From 096cdfaee3caa126260e0c30f2578e4a5ced331d Mon Sep 17 00:00:00 2001 From: Marcus Watts Date: Wed, 11 Nov 2020 22:38:18 -0500 Subject: [PATCH] rgw/kms/kmip - rgw / kmip test integration. s3tests needs to know key names in order to run kms tests. It seems desirable to have s3tests default to discovering the names that were created by the pykmip task, and that if there is more than one rgw connected to more than one pykmip, that names belonging to the appropriate pykmip instance should be used. This logic does the following: rgw task: save pykmip role name. s3tests task: set kms_key (and kms_keyid2) to these in order of priority 1 s3tests client task property ['kms_key'] (or ['kms_key2']) 2 first (second) secret created in the matching pykmip instance. 3 testkey-1 (testkey-2) For case 2, names from the secrets have an initial "token-" stripped from them. The assumption here is that rgw is being run with a setting such as rgw crypt kmip kms key template: pykmip-$keyid therefore "pykmip-" will be prefixed back onto the key before use. Signed-off-by: Marcus Watts
---
 qa/tasks/rgw.py | 1 + qa/tasks/s3tests.py | 9 ++++++++- 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/qa/tasks/rgw.py b/qa/tasks/rgw.py
index d45fe6e03fd..070adcf4c1b 100644
--- a/qa/tasks/rgw.py
+++ b/qa/tasks/rgw.py
@@ -146,6 +146,7 @@ def start_rgw(ctx, config, clients):
 elif pykmip_role is not None:
 if not hasattr(ctx, 'pykmip'):
 raise ConfigError('rgw must run after the pykmip task')
+ ctx.rgw.pykmip_role = pykmip_role
 rgw_cmd.extend([
 '--rgw_crypt_kmip_addr', "{}:{}".format(*ctx.pykmip.endpoints[pykmip_role]),
 ])
diff --git a/qa/tasks/s3tests.py b/qa/tasks/s3tests.py
index 3310d7499a1..f80e9954ee6 100644
--- a/qa/tasks/s3tests.py
+++ b/qa/tasks/s3tests.py
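Review bot: `ctx.rgw.pykmip_role` in start_rgw is a single attribute on the shared `ctx.rgw`, so it cannot record a different pykmip role for each rgw client. If this statement is reached once per client (the enclosing loop lies outside the hunk), the last client's role overwrites the others and every s3tests client would later take its key names from that one pykmip instance, which is not what the description promises for several rgw/pykmip pairs. Either keep the role per client, or state the limitation next to the assignment with a comment such as `# single pykmip role for all rgw clients; the last one configured wins`.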
@@ -327,7 +327,14 @@ def configure(ctx, config):
 properties = properties['vault_%s' % ctx.vault.engine]
 s3tests_conf['DEFAULT']['kms_keyid'] = properties['key_path']
 s3tests_conf['DEFAULT']['kms_keyid2'] = properties['key_path2']
-
+ elif hasattr(ctx.rgw, 'pykmip_role'):
+ keys=[]
+ for name in (x['Name'] for x in ctx.pykmip.keys[ctx.rgw.pykmip_role]):
+ p=name.partition('-')
+ keys.append(p[2] if p[2] else p[0])
+ keys.extend(['testkey-1', 'testkey-2'])
+ s3tests_conf['DEFAULT']['kms_keyid'] = properties.get('kms_key', keys[0])
+ s3tests_conf['DEFAULT']['kms_keyid2'] = properties.get('kms_key2', keys[1])
 else:
 # Fallback scenario where it's the local (ceph.conf) kms being tested
 s3tests_conf['DEFAULT']['kms_keyid'] = 'testkey-1'
-- 2.39.5
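Review bot: The new `elif` branch strips whatever precedes the first hyphen via `name.partition('-')` rather than the specific prefix that the description says rgw's key template adds back. A secret named without that prefix is silently rewritten into a key id that rgw would expand to a different name, and with fewer than two secrets the list falls back to `testkey-1`/`testkey-2`, which may not exist in that pykmip instance; either way the KMS tests fail later, far from the cause. Match the prefix explicitly and log or skip names that lack it, e.g. `if name.startswith(KEY_PREFIX): keys.append(name[len(KEY_PREFIX):])`, where `KEY_PREFIX` is a placeholder for the template prefix. `keys=[]` and `p=name.partition('-')` also need spaces around `=`; configure's body continues outside the hunk.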