keyring: E2E testing for KMS/rotation #23601
In #23580 we're implementing support for encrypting Nomad's key material with external KMS providers or Vault Transit. This changeset breaks out the E2E infrastructure and testing from that PR to keep the review manageable.
Ref: https://hashicorp.atlassian.net/browse/NET-10334
Ref: #14852
Ref: #23580
lgtm! I mostly have little test message suggestions for failure legibility, and a couple questions.
func getJWKS(t *testing.T) *jose.JSONWebKeySet {
t.Helper()
out, err := e2eutil.Commandf("nomad operator api /.well-known/jwks.json")
tangent: intriguing that our api package doesn't have a method for this.
Yeah, I considered adding that here but I wanted to see if there was a reason that @schmichael didn't implement it first.
Co-authored-by: Daniel Bennett <dbennett@hashicorp.com>
In #23580 we're implementing support for encrypting Nomad's key material with external KMS providers or Vault Transit. In #23577 we're implementing support for prepublishing keys. This changeset updates the E2E infrastructure to use an external KMS and adds tests for rotation.
Ref: https://hashicorp.atlassian.net/browse/NET-10398
Ref: https://hashicorp.atlassian.net/browse/NET-10280
Ref: https://hashicorp.atlassian.net/browse/NET-10334
Ref: #14852
Ref: #23580
Note to reviewers: this PR requires #23580 and #23577 to be merged before we can merge this. Test run against a build that includes both PRs: