Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding kms policy name for same kms encryption keys #11497

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Adding kms policy name for same kms encryption keys #11497

wants to merge 7 commits into from

Conversation

shivamdurgbuns
Copy link
Member

Fixes issue: #11495

@shivamdurgbuns shivamdurgbuns requested a review from a team as a code owner February 25, 2025 12:32
@shivamdurgbuns
Copy link
Member Author

Verification job: https://jenkins-csb-odf-qe-ocs4.dno.corp.redhat.com/job/qe-rdr-setup/1655/
getting same policy name and token value for both the clusters

@pull-request-size pull-request-size bot added size/M PR that changes 30-99 lines and removed size/XS labels Mar 4, 2025
petr-balogh
petr-balogh previously approved these changes Mar 4, 2025
View reviewed changes
@openshift-ci openshift-ci bot added the lgtm label Mar 4, 2025
@shivamdurgbuns
Copy link
Member Author

Verification job here: https://jenkins-csb-odf-qe-ocs4.dno.corp.redhat.com/job/qe-rdr-setup/1667/

@petr-balogh
Copy link
Member

New validation:
https://url.corp.redhat.com/3d8fd58

petr-balogh
petr-balogh reviewed Mar 6, 2025
View reviewed changes
ocs_ci/utility/kms.py Outdated
@@ -129,7 +129,7 @@ def __init__(self):
"VAULT_BACKEND", defaults.VAULT_DEFAULT_BACKEND_VERSION
)
self.kmsid = None
self.vault_policy_name = None
self.vault_policy_name = self.kms_vault_policy_name()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
self.vault_policy_name = self.kms_vault_policy_name()
self.vault_policy_name = self.kms_vault_policy_name

@petr-balogh petr-balogh dismissed their stale review March 6, 2025 20:38

There is an issue:

2025-03-05 12:12:01  >       self.vault_policy_name = self.kms_vault_policy_name()
2025-03-05 12:12:01  E       TypeError: 'str' object is not callable
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Mar 6, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: shivamdurgbuns

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot removed the lgtm label Mar 10, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Mar 10, 2025

New changes are detected. LGTM label has been removed.

@shivamdurgbuns
Copy link
Member Author

new vaildation job: https://jenkins-csb-odf-qe-ocs4.dno.corp.redhat.com/job/qe-rdr-setup/1680/

petr-balogh
petr-balogh reviewed Mar 12, 2025
View reviewed changes
ocs_ci/utility/kms.py
Comment on lines +582 to +589
json_out = json.loads(out)
if self.vault_policy_name in json_out:
# if policy already exists append the secondary cluster backend path to the policy
poilcy_data = (
f"\n}}\n"
f'path "{self.vault_backend_path}/*" {{\n'
f' capabilities = ["create", "read", "update","delete"]'
)
Copy link
Member

@petr-balogh petr-balogh Mar 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo in poilcy_data
and you are repeating this unnecesarly. Should be defined once only.
This is simplified how you can do this:

Suggested change
json_out = json.loads(out)
if self.vault_policy_name in json_out:
# if policy already exists append the secondary cluster backend path to the policy
poilcy_data = (
f"\n}}\n"
f'path "{self.vault_backend_path}/*" {{\n'
f' capabilities = ["create", "read", "update","delete"]'
)
existing_policy_data = None
read_policy_cmd = f"vault policy read {self.vault_policy_name}"
try:
existing_policy_data = subprocess.check_output(shlex.split(read_policy_cmd))
logger.info(f"Existing policy found!:\n{existing_policy_data}")
expect Exception:
logger.info("No existing policy found!")
policy_backend_path = (
f'path "{self.vault_backend_path}/*" {{\n'
f' capabilities = ["create", "read", "update","delete"]'
f"\n}}\n"
)
policy_sys_mount = (
f'path "sys/mounts" {{\n'
f'capabilities = ["read"]\n'
f"}}"
)
if existing_policy_data is None:
policy = policy_backend_path + policy_sys_mount
else:
policy = policy_backend_path + existing_policy_data
vault_hcl = tempfile.NamedTemporaryFile(
mode="a+", prefix="test", delete=False
)
logger.info(
f"Creating or updating policy: {self.vault_policy_name} with content:\n"
f"{policy}"
)
with open(vault_hcl.name, "a") as hcl:
hcl.write(policy)

petr-balogh
petr-balogh reviewed Mar 12, 2025
View reviewed changes
ocs_ci/utility/kms.py
f'path "{self.vault_backend_path}/*" {{\n'
f' capabilities = ["create", "read", "update","delete"]'
)
vault_hcl = tempfile.NamedTemporaryFile(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and the rest from this line can be deleted if you will follow the suggestion from code above

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@petr-balogh petr-balogh petr-balogh left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

@petr-balogh petr-balogh

Labels
size/M PR that changes 30-99 lines
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@shivamdurgbuns @petr-balogh