Documentation
¶
Index ¶
- Variables
- func ApplyEncryption(ctx context.Context, t testing.TB, encryption configv1.APIServerEncryption)
- func AssertEncryptionConfig(t testing.TB, clientSet ClientSet, encryptionConfigSecretName string, ...)
- func AssertLastMigratedKey(t testing.TB, kubeClient kubernetes.Interface, ...)
- func AssertWellKnownRouteOfLifeEncrypted(t testing.TB, clientSet ClientSet, resource runtime.Object)
- func AssertWellKnownRouteOfLifeEncryptedWithKMS(t testing.TB, clientSet ClientSet, namespace, labelSelector string, ...)
- func AssertWellKnownRouteOfLifeNotEncrypted(t testing.TB, clientSet ClientSet, resource runtime.Object)
- func AssertWellKnownRoutes(t testing.TB, clientSet ClientSet, expectedMode configv1.EncryptionType, ...)
- func AssertWellKnownSecretOfLifeEncrypted(t testing.TB, clientSet ClientSet, resource runtime.Object)
- func AssertWellKnownSecretOfLifeEncryptedWithKMS(t testing.TB, clientSet ClientSet, namespace, labelSelector string, ...)
- func AssertWellKnownSecretOfLifeNotEncrypted(t testing.TB, clientSet ClientSet, resource runtime.Object)
- func AssertWellKnownSecretsAndConfigMaps(t testing.TB, clientSet ClientSet, expectedMode configv1.EncryptionType, ...)
- func AssertWellKnownTokenOfLifeEncrypted(t testing.TB, clientSet ClientSet, _ runtime.Object)
- func AssertWellKnownTokenOfLifeEncryptedWithKMS(t testing.TB, clientSet ClientSet, namespace, labelSelector string, ...)
- func AssertWellKnownTokenOfLifeNotEncrypted(t testing.TB, clientSet ClientSet, _ runtime.Object)
- func AssertWellKnownTokens(t testing.TB, clientSet ClientSet, expectedMode configv1.EncryptionType, ...)
- func CreateAndStoreWellKnownRouteOfLife(ctx context.Context, t testing.TB, cs ClientSet, ns string) runtime.Object
- func CreateAndStoreWellKnownSecretOfLife(t testing.TB, clientSet ClientSet, namespace string) runtime.Object
- func CreateAndStoreWellKnownTokenOfLife(ctx context.Context, t testing.TB, cs ClientSet) runtime.Object
- func ForceKeyRotation(t testing.TB, updateUnsupportedConfig UpdateUnsupportedConfigFunc, ...) error
- func GetRawWellKnownRouteOfLife(t testing.TB, clientSet ClientSet, ns string) string
- func GetRawWellKnownSecretOfLife(t testing.TB, clientSet ClientSet, namespace string) string
- func GetRawWellKnownTokenOfLife(t testing.TB, clientSet ClientSet) string
- func PrintEventsOnFailure(namespace string) func(*E)
- func TestEncryptionProvidersMigration(ctx context.Context, t testing.TB, scenario ProvidersMigrationScenario)
- func TestEncryptionRotation(ctx context.Context, t testing.TB, scenario RotationScenario)
- func TestEncryptionTurnOnAndOff(ctx context.Context, t testing.TB, scenario OnOffScenario)
- func TestEncryptionType(ctx context.Context, t testing.TB, scenario BasicScenario, ...)
- func TestEncryptionTypeAESCBC(ctx context.Context, t testing.TB, scenario BasicScenario, ...)
- func TestEncryptionTypeAESGCM(ctx context.Context, t testing.TB, scenario BasicScenario, ...)
- func TestEncryptionTypeIdentity(ctx context.Context, t testing.TB, scenario BasicScenario)
- func TestEncryptionTypeKMS(ctx context.Context, t testing.TB, scenario BasicScenario, ...)
