Add LUKS v2 tests

We currently have cryptsetup and LUKS v1 tests, but we are missing LUKS
v2 tests.

Code paths for LUKS v1 and LUKS v2 are different, because Nova uses
libvirt to decode LUKS v1 volumes but os-brick to decode LUKS v2
volumes.

This means that not only the attach process is different, but also some
features such as extend volume, so one of them may work while the other
doesn't.

This patch adds LUKS v2 encryption tests for all backends except for RBD
volumes, because they are not connected to the host but directly through
libvirt, so they can only use LUKS v1.

Depends-On: Ia1411f11ec4bf44af6a42d5f96c8a0903846ed66
Depends-On: I351f1a7769c9f915e4cd280f05a8b8b87f40df84
Related-Bug: #1967157
Change-Id: I40c518c3a3e760867efd6b6338fa9c16945b28c4

2 files changed, 37 insertions, 8 deletions

diff --git a/tempest/scenario/test_encrypted_cinder_volumes.py b/tempest/scenario/test_encrypted_cinder_volumes.py
index 6ee9f28a0..9788e1900 100644
--- a/tempest/scenario/test_encrypted_cinder_volumes.py
+++ b/tempest/scenario/test_encrypted_cinder_volumes.py
@@ -13,6 +13,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import testtools
+
 from tempest.common import utils
 from tempest import config
 from tempest.lib import decorators
@@ -27,7 +29,7 @@ class TestEncryptedCinderVolumes(manager.EncryptionScenarioTest):
 
     This test is for verifying the functionality of encrypted cinder volumes.
 
-    For both LUKS and cryptsetup encryption types, this test performs
+    For both LUKS (v1 & v2) and cryptsetup encryption types, this test performs
     the following:
 
     * Boots an instance from an image (CONF.compute.image_ref)
@@ -55,11 +57,24 @@ class TestEncryptedCinderVolumes(manager.EncryptionScenarioTest):
     @decorators.attr(type='slow')
     @utils.services('compute', 'volume', 'image')
     def test_encrypted_cinder_volumes_luks(self):
+        """LUKs v1 decrypts volume through libvirt."""
         server = self.launch_instance()
         volume = self.create_encrypted_volume('luks',
                                               volume_type='luks')
         self.attach_detach_volume(server, volume)
 
+    @decorators.idempotent_id('7abec0a3-61a0-42a5-9e36-ad3138fb38b4')
+    @testtools.skipIf(CONF.volume.storage_protocol == 'ceph',
+                      'Ceph only supports LUKSv2 if doing host attach.')
+    @decorators.attr(type='slow')
+    @utils.services('compute', 'volume', 'image')
+    def test_encrypted_cinder_volumes_luksv2(self):
+        """LUKs v2 decrypts volume through os-brick."""
+        server = self.launch_instance()
+        volume = self.create_encrypted_volume('luks2',
+                                              volume_type='luksv2')
+        self.attach_detach_volume(server, volume)
+
     @decorators.idempotent_id('cbc752ed-b716-4717-910f-956cce965722')
     @decorators.attr(type='slow')
     @utils.services('compute', 'volume', 'image')
diff --git a/tempest/scenario/test_volume_boot_pattern.py b/tempest/scenario/test_volume_boot_pattern.py
index 5a5cc2704..2e87c159b 100644
--- a/tempest/scenario/test_volume_boot_pattern.py
+++ b/tempest/scenario/test_volume_boot_pattern.py
@@ -246,14 +246,10 @@ class TestVolumeBootPattern(manager.EncryptionScenarioTest):
         # Assert that the underlying volume is gone.
         self.volumes_client.wait_for_resource_deletion(volume_origin['id'])
 
-    @decorators.idempotent_id('cb78919a-e553-4bab-b73b-10cf4d2eb125')
-    @testtools.skipUnless(CONF.compute_feature_enabled.attach_encrypted_volume,
-                          'Encrypted volume attach is not supported')
-    @utils.services('compute', 'volume')
-    def test_boot_server_from_encrypted_volume_luks(self):
+    def _do_test_boot_server_from_encrypted_volume_luks(self, provider):
         # Create an encrypted volume
-        volume = self.create_encrypted_volume('luks',
-                                              volume_type='luks')
+        volume = self.create_encrypted_volume(provider,
+                                              volume_type=provider)
 
         self.volumes_client.set_bootable_volume(volume['id'], bootable=True)
 
@@ -266,3 +262,21 @@ class TestVolumeBootPattern(manager.EncryptionScenarioTest):
         server_info = self.servers_client.show_server(server['id'])['server']
         created_volume = server_info['os-extended-volumes:volumes_attached']
         self.assertEqual(volume['id'], created_volume[0]['id'])
+
+    @decorators.idempotent_id('cb78919a-e553-4bab-b73b-10cf4d2eb125')
+    @testtools.skipUnless(CONF.compute_feature_enabled.attach_encrypted_volume,
+                          'Encrypted volume attach is not supported')
+    @utils.services('compute', 'volume')
+    def test_boot_server_from_encrypted_volume_luks(self):
+        """LUKs v1 decrypts volume through libvirt."""
+        self._do_test_boot_server_from_encrypted_volume_luks('luks')
+
+    @decorators.idempotent_id('5ab6100f-1b31-4dd0-a774-68cfd837ef77')
+    @testtools.skipIf(CONF.volume.storage_protocol == 'ceph',
+                      'Ceph only supports LUKSv2 if doing host attach.')
+    @testtools.skipUnless(CONF.compute_feature_enabled.attach_encrypted_volume,
+                          'Encrypted volume attach is not supported')
+    @utils.services('compute', 'volume')
+    def test_boot_server_from_encrypted_volume_luksv2(self):
+        """LUKs v2 decrypts volume through os-brick."""
+        self._do_test_boot_server_from_encrypted_volume_luks('luks2')