Enable encryption in backup operator test

e2e/fixtures/factory.go

@@ -22,6 +22,7 @@ package fixtures
 
 import (
 	"context"
+	cryptorand "crypto/rand"
 	"fmt"
 	"io"
 	"log"
@@ -39,6 +40,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	storagev1 "k8s.io/api/storage/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/duration"
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -132,6 +134,33 @@ func (factory *Factory) GetBackupSecretName() string {
 	return "backup-credentials"
 }
 
+// GetEncryptionKeySecretName returns the name for the encryption key secret
+func (factory *Factory) GetEncryptionKeySecretName() string {
+	return "backup-encryption-key"
+}
+
+// CreateEncryptionKeySecret creates a 32-byte encryption key secret.
+func (factory *Factory) CreateEncryptionKeySecret(namespace string) {
+	secretName := factory.GetEncryptionKeySecretName()
+
+	// Create 32-byte encryption key.
+	key := make([]byte, 32)
+	_, err := cryptorand.Read(key)
+	gomega.Expect(err).NotTo(gomega.HaveOccurred())
+
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      secretName,
+			Namespace: namespace,
+		},
+		Data: map[string][]byte{
+			"key.bin": key,
+		},
+	}
+
+	gomega.Expect(factory.CreateIfAbsent(secret)).NotTo(gomega.HaveOccurred())
+}
+
 func (factory *Factory) getConfig() *rest.Config {
 	return factory.config
 }

e2e/fixtures/fdb_backup.go

@@ -46,6 +46,8 @@ type FdbBackup struct {
 type FdbBackupConfiguration struct {
 	// BackupType defines the backup type that should be used for this backup.
 	BackupType *fdbv1beta2.BackupType
+	// EncryptionEnabled determines whether backup encryption should be used.
+	EncryptionEnabled bool
 }
 
 // CreateBackupForCluster will create a FoundationDBBackup for the provided cluster.
@@ -122,6 +124,11 @@ func (factory *Factory) CreateBackupForCluster(
 									ReadOnly:  true,
 									MountPath: "/tmp/backup-credentials",
 								},
+								{
+									Name:      "encryption-key",
+									ReadOnly:  true,
+									MountPath: "/tmp/encryption-key",
+								},
 							},
 						},
 					},
@@ -142,12 +149,25 @@ func (factory *Factory) CreateBackupForCluster(
 								},
 							},
 						},
+						{
+							Name: "encryption-key",
+							VolumeSource: corev1.VolumeSource{
+								Secret: &corev1.SecretVolumeSource{
+									SecretName: factory.GetEncryptionKeySecretName(),
+								},
+							},
+						},
 					},
 				},
 			},
 		},
 	}
 
+	// Set encryption key path only if encryption is enabled
+	if config.EncryptionEnabled {
+		backup.Spec.EncryptionKeyPath = "/tmp/encryption-key/key.bin"
+	}
+
 	gomega.Expect(factory.CreateIfAbsent(backup)).NotTo(gomega.HaveOccurred())
 
 	curBackup := &FdbBackup{

e2e/fixtures/fdb_operator_client.go

@@ -325,6 +325,9 @@ spec:
         - name: backup-credentials
           mountPath: /tmp/backup-credentials
           readOnly: true
+        - name: encryption-key
+          mountPath: /tmp/encryption-key
+          readOnly: true
       securityContext:
         fsGroup: 4059
         runAsGroup: 4059
@@ -339,6 +342,9 @@ spec:
       - name: backup-credentials
         secret:
           secretName: {{ .BackupSecretName }}
+      - name: encryption-key
+        secret:
+          secretName: {{ .EncryptionKeySecretName }}
       - name: fdb-certs
         secret:
           secretName: {{ .SecretName }}
@@ -459,6 +465,9 @@ spec:
         - name: backup-credentials
           mountPath: /tmp/backup-credentials
           readOnly: true
+        - name: encryption-key
+          mountPath: /tmp/encryption-key
+          readOnly: true
       securityContext:
         fsGroup: 4059
         runAsGroup: 4059
@@ -473,6 +482,9 @@ spec:
       - name: backup-credentials
         secret:
           secretName: {{ .BackupSecretName }}
+      - name: encryption-key
+        secret:
+          secretName: {{ .EncryptionKeySecretName }}
       - name: fdb-certs
         secret:
           secretName: {{ .SecretName }}
@@ -505,6 +517,8 @@ type operatorConfig struct {
 	SecretName string
 	// BackupSecretName represents the secret that should be used to communicate with the backup blobstore.
 	BackupSecretName string
+	// EncryptionKeySecretName represents the secret that contains the encryption key for backup operations.
+	EncryptionKeySecretName string
 	// SidecarVersions represents the sidecar configurations for different FoundationDB versions.
 	SidecarVersions []SidecarConfig
 	// Namespace represents the namespace for the Deployment and all associated resources
@@ -602,10 +616,11 @@ func (factory *Factory) getOperatorConfig(namespace string) *operatorConfig {
 	}
 