- func TestEncryptionTypeUnset(ctx context.Context, t testing.TB, scenario BasicScenario)
- func TestKMSInPlaceUpdate(ctx context.Context, t testing.TB, scenario KMSInPlaceUpdateScenario)
- func TestPerfEncryption(ctx context.Context, t testing.TB, scenario PerfScenario)
- func VerifyResources(t testing.TB, etcdClient EtcdClient, etcdKeyPreifx string, expectedMode string, ...) (int, error)
- func WaitForCurrentKeyMigrated(t testing.TB, kubeClient kubernetes.Interface, prevKeyMeta EncryptionKeyMeta, ...)
- func WaitForEncryptionKeyBasedOn(t testing.TB, kubeClient kubernetes.Interface, prevKeyMeta EncryptionKeyMeta, ...)
- func WaitForNextMigratedKey(t testing.TB, kubeClient kubernetes.Interface, prevKeyMeta EncryptionKeyMeta, ...)
- func WaitForNoNewEncryptionKey(t testing.TB, kubeClient kubernetes.Interface, prevKeyMeta EncryptionKeyMeta, ...)
- func WaitForPodContainerCondition(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, ...)
- func WaitForPodImagePullBackOff(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, ...)
- func WellKnownRouteOfLife(_ testing.TB, ns string) runtime.Object
- func WellKnownSecretOfLife(_ testing.TB, namespace string) runtime.Object
- func WellKnownTokenOfLife(_ testing.TB, _ string) runtime.Object
- type BasicScenario
- type ClientSet
- type DBLoaderFuncType
- type E
- type EncryptionKeyMeta
- type EncryptionProvider
- type EtcdClient
- type ForceRotationFunc
- type GetOperatorConditionsFuncType
- type KMSInPlaceUpdateScenario
- type OnOffScenario
- type PerfScenario
- type ProvidersMigrationScenario
- type RotationScenario
- type UpdateUnsupportedConfigFunc
- type WaitForRotationCompleteFunc
Constants ¶
This section is empty.
Variables ¶
var ( SupportedStaticEncryptionProviders = []EncryptionProvider{ {APIServerEncryption: configv1.APIServerEncryption{Type: configv1.EncryptionTypeAESGCM}}, {APIServerEncryption: configv1.APIServerEncryption{Type: configv1.EncryptionTypeAESCBC}}, } )
var WellKnownAuthTargetGRs = []schema.GroupResource{
{Group: "oauth.openshift.io", Resource: "oauthaccesstokens"},
{Group: "oauth.openshift.io", Resource: "oauthauthorizetokens"},
}
var WellKnownKASTargetGRs = []schema.GroupResource{
{Group: "", Resource: "secrets"},
{Group: "", Resource: "configmaps"},
}
var WellKnownOASTargetGRs = []schema.GroupResource{
{Group: "route.openshift.io", Resource: "routes"},
}
Functions ¶
func ApplyEncryption ¶
ApplyEncryption applies the given encryption config to apiserver/cluster without waiting for completion.
func AssertEncryptionConfig ¶
func AssertEncryptionConfig(t testing.TB, clientSet ClientSet, encryptionConfigSecretName string, namespace string, targetGRs []schema.GroupResource)
AssertEncryptionConfig checks if the encryption config holds only targetGRs, this ensures that only those resources were encrypted, we don't check the keys because e2e tests are run randomly and we would have to consider all encryption secrets to get the right order of the keys. We test the content of the encryption config in more detail in unit and integration tests
func AssertLastMigratedKey ¶
func AssertLastMigratedKey(t testing.TB, kubeClient kubernetes.Interface, targetGRs []schema.GroupResource, namespace, labelSelector string)
func AssertWellKnownRoutes ¶
func AssertWellKnownTokens ¶
func ForceKeyRotation ¶
func ForceKeyRotation(t testing.TB, updateUnsupportedConfig UpdateUnsupportedConfigFunc, reason string) error
func PrintEventsOnFailure ¶
func TestEncryptionProvidersMigration ¶
func TestEncryptionProvidersMigration(ctx context.Context, t testing.TB, scenario ProvidersMigrationScenario)
TestEncryptionProvidersMigration tests migration between given encryption providers. It creates a resource, migrates through each provider, verifies the resource is encrypted after each migration, and finally switches to identity (off).
