add e2e tests

edgeless/tests/README.md

@@ -0,0 +1,38 @@
+# CSI driver e2e tests
+
+Run CSI e2e tests using [`sonobuoy`](https://github.com/vmware-tanzu/sonobuoy/releases/latest).
+
+## Generate test framework
+
+Generate CSI e2e test sonobuoy config:
+
+```shell
+KUBECONFIG=</path/to/kubeconfig`
+sonobuoy gen --e2e-focus='External.Storage' --e2e-skip='\[Disruptive\]' --kubeconfig=${KUBECONFIG} > sonobuoy.yaml
+```
+
+Apply driver patch:
+
+```shell
+patch sonobuoy.yaml < patch.diff
+```
+
+## Running the test suite
+
+Start the test:
+
+```shell
+kubectl apply -f sonobuoy.yaml
+```
+
+Wait for tests to complete:
+
+```shell
+sonobuoy wait
+```
+
+Analyze results:
+
+```shell
+sonobuoy results $(sonobuoy retrieve)
+```

edgeless/tests/patch.diff

@@ -0,0 +1,61 @@
+--- sonobuoy.yaml.old	2023-05-09 08:24:09.470582428 +0000
++++ sonobuoy.yaml	2023-05-15 16:11:05.459165941 +0000
+@@ -64,6 +64,10 @@
+ data:
+   plugin-0.yaml: |-
+     podSpec:
++      volumes:
++      - name: csi-driver-config-volume
++        configMap:
++          name: csi-driver-test-config
+       containers: []
+       nodeSelector:
+         kubernetes.io/os: linux
+@@ -86,7 +90,7 @@
+       - /run_e2e.sh
+       env:
+       - name: E2E_EXTRA_ARGS
+-        value: --progress-report-url=http://localhost:8099/progress
++        value: --progress-report-url=http://localhost:8099/progress --storage.testdriver=/tmp/csi-cfg/driver.yaml
+       - name: E2E_FOCUS
+         value: External.Storage
+       - name: E2E_PARALLEL
+@@ -113,6 +117,8 @@
+       volumeMounts:
+       - mountPath: /tmp/sonobuoy/results
+         name: results
++      - mountPath: /tmp/csi-cfg
++        name: csi-driver-config-volume
+   plugin-1.yaml: |-
+     podSpec:
+       containers: []
+@@ -245,4 +251,28 @@
+     sonobuoy-component: aggregator
+   type: ClusterIP
+ ---
+-
++apiVersion: v1
++kind: ConfigMap
++metadata:
++  name: csi-driver-test-config
++  namespace: sonobuoy
++data:
++  driver.yaml: |
++    StorageClass:
++      FromName: true
++    DriverInfo:
++      Name: cinder.csi.confidential.cloud
++      SupportedFsType:
++        ext2: {}
++        ext3: {}
++        ext4: {}
++        xfs: {}
++      Capabilities:
++        persistence: true
++        block: true
++        exec: true
++        controllerExpansion: true
++        offlineExpansion: true
++        onlineExpansion: false
++        topology: true
++---

edgeless/tests/use.md

@@ -0,0 +1,125 @@
+# Use
+
+## Create a new storage class
+
+The following will create a storage class for the CSI driver.
+
+```shell
+cat <<EOF | kubectl apply -f -
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: encrypted-storage
+provisioner: cinder.csi.confidential.cloud
+volumeBindingMode: WaitForFirstConsumer
+EOF
+```
+
+## Make use of encrypted storage
+
+Now you can create persistent volume claims requesting storage over your newly created storage class.
+The following creates a persistent volume claim using the `encrypted-storage` class, and a Pod mounting said storage into a container:
+
+```shell
+cat <<EOF | kubectl apply -f -
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: podpvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: encrypted-storage
+  resources:
+    requests:
+      storage: 20Gi
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: web-server
+spec:
+  containers:
+   - name: web-server
+     image: nginx
+     volumeMounts:
+       - mountPath: /var/lib/www/html
+         name: mypvc
+  volumes:
+   - name: mypvc
+     persistentVolumeClaim:
+       claimName: podpvc
+       readOnly: false
+EOF
+```
+
+## Enable integrity protection
+
+By default the CSI driver will transparently encrypt all disks staged on the node.
+Optionally, you can configure the driver to also apply integrity protection.
+
+Please note that enabling integrity protection requires wiping the disk before use.
+Disk wipe speeds are largely dependent on IOPS and the performance tier of the disk.
+If you intend to provision large amounts of storage and Pod creation speed is important,
+we recommend requesting high-performance disks.
+
+To enable integrity protection, create a storage class with an explicit file system type request and add the suffix `-integrity`.
+
+```yaml
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: integrity-protected
+provisioner: cinder.csi.confidential.cloud
+volumeBindingMode: WaitForFirstConsumer
+parameters:
+  csi.storage.k8s.io/fstype: ext4-integrity
+```
+
+Please note that [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) is not supported for integrity-protected disks.
+
+## [Optional] Mark the storage class as default
+
+The default storage class is responsible for all persistent volume claims which don't explicitly request `storageClassName`.
+
+1. List the storage classes in your cluster:
+
+    ```shell
+    kubectl get storageclass
+    ```
+
+    The output is similar to this:
+
+    ```shell
+    NAME                   PROVISIONER                        AGE
+    encrypted-storage      cinder.csi.confidential.cloud      1d
+    ```
+
+    The default storage class is marked by `(default)`.
+
+2. Mark old default storage class as non default
+
+    If you previously used another storage class as the default, you will have to remove that annotation:
+
+    ```shell
+    kubectl patch storageclass <name-of-old-default> -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
+    ```
+
+3. Mark new class as the default
+
+    ```shell
+    kubectl patch storageclass encrypted-storage -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
+    ```
+
+4. Verify that your chosen storage class is default:
+
+    ```shell
+    kubectl get storageclass
+    ```
+
+    The output is similar to this:
+
+    ```shell
+    NAME                         PROVISIONER                        AGE
+    encrypted-storage (default)  cinder.csi.confidential.cloud      1d
+    ```