[CC-35895] e2e/operator: add encryption provider interface and GCP advanced test infrastructure#627
Open
shreyaskm623 wants to merge 6 commits into
Open
[CC-35895] e2e/operator: add encryption provider interface and GCP advanced test infrastructure#627shreyaskm623 wants to merge 6 commits into
shreyaskm623 wants to merge 6 commits into
Conversation
shreyaskm623
force-pushed
the
nishanth/operator-advanced-tests
branch
2 times, most recently
from
ef82b74 to
6df483d
Compare
shreyaskm623
force-pushed
the
shreyaskm/gcp-operator-advanced-test-infra
branch
from
0326060 to
89e9a9c
Compare
shreyaskm623
force-pushed
the
nishanth/operator-advanced-tests
branch
4 times, most recently
from
e210753 to
6ab0067
Compare
shreyaskm623
force-pushed
the
shreyaskm/gcp-operator-advanced-test-infra
branch
6 times, most recently
from
b1ddc9b to
90f3b64
Compare
shreyaskm623
force-pushed
the
shreyaskm/gcp-operator-advanced-test-infra
branch
4 times, most recently
from
d8a51b1 to
1a6687c
Compare
shreyaskm623
changed the title
shreyaskm623
force-pushed
the
shreyaskm/gcp-operator-advanced-test-infra
branch
4 times, most recently
from
4d14a02 to
1a6687c
Compare
shreyaskm623
requested review from
NishanthNalluri,
Copilot,
nameisbhaskar and
pritesh-lahoti
There was a problem hiding this comment.
Pull request overview
This PR refactors the operator E2E test harness to abstract encryption-at-rest setup behind a provider interface (so tests don’t manually generate/store keys) and extends infrastructure support for GCP, including CRDB-version-gated PCR external connection URI generation.
Changes:
- Centralize provider resolution (
PROVIDER) and wire anencryption.Providerinto the region/provider factory flow. - Move encryption key/secret setup into a dedicated
tests/e2e/operator/encryptionpackage and update advanced encryption tests to use provider-driven overrides/secret creation. - Add GCP KMS-backed encryption test infrastructure and gate PCR URI generation on the CRDB version (
convert-urlvsencode-uri).
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/e2e/operator/singleRegion/cockroachdb_single_region_e2e_test.go | Switch to centralized provider resolution; provider-scoped test runner cleanup. |
| tests/e2e/operator/singleRegion/cockroachdb_single_region_advanced_features_test.go | Update encryption-at-rest flows (enable/disable/rotate) to use provider-driven overrides and secret creation; adjust PCR validation inputs. |
| tests/e2e/operator/region.go | Add encryption provider plumbing and encryption secret setup during install; add PCR URI version gating and primary cluster-domain override. |
| tests/e2e/operator/multiRegion/cockroachdb_multi_region_e2e_test.go | Switch to centralized provider resolution. |
| tests/e2e/operator/multiRegion/cockroachdb_multi_region_advanced_features_test.go | Update multi-region encryption test to use provider-driven encryption region config. |
| tests/e2e/operator/infra/provider.go | Add ResolveProvider and provider→region encryption provider wiring in the factory. |
| tests/e2e/operator/infra/local.go | Implement encryption provider interface for local providers (file-based/UNKNOWN_KEY_TYPE). |
| tests/e2e/operator/infra/gcp.go | Implement GCP KMS-backed encryption provider (keyring/key creation, encrypt, secret creation). |
| tests/e2e/operator/encryption/types.go | Introduce provider interface + helpers for generating keys and creating secrets for file-based vs CMEK providers. |
| tests/e2e/migrate/helm_chart_to_cockroach_enterprise_operator_test.go | Use centralized provider resolution for operator install region selection. |
Comments suppressed due to low confidence (1)
tests/e2e/operator/singleRegion/cockroachdb_single_region_e2e_test.go:63
- The provider teardown only calls cloudProvider.TeardownInfra; it does not trigger any encryption-provider cleanup even though Region stores an encryptionCleanupFunc. To avoid leaking KMS/test resources, call providerRegion.CleanupEncryptionInfra() (or equivalent) as part of this cleanup block.
// Use t.Cleanup for guaranteed cleanup even on test timeout/panic.
t.Cleanup(func() {
t.Logf("Starting infrastructure cleanup for provider: %s", provider)
cloudProvider.TeardownInfra(t)
t.Logf("Completed infrastructure cleanup for provider: %s", provider)
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| out, err := exec.Command("kubectl", cmdArgs...).CombinedOutput() | ||
| if err != nil { | ||
| return fmt.Errorf("kubectl %s: %w\nOutput: %s", strings.Join(args[:2], " "), err, string(out)) |
Comment on lines
+343
to
+345
| // oldCmekCredentialsSecretName is required for the operator to set OLD_CMEK_PLATFORM | ||
| // and OLD_GCP_SERVICE_ACCOUNT_KEY, which tells the init container to KMS-decrypt | ||
| // the old key instead of writing the raw ciphertext to old_store.key. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated 5 comments.
Comments suppressed due to low confidence (1)
tests/e2e/operator/singleRegion/cockroachdb_single_region_e2e_test.go:63
- The provider-level cleanup only calls cloudProvider.TeardownInfra, but encryption infra cleanup closures captured via Region (CleanupEncryptionInfra) are never invoked. To avoid leaking KMS/IAM test resources (and to keep the cleanup API meaningful), call providerRegion.CleanupEncryptionInfra() in both the t.Cleanup block and the immediate failure cleanup path.
// Use t.Cleanup for guaranteed cleanup even on test timeout/panic.
t.Cleanup(func() {
t.Logf("Starting infrastructure cleanup for provider: %s", provider)
cloudProvider.TeardownInfra(t)
t.Logf("Completed infrastructure cleanup for provider: %s", provider)
|
|
||
| func (r *Region) EncryptionOverridesFromProvider() map[string]interface{} { | ||
| if r.encryptionProvider == nil { | ||
| return nil |
|
|
||
| // Wait for crd to be installed. | ||
| // Wait for crdbclusters CRD to serve v1beta1 before proceeding. | ||
| _, _ = retry.DoWithRetryE(t, "wait-for-crd", 60, time.Second*5, func() (string, error) { |
Comment on lines
+52
to
+54
| func SetupEncryptionSecrets(t *testing.T, provider Provider, kubectlOptions *k8s.KubectlOptions, clusterRegion string) error { | ||
| return SetupEncryptionSecretsWithName(t, provider, kubectlOptions, clusterRegion, "cmek-key-secret") | ||
| } |
| require.NoError(t, err) | ||
| require.True(t, len(secretSize) > 0, "Secret StoreKeyData should be >0") | ||
| t.Logf("Created encryption secret %s with size: %d bytes", encryptionSecretName, len(secretSize)) | ||
| err = encryption.SetupEncryptionSecretsWithName(t, r.encryptionProvider, kubectlOptions, cluster, DefaultEncryptionSecret) |
shreyaskm623
force-pushed
the
shreyaskm/gcp-operator-advanced-test-infra
branch
from
6e2b463 to
c019669
Compare
shreyaskm623
changed the title
shreyaskm623
force-pushed
the
shreyaskm/gcp-operator-advanced-test-infra
branch
from
c019669 to
7c1ef66
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Introduces an encryption.Provider interface to abstract KMS and secret setup behind infra-level provider types, and adds GCP-specific test infrastructure support including version-gated PCR connection URI generation.
JIRA : https://cockroachlabs.atlassian.net/browse/CC-35895