scality · BourgoisMickael · Apr 30, 2025 · May 5, 2025 · May 12, 2025 · Jun 2, 2025
diff --git a/.github/docker/admin.json b/.github/docker/admin.json
@@ -0,0 +1,4 @@
+{
+    "accessKey": "D4IT2AWSB588GO5J9T00",
+    "secretKeyValue": "UEEu8tYlsOGGrgf4DAiSZD6apVNPUWqRiPG0nTB6"
+}
diff --git a/.github/docker/docker-compose.yaml b/.github/docker/docker-compose.yaml
@@ -8,7 +8,12 @@ services:
       - /tmp/ssl-kmip:/ssl-kmip
       - ${HOME}/.aws/credentials:/root/.aws/credentials
       - /tmp/artifacts/${JOB_NAME}:/artifacts
+      # using artesca container, with persistent volumes for sse migration
+      - ../../localData:/usr/src/app/localData
+      - ../../localMetadata:/usr/src/app/localMetadata
+      - ../../tests/functional/sse-kms-migration/config.${SSE_CONF}.json:/conf/config.json
     environment:
+      - S3_CONFIG_FILE=/conf/config.json
       - CI=true
       - ENABLE_LOCAL_CACHE=true
       - REDIS_HOST=0.0.0.0
@@ -19,7 +24,9 @@ services:
       - DATA_HOST=0.0.0.0
       - METADATA_HOST=0.0.0.0
       - S3BACKEND
+      - S3VAULT=scality
       - S3DATA
+      - S3METADATA
       - MPU_TESTING
       - S3VAULT
       - S3_LOCATION_FILE
@@ -42,6 +49,36 @@ services:
     extra_hosts:
       - "bucketwebsitetester.s3-website-us-east-1.amazonaws.com:127.0.0.1"
       - "pykmip.local:127.0.0.1"
+  cloudserver-sse-migration:
+    extends: cloudserver
+    profiles: [sse-migration]
+    volumes:
+      # using artesca container
+      - ../../tests/functional/sse-kms-migration/config.${SSE_CONF}.json:/conf/config.json
+      - ../../localData:/usr/src/app/localData
+      - ../../localMetadata:/usr/src/app/localMetadata
+    environment:
+      - S3_CONFIG_FILE=/conf/config.json
+      - S3KMS=aws
+      - S3VAULT=scality
+  vault:
+    # image: ${VAULT_IMAGE_BEFORE_SSE_MIGRATION}
+    image: ${VAULT_IMAGE}
+    command: sh -c "chmod 400 tests/utils/keyfile && yarn start > /artifacts/vault.log"
+    network_mode: "host"
+    volumes:
+      - /tmp/artifacts/${JOB_NAME}:/artifacts
+      - ./vault-config.json:/conf/config.json:ro
+      - ./vault-db:/data
+    environment:
+      - VAULT_DB_BACKEND=LEVELDB
+      - CI=true
+      - ENABLE_LOCAL_CACHE=true
+      - REDIS_HOST=0.0.0.0
+      - REDIS_PORT=6379
+      - KMS_BACKEND=aws
+    depends_on:
+      - redis
   redis:
     image: redis:alpine
     network_mode: "host"

diff --git a/.github/docker/local.sh b/.github/docker/local.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+set -e -o pipefail
+#in .github/docker
+
+export S3BACKEND=file
+export S3METADATA=scality
+export S3VAULT=scality
+export CLOUDSERVER_IMAGE_BEFORE_SSE_MIGRATION=ghcr.io/scality/cloudserver:7.70.21-11
+export CLOUDSERVER_IMAGE_ORIGINAL=ghcr.io/scality/cloudserver:50db1ada69a394cf877bd3486d4d0e318158e338
+export MPU_TESTING="yes"
+export JOB_NAME=sse-kms-migration-tests-show-arn
+export kmsHideScalityArn=showArn
+
+export VAULT_IMAGE_BEFORE_SSE_MIGRATION=ghcr.io/scality/vault:7.70.15-5
+export VAULT_IMAGE_ORIGINAL=ghcr.io/scality/vault:e8c0fa2890c131581efd13ad3fd1ade7dcbd0968
+export KMS_IMAGE=nsmithuk/local-kms:3.11.7
+
+# IMAGE IS HARDCODED FOR OKMS TO HIDE
+export JOB_NAME=sse-kms-migration-tests-hide-arn
+export kmsHideScalityArn=hideArn
+# export JOB_NAME=sse-kms-migration-tests-show-arn
+# export kmsHideScalityArn=showArn
+
+mkdir -p /tmp/artifacts/$JOB_NAME
+
+export CLOUDSERVER_IMAGE=$CLOUDSERVER_IMAGE_BEFORE_SSE_MIGRATION
+export VAULT_IMAGE=$VAULT_IMAGE_BEFORE_SSE_MIGRATION
+export SSE_CONF=before
+
+export KMS_AWS_SECRET_ACCESS_KEY=123
+export KMS_AWS_ACCESS_KEY_ID=456
+
+# START KMS
+docker run -d -p 8080:8080 $KMS_IMAGE || true
+
+    echo "waiting for local AWS KMS service on port 8080 to be available."
+
+    timeout 300 bash -c 'until curl -sS 0:8080 > /dev/null; do 
+        echo "service not ready on port 8080. Retrying in 2 seconds."
+        sleep 2
+    done'
+    echo "local AWS KMS service is up and running on port 8080."
