Modify the functional tests for new pkcs11 support

openstack-k8s-operators · Jan 20, 2025 · 03e16f4 · 03e16f4
1 parent 470d295
commit 03e16f4
Show file tree

Hide file tree

Showing 6 changed files with 168 additions and 136 deletions.
diff --git a/pkg/barbican/const.go b/pkg/barbican/const.go
@@ -51,8 +51,12 @@ const (
 	LogVolume = "logs"
 	// ConfigVolume is the default volume name used to mount service config
 	ConfigVolume = "config-data"
+	// ConfigMountPoint is the mount point for service config
+	ConfigMountPoint = "/var/lib/config-data/default"
 	// ScriptVolume is the default volume name used to mount scripts
 	ScriptVolume = "scripts"
+	// ScriptMountPoint is the mount point for scripts
+	ScriptMountPoint = "/usr/local/bin/container-scripts"
 	// P11DataVolume is the volume used to mount PKCS11 client Data
 	P11ClientDataVolume = "p11-client-data"
 	// P11DataVolume is the mount point used for PKCS11 client Data

diff --git a/pkg/barbican/volumes.go b/pkg/barbican/volumes.go
@@ -39,7 +39,7 @@ func GetVolumeMounts(secretNames []string) []corev1.VolumeMount {
 	vm := []corev1.VolumeMount{
 		{
 			Name:      ConfigVolume,
-			MountPath: "/var/lib/config-data/default",
+			MountPath: ConfigMountPoint,
 			ReadOnly:  true,
 		},
 		{
@@ -106,7 +106,7 @@ func GetLogVolume() corev1.Volume {
 func GetScriptVolumeMount() corev1.VolumeMount {
 	return corev1.VolumeMount{
 		Name:      ScriptVolume,
-		MountPath: "/usr/local/bin/container-scripts",
+		MountPath: ScriptMountPoint,
 		ReadOnly:  true,
 	}
 }

diff --git a/tests/functional/barbican_controller_test.go b/tests/functional/barbican_controller_test.go
@@ -91,7 +91,7 @@ var _ = Describe("Barbican controller", func() {
 		BeforeEach(func() {
 			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, "rabbitmq-secret"))
 			DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, GetDefaultBarbicanSpec()))
-			DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName))
+			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanSecret(barbicanTest.Instance.Namespace, SecretName))
 			DeferCleanup(
 				mariadb.DeleteDBService,
 				mariadb.CreateDBService(
@@ -165,10 +165,7 @@ var _ = Describe("Barbican controller", func() {
 		BeforeEach(func() {
 			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, "rabbitmq-secret"))
 			DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, GetDefaultBarbicanSpec()))
-			DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName))
-
-			DeferCleanup(
-				k8sClient.Delete, ctx, CreateBarbicanSecret(barbicanTest.Instance.Namespace, "test-osp-secret-barbican"))
+			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanSecret(barbicanTest.Instance.Namespace, SecretName))
 
 			DeferCleanup(
 				mariadb.DeleteDBService,
@@ -224,7 +221,7 @@ var _ = Describe("Barbican controller", func() {
 			DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, GetTLSBarbicanSpec()))
 			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, barbicanTest.RabbitmqSecretName))
 			DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetTLSBarbicanAPISpec()))
-			DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName))
+			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanSecret(barbicanTest.Instance.Namespace, SecretName))
 			DeferCleanup(
 				mariadb.DeleteDBService,
 				mariadb.CreateDBService(
@@ -299,10 +296,7 @@ var _ = Describe("Barbican controller", func() {
 			spec["barbicanAPI"] = GetDefaultBarbicanAPISpec()
 			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, "rabbitmq-secret"))
 			DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, spec))
-			DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName))
-
-			DeferCleanup(
-				k8sClient.Delete, ctx, CreateBarbicanSecret(barbicanTest.Instance.Namespace, "test-osp-secret-barbican"))
+			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanSecret(barbicanTest.Instance.Namespace, SecretName))
 
 			DeferCleanup(
 				mariadb.DeleteDBService,
@@ -432,15 +426,15 @@ var _ = Describe("Barbican controller", func() {
 		})
 	})
 
