Enable encryption in backup test

akankshamahajan15 · akankshamahajan15 · commit 421ed561f124 · 2025-08-22T17:26:13.000Z
diff --git a/e2e/fixtures/factory.go b/e2e/fixtures/factory.go
@@ -22,6 +22,7 @@ package fixtures
 
 import (
 	"context"
+	cryptorand "crypto/rand"
 	"fmt"
 	"io"
 	"log"
@@ -39,6 +40,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	storagev1 "k8s.io/api/storage/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/duration"
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -132,6 +134,33 @@ func (factory *Factory) GetBackupSecretName() string {
 	return "backup-credentials"
 }
 
+// GetEncryptionKeySecretName returns the name for the encryption key secret
+func (factory *Factory) GetEncryptionKeySecretName() string {
+	return "backup-encryption-key"
+}
+
+// CreateEncryptionKeySecret creates a 32-byte encryption key secret.
+func (factory *Factory) CreateEncryptionKeySecret(namespace string) {
+	secretName := factory.GetEncryptionKeySecretName()
+
+	// Create 32-byte encryption key.
+	key := make([]byte, 32)
+	_, err := cryptorand.Read(key)
+	gomega.Expect(err).NotTo(gomega.HaveOccurred())
+
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      secretName,
+			Namespace: namespace,
+		},
+		Data: map[string][]byte{
+			"key.bin": key,
+		},
+	}
+
+	gomega.Expect(factory.CreateIfAbsent(secret)).NotTo(gomega.HaveOccurred())
+}
+
 func (factory *Factory) getConfig() *rest.Config {
 	return factory.config
 }
diff --git a/e2e/fixtures/fdb_backup.go b/e2e/fixtures/fdb_backup.go
@@ -73,6 +73,7 @@ func (factory *Factory) CreateBackupForCluster(
 			AllowTagOverride: ptr.To(true),
 			ClusterName:      fdbCluster.Name(),
 			Version:          fdbVersion.String(),
+			EncryptionKeyPath: "/tmp/encryption-key/key.bin",
 			BlobStoreConfiguration: &fdbv1beta2.BlobStoreConfiguration{
 				AccountName: "seaweedfs@seaweedfs:8333",
 				URLParameters: []fdbv1beta2.URLParameter{
@@ -123,6 +124,11 @@ func (factory *Factory) CreateBackupForCluster(
 									ReadOnly:  true,
 									MountPath: "/tmp/backup-credentials",
 								},
+								{
+									Name:      "encryption-key",
+									ReadOnly:  true,
+									MountPath: "/tmp/encryption-key",
+								},
 							},
 						},
 					},
@@ -143,6 +149,14 @@ func (factory *Factory) CreateBackupForCluster(
 								},
 							},
 						},
+						{
+							Name: "encryption-key",
+							VolumeSource: corev1.VolumeSource{
+								Secret: &corev1.SecretVolumeSource{
+									SecretName: factory.GetEncryptionKeySecretName(),
+								},
+							},
+						},
 					},
 				},
 			},
diff --git a/e2e/fixtures/fdb_operator_client.go b/e2e/fixtures/fdb_operator_client.go
@@ -325,6 +325,9 @@ spec:
         - name: backup-credentials
           mountPath: /tmp/backup-credentials
           readOnly: true
+        - name: encryption-key
+          mountPath: /tmp/encryption-key
+          readOnly: true
       securityContext:
         fsGroup: 4059
         runAsGroup: 4059
@@ -339,6 +342,9 @@ spec:
       - name: backup-credentials
         secret:
           secretName: {{ .BackupSecretName }}
+      - name: encryption-key
+        secret:
+          secretName: {{ .EncryptionKeySecretName }}
       - name: fdb-certs
         secret:
           secretName: {{ .SecretName }}
@@ -459,6 +465,9 @@ spec:
         - name: backup-credentials
           mountPath: /tmp/backup-credentials
           readOnly: true
+        - name: encryption-key
+          mountPath: /tmp/encryption-key
+          readOnly: true
       securityContext:
         fsGroup: 4059
         runAsGroup: 4059
@@ -473,6 +482,9 @@ spec:
       - name: backup-credentials
         secret:
           secretName: {{ .BackupSecretName }}
+      - name: encryption-key
+        secret:
+          secretName: {{ .EncryptionKeySecretName }}
       - name: fdb-certs
         secret:
           secretName: {{ .SecretName }}
@@ -505,6 +517,8 @@ type operatorConfig struct {
 	SecretName string
 	// BackupSecretName represents the secret that should be used to communicate with the backup blobstore.
 	BackupSecretName string
+	// EncryptionKeySecretName represents the secret that contains the encryption key for backup operations.
+	EncryptionKeySecretName string
 	// SidecarVersions represents the sidecar configurations for different FoundationDB versions.
 	SidecarVersions []SidecarConfig
 	// Namespace represents the namespace for the Deployment and all associated resources
@@ -602,10 +616,11 @@ func (factory *Factory) getOperatorConfig(namespace string) *operatorConfig {
 	}
 
