K8SPSMDB-1363 vault e2e test - fix vault file access mode (#2279)

* K8SPSMDB-1363 vault e2e test and fix for chmod 0600

* add test to pipelines

* handle container not ready

* fixes

* adjust the logic for the mode of the mount file

Author: gkech

e2e-tests/demand-backup-snapshot-vault/compare/find.json

@@ -0,0 +1,3 @@
+switched to db myApp
+{ "_id" : , "x" : 100500 }
+bye

e2e-tests/demand-backup-snapshot-vault/conf/backup.yml

@@ -0,0 +1,10 @@
+apiVersion: psmdb.percona.com/v1
+kind: PerconaServerMongoDBBackup
+metadata:
+  finalizers:
+    - percona.com/delete-backup
+  name:
+spec:
+  type: external
+  clusterName: some-name
+  volumeSnapshotClass:

e2e-tests/demand-backup-snapshot-vault/conf/restore.yml

@@ -0,0 +1,7 @@
+apiVersion: psmdb.percona.com/v1
+kind: PerconaServerMongoDBRestore
+metadata:
+  name:
+spec:
+  clusterName: some-name
+  backupName:

e2e-tests/demand-backup-snapshot-vault/conf/role-binding.yml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vault-role-binding
+  namespace: <namespace>
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: percona-server-mongodb-operator
+    namespace: <namespace>

e2e-tests/demand-backup-snapshot-vault/conf/secrets.yml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: some-users
+type: Opaque
+data:
+  MONGODB_BACKUP_USER: YmFja3VwJCMl
+  MONGODB_BACKUP_PASSWORD: YmFja3VwMTIzNDU2Iw==
+  MONGODB_DATABASE_ADMIN_USER: ZGF0YWJhc2VBZG1pbg==
+  MONGODB_DATABASE_ADMIN_PASSWORD: ZGF0YWJhc2VBZG1pbjEyMzQ1Ng==
+  MONGODB_USER_ADMIN_USER: dXNlckFkbWlu
+  MONGODB_USER_ADMIN_PASSWORD: dXNlckFkbWluMTIzNDU2
+  MONGODB_CLUSTER_ADMIN_USER: Y2x1c3RlckFkbWlu
+  MONGODB_CLUSTER_ADMIN_PASSWORD: Y2x1c3RlckFkbWluMTIzNDU2
+  MONGODB_CLUSTER_MONITOR_USER: Y2x1c3Rlck1vbml0b3I=
+  MONGODB_CLUSTER_MONITOR_PASSWORD: Y2x1c3Rlck1vbml0b3IxMjM0NTY=

e2e-tests/demand-backup-snapshot-vault/conf/some-name.yml

@@ -0,0 +1,79 @@
+apiVersion: psmdb.percona.com/v1
+kind: PerconaServerMongoDB
+metadata:
+  finalizers:
+  - percona.com/delete-psmdb-pvc
+  name: some-name
+spec:
+  #platform: openshift
+  image:
+  imagePullPolicy: Always
+  updateStrategy: SmartUpdate
+  tls:
+    mode: requireTLS
+  backup:
+    enabled: true
+    image: perconalab/percona-server-mongodb-operator:main-backup
+    storages:
+      minio:
+        type: s3
+        s3:
+          credentialsSecret: minio-secret
+          region: us-east-1
+          bucket: operator-testing
+          endpointUrl: http://minio-service:9000/
+          insecureSkipTLSVerify: false
+  vault:
+    endpointURL: http://vault-service.NAME_SPACE.svc.cluster.local:8200
+    syncUsers:
+      role: operator
+      tokenSecret: vault-sync-secret
+  replsets:
+  - name: rs0
+    affinity:
+      antiAffinityTopologyKey: none
+    resources:
+      limits:
+        cpu: 500m
+        memory: 1G
+      requests:
+        cpu: 100m
+        memory: 0.1G
+    volumeSpec:
+      persistentVolumeClaim:
+        resources:
+          requests:
+            storage: 3Gi
+    expose:
+      enabled: false
+      type: ClusterIP
+    size: 3
+    configuration: |
+      operationProfiling:
+        mode: slowOp
+        slowOpThresholdMs: 100
+      security:
+        enableEncryption: true
+        vault:
+          serverName: vault-service
+          port: 8200
+          tokenFile: /etc/mongodb-vault/token
+          secret: secret/data/some-name/rs0
+          disableTLSForTesting: true
+      setParameter:
+        ttlMonitorSleepSecs: 60
+        wiredTigerConcurrentReadTransactions: 128
+        wiredTigerConcurrentWriteTransactions: 128
+      storage:
+        engine: wiredTiger
+        wiredTiger:
+          collectionConfig:
+            blockCompressor: snappy
+          engineConfig:
+            directoryForIndexes: false
+            journalCompressor: snappy
+          indexConfig:
+            prefixCompression: true
+  secrets:
+    users: some-users
+    vault: vault-secret