-	When("A Barbican with HSM is created", func() {
+	When("A Barbican with pkcs11 plugin is created", func() {
 		BeforeEach(func() {
-			DeferCleanup(k8sClient.Delete, ctx, CreateHSMLoginSecret(barbicanTest.Instance.Namespace, HSMLoginSecret))
-			DeferCleanup(k8sClient.Delete, ctx, CreateHSMCertsSecret(barbicanTest.Instance.Namespace, HSMCertsSecret))
+			DeferCleanup(k8sClient.Delete, ctx, CreateP11LoginSecret(barbicanTest.Instance.Namespace, P11LoginSecret))
+			DeferCleanup(k8sClient.Delete, ctx, CreateP11ClientDataSecret(barbicanTest.Instance.Namespace, P11ClientDataSecret))
 
-			DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, GetHSMBarbicanSpec()))
+			DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, GetP11BarbicanSpec()))
 			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, barbicanTest.RabbitmqSecretName))
 			infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL)
-			DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName))
+			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanSecret(barbicanTest.Instance.Namespace, SecretName))
 			DeferCleanup(
 				mariadb.DeleteDBService,
 				mariadb.CreateDBService(
@@ -455,7 +449,7 @@ var _ = Describe("Barbican controller", func() {
 			mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName)
 			DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace))
 			th.SimulateJobSuccess(barbicanTest.BarbicanDBSync)
-			DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetHSMBarbicanAPISpec()))
+			DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetP11BarbicanAPISpec()))
 			th.SimulateJobSuccess(barbicanTest.BarbicanP11Prep)
 		})
 
@@ -483,7 +477,7 @@ var _ = Describe("Barbican controller", func() {
 			Expect(container.ReadinessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP))
 			Expect(container.LivenessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP))
 
-			// Checking the HSM container
+			// Checking the P11 Client Data container
 			Expect(container.Name).To(Equal(barbican.ComponentAPI))
 			foundMount := false
 			indexMount := 0
@@ -498,70 +492,100 @@ var _ = Describe("Barbican controller", func() {
 			Expect(container.VolumeMounts[indexMount].MountPath).To(Equal(barbican.P11ClientDataMountPoint))
 		})
 
-		It("Verifies the PKCS11 struct is in good shape", func() {
+		It("Verifies the Barbican PKCS11 struct is in good shape", func() {
 			Barbican := GetBarbican(barbicanTest.Instance)
 			Expect(Barbican.Spec.EnabledSecretStores).Should(Equal([]barbicanv1beta1.SecretStore{"pkcs11"}))
 			Expect(Barbican.Spec.GlobalDefaultSecretStore).Should(Equal(barbicanv1beta1.SecretStore("pkcs11")))
 
 			pkcs11 := Barbican.Spec.PKCS11
-			Expect(pkcs11.LoginSecret).Should(Equal(HSMLoginSecret))
+			Expect(pkcs11.LoginSecret).Should(Equal(P11LoginSecret))
+			Expect(pkcs11.ClientDataSecret).Should(Equal(P11ClientDataSecret))
+			Expect(pkcs11.ClientDataPath).Should(Equal(P11ClientDataPath))
+		})
+
+		It("Verifies the BarbicanAPI PKCS11 struct is in good shape", func() {
+			BarbicanAPI := GetBarbicanAPI(barbicanTest.Instance)
+			Expect(BarbicanAPI.Spec.EnabledSecretStores).Should(Equal([]barbicanv1beta1.SecretStore{"pkcs11"}))
+			Expect(BarbicanAPI.Spec.GlobalDefaultSecretStore).Should(Equal(barbicanv1beta1.SecretStore("pkcs11")))
+
+			pkcs11 := BarbicanAPI.Spec.PKCS11
+			Expect(pkcs11.LoginSecret).Should(Equal(P11LoginSecret))
+			Expect(pkcs11.ClientDataSecret).Should(Equal(P11ClientDataSecret))
+			Expect(pkcs11.ClientDataPath).Should(Equal(P11ClientDataPath))
 		})
 
