2021-12-07 22:31:32 +00:00
|
|
|
package integration
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"regexp"
|
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
2022-03-15 17:29:56 +00:00
|
|
|
testutil "github.com/k3s-io/k3s/tests/integration"
|
2022-02-09 16:22:53 +00:00
|
|
|
. "github.com/onsi/ginkgo/v2"
|
2021-12-07 22:31:32 +00:00
|
|
|
. "github.com/onsi/gomega"
|
|
|
|
)
|
|
|
|
|
|
|
|
var secretsEncryptionServer *testutil.K3sServer
|
|
|
|
var secretsEncryptionDataDir = "/tmp/k3sse"
|
|
|
|
var secretsEncryptionServerArgs = []string{"--secrets-encryption", "-d", secretsEncryptionDataDir}
|
2022-02-25 16:42:21 +00:00
|
|
|
var testLock int
|
|
|
|
|
2021-12-07 22:31:32 +00:00
|
|
|
var _ = BeforeSuite(func() {
|
|
|
|
if !testutil.IsExistingServer() {
|
|
|
|
var err error
|
2022-02-25 16:42:21 +00:00
|
|
|
testLock, err = testutil.K3sTestLock()
|
|
|
|
Expect(err).ToNot(HaveOccurred())
|
2021-12-07 22:31:32 +00:00
|
|
|
secretsEncryptionServer, err = testutil.K3sStartServer(secretsEncryptionServerArgs...)
|
|
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
2022-08-31 22:40:17 +00:00
|
|
|
var _ = Describe("secrets encryption rotation", Ordered, func() {
|
2021-12-07 22:31:32 +00:00
|
|
|
BeforeEach(func() {
|
|
|
|
if testutil.IsExistingServer() {
|
|
|
|
Skip("Test does not support running on existing k3s servers")
|
|
|
|
}
|
|
|
|
})
|
|
|
|
When("A server starts with secrets encryption", func() {
|
|
|
|
It("starts up with no problems", func() {
|
2022-06-13 20:32:13 +00:00
|
|
|
Eventually(func() error {
|
|
|
|
return testutil.K3sDefaultDeployments()
|
|
|
|
}, "180s", "5s").Should(Succeed())
|
2021-12-07 22:31:32 +00:00
|
|
|
})
|
|
|
|
It("it creates a encryption key", func() {
|
2022-01-06 16:05:56 +00:00
|
|
|
result, err := testutil.K3sCmd("secrets-encrypt status -d", secretsEncryptionDataDir)
|
2021-12-07 22:31:32 +00:00
|
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
Expect(result).To(ContainSubstring("Encryption Status: Enabled"))
|
|
|
|
Expect(result).To(ContainSubstring("Current Rotation Stage: start"))
|
|
|
|
})
|
|
|
|
})
|
|
|
|
When("A server rotates encryption keys", func() {
|
|
|
|
It("it prepares to rotate", func() {
|
2022-01-06 16:05:56 +00:00
|
|
|
Expect(testutil.K3sCmd("secrets-encrypt prepare -d", secretsEncryptionDataDir)).
|
2021-12-07 22:31:32 +00:00
|
|
|
To(ContainSubstring("prepare completed successfully"))
|
|
|
|
|
2022-01-06 16:05:56 +00:00
|
|
|
result, err := testutil.K3sCmd("secrets-encrypt status -d", secretsEncryptionDataDir)
|
2021-12-07 22:31:32 +00:00
|
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
Expect(result).To(ContainSubstring("Current Rotation Stage: prepare"))
|
|
|
|
reg, err := regexp.Compile(`AES-CBC.+aescbckey.*`)
|
|
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
keys := reg.FindAllString(result, -1)
|
|
|
|
Expect(keys).To(HaveLen(2))
|
|
|
|
Expect(keys[0]).To(ContainSubstring("aescbckey"))
|
|
|
|
Expect(keys[1]).To(ContainSubstring("aescbckey-" + fmt.Sprint(time.Now().Year())))
|
|
|
|
})
|
|
|
|
It("restarts the server", func() {
|
|
|
|
var err error
|
2022-02-25 16:42:21 +00:00
|
|
|
Expect(testutil.K3sKillServer(secretsEncryptionServer)).To(Succeed())
|
2021-12-07 22:31:32 +00:00
|
|
|
secretsEncryptionServer, err = testutil.K3sStartServer(secretsEncryptionServerArgs...)