e2e-tests/demand-backup-snapshot-vault/run

@@ -0,0 +1,235 @@
+#!/bin/bash
+
+set -o errexit
+
+test_dir=$(realpath "$(dirname "$0")")
+. "${test_dir}/../functions"
+set_debug
+
+vault_name="vault-service"
+
+VOLUME_SNAPSHOT_CLASS=$(deploy_volume_snapshot_class)
+
+create_tls_secret() {
+	local name=$1
+	local service_name=$2
+
+	local tmp_dir
+	tmp_dir=$(mktemp -d)
+
+	openssl genrsa -out "${tmp_dir}/vault.key" 2048
+
+	cat <<EOF >"${tmp_dir}/csr.conf"
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_req
+prompt = no
+[req_distinguished_name]
+CN = ${service_name}.${namespace}.svc
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = ${service_name}
+DNS.2 = *.${service_name}
+DNS.3 = *.${service_name}.${namespace}
+DNS.4 = *.${service_name}.${namespace}.svc
+DNS.5 = ${service_name}.${namespace}.svc
+DNS.6 = ${service_name}.${namespace}.svc.cluster.local
+DNS.7 = *.${service_name}.${namespace}.svc.cluster.local
+IP.1 = 127.0.0.1
+EOF
+	openssl req -x509 -new -nodes \
+		-key "${tmp_dir}"/vault.key \
+		-sha256 \
+		-days 3650 \
+		-out "${tmp_dir}"/vault.crt \
+		-config "${tmp_dir}"/csr.conf \
+		-extensions v3_req
+
+	if [ ! -s "${tmp_dir}"/vault.crt ]; then
+		echo "failed to generate vault tls certificate"
+		exit 1
+	fi
+
+	cp "${tmp_dir}"/vault.crt "${tmp_dir}"/vault.ca
+
+	kubectl create secret generic "$name" \
+		--from-file=tls.key="${tmp_dir}"/vault.key \
+		--from-file=tls.crt="${tmp_dir}"/vault.crt \
+		--from-file=ca.crt="${tmp_dir}"/vault.ca
+
+	rm -rf "$tmp_dir"
+}
+
+setup_vault() {
+	local sa_namespace=$namespace
+	if [ -n "$OPERATOR_NS" ]; then
+		sa_namespace=$OPERATOR_NS
+	fi
+
+	deploy_vault $vault_name \
+		--set "global.enabled=true" \
+		--set "global.tlsDisable=true" \
+		\
+		--set "server.standalone.enabled=true"
+	sleep 10
+
+	wait_pod $vault_name-0
+
+	sleep 20
+
+	kubectl_bin exec $vault_name-0 -- vault auth enable kubernetes
+	cat "$test_dir"/conf/role-binding.yml \
+		| yq ".metadata.namespace=\"$namespace\"" \
+		| yq ".subjects[0].namespace=\"$sa_namespace\"" \
+		| kubectl_bin apply -f -
+
+	token=$(kubectl_bin exec $vault_name-0 -- vault token create -policy=operator -format=json | jq -r '.auth.client_token')
+	kubectl_bin create secret generic vault-sync-secret --from-literal=token="${token}"
+
+	# shellcheck disable=SC2016
+	kubectl_bin exec $vault_name-0 -- sh -c 'vault write auth/kubernetes/config kubernetes_host=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT'
+
+	kubectl_bin exec $vault_name-0 -- sh -c 'vault policy write operator - <<EOF
+    # KVv1
+    path "secret/psmdb/operator/*" {
+      capabilities = ["read"]
+    }
+