 		It("Checks if the two relevant secrets have the right contents", func() {
-			hsmSecret := th.GetSecret(barbicanTest.BarbicanHSMLoginSecret)
+			// TODO(alee) Eliminate this test?  Not sure if it tests anything other than setup
+			hsmSecret := th.GetSecret(barbicanTest.BarbicanP11LoginSecret)
 			Expect(hsmSecret).ShouldNot(BeNil())
-			confHSM := hsmSecret.Data["hsmLogin"]
-			Expect(confHSM).To(
+			confP11 := hsmSecret.Data["P11CryptoLogin"]
+			Expect(confP11).To(
 				ContainSubstring("12345678"))
 
-			certsSecret := th.GetSecret(barbicanTest.BarbicanHSMCertsSecret)
-			Expect(certsSecret).ShouldNot(BeNil())
-			confCA := certsSecret.Data["CACert.pem"]
+			clientDataSecret := th.GetSecret(barbicanTest.BarbicanP11ClientDataSecret)
+			Expect(clientDataSecret).ShouldNot(BeNil())
+			confClient := clientDataSecret.Data["Client.cfg"]
+			Expect(confClient).To(
+				ContainSubstring("dummy-data"))
+			confCA := clientDataSecret.Data["CACert.pem"]
 			Expect(confCA).To(
 				ContainSubstring("dummy-data"))
-			confServer := certsSecret.Data[HSMServerAddress+"Server.pem"]
+			confServer := clientDataSecret.Data["Server.pem"]
 			Expect(confServer).To(
 				ContainSubstring("dummy-data"))
 
-			confClient := certsSecret.Data[HSMClientAddress+"Client.pem"]
+			confClient = clientDataSecret.Data["Client.pem"]
 			Expect(confClient).To(
 				ContainSubstring("dummy-data"))
-			confKey := certsSecret.Data[HSMClientAddress+"Client.key"]
+			confKey := clientDataSecret.Data["Client.key"]
 			Expect(confKey).To(
 				ContainSubstring("dummy-data"))
 		})
 
-		It("Verifies if 00-default.conf, barbican-api-config.json and Chrystoki.conf have the right contents.", func() {
+		It("Verifies if 00-default.conf, barbican-api-config.json and 01-custom.conf have the right contents for Barbican.", func() {
 			confSecret := th.GetSecret(barbicanTest.BarbicanConfigSecret)
 			Expect(confSecret).ShouldNot(BeNil())
 
-			conf := confSecret.Data["Chrystoki.conf"]
+			conf := confSecret.Data["00-default.conf"]
 			Expect(conf).To(
-				ContainSubstring("Chrystoki2"))
+				ContainSubstring("stores_lookup_suffix = pkcs11"))
 			Expect(conf).To(
-				ContainSubstring("LunaSA Client"))
+				ContainSubstring("[secretstore:pkcs11]\nsecret_store_plugin = store_crypto\ncrypto_plugin = p11_crypto\nglobal_default = true"))
 			Expect(conf).To(
-				ContainSubstring("ProtectedAuthenticationPathFlagStatus = 0"))
+				ContainSubstring("[p11_crypto_plugin]\nlogin = 12345678"))
+
+			conf = confSecret.Data["01-custom.conf"]
 			Expect(conf).To(
-				ContainSubstring("ClientPrivKeyFile = " + HSMCertificatesMountPoint + "/" + HSMClientAddress + "Key.pem"))
+				ContainSubstring(P11CustomData))
+
+			conf = confSecret.Data["barbican-api-config.json"]
 			Expect(conf).To(
-				ContainSubstring("ClientCertFile = " + HSMCertificatesMountPoint + "/" + HSMClientAddress + ".pem"))
+				ContainSubstring("\"source\": \"/var/lib/config-data/hsm\""))
 			Expect(conf).To(
-				ContainSubstring("ServerCAFile = " + HSMCertificatesMountPoint + "/CACert.pem"))
+				ContainSubstring("\"dest\": \"/usr/local/luna\""))
+		})
 
