[Manager] Run Manager tests with enabled client encryption #9960
Conversation
mikliapko
force-pushed
the
enable-encryption-for-manager-tests
branch
4 times, most recently
from
b25ca7a to
5bda33d
Compare
mikliapko
force-pushed
the
enable-encryption-for-manager-tests
branch
from
5bda33d to
93f8969
Compare
mikliapko
changed the title
mikliapko
force-pushed
the
enable-encryption-for-manager-tests
branch
from
93f8969 to
5c86a06
Compare
mikliapko
requested review from
karol-kokoszka,
Michal-Leszczynski and
a team
and removed request for
rayakurl
mgmt_cli_test.py
Outdated
| def test_client_encryption(self): | ||
| self.log.info('starting test_client_encryption') | ||
| # Encryption should be disabled at the beginning of the test |
There was a problem hiding this comment.
As the test aims to check both cases - with client encryption enabled and with encryption disabled.
Moreover, it makes the test independent on the initial cluster encryption state - since the same test_client_encryption (which is part of test_manager_sanity) can be executed against cluster with enabled or disabled encryption.
mgmt_cli_test.py
Outdated
| healthcheck_task = mgr_cluster.get_healthcheck_task() | ||
|
|
||
| self.db_cluster.enable_client_encrypt() | ||
| self._set_scylla_client_encryption(is_enable=True) |
There was a problem hiding this comment.
this won't make sense if client_encrypt setting is false, should error/warn about it
There was a problem hiding this comment.
Ah, that's true, will fix it
There was a problem hiding this comment.
I decided to change an approach for this test a bit.
First of all, disabling encryption at the beginning of the test might be redundant since from now, the majority of tests will have it set by default. It will result in extra steps to disable it.
Secondly, SM verification with enabled encryption has higher priority than with disabled, thus, it's a right thing to check it firstly.
Thus, the stages were swapped - the first test stage will check the Manager functionality with ENABLED encryption, and only after that with DISABLED.
There was a problem hiding this comment.
retesting it here:
There was a problem hiding this comment.
both tests have passed successfully
Could you please elaborate on this? |
SM using dns names instead of IP's |
Update `ensure_and_get_cluster` method to `--force_non_ssl_session_port` flag in add cluster command if client encryption is enabled. Update add cluster method in upgrade and installation tests as well. In addition to that, 'ensure_and_get_cluster' method was refactored to get 'add_cluster_extra_params' (not required) which can be used as extra params (for example, 'client_encrypt') for add_cluster method.
Test reworked to check the current state of Scylla cluster encryption at the beginning and, if disabled, to enable it. It makes the test independent on the initial cluster state. In addition to that, changed the order of steps - at first, the test verify SM with enabled encryption, at second, with disabled. It makes sense since the majority of tests now will have the cluster encryption set to enabled at the beginning of the test. Thus, it will help to save time on disabling encryption that might have been required otherwise. Additionally, introduced _disable_client_encryption method to disable encryption since disable_client_encrypt method of BaseScyllaCluster class doesn't work in case when "client_encryption_options" block is already part of scylla.yaml (haven't investigated why it behaves so).
Until now, all Manager basic tests were run with disabled client encryption. This change adds `client_encrypt: true` to all active Manager yaml configurations, thus, enabling Scylla client encryption in tests. Encryption is kept disabled for only two jobs (ubuntu24-manager-sanity, ubuntu24-manager-upgrade) to have at least one job running with such configuration. To disable encryption for these specific tests a separate configuration yaml was introduced `disable_client_encrypt.yaml`.
mikliapko
force-pushed
the
enable-encryption-for-manager-tests
branch
from
5c86a06 to
883e1dc
Compare
Yeah, it's not covered anywhere in Manager SCT tests. |
Yes, I'm ok, it was just my note that would be good to test it. |
| self.log.info('ENABLED client encryption checks') | ||
| if not self.db_cluster.nodes[0].is_client_encrypt: | ||
| self.db_cluster.enable_client_encrypt() |
There was a problem hiding this comment.
just setting to enabled won't fix the problem. Test without client_encrypt set to True at test config time (or even provision) will end with encryption enabled without certificates - possibly failing.
I think this part should be skipped then and jump to DISABLED client encryption check if that's possible
There was a problem hiding this comment.
This method puts the whole client_encryption_options block into config:
client_encryption_options:
certificate: /etc/scylla/ssl_conf/client-facing.crt
enabled: true
keyfile: /etc/scylla/ssl_conf/client-facing.key
truststore: /etc/scylla/ssl_conf/ca.pem
If nothing is set before test, this block will be put there, otherwise, just skipped, and the rest of the test will make sense.
There was a problem hiding this comment.
true, I mixed it with the method above.
In that case, it's up to you to decide on the test flow.
| self.log.info('ENABLED client encryption checks') | ||
| if not self.db_cluster.nodes[0].is_client_encrypt: | ||
| self.db_cluster.enable_client_encrypt() |
There was a problem hiding this comment.
true, I mixed it with the method above.
In that case, it's up to you to decide on the test flow.
|
@karol-kokoszka @Michal-Leszczynski Guys, could you please take a look? |
|
still need one QA more to approve |
|
Closes scylladb/scylla-manager#4164
Changes:
ensure_and_get_clustermethod to apply--force_non_ssl_session_portflag in add cluster command if client encryption is enabled. Together with that, updatedadd_clustermethod in upgrade and installation tests as well.test_client_encryptionto make it independent of initial cluster state.Testing
PR pre-checks (self review)
backportlabels