e2e disk encryption tests

[rolandmkunkel]

Which issue this PR addresses:

• extends e2e tests to create cluster with disk encryption enabled with customer managed keys.

• adds e2e test to confirm following:
  All vms has disk encryption set
  Storage class is set to provision encrypted disk

Fixes https://msazure.visualstudio.com/AzureRedHatOpenShift/_workitems/edit/7404076

What this PR does / why we need it:

Helps us testing the e2e disk encryption feature and gives us more confidence to ship it.

[github-actions]

Please rebase pull request.

[mjudeikis]

Few nits but getting close

[mjudeikis]

So if this is not available? Maybe try again and not fail?

[m1kola]

Few questions/suggestions, but in general looks good so far.

[m1kola]

I think at this point we should probably rename vnetResourceGroup to something more generic as it now hold not only vnet, but key vault as well. I however don't have ideas apart from something stupid like "bring your own resource resource group" :)

[m1kola]

Also specificly for this line:

You do c.diskEncryptionSets.Get(...) here but you only use it to retreive diskEncryptionSet.ID. At the same time, few lines below you construct this ID (line 235):

{"/subscriptions/" + c.env.SubscriptionID() + "/resourceGroups/" + vnetResourceGroup + "/providers/Microsoft.Compute/diskEncryptionSets/" + diskEncryptionSetName, rbac.RoleReader},

[m1kola]

I think it is fine to check via VMs. But I'm wondering why you can't list disks by resoruce group?

[m1kola]

@rolandmkunkel we previously discussed that we need to add a code comment explaining why becasue it is not obvious.

[rolandmkunkel]

renamed version of deploy/cluster-predeploy.json

[github-actions]

Please rebase pull request.

[m1kola]

I didn't finish reviewing this PR. Just positng early feedback.

[m1kola]

@rolandmkunkel we previously discussed that we need to add a code comment explaining why becasue it is not obvious.

[m1kola]

I guess this is how we check that PVCs with default storage class provision encrypted disks. Is it right? If so, then we should add a comment. Or even better add two separate By("...") (we might end up with two for loops for the same vms because of that, but that's fine IMO).

Anyway - I think we need some form of clarification here as it is not obvious.

[m1kola]

I'm looking at GetSecret and it looks like we are simplifying the interface even further by ommiting keyVersion.

Suggested change

	func (m *manager) GetKey(ctx context.Context, keyName string, keyVersion string) (azkeyvault.KeyBundle, error) {
	return m.kv.GetKey(ctx, m.keyvaultURI, keyName, keyVersion)
	}
	func (m *manager) GetKey(ctx context.Context, keyName string) (azkeyvault.KeyBundle, error) {
	return m.kv.GetKey(ctx, m.keyvaultURI, keyName, "")
	}

This way can probably get rid of LatestKeyVersion constant.

[m1kola]

Still need to review pkg/util/cluster/cluster.go.

[m1kola]

I think we no longer use this. Everything is in BaseClient now.

[github-actions]

Please rebase pull request.

[m1kola]

I have a lot of questions.

Also I think this PR now has too many things in the scope:

• Updating shared environemt
• Dealing with deployments in a non-shared resoruce group.
• Dealing with setting up e2e clusters
• E2Es tests on their own

I think part of this is my fault: I didn't realise it is earlier. Let's talk tomorrow on what to do with this.

[m1kola]

Is it going to stay? If so, we might want to give it better message and use infof.

[m1kola]

What is the reason why we should reuse keys? Can we create a new key each time for both CI and dev runs?

I would like to get rid of this logic, if possible.

[m1kola]

Nit: on formatting.

Suggested change

	Keys: &[]mgmtkeyvault.KeyPermissions{mgmtkeyvault.KeyPermissionsCreate, mgmtkeyvault.KeyPermissionsGet, mgmtkeyvault.KeyPermissionsDelete, mgmtkeyvault.KeyPermissionsRecover},
	Keys: &[]mgmtkeyvault.KeyPermissions{
	mgmtkeyvault.KeyPermissionsCreate,
	mgmtkeyvault.KeyPermissionsGet,
	mgmtkeyvault.KeyPermissionsDelete,
	mgmtkeyvault.KeyPermissionsRecover,
	},

[m1kola]

Why?

[m1kola]

Why are we creating VM here?

[m1kola]

Why not have it in g.keyVault(...)?

Same question for devDiskEncryptionKeyvault() in pkg/deploy/generator/resources_dev.go.

---

Also take a look at virtualNetwork: we accept condition and dependsOn as params. Should we do something similar for g.keyVault(...)?

ARO-RP/pkg/deploy/generator/resources.go

Line 92 in af54d36

func (g *generator) virtualNetwork(name, addressPrefix string, subnets *[]mgmtnetwork.Subnet, condition interface{}, dependsOn []string) *arm.Resource {

[m1kola]

Can't we just use [parameters('ci')] as a condition?

[m1kola]

Should we have a constant for "-des"?

[m1kola]

Giving these permissions to RP service principal doesn't sound right. RP SP is for RP resources, not cluster/customer resoruces.

[m1kola]

This should be about validating that default storrage class creates disks with disk encryption enabled.

See "How to test that default PV is encrypted" in for manual steps: #1627

But I think this PR is too big already: it is very hard to follow. Let's deal wtih it once we merge this.