 	return &operatorConfig{
-		OperatorImage:         factory.GetOperatorImage(),
-		SecretName:            factory.GetSecretName(),
-		BackupSecretName:      factory.GetBackupSecretName(),
-		Namespace:             namespace,
+		OperatorImage:           factory.GetOperatorImage(),
+		SecretName:              factory.GetSecretName(),
+		BackupSecretName:        factory.GetBackupSecretName(),
+		EncryptionKeySecretName: factory.GetEncryptionKeySecretName(),
+		Namespace:               namespace,
 		SidecarVersions:       factory.GetSidecarConfigs(),
 		ImagePullPolicy:       factory.getImagePullPolicy(),
 		CPURequests:           cpuRequests,

e2e/fixtures/fdb_restore.go

@@ -60,6 +60,7 @@ func (factory *Factory) CreateRestoreForCluster(
 				BlobStoreConfiguration: backup.backup.Spec.BlobStoreConfiguration,
 				CustomParameters:       backup.backup.Spec.CustomParameters,
 				BackupVersion:          backupVersion,
+				EncryptionKeyPath:      backup.backup.Spec.EncryptionKeyPath,
 			},
 		},
 		fdbCluster: backup.fdbCluster,

e2e/fixtures/kubernetes_fixtures.go

@@ -156,6 +156,9 @@ func (factory *Factory) createNamespace(suffix string) string {
 	}
 	gomega.Expect(factory.CreateIfAbsent(backupCredentials)).NotTo(gomega.HaveOccurred())
 
+	// Create the encryption key secret for backup encryption operations.
+	factory.CreateEncryptionKeySecret(namespace)
+
 	factory.ensureRBACSetupExists(namespace)
 	gomega.Expect(factory.ensureFDBOperatorExists(namespace)).ToNot(gomega.HaveOccurred())
 	log.Printf("using namespace %s for testing", namespace)

e2e/test_operator_backups/operator_backup_test.go

@@ -141,6 +141,34 @@ var _ = Describe("Operator Backup", Label("e2e", "pr"), func() {
 			})
 		})
 
+		When("the default backup system is used with encryption", func() {
+			BeforeEach(func() {
+				log.Println("creating backup for cluster")
+				backup = factory.CreateBackupForCluster(
+					fdbCluster,
+					&fixtures.FdbBackupConfiguration{
+						BackupType:        ptr.To(fdbv1beta2.BackupTypeDefault),
+						EncryptionEnabled: true,
+					},
+				)
+				keyValues = fdbCluster.GenerateRandomValues(10, prefix)
+				fdbCluster.WriteKeyValues(keyValues)
+				backup.WaitForRestorableVersion(fdbCluster.GetClusterVersion())
+				backup.Stop()
+				fdbCluster.ClearRange([]byte{prefix}, 60)
+			})
+
+			When("no restorable version is specified", func() {
+				BeforeEach(func() {
+					restore = factory.CreateRestoreForCluster(backup, nil)
+				})
+
+				It("should restore the cluster successfully with a restorable version", func() {
+					Expect(fdbCluster.GetRange([]byte{prefix}, 25, 60)).Should(Equal(keyValues))
+				})
+			})
+		})
+
 		When("the partitioned backup system is used", func() {
 			BeforeEach(func() {
 				// Versions before 7.4 have a few issues and will not work properly with the experimental feature.