+    # KVv2
+    path "secret/data/psmdb/operator/*" {
+      capabilities = ["read"]
+    }
+EOF
+'
+
+	kubectl_bin exec $vault_name-0 -- vault write auth/kubernetes/role/operator \
+		bound_service_account_names=percona-server-mongodb-operator \
+		bound_service_account_namespaces="$sa_namespace" \
+		policies=operator \
+		ttl=1h
+}
+
+vault_append() {
+	local key=$1
+	local value=$2
+
+	local tmp_json
+	tmp_json=$(mktemp)
+	local new_tmp_json
+	new_tmp_json=$(mktemp)
+
+	kubectl_bin exec $vault_name-0 -- sh -c "vault kv get -format=json -mount=secret psmdb/operator/$namespace/$cluster/users" | jq '.data.data' >"$tmp_json"
+
+	if [ ! -s "$tmp_json" ]; then
+		echo '{}' >"$tmp_json"
+	fi
+
+	jq --arg key "$key" --arg value "$value" \
+		'(. // {}) + {($key): $value}' \
+		"$tmp_json" >"$new_tmp_json"
+
+	kubectl_bin cp "$new_tmp_json" $vault_name-0:/tmp/data_new.json
+	kubectl_bin exec $vault_name-0 -- sh -c "vault kv put -mount=secret psmdb/operator/$namespace/$cluster/users @\"/tmp/data_new.json\""
+
+	rm -f "$tmp_json" "$new_tmp_json"
+}
+
+run_snapshot_backup() {
+	local backup_name=$1
+
+	log "running snapshot backup $backup_name"
+
+	yq eval '.metadata.name = "'${backup_name}'" | .spec.volumeSnapshotClass = "'${VOLUME_SNAPSHOT_CLASS}'"' \
+		"${test_dir}/conf/backup.yml" \
+		| kubectl_bin apply -f -
+}
+
+run_snapshot_recovery_check() {
+	local backup_name=$1
+
+	wait_restore "${backup_name}" "${cluster}" "ready" "0" "3000"
+
+	if [ "$(kubectl_bin get psmdb "${cluster}" -o jsonpath='{.metadata.annotations.percona\.com/resync-pbm}')" != "true" ]; then
+		echo "psmdb/${cluster} should be annotated with percona.com/resync-pbm after a snapshot restore"
+		exit 1
+	fi
+
+	wait_cluster_consistency "${cluster}"
+	wait_for_pbm_operations "${cluster}"
+
+	compare_mongo_cmd "find" "myApp:myPass@${cluster}-rs0-0.${cluster}-rs0.${namespace}" "" "" "" "" "" "true"
+	compare_mongo_cmd "find" "myApp:myPass@${cluster}-rs0-1.${cluster}-rs0.${namespace}" "" "" "" "" "" "true"
+	compare_mongo_cmd "find" "myApp:myPass@${cluster}-rs0-2.${cluster}-rs0.${namespace}" "" "" "" "" "" "true"
+}
+
+cluster="some-name"
+
+create_infra "${namespace}"
+deploy_minio
+apply_s3_storage_secrets
+
+desc 'Setting up Vault'
+setup_vault
+
+desc 'Seeding initial credentials in Vault'
+vault_append "MONGODB_USER_ADMIN_PASSWORD" "userAdmin123456"
+vault_append "MONGODB_BACKUP_PASSWORD" "backup123456#"
+
+desc 'Deploying PSMDB cluster with Vault and snapshot backup'
+kubectl_bin apply -f "${test_dir}/conf/secrets.yml"
+apply_cluster "${test_dir}/conf/${cluster}.yml"
+kubectl_bin apply -f "${conf_dir}/client_with_tls.yml"
