Conversation
rolandmkunkel
force-pushed
the
disc-encryption-e2e-tests
branch
from
57560c9 to
32a46fa
Compare
|
Please rebase pull request. |
rolandmkunkel
force-pushed
the
disc-encryption-e2e-tests
branch
from
32a46fa to
85d81d1
Compare
mjudeikis
left a comment
mjudeikis
left a comment
There was a problem hiding this comment.
Few nits but getting close
pkg/util/cluster/cluster.go
Outdated
There was a problem hiding this comment.
So if this is not available? Maybe try again and not fail?
pkg/util/cluster/cluster.go
Outdated
There was a problem hiding this comment.
I think at this point we should probably rename vnetResourceGroup to something more generic as it now hold not only vnet, but key vault as well. I however don't have ideas apart from something stupid like "bring your own resource resource group" :)
There was a problem hiding this comment.
Also specificly for this line:
You do c.diskEncryptionSets.Get(...) here but you only use it to retreive diskEncryptionSet.ID. At the same time, few lines below you construct this ID (line 235):
{"/subscriptions/" + c.env.SubscriptionID() + "/resourceGroups/" + vnetResourceGroup + "/providers/Microsoft.Compute/diskEncryptionSets/" + diskEncryptionSetName, rbac.RoleReader},
test/e2e/disk_encryption.go
Outdated
There was a problem hiding this comment.
I think it is fine to check via VMs. But I'm wondering why you can't list disks by resoruce group?
There was a problem hiding this comment.
@rolandmkunkel we previously discussed that we need to add a code comment explaining why becasue it is not obvious.
rolandmkunkel
force-pushed
the
disc-encryption-e2e-tests
branch
2 times, most recently
from
ae46a5e to
a46840b
Compare
rolandmkunkel
force-pushed
the
disc-encryption-e2e-tests
branch
from
a46840b to
0847e8a
Compare
deploy/cluster-development-predeploy
Outdated
There was a problem hiding this comment.
renamed version of deploy/cluster-predeploy.json
rolandmkunkel
force-pushed
the
disc-encryption-e2e-tests
branch
7 times, most recently
from
b42758a to
792e4a8
Compare
|
Please rebase pull request. |
m1kola
left a comment
m1kola
left a comment
There was a problem hiding this comment.
I didn't finish reviewing this PR. Just positng early feedback.
test/e2e/disk_encryption.go
Outdated
There was a problem hiding this comment.
@rolandmkunkel we previously discussed that we need to add a code comment explaining why becasue it is not obvious.
test/e2e/disk_encryption.go
Outdated
There was a problem hiding this comment.
I guess this is how we check that PVCs with default storage class provision encrypted disks. Is it right? If so, then we should add a comment. Or even better add two separate By("...") (we might end up with two for loops for the same vms because of that, but that's fine IMO).
Anyway - I think we need some form of clarification here as it is not obvious.
pkg/util/keyvault/keyvault.go
Outdated
There was a problem hiding this comment.
I'm looking at GetSecret and it looks like we are simplifying the interface even further by ommiting keyVersion.
| func (m *manager) GetKey(ctx context.Context, keyName string, keyVersion string) (azkeyvault.KeyBundle, error) { | |
| return m.kv.GetKey(ctx, m.keyvaultURI, keyName, keyVersion) | |
| } | |
| func (m *manager) GetKey(ctx context.Context, keyName string) (azkeyvault.KeyBundle, error) { | |
| return m.kv.GetKey(ctx, m.keyvaultURI, keyName, "") | |
| } |
This way can probably get rid of LatestKeyVersion constant.
m1kola
left a comment
m1kola
left a comment
There was a problem hiding this comment.
Still need to review pkg/util/cluster/cluster.go.
There was a problem hiding this comment.
I think we no longer use this. Everything is in BaseClient now.
rolandmkunkel
force-pushed
the
disc-encryption-e2e-tests
branch
from
792e4a8 to
32261e4
Compare
rolandmkunkel
requested review from
bennerv,
hawkowl,
mwoodson and
rogbas
as code owners
rolandmkunkel
force-pushed
the
disc-encryption-e2e-tests
branch
from
32261e4 to
04eb293
Compare
rolandmkunkel
force-pushed
the
disc-encryption-e2e-tests
branch
2 times, most recently
from
ba8eca9 to
e91acfc
Compare
rolandmkunkel
force-pushed
the
disc-encryption-e2e-tests
branch
from
e91acfc to
6a907bf
Compare
|
Please rebase pull request. |
There was a problem hiding this comment.
I have a lot of questions.
Also I think this PR now has too many things in the scope:
- Updating shared environemt
- Dealing with deployments in a non-shared resoruce group.
- Dealing with setting up e2e clusters
- E2Es tests on their own
I think part of this is my fault: I didn't realise it is earlier. Let's talk tomorrow on what to do with this.
pkg/util/cluster/cluster.go
Outdated
There was a problem hiding this comment.
Is it going to stay? If so, we might want to give it better message and use infof.
| res, err := serviceKeyvault.GetKey(ctx, keyName) | ||
| if err == nil && res.Key != nil { | ||
| c.log.Infoln("using existing key") | ||
| shouldCreateKey = false | ||
| } else { | ||
| err = serviceKeyvault.RecoverDeletedKey(ctx, keyName) | ||
| if err != nil { | ||
| c.log.Infoln("could not recover any existing key") | ||
| } else { | ||
| c.log.Infoln("recovered key") | ||
| shouldCreateKey = false | ||
| } | ||
| } |
There was a problem hiding this comment.
