keyring: E2E testing for KMS/rotation #23601

tgross · 2024-07-16T20:46:38Z

In #23580 we're implementing support for encrypting Nomad's key material with external KMS providers or Vault Transit. In #23577 we're implementing support for prepublishing keys. This changeset updates the E2E infrastructure to use an external KMS and adds tests for rotation.

Ref: https://hashicorp.atlassian.net/browse/NET-10398
Ref: https://hashicorp.atlassian.net/browse/NET-10280
Ref: https://hashicorp.atlassian.net/browse/NET-10334
Ref: #14852
Ref: #23580

Note to reviewers: this PR requires #23580 and #23577 to be merged before we can merge this. Test run against a build that includes both PRs:

$ go test -v -count=1 ./keyring
=== RUN   TestKeyringRotation
--- PASS: TestKeyringRotation (0.62s)
PASS
ok      github.com/hashicorp/nomad/e2e/keyring  0.632s

In #23580 we're implementing support for encrypting Nomad's key material with external KMS providers or Vault Transit. This changeset breaks out the E2E infrastructure and testing from that PR to keep the review manageable. Ref: https://hashicorp.atlassian.net/browse/NET-10334 Ref: #14852 Ref: #23580

gulducat

lgtm! I mostly have little test message suggestions for failure legibility, and a couple questions.

e2e/keyring/keyring_test.go

gulducat · 2024-07-18T16:09:39Z

e2e/keyring/keyring_test.go

+
+func getJWKS(t *testing.T) *jose.JSONWebKeySet {
+	t.Helper()
+	out, err := e2eutil.Commandf("nomad operator api /.well-known/jwks.json")


tangent: intriguing that our api package doesn't have a method for this.

Yeah, I considered adding that here but I wanted to see if there was a reason that @schmichael didn't implement it first.

e2e/terraform/variables.tf

e2e/keyring/keyring_test.go

Co-authored-by: Daniel Bennett <dbennett@hashicorp.com>

tgross added the theme/e2e label Jul 16, 2024

vercel bot deployed to Preview – nomad-ui July 16, 2024 20:47 View deployment

tgross added theme/keyring backport/1.8.x backport to 1.8.x release line labels Jul 16, 2024

tgross force-pushed the keyring-external-kms branch from ca0ad51 to 8f123e7 Compare July 16, 2024 20:48

tgross mentioned this pull request Jul 16, 2024

keyring: support external KMS for key encryption key (KEK) #23580

Merged

tgross added this to the 1.8.x milestone Jul 16, 2024

tgross force-pushed the keyring-external-kms branch from 8f123e7 to 2167010 Compare July 17, 2024 17:35

tgross force-pushed the e2e-keyring-external-kms branch 2 times, most recently from 62910f6 to e93d439 Compare July 17, 2024 17:37

vercel bot deployed to Preview – nomad-ui July 17, 2024 17:39 View deployment

tgross force-pushed the keyring-external-kms branch from 2167010 to f29a23d Compare July 17, 2024 18:49

tgross force-pushed the e2e-keyring-external-kms branch from e93d439 to 42a638b Compare July 17, 2024 18:51

vercel bot deployed to Preview – nomad-ui July 17, 2024 18:52 View deployment

tgross force-pushed the keyring-external-kms branch from f29a23d to 0f2ca08 Compare July 17, 2024 19:23

tgross force-pushed the e2e-keyring-external-kms branch from 42a638b to c178ddd Compare July 17, 2024 19:25

vercel bot deployed to Preview – nomad-ui July 17, 2024 19:26 View deployment

tgross changed the title ~~keyring: infrastructure for E2E testing of external KMS~~ keyring: infrastructure for E2E testing of KMS/rotation Jul 17, 2024

tgross changed the base branch from keyring-external-kms to main July 17, 2024 19:32

tgross changed the title ~~keyring: infrastructure for E2E testing of KMS/rotation~~ keyring: E2E testing for KMS/rotation Jul 17, 2024

tgross force-pushed the e2e-keyring-external-kms branch from c178ddd to 677b7f1 Compare July 17, 2024 19:33

vercel bot deployed to Preview – nomad-ui July 17, 2024 19:34 View deployment

vercel bot deployed to Preview – nomad-ui July 17, 2024 20:43 View deployment

hc-github-team-nomad-core mentioned this pull request Jul 18, 2024

Backport of keyring: support external KMS for key encryption key (KEK) into release/1.8.x #23620

Merged

E2E test

c1e9132

tgross force-pushed the e2e-keyring-external-kms branch from e3d449a to c1e9132 Compare July 18, 2024 15:39

tgross marked this pull request as ready for review July 18, 2024 15:39

tgross requested review from gulducat and pkazmierczak July 18, 2024 15:39

vercel bot deployed to Preview – nomad-ui July 18, 2024 15:40 View deployment

gulducat approved these changes Jul 18, 2024

View reviewed changes

Apply suggestions from code review

bdace8f

Co-authored-by: Daniel Bennett <dbennett@hashicorp.com>

vercel bot deployed to Preview – nomad-ui July 18, 2024 16:31 View deployment

added extra guardrail on tests

6c3c4e3

vercel bot deployed to Preview – nomad-ui July 18, 2024 16:33 View deployment

tgross merged commit a29f9b6 into main Jul 19, 2024
19 checks passed

tgross deleted the e2e-keyring-external-kms branch July 19, 2024 17:49

hc-github-team-nomad-core mentioned this pull request Jul 19, 2024

Backport of keyring: E2E testing for KMS/rotation into release/1.8.x #23652

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

keyring: E2E testing for KMS/rotation #23601

keyring: E2E testing for KMS/rotation #23601

tgross commented Jul 16, 2024 •

edited

Loading

gulducat left a comment

gulducat Jul 18, 2024

tgross Jul 18, 2024

keyring: E2E testing for KMS/rotation #23601

keyring: E2E testing for KMS/rotation #23601

Conversation

tgross commented Jul 16, 2024 • edited Loading

gulducat left a comment

Choose a reason for hiding this comment

gulducat Jul 18, 2024

Choose a reason for hiding this comment

tgross Jul 18, 2024

Choose a reason for hiding this comment

tgross commented Jul 16, 2024 •

edited

Loading