Add CMEK E2E Test #218
Add CMEK E2E Test #218
Conversation
k8s-ci-robot
added
the
approved
k8s-ci-robot
added
size/XXL
| }, | ||
| } | ||
| key, err := kmsClient.CreateCryptoKey(ctx, keyReq) | ||
| if !gce.IsGCEError(err, "alreadyExists") { |
There was a problem hiding this comment.
should it already exist if we're generating uuid every time?
There was a problem hiding this comment.
no. I guess it should be a hard failure. this code exists from before I was creating UUID's or cleaning up crypto keys
|
|
||
| // The resource name of the key rings. | ||
| parentName := fmt.Sprintf("projects/%s/locations/%s", p, locationID) | ||
| keyRingId := "gce-pd-csi-test-ring" |
There was a problem hiding this comment.
Is there any possible issue of multiple tests sharing the same key ring? Or leaving a key ring around at the end of the test?
There was a problem hiding this comment.
key ring resource names are immutable.. all the tests will share the same key ring and the key ring will exist for the forseeable future. Talked to the CMEK TL and this is intended behavior
| defer func() { | ||
| // Delete Disk | ||
| controllerClient.DeleteVolume(volID) | ||
| Expect(err).To(BeNil(), "DeleteVolume failed") |
There was a problem hiding this comment.
previous line but it got lost somehow
test/e2e/utils/utils.go
Outdated
|
|
||
| // Set Cloud KMS permissions on compute service account | ||
| // TODO: Use the API to make this call instead of exec-ing gcloud command | ||
| computeSystemSA := fmt.Sprintf("service-%[email protected]", resp.ProjectNumber) |
There was a problem hiding this comment.
i'm not sure if this is the proper way we should be adding iam roles to project wide system accounts
There was a problem hiding this comment.
agreed, looking into alternatives now
| // Detach Disk | ||
| err = client.ControllerUnpublishVolume(volID, instance.GetNodeID()) | ||
| Expect(err).To(BeNil(), "ControllerUnpublishVolume failed with error") | ||
| _ = client.ControllerUnpublishVolume(volID, instance.GetNodeID()) |
There was a problem hiding this comment.
why do we not check for err?
davidz627
force-pushed
the
feature/CMEKTest
branch
from
48245d2 to
7721771
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: davidz627 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
davidz627
force-pushed
the
feature/CMEKTest
branch
from
7721771 to
5ffca02
Compare
|
/retest |
1 similar comment
|
/retest |
|
/test pull-gcp-compute-persistent-disk-csi-driver-e2e |
2 similar comments
|
/test pull-gcp-compute-persistent-disk-csi-driver-e2e |
|
/test pull-gcp-compute-persistent-disk-csi-driver-e2e |
davidz627
force-pushed
the
feature/CMEKTest
branch
2 times, most recently
from
d247734 to
5b8b082
Compare
|
/test pull-gcp-compute-persistent-disk-csi-driver-e2e |
|
|
||
| // Defer deletion of all key versions | ||
| // https://cloud.google.com/kms/docs/destroy-restore | ||
| // Temporarily disable revokation of CMEK key because of test infra CI permissions |
There was a problem hiding this comment.
this is still not resolved? will we be leaking resources?
There was a problem hiding this comment.
I'll add the permission for this. we are already leaking keyrings by design anyway (keyrings don't support deletion).
test/run-e2e-local.sh
Outdated
| ginkgo -v -focus=CMEK "test/e2e/tests" --logtostderr -- --project ${PROJECT} --service-account ${IAM_NAME} --v=4 |
There was a problem hiding this comment.
accidental git add
davidz627
force-pushed
the
feature/CMEKTest
branch
from
5b8b082 to
d042fcf
Compare
davidz627
force-pushed
the
feature/CMEKTest
branch
from
d042fcf to
3b8add3
Compare
|
/test pull-gcp-compute-persistent-disk-csi-driver-e2e |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
984feece Merge pull request kubernetes-sigs#234 from siddhikhapare/csi-tools 1f7e6059 fixed broken links of testgrid dashboard de2fba88 Merge pull request kubernetes-sigs#233 from andyzhangx/andyzhangx-patch-1 cee895e1 remove windows 20H2 build since it's EOL long time ago 670bb0ef Merge pull request kubernetes-sigs#229 from marosset/fix-codespell-errors 35d5e783 Merge pull request kubernetes-sigs#219 from yashsingh74/update-registry 63473cc9 Merge pull request kubernetes-sigs#231 from coulof/bump-go-version-1.20.5 29a5c76c Merge pull request kubernetes-sigs#228 from mowangdk/chore/adopt_kubernetes_recommand_labels 8dd28211 Update cloudbuild image with go 1.20.5 1df23dba Merge pull request kubernetes-sigs#230 from msau42/prow 1f92b7e7 Add ginkgo timeout to e2e tests to help catch any stuck tests 2b8b80ea fixing some codespell errors c10b6780 Merge pull request kubernetes-sigs#227 from coulof/check-sidecar-supported-versions 72984ec0 chore: adopt kubernetes recommand label b0555351 Header bd0a10b6 typo c39d73c3 Add comments f6491af0 Script to verify EOL sidecar version 4133d1df Merge pull request kubernetes-sigs#226 from msau42/cloudbuild 8d519d23 Pin buildkit to v0.10.6 to workaround v0.11 bug with docker manifest 6e04a030 Merge pull request kubernetes-sigs#224 from msau42/cloudbuild 26fdfffd Update cloudbuild image 6613c398 Merge pull request kubernetes-sigs#223 from sunnylovestiramisu/update 0e7ae993 Update k8s image repo url 77e47cce Merge pull request kubernetes-sigs#222 from xinydev/fix-dep-version 155854b0 Fix dep version mismatch 8f839056 Merge pull request kubernetes-sigs#221 from sunnylovestiramisu/go-update 1d3f94dd Update go version to 1.20 to match k/k v1.27 e322ce5e Merge pull request kubernetes-sigs#220 from andyzhangx/fix-golint-error b74a5120 test: fix golint error 901bcb5a Update registry k8s.gcr.io -> registry.k8s.io aa61bfd0 Merge pull request kubernetes-sigs#218 from xing-yang/update_csi_driver 7563d196 Update CSI_PROW_DRIVER_VERSION to v1.11.0 a2171bef Merge pull request kubernetes-sigs#216 from msau42/process cb987826 Merge pull request kubernetes-sigs#217 from msau42/owners a11216e4 add new reviewers and remove inactive reviewers dd986754 Add step for checking builds b66c0824 Merge pull request kubernetes-sigs#214 from pohly/junit-fixes b9b6763b filter-junit.go: fix loss of testcases when parsing Ginkgo v2 JUnit d4277839 filter-junit.go: preserve system error log 38e11468 prow.sh: publish individual JUnit files as separate artifacts git-subtree-dir: release-tools git-subtree-split: 984feece4bafac3aad74deeed76a500a0c485fb1
/assign @saad-ali @msau42
A CMEK E2E test that provisions with CMEK, tests lifecycle, revokes key, makes sure disk usage fails, activates key, makes sure lifecycle succeeds again.