diff --git a/internal/bminventory/inventory.go b/internal/bminventory/inventory.go index 30c9cded1930..6732fff89f44 100644 --- a/internal/bminventory/inventory.go +++ b/internal/bminventory/inventory.go @@ -443,11 +443,9 @@ func (b *bareMetalInventory) setDefaultRegisterClusterParams(ctx context.Context params.NewClusterParams.AdditionalNtpSource = &b.Config.DefaultNTPSource } if params.NewClusterParams.DiskEncryption == nil { - params.NewClusterParams.DiskEncryption = &models.DiskEncryption{ - EnableOn: swag.String(models.DiskEncryptionEnableOnNone), - Mode: swag.String(models.DiskEncryptionModeTpmv2), - } + params.NewClusterParams.DiskEncryption = &models.DiskEncryption{} } + common.ApplyDiskEncryptionDefaults(params.NewClusterParams.DiskEncryption) params.NewClusterParams.NetworkType, err = getDefaultNetworkType(params) if err != nil { @@ -919,14 +917,7 @@ func setDiskEncryptionWithDefaultValues(c *models.Cluster, config *models.DiskEn } c.DiskEncryption = config - - if c.DiskEncryption.EnableOn == nil { - c.DiskEncryption.EnableOn = swag.String(models.DiskEncryptionEnableOnNone) - } - - if config.Mode == nil { - c.DiskEncryption.Mode = swag.String(models.DiskEncryptionModeTpmv2) - } + common.ApplyDiskEncryptionDefaults(c.DiskEncryption) } func updateSSHPublicKey(cluster *common.Cluster) error { @@ -2635,7 +2626,7 @@ func (b *bareMetalInventory) updateDhcpNetworkParams(db *gorm.DB, id *strfmt.UUI func (b *bareMetalInventory) setDiskEncryptionUsage(c *models.Cluster, diskEncryption *models.DiskEncryption, usages map[string]models.Usage) { - if c.DiskEncryption == nil || swag.StringValue(c.DiskEncryption.EnableOn) == models.DiskEncryptionEnableOnNone { + if !common.IsConfigured(c.DiskEncryption) { return } 
@@ -2647,7 +2638,7 @@ func (b *bareMetalInventory) setDiskEncryptionUsage(c *models.Cluster, diskEncry props["mode"] = swag.StringValue(diskEncryption.Mode) props["tang_servers"] = diskEncryption.TangServers } - b.setUsage(swag.StringValue(c.DiskEncryption.EnableOn) != models.DiskEncryptionEnableOnNone, usage.DiskEncryption, &props, usages) + b.setUsage(common.IsConfigured(c.DiskEncryption), usage.DiskEncryption, &props, usages) } func (b *bareMetalInventory) updateClusterData(_ context.Context, cluster *common.Cluster, params installer.V2UpdateClusterParams, usages map[string]models.Usage, db *gorm.DB, log logrus.FieldLogger, interactivity Interactivity, mirrorRegistryConfiguration *common.MirrorRegistryConfiguration, primaryIPStackUpdated bool, primaryIPStack *common.PrimaryIPStack) error { @@ -2719,9 +2710,13 @@ func (b *bareMetalInventory) updateClusterData(_ context.Context, cluster *commo return common.NewApiError(http.StatusBadRequest, errors.New(msg)) } if params.ClusterUpdateParams.DiskEncryption.EnableOn != nil { + enableOn, _ := common.DiskEncryptionFieldDefaults(params.ClusterUpdateParams.DiskEncryption.EnableOn, nil) + params.ClusterUpdateParams.DiskEncryption.EnableOn = swag.String(enableOn) updates["disk_encryption_enable_on"] = params.ClusterUpdateParams.DiskEncryption.EnableOn } if params.ClusterUpdateParams.DiskEncryption.Mode != nil { + _, mode := common.DiskEncryptionFieldDefaults(nil, params.ClusterUpdateParams.DiskEncryption.Mode) + params.ClusterUpdateParams.DiskEncryption.Mode = swag.String(mode) updates["disk_encryption_mode"] = params.ClusterUpdateParams.DiskEncryption.Mode } if params.ClusterUpdateParams.DiskEncryption.TangServers != "" { diff --git a/internal/cluster/validations/validations.go b/internal/cluster/validations/validations.go index 134c88b0fb71..36e134e1edda 100644 --- a/internal/cluster/validations/validations.go +++ b/internal/cluster/validations/validations.go 
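Review bot: In setDiskEncryptionUsage the `common.IsConfigured(c.DiskEncryption)` argument handed to `b.setUsage` is always true, because the function already returned early on `!common.IsConfigured(c.DiskEncryption)` in the previous hunk, so the recomputation only hides that fact. Either `b.setUsage(true, usage.DiskEncryption, &props, usages)` to say what the code does, or drop the early return if the disabled case is meant to record the usage as false. The function's opening lines are in the previous hunk, so its whole body is not visible here.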
@@ -776,10 +776,10 @@ func ValidateDiskEncryptionParams(diskEncryptionParams *models.DiskEncryption, D if diskEncryptionParams == nil { return nil } - if !DiskEncryptionSupport && swag.StringValue(diskEncryptionParams.EnableOn) != models.DiskEncryptionEnableOnNone { + if !DiskEncryptionSupport && common.RequestsConfiguration(diskEncryptionParams) { return errors.New("Disk encryption support is not enabled. Cannot apply configurations to the cluster") } - if diskEncryptionParams.Mode != nil && swag.StringValue(diskEncryptionParams.Mode) == models.DiskEncryptionModeTang { + if common.HasMode(diskEncryptionParams, models.DiskEncryptionModeTang) { if diskEncryptionParams.TangServers == "" { return errors.New("Setting Tang mode but tang_servers isn't set") } diff --git a/internal/common/disk_encryption.go b/internal/common/disk_encryption.go new file mode 100644 index 000000000000..c2d34d7dc120 --- /dev/null +++ b/internal/common/disk_encryption.go 
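Review bot: The support gate now rejects a payload whose only disk encryption field is a non-empty `tang_servers`, because RequestsConfiguration also looks at mode and tang_servers where the old comparison looked at enable_on alone; that tightening is invisible to readers of ValidateDiskEncryptionParams, so add a comment on the new condition such as `// tang_servers or a tang mode without enable_on also count as a configuration request`. The second check still requires tang_servers for mode tang even when enable_on is none or unset; if that is deliberate, a one-line comment there would stop the next reader from "fixing" it. The function continues past the hunk.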
@@ -0,0 +1,103 @@ +package common + +import ( + "strings" + + "github.com/go-openapi/swag" + "github.com/openshift/assisted-service/models" + "github.com/thoas/go-funk" +) + +// IsEnabled reports whether disk encryption is enabled for any role. +// Empty or "none" enable_on values are treated as disabled. +func IsEnabled(enableOn *string) bool { + v := swag.StringValue(enableOn) + return v != "" && v != models.DiskEncryptionEnableOnNone +} + +// IsConfigured reports whether disk encryption is enabled on the cluster. +func IsConfigured(diskEncryption *models.DiskEncryption) bool { + return diskEncryption != nil && IsEnabled(diskEncryption.EnableOn) +} + +// RequestsConfiguration reports whether an API payload carries explicit disk encryption +// settings beyond the disabled defaults, including tang configuration without enable_on. +func RequestsConfiguration(diskEncryption *models.DiskEncryption) bool { + if diskEncryption == nil { + return false + } + return RequestsDiskEncryptionConfiguration( + diskEncryption.EnableOn, + diskEncryption.Mode, + diskEncryption.TangServers, + ) +} + +// RequestsDiskEncryptionConfiguration reports whether disk encryption fields carry explicit +// configuration beyond disabled defaults. Use this when the caller has separate fields +// instead of a models.DiskEncryption payload (for example AgentClusterInstall spec). +func RequestsDiskEncryptionConfiguration(enableOn, mode *string, tangServers string) bool { + return IsEnabled(enableOn) || + HasMode(&models.DiskEncryption{Mode: mode}, models.DiskEncryptionModeTang) || + tangServers != "" +} + +// DiskEncryptionFieldDefaults returns enable_on and mode with defaults for nil or empty values. 
+func DiskEncryptionFieldDefaults(enableOn, mode *string) (string, string) { + enableOnValue := swag.StringValue(enableOn) + if enableOnValue == "" { + enableOnValue = models.DiskEncryptionEnableOnNone + } + modeValue := swag.StringValue(mode) + if modeValue == "" { + modeValue = models.DiskEncryptionModeTpmv2 + } + return enableOnValue, modeValue +} + +// ApplyDiskEncryptionDefaults normalizes nil or empty disk encryption fields to their defaults. +func ApplyDiskEncryptionDefaults(diskEncryption *models.DiskEncryption) { + if diskEncryption == nil { + return + } + enableOn, mode := DiskEncryptionFieldDefaults(diskEncryption.EnableOn, diskEncryption.Mode) + diskEncryption.EnableOn = swag.String(enableOn) + diskEncryption.Mode = swag.String(mode) +} + +// HasMode reports whether disk encryption mode equals the given value. +func HasMode(diskEncryption *models.DiskEncryption, mode string) bool { + if diskEncryption == nil { + return false + } + return swag.StringValue(diskEncryption.Mode) == mode +} + +// IsSetWithTpm reports whether TPM-based disk encryption is configured for any role. +func IsSetWithTpm(diskEncryption *models.DiskEncryption) bool { + return IsConfigured(diskEncryption) && HasMode(diskEncryption, models.DiskEncryptionModeTpmv2) +} + +// IsSetWithTang reports whether Tang-based disk encryption is configured for any role. +func IsSetWithTang(diskEncryption *models.DiskEncryption) bool { + return IsConfigured(diskEncryption) && HasMode(diskEncryption, models.DiskEncryptionModeTang) +} + +// EnabledForRole reports whether disk encryption is enabled for the given host role. 
+func EnabledForRole(encryption models.DiskEncryption, role models.HostRole) bool { + if swag.StringValue(encryption.EnableOn) == models.DiskEncryptionEnableOnAll { + return true + } + + enabledGroups := strings.Split(swag.StringValue(encryption.EnableOn), ",") + if role == models.HostRoleMaster || role == models.HostRoleBootstrap { + return funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnMasters) + } + if role == models.HostRoleArbiter { + return funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnArbiters) + } + if role == models.HostRoleWorker { + return funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnWorkers) + } + return false +} diff --git a/internal/common/disk_encryption_test.go b/internal/common/disk_encryption_test.go new file mode 100644 index 000000000000..bd40bf8bc009 --- /dev/null +++ b/internal/common/disk_encryption_test.go 
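Review bot: EnabledForRole splits EnableOn on "," without trimming, so a value such as `"masters, workers"` enables nothing for workers while IsEnabled still reports the cluster as encrypted; if the API enum validation does not guarantee the exact spelling, `strings.TrimSpace` on each group would close that gap, or the doc comment should state that groups must be spelled exactly. IsEnabled also treats any non-empty value other than "none" as enabled, including unrecognized strings, which is worth stating in its doc comment since every other helper in this file builds on it. RequestsDiskEncryptionConfiguration allocates a throwaway `models.DiskEncryption` just to compare the mode; `swag.StringValue(mode) == models.DiskEncryptionModeTang` reads more directly.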
@@ -0,0 +1,240 @@ +package common + +import ( + "github.com/go-openapi/swag" + . "github.com/onsi/ginkgo" + . "github.com/onsi/ginkgo/extensions/table" + . "github.com/onsi/gomega" + "github.com/openshift/assisted-service/models" +) + +var _ = Describe("RequestsConfiguration", func() { + It("returns false for nil or disabled configuration", func() { + Expect(RequestsConfiguration(nil)).To(BeFalse()) + Expect(RequestsConfiguration(&models.DiskEncryption{})).To(BeFalse()) + Expect(RequestsConfiguration(&models.DiskEncryption{ + EnableOn: swag.String(models.DiskEncryptionEnableOnNone), + Mode: swag.String(models.DiskEncryptionModeTpmv2), + })).To(BeFalse()) + }) + + It("returns true when enable_on requests encryption", func() { + Expect(RequestsConfiguration(&models.DiskEncryption{ + EnableOn: swag.String(models.DiskEncryptionEnableOnMasters), + })).To(BeTrue()) + }) + + It("returns true when tang is configured without enable_on", func() { + Expect(RequestsConfiguration(&models.DiskEncryption{ + Mode: swag.String(models.DiskEncryptionModeTang), + TangServers: `[{"url":"http://tang.example.com:7500","thumbprint":"PLjNyRdGw03zlRoGjQYMahSZGu9"}]`, + })).To(BeTrue()) + Expect(RequestsConfiguration(&models.DiskEncryption{ + TangServers: `[{"url":"http://tang.example.com:7500","thumbprint":"PLjNyRdGw03zlRoGjQYMahSZGu9"}]`, + })).To(BeTrue()) + Expect(RequestsDiskEncryptionConfiguration( + nil, + swag.String(models.DiskEncryptionModeTang), + `[{"url":"http://tang.example.com:7500","thumbprint":"PLjNyRdGw03zlRoGjQYMahSZGu9"}]`, + )).To(BeTrue()) + }) +}) + +var _ = Describe("IsConfigured", func() { + It("returns false when disk encryption is not configured", func() { + Expect(IsConfigured(nil)).To(BeFalse()) + Expect(IsConfigured(&models.DiskEncryption{})).To(BeFalse()) + Expect(IsConfigured(&models.DiskEncryption{ + EnableOn: swag.String(models.DiskEncryptionEnableOnNone), + })).To(BeFalse()) + }) + + It("returns true when disk encryption is enabled", func() { + 
Expect(IsConfigured(&models.DiskEncryption{ + EnableOn: swag.String(models.DiskEncryptionEnableOnMasters), + })).To(BeTrue()) + }) +}) + +var _ = Describe("IsEnabled", func() { + It("returns false for nil, empty, and none", func() { + Expect(IsEnabled(nil)).To(BeFalse()) + Expect(IsEnabled(swag.String(""))).To(BeFalse()) + Expect(IsEnabled(swag.String(models.DiskEncryptionEnableOnNone))).To(BeFalse()) + }) + + It("returns true when encryption is enabled", func() { + Expect(IsEnabled(swag.String(models.DiskEncryptionEnableOnMasters))).To(BeTrue()) + }) +}) + +var _ = Describe("DiskEncryptionFieldDefaults", func() { + It("defaults nil fields", func() { + enableOn, mode := DiskEncryptionFieldDefaults(nil, nil) + Expect(enableOn).To(Equal(models.DiskEncryptionEnableOnNone)) + Expect(mode).To(Equal(models.DiskEncryptionModeTpmv2)) + }) + + It("defaults empty strings", func() { + enableOn, mode := DiskEncryptionFieldDefaults(swag.String(""), swag.String("")) + Expect(enableOn).To(Equal(models.DiskEncryptionEnableOnNone)) + Expect(mode).To(Equal(models.DiskEncryptionModeTpmv2)) + }) + + It("preserves explicit values", func() { + enableOn, mode := DiskEncryptionFieldDefaults( + swag.String(models.DiskEncryptionEnableOnMasters), + swag.String(models.DiskEncryptionModeTang), + ) + Expect(enableOn).To(Equal(models.DiskEncryptionEnableOnMasters)) + Expect(mode).To(Equal(models.DiskEncryptionModeTang)) + }) +}) + +var _ = Describe("ApplyDiskEncryptionDefaults", func() { + It("handles nil input", func() { + Expect(func() { ApplyDiskEncryptionDefaults(nil) }).NotTo(Panic()) + }) + + It("defaults nil fields", func() { + diskEncryption := &models.DiskEncryption{} + ApplyDiskEncryptionDefaults(diskEncryption) + Expect(diskEncryption.EnableOn).To(Equal(swag.String(models.DiskEncryptionEnableOnNone))) + Expect(diskEncryption.Mode).To(Equal(swag.String(models.DiskEncryptionModeTpmv2))) + }) + + It("defaults empty string fields", func() { + diskEncryption := &models.DiskEncryption{ + 
EnableOn: swag.String(""), + Mode: swag.String(""), + } + ApplyDiskEncryptionDefaults(diskEncryption) + Expect(diskEncryption.EnableOn).To(Equal(swag.String(models.DiskEncryptionEnableOnNone))) + Expect(diskEncryption.Mode).To(Equal(swag.String(models.DiskEncryptionModeTpmv2))) + }) + + It("preserves explicit values", func() { + diskEncryption := &models.DiskEncryption{ + EnableOn: swag.String(models.DiskEncryptionEnableOnMasters), + Mode: swag.String(models.DiskEncryptionModeTang), + } + ApplyDiskEncryptionDefaults(diskEncryption) + Expect(diskEncryption.EnableOn).To(Equal(swag.String(models.DiskEncryptionEnableOnMasters))) + Expect(diskEncryption.Mode).To(Equal(swag.String(models.DiskEncryptionModeTang))) + }) +}) + +var _ = Describe("HasMode", func() { + It("returns false for nil or non-matching mode", func() { + Expect(HasMode(nil, models.DiskEncryptionModeTang)).To(BeFalse()) + Expect(HasMode(&models.DiskEncryption{}, models.DiskEncryptionModeTang)).To(BeFalse()) + Expect(HasMode(&models.DiskEncryption{ + Mode: swag.String(models.DiskEncryptionModeTpmv2), + }, models.DiskEncryptionModeTang)).To(BeFalse()) + }) + + It("returns true when mode matches", func() { + Expect(HasMode(&models.DiskEncryption{ + Mode: swag.String(models.DiskEncryptionModeTang), + }, models.DiskEncryptionModeTang)).To(BeTrue()) + Expect(HasMode(&models.DiskEncryption{ + Mode: swag.String(models.DiskEncryptionModeTpmv2), + }, models.DiskEncryptionModeTpmv2)).To(BeTrue()) + }) +}) + +var _ = Describe("IsSetWithTpm", func() { + It("returns false when TPM encryption is not configured", func() { + Expect(IsSetWithTpm(nil)).To(BeFalse()) + Expect(IsSetWithTpm(&models.DiskEncryption{ + EnableOn: swag.String(""), + Mode: swag.String(models.DiskEncryptionModeTpmv2), + })).To(BeFalse()) + Expect(IsSetWithTpm(&models.DiskEncryption{ + EnableOn: swag.String(models.DiskEncryptionEnableOnNone), + Mode: swag.String(models.DiskEncryptionModeTpmv2), + })).To(BeFalse()) + 
Expect(IsSetWithTpm(&models.DiskEncryption{ + EnableOn: swag.String(models.DiskEncryptionEnableOnMasters), + Mode: swag.String(models.DiskEncryptionModeTang), + })).To(BeFalse()) + }) + + It("returns true when TPM encryption is configured", func() { + Expect(IsSetWithTpm(&models.DiskEncryption{ + EnableOn: swag.String(models.DiskEncryptionEnableOnMasters), + Mode: swag.String(models.DiskEncryptionModeTpmv2), + })).To(BeTrue()) + }) +}) + +var _ = Describe("IsSetWithTang", func() { + It("returns false when Tang encryption is not configured", func() { + Expect(IsSetWithTang(nil)).To(BeFalse()) + Expect(IsSetWithTang(&models.DiskEncryption{ + EnableOn: swag.String(""), + Mode: swag.String(models.DiskEncryptionModeTang), + })).To(BeFalse()) + Expect(IsSetWithTang(&models.DiskEncryption{ + EnableOn: swag.String(models.DiskEncryptionEnableOnNone), + Mode: swag.String(models.DiskEncryptionModeTang), + })).To(BeFalse()) + Expect(IsSetWithTang(&models.DiskEncryption{ + Mode: swag.String(models.DiskEncryptionModeTang), + })).To(BeFalse()) + Expect(IsSetWithTang(&models.DiskEncryption{ + EnableOn: swag.String(models.DiskEncryptionEnableOnMasters), + Mode: swag.String(models.DiskEncryptionModeTpmv2), + })).To(BeFalse()) + }) + + It("returns true when Tang encryption is configured", func() { + Expect(IsSetWithTang(&models.DiskEncryption{ + EnableOn: swag.String(models.DiskEncryptionEnableOnMasters), + Mode: swag.String(models.DiskEncryptionModeTang), + })).To(BeTrue()) + }) +}) + +var _ = DescribeTable("EnabledForRole", + func(enabledOn string, role models.HostRole, expectedResult bool) { + diskEncryption := models.DiskEncryption{EnableOn: swag.String(enabledOn)} + Expect(EnabledForRole(diskEncryption, role)).To(Equal(expectedResult)) + }, + Entry("enabledOn all, role master", models.DiskEncryptionEnableOnAll, models.HostRoleMaster, true), + Entry("enabledOn all, role bootstrap", models.DiskEncryptionEnableOnAll, models.HostRoleBootstrap, true), + Entry("enabledOn all, role 
arbiter", models.DiskEncryptionEnableOnAll, models.HostRoleArbiter, true), + Entry("enabledOn all, role worker", models.DiskEncryptionEnableOnAll, models.HostRoleWorker, true), + Entry("enabledOn masters,arbiters,workers, role master", models.DiskEncryptionEnableOnMastersArbitersWorkers, models.HostRoleMaster, true), + Entry("enabledOn masters,arbiters,workers, role bootstrap", models.DiskEncryptionEnableOnMastersArbitersWorkers, models.HostRoleBootstrap, true), + Entry("enabledOn masters,arbiters,workers, role arbiter", models.DiskEncryptionEnableOnMastersArbitersWorkers, models.HostRoleArbiter, true), + Entry("enabledOn masters,arbiters,workers, role worker", models.DiskEncryptionEnableOnMastersArbitersWorkers, models.HostRoleWorker, true), + Entry("enabledOn masters,arbiters, role master", models.DiskEncryptionEnableOnMastersArbiters, models.HostRoleMaster, true), + Entry("enabledOn masters,arbiters, role bootstrap", models.DiskEncryptionEnableOnMastersArbiters, models.HostRoleBootstrap, true), + Entry("enabledOn masters,arbiters, role arbiter", models.DiskEncryptionEnableOnMastersArbiters, models.HostRoleArbiter, true), + Entry("enabledOn masters,arbiters, role worker", models.DiskEncryptionEnableOnMastersArbiters, models.HostRoleWorker, false), + Entry("enabledOn masters,workers, role master", models.DiskEncryptionEnableOnMastersWorkers, models.HostRoleMaster, true), + Entry("enabledOn masters,workers, role bootstrap", models.DiskEncryptionEnableOnMastersWorkers, models.HostRoleBootstrap, true), + Entry("enabledOn masters,workers, role arbiter", models.DiskEncryptionEnableOnMastersWorkers, models.HostRoleArbiter, false), + Entry("enabledOn masters,workers, role worker", models.DiskEncryptionEnableOnMastersWorkers, models.HostRoleWorker, true), + Entry("enabledOn arbiters,workers, role master", models.DiskEncryptionEnableOnArbitersWorkers, models.HostRoleMaster, false), + Entry("enabledOn arbiters,workers, role bootstrap", 
models.DiskEncryptionEnableOnArbitersWorkers, models.HostRoleBootstrap, false), + Entry("enabledOn arbiters,workers, role arbiter", models.DiskEncryptionEnableOnArbitersWorkers, models.HostRoleArbiter, true), + Entry("enabledOn arbiters,workers, role worker", models.DiskEncryptionEnableOnArbitersWorkers, models.HostRoleWorker, true), + Entry("enabledOn masters, role master", models.DiskEncryptionEnableOnMasters, models.HostRoleMaster, true), + Entry("enabledOn masters, role bootstrap", models.DiskEncryptionEnableOnMasters, models.HostRoleBootstrap, true), + Entry("enabledOn masters, role arbiter", models.DiskEncryptionEnableOnMasters, models.HostRoleArbiter, false), + Entry("enabledOn masters, role worker", models.DiskEncryptionEnableOnMasters, models.HostRoleWorker, false), + Entry("enabledOn arbiters, role master", models.DiskEncryptionEnableOnArbiters, models.HostRoleMaster, false), + Entry("enabledOn arbiters, role bootstrap", models.DiskEncryptionEnableOnArbiters, models.HostRoleBootstrap, false), + Entry("enabledOn arbiters, role arbiter", models.DiskEncryptionEnableOnArbiters, models.HostRoleArbiter, true), + Entry("enabledOn arbiters, role worker", models.DiskEncryptionEnableOnArbiters, models.HostRoleWorker, false), + Entry("enabledOn workers, role master", models.DiskEncryptionEnableOnWorkers, models.HostRoleMaster, false), + Entry("enabledOn workers, role bootstrap", models.DiskEncryptionEnableOnWorkers, models.HostRoleBootstrap, false), + Entry("enabledOn workers, role arbiter", models.DiskEncryptionEnableOnWorkers, models.HostRoleArbiter, false), + Entry("enabledOn workers, role worker", models.DiskEncryptionEnableOnWorkers, models.HostRoleWorker, true), + Entry("enabledOn none, role master", models.DiskEncryptionEnableOnNone, models.HostRoleMaster, false), + Entry("enabledOn none, role bootstrap", models.DiskEncryptionEnableOnNone, models.HostRoleBootstrap, false), + Entry("enabledOn none, role arbiter", models.DiskEncryptionEnableOnNone, 
models.HostRoleArbiter, false), + Entry("enabledOn none, role worker", models.DiskEncryptionEnableOnNone, models.HostRoleWorker, false), +) diff --git a/internal/controller/controllers/clusterdeployments_controller.go b/internal/controller/controllers/clusterdeployments_controller.go index c6caeeae05ae..12638e1816a0 100644 --- a/internal/controller/controllers/clusterdeployments_controller.go +++ b/internal/controller/controllers/clusterdeployments_controller.go @@ -760,11 +760,6 @@ func isUserManagedNetwork(clusterInstall *hiveext.AgentClusterInstall) bool { clusterInstall.Spec.ProvisionRequirements.ControlPlaneAgents == 1 && clusterInstall.Spec.ProvisionRequirements.WorkerAgents == 0 } -func isDiskEncryptionEnabled(clusterInstall *hiveext.AgentClusterInstall) bool { - return clusterInstall.Spec.DiskEncryption != nil && - swag.StringValue(clusterInstall.Spec.DiskEncryption.EnableOn) != models.DiskEncryptionEnableOnNone -} - // see https://docs.openshift.com/container-platform/4.7/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-bare-metal-config-yaml_installing-platform-agnostic func hyperthreadingInSpec(clusterInstall *hiveext.AgentClusterInstall) bool { //check if either master or worker pool hyperthreading settings are explicitly specified 
@@ -1152,8 +1147,12 @@ func (r *ClusterDeploymentsReconciler) updateIfNeeded( if cluster.DiskEncryption == nil { // true when current cluster configuration does not include disk encryption cluster.DiskEncryption = &models.DiskEncryption{} } - updateString(swag.StringValue(clusterInstall.Spec.DiskEncryption.EnableOn), swag.StringValue(cluster.DiskEncryption.EnableOn), ¶ms.DiskEncryption.EnableOn) - updateString(swag.StringValue(clusterInstall.Spec.DiskEncryption.Mode), swag.StringValue(cluster.DiskEncryption.Mode), ¶ms.DiskEncryption.Mode) + enableOn, mode := common.DiskEncryptionFieldDefaults( + clusterInstall.Spec.DiskEncryption.EnableOn, + clusterInstall.Spec.DiskEncryption.Mode, + ) + updateString(enableOn, swag.StringValue(cluster.DiskEncryption.EnableOn), ¶ms.DiskEncryption.EnableOn) + updateString(mode, swag.StringValue(cluster.DiskEncryption.Mode), ¶ms.DiskEncryption.Mode) if clusterInstall.Spec.DiskEncryption.TangServers != cluster.DiskEncryption.TangServers { params.DiskEncryption.TangServers = clusterInstall.Spec.DiskEncryption.TangServers update = true @@ -1526,10 +1525,19 @@ func CreateClusterParams(clusterDeployment *hivev1.ClusterDeployment, clusterIns clusterParams.Hyperthreading = getHyperthreading(clusterInstall) } - if isDiskEncryptionEnabled(clusterInstall) { + if clusterInstall.Spec.DiskEncryption != nil && + common.RequestsDiskEncryptionConfiguration( + clusterInstall.Spec.DiskEncryption.EnableOn, + clusterInstall.Spec.DiskEncryption.Mode, + clusterInstall.Spec.DiskEncryption.TangServers, + ) { + enableOn, mode := common.DiskEncryptionFieldDefaults( + clusterInstall.Spec.DiskEncryption.EnableOn, + clusterInstall.Spec.DiskEncryption.Mode, + ) clusterParams.DiskEncryption = &models.DiskEncryption{ - EnableOn: clusterInstall.Spec.DiskEncryption.EnableOn, - Mode: clusterInstall.Spec.DiskEncryption.Mode, + EnableOn: swag.String(enableOn), + Mode: swag.String(mode), TangServers: clusterInstall.Spec.DiskEncryption.TangServers, } } 
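Review bot: In updateIfNeeded the spec's nil enable_on and mode now become "none" and "tpmv2" before being compared with the cluster values, whereas the old code passed an empty string; if updateString treats an empty desired value as "leave unchanged" (its body is not in the diff), an AgentClusterInstall that omits enable_on on an encrypted cluster used to be a no-op and will now push an update to "none". That deserves either a comment stating the intent, e.g. `// an absent spec value means the default, not "unchanged"`, or a guard that only normalizes when the spec field is non-nil. The enclosing function starts before the hunk.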
diff --git a/internal/hardware/validator.go b/internal/hardware/validator.go index 8309a7cf7057..d7776da49c4a 100644 --- a/internal/hardware/validator.go +++ b/internal/hardware/validator.go @@ -23,7 +23,6 @@ import ( "github.com/openshift/assisted-service/pkg/conversions" "github.com/samber/lo" "github.com/sirupsen/logrus" - "github.com/thoas/go-funk" "k8s.io/utils/ptr" ) @@ -398,12 +397,6 @@ func (v *validator) GetInfraEnvHostRequirements(ctx context.Context, infraEnv *c }, nil } -func isDiskEncryptionSetWithTpm(c *common.Cluster) bool { - return c.DiskEncryption != nil && - swag.StringValue(c.DiskEncryption.EnableOn) != models.DiskEncryptionEnableOnNone && - swag.StringValue(c.DiskEncryption.Mode) == models.DiskEncryptionModeTpmv2 -} - func (v *validator) GetPreflightHardwareRequirements(ctx context.Context, cluster *common.Cluster) (*models.PreflightHardwareRequirements, error) { operatorsRequirements, err := v.operatorsAPI.GetPreflightRequirementsBreakdownForCluster(ctx, cluster) if err != nil { 
@@ -413,26 +406,20 @@ func (v *validator) GetPreflightHardwareRequirements(ctx context.Context, cluste if err != nil { return nil, err } - if isDiskEncryptionSetWithTpm(cluster) { - valid := false - isDiskEncryptionOnAll := swag.StringValue(cluster.DiskEncryption.EnableOn) == models.DiskEncryptionEnableOnAll - enabledGroups := strings.Split(swag.StringValue(cluster.DiskEncryption.EnableOn), ",") + if common.IsSetWithTpm(cluster.DiskEncryption) { + diskEncryption := *cluster.DiskEncryption + if !common.EnabledForRole(diskEncryption, models.HostRoleMaster) && + !common.EnabledForRole(diskEncryption, models.HostRoleArbiter) && + !common.EnabledForRole(diskEncryption, models.HostRoleWorker) { + return nil, fmt.Errorf("disk-encryption is enabled on non-valid role: %s", swag.StringValue(cluster.DiskEncryption.EnableOn)) + } - if isDiskEncryptionOnAll || funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnMasters) { - valid = true + if common.EnabledForRole(diskEncryption, models.HostRoleMaster) { ocpRequirements.Master.Quantitative.TpmEnabledInBios = true } - if isDiskEncryptionOnAll || funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnArbiters) { - valid = true - } - if isDiskEncryptionOnAll || funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnWorkers) { - valid = true + if common.EnabledForRole(diskEncryption, models.HostRoleWorker) { ocpRequirements.Worker.Quantitative.TpmEnabledInBios = true } - - if !valid { - return nil, fmt.Errorf("disk-encryption is enabled on non-valid role: %s", swag.StringValue(cluster.DiskEncryption.EnableOn)) - } } return &models.PreflightHardwareRequirements{ diff --git a/internal/hardware/validator_test.go b/internal/hardware/validator_test.go index e8c2ab84bff1..74dd2a975b6a 100644 --- a/internal/hardware/validator_test.go +++ b/internal/hardware/validator_test.go 
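Review bot: EnabledForRole(diskEncryption, models.HostRoleMaster) is evaluated twice and the arbiter result is consulted only in the validity check; computing the three booleans once, `masterOn := common.EnabledForRole(diskEncryption, models.HostRoleMaster)` and likewise for arbiter and worker, reads clearer and keeps the validity and requirement branches in step. As in the old code, a cluster that enables TPM only for arbiters passes the check but sets no TpmEnabledInBios requirement, since only Master and Worker are written here; if ocpRequirements has no arbiter entry, a comment saying so would help. The function continues outside the hunk.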
@@ -1877,6 +1877,25 @@ var _ = Describe("Preflight host requirements", func() { Expect(result.Ocp.Worker.Quantitative.TpmEnabledInBios).To(BeFalse()) }) + It("TPM - unset enable_on with tpmv2 mode is treated as disabled", func() { + + diskEncryptionClusterID := strfmt.UUID(uuid.New().String()) + diskEncryptionCluster := &common.Cluster{Cluster: models.Cluster{ + ID: &diskEncryptionClusterID, + OpenshiftVersion: openShiftVersionNotInConfig, + DiskEncryption: &models.DiskEncryption{ + Mode: swag.String(models.DiskEncryptionModeTpmv2), + }, + }} + + operatorsMock.EXPECT().GetPreflightRequirementsBreakdownForCluster(gomock.Any(), gomock.Eq(diskEncryptionCluster)).Return(operatorRequirements, nil) + + result, err := hwvalidator.GetPreflightHardwareRequirements(context.TODO(), diskEncryptionCluster) + Expect(err).ToNot(HaveOccurred()) + Expect(result.Ocp.Master.Quantitative.TpmEnabledInBios).To(BeFalse()) + Expect(result.Ocp.Worker.Quantitative.TpmEnabledInBios).To(BeFalse()) + }) + It("Tang - all roles", func() { diskEncryptionClusterID := strfmt.UUID(uuid.New().String()) diff --git a/internal/host/hostcommands/tang_connectivity_check_cmd.go b/internal/host/hostcommands/tang_connectivity_check_cmd.go index c3bca019a668..e74bd3c5f7db 100644 --- a/internal/host/hostcommands/tang_connectivity_check_cmd.go +++ b/internal/host/hostcommands/tang_connectivity_check_cmd.go @@ -5,7 +5,6 @@ import ( "encoding/json" ignition_types "github.com/coreos/ignition/v2/config/v3_2/types" - "github.com/go-openapi/swag" "github.com/openshift/assisted-service/internal/common" "github.com/openshift/assisted-service/internal/host/hostutil" "github.com/openshift/assisted-service/models" 
@@ -66,14 +65,9 @@ func (c *tangConnectivityCheckCmd) getTangServersFromHostIgnition(host *models.H } func (c *tangConnectivityCheckCmd) shouldRunTangConnectivityCheck(cluster common.Cluster, host *models.Host) bool { - // Skip tangConnectivityCheck for cases where: - // 1. DiskEncryption not set or not enabled. - // 2. DiskEncryption mode is not tang based. - // 3. DiskEncryption is not enabled, for the host role. - if cluster.DiskEncryption == nil || - swag.StringValue(cluster.DiskEncryption.EnableOn) == models.DiskEncryptionEnableOnNone || - swag.StringValue(cluster.DiskEncryption.Mode) == models.DiskEncryptionModeTpmv2 || - !hostutil.IsDiskEncryptionEnabledForRole(*cluster.DiskEncryption, common.GetEffectiveRole(host)) { + // Skip tangConnectivityCheck when Tang-based disk encryption is not required for this host. + if !common.IsSetWithTang(cluster.DiskEncryption) || + !common.EnabledForRole(*cluster.DiskEncryption, common.GetEffectiveRole(host)) { c.log.Debugf("skipping tangConnectivityCheck for host %s, cluster DiskEncryption config does not require validation here", host.ID.String()) return false diff --git a/internal/host/hostutil/host_utils.go b/internal/host/hostutil/host_utils.go index a6dda121b382..9db1fa396675 100644 --- a/internal/host/hostutil/host_utils.go +++ b/internal/host/hostutil/host_utils.go 
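Review bot: shouldRunTangConnectivityCheck now runs the check only when the mode is exactly tang (IsSetWithTang), where the old condition skipped only for tpmv2 and so still ran it for a nil or unrecognized mode; a cluster persisted before ApplyDiskEncryptionDefaults existed could still carry a nil mode with tang_servers set, and for it the connectivity check is now skipped with only a debug log. If that is acceptable, the new comment should say that a missing mode is treated as not-tang; otherwise also run the check when `cluster.DiskEncryption.TangServers != ""` and the mode is nil. The function ends outside the hunk.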
@@ -307,24 +307,6 @@ func SaveDiskPartitionsIsSet(installerArgs string) bool { return false } -func IsDiskEncryptionEnabledForRole(encryption models.DiskEncryption, role models.HostRole) bool { - if swag.StringValue(encryption.EnableOn) == models.DiskEncryptionEnableOnAll { - return true - } - - enabledGroups := strings.Split(swag.StringValue(encryption.EnableOn), ",") - if role == models.HostRoleMaster || role == models.HostRoleBootstrap { - return funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnMasters) - } - if role == models.HostRoleArbiter { - return funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnArbiters) - } - if role == models.HostRoleWorker { - return funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnWorkers) - } - return false -} - func GetDiskEncryptionForDay2(log logrus.FieldLogger, host *models.Host) (*ignition_types.Luks, error) { var response models.APIVipConnectivityResponse if err := json.Unmarshal([]byte(host.APIVipConnectivity), &response); err != nil { diff --git a/internal/host/hostutil/host_utils_test.go b/internal/host/hostutil/host_utils_test.go index ffab7c5214fc..c2a508778c7f 100644 --- a/internal/host/hostutil/host_utils_test.go +++ b/internal/host/hostutil/host_utils_test.go @@ -9,7 +9,6 @@ import ( "github.com/go-openapi/strfmt" "github.com/google/uuid" . "github.com/onsi/ginkgo" - . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" "github.com/openshift/assisted-service/internal/common" "github.com/openshift/assisted-service/models" 
@@ -632,51 +631,6 @@ var _ = Describe("Get Disks of Holder", func() {
 })
 })
-var _ = DescribeTable("IsDiskEncryptionEnabledForRole", func(enabledOn string, role models.HostRole, expectedResult bool) {
- diskEncryption := models.DiskEncryption{
- EnableOn: &enabledOn,
- }
- isEnabled := IsDiskEncryptionEnabledForRole(diskEncryption, role)
- Expect(isEnabled).To(Equal(expectedResult))
-},
- Entry("enabledOn all, role master", models.DiskEncryptionEnableOnAll, models.HostRoleMaster, true),
- Entry("enabledOn all, role bootstrap", models.DiskEncryptionEnableOnAll, models.HostRoleBootstrap, true),
- Entry("enabledOn all, role arbiter", models.DiskEncryptionEnableOnAll, models.HostRoleArbiter, true),
- Entry("enabledOn all, role worker", models.DiskEncryptionEnableOnAll, models.HostRoleWorker, true),
- Entry("enabledOn masters,arbiters,workers, role master", models.DiskEncryptionEnableOnMastersArbitersWorkers, models.HostRoleMaster, true),
- Entry("enabledOn masters,arbiters,workers, role bootstrap", models.DiskEncryptionEnableOnMastersArbitersWorkers, models.HostRoleBootstrap, true),
- Entry("enabledOn masters,arbiters,workers, role arbiter", models.DiskEncryptionEnableOnMastersArbitersWorkers, models.HostRoleArbiter, true),
- Entry("enabledOn masters,arbiters,workers, role worker", models.DiskEncryptionEnableOnMastersArbitersWorkers, models.HostRoleWorker, true),
- Entry("enabledOn masters,arbiters, role master", models.DiskEncryptionEnableOnMastersArbiters, models.HostRoleMaster, true),
- Entry("enabledOn masters,arbiters, role bootstrap", models.DiskEncryptionEnableOnMastersArbiters, models.HostRoleBootstrap, true),
- Entry("enabledOn masters,arbiters, role arbiter", models.DiskEncryptionEnableOnMastersArbiters, models.HostRoleArbiter, true),
- Entry("enabledOn masters,arbiters, role worker", models.DiskEncryptionEnableOnMastersArbiters, models.HostRoleWorker, false),
- Entry("enabledOn masters,workers, role master", models.DiskEncryptionEnableOnMastersWorkers, models.HostRoleMaster, true),
- Entry("enabledOn masters,workers, role bootstrap", models.DiskEncryptionEnableOnMastersWorkers, models.HostRoleBootstrap, true),
- Entry("enabledOn masters,workers, role arbiter", models.DiskEncryptionEnableOnMastersWorkers, models.HostRoleArbiter, false),
- Entry("enabledOn masters,workers, role worker", models.DiskEncryptionEnableOnMastersWorkers, models.HostRoleWorker, true),
- Entry("enabledOn arbiters,workers, role master", models.DiskEncryptionEnableOnArbitersWorkers, models.HostRoleMaster, false),
- Entry("enabledOn arbiters,workers, role bootstrap", models.DiskEncryptionEnableOnArbitersWorkers, models.HostRoleBootstrap, false),
- Entry("enabledOn arbiters,workers, role arbiter", models.DiskEncryptionEnableOnArbitersWorkers, models.HostRoleArbiter, true),
- Entry("enabledOn arbiters,workers, role worker", models.DiskEncryptionEnableOnArbitersWorkers, models.HostRoleWorker, true),
- Entry("enabledOn masters, role master", models.DiskEncryptionEnableOnMasters, models.HostRoleMaster, true),
- Entry("enabledOn masters, role bootstrap", models.DiskEncryptionEnableOnMasters, models.HostRoleBootstrap, true),
- Entry("enabledOn masters, role arbiter", models.DiskEncryptionEnableOnMasters, models.HostRoleArbiter, false),
- Entry("enabledOn masters, role worker", models.DiskEncryptionEnableOnMasters, models.HostRoleWorker, false),
- Entry("enabledOn arbiters, role master", models.DiskEncryptionEnableOnArbiters, models.HostRoleMaster, false),
- Entry("enabledOn arbiters, role bootstrap", models.DiskEncryptionEnableOnArbiters, models.HostRoleBootstrap, false),
- Entry("enabledOn arbiters, role arbiter", models.DiskEncryptionEnableOnArbiters, models.HostRoleArbiter, true),
- Entry("enabledOn arbiters, role worker", models.DiskEncryptionEnableOnArbiters, models.HostRoleWorker, false),
- Entry("enabledOn workers, role master", models.DiskEncryptionEnableOnWorkers, models.HostRoleMaster, false),
- Entry("enabledOn workers, role bootstrap", models.DiskEncryptionEnableOnWorkers, models.HostRoleBootstrap, false),
- Entry("enabledOn workers, role arbiter", models.DiskEncryptionEnableOnWorkers, models.HostRoleArbiter, false),
- Entry("enabledOn workers, role worker", models.DiskEncryptionEnableOnWorkers, models.HostRoleWorker, true),
- Entry("enabledOn none, role master", models.DiskEncryptionEnableOnNone, models.HostRoleMaster, false),
- Entry("enabledOn none, role bootstrap", models.DiskEncryptionEnableOnNone, models.HostRoleBootstrap, false),
- Entry("enabledOn none, role arbiter", models.DiskEncryptionEnableOnNone, models.HostRoleArbiter, false),
- Entry("enabledOn none, role worker", models.DiskEncryptionEnableOnNone, models.HostRoleWorker, false),
-)
-
 var _ = Describe("GetHostInstallationDisk", func() {
 var (
 hostId strfmt.UUID
diff --git a/internal/host/validations_test.go b/internal/host/validations_test.go
index 2b243f967a56..dd2e35ccca92 100644
--- a/internal/host/validations_test.go
+++ b/internal/host/validations_test.go
@@ -1425,7 +1425,12 @@ var _ = Describe("Validations test", func() {
 })
 It("day2 host - disk encryption is available", func() {
- createDay2Cluster()
+ c := generateDay2Cluster()
+ c.DiskEncryption = &models.DiskEncryption{
+ EnableOn: swag.String(models.DiskEncryptionEnableOnMasters),
+ Mode: swag.String(models.DiskEncryptionModeTpmv2),
+ }
+ Expect(db.Create(c).Error).ToNot(HaveOccurred())
 h := getDay2Host()
 //explicit set the role to worker
 h.Inventory = common.GenerateTestInventoryWithTpmVersion("")
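Review bot: The six added setup lines (generate the day-2 cluster, assign a masters/TPMv2 `DiskEncryption`, persist with `db.Create`) are repeated verbatim in the next two hunks of this file (`@@ -1442` and `@@ -1458`); a small helper such as `createDay2ClusterWithDiskEncryption(enableOn, mode string)` that does the three steps would keep the cases in sync the next time the defaults change. The table-driven role coverage deleted from host_utils_test.go earlier in this diff is not visibly re-created for `common.EnabledForRole`; if that test moved with the function, a pointer in the commit message would help, otherwise the role matrix is now untested. The enclosing `Describe` block starts outside this hunk.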
@@ -1442,7 +1447,12 @@ var _ = Describe("Validations test", func() {
 })
 It("day2 host - pending on APIVipConnectivity response", func() {
- createDay2Cluster()
+ c := generateDay2Cluster()
+ c.DiskEncryption = &models.DiskEncryption{
+ EnableOn: swag.String(models.DiskEncryptionEnableOnMasters),
+ Mode: swag.String(models.DiskEncryptionModeTpmv2),
+ }
+ Expect(db.Create(c).Error).ToNot(HaveOccurred())
 h := getDay2Host()
 h.Inventory = common.GenerateTestInventoryWithTpmVersion(models.InventoryTpmVersionNone)
@@ -1458,7 +1468,12 @@ var _ = Describe("Validations test", func() {
 })
 It("day2 host - LUKS in APIVipConnectivity response", func() {
- createDay2Cluster()
+ c := generateDay2Cluster()
+ c.DiskEncryption = &models.DiskEncryption{
+ EnableOn: swag.String(models.DiskEncryptionEnableOnMasters),
+ Mode: swag.String(models.DiskEncryptionModeTpmv2),
+ }
+ Expect(db.Create(c).Error).ToNot(HaveOccurred())
 h := getDay2Host()
 h.Inventory = common.GenerateTestInventoryWithTpmVersion(models.InventoryTpmVersionNone)
diff --git a/internal/host/validator.go b/internal/host/validator.go
index 2de397e2ca10..2df1fa5ee4af 100644
--- a/internal/host/validator.go
+++ b/internal/host/validator.go
@@ -488,7 +488,10 @@ func (v *validator) diskEncryptionRequirementsSatisfied(c *validationContext) (V
 var status ValidationStatus
 var message string
- if c.infraEnv != nil || swag.StringValue(c.cluster.DiskEncryption.EnableOn) == models.DiskEncryptionEnableOnNone {
+ if c.infraEnv != nil {
+ return ValidationSuccessSuppressOutput, ""
+ }
+ if !hostutil.IsDay2Host(c.host) && !common.IsConfigured(c.cluster.DiskEncryption) {
+ return ValidationSuccessSuppressOutput, ""
+ }
 if c.inventory == nil {
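Review bot: A day-2 host now gets past the early guards even when `c.cluster.DiskEncryption` is nil or not configured, yet the later part of this function (outside the hunk) still dereferences `*c.cluster.DiskEncryption` for the role and mode checks; if the day-2 branch can fall through to those lines rather than returning from the ignition-derived LUKS check, a day-2 cluster with no encryption config would panic. The old first line also dereferenced the pointer, so a nil config may already be impossible here; a short comment stating why day-2 hosts are exempted from the `IsConfigured` guard, e.g. `// Day-2 hosts learn their disk-encryption requirement from the cluster's ignition, not from the cluster record.`, would make the intent and the invariant explicit. diskEncryptionRequirementsSatisfied continues beyond this hunk.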
@@ -500,6 +503,9 @@ func (v *validator) diskEncryptionRequirementsSatisfied(c *validationContext) (V
 //according to that information
 luks, err := hostutil.GetDiskEncryptionForDay2(v.log, c.host)
 if err != nil {
+ if !common.IsConfigured(c.cluster.DiskEncryption) {
+ return ValidationSuccessSuppressOutput, ""
+ }
 return ValidationPending, "Missing ignition information"
 }
 if luks == nil || luks.Clevis == nil {
@@ -529,15 +535,15 @@ func (v *validator) diskEncryptionRequirementsSatisfied(c *validationContext) (V
 if role == models.HostRoleAutoAssign {
 return ValidationPending, "Missing role assignment"
 }
- if !hostutil.IsDiskEncryptionEnabledForRole(*c.cluster.DiskEncryption, role) {
+ if !common.EnabledForRole(*c.cluster.DiskEncryption, role) {
 return ValidationSuccessSuppressOutput, ""
 }
- if swag.StringValue(c.cluster.DiskEncryption.Mode) == models.DiskEncryptionModeTang {
+ if common.IsSetWithTang(c.cluster.DiskEncryption) {
 status, message = v.areTangServersReachable(c)
 if status == ValidationFailure {
 return status, message
 }
- } else { // Mode TPMv2
+ } else if common.IsSetWithTpm(c.cluster.DiskEncryption) {
 status = boolValue(c.inventory.TpmVersion == models.InventoryTpmVersionNr20)
 }
diff --git a/internal/network/manifests_generator.go b/internal/network/manifests_generator.go
index 293a5ee7cc81..8c1e75a03fca 100644
--- a/internal/network/manifests_generator.go
+++ b/internal/network/manifests_generator.go
@@ -22,7 +22,6 @@ import (
 "github.com/pkg/errors"
 "github.com/samber/lo"
 "github.com/sirupsen/logrus"
- "github.com/thoas/go-funk"
 "gorm.io/gorm"
 )
@@ -338,7 +337,7 @@ func (m *ManifestsGenerator) createDiskEncryptionManifest(ctx context.Context, l
 func (m *ManifestsGenerator) AddDiskEncryptionManifest(ctx context.Context, log logrus.FieldLogger, c *common.Cluster) error {
- if swag.StringValue(c.DiskEncryption.EnableOn) == models.DiskEncryptionEnableOnNone {
+ if !common.IsConfigured(c.DiskEncryption) {
 return nil
 }
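Review bot: When `GetDiskEncryptionForDay2` fails and the cluster has no disk encryption configured, the new branch discards the error without any trace, and an ignition-parse problem on a day-2 host is exactly what an operator needs to see while debugging; log it before suppressing, e.g. `v.log.WithError(err).Debug("ignoring day-2 disk encryption lookup failure: cluster has no disk encryption configured")`. diskEncryptionRequirementsSatisfied starts and ends outside this hunk.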
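Review bot: Turning the final `else` into `else if common.IsSetWithTpm(...)` leaves `status` at its zero value when the mode is neither Tang nor TPMv2, so the function presumably returns an unset status and empty message, and a host could be reported as meeting the disk-encryption requirement without any check having run. Unless a third mode is impossible after API validation, close the chain fail-closed with `} else { return ValidationFailure, "unsupported disk encryption mode" }`. The `if` chain is inside the same function as the previous hunk and the return statement lies outside this hunk.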
@@ -346,14 +345,9 @@ func (m *ManifestsGenerator) AddDiskEncryptionManifest(ctx context.Context, log
 "CIPHER": m.GetDiskEncryptionCipher(log),
 }
- switch *c.DiskEncryption.Mode {
-
- case models.DiskEncryptionModeTpmv2:
-
+ if common.IsSetWithTpm(c.DiskEncryption) {
 manifestParams["MODE"] = "tpm"
-
- case models.DiskEncryptionModeTang:
-
+ } else if common.IsSetWithTang(c.DiskEncryption) {
 tangServers, err := tang.UnmarshalTangServers(c.DiskEncryption.TangServers)
 if err != nil {
 log.WithError(err).Error("failed to unmarshal tang_server from cluster object")
@@ -364,17 +358,16 @@ func (m *ManifestsGenerator) AddDiskEncryptionManifest(ctx context.Context, log
 manifestParams["TANG_SERVERS"] = tangServers
 }
- enabledGroups := strings.Split(swag.StringValue(c.DiskEncryption.EnableOn), ",")
- isDiskEncryptionOnAll := swag.StringValue(c.DiskEncryption.EnableOn) == models.DiskEncryptionEnableOnAll
+ diskEncryption := *c.DiskEncryption
- if isDiskEncryptionOnAll || funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnMasters) {
+ if common.EnabledForRole(diskEncryption, models.HostRoleMaster) {
 manifestParams["ROLE"] = "master"
 if err := m.createDiskEncryptionManifest(ctx, log, c, manifestParams); err != nil {
 return err
 }
 }
- if (isDiskEncryptionOnAll || funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnArbiters)) &&
+ if common.EnabledForRole(diskEncryption, models.HostRoleArbiter) &&
 common.IsClusterTopologyHighlyAvailableArbiter(c) {
 manifestParams["ROLE"] = "arbiter"
 if err := m.createDiskEncryptionManifest(ctx, log, c, manifestParams); err != nil {
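Review bot: The `if`/`else if` replacing the `switch` keeps the pre-existing gap in which a mode that is neither TPMv2 nor Tang sets no `MODE` parameter yet still proceeds to render the per-role manifests below; since the cluster already passed `IsConfigured`, an incomplete LUKS manifest is a worse outcome than a refusal. Add a terminal branch such as `} else { return errors.Errorf("unsupported disk encryption mode %q", swag.StringValue(c.DiskEncryption.Mode)) }` (`github.com/pkg/errors` is already imported by this file, as the import hunk above shows). AddDiskEncryptionManifest extends beyond this hunk on both sides.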
@@ -382,7 +375,7 @@ func (m *ManifestsGenerator) AddDiskEncryptionManifest(ctx context.Context, log
 }
 }
- if isDiskEncryptionOnAll || funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnWorkers) {
+ if common.EnabledForRole(diskEncryption, models.HostRoleWorker) {
 manifestParams["ROLE"] = "worker"
 if err := m.createDiskEncryptionManifest(ctx, log, c, manifestParams); err != nil {
 return err
diff --git a/subsystem/cluster_test.go b/subsystem/cluster_test.go
index 0c26b1ba5b45..b72c9cbe0bef 100644
--- a/subsystem/cluster_test.go
+++ b/subsystem/cluster_test.go
@@ -4406,7 +4406,7 @@ func registerHostsAndSetRoles(clusterID, infraenvID strfmt.UUID, numHosts int, c
 }
 generateFullMeshConnectivity(ctx, ips[0], hosts...)
 cluster := utils_test.TestContext.GetCluster(clusterID)
- if cluster.DiskEncryption != nil && swag.StringValue(cluster.DiskEncryption.Mode) == models.DiskEncryptionModeTang {
+ if common.IsSetWithTang(cluster.DiskEncryption) {
 utils_test.TestContext.GenerateTangPostStepReply(ctx, true, hosts...)
 }
@@ -4468,7 +4468,7 @@ func registerHostsAndSetRolesTang(clusterID, infraenvID strfmt.UUID, numHosts in
 }
 generateFullMeshConnectivity(ctx, ips[0], hosts...)
 cluster := utils_test.TestContext.GetCluster(clusterID)
- if cluster.DiskEncryption != nil && swag.StringValue(cluster.DiskEncryption.Mode) == models.DiskEncryptionModeTang {
+ if common.IsSetWithTang(cluster.DiskEncryption) {
 utils_test.TestContext.GenerateTangPostStepReply(ctx, tangValidated, hosts...)
 }
diff --git a/subsystem/kubeapi/kubeapi_test.go b/subsystem/kubeapi/kubeapi_test.go
index 93c6d0479e6f..0338d172ad22 100644
--- a/subsystem/kubeapi/kubeapi_test.go
+++ b/subsystem/kubeapi/kubeapi_test.go
@@ -3388,7 +3388,7 @@ location = "%s"
 }
 deployAgentClusterInstallCRD(ctx, kubeClient, aciSpec, clusterDeploymentSpec.ClusterInstallRef.Name)
 checkAgentClusterInstallCondition(ctx, installkey, hiveext.ClusterRequirementsMetCondition, hiveext.ClusterNotReadyReason)
- verifyDiskEncryptionConfig(swag.String(models.DiskEncryptionEnableOnNone), nil, "")
+ verifyDiskEncryptionConfig(swag.String(models.DiskEncryptionEnableOnNone), swag.String(models.DiskEncryptionModeTpmv2), "")
 By("update deployment with disk encryption enabled with tpmv2 on master only")
 aciSpec = getDefaultAgentClusterInstallSpec(clusterDeploymentSpec.ClusterName)
@@ -4724,8 +4724,10 @@ location = "%s"
 }, "30s", "10s").Should(Equal(firstAgentEventsURL))
 By("Check host is removed from first backend cluster")
- cluster := getClusterFromDB(ctx, kubeClient, db, clusterKey, waitForReconcileTimeout)
- Expect(len(cluster.Hosts)).Should(Equal(0))
+ Eventually(func() int {
+ cluster := getClusterFromDB(ctx, kubeClient, db, clusterKey, waitForReconcileTimeout)
+ return len(cluster.Hosts)
+ }, "30s", "10s").Should(Equal(0))
 By("Delete Original Clusterdeployment")
 clusterDeploymentCRD := getClusterDeploymentCRD(ctx, kubeClient, clusterKey)
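Review bot: The updated expectation asserts that `Mode` is TPMv2 while `EnableOn` is none, which encodes that the new defaulting fills in a mode even when disk encryption is disabled; a reader of this test cannot tell whether that pairing is intended or an accident of the defaults, so a one-line comment before the call, `// Mode is defaulted to tpmv2 even though disk encryption is disabled (EnableOn none).`, would pin the intent. The enclosing test body starts outside this hunk.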