+
+echo 'check if all pods started'
+wait_for_running "${cluster}-rs0" 3
+wait_cluster_consistency "${cluster}"
+
+sleep 60 # give time for resync to start
+wait_for_pbm_operations "${cluster}"
+
+desc 'Writing test data'
+run_mongo_tls \
+	'db.createUser({user:"myApp",pwd:"myPass",roles:[{db:"myApp",role:"readWrite"}]})' \
+	"userAdmin:userAdmin123456@${cluster}-rs0.${namespace}"
+sleep 1
+run_mongo_tls \
+	'use myApp\n db.test.insert({ x: 100500 })' \
+	"myApp:myPass@${cluster}-rs0.${namespace}"
+sleep 5
+compare_mongo_cmd "find" "myApp:myPass@${cluster}-rs0-0.${cluster}-rs0.${namespace}" "" "" "" "" "" "true"
+compare_mongo_cmd "find" "myApp:myPass@${cluster}-rs0-1.${cluster}-rs0.${namespace}" "" "" "" "" "" "true"
+compare_mongo_cmd "find" "myApp:myPass@${cluster}-rs0-2.${cluster}-rs0.${namespace}" "" "" "" "" "" "true"
+
+desc 'Running snapshot backup'
+backup_name="backup-snapshot-vault"
+run_snapshot_backup "${backup_name}"
+wait_backup "${backup_name}"
+
+desc 'Drop collection and restore from snapshot'
+run_mongo_tls 'use myApp\n db.test.drop()' "myApp:myPass@${cluster}-rs0.${namespace}"
+run_restore "${backup_name}"
+run_snapshot_recovery_check "${backup_name}"
+
+desc 'Verifying Vault sync still works after snapshot restore'
+newpass="vault-test-password-after-restore"
+vault_append "MONGODB_BACKUP_PASSWORD" "$newpass"
+sleep 25
+wait_cluster_consistency "${cluster}"
+sleep 15
+backup_user=$(getUserData "some-users" "MONGODB_BACKUP_USER")
+ping=$(run_mongo_tls "db.runCommand({ ping: 1 }).ok" "$backup_user:$newpass@${cluster}-rs0-0.${cluster}-rs0.${namespace}" "mongodb" "" "--quiet")
+if [ "${ping}" != "1" ]; then
+	echo "Vault sync check failed: could not authenticate as $backup_user with new password"
+	exit 1
+fi
+
+log "Vault sync after restore: OK"
+
+destroy_vault "${vault_name}"
+destroy "${namespace}"
+
+desc 'test passed'

e2e-tests/run-backups.csv

@@ -29,6 +29,7 @@ demand-backup-physical-minio-native-tls
 demand-backup-physical-sharded-minio-native
 demand-backup-sharded
 demand-backup-snapshot
+demand-backup-snapshot-vault
 pitr-physical
 pitr-physical-backup-source
 pitr-sharded

e2e-tests/run-distro.csv

@@ -30,6 +30,7 @@ demand-backup-physical-sharded-azure
 demand-backup-physical-sharded-gcp-native
 demand-backup-physical-sharded-minio
 demand-backup-sharded
+demand-backup-snapshot-vault
 init-deploy
 ldap
 ldap-tls

e2e-tests/run-pr.csv

@@ -37,6 +37,7 @@ demand-backup-physical-sharded-minio
 demand-backup-physical-sharded-minio-native
 demand-backup-sharded
 demand-backup-snapshot
+demand-backup-snapshot-vault
 disabled-auth
 expose-sharded
 finalizer