From 605344d7718d055216def5aa549acfb9d73ac115 Mon Sep 17 00:00:00 2001
From: Praveen M
Date: Mon, 7 Oct 2024 16:49:30 +0530
Subject: [PATCH 1/5] kms: support key rotation for vault

Signed-off-by: Praveen M
(cherry picked from commit d2a7617624db5cbdd737939d47353f2170666d3e)
---
 pkg/system/phase2_creating.go | 7 +++++++
 pkg/util/kms/kms_vault.go | 10 ++++++----
 pkg/util/kms/kms_version.go | 14 +++++++++-----
 3 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/pkg/system/phase2_creating.go b/pkg/system/phase2_creating.go
index 4a1b6a58f9..eb73fe2c3d 100644
--- a/pkg/system/phase2_creating.go
+++ b/pkg/system/phase2_creating.go
@@ -1052,6 +1052,13 @@ func (r *Reconciler) keyRotate() error {
 return err
 }

+ err = k.Get()
+ if err != nil {
+ r.Logger.Errorf("keyRotate, KMS Get error %v", err)
+ r.setKMSConditionStatus(nbv1.ConditionKMSErrorRead)
+ return err
+ }
+
 // Generate new random root key and set it in the KMS
 // Key - rotate begins
 err = k.Set(util.RandomBase64(32))
diff --git a/pkg/util/kms/kms_vault.go b/pkg/util/kms/kms_vault.go
index 04ee40c8bd..76e834b58a 100644
--- a/pkg/util/kms/kms_vault.go
+++ b/pkg/util/kms/kms_vault.go
@@ -24,7 +24,9 @@ const (

 // Vault is a vault driver
 type Vault struct {
- UID string // NooBaa system UID
+ UID string // NooBaa system UID
+ name string // NooBaa system name
+ ns string // NooBaa system namespace
 }

 // NewVault is vault driver constructor
@@ -33,7 +35,7 @@ func NewVault(
 namespace string,
 uid string,
 ) Driver {
- return &Vault{uid}
+ return &Vault{uid, name, namespace}
 }

 //
@@ -179,8 +181,8 @@ func writeCrtsToFile(secretName string, namespace string, secretValue []byte, en

 // Version returns the current driver KMS version
 // either single string or map, i.e. rotating key
-func (*Vault) Version(kms *KMS) Version {
- return &VersionSingleSecret{kms, nil}
+func (k *Vault) Version(kms *KMS) Version {
+ return &VersionRotatingSecret{VersionBase{kms, nil}, k.name, k.ns}
 }

 // Register Vault driver with KMS layer
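Review bot: The new `k.Get()` call carries no comment saying why a read must precede the `k.Set(...)` a few lines below, so a later reader could remove it as redundant. From the Set implementation in kms_version.go later in this series (`s[ActiveRootKey] = key` and `s[key] = val` written onto the loaded map) it looks like Get populates the key map so that rotation appends a key rather than replacing the stored ones, which is what keeps data encrypted under earlier keys readable; worth stating at the call site: `// Load the current key map first: Set() adds the new key to it, so skipping this would drop every earlier root key.` The error is also both logged and returned here; if the caller logs it as well, one of the two is noise. keyRotate starts and ends outside the hunk.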
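Review bot: `return &Vault{uid, name, namespace}` is an unkeyed literal over three fields of the same type, so reordering the fields of `Vault` or swapping two constructor arguments compiles silently and stores the namespace where the name belongs; `return &Vault{UID: uid, name: name, ns: namespace}` makes the mapping explicit, and the test code in this series already writes `&kms.Vault{UID: uid}` keyed. The same literal appears in the `NewAzureVault` hunk of kms_azure.go in patch 4. Separately, `Version()` now returns `VersionRotatingSecret` for every Vault-backed system, including ones created before this change whose root key was stored as a single secret; `deleteSingleStringSecret` on the rotating type suggests a migration path exists, but it is not visible here, so it is worth confirming that Reconcile or Get handles the legacy layout. The `name` field presumably comes from an earlier `NewVault` parameter outside the hunk.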
diff --git a/pkg/util/kms/kms_version.go b/pkg/util/kms/kms_version.go
index 37d768e4ef..dff1686242 100644
--- a/pkg/util/kms/kms_version.go
+++ b/pkg/util/kms/kms_version.go
@@ -102,7 +102,7 @@ func (v *VersionRotatingSecret) Reconcile(r SecretReconciler) error {

 // Get implements SecretStorage interface for the secret map, i.e. rotating master root key
 func (v *VersionRotatingSecret) Get() error {
- s, _, err := v.k.GetSecret(v.backendSecretName(), v.k.driver.GetContext())
+ s, _, err := v.k.GetSecret(v.BackendSecretName(), v.k.driver.GetContext())
 if err != nil {
 // handle k8s get from non-existent secret
 if strings.Contains(err.Error(), "not found") || strings.Contains(err.Error(), "does not exist") {
@@ -119,8 +119,8 @@ func (v *VersionRotatingSecret) Get() error {
 return nil
 }

-// backendSecretName returns the rotating secret backend secret name
-func (v *VersionRotatingSecret) backendSecretName() string {
+// BackendSecretName returns the rotating secret backend secret name
+func (v *VersionRotatingSecret) BackendSecretName() string {
 return v.name + "-root-master-key-backend"
 }

@@ -136,7 +136,7 @@ func (v *VersionRotatingSecret) Set(val string) error {
 s[ActiveRootKey] = key
 s[key] = val
 v.data = s
- _, err := v.k.PutSecret(v.backendSecretName(), toInterfaceMap(s), v.k.driver.SetContext())
+ _, err := v.k.PutSecret(v.BackendSecretName(), toInterfaceMap(s), v.k.driver.SetContext())
 return err
 }

@@ -153,11 +153,15 @@ func (v *VersionRotatingSecret) deleteSingleStringSecret() bool {

 func (v *VersionRotatingSecret) Delete() error {
 // Delete rotating secret backend
 backendSecret := &corev1.Secret{}
- backendSecret.Name = v.backendSecretName()
+ backendSecret.Name = v.BackendSecretName()
 backendSecret.Namespace = v.ns
 if !util.KubeDelete(backendSecret) {
 return fmt.Errorf("KMS Delete error for the rotating master root secret backend")
+ }
+ err := v.k.DeleteSecret(v.BackendSecretName(), v.k.driver.DeleteContext())
+ if err != nil {
+ return err
 }

 return nil
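Review bot: The new `v.k.DeleteSecret(...)` error in `Delete()` is returned bare, while the `KubeDelete` failure two lines above gets a descriptive message, so the two failure modes are indistinguishable in operator logs; `return fmt.Errorf("KMS DeleteSecret %q: %w", v.BackendSecretName(), err)` keeps the context and the wrapped cause (fmt is already imported in this file). The Kubernetes backend secret is also deleted before the KMS-side one, so if `DeleteSecret` fails the local copy is already gone; whether a retry then succeeds depends on `util.KubeDelete` tolerating a missing object, which is not visible here, so it is worth checking or reversing the order. Delete's closing brace is outside the hunk.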
From 65ff5c13df58f5d50557bc5223361d89eda39dac Mon Sep 17 00:00:00 2001
From: liranmauda
Date: Thu, 22 Jan 2026 09:27:54 +0200
Subject: [PATCH 2/5] CI | adding Set up kind step to the yamls

Signed-off-by: liranmauda
(cherry picked from commit 8deec7713b5aac69b843df8fcd0c0f4299a8a0e6)
---
 .github/workflows/run_hac_test.yml | 8 +++++++-
 .github/workflows/run_kms_azure_vault_test.yml | 8 +++++++-
 .github/workflows/run_kms_dev_test.yml | 8 +++++++-
 .github/workflows/run_kms_ibm_kp_test.yml | 8 +++++++-
 .github/workflows/run_kms_kmip_test.yml | 12 +++++++++---
 .github/workflows/run_kms_rotate_test.yml | 8 +++++++-
 .github/workflows/run_kms_tls_sa_test.yml | 9 +++++++--
 .github/workflows/run_kms_tls_token_test.yml | 8 +++++++-
 8 files changed, 58 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/run_hac_test.yml b/.github/workflows/run_hac_test.yml
index 80cf2e63d3..3d4ad2a9c5 100644
--- a/.github/workflows/run_hac_test.yml
+++ b/.github/workflows/run_hac_test.yml
@@ -13,7 +13,13 @@ jobs:
 uses: actions/checkout@v4
 - uses: actions/setup-go@v5
 with:
- go-version: "1.21"
+ go-version-file: go.mod
+ check-latest: true
+ cache: true
+ cache-dependency-path: |
+ **/go.sum
+ - name: Set up kind
+ uses: helm/kind-action@v1

 - name: Set environment variables
 run: |
diff --git a/.github/workflows/run_kms_azure_vault_test.yml b/.github/workflows/run_kms_azure_vault_test.yml
index c101606081..a05c8954f0 100644
--- a/.github/workflows/run_kms_azure_vault_test.yml
+++ b/.github/workflows/run_kms_azure_vault_test.yml
@@ -13,7 +13,13 @@ jobs:
 uses: actions/checkout@v4
 - uses: actions/setup-go@v5
 with:
- go-version: "1.21"
+ go-version-file: go.mod
+ check-latest: true
+ cache: true
+ cache-dependency-path: |
+ **/go.sum
+ - name: Set up kind
+ uses: helm/kind-action@v1

 - name: Set environment variables
 run: |
diff --git a/.github/workflows/run_kms_dev_test.yml b/.github/workflows/run_kms_dev_test.yml
index b9f0f0a1ec..5b47996200 100644
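Review bot: The added `uses: helm/kind-action@v1` step references a mutable major tag, so whoever can move that tag controls code that runs with this workflow's token; pinning to a full commit SHA with the version in a trailing comment (`uses: helm/kind-action@<full-commit-sha> # v1.x`) makes the dependency reproducible, and Dependabot or Renovate can keep the pin current. `check-latest: true` likewise pulls whichever Go toolchain is newest at run time rather than the go.mod version, which is acceptable for a test job but deserves a one-line comment if it is intentional. The same two lines are added in the other seven workflow hunks of this patch.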
--- a/.github/workflows/run_kms_dev_test.yml
+++ b/.github/workflows/run_kms_dev_test.yml
@@ -13,7 +13,13 @@ jobs:
 uses: actions/checkout@v4
 - uses: actions/setup-go@v5
 with:
- go-version: "1.21"
+ go-version-file: go.mod
+ check-latest: true
+ cache: true
+ cache-dependency-path: |
+ **/go.sum
+ - name: Set up kind
+ uses: helm/kind-action@v1

 - name: Set environment variables
 run: |
diff --git a/.github/workflows/run_kms_ibm_kp_test.yml b/.github/workflows/run_kms_ibm_kp_test.yml
index b328d87929..7230ae29bb 100644
--- a/.github/workflows/run_kms_ibm_kp_test.yml
+++ b/.github/workflows/run_kms_ibm_kp_test.yml
@@ -16,7 +16,13 @@ jobs:
 uses: actions/checkout@v4
 - uses: actions/setup-go@v5
 with:
- go-version: "1.21"
+ go-version-file: go.mod
+ check-latest: true
+ cache: true
+ cache-dependency-path: |
+ **/go.sum
+ - name: Set up kind
+ uses: helm/kind-action@v1

 - name: Set environment variables
 run: |
diff --git a/.github/workflows/run_kms_kmip_test.yml b/.github/workflows/run_kms_kmip_test.yml
index ae52ccbb10..270b9cb27c 100644
--- a/.github/workflows/run_kms_kmip_test.yml
+++ b/.github/workflows/run_kms_kmip_test.yml
@@ -13,14 +13,20 @@ jobs:
 uses: actions/checkout@v4
 - uses: actions/setup-go@v5
 with:
- go-version: "1.21"
+ go-version-file: go.mod
+ check-latest: true
+ cache: true
+ cache-dependency-path: |
+ **/go.sum
+ - name: Set up kind
+ uses: helm/kind-action@v1

 - name: Set environment variables
 run: |
 echo PATH=$PATH:$HOME/go/bin >> $GITHUB_ENV
 echo OPERATOR_IMAGE=localhost:5000/noobaa/noobaa-operator:integration >> $GITHUB_ENV
 echo PYKMIP_IMAGE=localhost:5000/noobaa/pykmip:integration >> $GITHUB_ENV
-
+
 - name: Deploy Dependencies
 run: |
 set -x
@@ -28,7 +34,7 @@ jobs:
 go get -v github.com/onsi/ginkgo/ginkgo
 go install -v github.com/onsi/ginkgo/ginkgo
 ginkgo version
-
+
 - name: Build NooBaa
 run: |
 make cli
diff --git a/.github/workflows/run_kms_rotate_test.yml b/.github/workflows/run_kms_rotate_test.yml
index dfcfc86b7a..ac8d1cbf1b 100644
--- a/.github/workflows/run_kms_rotate_test.yml
+++ b/.github/workflows/run_kms_rotate_test.yml
@@ -13,7 +13,13 @@ jobs:
 uses: actions/checkout@v4
 - uses: actions/setup-go@v5
 with:
- go-version: "1.21"
+ go-version-file: go.mod
+ check-latest: true
+ cache: true
+ cache-dependency-path: |
+ **/go.sum
+ - name: Set up kind
+ uses: helm/kind-action@v1

 - name: Set environment variables
 run: |
diff --git a/.github/workflows/run_kms_tls_sa_test.yml b/.github/workflows/run_kms_tls_sa_test.yml
index 230041d416..416fde5a39 100644
--- a/.github/workflows/run_kms_tls_sa_test.yml
+++ b/.github/workflows/run_kms_tls_sa_test.yml
@@ -13,8 +13,13 @@ jobs:
 uses: actions/checkout@v4
 - uses: actions/setup-go@v5
 with:
- go-version: "1.21"
-
+ go-version-file: go.mod
+ check-latest: true
+ cache: true
+ cache-dependency-path: |
+ **/go.sum
+ - name: Set up kind
+ uses: helm/kind-action@v1
 - name: Set environment variables
 run: |
 echo PATH=$PATH:$HOME/go/bin >> $GITHUB_ENV
diff --git a/.github/workflows/run_kms_tls_token_test.yml b/.github/workflows/run_kms_tls_token_test.yml
index 77dc787058..db28700bf8 100644
--- a/.github/workflows/run_kms_tls_token_test.yml
+++ b/.github/workflows/run_kms_tls_token_test.yml
@@ -13,7 +13,13 @@ jobs:
 uses: actions/checkout@v4
 - uses: actions/setup-go@v5
 with:
- go-version: "1.21"
+ go-version-file: go.mod
+ check-latest: true
+ cache: true
+ cache-dependency-path: |
+ **/go.sum
+ - name: Set up kind
+ uses: helm/kind-action@v1

 - name: Set environment variables
 run: |

From c64b442e5e37c8f55585c79338d8076c95f3f047 Mon Sep 17 00:00:00 2001
From: liranmauda
Date: Sun, 28 Dec 2025 09:46:53 +0200
Subject: [PATCH 3/5] Remove KMS condition status Init checks from tests

- Removing False positive verification of KMS condition status Init
The Init condition status is, in most cases, a state that is short in time, and the tests are missing the timing, hence failing. We do not need this case as corev1.ConditionStatus = "Sync" will never happen if Init did not, and we will fail there.

Signed-off-by: liranmauda
(cherry picked from commit de03454bb2142294da55b0bd5d047916deefd671)
---
 pkg/util/kms/test/azure-vault/kms_azure_vault_test.go | 11 -----------
 pkg/util/kms/test/dev/kms_dev_test.go | 9 ---------
 pkg/util/kms/test/ibm-kp/kms_ibm_kp_test.go | 3 ---
 pkg/util/kms/test/kmip/kms_kmip_test.go | 6 ------
 pkg/util/kms/test/rotate/kms_rotate_test.go | 3 ---
 pkg/util/kms/test/tls-sa/kms_tls_sa_test.go | 3 ---
 pkg/util/kms/test/tls-token/kms_tls_token_test.go | 3 ---
 7 files changed, 38 deletions(-)

diff --git a/pkg/util/kms/test/azure-vault/kms_azure_vault_test.go b/pkg/util/kms/test/azure-vault/kms_azure_vault_test.go
index 2f64f10bab..23c8280e9a 100644
--- a/pkg/util/kms/test/azure-vault/kms_azure_vault_test.go
+++ b/pkg/util/kms/test/azure-vault/kms_azure_vault_test.go
@@ -49,17 +49,6 @@ var _ = Describe("KMS - Azure Vault", func() {
 Specify("Create KMS Noobaa", func() {
 Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
 })
- // TODO: As of now azure key vault is a cloud service and to test
- // this case, an account needs to be created at azure side.
- // Create Azure key vault and provide the parameters
- // Below condition always be corev1.ConditionStatus = "Invalid"
- // utill we provide the actual azure key vault credentials
- // Change Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeFalse())
- // to Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
- // once we have azure valut in place
- Specify("Verify KMS condition status Init", func() {
- Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeFalse())
- })
 Specify("Restart NooBaa operator", func() {
 podList := &corev1.PodList{}
 podSelector, _ := labels.Parse("noobaa-operator=deployment")
diff --git a/pkg/util/kms/test/dev/kms_dev_test.go b/pkg/util/kms/test/dev/kms_dev_test.go
index c1fc4921c9..92843a69a9 100644
--- a/pkg/util/kms/test/dev/kms_dev_test.go
+++ b/pkg/util/kms/test/dev/kms_dev_test.go
@@ -66,9 +66,6 @@ var _ = Describe("KMS - K8S, Dev Vault", func() {
 Specify("Create default system", func() {
 Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
 })
- Specify("Verify KMS condition status Init", func() {
- Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
- })
 Specify("Verify KMS condition Type", func() {
 Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, secrets.TypeK8s)).To(BeTrue())
 })
@@ -106,9 +103,6 @@ var _ = Describe("KMS - K8S, Dev Vault", func() {
 Specify("Create Vault Noobaa", func() {
 Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
 })
- Specify("Verify KMS condition status Init", func() {
- Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
- })
 Specify("Verify KMS condition Type", func() {
 Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, secrets.TypeVault)).To(BeTrue())
 })
@@ -143,9 +137,6 @@ var _ = Describe("KMS - K8S, Dev Vault", func() {
 Specify("Create Vault v2 Noobaa", func() {
 Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
 })
- Specify("Verify KMS condition status Init", func() {
- Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
- })
 Specify("Verify KMS condition Type", func() {
 Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, secrets.TypeVault)).To(BeTrue())
 })
diff --git a/pkg/util/kms/test/ibm-kp/kms_ibm_kp_test.go b/pkg/util/kms/test/ibm-kp/kms_ibm_kp_test.go
index aee7a0dfa5..e457b6842b 100644
--- a/pkg/util/kms/test/ibm-kp/kms_ibm_kp_test.go
+++ b/pkg/util/kms/test/ibm-kp/kms_ibm_kp_test.go
@@ -94,9 +94,6 @@ var _ = Describe("KMS - IBM KP", func() {
 Specify("Create IBM KP Noobaa", func() {
 Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
 })
- Specify("Verify KMS condition status Init", func() {
- Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
- })
 Specify("Verify KMS condition Type", func() {
 Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, kms.IbmKpSecretStorageName)).To(BeTrue())
 })
diff --git a/pkg/util/kms/test/kmip/kms_kmip_test.go b/pkg/util/kms/test/kmip/kms_kmip_test.go
index 1c074c7199..965b0d6304 100644
--- a/pkg/util/kms/test/kmip/kms_kmip_test.go
+++ b/pkg/util/kms/test/kmip/kms_kmip_test.go
@@ -72,9 +72,6 @@ var _ = Describe("KMS - KMIP", func() {
 Specify("Create KMIP Noobaa", func() {
 Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
 })
- Specify("Verify KMS condition status Init", func() {
- Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
- })
 Specify("Verify KMS condition Type", func() {
 Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, kms.KMIPSecretStorageName)).To(BeTrue())
 })
@@ -135,9 +132,6 @@ var _ = Describe("KMS - KMIP", func() {
 Specify("Verify KMS condition Type", func() {
 Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, "kmip")).To(BeTrue())
 })
- Specify("Verify KMS condition status Init", func() {
- Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
- })
 Specify("Restart NooBaa operator", func() {
 podList := &corev1.PodList{}
 podSelector, _ := labels.Parse("noobaa-operator=deployment")
diff --git a/pkg/util/kms/test/rotate/kms_rotate_test.go b/pkg/util/kms/test/rotate/kms_rotate_test.go
index 926b730f85..2d38c47d95 100644
--- a/pkg/util/kms/test/rotate/kms_rotate_test.go
+++ b/pkg/util/kms/test/rotate/kms_rotate_test.go
@@ -84,9 +84,6 @@ var _ = Describe("KMS - K8S Key Rotate", func() {
 Specify("Verify KMS condition Type", func() {
 Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, secrets.TypeK8s)).To(BeTrue())
 })
- Specify("Verify KMS condition status Init", func() {
- Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
- })
 Specify("Restart NooBaa operator", func() {
 podList := &corev1.PodList{}
 podSelector, _ := labels.Parse("noobaa-operator=deployment")
diff --git a/pkg/util/kms/test/tls-sa/kms_tls_sa_test.go b/pkg/util/kms/test/tls-sa/kms_tls_sa_test.go
index f2e3d84f2f..f6fd1d0ec9 100644
--- a/pkg/util/kms/test/tls-sa/kms_tls_sa_test.go
+++ b/pkg/util/kms/test/tls-sa/kms_tls_sa_test.go
@@ -52,9 +52,6 @@ var _ = Describe("KMS - TLS Vault SA", func() {
 Specify("Create KMS Noobaa", func() {
 Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
 })
- Specify("Verify KMS condition status Init", func() {
- Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
- })
 Specify("Restart NooBaa operator", func() {
 podList := &corev1.PodList{}
 podSelector, _ := labels.Parse("noobaa-operator=deployment")
diff --git a/pkg/util/kms/test/tls-token/kms_tls_token_test.go b/pkg/util/kms/test/tls-token/kms_tls_token_test.go
index 10320fb490..0c773b7635 100644
--- a/pkg/util/kms/test/tls-token/kms_tls_token_test.go
+++ b/pkg/util/kms/test/tls-token/kms_tls_token_test.go
@@ -58,9 +58,6 @@ var _ = Describe("KMS - TLS Vault Token", func() {
 Specify("Create KMS Noobaa", func() {
 Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
 })
- Specify("Verify KMS condition status Init", func() {
- Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeTrue())
- })
 Specify("Restart NooBaa operator", func() {
 podList := &corev1.PodList{}
 podSelector, _ := labels.Parse("noobaa-operator=deployment")

From 7770c50a601e290f5866f6b83a297c6d2d4df46a Mon Sep 17 00:00:00 2001
From: jackyalbo
Date: Thu, 8 May 2025 11:15:38 +0300
Subject: [PATCH 4/5] Support key rotation to Azure vault (#1596)

Signed-off-by: jackyalbo
(cherry picked from commit 18b2405e7c7ebf966333d925b665d3982e7dec5f)
---
 pkg/util/kms/kms_azure.go | 8 ++--
 .../test/azure-vault/kms_azure_vault_test.go | 45 +++++++++++++++++++
 2 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/pkg/util/kms/kms_azure.go b/pkg/util/kms/kms_azure.go
index b3c304dbd6..2d9f36809c 100644
--- a/pkg/util/kms/kms_azure.go
+++ b/pkg/util/kms/kms_azure.go
@@ -21,6 +21,8 @@ const (
 // AzureVault is a azure kms driver
 type AzureVault struct {
 UID string // NooBaa system UID
+ name string // NooBaa system name
+ ns string // NooBaa system namespace
 }

 // NewAzureVault is azure driver constructor
@@ -29,7 +31,7 @@ func NewAzureVault(
 namespace string,
 uid string,
 ) Driver {
- return &AzureVault{uid}
+ return &AzureVault{uid, name, namespace}
 }

 //
@@ -107,8 +109,8 @@ func createCertTempFile(config map[string]interface{}, namespace string) error {

 // Version returns the current driver KMS version
 // either single string or map, i.e. rotating key
-func (*AzureVault) Version(kms *KMS) Version {
- return &VersionSingleSecret{kms, nil}
+func (k *AzureVault) Version(kms *KMS) Version {
+ return &VersionRotatingSecret{VersionBase{kms, nil}, k.name, k.ns}
 }

 // Register Azure driver with KMS layer
diff --git a/pkg/util/kms/test/azure-vault/kms_azure_vault_test.go b/pkg/util/kms/test/azure-vault/kms_azure_vault_test.go
index 23c8280e9a..77fad57453 100644
--- a/pkg/util/kms/test/azure-vault/kms_azure_vault_test.go
+++ b/pkg/util/kms/test/azure-vault/kms_azure_vault_test.go
@@ -3,6 +3,7 @@ package kmsazurevaulttest
 import (
 "os"

+ "github.com/libopenstorage/secrets"
 "github.com/libopenstorage/secrets/azure"
 nbv1 "github.com/noobaa/noobaa-operator/v5/pkg/apis/noobaa/v1alpha1"
 "github.com/noobaa/noobaa-operator/v5/pkg/options"
@@ -94,4 +95,48 @@ var _ = Describe("KMS - Azure Vault", func() {
 })
 })

+ Context("Verify Rotate", func() {
+ noobaa := getMiniNooBaa()
+ azureVaultURL, azureVaultURLFound := os.LookupEnv("AZURE_VAULT_URL")
+ k := azureKMSSpec(azureVaultURL)
+ noobaa.Spec.Security.KeyManagementService = k
+ noobaa.Spec.Security.KeyManagementService.EnableKeyRotation = true
+ noobaa.Spec.Security.KeyManagementService.Schedule = "* * * * *" // every min
+
+ Specify("Verify API Address", func() {
+ Expect(azureVaultURLFound).To(BeTrue())
+ })
+ Specify("Create key rotate schedule system", func() {
+ Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
+ })
+ // Change here to .To(BeTrue()) once fixed issue in line 53
+ Specify("Verify KMS condition Type", func() {
+ Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, secrets.TypeAzure)).To(BeFalse())
+ })
+ // Change here to .To(BeTrue()) once fixed issue in line 53
+ Specify("Verify KMS condition status Init", func() {
+ Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeFalse())
+ })
+ Specify("Restart NooBaa operator", func() {
+ podList := &corev1.PodList{}
+ podSelector, _ := labels.Parse("noobaa-operator=deployment")
+ listOptions := client.ListOptions{Namespace: options.Namespace, LabelSelector: podSelector}
+
+ Expect(util.KubeList(podList, &listOptions)).To(BeTrue())
+ Expect(len(podList.Items)).To(BeEquivalentTo(1))
+ Expect(util.KubeDelete(&podList.Items[0])).To(BeTrue())
+ })
+ // Change here to .To(BeTrue()) once fixed issue in line 53
+ Specify("Verify KMS condition status Sync", func() {
+ Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSSync)).To(BeFalse())
+ })
+ // Change here to .To(BeTrue()) once fixed issue in line 53
+ Specify("Verify KMS condition status Key Rotate", func() {
+ Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSKeyRotate)).To(BeFalse())
+ })
+ Specify("Delete NooBaa", func() {
+ Expect(util.KubeDelete(noobaa)).To(BeTrue())
+ })
+ })
 })
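Review bot: The four `// Change here to .To(BeTrue()) once fixed issue in line 53` comments point at a line number, but the TODO they refer to was removed from this file by patch 3 of this series and line numbers move with every edit; name the condition instead, e.g. `// TODO: flip to BeTrue() once CI has real Azure Key Vault credentials (see AZURE_VAULT_URL above); until then the KMS connection is expected to fail.` As written, the Type, Init, Sync and Key Rotate specs all assert `BeFalse()`, so the rotation path this patch adds is never exercised and the specs pass as long as the KMS stays unreachable — a regression in the rotation code would not be caught here. That is a known limitation rather than a defect in this hunk, but the comment should say so plainly.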
From f7f131ce4b5eea35471ca5f42f33f5128f9f2162 Mon Sep 17 00:00:00 2001
From: jackyalbo
Date: Wed, 4 Feb 2026 20:22:32 +0200
Subject: [PATCH 5/5] Update kms_dev_test.go

Signed-off-by: jackyalbo
---
 pkg/util/kms/test/dev/kms_dev_test.go | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/pkg/util/kms/test/dev/kms_dev_test.go b/pkg/util/kms/test/dev/kms_dev_test.go
index 92843a69a9..1ea475171a 100644
--- a/pkg/util/kms/test/dev/kms_dev_test.go
+++ b/pkg/util/kms/test/dev/kms_dev_test.go
@@ -3,6 +3,7 @@ package kmsdevtest
 import (
 "os"
 "os/exec"
+ "time"

 "github.com/libopenstorage/secrets"
 "github.com/libopenstorage/secrets/vault"
@@ -38,16 +39,23 @@ func simpleKmsSpec(token, apiAddress string) nbv1.KeyManagementServiceSpec {
 return k
 }

-func checkExternalSecret(noobaa *nbv1.NooBaa, expectedNil bool) {
+func checkExternalSecret(noobaa *nbv1.NooBaa, expectedExists bool) {
 k := noobaa.Spec.Security.KeyManagementService
 uid := string(noobaa.UID)
 driver := &kms.Vault{UID: uid}
 path := k.ConnectionDetails[vault.VaultBackendPathKey] + driver.Path()
- cmd := exec.Command("kubectl", "exec", "vault-0", "--", "vault", "kv", "get", path)
- logger.Printf("Running command: path %v args %v ", cmd.Path, cmd.Args)
- err := cmd.Run()
- actualResult := (err == nil)
- Expect(actualResult == expectedNil).To(BeTrue())
+ runVaultGet := func() bool {
+ cmd := exec.Command("kubectl", "exec", "vault-0", "--", "vault", "kv", "get", path)
+ logger.Printf("Running command: path %v args %v ", cmd.Path, cmd.Args)
+ err := cmd.Run()
+ return err == nil
+ }
+ if expectedExists {
+ // Operator may need time to write the secret to Vault; poll until it appears.
+ Eventually(runVaultGet, 60*time.Second, 2*time.Second).Should(BeTrue())
+ } else {
+ Expect(runVaultGet()).To(BeFalse())
+ }
 }

 func verifyExternalSecretExists(noobaa *nbv1.NooBaa) {
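Review bot: In `runVaultGet`, `return err == nil` folds every failure of `kubectl exec` (pod not ready, auth, network) into "secret absent", so the `else` branch `Expect(runVaultGet()).To(BeFalse())` passes on an infrastructure error exactly as it does on a genuinely deleted key. Capturing the output — `out, err := cmd.CombinedOutput()` followed by `logger.Printf("vault kv get: err=%v out=%s", err, out)` — makes a false negative diagnosable from the job log, and the negative branch could use `Eventually(runVaultGet, 60*time.Second, 2*time.Second).Should(BeFalse())` so deletion lag is tolerated the same way the positive branch tolerates creation lag. checkExternalSecret is entirely within the hunk.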