EKS - fix secrets encryption with KMS key checkbox (#11576)

* fix kms key checkbox * add kms key input unit tests
rancher · Aug 2, 2024 · a81d838 · a81d838
1 parent 17039a3
commit a81d838
Show file tree

Hide file tree

Showing 4 changed files with 149 additions and 7 deletions.
diff --git a/pkg/eks/components/Config.vue b/pkg/eks/components/Config.vue
@@ -59,6 +59,11 @@ export default defineComponent({
       default: ''
     },
 
+    secretsEncryption: {
+      type:    Boolean,
+      default: false
+    },
+
     serviceRole: {
       type:    String,
       default: ''
@@ -101,7 +106,6 @@ export default defineComponent({
       canReadKms:            false,
       supportedVersionRange,
       customServiceRole:     !!this.serviceRole && !!this.serviceRole.length,
-      encryptSecrets:        false,
       loadingVersions:       false,
       loadingKms:            false,
       allKubernetesVersions: eksVersions as string[],
@@ -131,7 +135,7 @@ export default defineComponent({
       immediate: true
     },
 
-    'encryptSecrets'(neu) {
+    'secretsEncryption'(neu) {
       if (!neu) {
         this.$emit('update:kmsKey', '');
       }
@@ -341,16 +345,17 @@ export default defineComponent({
     <div class="row mb-10">
       <div class="col span-6">
         <Checkbox
-          v-model="encryptSecrets"
+          :value="secretsEncryption"
           :disabled="mode!=='create'"
           :mode="mode"
           label-key="eks.encryptSecrets.label"
-          data-testid="eks-encrypt-secrets-checkbox"
+          data-testid="eks-secrets-encryption-checkbox"
+          @input="$emit('update:secretsEncryption', $event)"
         />
       </div>
     </div>
     <div
-      v-if="encryptSecrets"
+      v-if="secretsEncryption"
       class="row mb-10"
     >
       <div

diff --git a/pkg/eks/components/CruEKS.vue b/pkg/eks/components/CruEKS.vue
@@ -688,6 +688,7 @@ export default defineComponent({
           :ebs-c-s-i-driver.sync="config.ebsCSIDriver"
           :service-role.sync="config.serviceRole"
           :kms-key.sync="config.kmsKey"
+          :secrets-encryption.sync="config.secretsEncryption"
           :tags.sync="config.tags"
           :mode="mode"
           :config="config"

diff --git a/pkg/eks/components/__mocks__/listKeys.js b/pkg/eks/components/__mocks__/listKeys.js
@@ -8,7 +8,17 @@ export default {
   Keys: [
     {
       KeyArn: 'arn:aws:kms:us-west-2:testdata2134',
-      KeyId:  '1234-4321'
+      KeyId:  '1234-2134'
+    },
+    {
+      KeyArn: 'arn:aws:kms:us-west-2:testdata6543',
+      KeyId:  '1234-6543'
+    }, {
+      KeyArn: 'arn:aws:kms:us-west-2:testdata3454',
+      KeyId:  '1234-3454'
+    }, {
+      KeyArn: 'arn:aws:kms:us-west-2:testdata8762',
+      KeyId:  '1234-8762'
     }
   ],
   Truncated: false

diff --git a/pkg/eks/components/__tests__/Config.test.ts b/pkg/eks/components/__tests__/Config.test.ts
@@ -157,16 +157,142 @@ describe('eKS K8s configuration', () => {
     expect(wrapper.exists()).toBe(true);
 
     let kmsDropdown = wrapper.find('[data-testid="eks-kms-dropdown"]');
+    let kmsTextInput = wrapper.find('[data-testid="eks-kms-input"]');
 
+    expect(kmsTextInput.exists()).toBe(false);
     expect(kmsDropdown.exists()).toBe(false);
 
-    wrapper.setData({ encryptSecrets: true, canReadKms: true });
+    wrapper.setData({ canReadKms: true });
+    wrapper.setProps({ secretsEncryption: true });
+
     await wrapper.vm.$nextTick();
     kmsDropdown = wrapper.find('[data-testid="eks-kms-dropdown"]');
+    kmsTextInput = wrapper.find('[data-testid="eks-kms-input"]');
 
+    expect(kmsTextInput.exists()).toBe(false);
     expect(kmsDropdown.exists()).toBe(true);
   });
 
