
Commit cacc6e7

authored
Merge pull request kubernetes#119531 from ritazh/kmsv2-test-enablement-restart
kmsv2 test feature enablement disablement and restart
2 parents 86b44a3 + 6776943 commit cacc6e7


6 files changed

+256
-43
lines changed


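--- a/test/integration/controlplane/transformation/all_transformation_test.go
+++ b/test/integration/controlplane/transformation/all_transformation_test.go
@@ -94,7 +94,7 @@ resources:
 - name: key1
 secret: c2VjcmV0IGlzIHNlY3VyZQ==
 `
-test, err := newTransformTest(t, encryptionConfig, false, "")
+test, err := newTransformTest(t, encryptionConfig, false, "", nil)
 if err != nil {
 t.Fatalf("failed to start Kube API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err)
 }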

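--- a/test/integration/controlplane/transformation/kms_transformation_test.go
+++ b/test/integration/controlplane/transformation/kms_transformation_test.go
@@ -28,7 +28,6 @@ import (
 "fmt"
 "math/rand"
 "os"
-"path"
 "path/filepath"
 "strings"
 "testing"
@@ -49,6 +48,7 @@ import (
 kmsapi "k8s.io/kms/apis/v1beta1"
 "k8s.io/kubernetes/test/integration"
 "k8s.io/kubernetes/test/integration/etcd"
+"k8s.io/kubernetes/test/integration/framework"
 )
 
 const (
@@ -133,7 +133,7 @@ resources:
 `
 providerName := "kms-provider"
 pluginMock := mock.NewBase64Plugin(t, "@kms-provider.sock")
-test, err := newTransformTest(t, encryptionConfig, false, "")
+test, err := newTransformTest(t, encryptionConfig, false, "", nil)
 if err != nil {
 t.Fatalf("failed to start KUBE API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err)
 }
@@ -295,6 +295,7 @@ resources:
 // 10. confirm that cluster wide secret read still works
 // 11. confirm that api server can restart with last applied encryption config
 func TestEncryptionConfigHotReload(t *testing.T) {
+storageConfig := framework.SharedEtcd()
 encryptionConfig := `
 kind: EncryptionConfiguration
 apiVersion: apiserver.config.k8s.io/v1
@@ -309,7 +310,7 @@ resources:
 `
 _ = mock.NewBase64Plugin(t, "@kms-provider.sock")
 var restarted bool
-test, err := newTransformTest(t, encryptionConfig, true, "")
+test, err := newTransformTest(t, encryptionConfig, true, "", storageConfig)
 if err != nil {
 t.Fatalf("failed to start KUBE API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err)
 }
@@ -365,7 +366,7 @@ resources:
 // start new KMS Plugin
 _ = mock.NewBase64Plugin(t, "@new-kms-provider.sock")
 // update encryption config
-if err := os.WriteFile(path.Join(test.configDir, encryptionConfigFileName), []byte(encryptionConfigWithNewProvider), 0644); err != nil {
+if err := os.WriteFile(filepath.Join(test.configDir, encryptionConfigFileName), []byte(encryptionConfigWithNewProvider), 0644); err != nil {
 t.Fatalf("failed to update encryption config, err: %v", err)
 }
 
@@ -377,8 +378,9 @@ resources:
 
 // run storage migration
 // get secrets
+ctx := testContext(t)
 secretsList, err := test.restClient.CoreV1().Secrets("").List(
-context.TODO(),
+ctx,
 metav1.ListOptions{},
 )
 if err != nil {
@@ -388,7 +390,7 @@ resources:
 for _, secret := range secretsList.Items {
 // update secret
 _, err = test.restClient.CoreV1().Secrets(secret.Namespace).Update(
-context.TODO(),
+ctx,
 &secret,
 metav1.UpdateOptions{},
 )
@@ -399,7 +401,7 @@ resources:
 
 // get configmaps
 configmapsList, err := test.restClient.CoreV1().ConfigMaps("").List(
-context.TODO(),
+ctx,
 metav1.ListOptions{},
 )
 if err != nil {
@@ -409,7 +411,7 @@ resources:
 for _, configmap := range configmapsList.Items {
 // update configmap
 _, err = test.restClient.CoreV1().ConfigMaps(configmap.Namespace).Update(
-context.TODO(),
+ctx,
 &configmap,
 metav1.UpdateOptions{},
 )
@@ -463,7 +465,7 @@ resources:
 `
 
 // update encryption config and wait for hot reload
-if err := os.WriteFile(path.Join(test.configDir, encryptionConfigFileName), []byte(encryptionConfigWithoutOldProvider), 0644); err != nil {
+if err := os.WriteFile(filepath.Join(test.configDir, encryptionConfigFileName), []byte(encryptionConfigWithoutOldProvider), 0644); err != nil {
 t.Fatalf("failed to update encryption config, err: %v", err)
 }
 
@@ -472,7 +474,7 @@ resources:
 
 // confirm that reading secrets still works
 _, err = test.restClient.CoreV1().Secrets(testNamespace).Get(
-context.TODO(),
+ctx,
 testSecret,
 metav1.GetOptions{},
 )
@@ -481,13 +483,13 @@ resources:
 }
 
 // make sure cluster wide secrets read still works
-_, err = test.restClient.CoreV1().Secrets("").List(context.TODO(), metav1.ListOptions{})
+_, err = test.restClient.CoreV1().Secrets("").List(ctx, metav1.ListOptions{})
 if err != nil {
 t.Fatalf("failed to list secrets, err: %v", err)
 }
 
 // make sure cluster wide configmaps read still works
-_, err = test.restClient.CoreV1().ConfigMaps("").List(context.TODO(), metav1.ListOptions{})
+_, err = test.restClient.CoreV1().ConfigMaps("").List(ctx, metav1.ListOptions{})
 if err != nil {
 t.Fatalf("failed to list configmaps, err: %v", err)
 }
@@ -496,19 +498,28 @@ resources:
 previousConfigDir := test.configDir
 test.shutdownAPIServer()
 restarted = true
-test, err = newTransformTest(t, "", true, previousConfigDir)
+test, err = newTransformTest(t, test.transformerConfig, true, previousConfigDir, storageConfig)
 if err != nil {
 t.Fatalf("failed to start KUBE API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err)
 }
 defer test.cleanUp()
 
+_, err = test.restClient.CoreV1().Secrets(testNamespace).Get(
+ctx,
+testSecret,
+metav1.GetOptions{},
+)
+if err != nil {
+t.Fatalf("failed to read secret, err: %v", err)
+}
+
 // confirm that reading cluster wide secrets still works after restart
-if _, err = test.restClient.CoreV1().Secrets("").List(context.TODO(), metav1.ListOptions{}); err != nil {
+if _, err = test.restClient.CoreV1().Secrets("").List(ctx, metav1.ListOptions{}); err != nil {
 t.Fatalf("failed to list secrets, err: %v", err)
 }
 
 // make sure cluster wide configmaps read still works
-if _, err = test.restClient.CoreV1().ConfigMaps("").List(context.TODO(), metav1.ListOptions{}); err != nil {
+if _, err = test.restClient.CoreV1().ConfigMaps("").List(ctx, metav1.ListOptions{}); err != nil {
 t.Fatalf("failed to list configmaps, err: %v", err)
 }
 }
@@ -531,7 +542,7 @@ resources:
 _ = mock.NewBase64Plugin(t, "@encrypt-all-kms-provider.sock")
 defer featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllAlpha", true)()
 defer featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllBeta", true)()
-test, err := newTransformTest(t, encryptionConfig, false, "")
+test, err := newTransformTest(t, encryptionConfig, false, "", nil)
 if err != nil {
 t.Fatalf("failed to start KUBE API Server with encryptionConfig")
 }
@@ -643,7 +654,7 @@ resources:
 _ = mock.NewBase64Plugin(t, "@kms-provider.sock")
 _ = mock.NewBase64Plugin(t, "@encrypt-all-kms-provider.sock")
 
-test, err := newTransformTest(t, encryptionConfig, false, "")
+test, err := newTransformTest(t, encryptionConfig, false, "", nil)
 if err != nil {
 t.Fatalf("failed to start KUBE API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err)
 }
@@ -785,9 +796,8 @@ resources:
 `
 _ = mock.NewBase64Plugin(t, "@kms-provider.sock")
 
-test, err := newTransformTest(t, encryptionConfig, true, "")
+test, err := newTransformTest(t, encryptionConfig, true, "", nil)
 if err != nil {
-test.cleanUp()
 t.Fatalf("failed to start KUBE API Server with encryptionConfig\n %s, error: %v", encryptionConfig, err)
 }
 defer test.cleanUp()
@@ -950,7 +960,7 @@ resources:
 pluginMock1 := mock.NewBase64Plugin(t, "@kms-provider-1.sock")
 pluginMock2 := mock.NewBase64Plugin(t, "@kms-provider-2.sock")
 
-test, err := newTransformTest(t, encryptionConfig, false, "")
+test, err := newTransformTest(t, encryptionConfig, false, "", nil)
 if err != nil {
 t.Fatalf("failed to start kube-apiserver, error: %v", err)
 }
@@ -1006,7 +1016,7 @@ resources:
 pluginMock1 := mock.NewBase64Plugin(t, "@kms-provider-1.sock")
 pluginMock2 := mock.NewBase64Plugin(t, "@kms-provider-2.sock")
 
-test, err := newTransformTest(t, encryptionConfig, true, "")
+test, err := newTransformTest(t, encryptionConfig, true, "", nil)
 if err != nil {
 t.Fatalf("Failed to start kube-apiserver, error: %v", err)
 }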
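Review bot: In the restart hunk of TestEncryptionConfigHotReload, the `t.Fatalf` after `newTransformTest(t, test.transformerConfig, true, previousConfigDir, storageConfig)` still prints `encryptionConfig`, the initial config, although by then the file in `previousConfigDir` has been rewritten to `encryptionConfigWithoutOldProvider`, so a restart failure would be reported against the wrong provider list. I would change it to `t.Fatalf("failed to restart KUBE API Server from config dir %s, error: %v", previousConfigDir, err)` and add a one-line comment on the call saying whether `test.transformerConfig` or the file already in the directory is what the restarted server loads; `newTransformTest` is not shown in this section, so that cannot be read off here. The added `Get` of `testSecret` after the restart only checks `err`; keeping the result and comparing its data with the value the test stored for it (presumably created earlier in the function) would confirm the secret actually decrypts from the shared etcd under the last applied config. The function begins before this hunk.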
