[Efs encryption][Draft] Support HeadNode Efs SharedStorage Encryption #6914
Conversation
…into efs-encryption
… check that SharedStorageEfsSettings can only be used when SharedStorageType is specified as Efs
…Validator's behavior and registration
…into efs-encryption
…er into efs-encryption
|
Please mention that Integ tests that you will modify is ONGOING |
…d `SharedStorageEfsSettingsSchema` class to make them clearer.
…into efs-encryption
…validator and unit test
…er into efs-encryption
…y from _add_resources to decrease complexity
…ster_config_limits unit test
|
LGTM! As discussed will wait for the Integ tests changes before we merge the PR |
| @@ -22,7 +22,8 @@ | |||
| from aws_cdk.aws_ec2 import CfnSecurityGroup | |||
| from aws_cdk.core import CfnOutput, CfnResource, Construct, Fn, Stack | |||
|
|
|||
| from pcluster.config.cluster_config import AwsBatchClusterConfig, CapacityType, SharedStorageType | |||
| from pcluster.config.cluster_config import AwsBatchClusterConfig, CapacityType | |||
| from pcluster.config.common import SharedStorageType | |||
There was a problem hiding this comment.
Here and in other part of the PR.
This change is motivated by a refactoring, unrelated to the main goal of this PR.
A best practice is to keep the PR minimal and avoid refactoring on components that are out of scope for the main goal. The refactoring you're suggesting here is correct, but I suggest to do it in a follow up PR.
| if self.config.head_node.shared_storage_efs_settings: | ||
| encrypted = self.config.head_node.shared_storage_efs_settings.encrypted | ||
| else: | ||
| encrypted = False |
There was a problem hiding this comment.
[Single Responsibility / Maintainability] The resource SharedStorageEfsSettings should be the only responsible to determine the default value of the encryption. To this aim, you should define the default value into a constant SharedStorageEfsSettings .DEFAULT_ENCRYPTION and reference the constant here. In this way we do not risk to scatter default values in different places. This prevent scattering responsibilities in different places, makes the code easier to maintain as it avoids code duplications and risk of misalignments.
| else: | ||
| encrypted = False | ||
| internal_efs_storage_shared = SharedEfs( | ||
| mount_dir="/opt/parallelcluster/init_shared", |
There was a problem hiding this comment.
Why init_shared and not, for example, shared? I know this was already in the code, but do we have an understanding about it?
| def _validate(self, shared_storage_type: str, shared_storage_efs_settings): | ||
| if shared_storage_efs_settings and shared_storage_type.lower() != SharedStorageType.EFS.value: | ||
| self._add_failure( | ||
| "SharedStorageEfsSettings is specified " |
There was a problem hiding this comment.
The error message can be simplified to SharedStorageEfsSettings can only be used when SharedStorageType is {SharedStorageType.EFS.value.capitalize()}.
I suggest to use the capitalize because, even if we are able to handle both Efs and efs as values, in our public doc we always use capitalized strings.
| @@ -392,6 +395,10 @@ def test_slurm_validators_are_called_with_correct_argument(test_datadir, mocker) | |||
| ], | |||
| any_order=True, | |||
| ) | |||
| shared_storage_efs_settings_validator.assert_has_calls( | |||
| [call(shared_storage_type="Ebs", shared_storage_efs_settings=None)], | |||
There was a problem hiding this comment.
[Test] This unit test would make mnore sense if we use a configuration that inject both shared_storage_type and shared_storage_efs_settings into the validators, otherwise you could have the doubt that there exists cases where shared_storage_efs_settings is not injected.
My suggestion is to cover two scenarios:
- default case (the one you did):
shared_storage_type=Ebsandshared_storage_efs_settingsis not set - case where shared_storage_efs_settings is injected:
shared_storage_type=Efsandshared_storage_efs_settingsis set.
| @@ -2075,6 +2076,50 @@ def test_mixed_security_group_overwrite_validator(head_node_security_groups, que | |||
| assert_failure_messages(actual_failures, expected_message) | |||
|
|
|||
|
|
|||
| @pytest.mark.parametrize( | |||
There was a problem hiding this comment.
[Test] It's a best practice to define test cases with a self-explanatory id. This improves readability and troubleshooting.
See example:
| mount_dir="/opt/parallelcluster/init_shared", | ||
| name="internal_pcluster_shared", | ||
| throughput_mode="elastic", | ||
| encrypted=encrypted, |
There was a problem hiding this comment.
[Test] We should capture this property in a unit test. the unit test should verify that when encrypted is specified in the cluster config, then the cluster template has the EFS resource with that property set to the expected value.
See example:
aws-parallelcluster/cli/tests/pcluster/templates/test_cluster_stack.py
Lines 217 to 249 in bf22eba
Description of changes
SharedStorageEfsSettingssection under theHeadNodesection to include all settings related to Efs shared storageEncryptedparameter under theSharedStorageEfsSettingssection to allow users to specify encryption for EFS shared storageSharedStorageEfsSettingsValidatorto verify thatSharedStorageEfsSettingsshould only be used whenSharedStorageTypeis EfsTests
test_shared_storage_efs_settings_validatorto test the behavior ofSharedStorageEfsSettingsValidatortest_internal_efsandtest_shared_hometo verify EFS encryptionReferences
Checklist
developadd the branch name as prefix in the PR title (e.g.[release-3.6]).Please review the guidelines for contributing and Pull Request Instructions.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.