func TestEncryptionRotation ¶
func TestEncryptionRotation(ctx context.Context, t testing.TB, scenario RotationScenario)
TestEncryptionRotation encrypts data, forces a provider-specific key rotation, waits for re-migration to complete, and verifies the resource was re-encrypted with different content.
func TestEncryptionTurnOnAndOff ¶
func TestEncryptionTurnOnAndOff(ctx context.Context, t testing.TB, scenario OnOffScenario)
func TestEncryptionType ¶
func TestEncryptionType(ctx context.Context, t testing.TB, scenario BasicScenario, provider EncryptionProvider)
func TestEncryptionTypeAESCBC ¶
func TestEncryptionTypeAESCBC(ctx context.Context, t testing.TB, scenario BasicScenario, providers ...EncryptionProvider)
func TestEncryptionTypeAESGCM ¶
func TestEncryptionTypeAESGCM(ctx context.Context, t testing.TB, scenario BasicScenario, providers ...EncryptionProvider)
func TestEncryptionTypeIdentity ¶
func TestEncryptionTypeIdentity(ctx context.Context, t testing.TB, scenario BasicScenario)
func TestEncryptionTypeKMS ¶
func TestEncryptionTypeKMS(ctx context.Context, t testing.TB, scenario BasicScenario, providers ...EncryptionProvider)
func TestEncryptionTypeUnset ¶
func TestEncryptionTypeUnset(ctx context.Context, t testing.TB, scenario BasicScenario)
func TestKMSInPlaceUpdate ¶
func TestKMSInPlaceUpdate(ctx context.Context, t testing.TB, scenario KMSInPlaceUpdateScenario)
TestKMSInPlaceUpdate validates in-place KMS config field updates:
- Apply valid provider and verify migration
- Update in-place field and verify no new encryption key is created
- WaitForPropagation — caller verifies the change took effect
func TestPerfEncryption ¶
func TestPerfEncryption(ctx context.Context, t testing.TB, scenario PerfScenario)
func VerifyResources ¶
func WaitForCurrentKeyMigrated ¶
func WaitForCurrentKeyMigrated(t testing.TB, kubeClient kubernetes.Interface, prevKeyMeta EncryptionKeyMeta, targetGRs []schema.GroupResource, namespace, labelSelector string)
WaitForCurrentKeyMigrated waits until the current (latest) encryption key has completed migration for all target group resources. It fails if the key changes unexpectedly (i.e. a different key than prevKeyMeta appears).
func WaitForEncryptionKeyBasedOn ¶
func WaitForEncryptionKeyBasedOn(t testing.TB, kubeClient kubernetes.Interface, prevKeyMeta EncryptionKeyMeta, encryptionType configv1.EncryptionType, defaultTargetGRs []schema.GroupResource, namespace, labelSelector string)
func WaitForNextMigratedKey ¶
func WaitForNextMigratedKey(t testing.TB, kubeClient kubernetes.Interface, prevKeyMeta EncryptionKeyMeta, defaultTargetGRs []schema.GroupResource, namespace, labelSelector string)
func WaitForNoNewEncryptionKey ¶
func WaitForNoNewEncryptionKey(t testing.TB, kubeClient kubernetes.Interface, prevKeyMeta EncryptionKeyMeta, namespace, labelSelector string)
func WaitForPodContainerCondition ¶
func WaitForPodContainerCondition(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, namespace, labelSelector, keyName string, match func(pod corev1.Pod, keyName string) bool)
WaitForPodContainerCondition polls pods until at least one pod satisfies the given condition. keyName is the current encryption key secret name, passed to match so callers can correlate pod container names with the active key (e.g. vault-kms-plugin-42).
