From 421ed561f1240179e754779fda40465b9deee3e1 Mon Sep 17 00:00:00 2001 From: Akanksha Mahajan Date: Fri, 22 Aug 2025 10:22:22 -0700 Subject: [PATCH] Enable encryption in backup test --- e2e/fixtures/factory.go | 29 +++++++++++++++++++ e2e/fixtures/fdb_backup.go | 14 +++++++++ e2e/fixtures/fdb_operator_client.go | 23 ++++++++++++--- e2e/fixtures/fdb_restore.go | 1 + e2e/fixtures/kubernetes_fixtures.go | 3 ++ .../operator_backup_test.go | 2 ++ 6 files changed, 68 insertions(+), 4 deletions(-) diff --git a/e2e/fixtures/factory.go b/e2e/fixtures/factory.go index b1b69449e..030f3ac5a 100644 --- a/e2e/fixtures/factory.go +++ b/e2e/fixtures/factory.go @@ -22,6 +22,7 @@ package fixtures import ( "context" + cryptorand "crypto/rand" "fmt" "io" "log" @@ -39,6 +40,7 @@ import ( corev1 "k8s.io/api/core/v1" storagev1 "k8s.io/api/storage/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/duration" "k8s.io/client-go/rest" "sigs.k8s.io/controller-runtime/pkg/client" @@ -132,6 +134,33 @@ func (factory *Factory) GetBackupSecretName() string { return "backup-credentials" } +// GetEncryptionKeySecretName returns the name for the encryption key secret +func (factory *Factory) GetEncryptionKeySecretName() string { + return "backup-encryption-key" +} + +// CreateEncryptionKeySecret creates a 32-byte encryption key secret. +func (factory *Factory) CreateEncryptionKeySecret(namespace string) { + secretName := factory.GetEncryptionKeySecretName() + + // Create 32-byte encryption key. + key := make([]byte, 32) + _, err := cryptorand.Read(key) + gomega.Expect(err).NotTo(gomega.HaveOccurred()) + + secret := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: secretName, + Namespace: namespace, + }, + Data: map[string][]byte{ + "key.bin": key, + }, + } + + gomega.Expect(factory.CreateIfAbsent(secret)).NotTo(gomega.HaveOccurred()) +} + func (factory *Factory) getConfig() *rest.Config { return factory.config } 
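Review bot: CreateEncryptionKeySecret draws a fresh random key on every call but hands it to CreateIfAbsent, so on a namespace that already holds a `backup-encryption-key` secret the generated bytes are discarded and the existing key stays in place, and the caller gets no signal either way because the function returns nothing. That is reasonable for a fixture, but the doc comment should say it: `// CreateEncryptionKeySecret creates a 32-byte random encryption key secret. An existing secret of that name is left untouched, so the key in the cluster may differ from the one generated here.` The bare `32` in `make([]byte, 32)` would read better as a named constant with a comment giving the reason for the size (presumably the AES-256 key length fdbbackup expects; worth confirming against the fdbbackup documentation). The doc comment on GetEncryptionKeySecretName is also missing its trailing period, unlike its neighbours.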
diff --git a/e2e/fixtures/fdb_backup.go b/e2e/fixtures/fdb_backup.go index e75291994..b9383f5f1 100644 --- a/e2e/fixtures/fdb_backup.go +++ b/e2e/fixtures/fdb_backup.go @@ -73,6 +73,7 @@ func (factory *Factory) CreateBackupForCluster( AllowTagOverride: ptr.To(true), ClusterName: fdbCluster.Name(), Version: fdbVersion.String(), + EncryptionKeyPath: "/tmp/encryption-key/key.bin", BlobStoreConfiguration: &fdbv1beta2.BlobStoreConfiguration{ AccountName: "seaweedfs@seaweedfs:8333", URLParameters: []fdbv1beta2.URLParameter{ @@ -123,6 +124,11 @@ func (factory *Factory) CreateBackupForCluster( ReadOnly: true, MountPath: "/tmp/backup-credentials", }, + { + Name: "encryption-key", + ReadOnly: true, + MountPath: "/tmp/encryption-key", + }, }, }, }, @@ -143,6 +149,14 @@ func (factory *Factory) CreateBackupForCluster( }, }, }, + { + Name: "encryption-key", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: factory.GetEncryptionKeySecretName(), + }, + }, + }, }, }, }, diff --git a/e2e/fixtures/fdb_operator_client.go b/e2e/fixtures/fdb_operator_client.go index 396be27d2..2bf91426f 100644 --- a/e2e/fixtures/fdb_operator_client.go +++ b/e2e/fixtures/fdb_operator_client.go @@ -325,6 +325,9 @@ spec: - name: backup-credentials mountPath: /tmp/backup-credentials readOnly: true + - name: encryption-key + mountPath: /tmp/encryption-key + readOnly: true securityContext: fsGroup: 4059 runAsGroup: 4059 @@ -339,6 +342,9 @@ spec: - name: backup-credentials secret: secretName: {{ .BackupSecretName }} + - name: encryption-key + secret: + secretName: {{ .EncryptionKeySecretName }} - name: fdb-certs secret: secretName: {{ .SecretName }} @@ -459,6 +465,9 @@ spec: - name: backup-credentials mountPath: /tmp/backup-credentials readOnly: true + - name: encryption-key + mountPath: /tmp/encryption-key + readOnly: true securityContext: fsGroup: 4059 runAsGroup: 4059 
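Review bot: The key file path on the new EncryptionKeyPath line, `/tmp/encryption-key/key.bin`, is assembled from three separately hard-coded strings: the mount path `/tmp/encryption-key` repeated in this file's volumeMounts hunk and in both Deployment templates in fdb_operator_client.go, and the secret data key `key.bin` in factory.go's CreateEncryptionKeySecret. A change to any one of them breaks the backup agent at runtime rather than at compile time. Since the secret name already goes through factory.GetEncryptionKeySecretName(), a matching helper such as `func (factory *Factory) GetEncryptionKeyPath() string { return "/tmp/encryption-key/key.bin" }` used here would keep the wiring in one place, and a comment next to the template literals naming that helper would tie the rest together. CreateBackupForCluster starts before this hunk and continues past it.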
@@ -473,6 +482,9 @@ spec: - name: backup-credentials secret: secretName: {{ .BackupSecretName }} + - name: encryption-key + secret: + secretName: {{ .EncryptionKeySecretName }} - name: fdb-certs secret: secretName: {{ .SecretName }} @@ -505,6 +517,8 @@ type operatorConfig struct { SecretName string // BackupSecretName represents the secret that should be used to communicate with the backup blobstore. BackupSecretName string + // EncryptionKeySecretName represents the secret that contains the encryption key for backup operations. + EncryptionKeySecretName string // SidecarVersions represents the sidecar configurations for different FoundationDB versions. SidecarVersions []SidecarConfig // Namespace represents the namespace for the Deployment and all associated resources @@ -602,10 +616,11 @@ func (factory *Factory) getOperatorConfig(namespace string) *operatorConfig { } return &operatorConfig{ - OperatorImage: factory.GetOperatorImage(), - SecretName: factory.GetSecretName(), - BackupSecretName: factory.GetBackupSecretName(), - Namespace: namespace, + OperatorImage: factory.GetOperatorImage(), + SecretName: factory.GetSecretName(), + BackupSecretName: factory.GetBackupSecretName(), + EncryptionKeySecretName: factory.GetEncryptionKeySecretName(), + Namespace: namespace, SidecarVersions: factory.GetSidecarConfigs(), ImagePullPolicy: factory.getImagePullPolicy(), CPURequests: cpuRequests, diff --git a/e2e/fixtures/fdb_restore.go b/e2e/fixtures/fdb_restore.go index fb0c7177d..38b5c8089 100644 --- a/e2e/fixtures/fdb_restore.go +++ b/e2e/fixtures/fdb_restore.go @@ -47,6 +47,7 @@ func (factory *Factory) CreateRestoreForCluster(backup *FdbBackup) { DestinationClusterName: backup.fdbCluster.Name(), BlobStoreConfiguration: backup.backup.Spec.BlobStoreConfiguration, CustomParameters: backup.backup.Spec.CustomParameters, + EncryptionKeyPath: backup.backup.Spec.EncryptionKeyPath, }, } gomega.Expect(factory.CreateIfAbsent(restore)).NotTo(gomega.HaveOccurred()) 
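Review bot: The new EncryptionKeyPath line in CreateRestoreForCluster copies the path straight from the backup spec, which only works because the pod that runs the restore mounts the same secret at the same path, and nothing in this file says so. A comment on the line would save the next reader a search: `// Reuse the backup's key path; the operator Deployment mounts the encryption-key secret at the same location (see fdb_operator_client.go).` I am inferring from the Deployment template hunks in this patch that the restore is executed from the operator pod; that is worth confirming before the comment is committed. CreateRestoreForCluster starts before this hunk.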
diff --git a/e2e/fixtures/kubernetes_fixtures.go b/e2e/fixtures/kubernetes_fixtures.go index 7b6a8ea9f..a263dfdc7 100644 --- a/e2e/fixtures/kubernetes_fixtures.go +++ b/e2e/fixtures/kubernetes_fixtures.go @@ -156,6 +156,9 @@ func (factory *Factory) createNamespace(suffix string) string { } gomega.Expect(factory.CreateIfAbsent(backupCredentials)).NotTo(gomega.HaveOccurred()) + // Create the encryption key secret for backup encryption operations. + factory.CreateEncryptionKeySecret(namespace) + factory.ensureRBACSetupExists(namespace) gomega.Expect(factory.ensureFDBOperatorExists(namespace)).ToNot(gomega.HaveOccurred()) log.Printf("using namespace %s for testing", namespace) diff --git a/e2e/test_operator_backups/operator_backup_test.go b/e2e/test_operator_backups/operator_backup_test.go index 3bfca65a3..1efef392c 100644 --- a/e2e/test_operator_backups/operator_backup_test.go +++ b/e2e/test_operator_backups/operator_backup_test.go @@ -68,6 +68,8 @@ var _ = BeforeSuite(func() { // Create a blobstore for testing backups and restore factory.CreateBlobstoreIfAbsent(fdbCluster.Namespace()) + + // Note: Encryption key secret is automatically created during namespace setup }) var _ = AfterSuite(func() {
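Review bot: The new CreateEncryptionKeySecret call is placed before ensureFDBOperatorExists, and that order is load-bearing: the operator Deployment templates in fdb_operator_client.go now mount the `encryption-key` secret, so the operator pod cannot start until the secret exists, yet the added comment does not say why the call sits where it does. Suggest `// Create the encryption key secret before the operator Deployment, which mounts it; the operator pod will not start without it.` Every namespace now receives a key even for suites that never run a backup, which is harmless but deserves a word in the same comment so nobody "optimises" the call into the backup suite and breaks the operator start-up. createNamespace starts before this hunk and continues past it.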