From f50335473e7b63d1d0541a5a79025808c904d26e Mon Sep 17 00:00:00 2001
From: Ryan Stankiewicz
Date: Fri, 12 Apr 2024 19:47:21 +0000
Subject: [PATCH] Install Rust and Cargo for building efs-proxy

Rust and Cargo are required to build efs-utils v2.0.0. I also a TODO to one of our integration tests - now that non-tls mounts are also re-directed to localhost (efs-utils v2), we need a new method of determining whether 'encryptInTransit' is working as expected.

---
 Dockerfile | 2 +-
 test/e2e/e2e.go | 17 +++++++++--------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 15b34de7c..71e10a507 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,7 +38,7 @@ RUN mkdir -p /tmp/rpms && \
 then echo "Installing efs-utils from Amazon Linux 2 yum repo" && \
 yum -y install --downloadonly --downloaddir=/tmp/rpms amazon-efs-utils-1.35.0-1.amzn2.noarch; \
 else echo "Installing efs-utils from github using the latest git tag" && \
- yum -y install git rpm-build make && \
+ yum -y install git rpm-build make rust cargo openssl-devel && \
 git clone /~https://github.com/aws/efs-utils && \
 cd efs-utils && \
 git checkout $(git describe --tags $(git rev-list --tags --max-count=1)) && \
diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go
index 5a2df25c6..dd49b36fb 100644
--- a/test/e2e/e2e.go
+++ b/test/e2e/e2e.go
@@ -305,6 +305,11 @@ var _ = ginkgo.Describe("[efs-csi] EFS CSI", func() {
 })
 
 testEncryptInTransit := func(f *framework.Framework, encryptInTransit *bool) {
+ // TODO [RyanStan 4-15-24]
+ // Now that non-tls mounts are re-directed to efs-proxy (efs-utils v2),
+ // we need a new method of determining whether encrypt in transit is correctly working.
+ // One way to do this could be to parse the arguments passed to efs-proxy and look for the '--tls' flag.
+
 ginkgo.By("Creating efs pvc & pv")
 volumeAttributes := map[string]string{}
 if encryptInTransit != nil {
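Review bot: Adding `rust cargo` to the yum install line means the image build presumably now also fetches efs-proxy's crate dependencies from the network at build time, on top of cloning whatever the newest efs-utils tag happens to be on the `git checkout $(git describe --tags ...)` line three lines below; neither the tag nor the crate set is pinned, so the image contents can change between two builds of an unchanged Dockerfile. Consider pinning the source through a build argument, e.g. `ARG EFS_UTILS_VERSION=v2.0.0` above the RUN and `git checkout "${EFS_UTILS_VERSION}" && \` in place of the `git describe` expression, and confirming that the efs-utils RPM build honors its Cargo.lock (`cargo build --locked`), which this hunk cannot show. The commit message says the toolchain is required for v2.0.0, but the unpinned checkout would also build any later tag, which may need a newer rustc than the Amazon Linux 2 package provides.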
@@ -320,20 +325,16 @@ var _ = ginkgo.Describe("[efs-csi] EFS CSI", func() {
 _ = f.ClientSet.CoreV1().PersistentVolumes().Delete(context.TODO(), pv.Name, metav1.DeleteOptions{})
 }()
 
- // If mount.efs is passed option tls, the mount table entry should be...
+ // mount.efs connects the local NFS client to efs-proxy which listens on localhost and forwards NFS operations to EFS.
+ // This occurs for both non-tls and tls mounts.
+ // Therefore, the mount table entry should be
 // 127.0.0.1:/ on /mnt/volume1 type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,noresvport,proto=tcp,port=20052,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1)
- // Note the tls option is not actually there. The proof that tls is passed
- // to mount.efs is the server is 127.0.0.1
 // (stunnel proxy running on localhost)
 // instead of the EFS DNS name
 // (file-system-id.efs.aws-region.amazonaws.com).
 // Call `mount` alone first to print it for debugging.
+
 command := "mount && mount | grep /mnt/volume1 | grep 127.0.0.1"
- if encryptInTransit != nil {
- if !*encryptInTransit {
- command = fmt.Sprintf("mount && mount | grep /mnt/volume1 | grep %v", FileSystemId)
- }
- }
 ginkgo.By(fmt.Sprintf("Creating pod to mount pvc %q and run %q", pvc.Name, command))
 pod := e2epod.MakePod(f.Namespace.Name, nil, []*v1.PersistentVolumeClaim{pvc}, false, command)
 pod.Spec.RestartPolicy = v1.RestartPolicyNever
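Review bot: With the `!*encryptInTransit` branch removed, `command` greps for 127.0.0.1 for both the tls and non-tls cases, so the test no longer distinguishes an encrypted mount from a plaintext one and a regression in the tls path would pass silently; the TODO added in the earlier hunk acknowledges this but the false case still runs as if it verified something. Until the `--tls` argument check described in that TODO exists, the non-tls invocation should be skipped explicitly rather than asserting a property it does not check, e.g. `if encryptInTransit != nil && !*encryptInTransit { ginkgo.Skip("non-tls mounts are also proxied via 127.0.0.1 with efs-utils v2; encryptInTransit=false is not verifiable yet") }` before the pod is created. The retained context line `// (stunnel proxy running on localhost)` now contradicts the new comment above it that names efs-proxy; it should read `// (efs-proxy running on localhost)`. The enclosing testEncryptInTransit closure starts and ends outside this hunk.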