diff --git a/tempest/api/volume/admin/test_encrypted_volumes_extend.py b/tempest/api/volume/admin/test_encrypted_volumes_extend.py
index 7339179461..e85a00dc07 100644
--- a/tempest/api/volume/admin/test_encrypted_volumes_extend.py
+++ b/tempest/api/volume/admin/test_encrypted_volumes_extend.py
@@ -31,5 +31,18 @@ class EncryptedVolumesExtendAttachedTest(extend.BaseVolumesExtendAttachedTest,
 "Attached encrypted volume extend is disabled.")
 @utils.services('compute')
 def test_extend_attached_encrypted_volume_luksv1(self):
+ """LUKs v1 decrypts and extends through libvirt."""
 volume = self.create_encrypted_volume(encryption_provider="luks")
 self._test_extend_attached_volume(volume)
+
+ @decorators.idempotent_id('381a2a3a-b2f4-4631-a910-720881f2cc2f')
+ @testtools.skipUnless(
+ CONF.volume_feature_enabled.extend_attached_encrypted_volume,
+ "Attached encrypted volume extend is disabled.")
+ @testtools.skipIf(CONF.volume.storage_protocol == 'ceph',
+ 'Ceph only supports LUKSv2 if doing host attach.')
+ @utils.services('compute')
+ def test_extend_attached_encrypted_volume_luksv2(self):
+ """LUKs v2 decrypts and extends through os-brick."""
+ volume = self.create_encrypted_volume(encryption_provider="luks2")
+ self._test_extend_attached_volume(volume)
diff --git a/tempest/scenario/test_encrypted_cinder_volumes.py b/tempest/scenario/test_encrypted_cinder_volumes.py
index 6ee9f28a0d..9788e1900e 100644
--- a/tempest/scenario/test_encrypted_cinder_volumes.py
+++ b/tempest/scenario/test_encrypted_cinder_volumes.py
@@ -13,6 +13,8 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import testtools
+
 from tempest.common import utils
 from tempest import config
 from tempest.lib import decorators
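Review bot: In test_encrypted_volumes_extend.py the new docstrings name the component that performs decryption (libvirt for v1, os-brick for v2), yet nothing visible in the hunk asserts which path handled the volume or that it was actually formatted as LUKS2. `_test_extend_attached_volume` and `create_encrypted_volume` are defined outside the hunk, so such a check may exist there. If it does not, a docstring that states only what is verified is safer for anyone reading this test as encryption coverage, e.g. `"""Extend an attached LUKSv2-encrypted volume (decryption is expected to happen in os-brick)."""`. `LUKs` should be spelled `LUKS`; the same docstring wording recurs in the new tests in test_encrypted_cinder_volumes.py and test_volume_boot_pattern.py.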
@@ -27,7 +29,7 @@ class TestEncryptedCinderVolumes(manager.EncryptionScenarioTest):
 This test is for verifying the functionality of encrypted cinder volumes.
- For both LUKS and cryptsetup encryption types, this test performs
+ For both LUKS (v1 & v2) and cryptsetup encryption types, this test performs
 the following:
 * Boots an instance from an image (CONF.compute.image_ref)
@@ -55,11 +57,24 @@ class TestEncryptedCinderVolumes(manager.EncryptionScenarioTest):
 @decorators.attr(type='slow')
 @utils.services('compute', 'volume', 'image')
 def test_encrypted_cinder_volumes_luks(self):
+ """LUKs v1 decrypts volume through libvirt."""
 server = self.launch_instance()
 volume = self.create_encrypted_volume('luks', volume_type='luks')
 self.attach_detach_volume(server, volume)
+ @decorators.idempotent_id('7abec0a3-61a0-42a5-9e36-ad3138fb38b4')
+ @testtools.skipIf(CONF.volume.storage_protocol == 'ceph',
+ 'Ceph only supports LUKSv2 if doing host attach.')
+ @decorators.attr(type='slow')
+ @utils.services('compute', 'volume', 'image')
+ def test_encrypted_cinder_volumes_luksv2(self):
+ """LUKs v2 decrypts volume through os-brick."""
+ server = self.launch_instance()
+ volume = self.create_encrypted_volume('luks2',
+ volume_type='luksv2')
+ self.attach_detach_volume(server, volume)
+
 @decorators.idempotent_id('cbc752ed-b716-4717-910f-956cce965722')
 @decorators.attr(type='slow')
 @utils.services('compute', 'volume', 'image')
diff --git a/tempest/scenario/test_volume_boot_pattern.py b/tempest/scenario/test_volume_boot_pattern.py
index 5a5cc2704a..2e87c159b5 100644
--- a/tempest/scenario/test_volume_boot_pattern.py
+++ b/tempest/scenario/test_volume_boot_pattern.py
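Review bot: `test_encrypted_cinder_volumes_luksv2` passes `volume_type='luksv2'`, while the boot-pattern helper in test_volume_boot_pattern.py passes the provider string itself as the volume type (`'luks2'`), so the same provider ends up under two type names. Whether the name matters depends on `create_encrypted_volume`, which is outside the hunk, but a single spelling is easier to trace in logs and cleanup: `volume = self.create_encrypted_volume('luks2', volume_type='luks2')`. Separately, the Ceph skip compares `CONF.volume.storage_protocol` with the exact string `'ceph'`; if a deployment can spell the protocol differently the test would run instead of skipping, so the accepted spelling is worth confirming for all three new skips.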
@@ -246,14 +246,10 @@ class TestVolumeBootPattern(manager.EncryptionScenarioTest):
 # Assert that the underlying volume is gone.
 self.volumes_client.wait_for_resource_deletion(volume_origin['id'])
- @decorators.idempotent_id('cb78919a-e553-4bab-b73b-10cf4d2eb125')
- @testtools.skipUnless(CONF.compute_feature_enabled.attach_encrypted_volume,
- 'Encrypted volume attach is not supported')
- @utils.services('compute', 'volume')
- def test_boot_server_from_encrypted_volume_luks(self):
+ def _do_test_boot_server_from_encrypted_volume_luks(self, provider):
 # Create an encrypted volume
- volume = self.create_encrypted_volume('luks',
- volume_type='luks')
+ volume = self.create_encrypted_volume(provider,
+ volume_type=provider)
 self.volumes_client.set_bootable_volume(volume['id'], bootable=True)
@@ -266,3 +262,21 @@ class TestVolumeBootPattern(manager.EncryptionScenarioTest):
 server_info = self.servers_client.show_server(server['id'])['server']
 created_volume = server_info['os-extended-volumes:volumes_attached']
 self.assertEqual(volume['id'], created_volume[0]['id'])
+
+ @decorators.idempotent_id('cb78919a-e553-4bab-b73b-10cf4d2eb125')
+ @testtools.skipUnless(CONF.compute_feature_enabled.attach_encrypted_volume,
+ 'Encrypted volume attach is not supported')
+ @utils.services('compute', 'volume')
+ def test_boot_server_from_encrypted_volume_luks(self):
+ """LUKs v1 decrypts volume through libvirt."""
+ self._do_test_boot_server_from_encrypted_volume_luks('luks')
+
+ @decorators.idempotent_id('5ab6100f-1b31-4dd0-a774-68cfd837ef77')
+ @testtools.skipIf(CONF.volume.storage_protocol == 'ceph',
+ 'Ceph only supports LUKSv2 if doing host attach.')
+ @testtools.skipUnless(CONF.compute_feature_enabled.attach_encrypted_volume,
+ 'Encrypted volume attach is not supported')
+ @utils.services('compute', 'volume')
+ def test_boot_server_from_encrypted_volume_luksv2(self):
+ """LUKs v2 decrypts volume through os-brick."""
+ self._do_test_boot_server_from_encrypted_volume_luks('luks2')
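Review bot: `_do_test_boot_server_from_encrypted_volume_luks` has no docstring, and it uses `provider` both as the encryption provider and as the volume type name, which the signature does not make obvious. A one-line docstring would cover it: `"""Boot a server from a volume encrypted with the given provider, which also names the volume type."""`. The only assertion visible in the second hunk compares the attached volume id, so the `through libvirt` / `through os-brick` docstrings on the two callers describe an expectation rather than something checked here. The helper's body runs between the two hunks and is only partly visible.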
diff --git a/tools/tempest-integrated-gate-networking-exclude-list.txt b/tools/tempest-integrated-gate-networking-exclude-list.txt
index 263b2e4068..9d79a350a8 100644
--- a/tools/tempest-integrated-gate-networking-exclude-list.txt
+++ b/tools/tempest-integrated-gate-networking-exclude-list.txt
@@ -11,9 +11,11 @@ tempest.api.identity
 # Skip Cinder, Glance and Swift only scenario tests.
 tempest.scenario.test_encrypted_cinder_volumes.TestEncryptedCinderVolumes.test_encrypted_cinder_volumes_luks
+tempest.scenario.test_encrypted_cinder_volumes.TestEncryptedCinderVolumes.test_encrypted_cinder_volumes_luks2
 tempest.scenario.test_encrypted_cinder_volumes.TestEncryptedCinderVolumes.test_encrypted_cinder_volumes_cryptsetup
 tempest.scenario.test_object_storage_basic_ops.TestObjectStorageBasicOps.test_swift_basic_ops
 tempest.scenario.test_object_storage_basic_ops.TestObjectStorageBasicOps.test_swift_acl_anonymous_download
 tempest.scenario.test_volume_boot_pattern.TestVolumeBootPattern.test_boot_server_from_encrypted_volume_luks
+tempest.scenario.test_volume_boot_pattern.TestVolumeBootPattern.test_boot_server_from_encrypted_volume_luks2
 tempest.scenario.test_volume_boot_pattern.TestVolumeBootPattern.test_image_defined_boot_from_volume
 tempest.scenario.test_volume_boot_pattern.TestVolumeBootPattern.test_create_server_from_volume_snapshot
diff --git a/tools/tempest-integrated-gate-placement-exclude-list.txt b/tools/tempest-integrated-gate-placement-exclude-list.txt
index efba796e18..eb68b328ed 100644
--- a/tools/tempest-integrated-gate-placement-exclude-list.txt
+++ b/tools/tempest-integrated-gate-placement-exclude-list.txt
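Review bot: The two entries added to the networking exclude list end in `_luks2`, but the tests this commit adds are named `test_encrypted_cinder_volumes_luksv2` and `test_boot_server_from_encrypted_volume_luksv2`, so the new lines name no existing test. If the list is matched as unanchored patterns, the existing `..._luks` entries probably already exclude the v2 tests by prefix and hide the typo; if matching is exact, the v2 tests would run in this gate. The suffixes should read `test_encrypted_cinder_volumes_luksv2` and `test_boot_server_from_encrypted_volume_luksv2`. The placement exclude list in the next file section carries the same two misspelled entries.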
@@ -11,9 +11,11 @@ tempest.api.object_storage
 # Skip Cinder, Glance and Swift only scenario tests.
 tempest.scenario.test_encrypted_cinder_volumes.TestEncryptedCinderVolumes.test_encrypted_cinder_volumes_luks
+tempest.scenario.test_encrypted_cinder_volumes.TestEncryptedCinderVolumes.test_encrypted_cinder_volumes_luks2
 tempest.scenario.test_encrypted_cinder_volumes.TestEncryptedCinderVolumes.test_encrypted_cinder_volumes_cryptsetup
 tempest.scenario.test_object_storage_basic_ops.TestObjectStorageBasicOps.test_swift_basic_ops
 tempest.scenario.test_object_storage_basic_ops.TestObjectStorageBasicOps.test_swift_acl_anonymous_download
 tempest.scenario.test_volume_boot_pattern.TestVolumeBootPattern.test_boot_server_from_encrypted_volume_luks
+tempest.scenario.test_volume_boot_pattern.TestVolumeBootPattern.test_boot_server_from_encrypted_volume_luks2
 tempest.scenario.test_volume_boot_pattern.TestVolumeBootPattern.test_image_defined_boot_from_volume
 tempest.scenario.test_volume_boot_pattern.TestVolumeBootPattern.test_create_server_from_volume_snapshot