|
|
|
|
Expect(err).ToNot(HaveOccurred())
|
2022-06-13 20:32:13 +00:00
|
|
|
Eventually(func() error {
|
|
|
|
return testutil.K3sDefaultDeployments()
|
|
|
|
}, "180s", "5s").Should(Succeed())
|
2022-10-08 00:36:57 +00:00
|
|
|
Eventually(func() (string, error) {
|
|
|
|
return testutil.K3sCmd("secrets-encrypt status -d", secretsEncryptionDataDir)
|
|
|
|
}, "30s", "5s").Should(ContainSubstring("Current Rotation Stage: prepare"))
|
2021-12-07 22:31:32 +00:00
|
|
|
})
|
|
|
|
It("rotates the keys", func() {
|
2022-10-08 00:36:57 +00:00
|
|
|
Expect(testutil.K3sCmd("secrets-encrypt rotate -d", secretsEncryptionDataDir)).
|
|
|
|
To(ContainSubstring("rotate completed successfully"))
|
2022-01-06 16:05:56 +00:00
|
|
|
result, err := testutil.K3sCmd("secrets-encrypt status -d", secretsEncryptionDataDir)
|
2021-12-07 22:31:32 +00:00
|
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
Expect(result).To(ContainSubstring("Current Rotation Stage: rotate"))
|
|
|
|
reg, err := regexp.Compile(`AES-CBC.+aescbckey.*`)
|
|
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
keys := reg.FindAllString(result, -1)
|
|
|
|
Expect(keys).To(HaveLen(2))
|
|
|
|
Expect(keys[0]).To(ContainSubstring("aescbckey-" + fmt.Sprint(time.Now().Year())))
|
|
|
|
Expect(keys[1]).To(ContainSubstring("aescbckey"))
|
|
|
|
})
|
|
|
|
It("restarts the server", func() {
|
|
|
|
var err error
|
2022-02-25 16:42:21 +00:00
|
|
|
Expect(testutil.K3sKillServer(secretsEncryptionServer)).To(Succeed())
|
2021-12-07 22:31:32 +00:00
|
|
|
secretsEncryptionServer, err = testutil.K3sStartServer(secretsEncryptionServerArgs...)
|
|
|
|
Expect(err).ToNot(HaveOccurred())
|
2022-06-13 20:32:13 +00:00
|
|
|
Eventually(func() error {
|
|
|
|
return testutil.K3sDefaultDeployments()
|
|
|
|
}, "180s", "5s").Should(Succeed())
|
2023-08-25 05:09:13 +00:00
|
|
|
|
|
|
|
Eventually(func() (string, error) {
|
|
|
|
return testutil.K3sCmd("secrets-encrypt status -d", secretsEncryptionDataDir)
|
|
|
|
}, "120s", "5s").Should(ContainSubstring("Current Rotation Stage: rotate"))
|
2021-12-07 22:31:32 +00:00
|
|
|
})
|
|
|
|
It("reencrypts the keys", func() {
|
2022-01-06 16:05:56 +00:00
|
|
|
Expect(testutil.K3sCmd("secrets-encrypt reencrypt -d", secretsEncryptionDataDir)).