func WaitForPodImagePullBackOff ¶
func WaitForPodImagePullBackOff(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, namespace, labelSelector string, timeout time.Duration)
WaitForPodImagePullBackOff polls pods in the given namespace until at least one pod has a container stuck in ImagePullBackOff or ErrImagePull. When a KMS plugin image is invalid, the operator cannot progress because the sidecar container fails to start. The operator does not report Degraded in this case — it only gets stuck in Progressing. This function detects that stuck state by observing the pod-level image pull failure, which is the earliest signal that the invalid config has taken effect.
func WellKnownSecretOfLife ¶
Types ¶
type BasicScenario ¶
type BasicScenario struct {
Namespace string
LabelSelector string
EncryptionConfigSecretName string
EncryptionConfigSecretNamespace string
OperatorNamespace string
TargetGRs []schema.GroupResource
AssertFunc func(t testing.TB, clientSet ClientSet, expectedMode configv1.EncryptionType, namespace, labelSelector string)
}
type ClientSet ¶
type ClientSet struct {
Etcd EtcdClient
ApiServerConfig configv1client.APIServerInterface
Kube kubernetes.Interface
DynamicClient dynamic.Interface
}
func GetClients ¶
func SetAndWaitForEncryptionType ¶
func SetAndWaitForEncryptionType(ctx context.Context, t testing.TB, provider EncryptionProvider, defaultTargetGRs []schema.GroupResource, namespace, labelSelector string) ClientSet
type DBLoaderFuncType ¶
func DBLoaderRepeat ¶
func DBLoaderRepeat(times int, genNamespaceName bool, workToRepeatFunc ...DBLoaderFuncType) DBLoaderFuncType
func DBLoaderRepeatParallel ¶
func DBLoaderRepeatParallel(times int, workers int, genNamespaceName bool, workToRepeatFunc ...DBLoaderFuncType) DBLoaderFuncType
type E ¶
E is like testing.T except it overloads some methods to print to stdout when the encryption tests are run from a local machine
type EncryptionKeyMeta ¶
type EncryptionKeyMeta struct {
Name string
Migrated []schema.GroupResource
Mode string
}
func GetLastKeyMeta ¶
func GetLastKeyMeta(t testing.TB, kubeClient kubernetes.Interface, namespace, labelSelector string) (EncryptionKeyMeta, error)
type EncryptionProvider ¶
type EncryptionProvider struct {
configv1.APIServerEncryption
// Setup is called once before the provider is first used. May be nil.
Setup func(ctx context.Context, t testing.TB)
}
EncryptionProvider pairs an encryption config with an optional setup function that ensures prerequisites (secrets, credentials, infrastructure) are in place.
func ShuffleEncryptionProviders ¶
func ShuffleEncryptionProviders(providers []EncryptionProvider) []EncryptionProvider
ShuffleEncryptionProviders returns a new slice with the providers in random order, leaving the original slice unchanged. Use this to test different migration orderings.
type EtcdClient ¶
type EtcdClient interface {
Get(ctx context.Context, key string, opts ...clientv3.OpOption) (*clientv3.GetResponse, error)
}
func NewEtcdClient ¶
func NewEtcdClient(kubeClient kubernetes.Interface) EtcdClient
type ForceRotationFunc ¶
ForceRotationFunc triggers a key rotation in a provider-specific way. Static encryption (AES-CBC/AES-GCM) sets encryption.reason in unsupported config; KMS rotates the external KMS key (for example Vault transit).
func StaticEncryptionForceRotation ¶
func StaticEncryptionForceRotation(updateUnsupportedConfig UpdateUnsupportedConfigFunc) ForceRotationFunc
StaticEncryptionForceRotation returns a ForceRotationFunc that mints a new key via encryption.reason.
type GetOperatorConditionsFuncType ¶
type GetOperatorConditionsFuncType func(t testing.TB) ([]v1.OperatorCondition, error)
type KMSInPlaceUpdateScenario ¶
type KMSInPlaceUpdateScenario struct {
BasicScenario
Provider EncryptionProvider
UpdatedProvider EncryptionProvider
// WaitForPropagation is called after the in-place update to verify the change
// took effect. Receives the current encryption key so callers can match pod
// container names to the active key. Same pattern as WaitForStuck in
// KMSInvalidEncryptionRecoveryScenario.
