Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable Scylla encryption (if disabled) for Manager SCT tests #4164

Closed
mikliapko opened this issue Dec 13, 2024 · 5 comments · Fixed by scylladb/scylla-cluster-tests#9960
Closed

Enable Scylla encryption (if disabled) for Manager SCT tests #4164

mikliapko opened this issue Dec 13, 2024 · 5 comments · Fixed by scylladb/scylla-cluster-tests#9960
Assignees
@mikliapko
Labels
qa should be used for qa team testing tasks

Comments

@mikliapko
Copy link

Scope:

  1. Check if current SCT tests for Manager run with enabled Scylla encryption.
  2. If not, make it enabled by default.
@mikliapko mikliapko added the qa should be used for qa team testing tasks label Dec 13, 2024
@mikliapko mikliapko self-assigned this Dec 13, 2024
@mikliapko
Copy link
Author

Currently, for Manager tests we configure scylla.yaml in a next way:

  • enabled client encryption
client_encryption_options:
  certificate: /etc/scylla/ssl_conf/client-facing.crt
  enabled: true
  keyfile: /etc/scylla/ssl_conf/client-facing.key
  truststore: /etc/scylla/ssl_conf/ca.pem
  • enabled EaR
kms_hosts:
  auto:
    aws_region: us-east-1
    aws_use_ec2_credentials: true
    master_key: alias/testid-68565fdc-a174-463f-aba0-1b77ad4d56f4
system_info_encryption:
  enabled: true
  key_provider: KmsKeyProviderFactory
  kms_host: auto
user_info_encryption:
  enabled: true
  key_provider: KmsKeyProviderFactory
  kms_host: auto

It looks like we are missing server encryption only. Can it be important for Manager to have it enabled as well?
@karol-kokoszka @Michal-Leszczynski @VAveryanov8

@mikliapko
Copy link
Author

As per the issue #4079 and the reason we were not able to catch it in SCT, the configuration is missing native_transport_port_ssl defined. I believe it was the reason Manager was failing to decide on the port to use?
@VAveryanov8

@Michal-Leszczynski
Copy link
Collaborator

It looks like we are missing server encryption only. Can it be important for Manager to have it enabled as well?

@mikliapko the encryption you linked refers to encryption between nodes, so it shouldn't impact SM at all.
On the other hand, if it's really easy to enable it, some SM tests should run with it, just to make sure that it's ok.
But if it's difficult, then I would say that's not worth the effort.

@mikliapko
Copy link
Author

@mikliapko the encryption you linked refers to encryption between nodes, so it shouldn't impact SM at all. On the other hand, if it's really easy to enable it, some SM tests should run with it, just to make sure that it's ok. But if it's difficult, then I would say that's not worth the effort.

It shouldn't be an issue to enable it for some runs but since we have a lot of work related to 1-to-1 restore, I'll postpone it for now.

@mikliapko
Copy link
Author

Currently, for Manager tests we configure scylla.yaml in a next way:

  • enabled client encryption
client_encryption_options:
  certificate: /etc/scylla/ssl_conf/client-facing.crt
  enabled: true
  keyfile: /etc/scylla/ssl_conf/client-facing.key
  truststore: /etc/scylla/ssl_conf/ca.pem

So, it was a mistake to judge about enabled/disabled client encryption looking into scylla.yaml collected by SCT after test.

Turned out that the test enables client encryption in the very last sub-stage. It means that the majority of checks are run with disabled encryption in manager_sanity_test.

The rest of the tests run with client encryption disabled what should be immediately fixed.

@mikliapko mikliapko mentioned this issue Jan 31, 2025
Merged
7 tasks
@karol-kokoszka karol-kokoszka reopened this Feb 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mikliapko mikliapko

Labels
qa should be used for qa team testing tasks
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Manager] Run Manager tests with enabled client encryption mikliapko/scylla-cluster-tests
3 participants
@karol-kokoszka @mikliapko @Michal-Leszczynski