[5.18 backport] Support key rotation to Azure vault (noobaa#1596) (noobaa#1795)

* Support key rotation to Azure vault (noobaa#1596)

Signed-off-by: jackyalbo <jacky.albo@gmail.com>
(cherry picked from commit 18b2405)

* CI | adding Set up kind step to the yamls

Signed-off-by: liranmauda <liran.mauda@gmail.com>
(cherry picked from commit 8deec77)

* Remove KMS condition status Init checks from tests

- Removing False positive verification of KMS condition status Init

The Init condition status is, in most cases, a state that is short in time, and the tests are missing the timing, hence failing.
We do not need this case as corev1.ConditionStatus = "Sync"
will never happen if Init did not, and we will fail there.

Signed-off-by: liranmauda <liran.mauda@gmail.com>
(cherry picked from commit de03454)

---------

Signed-off-by: jackyalbo <jacky.albo@gmail.com>
Signed-off-by: liranmauda <liran.mauda@gmail.com>
Co-authored-by: liranmauda <liran.mauda@gmail.com>

Author: jackyalbo

.github/workflows/run_hac_test.yml

@@ -13,7 +13,13 @@ jobs:
         uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.23"
+          go-version-file: go.mod
+          check-latest: true
+          cache: true
+          cache-dependency-path: |
+            **/go.sum
+      - name: Set up kind
+        uses: helm/kind-action@v1
 
       - name: Set environment variables
         run: |

.github/workflows/run_kms_azure_vault_test.yml

@@ -13,7 +13,13 @@ jobs:
         uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.23"
+          go-version-file: go.mod
+          check-latest: true
+          cache: true
+          cache-dependency-path: |
+            **/go.sum
+      - name: Set up kind
+        uses: helm/kind-action@v1
 
       - name: Set environment variables
         run: |

.github/workflows/run_kms_dev_test.yml

@@ -13,7 +13,13 @@ jobs:
         uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.23"
+          go-version-file: go.mod
+          check-latest: true
+          cache: true
+          cache-dependency-path: |
+            **/go.sum
+      - name: Set up kind
+        uses: helm/kind-action@v1
 
       - name: Set environment variables
         run: |

.github/workflows/run_kms_ibm_kp_test.yml

@@ -16,7 +16,13 @@ jobs:
         uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.23"
+          go-version-file: go.mod
+          check-latest: true
+          cache: true
+          cache-dependency-path: |
+            **/go.sum
+      - name: Set up kind
+        uses: helm/kind-action@v1
 
       - name: Set environment variables
         run: |

.github/workflows/run_kms_kmip_test.yml

@@ -13,22 +13,28 @@ jobs:
         uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.23"
+          go-version-file: go.mod
+          check-latest: true
+          cache: true
+          cache-dependency-path: |
+            **/go.sum
+      - name: Set up kind
+        uses: helm/kind-action@v1
 
       - name: Set environment variables
         run: |
           echo PATH=$PATH:$HOME/go/bin                                          >> $GITHUB_ENV
           echo OPERATOR_IMAGE=localhost:5000/noobaa/noobaa-operator:integration >> $GITHUB_ENV
           echo PYKMIP_IMAGE=localhost:5000/noobaa/pykmip:integration >> $GITHUB_ENV
-      
+
       - name: Deploy Dependencies
         run: |
           set -x
           bash .travis/install-5nodes-kind-cluster.sh
           go get -v github.com/onsi/ginkgo/v2
           go install -v github.com/onsi/ginkgo/v2/ginkgo
           ginkgo version
-          
+
       - name: Build NooBaa
         run: |
           make cli

.github/workflows/run_kms_rotate_test.yml

@@ -13,7 +13,13 @@ jobs:
         uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.23"
+          go-version-file: go.mod
+          check-latest: true
+          cache: true
+          cache-dependency-path: |
+            **/go.sum
+      - name: Set up kind
+        uses: helm/kind-action@v1
 
       - name: Set environment variables
         run: |

.github/workflows/run_kms_tls_sa_test.yml

@@ -13,8 +13,13 @@ jobs:
         uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.23"
-
+          go-version-file: go.mod
+          check-latest: true
+          cache: true
+          cache-dependency-path: |
+            **/go.sum
+      - name: Set up kind
+        uses: helm/kind-action@v1
       - name: Set environment variables
         run: |
           echo PATH=$PATH:$HOME/go/bin                                          >> $GITHUB_ENV