-			conf = confSecret.Data["00-default.conf"]
+		It("Verifies if 00-default.conf, barbican-api-config.json and 01-custom.conf have the right contents for BarbicanAPI.", func() {
+			confSecret := th.GetSecret(barbicanTest.BarbicanAPIConfigSecret)
+			Expect(confSecret).ShouldNot(BeNil())
+
+			conf := confSecret.Data["00-default.conf"]
+			Expect(conf).To(
+				ContainSubstring("stores_lookup_suffix = pkcs11"))
 			Expect(conf).To(
-				ContainSubstring("[secretstore:pkcs11]"))
+				ContainSubstring("[secretstore:pkcs11]\nsecret_store_plugin = store_crypto\ncrypto_plugin = p11_crypto\nglobal_default = true"))
 			Expect(conf).To(
-				ContainSubstring("plugin_name = PKCS11"))
+				ContainSubstring("[p11_crypto_plugin]\nlogin = 12345678"))
+
+			conf = confSecret.Data["01-custom.conf"]
 			Expect(conf).To(
-				ContainSubstring("slot_id = " + HSMSlotID))
+				ContainSubstring(P11CustomData))
 
 			conf = confSecret.Data["barbican-api-config.json"]
 			Expect(conf).To(
-				ContainSubstring("/var/lib/config-data/default/Chrystoki.conf"))
+				ContainSubstring("\"source\": \"/var/lib/config-data/hsm\""))
 			Expect(conf).To(
-				ContainSubstring("/usr/local/luna/Chrystoki.conf"))
+				ContainSubstring("\"dest\": \"/usr/local/luna\""))
 		})
 
 		It("Checks if the P11PreJob successfully executed", func() {
@@ -574,18 +598,20 @@ var _ = Describe("Barbican controller", func() {
 				corev1.ConditionTrue,
 			)
 
-			// Checking if both, the volume mount name and its mount path match the specified values.
-			var elemLuna, elemScript = 0, 0
+			// Checking if the volume mount name and mount path match the specified values.
+			var elemClient, elemScript, elemConfig = 0, 0, 0
 			for index, mount := range th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts {
 				if mount.Name == barbican.P11ClientDataVolume {
-					elemLuna = index
+					elemClient = index
 				} else if mount.Name == barbican.ScriptVolume {
 					elemScript = index
+				} else if mount.Name == barbican.ConfigVolume && mount.SubPath == "" {
+					elemConfig = index
 				}
 			}
 
-			volume := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemLuna].Name
-			mountPath := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemLuna].MountPath
+			volume := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemClient].Name
+			mountPath := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemClient].MountPath
 
 			Eventually(func(g Gomega) {
 				g.Expect(volume).To(Equal(barbican.P11ClientDataVolume))
@@ -597,7 +623,15 @@ var _ = Describe("Barbican controller", func() {
 
 			Eventually(func(g Gomega) {
 				g.Expect(volume).To(Equal(barbican.ScriptVolume))
-				g.Expect(mountPath).To(Equal(P11PrepMountPoint))
+				g.Expect(mountPath).To(Equal(barbican.ScriptMountPoint))
+			}, timeout, interval).Should(Succeed())
+
+			volume = th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemConfig].Name
+			mountPath = th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemConfig].MountPath
+
+			Eventually(func(g Gomega) {
+				g.Expect(volume).To(Equal(barbican.ConfigVolume))
+				g.Expect(mountPath).To(Equal(barbican.ConfigMountPoint))
 			}, timeout, interval).Should(Succeed())
 		})
 	})
@@ -628,7 +662,7 @@ var _ = Describe("Barbican controller", func() {
 
 			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, barbicanTest.RabbitmqSecretName))
 			DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetTLSBarbicanAPISpec()))
-			DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName))
+			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanSecret(barbicanTest.Instance.Namespace, SecretName))
 			DeferCleanup(
 				mariadb.DeleteDBService,
 				mariadb.CreateDBService(

diff --git a/tests/functional/barbican_test_data.go b/tests/functional/barbican_test_data.go
@@ -42,39 +42,39 @@ const (
 
