| 1 | +package e2e_encryption_kms |
| 2 | + |
| 3 | +import ( |
| 4 | + "context" |
| 5 | + "math/rand/v2" |
| 6 | + "testing" |
| 7 | + |
| 8 | + "k8s.io/apimachinery/pkg/runtime" |
| 9 | + |
| 10 | + configv1 "github.com/openshift/api/config/v1" |
| 11 | + operatorencryption "github.com/openshift/cluster-authentication-operator/test/library/encryption" |
| 12 | + library "github.com/openshift/library-go/test/library/encryption" |
| 13 | + librarykms "github.com/openshift/library-go/test/library/encryption/kms" |
| 14 | +) |
| 15 | + |
| 16 | +// TestKMSEncryptionOnOff tests KMS encryption on/off cycle. |
| 17 | +// This test: |
| 18 | +// 1. Creates a test OAuth access token (TokenOfLife) |
| 19 | +// 2. Enables KMS encryption |
| 20 | +// 3. Verifies token is encrypted |
| 21 | +// 4. Disables encryption (Identity) |
| 22 | +// 5. Verifies token is NOT encrypted |
| 23 | +// 6. Re-enables KMS encryption |
| 24 | +// 7. Verifies token is encrypted again |
| 25 | +// 8. Disables encryption (Identity) again |
| 26 | +// 9. Verifies token is NOT encrypted again |
| 27 | +func TestKMSEncryptionOnOff(t *testing.T) { |
| 28 | + // Deploy the mock KMS plugin for testing. |
| 29 | + // NOTE: This manual deployment is only required for KMS v1. In the future, |
| 30 | + // the platform will manage the KMS plugins, and this code will no longer be needed. |
| 31 | + librarykms.DeployUpstreamMockKMSPlugin(context.Background(), t, library.GetClients(t).Kube, librarykms.WellKnownUpstreamMockKMSPluginNamespace, librarykms.WellKnownUpstreamMockKMSPluginImage) |
| 32 | + library.TestEncryptionTurnOnAndOff(t, library.OnOffScenario{ |
| 33 | + BasicScenario: library.BasicScenario{ |
| 34 | + Namespace: "openshift-config-managed", |
| 35 | + LabelSelector: "encryption.apiserver.operator.openshift.io/component" + "=" + "openshift-oauth-apiserver", |
| 36 | + EncryptionConfigSecretName: "encryption-config-openshift-oauth-apiserver", |
| 37 | + EncryptionConfigSecretNamespace: "openshift-config-managed", |
| 38 | + OperatorNamespace: "openshift-authentication-operator", |
| 39 | + TargetGRs: operatorencryption.DefaultTargetGRs, |
| 40 | + AssertFunc: operatorencryption.AssertTokens, |
| 41 | + }, |
| 42 | + CreateResourceFunc: func(t testing.TB, _ library.ClientSet, namespace string) runtime.Object { |
| 43 | + return operatorencryption.CreateAndStoreTokenOfLife(context.TODO(), t, operatorencryption.GetClients(t)) |
| 44 | + }, |
| 45 | + AssertResourceEncryptedFunc: operatorencryption.AssertTokenOfLifeEncrypted, |
| 46 | + AssertResourceNotEncryptedFunc: operatorencryption.AssertTokenOfLifeNotEncrypted, |
| 47 | + ResourceFunc: func(t testing.TB, _ string) runtime.Object { return operatorencryption.TokenOfLife(t) }, |
| 48 | + ResourceName: "TokenOfLife", |
| 49 | + EncryptionProvider: configv1.EncryptionTypeKMS, |
| 50 | + }) |
| 51 | +} |
| 52 | + |
| 53 | +// TestKMSEncryptionProvidersMigration tests migration between KMS and AES encryption providers. |
| 54 | +// This test: |
| 55 | +// 1. Deploys the mock KMS plugin |
| 56 | +// 2. Creates a test OAuth access token (TokenOfLife) |
| 57 | +// 3. Randomly picks one AES encryption provider (AESGCM or AESCBC) |
| 58 | +// 4. Shuffles the selected AES provider with KMS to create a randomized migration order |
| 59 | +// 5. Migrates between the providers in the shuffled order |
| 60 | +// 6. Verifies token is correctly encrypted after each migration |
| 61 | +func TestKMSEncryptionProvidersMigration(t *testing.T) { |
| 62 | + librarykms.DeployUpstreamMockKMSPlugin(context.Background(), t, library.GetClients(t).Kube, librarykms.WellKnownUpstreamMockKMSPluginNamespace, librarykms.WellKnownUpstreamMockKMSPluginImage) |
| 63 | + library.TestEncryptionProvidersMigration(t, library.ProvidersMigrationScenario{ |
| 64 | + BasicScenario: library.BasicScenario{ |
| 65 | + Namespace: "openshift-config-managed", |
| 66 | + LabelSelector: "encryption.apiserver.operator.openshift.io/component" + "=" + "openshift-oauth-apiserver", |
| 67 | + EncryptionConfigSecretName: "encryption-config-openshift-oauth-apiserver", |
| 68 | + EncryptionConfigSecretNamespace: "openshift-config-managed", |
| 69 | + OperatorNamespace: "openshift-authentication-operator", |
| 70 | + TargetGRs: operatorencryption.DefaultTargetGRs, |
| 71 | + AssertFunc: operatorencryption.AssertTokens, |
| 72 | + }, |
| 73 | + CreateResourceFunc: func(t testing.TB, _ library.ClientSet, namespace string) runtime.Object { |
| 74 | + return operatorencryption.CreateAndStoreTokenOfLife(context.TODO(), t, operatorencryption.GetClients(t)) |
| 75 | + }, |
| 76 | + AssertResourceEncryptedFunc: operatorencryption.AssertTokenOfLifeEncrypted, |
| 77 | + AssertResourceNotEncryptedFunc: operatorencryption.AssertTokenOfLifeNotEncrypted, |
| 78 | + ResourceFunc: func(t testing.TB, _ string) runtime.Object { return operatorencryption.TokenOfLife(t) }, |
| 79 | + ResourceName: "TokenOfLife", |
| 80 | + EncryptionProviders: library.ShuffleEncryptionProviders([]configv1.EncryptionType{configv1.EncryptionTypeKMS, library.SupportedStaticEncryptionProviders[rand.IntN(len(library.SupportedStaticEncryptionProviders))]}), |
| 81 | + }) |
| 82 | +} |
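Review bot: The randomized provider choice and shuffle in TestKMSEncryptionProvidersMigration (the `EncryptionProviders:` line) are never recorded, so a failure cannot be reproduced or attributed to a specific KMS↔AESGCM or KMS↔AESCBC path. Compute the list first and log it: `providers := library.ShuffleEncryptionProviders([]configv1.EncryptionType{configv1.EncryptionTypeKMS, library.SupportedStaticEncryptionProviders[rand.IntN(len(library.SupportedStaticEncryptionProviders))]})`, `t.Logf("KMS migration order: %v", providers)`, then `EncryptionProviders: providers,`. Note also that each run covers only one of the static providers, so a regression in the other path can go unnoticed for several CI runs; if that is intended, a comment saying so would help. Separately, both tests pass `context.Background()` to DeployUpstreamMockKMSPlugin but `context.TODO()` inside CreateResourceFunc, and the closure ignores the `library.ClientSet` and `namespace` it is handed in favour of `operatorencryption.GetClients(t)` — pick one context and, if the provided ClientSet is usable there, prefer it.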