What is the reason why we should reuse keys? Can we create a new key each time for both CI and dev runs?
I would like to get rid of this logic, if possible.
| { | ||
| ObjectID: to.StringPtr("[parameters('azureServicePrincipalId')]"), | ||
| Permissions: &mgmtkeyvault.Permissions{ | ||
| Keys: &[]mgmtkeyvault.KeyPermissions{mgmtkeyvault.KeyPermissionsCreate, mgmtkeyvault.KeyPermissionsGet, mgmtkeyvault.KeyPermissionsDelete, mgmtkeyvault.KeyPermissionsRecover}, |
There was a problem hiding this comment.
Nit: on formatting.
| Keys: &[]mgmtkeyvault.KeyPermissions{mgmtkeyvault.KeyPermissionsCreate, mgmtkeyvault.KeyPermissionsGet, mgmtkeyvault.KeyPermissionsDelete, mgmtkeyvault.KeyPermissionsRecover}, | |
| Keys: &[]mgmtkeyvault.KeyPermissions{ | |
| mgmtkeyvault.KeyPermissionsCreate, | |
| mgmtkeyvault.KeyPermissionsGet, | |
| mgmtkeyvault.KeyPermissionsDelete, | |
| mgmtkeyvault.KeyPermissionsRecover, | |
| }, |
| ) | ||
|
|
||
| var _ = Describe("Encryption at host should be enabled", func() { | ||
| BeforeEach(skipIfNotInDevelopmentEnv) |
| for _, vm := range vms { | ||
| vm.StorageProfile.DataDisks = &[]mgmtcompute.DataDisk{{ | ||
| Lun: to.Int32Ptr(0), | ||
| CreateOption: mgmtcompute.DiskCreateOptionTypesEmpty, | ||
| DiskSizeGB: to.Int32Ptr(1), | ||
| ManagedDisk: &mgmtcompute.ManagedDiskParameters{ | ||
| DiskEncryptionSet: &mgmtcompute.DiskEncryptionSetParameters{ID: to.StringPtr(diskEncryptionSetId)}, | ||
| }, | ||
| }} | ||
| err = clients.VirtualMachines.CreateOrUpdateAndWait(ctx, clusterResourceGroup, *vm.Name, vm) | ||
| Expect(err).NotTo(HaveOccurred()) | ||
| } |
There was a problem hiding this comment.
Why are we creating VM here?
| }, | ||
| }) | ||
|
|
||
| vaultResource.APIVersion = azureclient.APIVersion("Microsoft.KeyVault") |
There was a problem hiding this comment.
Why not have it in g.keyVault(...)?
Same question for devDiskEncryptionKeyvault() in pkg/deploy/generator/resources_dev.go.
Also take a look at virtualNetwork: we accept condition and dependsOn as params. Should we do something similar for g.keyVault(...)?
ARO-RP/pkg/deploy/generator/resources.go
Line 92 in af54d36
| }) | ||
|
|
||
| vaultResource.APIVersion = azureclient.APIVersion("Microsoft.KeyVault") | ||
| vaultResource.Condition = to.StringPtr("[equals(parameters('shouldCreateKeyVault'), 'true')]") |
There was a problem hiding this comment.
Can't we just use [parameters('ci')] as a condition?
| } | ||
| } | ||
|
|
||
| diskEncryptionSetName := clusterName + "-des" |
There was a problem hiding this comment.
Should we have a constant for "-des"?
| { | ||
| TenantID: &tenantUUIDHack, | ||
| ObjectID: to.StringPtr("[parameters('rpServicePrincipalId')]"), | ||
| Permissions: &mgmtkeyvault.Permissions{ | ||
| Keys: &[]mgmtkeyvault.KeyPermissions{ | ||
| mgmtkeyvault.KeyPermissions(mgmtkeyvault.Create), | ||
| mgmtkeyvault.KeyPermissions(mgmtkeyvault.Delete), | ||
| }, | ||
| }, | ||
| }, |
There was a problem hiding this comment.
Giving these permissions to RP service principal doesn't sound right. RP SP is for RP resources, not cluster/customer resoruces.
| Expect(osDisk.Encryption.Type).To(Equal(mgmtcompute.EncryptionAtRestWithCustomerKey)) | ||
| } | ||
|
|
||
| By("checking the encryption property on each data disk of each VM") |
There was a problem hiding this comment.
This should be about validating that default storrage class creates disks with disk encryption enabled.
See "How to test that default PV is encrypted" in for manual steps: #1627
But I think this PR is too big already: it is very hard to follow. Let's deal wtih it once we merge this.
3 participants
Which issue this PR addresses:
extends e2e tests to create cluster with disk encryption enabled with customer managed keys.
adds e2e test to confirm following:
All vms has disk encryption set
Storage class is set to provision encrypted disk
Fixes https://msazure.visualstudio.com/AzureRedHatOpenShift/_workitems/edit/7404076
What this PR does / why we need it:
Helps us testing the e2e disk encryption feature and gives us more confidence to ship it.