+  it('should update the secretsEncryption prop when the kms key checkbox is checked', async() => {
+    const setup = requiredSetup();
+
+    const wrapper = shallowMount(Config, { propsData: { config: { amazonCredentialSecret: '', region: '' } }, ...setup });
+
+    wrapper.setData({ canReadKms: true });
+
+    await setCredential(wrapper);
+
+    expect(wrapper.emitted('update:secretsEncryption')).toBeUndefined();
+
+    const secretsEncryptionCheckbox = wrapper.find('[data-testid="eks-secrets-encryption-checkbox"]');
+
+    secretsEncryptionCheckbox.vm.$emit('input', true);
+    await wrapper.vm.$nextTick();
+    expect(wrapper.emitted('update:secretsEncryption')).toHaveLength(1);
+    expect(wrapper.emitted('update:secretsEncryption')?.[0]?.[0]).toBe(true);
+
+    secretsEncryptionCheckbox.vm.$emit('input', false);
+    await wrapper.vm.$nextTick();
+    expect(wrapper.emitted('update:secretsEncryption')).toHaveLength(2);
+    expect(wrapper.emitted('update:secretsEncryption')?.[1]?.[0]).toBe(false);
+  });
+
+  it('should set the kmsKey to an empty string if secretsEncryption is disabled', async() => {
+    const setup = requiredSetup();
+
+    const wrapper = shallowMount(Config, {
+      propsData: {
+        config:            { amazonCredentialSecret: '', region: '' },
+        secretsEncryption: true,
+        kmsKey:            '123abc'
+      },
+      ...setup
+    });
+
+    await setCredential(wrapper);
+    expect(wrapper.exists()).toBe(true);
+    expect(wrapper.emitted('update:kmsKey')).toBeUndefined();
+
+    wrapper.setData({ canReadKms: true });
+    wrapper.setProps({ secretsEncryption: false });
+
+    await wrapper.vm.$nextTick();
+
+    expect(wrapper.emitted('update:kmsKey')).toHaveLength(1);
+    expect(wrapper.emitted('update:kmsKey')?.[0]?.[0]).toBe('');
+  });
+
+  // load kms key arn into dropdown
+  it('should populate a dropdown with kms key arns from aws api call', async() => {
+    const setup = requiredSetup();
+
+    const wrapper = shallowMount(Config, {
+      propsData: {
+        config:            { amazonCredentialSecret: '', region: '' },
+        secretsEncryption: true,
+        kmsKey:            '123abc'
+      },
+      ...setup
+    });
+
+    await setCredential(wrapper);
+    const kmsDropdown = wrapper.find('[data-testid="eks-kms-dropdown"]');
+
+    expect(kmsDropdown.props().options).toStrictEqual(['arn:aws:kms:us-west-2:testdata2134',
+      'arn:aws:kms:us-west-2:testdata6543',
+      'arn:aws:kms:us-west-2:testdata3454',
+      'arn:aws:kms:us-west-2:testdata8762']);
+  });
+
+  // set canReadKms false if data fetch fails; show text input for kmsKey instead
+  it('should show a text input for kms key arns if no data if the api call throws an error', async() => {
+    const failingStoreMock = {
+      ...mockedStore({ value: '<=1.27.x' }),
+      dispatch: () => {
+        return {
+          listKeys: () => {
+            throw new Error('failed to load keys blah blah');
+          },
+          describeAddonVersions: () => {
+            return describeAddonVersionsResponseData;
+          }
+
+        };
+      }
+    };
+
+    const setup = {
+      mixins: [mockedValidationMixin],
+      mocks:  {
+        $store:      failingStoreMock,
+        $route:      mockedRoute,
+        $fetchState: {},
+      }
+    };
+
+    const wrapper = shallowMount(Config, {
+      propsData: {
+        config:            { amazonCredentialSecret: '', region: '' },
+        secretsEncryption: true,
+        kmsKey:            '123abc'
+      },
+      ...setup
+    });
+
+    await setCredential(wrapper);
+
+    expect(wrapper.exists()).toBe(true);
+
+    expect(wrapper.vm.canReadKms).toBe(false);
+    const kmsDropdown = wrapper.find('[data-testid="eks-kms-dropdown"]');
+
+    expect(kmsDropdown.exists()).toBe(false);
+
+    const kmsTextInput = wrapper.find('[data-testid="eks-kms-input"]');
+
+    expect(kmsTextInput.exists()).toBe(true);
+  });
+
   it('should show an input for service role if the custom service role radio option is selected', async() => {
     const setup = requiredSetup();