.github/workflows/run_kms_tls_token_test.yml

@@ -13,7 +13,13 @@ jobs:
         uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.23"
+          go-version-file: go.mod
+          check-latest: true
+          cache: true
+          cache-dependency-path: |
+            **/go.sum
+      - name: Set up kind
+        uses: helm/kind-action@v1
 
       - name: Set environment variables
         run: |

pkg/util/kms/kms_azure.go

@@ -21,6 +21,8 @@ const (
 // AzureVault is a azure kms driver
 type AzureVault struct {
 	UID string // NooBaa system UID
+	name string // NooBaa system name
+	ns   string // NooBaa system namespace
 }
 
 // NewAzureVault is azure driver constructor
@@ -29,7 +31,7 @@ func NewAzureVault(
 	namespace string,
 	uid string,
 ) Driver {
-	return &AzureVault{uid}
+	return &AzureVault{uid, name, namespace}
 }
 
 //
@@ -107,8 +109,8 @@ func createCertTempFile(config map[string]interface{}, namespace string) error {
 
 // Version returns the current driver KMS version
 // either single string or map, i.e. rotating key
-func (*AzureVault) Version(kms *KMS) Version {
-	return &VersionSingleSecret{kms, nil}
+func (k *AzureVault) Version(kms *KMS) Version {
+	return &VersionRotatingSecret{VersionBase{kms, nil}, k.name, k.ns}
 }
 
 // Register Azure driver with KMS layer

pkg/util/kms/test/azure-vault/kms_azure_vault_test.go

@@ -3,6 +3,7 @@ package kmsazurevaulttest
 import (
 	"os"
 
+	"github.com/libopenstorage/secrets"
 	"github.com/libopenstorage/secrets/azure"
 	nbv1 "github.com/noobaa/noobaa-operator/v5/pkg/apis/noobaa/v1alpha1"
 	"github.com/noobaa/noobaa-operator/v5/pkg/options"
@@ -105,4 +106,48 @@ var _ = Describe("KMS - Azure Vault", func() {
 		})
 	})
 
+	Context("Verify Rotate", func() {
+		noobaa := getMiniNooBaa()
+		azureVaultURL, azureVaultURLFound := os.LookupEnv("AZURE_VAULT_URL")
+		k := azureKMSSpec(azureVaultURL)
+		noobaa.Spec.Security.KeyManagementService = k
+		noobaa.Spec.Security.KeyManagementService.EnableKeyRotation = true
+		noobaa.Spec.Security.KeyManagementService.Schedule = "* * * * *" // every min
+
+		Specify("Verify API Address", func() {
+			Expect(azureVaultURLFound).To(BeTrue())
+		})
+		Specify("Create key rotate schedule system", func() {
+			Expect(util.KubeCreateFailExisting(noobaa)).To(BeTrue())
+		})
+		// Change here to .To(BeTrue()) once fixed issue in line 53
+		Specify("Verify KMS condition Type", func() {
+			Expect(util.NooBaaCondition(noobaa, nbv1.ConditionTypeKMSType, secrets.TypeAzure)).To(BeFalse())
+		})
+		// Change here to .To(BeTrue()) once fixed issue in line 53
+		Specify("Verify KMS condition status Init", func() {
+			Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSInit)).To(BeFalse())
+		})
+		Specify("Restart NooBaa operator", func() {
+			podList := &corev1.PodList{}
+			podSelector, _ := labels.Parse("noobaa-operator=deployment")
+			listOptions := client.ListOptions{Namespace: options.Namespace, LabelSelector: podSelector}
+
+			Expect(util.KubeList(podList, &listOptions)).To(BeTrue())
+			Expect(len(podList.Items)).To(BeEquivalentTo(1))
+			Expect(util.KubeDelete(&podList.Items[0])).To(BeTrue())
+		})
+		// Change here to .To(BeTrue()) once fixed issue in line 53
+		Specify("Verify KMS condition status Sync", func() {
+			Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSSync)).To(BeFalse())
+		})
+		// Change here to .To(BeTrue()) once fixed issue in line 53
+		Specify("Verify KMS condition status Key Rotate", func() {
+			Expect(util.NooBaaCondStatus(noobaa, nbv1.ConditionKMSKeyRotate)).To(BeFalse())
+		})
+		Specify("Delete NooBaa", func() {
+			Expect(util.KubeDelete(noobaa)).To(BeTrue())
+		})
+	})
+
 })