provider is already running (e.g., new-kms-provider-for-secrets in this case).
// to ensure that the changes are observed, we added one more provider (kms-provider-to-encrypt-all) and are validating it in verifyIfKMSTransformersSwapped. // to ensure that the changes are observed, we added one more provider (kms-provider-to-encrypt-all) and are validating it in verifyIfKMSTransformersSwapped.
encryptionConfigWithoutOldProvider := fmt.Sprintf(` encryptionConfigWithoutOldProvider := `
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -500,25 +496,25 @@ resources:
- kms: - kms:
name: new-kms-provider-for-secrets name: new-kms-provider-for-secrets
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@new-kms-provider.sock
- resources: - resources:
- configmaps - configmaps
providers: providers:
- kms: - kms:
name: new-kms-provider-for-configmaps name: new-kms-provider-for-configmaps
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@new-kms-provider.sock
- resources: - resources:
- '*.*' - '*.*'
providers: providers:
- kms: - kms:
name: kms-provider-to-encrypt-all name: kms-provider-to-encrypt-all
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@new-encrypt-all-kms-provider.sock
- identity: {} - identity: {}
`, newKMSProviderSocketPath, newKMSProviderSocketPath, newEncryptAllProviderSocketPath) `
// start new KMS Plugin // start new KMS Plugin
_ = mock.NewBase64Plugin(t, newEncryptAllProviderSocketPath) _ = mock.NewBase64Plugin(t, "@new-encrypt-all-kms-provider.sock")
// update encryption config and wait for hot reload // update encryption config and wait for hot reload
updateFile(t, test.configDir, encryptionConfigFileName, []byte(encryptionConfigWithoutOldProvider)) updateFile(t, test.configDir, encryptionConfigFileName, []byte(encryptionConfigWithoutOldProvider))
@ -609,8 +605,7 @@ resources:
} }
func TestEncryptAll(t *testing.T) { func TestEncryptAll(t *testing.T) {
socketPath := getSocketPath() encryptionConfig := `
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -620,11 +615,11 @@ resources:
- kms: - kms:
name: encrypt-all-kms-provider name: encrypt-all-kms-provider
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@encrypt-all-kms-provider.sock
`, socketPath) `
t.Run("encrypt all resources", func(t *testing.T) { t.Run("encrypt all resources", func(t *testing.T) {
_ = mock.NewBase64Plugin(t, socketPath) _ = mock.NewBase64Plugin(t, "@encrypt-all-kms-provider.sock")
// To ensure we are checking all REST resources // To ensure we are checking all REST resources
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllAlpha", true)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllAlpha", true)()
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllBeta", true)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, "AllBeta", true)()
@ -729,9 +724,7 @@ resources:
} }
func TestEncryptAllWithWildcard(t *testing.T) { func TestEncryptAllWithWildcard(t *testing.T) {
socketPath1 := getSocketPath() encryptionConfig := `
socketPath2 := getSocketPath()
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -745,17 +738,17 @@ resources:
- kms: - kms:
name: kms-provider name: kms-provider
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
- resources: - resources:
- '*.*' - '*.*'
providers: providers:
- kms: - kms:
name: encrypt-all-kms-provider name: encrypt-all-kms-provider
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@encrypt-all-kms-provider.sock
`, socketPath1, socketPath2) `
_ = mock.NewBase64Plugin(t, socketPath1) _ = mock.NewBase64Plugin(t, "@kms-provider.sock")
_ = mock.NewBase64Plugin(t, socketPath2) _ = mock.NewBase64Plugin(t, "@encrypt-all-kms-provider.sock")
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)()
@ -890,12 +883,8 @@ func TestEncryptionConfigHotReloadFilePolling(t *testing.T) {
} }
for _, tc := range testCases { for _, tc := range testCases {
tc := tc
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
t.Parallel() encryptionConfig := `
socketPath := getSocketPath()
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -905,10 +894,10 @@ resources:
- kms: - kms:
name: kms-provider name: kms-provider
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
timeout: 1s timeout: 1s
`, socketPath) `
_ = mock.NewBase64Plugin(t, socketPath) _ = mock.NewBase64Plugin(t, "@kms-provider.sock")
test, err := newTransformTest(t, encryptionConfig, true, "", nil) test, err := newTransformTest(t, encryptionConfig, true, "", nil)
if err != nil { if err != nil {
@ -924,8 +913,7 @@ resources:
// test if hot reload controller is healthy // test if hot reload controller is healthy
mustBeHealthy(t, "/poststarthook/start-encryption-provider-config-automatic-reload", "ok", test.kubeAPIServer.ClientConfig) mustBeHealthy(t, "/poststarthook/start-encryption-provider-config-automatic-reload", "ok", test.kubeAPIServer.ClientConfig)
newKMSProviderSocketPath := getSocketPath() encryptionConfigWithNewProvider := `
encryptionConfigWithNewProvider := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -935,12 +923,12 @@ resources:
- kms: - kms:
name: new-kms-provider-for-secrets name: new-kms-provider-for-secrets
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@new-kms-provider.sock
timeout: 1s timeout: 1s
- kms: - kms:
name: kms-provider name: kms-provider
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
timeout: 1s timeout: 1s
- resources: - resources:
- configmaps - configmaps
@ -948,12 +936,12 @@ resources:
- kms: - kms:
name: new-kms-provider-for-configmaps name: new-kms-provider-for-configmaps
cachesize: 1000 cachesize: 1000
endpoint: unix:///%s endpoint: unix:///@new-kms-provider.sock
timeout: 1s timeout: 1s
- identity: {} - identity: {}
`, newKMSProviderSocketPath, socketPath, newKMSProviderSocketPath) `
// start new KMS Plugin // start new KMS Plugin
_ = mock.NewBase64Plugin(t, newKMSProviderSocketPath) _ = mock.NewBase64Plugin(t, "@new-kms-provider.sock")
// update encryption config // update encryption config
if err := tc.updateFile(filepath.Join(test.configDir, encryptionConfigFileName), encryptionConfigWithNewProvider); err != nil { if err := tc.updateFile(filepath.Join(test.configDir, encryptionConfigFileName), encryptionConfigWithNewProvider); err != nil {
t.Fatalf("failed to update encryption config, err: %v", err) t.Fatalf("failed to update encryption config, err: %v", err)
@ -1105,9 +1093,7 @@ func updateFile(t *testing.T, configDir, filename string, newContent []byte) {
func TestKMSHealthz(t *testing.T) { func TestKMSHealthz(t *testing.T) {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)()
socketPath1 := getSocketPath() encryptionConfig := `
socketPath2 := getSocketPath()
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -1116,14 +1102,14 @@ resources:
providers: providers:
- kms: - kms:
name: provider-1 name: provider-1
endpoint: unix:///%s endpoint: unix:///@kms-provider-1.sock
- kms: - kms:
name: provider-2 name: provider-2
endpoint: unix:///%s endpoint: unix:///@kms-provider-2.sock
`, socketPath1, socketPath2) `
pluginMock1 := mock.NewBase64Plugin(t, socketPath1) pluginMock1 := mock.NewBase64Plugin(t, "@kms-provider-1.sock")
pluginMock2 := mock.NewBase64Plugin(t, socketPath2) pluginMock2 := mock.NewBase64Plugin(t, "@kms-provider-2.sock")
test, err := newTransformTest(t, encryptionConfig, false, "", nil) test, err := newTransformTest(t, encryptionConfig, false, "", nil)
if err != nil { if err != nil {
@ -1170,9 +1156,7 @@ resources:
func TestKMSHealthzWithReload(t *testing.T) { func TestKMSHealthzWithReload(t *testing.T) {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)()
socketPath1 := getSocketPath() encryptionConfig := `
socketPath2 := getSocketPath()
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -1181,14 +1165,14 @@ resources:
providers: providers:
- kms: - kms:
name: provider-1 name: provider-1
endpoint: unix:///%s endpoint: unix:///@kms-provider-1.sock
- kms: - kms:
name: provider-2 name: provider-2
endpoint: unix:///%s endpoint: unix:///@kms-provider-2.sock
`, socketPath1, socketPath2) `
pluginMock1 := mock.NewBase64Plugin(t, socketPath1) pluginMock1 := mock.NewBase64Plugin(t, "@kms-provider-1.sock")
pluginMock2 := mock.NewBase64Plugin(t, socketPath2) pluginMock2 := mock.NewBase64Plugin(t, "@kms-provider-2.sock")
test, err := newTransformTest(t, encryptionConfig, true, "", nil) test, err := newTransformTest(t, encryptionConfig, true, "", nil)
if err != nil { if err != nil {
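Review bot: Each restored test now spells its socket name twice with nothing tying the copies together — once inside the YAML (`endpoint: unix:///@kms-provider.sock` in the first hunk of TestKMSProvider) and again in `mock.NewBase64Plugin(t, "@kms-provider.sock")` — so the two literals can drift and a typo would surface only as an opaque connect failure when the apiserver starts. Consider one package-level constant per plugin, e.g. `const kmsProviderSocket = "@kms-provider.sock"`, used to build the config string and passed to the plugin constructor; the same applies to `@new-kms-provider.sock`, `@new-encrypt-all-kms-provider.sock`, `@encrypt-all-kms-provider.sock` and `@kms-provider-1.sock`/`@kms-provider-2.sock` in the later hunks of this file and to every hunk of the KMSv2 test file below. If the leading `@` makes these Linux abstract-namespace sockets (that is decided inside the mock, outside this hunk), the name is global to the host's network namespace and carries no filesystem permission check, so reusing the same literal across tests relies on each earlier test's plugin having been torn down before the next one binds it. A comment next to the constant such as `// abstract socket name: host-wide, so tests sharing it must not run in parallel` would record that constraint for whoever next re-enables t.Parallel.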


@ -179,8 +179,7 @@ func TestDefaultValues(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), time.Minute) ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
t.Cleanup(cancel) t.Cleanup(cancel)
socketPath := getSocketPath() encryptionConfig := `
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -190,9 +189,9 @@ resources:
- kms: - kms:
apiVersion: v2 apiVersion: v2
name: kms-provider name: kms-provider
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
`, socketPath) `
_ = kmsv2mock.NewBase64Plugin(t, socketPath) _ = kmsv2mock.NewBase64Plugin(t, "@kms-provider.sock")
test, err := newTransformTest(t, encryptionConfig, false, "", nil) test, err := newTransformTest(t, encryptionConfig, false, "", nil)
if err != nil { if err != nil {
@ -262,8 +261,7 @@ func TestKMSv2Provider(t *testing.T) {
} }
func testKMSv2Provider(t *testing.T, useSeed bool) { func testKMSv2Provider(t *testing.T, useSeed bool) {
socketPath := getSocketPath() encryptionConfig := `
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -273,11 +271,11 @@ resources:
- kms: - kms:
apiVersion: v2 apiVersion: v2
name: kms-provider name: kms-provider
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
`, socketPath) `
genericapiserver.SetHostnameFuncForTests("testAPIServerID") genericapiserver.SetHostnameFuncForTests("testAPIServerID")
providerName := "kms-provider" providerName := "kms-provider"
pluginMock := kmsv2mock.NewBase64Plugin(t, socketPath) pluginMock := kmsv2mock.NewBase64Plugin(t, "@kms-provider.sock")
test, err := newTransformTest(t, encryptionConfig, false, "", nil) test, err := newTransformTest(t, encryptionConfig, false, "", nil)
if err != nil { if err != nil {
@ -412,9 +410,7 @@ func TestKMSv2ProviderKeyIDStaleness(t *testing.T) {
} }
func testKMSv2ProviderKeyIDStaleness(t *testing.T) { func testKMSv2ProviderKeyIDStaleness(t *testing.T) {
t.Parallel() encryptionConfig := `
socketPath := getSocketPath()
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -425,9 +421,9 @@ resources:
- kms: - kms:
apiVersion: v2 apiVersion: v2
name: kms-provider name: kms-provider
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
`, socketPath) `
pluginMock := kmsv2mock.NewBase64Plugin(t, socketPath) pluginMock := kmsv2mock.NewBase64Plugin(t, "@kms-provider.sock")
test, err := newTransformTest(t, encryptionConfig, false, "", nil) test, err := newTransformTest(t, encryptionConfig, false, "", nil)
if err != nil { if err != nil {
@ -707,8 +703,7 @@ func testKMSv2ProviderDEKSourceReuse(t *testing.T, f checkFunc) {
ctx, cancel := context.WithTimeout(context.Background(), time.Minute) ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
t.Cleanup(cancel) t.Cleanup(cancel)
socketPath := getSocketPath() encryptionConfig := `
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -718,9 +713,9 @@ resources:
- kms: - kms:
apiVersion: v2 apiVersion: v2
name: kms-provider name: kms-provider
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
`, socketPath) `
_ = kmsv2mock.NewBase64Plugin(t, socketPath) _ = kmsv2mock.NewBase64Plugin(t, "@kms-provider.sock")
test, err := newTransformTest(t, encryptionConfig, false, "", nil) test, err := newTransformTest(t, encryptionConfig, false, "", nil)
if err != nil { if err != nil {
@ -840,9 +835,7 @@ func assertPodDEKSources(ctx context.Context, t *testing.T, config storagebacken
func TestKMSv2Healthz(t *testing.T) { func TestKMSv2Healthz(t *testing.T) {
defer encryptionconfig.SetKDFForTests(randomBool())() defer encryptionconfig.SetKDFForTests(randomBool())()
socketPath1 := getSocketPath() encryptionConfig := `
socketPath2 := getSocketPath()
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -852,15 +845,15 @@ resources:
- kms: - kms:
apiVersion: v2 apiVersion: v2
name: provider-1 name: provider-1
endpoint: unix:///%s endpoint: unix:///@kms-provider-1.sock
- kms: - kms:
apiVersion: v2 apiVersion: v2
name: provider-2 name: provider-2
endpoint: unix:///%s endpoint: unix:///@kms-provider-2.sock
`, socketPath1, socketPath2) `
pluginMock1 := kmsv2mock.NewBase64Plugin(t, socketPath1) pluginMock1 := kmsv2mock.NewBase64Plugin(t, "@kms-provider-1.sock")
pluginMock2 := kmsv2mock.NewBase64Plugin(t, socketPath2) pluginMock2 := kmsv2mock.NewBase64Plugin(t, "@kms-provider-2.sock")
test, err := newTransformTest(t, encryptionConfig, false, "", nil) test, err := newTransformTest(t, encryptionConfig, false, "", nil)
if err != nil { if err != nil {
@ -917,12 +910,11 @@ func TestKMSv2SingleService(t *testing.T) {
encryptionconfig.EnvelopeKMSv2ServiceFactory = origEnvelopeKMSv2ServiceFactory encryptionconfig.EnvelopeKMSv2ServiceFactory = origEnvelopeKMSv2ServiceFactory
}) })
socketPath := getSocketPath()
// check resources provided by the three servers that we have wired together // check resources provided by the three servers that we have wired together
// - pods and config maps from KAS // - pods and config maps from KAS
// - CRDs and CRs from API extensions // - CRDs and CRs from API extensions
// - API services from aggregator // - API services from aggregator
encryptionConfig := fmt.Sprintf(` encryptionConfig := `
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -936,10 +928,10 @@ resources:
- kms: - kms:
apiVersion: v2 apiVersion: v2
name: kms-provider name: kms-provider
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
`, socketPath) `
_ = kmsv2mock.NewBase64Plugin(t, socketPath) _ = kmsv2mock.NewBase64Plugin(t, "@kms-provider.sock")
test, err := newTransformTest(t, encryptionConfig, false, "", nil) test, err := newTransformTest(t, encryptionConfig, false, "", nil)
if err != nil { if err != nil {
@ -979,8 +971,7 @@ resources:
// 2. After a restart, loading a encryptionConfig with the same KMSv2 plugin from 1 should work, // 2. After a restart, loading a encryptionConfig with the same KMSv2 plugin from 1 should work,
// decryption of data encrypted with v2 should work // decryption of data encrypted with v2 should work
func TestKMSv2FeatureFlag(t *testing.T) { func TestKMSv2FeatureFlag(t *testing.T) {
socketPath := getSocketPath() encryptionConfig := `
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -990,10 +981,10 @@ resources:
- kms: - kms:
apiVersion: v2 apiVersion: v2
name: kms-provider name: kms-provider
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
`, socketPath) `
providerName := "kms-provider" providerName := "kms-provider"
pluginMock := kmsv2mock.NewBase64Plugin(t, socketPath) pluginMock := kmsv2mock.NewBase64Plugin(t, "@kms-provider.sock")
storageConfig := framework.SharedEtcd() storageConfig := framework.SharedEtcd()
// KMSv2 is enabled by default. Loading a encryptionConfig with KMSv2 should work // KMSv2 is enabled by default. Loading a encryptionConfig with KMSv2 should work
@ -1103,8 +1094,7 @@ func BenchmarkKMSv2KDF(b *testing.B) {
ctx = request.WithNamespace(ctx, testNamespace) ctx = request.WithNamespace(ctx, testNamespace)
socketPath := getSocketPath() encryptionConfig := `
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -1114,9 +1104,9 @@ resources:
- kms: - kms:
apiVersion: v2 apiVersion: v2
name: kms-provider name: kms-provider
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
`, socketPath) `
_ = kmsv2mock.NewBase64Plugin(b, socketPath) _ = kmsv2mock.NewBase64Plugin(b, "@kms-provider.sock")
test, err := newTransformTest(b, encryptionConfig, false, "", nil) test, err := newTransformTest(b, encryptionConfig, false, "", nil)
if err != nil { if err != nil {
@ -1257,8 +1247,7 @@ func BenchmarkKMSv2REST(b *testing.B) {
ctx, cancel := context.WithTimeout(context.Background(), 3*time.Minute) ctx, cancel := context.WithTimeout(context.Background(), 3*time.Minute)
b.Cleanup(cancel) b.Cleanup(cancel)
socketPath := getSocketPath() encryptionConfig := `
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -1268,9 +1257,9 @@ resources:
- kms: - kms:
apiVersion: v2 apiVersion: v2
name: kms-provider name: kms-provider
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
`, socketPath) `
_ = kmsv2mock.NewBase64Plugin(b, socketPath) _ = kmsv2mock.NewBase64Plugin(b, "@kms-provider.sock")
test, err := newTransformTest(b, encryptionConfig, false, "", nil) test, err := newTransformTest(b, encryptionConfig, false, "", nil)
if err != nil { if err != nil {
@ -1348,9 +1337,7 @@ func TestKMSv2ProviderLegacyData(t *testing.T) {
} }
func testKMSv2ProviderLegacyData(t *testing.T) { func testKMSv2ProviderLegacyData(t *testing.T) {
t.Parallel() encryptionConfig := `
socketPath := getSocketPath()
encryptionConfig := fmt.Sprintf(`
kind: EncryptionConfiguration kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1 apiVersion: apiserver.config.k8s.io/v1
resources: resources:
@ -1360,10 +1347,10 @@ resources:
- kms: - kms:
apiVersion: v2 apiVersion: v2
name: kms-provider name: kms-provider
endpoint: unix:///%s endpoint: unix:///@kms-provider.sock
`, socketPath) `
_ = kmsv2mock.NewBase64Plugin(t, socketPath) _ = kmsv2mock.NewBase64Plugin(t, "@kms-provider.sock")
// the value.Context.AuthenticatedData during read is the etcd storage path of the associated resource // the value.Context.AuthenticatedData during read is the etcd storage path of the associated resource
// thus we need to manually construct the storage config so that we can have a static path // thus we need to manually construct the storage config so that we can have a static path


@ -85,20 +85,17 @@ func TestSecretsShouldBeTransformed(t *testing.T) {
// TODO: add secretbox // TODO: add secretbox
} }
for _, tt := range testCases { for _, tt := range testCases {
tt := tt test, err := newTransformTest(t, tt.transformerConfigContent, false, "", nil)
t.Run(tt.transformerPrefix, func(t *testing.T) { if err != nil {
t.Parallel() t.Fatalf("failed to setup test for envelop %s, error was %v", tt.transformerPrefix, err)
test, err := newTransformTest(t, tt.transformerConfigContent, false, "", nil) continue
if err != nil { }
t.Fatalf("failed to setup test for envelop %s, error was %v", tt.transformerPrefix, err) test.secret, err = test.createSecret(testSecret, testNamespace)
} if err != nil {
test.secret, err = test.createSecret(testSecret, testNamespace) t.Fatalf("Failed to create test secret, error: %v", err)
if err != nil { }
t.Fatalf("Failed to create test secret, error: %v", err) test.runResource(test.logger, tt.unSealFunc, tt.transformerPrefix, "", "v1", "secrets", test.secret.Name, test.secret.Namespace)
} test.cleanUp()
test.runResource(test.logger, tt.unSealFunc, tt.transformerPrefix, "", "v1", "secrets", test.secret.Name, test.secret.Namespace)
test.cleanUp()
})
} }
} }
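Review bot: The `continue` that follows `t.Fatalf(...)` in the restored loop body of TestSecretsShouldBeTransformed is unreachable — `t.Fatalf` ends the test through runtime.Goexit, so the statement never runs, and it reads as though the loop were meant to carry on to the next transformer. Either delete the `continue` line, or, if the intent is that one transformer's setup failure should not hide results for the others, use `t.Errorf("failed to setup test for envelop %s, error was %v", tt.transformerPrefix, err)` followed by `continue` instead. With the subtest wrapper gone, `test.cleanUp()` at the end of the body is also skipped whenever `createSecret` fails, because the `t.Fatalf` above it ends the whole test first; whether that leaves a server running depends on what newTransformTest registers with t, which is outside the hunk. The enclosing function starts outside the hunk.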


@ -37,7 +37,6 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/rand"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
apiserverv1 "k8s.io/apiserver/pkg/apis/apiserver/v1" apiserverv1 "k8s.io/apiserver/pkg/apis/apiserver/v1"
"k8s.io/apiserver/pkg/storage/storagebackend" "k8s.io/apiserver/pkg/storage/storagebackend"
@ -639,7 +638,3 @@ func getLivez(checkName string, clientConfig *rest.Config, excludes ...string) (
body, err := req.DoRaw(context.TODO()) // we can still have a response body during an error case body, err := req.DoRaw(context.TODO()) // we can still have a response body during an error case
return string(body), err == nil, nil return string(body), err == nil, nil
} }
func getSocketPath() string {
return fmt.Sprintf("@%s.sock", rand.String(10))
}