|
2021-12-07 22:31:32 +00:00
|
|
|
To(ContainSubstring("reencryption started"))
|
|
|
|
Eventually(func() (string, error) {
|
2022-01-06 16:05:56 +00:00
|
|
|
return testutil.K3sCmd("secrets-encrypt status -d", secretsEncryptionDataDir)
|
2022-04-14 18:46:37 +00:00
|
|
|
}, "45s", "2s").Should(ContainSubstring("Current Rotation Stage: reencrypt_finished"))
|
2022-01-06 16:05:56 +00:00
|
|
|
result, err := testutil.K3sCmd("secrets-encrypt status -d", secretsEncryptionDataDir)
|
2021-12-07 22:31:32 +00:00
|
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
reg, err := regexp.Compile(`AES-CBC.+aescbckey.*`)
|
|
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
keys := reg.FindAllString(result, -1)
|
|
|
|
Expect(keys).To(HaveLen(1))
|
|
|
|
Expect(keys[0]).To(ContainSubstring("aescbckey-" + fmt.Sprint(time.Now().Year())))
|
|
|
|
})
|
|
|
|
})
|
|
|
|
When("A server disables encryption", func() {
|
|
|
|
It("it triggers the disable", func() {
|
2022-01-06 16:05:56 +00:00
|
|
|
Expect(testutil.K3sCmd("secrets-encrypt disable -d", secretsEncryptionDataDir)).
|
2021-12-07 22:31:32 +00:00
|
|
|
To(ContainSubstring("secrets-encryption disabled"))
|
|
|
|
|
2022-01-06 16:05:56 +00:00
|
|
|
result, err := testutil.K3sCmd("secrets-encrypt status -d", secretsEncryptionDataDir)
|
2021-12-07 22:31:32 +00:00
|
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
Expect(result).To(ContainSubstring("Encryption Status: Disabled"))
|
|
|
|
})
|
|
|
|
It("restarts the server", func() {
|
|
|
|
var err error
|
2022-02-25 16:42:21 +00:00
|
|
|
Expect(testutil.K3sKillServer(secretsEncryptionServer)).To(Succeed())
|
2021-12-07 22:31:32 +00:00
|
|
|
secretsEncryptionServer, err = testutil.K3sStartServer(secretsEncryptionServerArgs...)
|
|
|
|
Expect(err).ToNot(HaveOccurred())
|
2022-06-13 20:32:13 +00:00
|
|
|
Eventually(func() error {
|
|
|
|
return testutil.K3sDefaultDeployments()
|
|
|
|
}, "180s", "5s").Should(Succeed())
|
2021-12-07 22:31:32 +00:00
|
|
|
time.Sleep(10 * time.Second)
|
|
|
|
})
|
|
|
|
It("reencrypts the keys", func() {
|
2022-01-06 16:05:56 +00:00
|
|
|
result, err := testutil.K3sCmd("secrets-encrypt reencrypt -f --skip -d", secretsEncryptionDataDir)
|
2021-12-07 22:31:32 +00:00
|
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
Expect(result).To(ContainSubstring("reencryption started"))
|
|
|
|
|
2022-01-06 16:05:56 +00:00
|
|
|
result, err = testutil.K3sCmd("secrets-encrypt status -d", secretsEncryptionDataDir)
|
2021-12-07 22:31:32 +00:00
|
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
Expect(result).To(ContainSubstring("Encryption Status: Disabled"))
|
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2023-01-12 21:43:31 +00:00
|
|
|
var failed bool
|
|
|
|
var _ = AfterEach(func() {
|
|
|
|
failed = failed || CurrentSpecReport().Failed()
|
|
|
|
})
|
|
|
|
|
2021-12-07 22:31:32 +00:00
|
|
|
var _ = AfterSuite(func() {
|
|
|
|
if !testutil.IsExistingServer() {
|
2023-01-12 21:43:31 +00:00
|
|
|
if failed {
|
|
|
|
testutil.K3sSaveLog(secretsEncryptionServer, false)
|
2022-08-31 22:40:17 +00:00
|
|
|
}
|
2022-02-25 16:42:21 +00:00
|
|
|
Expect(testutil.K3sKillServer(secretsEncryptionServer)).To(Succeed())
|
|
|
|
Expect(testutil.K3sCleanup(testLock, secretsEncryptionDataDir)).To(Succeed())
|
2021-12-07 22:31:32 +00:00
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
func Test_IntegrationSecretsEncryption(t *testing.T) {
|
|
|
|
RegisterFailHandler(Fail)
|
2022-02-09 16:22:53 +00:00
|
|
|
RunSpecs(t, "Secrets Encryption Suite")
|
2021-12-07 22:31:32 +00:00
|
|
|
}
|