 	return &operatorConfig{
-		OperatorImage:         factory.GetOperatorImage(),
-		SecretName:            factory.GetSecretName(),
-		BackupSecretName:      factory.GetBackupSecretName(),
-		Namespace:             namespace,
+		OperatorImage:           factory.GetOperatorImage(),
+		SecretName:              factory.GetSecretName(),
+		BackupSecretName:        factory.GetBackupSecretName(),
+		EncryptionKeySecretName: factory.GetEncryptionKeySecretName(),
+		Namespace:               namespace,
 		SidecarVersions:       factory.GetSidecarConfigs(),
 		ImagePullPolicy:       factory.getImagePullPolicy(),
 		CPURequests:           cpuRequests,
diff --git a/e2e/fixtures/fdb_restore.go b/e2e/fixtures/fdb_restore.go
@@ -47,6 +47,7 @@ func (factory *Factory) CreateRestoreForCluster(backup *FdbBackup) {
 			DestinationClusterName: backup.fdbCluster.Name(),
 			BlobStoreConfiguration: backup.backup.Spec.BlobStoreConfiguration,
 			CustomParameters:       backup.backup.Spec.CustomParameters,
+			EncryptionKeyPath:      backup.backup.Spec.EncryptionKeyPath,
 		},
 	}
 	gomega.Expect(factory.CreateIfAbsent(restore)).NotTo(gomega.HaveOccurred())
diff --git a/e2e/fixtures/kubernetes_fixtures.go b/e2e/fixtures/kubernetes_fixtures.go
@@ -156,6 +156,9 @@ func (factory *Factory) createNamespace(suffix string) string {
 	}
 	gomega.Expect(factory.CreateIfAbsent(backupCredentials)).NotTo(gomega.HaveOccurred())
 
+	// Create the encryption key secret for backup encryption operations.
+	factory.CreateEncryptionKeySecret(namespace)
+
 	factory.ensureRBACSetupExists(namespace)
 	gomega.Expect(factory.ensureFDBOperatorExists(namespace)).ToNot(gomega.HaveOccurred())
 	log.Printf("using namespace %s for testing", namespace)
diff --git a/e2e/test_operator_backups/operator_backup_test.go b/e2e/test_operator_backups/operator_backup_test.go
@@ -68,6 +68,8 @@ var _ = BeforeSuite(func() {
 
 	// Create a blobstore for testing backups and restore
 	factory.CreateBlobstoreIfAbsent(fdbCluster.Namespace())
+
+	// Note: Encryption key secret is automatically created during namespace setup
 })
 
 var _ = AfterSuite(func() {

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ func (factory Factory) CreateRestoreForCluster(backup FdbBackup) {`
`47`	`47`	`DestinationClusterName: backup.fdbCluster.Name(),`
`48`	`48`	`BlobStoreConfiguration: backup.backup.Spec.BlobStoreConfiguration,`
`49`	`49`	`CustomParameters: backup.backup.Spec.CustomParameters,`
	`50`	`+ EncryptionKeyPath: backup.backup.Spec.EncryptionKeyPath,`
`50`	`51`	`},`
`51`	`52`	`}`
`52`	`53`	`gomega.Expect(factory.CreateIfAbsent(restore)).NotTo(gomega.HaveOccurred())`
Original file line number	Diff line number	Diff line change
`@@ -156,6 +156,9 @@ func (factory *Factory) createNamespace(suffix string) string {`
`156`	`156`	`}`
`157`	`157`	`gomega.Expect(factory.CreateIfAbsent(backupCredentials)).NotTo(gomega.HaveOccurred())`
`158`	`158`
	`159`	`+ // Create the encryption key secret for backup encryption operations.`
	`160`	`+ factory.CreateEncryptionKeySecret(namespace)`
	`161`	`+`
`159`	`162`	`factory.ensureRBACSetupExists(namespace)`
`160`	`163`	`gomega.Expect(factory.ensureFDBOperatorExists(namespace)).ToNot(gomega.HaveOccurred())`
`161`	`164`	`log.Printf("using namespace %s for testing", namespace)`