Disk encryption e2e tests ci cluster creation and tests #1822
Please rebase pull request.
```go
// Look up the disk encryption set created for this CI run and record its
// lower-cased resource ID among the IDs the test expects to find in the cluster.
diskEncryptionSet, err := clients.DiskEncryptionSets.Get(ctx, vnetResourceGroup, fmt.Sprintf("%s-disk-encryption-set", vnetResourceGroup))
Expect(err).NotTo(HaveOccurred())
expectedResourceIDs = append(expectedResourceIDs, strings.ToLower(*diskEncryptionSet.ID))
```
This solves work item 12050816. I assigned it to you.
m1kola
left a comment
How does this work?
I see that in CI we create KV, key, disk encryption set and they get deleted together with vnetResourceGroup.
When not in CI:
- What is the experience with `go run ./hack/cluster create`? Do I understand correctly that we use resources from the shared environment and only add `Microsoft.KeyVault/vaults/accessPolicies`? If so, I think there is mismatch in names between this PR and #1793. For example, key vault name is `concat(take(resourceGroup().name,15), '-sharedKV')` vs `fmt.Sprintf("%s%s", vnetResourceGroup, sharedKeyVaultNameSuffix)` in this PR.
- What is the experience with `go run ./hack/cluster delete`? Do I understand correctly that we don't have to delete anything when not in CI because we use shared kv, key and disk encryption set?
Regarding the questions:
m1kola
left a comment
I only have one question about the condition for the KV access policy (diskEncryptionKeyVaultAccessPolicy). Just double checking. If we actually don't need it - I'm happy to merge it as is.
Rest of the comments - let's create a small PR for them. These are 5 minute changes and I don't want to hold this PR any longer because of them.
m1kola
left a comment
Great job! I think this is ready to be merged once e2es are green 🎉
Reminder to myself: squash on merge.
Which issue this PR addresses:
Second part of:
https://msazure.visualstudio.com/AzureRedHatOpenShift/_workitems/edit/7404076
What this PR does / why we need it:
This PR adds tests for end-to-end disk encryption. When creating a cluster in CI or via local deployment, all data and OS disks are encrypted with customer-owned keys, which in case of our testing environment is either a shared key from the shared keyvault, or a generated one in case of CI. The tests in this PR make sure that the default storage class uses disk encryption, and that all OS disks are encrypted.
Is there any documentation that needs to be updated for this PR?
no, everything works under the hood
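As an added example (not code from this PR or the ARO-RP repository), here is the shape of the two checks the description says the tests perform, reduced to plain Go over constructed input: every OS disk must reference the expected disk encryption set, and the default storage class must carry that set in its parameters. The `Disk` struct, the `StorageClassParams` map and the `diskEncryptionSetID` parameter key are assumptions standing in for the Azure compute SDK and Kubernetes types the real e2e test would read.

```go
package main

import (
	"fmt"
	"strings"
)

// Disk is a constructed stand-in for the subset of an Azure managed disk the
// check needs (assumption: the real test reads these from the compute SDK).
type Disk struct {
	Name                string
	DiskEncryptionSetID string // empty when the disk uses platform-managed keys
}

// StorageClassParams models the parameters map of the default StorageClass.
type StorageClassParams map[string]string

// normalizeID lower-cases an ARM resource ID so comparisons are
// case-insensitive, matching strings.ToLower(*diskEncryptionSet.ID) in the PR.
func normalizeID(id string) string { return strings.ToLower(strings.TrimSpace(id)) }

// CheckOSDisksEncrypted returns the names of disks that are NOT encrypted with
// the expected customer-managed disk encryption set; a disk with no set at all
// reports an empty ID and therefore fails the check too.
func CheckOSDisksEncrypted(disks []Disk, expectedDESID string) []string {
	want := normalizeID(expectedDESID)
	var notEncrypted []string
	for _, d := range disks {
		if normalizeID(d.DiskEncryptionSetID) != want {
			notEncrypted = append(notEncrypted, d.Name)
		}
	}
	return notEncrypted
}

// CheckStorageClassUsesDES reports whether new data disks provisioned through
// the storage class will use the expected disk encryption set (assumed
// parameter key "diskEncryptionSetID", as used by the Azure disk provisioner).
func CheckStorageClassUsesDES(params StorageClassParams, expectedDESID string) bool {
	return normalizeID(params["diskEncryptionSetID"]) == normalizeID(expectedDESID)
}

func main() {
	// Constructed sample IDs; the name follows the "<vnetResourceGroup>-disk-encryption-set" pattern from the PR.
	des := "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/v4-e2e-rg/providers/Microsoft.Compute/diskEncryptionSets/v4-e2e-rg-disk-encryption-set"
	disks := []Disk{
		{Name: "master-0_OSDisk", DiskEncryptionSetID: strings.ToUpper(des)}, // ARM may return IDs in differing case
		{Name: "worker-0_OSDisk", DiskEncryptionSetID: ""},
	}
	fmt.Println(CheckOSDisksEncrypted(disks, des))                                          // [worker-0_OSDisk]
	fmt.Println(CheckStorageClassUsesDES(StorageClassParams{"diskEncryptionSetID": des}, des)) // true
}
```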