WaitForPropagation func(ctx context.Context, t testing.TB, keyMeta EncryptionKeyMeta)
}
KMSInPlaceUpdateScenario tests that updating an in-place KMS config field (e.g. kmsPluginImage) takes effect without creating a new encryption key. The caller supplies Provider (initial valid config) and UpdatedProvider (same config with one in-place field changed).
type OnOffScenario ¶
type OnOffScenario struct {
BasicScenario
CreateResourceFunc func(t testing.TB, clientSet ClientSet, namespace string) runtime.Object
AssertResourceEncryptedFunc func(t testing.TB, clientSet ClientSet, resource runtime.Object)
AssertResourceNotEncryptedFunc func(t testing.TB, clientSet ClientSet, resource runtime.Object)
ResourceFunc func(t testing.TB, namespace string) runtime.Object
ResourceName string
EncryptionProvider EncryptionProvider
}
type PerfScenario ¶
type PerfScenario struct {
BasicScenario
GetOperatorConditionsFunc GetOperatorConditionsFuncType
DBLoaderFunc DBLoaderFuncType
AssertDBPopulatedFunc func(t testing.TB, errorStore map[string]int, statStore map[string]int)
AssertMigrationTime func(t testing.TB, migrationTime time.Duration)
// DBLoaderWorker is the number of workers that will execute DBLoaderFunc
DBLoaderWorkers int
EncryptionProvider EncryptionProvider
}
type ProvidersMigrationScenario ¶
type ProvidersMigrationScenario struct {
BasicScenario
CreateResourceFunc func(t testing.TB, clientSet ClientSet, namespace string) runtime.Object
AssertResourceEncryptedFunc func(t testing.TB, clientSet ClientSet, resource runtime.Object)
AssertResourceNotEncryptedFunc func(t testing.TB, clientSet ClientSet, resource runtime.Object)
ResourceFunc func(t testing.TB, namespace string) runtime.Object
ResourceName string
// EncryptionProviders is the list of encryption providers to migrate through.
// The test will migrate through each provider in order, then always end by
// switching to identity (off) to verify the resource is re-written unencrypted.
EncryptionProviders []EncryptionProvider
}
ProvidersMigrationScenario defines a test scenario for migrating encryption between multiple providers.
See TestEncryptionProvidersMigration for more details.
type RotationScenario ¶
type RotationScenario struct {
BasicScenario
CreateResourceFunc func(t testing.TB, clientSet ClientSet, namespace string) runtime.Object
GetRawResourceFunc func(t testing.TB, clientSet ClientSet, namespace string) string
EncryptionProvider EncryptionProvider
ForceRotationFunc ForceRotationFunc
WaitForRotationCompleteFunc WaitForRotationCompleteFunc
}
type WaitForRotationCompleteFunc ¶
type WaitForRotationCompleteFunc func(t testing.TB, clientSet ClientSet, prevKeyMeta EncryptionKeyMeta, scenario BasicScenario)
WaitForRotationCompleteFunc waits until re-migration after rotation has finished. Static encryption waits for the next encryption key secret to be migrated; KMS waits for a new finished entry in KeyRotationStatus, created by the rotation controller.
func WaitForNextEncryptionKeyRotation ¶
func WaitForNextEncryptionKeyRotation() WaitForRotationCompleteFunc
WaitForNextEncryptionKeyRotation waits until a new encryption key secret is fully migrated.