+
+    AWS_ENDPOINT_URL=http://0:8080 AWS_DEFAULT_REGION=us-east-1 AWS_ACCESS_KEY_ID=456 AWS_SECRET_ACCESS_KEY=123 aws kms list-keys --max-items 1
+# END KMS
+
+# Start all before migration
+docker compose up -d
+        bash ../../wait_for_local_port.bash 8500 40
+        bash ../../wait_for_local_port.bash 8000 40
+# HAVE vaultclient bin in your PATH or an alias
+alias vaultclient="~/scality/vaultclient/bin/vaultclient"
+export PATH="$PATH:~/scality/vaultclient/bin/"
+vaultclient --config admin.json delete-account --name mick || true
+vaultclient --config admin.json create-account --name mick --email [email protected]
+vaultclient --config admin.json generate-account-access-key --name mick --accesskey SCUBAINTERNAL0000000 --secretkey SCUBAINTERNAL000000000000000000000000000
+vaultclient --config admin.json get-account --account-name mick
+
+cd ../..
+
+echo ===== RUN BEFORE MIGRATION =====
+export S3_CONFIG_FILE=config.before.json
+
+        set -o pipefail;
+
+
+        echo Ensures the expected version of cloudserver is old one:
+        VERSION=$(docker compose -f .github/docker/docker-compose.yaml \
+            exec cloudserver cat package.json | jq -r .version)
+        if [[ "$VERSION" != "7.70.21-11" ]]; then
+          echo "bad version of container. Should be 7.70.21-11. Was $VERSION" >&2
+          exit 1
+        else
+          echo OK $VERSION
+        fi
+
+        yarn run ft_sse_before_migration | tee /tmp/artifacts/$JOB_NAME/beforeMigration.log
+
+# RUN latest images
+cd .github/docker
+export SSE_CONF=sseMigration.$kmsHideScalityArn
+export CLOUDSERVER_IMAGE=$CLOUDSERVER_IMAGE_ORIGINAL
+export VAULT_IMAGE=$VAULT_IMAGE_ORIGINAL
+
+docker compose down cloudserver vault && docker compose up -d vault # cloudserver-sse-migration
+
+echo ==== RUN MIGRATION ====
+cd ../..
+yarn start_migration > s3.log &
+export S3_CONFIG_FILE=config.sseMigration.$kmsHideScalityArn.json
+export S3KMS=aws
+
+        set -o pipefail;
+        bash wait_for_local_port.bash 8500 40
+        bash wait_for_local_port.bash 8000 40
+
+        # echo Ensures the expected version of cloudserver is NOT old one
+        # VERSION=$(docker compose -f .github/docker/docker-compose.yaml \
+        #     exec cloudserver-sse-migration cat package.json | jq -r .version)
+        # if [[ "$VERSION" == "7.70.21-11" ]]; then
+        #   echo "bad version of container. Should NOT be 7.70.21-11. Was $VERSION" >&2
+        #   exit 1
+        # else
+        #   echo OK $VERSION
+        # fi
+
+        yarn run ft_sse_migration # | tee /tmp/artifacts/$JOB_NAME/migration.log
+        sleep 10
+        yarn run ft_sse_arn # | tee /tmp/artifacts/$JOB_NAME/migration.log
+
diff --git a/.github/docker/vault-config.json b/.github/docker/vault-config.json
@@ -0,0 +1,76 @@
+{
+    "clusters": 1,
+    "healthChecks": {
+        "allowFrom": ["127.0.0.1/8", "::1"]
+    },
+    "interfaces": {
+        "S3": {
+            "address": "0.0.0.0",
+            "port": 8500,
+            "allowFrom": ["0.0.0.0/8", "::1"]
+        },
+        "administration": {
+            "address": "0.0.0.0",
+            "port": 8600
+        },
+        "sts": {
+            "address": "127.0.0.1",
+            "port": 8800
+        }
+    },
+    "map": ["127.0.0.1:4300", "127.0.0.2:4301", "127.0.0.3:4302", "127.0.0.4:4303", "127.0.0.5:4304"],
+    "keyFilePath": "./tests/utils/keyfile",
+    "adminCredentialsFilePath": "./tests/utils/admincredentials.json.encrypted",
+    "log": {
+        "level": "info",
+        "dump": "error"
+    },
+    "accountSeeds": [
+        {
+            "role": {
+                "roleName": "scality-role1",
+                "trustPolicy": {
+                    "Version": "2012-10-17",
+                    "Statement": [
+                        {
+                            "Effect": "Allow",
+                            "Principal": { "AWS": "arn:aws:iam::000000000000:user/root" },
+                            "Action": "sts:AssumeRole",
+                            "Condition": {}
+                        }
+                    ]
+                }
+            },
+            "permissionPolicy": {
+                "policyName": "scality-policy1",
+                "policyDocument": {
+                    "Version": "2012-10-17",
+                    "Statement": [
+                        {
+                            "Sid": "FullAccess",
+                            "Effect": "Allow",
+                            "Action": ["s3:*"],
+                            "Resource": ["*"]
+                        }
+                    ]
+                }
+            }
+        }
+    ],
+    "utapi": {
+        "host": "127.0.0.1",
+        "port": 8100
+    },
+    "scuba": {
+        "host": "127.0.0.1",
+        "port": 8100
+    },
+    "kmsAWS": {
+        "noAwsArn": true,
+        "providerName": "local",
+        "region": "us-east-1", 
+        "endpoint": "http://0:8080",
+        "ak": "456",
+        "sk": "123"
+    }
+}
diff --git a/.github/docker/vault-db/.gitignore b/.github/docker/vault-db/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore