Install Rust and Cargo for building efs-proxy
Rust and Cargo are required to build efs-utils v2.0.0.

I also added a TODO to one of our integration tests - now that non-tls mounts
are also re-directed to localhost (efs-utils v2), we need a new method
of determining whether 'encryptInTransit' is working as expected.
RyanStan committed Apr 15, 2024
1 parent 0ea48a3 commit f503354
Showing 2 changed files with 10 additions and 9 deletions.
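--- a/Dockerfile
+++ b/Dockerfile
@@ -38,7 +38,7 @@ RUN mkdir -p /tmp/rpms && \
 then echo "Installing efs-utils from Amazon Linux 2 yum repo" && \
 yum -y install --downloadonly --downloaddir=/tmp/rpms amazon-efs-utils-1.35.0-1.amzn2.noarch; \
 else echo "Installing efs-utils from github using the latest git tag" && \
-yum -y install git rpm-build make && \
+yum -y install git rpm-build make rust cargo openssl-devel && \
 git clone https://github.com/aws/efs-utils && \
 cd efs-utils && \
 git checkout $(git describe --tags $(git rev-list --tags --max-count=1)) && \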
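Review bot: Adding `rust cargo openssl-devel` means this branch now compiles efs-proxy from source, but the ref it builds is still whatever `git describe --tags $(git rev-list --tags --max-count=1)` resolves to on the day of the build, and the yum toolchain packages are unversioned. A compiled component, presumably with crate dependencies fetched at build time, makes that drift harder to audit than the previous script-only package. Consider pinning the ref, e.g. `ARG EFS_UTILS_REF=<tag>` with `git checkout "$EFS_UTILS_REF"`, and confirming that the efs-utils build honours its lockfile. The RUN instruction starts and ends outside this hunk, so whether the build toolchain is kept out of the final image cannot be confirmed from here.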
17 changes: 9 additions & 8 deletions test/e2e/e2e.go
@@ -305,6 +305,11 @@ var _ = ginkgo.Describe("[efs-csi] EFS CSI", func() {
})

testEncryptInTransit := func(f *framework.Framework, encryptInTransit *bool) {
// TODO [RyanStan 4-15-24]
// Now that non-tls mounts are re-directed to efs-proxy (efs-utils v2),
// we need a new method of determining whether encrypt in transit is correctly working.
// One way to do this could be to parse the arguments passed to efs-proxy and look for the '--tls' flag.

ginkgo.By("Creating efs pvc & pv")
volumeAttributes := map[string]string{}
if encryptInTransit != nil {
@@ -320,20 +325,16 @@ var _ = ginkgo.Describe("[efs-csi] EFS CSI", func() {
_ = f.ClientSet.CoreV1().PersistentVolumes().Delete(context.TODO(), pv.Name, metav1.DeleteOptions{})
}()

// If mount.efs is passed option tls, the mount table entry should be...
// mount.efs connects the local NFS client to efs-proxy which listens on localhost and forwards NFS operations to EFS.
// This occurs for both non-tls and tls mounts.
// Therefore, the mount table entry should be
// 127.0.0.1:/ on /mnt/volume1 type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,noresvport,proto=tcp,port=20052,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1)
// Note the tls option is not actually there. The proof that tls is passed
// to mount.efs is the server is 127.0.0.1
// (stunnel proxy running on localhost)
// instead of the EFS DNS name
// (file-system-id.efs.aws-region.amazonaws.com).
// Call `mount` alone first to print it for debugging.

command := "mount && mount | grep /mnt/volume1 | grep 127.0.0.1"
if encryptInTransit != nil {
if !*encryptInTransit {
command = fmt.Sprintf("mount && mount | grep /mnt/volume1 | grep %v", FileSystemId)
}
}
ginkgo.By(fmt.Sprintf("Creating pod to mount pvc %q and run %q", pvc.Name, command))
pod := e2epod.MakePod(f.Namespace.Name, nil, []*v1.PersistentVolumeClaim{pvc}, false, command)
pod.Spec.RestartPolicy = v1.RestartPolicyNever
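Review bot: By the new comments' own account, the `grep 127.0.0.1` check in `testEncryptInTransit` matches both tls and non-tls mounts, so the test no longer shows that encryption in transit is enabled, and a regression that silently dropped TLS would still pass. Until the efs-proxy argument check proposed in the TODO exists, make the gap visible in the test output, e.g. `ginkgo.By("NOTE: TLS is not verified here; only the efs-proxy redirect to 127.0.0.1 is checked")`, and point the TODO at a tracking issue so it is not lost. The old/new side of the `if encryptInTransit != nil` lines is not recoverable from this rendering; if the `grep %v, FileSystemId` branch survives, it would presumably now fail for non-tls mounts and should be removed. The function body continues outside both hunks.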
