
(wip) functional tests for sse KMS Migration #5793


Open
wants to merge 5 commits into
base: hotfix/7.70.21.outscale
from
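--- a/.github/docker/admin.json
+++ b/.github/docker/admin.json
@@ -0,0 +1,4 @@
+{
+"accessKey": "D4IT2AWSB588GO5J9T00",
+"secretKeyValue": "UEEu8tYlsOGGrgf4DAiSZD6apVNPUWqRiPG0nTB6"
+}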
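Review bot: The `secretKeyValue` in this new file is a realistic-looking admin secret, and nothing on the page records that it is a throwaway test fixture. `local.sh` passes it to `vaultclient --config admin.json` to delete and create accounts, so whoever holds this pair administers any Vault started from these images. If it is the Vault image's built-in test credential, state that in the PR description or a README beside the file (JSON has no comments) and add a secret-scanner allowlist entry so the exception is a recorded decision. If it was ever used outside CI, rotate it and load it from the environment instead of the repository.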
37 changes: 37 additions & 0 deletions .github/docker/docker-compose.yaml
Expand Up @@ -8,7 +8,12 @@ services:
- /tmp/ssl-kmip:/ssl-kmip
- ${HOME}/.aws/credentials:/root/.aws/credentials
- /tmp/artifacts/${JOB_NAME}:/artifacts
# using artesca container, with persistent volumes for sse migration
- ../../localData:/usr/src/app/localData
- ../../localMetadata:/usr/src/app/localMetadata
- ../../tests/functional/sse-kms-migration/config.${SSE_CONF}.json:/conf/config.json
environment:
- S3_CONFIG_FILE=/conf/config.json
- CI=true
- ENABLE_LOCAL_CACHE=true
- REDIS_HOST=0.0.0.0
Expand All @@ -19,7 +24,9 @@ services:
- DATA_HOST=0.0.0.0
- METADATA_HOST=0.0.0.0
- S3BACKEND
- S3VAULT=scality
- S3DATA
- S3METADATA
- MPU_TESTING
- S3VAULT
- S3_LOCATION_FILE
Expand All @@ -42,6 +49,36 @@ services:
extra_hosts:
- "bucketwebsitetester.s3-website-us-east-1.amazonaws.com:127.0.0.1"
- "pykmip.local:127.0.0.1"
cloudserver-sse-migration:
extends: cloudserver
profiles: [sse-migration]
volumes:
# using artesca container
- ../../tests/functional/sse-kms-migration/config.${SSE_CONF}.json:/conf/config.json
- ../../localData:/usr/src/app/localData
- ../../localMetadata:/usr/src/app/localMetadata
environment:
- S3_CONFIG_FILE=/conf/config.json
- S3KMS=aws
- S3VAULT=scality
vault:
# image: ${VAULT_IMAGE_BEFORE_SSE_MIGRATION}
image: ${VAULT_IMAGE}
command: sh -c "chmod 400 tests/utils/keyfile && yarn start > /artifacts/vault.log"
network_mode: "host"
volumes:
- /tmp/artifacts/${JOB_NAME}:/artifacts
- ./vault-config.json:/conf/config.json:ro
- ./vault-db:/data
environment:
- VAULT_DB_BACKEND=LEVELDB
- CI=true
- ENABLE_LOCAL_CACHE=true
- REDIS_HOST=0.0.0.0
- REDIS_PORT=6379
- KMS_BACKEND=aws
depends_on:
- redis
redis:
image: redis:alpine
network_mode: "host"
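Review bot: The first hunk appears to add the `config.${SSE_CONF}.json` bind mount and `S3_CONFIG_FILE=/conf/config.json` to the base `cloudserver` service rather than only to `cloudserver-sse-migration`, so any job that starts `cloudserver` without exporting `SSE_CONF` would resolve the source to `config..json`. With the short volume syntax Docker creates a missing source path as a directory, which would leave the server pointed at a directory as its config file. Keeping these entries on the profile-gated service, or writing `${SSE_CONF:?SSE_CONF must be set}`, would make the failure explicit. The second hunk's environment list now holds both `S3VAULT=scality` and a bare `S3VAULT`, which leaves the intended value ambiguous. In the `vault` service, `yarn start > /artifacts/vault.log` captures stdout only; `yarn start > /artifacts/vault.log 2>&1` would keep error output in the artifact as well.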
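--- a/.github/docker/local.sh
+++ b/.github/docker/local.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+set -e -o pipefail
+#in .github/docker
+
+export S3BACKEND=file
+export S3METADATA=scality
+export S3VAULT=scality
+export CLOUDSERVER_IMAGE_BEFORE_SSE_MIGRATION=ghcr.io/scality/cloudserver:7.70.21-11
+export CLOUDSERVER_IMAGE_ORIGINAL=ghcr.io/scality/cloudserver:50db1ada69a394cf877bd3486d4d0e318158e338
+export MPU_TESTING="yes"
+export JOB_NAME=sse-kms-migration-tests-show-arn
+export kmsHideScalityArn=showArn
+
+export VAULT_IMAGE_BEFORE_SSE_MIGRATION=ghcr.io/scality/vault:7.70.15-5
+export VAULT_IMAGE_ORIGINAL=ghcr.io/scality/vault:e8c0fa2890c131581efd13ad3fd1ade7dcbd0968
+export KMS_IMAGE=nsmithuk/local-kms:3.11.7
+
+# IMAGE IS HARDCODED FOR OKMS TO HIDE
+export JOB_NAME=sse-kms-migration-tests-hide-arn
+export kmsHideScalityArn=hideArn
+# export JOB_NAME=sse-kms-migration-tests-show-arn
+# export kmsHideScalityArn=showArn
+
+mkdir -p /tmp/artifacts/$JOB_NAME
+
+export CLOUDSERVER_IMAGE=$CLOUDSERVER_IMAGE_BEFORE_SSE_MIGRATION
+export VAULT_IMAGE=$VAULT_IMAGE_BEFORE_SSE_MIGRATION
+export SSE_CONF=before
+
+export KMS_AWS_SECRET_ACCESS_KEY=123
+export KMS_AWS_ACCESS_KEY_ID=456
+
+# START KMS
+docker run -d -p 8080:8080 $KMS_IMAGE || true
+
+echo "waiting for local AWS KMS service on port 8080 to be available."
+
+timeout 300 bash -c 'until curl -sS 0:8080 > /dev/null; do
+echo "service not ready on port 8080. Retrying in 2 seconds."
+sleep 2
+done'
+echo "local AWS KMS service is up and running on port 8080."
+
+AWS_ENDPOINT_URL=http://0:8080 AWS_DEFAULT_REGION=us-east-1 AWS_ACCESS_KEY_ID=456 AWS_SECRET_ACCESS_KEY=123 aws kms list-keys --max-items 1
+# END KMS
+
+# Start all before migration
+docker compose up -d
+bash ../../wait_for_local_port.bash 8500 40
+bash ../../wait_for_local_port.bash 8000 40
+# HAVE vaultclient bin in your PATH or an alias
+alias vaultclient="~/scality/vaultclient/bin/vaultclient"
+export PATH="$PATH:~/scality/vaultclient/bin/"
+vaultclient --config admin.json delete-account --name mick || true
+vaultclient --config admin.json create-account --name mick --email [email protected]
+vaultclient --config admin.json generate-account-access-key --name mick --accesskey SCUBAINTERNAL0000000 --secretkey SCUBAINTERNAL000000000000000000000000000
+vaultclient --config admin.json get-account --account-name mick
+
+cd ../..
+
+echo ===== RUN BEFORE MIGRATION =====
+export S3_CONFIG_FILE=config.before.json
+
+set -o pipefail;
+
+
+echo Ensures the expected version of cloudserver is old one:
+VERSION=$(docker compose -f .github/docker/docker-compose.yaml \
+exec cloudserver cat package.json | jq -r .version)
+if [[ "$VERSION" != "7.70.21-11" ]]; then
+echo "bad version of container. Should be 7.70.21-11. Was $VERSION" >&2
+exit 1
+else
+echo OK $VERSION
+fi
+
+yarn run ft_sse_before_migration | tee /tmp/artifacts/$JOB_NAME/beforeMigration.log
+
+# RUN latest images
+cd .github/docker
+export SSE_CONF=sseMigration.$kmsHideScalityArn
+export CLOUDSERVER_IMAGE=$CLOUDSERVER_IMAGE_ORIGINAL
+export VAULT_IMAGE=$VAULT_IMAGE_ORIGINAL
+
+docker compose down cloudserver vault && docker compose up -d vault # cloudserver-sse-migration
+
+echo ==== RUN MIGRATION ====
+cd ../..
+yarn start_migration > s3.log &
+export S3_CONFIG_FILE=config.sseMigration.$kmsHideScalityArn.json
+export S3KMS=aws
+
+set -o pipefail;
+bash wait_for_local_port.bash 8500 40
+bash wait_for_local_port.bash 8000 40
+
+# echo Ensures the expected version of cloudserver is NOT old one
+# VERSION=$(docker compose -f .github/docker/docker-compose.yaml \
+# exec cloudserver-sse-migration cat package.json | jq -r .version)
+# if [[ "$VERSION" == "7.70.21-11" ]]; then
+# echo "bad version of container. Should NOT be 7.70.21-11. Was $VERSION" >&2
+# exit 1
+# else
+# echo OK $VERSION
+# fi
+
+yarn run ft_sse_migration # | tee /tmp/artifacts/$JOB_NAME/migration.log
+sleep 10
+yarn run ft_sse_arn # | tee /tmp/artifacts/$JOB_NAME/migration.log
+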
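Review bot: `yarn start_migration > s3.log &` runs before `export S3_CONFIG_FILE=config.sseMigration.$kmsHideScalityArn.json` and `export S3KMS=aws`, so the background server inherits `S3_CONFIG_FILE=config.before.json` from the first phase unless the yarn script sets its own environment; the two exports should move above the launch. Nothing stops that background job or the containers when a later step fails under `set -e`, so an EXIT `trap` that kills the job and runs `docker compose down` would keep reruns from hitting stale listeners on 8000/8500. `docker run -d -p 8080:8080 $KMS_IMAGE || true` publishes the local KMS on every interface and, although the `|| true` looks intended for reruns, it also hides a failed first start; `docker run -d -p 127.0.0.1:8080:8080 "$KMS_IMAGE"` keeps it on loopback. The `alias vaultclient=...` line has no effect in a non-interactive bash script without `shopt -s expand_aliases`, and the `~` inside the quoted `PATH` entry is not expanded for child processes, so `$HOME/scality/vaultclient/bin` is the safer spelling.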
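--- a/.github/docker/vault-config.json
+++ b/.github/docker/vault-config.json
@@ -0,0 +1,76 @@
+{
+"clusters": 1,
+"healthChecks": {
+"allowFrom": ["127.0.0.1/8", "::1"]
+},
+"interfaces": {
+"S3": {
+"address": "0.0.0.0",
+"port": 8500,
+"allowFrom": ["0.0.0.0/8", "::1"]
+},
+"administration": {
+"address": "0.0.0.0",
+"port": 8600
+},
+"sts": {
+"address": "127.0.0.1",
+"port": 8800
+}
+},
+"map": ["127.0.0.1:4300", "127.0.0.2:4301", "127.0.0.3:4302", "127.0.0.4:4303", "127.0.0.5:4304"],
+"keyFilePath": "./tests/utils/keyfile",
+"adminCredentialsFilePath": "./tests/utils/admincredentials.json.encrypted",
+"log": {
+"level": "info",
+"dump": "error"
+},
+"accountSeeds": [
+{
+"role": {
+"roleName": "scality-role1",
+"trustPolicy": {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": { "AWS": "arn:aws:iam::000000000000:user/root" },
+"Action": "sts:AssumeRole",
+"Condition": {}
+}
+]
+}
+},
+"permissionPolicy": {
+"policyName": "scality-policy1",
+"policyDocument": {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "FullAccess",
+"Effect": "Allow",
+"Action": ["s3:*"],
+"Resource": ["*"]
+}
+]
+}
+}
+}
+],
+"utapi": {
+"host": "127.0.0.1",
+"port": 8100
+},
+"scuba": {
+"host": "127.0.0.1",
+"port": 8100
+},
+"kmsAWS": {
+"noAwsArn": true,
+"providerName": "local",
+"region": "us-east-1",
+"endpoint": "http://0:8080",
+"ak": "456",
+"sk": "123"
+}
+}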
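Review bot: The `administration` interface binds `"address": "0.0.0.0"` on port 8600 with no `allowFrom`, and the compose file runs Vault with `network_mode: "host"`, so the admin API listens on every interface of the runner or developer machine while the admin key pair sits in the committed `admin.json`. Binding it to loopback with `"address": "127.0.0.1"`, as the `sts` block already does, keeps it local. The S3 interface's `"allowFrom": ["0.0.0.0/8", "::1"]` also looks unintended, since `0.0.0.0/8` is neither loopback nor any-address; `127.0.0.0/8` was probably meant, which is worth confirming against how Vault evaluates the list. The `kmsAWS` `ak`/`sk` values read as local-kms placeholders, and a line in the PR description saying so would keep them from being mistaken for real keys.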
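--- a/.github/docker/vault-db/.gitignore
+++ b/.github/docker/vault-db/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore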