From 8a28ff6cebf22a30fa1bb54541b321436221e2f9 Mon Sep 17 00:00:00 2001 From: Christopher Wilcox Date: Thu, 27 May 2021 11:43:57 -0700 Subject: [PATCH] test: different integration tests have different restrictions on KMS key location (#4184) --- CONTRIBUTING.md | 11 ++++++++++- internal/kokoro/continuous.sh | 3 ++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1d7870fa6d5d..ee9846363ae7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -136,6 +136,9 @@ As part of the setup that follows, the following variables will be configured: - `GCLOUD_TESTS_GOLANG_KEYRING`: The full name of the keyring for the tests, in the form "projects/P/locations/L/keyRings/R". The creation of this is described below. +- `GCLOUD_TESTS_BIGTABLE_KEYRING`: The full name of the keyring for the bigtable tests, +in the form +"projects/P/locations/L/keyRings/R". The creation of this is described below. Expected to be single region. - `GCLOUD_TESTS_GOLANG_ZONE`: Compute Engine zone. Install the [gcloud command-line tool][gcloudcli] to your machine and use it to @@ -172,6 +175,7 @@ $ gcloud beta spanner instances create go-integration-test --config regional-us- $ export MY_KEYRING=some-keyring-name $ export MY_LOCATION=global +$ export MY_SINGLE_LOCATION=us-central1 # Creates a KMS keyring, in the same location as the default location for your # project's buckets. $ gcloud kms keyrings create $MY_KEYRING --location $MY_LOCATION 
@@ -182,10 +186,15 @@ $ gcloud kms keys create key2 --keyring $MY_KEYRING --location $MY_LOCATION --pu $ export GCLOUD_TESTS_GOLANG_KEYRING=projects/$GCLOUD_TESTS_GOLANG_PROJECT_ID/locations/$MY_LOCATION/keyRings/$MY_KEYRING # Authorizes Google Cloud Storage to encrypt and decrypt using key1. $ gsutil kms authorize -p $GCLOUD_TESTS_GOLANG_PROJECT_ID -k $GCLOUD_TESTS_GOLANG_KEYRING/cryptoKeys/key1 + +# Create KMS Key in one region for Bigtable +$ gcloud kms keys create key1 --keyring $MY_KEYRING --location $MY_SINGLE_LOCATION --purpose encryption +# Sets the GCLOUD_TESTS_BIGTABLE_KEYRING environment variable. +$ export GCLOUD_TESTS_BIGTABLE_KEYRING=projects/$GCLOUD_TESTS_GOLANG_PROJECT_ID/locations/$MY_SINGLE_LOCATION/keyRings/$MY_KEYRING # Authorizes Google Cloud Bigtable to encrypt and decrypt using key1 $ gcloud kms keys add-iam-policy-binding key1 \ --keyring $MY_KEYRING \ - --location $MY_LOCATION \ + --location $MY_SINGLE_LOCATION \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter \ --member "${GCLOUD_TESTS_GOLANG_PROJECT_ID}@${GCLOUD_TESTS_GOLANG_PROJECT_ID}.iam.gserviceaccount.com" \ --project $GCLOUD_TESTS_GOLANG_PROJECT_ID diff --git a/internal/kokoro/continuous.sh b/internal/kokoro/continuous.sh index 1b6b670820eb..82a86b1c41c1 100755 --- a/internal/kokoro/continuous.sh +++ b/internal/kokoro/continuous.sh 
@@ -34,12 +34,13 @@ export GCLOUD_TESTS_GOLANG_KEY=$GOOGLE_APPLICATION_CREDENTIALS export GCLOUD_TESTS_GOLANG_FIRESTORE_PROJECT_ID=gcloud-golang-firestore-tests export GCLOUD_TESTS_GOLANG_FIRESTORE_KEY=$KOKORO_KEYSTORE_DIR/72523_go_firestore_integration_service_account export GCLOUD_TESTS_API_KEY=`cat $KOKORO_KEYSTORE_DIR/72523_go_gcloud_tests_api_key` -export GCLOUD_TESTS_GOLANG_KEYRING=projects/dulcet-port-762/locations/us-central1/keyRings/go-integration-test +export GCLOUD_TESTS_GOLANG_KEYRING=projects/dulcet-port-762/locations/us/keyRings/go-integration-test export GCLOUD_TESTS_GOLANG_PROFILER_ZONE="us-west1-b" # Bigtable integration tests expect an existing instance and cluster # ❯ cbt createinstance gcloud-bt-it-tests-instance "Bigtable IT Instance" \ # gcloud-bt-it-tests-cluster us-west1-b 1 SSD +export GCLOUD_TESTS_BIGTABLE_KEYRING=projects/dulcet-port-762/locations/us-central1/keyRings/go-integration-test export GCLOUD_TESTS_BIGTABLE_CLUSTER="gcloud-bt-it-tests-cluster" export GCLOUD_TESTS_BIGTABLE_INSTANCE="gcloud-bt-it-tests-instance"
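Review bot: The new `GCLOUD_TESTS_BIGTABLE_KEYRING` export sits directly under the `cbt createinstance` comment, which describes a cluster in us-west1-b, while the keyring it names is in us-central1, and nothing in the hunk explains the difference. Bigtable CMEK requires the KMS key to be in the same region as the cluster it protects, so presumably the CMEK test creates its own cluster in us-central1, but that is not visible here. I would move the export above the instance comment and give it its own note, e.g. `# Single-region keyring for Bigtable CMEK tests; the key must be in the region of the cluster the test creates.` The `GCLOUD_TESTS_GOLANG_KEYRING` change to `locations/us` in the same hunk likewise assumes that a keyring with the test keys and the Storage authorization already exists at that location, and a one-line comment recording this would help whoever has to rebuild the CI project.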