Install Rust and Cargo for building efs-proxy

Rust and Cargo are required to build efs-utils v2.0.0. I also a TODO to one of our integration tests - now that non-tls mounts are also re-directed to localhost (efs-utils v2), we need a new method of determining whether 'encryptInTransit' is working as expected.
kubernetes-sigs · Apr 15, 2024 · f503354 · f503354
1 parent 0ea48a3
commit f503354
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 9 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -38,7 +38,7 @@ RUN mkdir -p /tmp/rpms && \
     then echo "Installing efs-utils from Amazon Linux 2 yum repo" && \
          yum -y install --downloadonly --downloaddir=/tmp/rpms amazon-efs-utils-1.35.0-1.amzn2.noarch; \
     else echo "Installing efs-utils from github using the latest git tag" && \
-         yum -y install git rpm-build make && \
+         yum -y install git rpm-build make rust cargo openssl-devel && \
          git clone https://github.com/aws/efs-utils && \
          cd efs-utils && \
          git checkout $(git describe --tags $(git rev-list --tags --max-count=1)) && \

diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go
@@ -305,6 +305,11 @@ var _ = ginkgo.Describe("[efs-csi] EFS CSI", func() {
 		})
 
 		testEncryptInTransit := func(f *framework.Framework, encryptInTransit *bool) {
+			// TODO [RyanStan 4-15-24]
+			// Now that non-tls mounts are re-directed to efs-proxy (efs-utils v2),
+			// we need a new method of determining whether encrypt in transit is correctly working.
+			// One way to do this could be to parse the arguments passed to efs-proxy and look for the '--tls' flag.
+
 			ginkgo.By("Creating efs pvc & pv")
 			volumeAttributes := map[string]string{}
 			if encryptInTransit != nil {
@@ -320,20 +325,16 @@ var _ = ginkgo.Describe("[efs-csi] EFS CSI", func() {
 				_ = f.ClientSet.CoreV1().PersistentVolumes().Delete(context.TODO(), pv.Name, metav1.DeleteOptions{})
 			}()
 
-			// If mount.efs is passed option tls, the mount table entry should be...
+			// mount.efs connects the local NFS client to efs-proxy which listens on localhost and forwards NFS operations to EFS.
+			// This occurs for both non-tls and tls mounts.
+			// Therefore, the mount table entry should be
 			// 127.0.0.1:/ on /mnt/volume1 type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,noresvport,proto=tcp,port=20052,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1)
-			// Note the tls option is not actually there. The proof that tls is passed
-			// to mount.efs is the server is 127.0.0.1
 			// (stunnel proxy running on localhost)
 			// instead of the EFS DNS name
 			// (file-system-id.efs.aws-region.amazonaws.com).
 			// Call `mount` alone first to print it for debugging.
+
 			command := "mount && mount | grep /mnt/volume1 | grep 127.0.0.1"
-			if encryptInTransit != nil {
-				if !*encryptInTransit {
-					command = fmt.Sprintf("mount && mount | grep /mnt/volume1 | grep %v", FileSystemId)
-				}
-			}
 			ginkgo.By(fmt.Sprintf("Creating pod to mount pvc %q and run %q", pvc.Name, command))
 			pod := e2epod.MakePod(f.Namespace.Name, nil, []*v1.PersistentVolumeClaim{pvc}, false, command)
 			pod.Spec.RestartPolicy = v1.RestartPolicyNever