 // BarbicanTestData is the data structure used to provide input data to envTest
 type BarbicanTestData struct {
-	BarbicanPassword         string
-	BarbicanServiceUser      string
-	ContainerImage           string
-	DatabaseHostname         string
-	DatabaseInstance         string
-	RabbitmqClusterName      string
-	RabbitmqSecretName       string
-	Instance                 types.NamespacedName
-	Barbican                 types.NamespacedName
-	BarbicanDatabaseName     types.NamespacedName
-	BarbicanDatabaseAccount  types.NamespacedName
-	BarbicanDBSync           types.NamespacedName
-	BarbicanP11Prep          types.NamespacedName
-	BarbicanAPI              types.NamespacedName
-	BarbicanRole             types.NamespacedName
-	BarbicanRoleBinding      types.NamespacedName
-	BarbicanTransportURL     types.NamespacedName
-	BarbicanSA               types.NamespacedName
-	BarbicanKeystoneService  types.NamespacedName
-	BarbicanKeystoneEndpoint types.NamespacedName
-	BarbicanServicePublic    types.NamespacedName
-	BarbicanServiceInternal  types.NamespacedName
-	BarbicanConfigSecret     types.NamespacedName
-	BarbicanAPIConfigSecret  types.NamespacedName
-	BarbicanHSMLoginSecret   types.NamespacedName
-	BarbicanHSMCertsSecret   types.NamespacedName
-	BarbicanConfigScripts    types.NamespacedName
-	BarbicanConfigMapData    types.NamespacedName
-	BarbicanScheduler        types.NamespacedName
-	InternalAPINAD           types.NamespacedName
-	CABundleSecret           types.NamespacedName
-	InternalCertSecret       types.NamespacedName
-	PublicCertSecret         types.NamespacedName
+	BarbicanPassword            string
+	BarbicanServiceUser         string
+	ContainerImage              string
+	DatabaseHostname            string
+	DatabaseInstance            string
+	RabbitmqClusterName         string
+	RabbitmqSecretName          string
+	Instance                    types.NamespacedName
+	Barbican                    types.NamespacedName
+	BarbicanDatabaseName        types.NamespacedName
+	BarbicanDatabaseAccount     types.NamespacedName
+	BarbicanDBSync              types.NamespacedName
+	BarbicanP11Prep             types.NamespacedName
+	BarbicanAPI                 types.NamespacedName
+	BarbicanRole                types.NamespacedName
+	BarbicanRoleBinding         types.NamespacedName
+	BarbicanTransportURL        types.NamespacedName
+	BarbicanSA                  types.NamespacedName
+	BarbicanKeystoneService     types.NamespacedName
+	BarbicanKeystoneEndpoint    types.NamespacedName
+	BarbicanServicePublic       types.NamespacedName
+	BarbicanServiceInternal     types.NamespacedName
+	BarbicanConfigSecret        types.NamespacedName
+	BarbicanAPIConfigSecret     types.NamespacedName
+	BarbicanP11LoginSecret      types.NamespacedName
+	BarbicanP11ClientDataSecret types.NamespacedName
+	BarbicanConfigScripts       types.NamespacedName
+	BarbicanConfigMapData       types.NamespacedName
+	BarbicanScheduler           types.NamespacedName
+	InternalAPINAD              types.NamespacedName
+	CABundleSecret              types.NamespacedName
+	InternalCertSecret          types.NamespacedName
+	PublicCertSecret            types.NamespacedName
 }
 
 // GetBarbicanTestData is a function that initialize the BarbicanTestData
@@ -149,15 +149,13 @@ func GetBarbicanTestData(barbicanName types.NamespacedName) BarbicanTestData {
 			Namespace: barbicanName.Namespace,
 			Name:      fmt.Sprintf("%s-%s", barbicanName.Name, "api-config-data"),
 		},
-		// This secret stores the password to connect to the HSM.
-		BarbicanHSMLoginSecret: types.NamespacedName{
+		BarbicanP11LoginSecret: types.NamespacedName{
 			Namespace: barbicanName.Namespace,
-			Name:      "hsm-login",
+			Name:      P11LoginSecret,
 		},
-		// This secret stores the certificates used to interact with the HSM.
-		BarbicanHSMCertsSecret: types.NamespacedName{
+		BarbicanP11ClientDataSecret: types.NamespacedName{
 			Namespace: barbicanName.Namespace,
-			Name:      "hsm-certs",
+			Name:      P11ClientDataSecret,
 		},
 		BarbicanConfigScripts: types.NamespacedName{
 			Namespace: barbicanName.Namespace,