Parametrize tests with pools encryption

rosik · rosik · commit c6a1f20f95aa · 2025-12-05T20:48:46.000+03:00
diff --git a/ydb/tests/functional/tenants/test_auth_system_views.py b/ydb/tests/functional/tenants/test_auth_system_views.py
@@ -57,8 +57,8 @@ def ydb_cluster_configuration():
 
 
 @pytest.fixture(scope='module')
-def ydb_configurator(ydb_cluster_configuration):
-    config_generator = KikimrConfigGenerator(**ydb_cluster_configuration)
+def ydb_configurator(ydb_cluster_configuration_with_encryption_parametrized):
+    config_generator = KikimrConfigGenerator(**ydb_cluster_configuration_with_encryption_parametrized)
     config_generator.yaml_config['auth_config'] = {
         'domain_login_only': False,
     }
diff --git a/ydb/tests/library/fixtures/__init__.py b/ydb/tests/library/fixtures/__init__.py
@@ -167,3 +167,21 @@ def stop_pool():
 #     with Driver(DriverConfig(ydb_endpoint, database_path)) as driver:
 #         with SessionPool(driver) as pool:
 #             yield database_path, pool
+
+
+@pytest.fixture(scope='module', params=[True, False], ids=["encryption_enabled", "encryption_disabled"])
+def encryption_enabled(request):
+    """
+    Parametrized fixture that runs tests with both encryption enabled and disabled.
+    """
+    return request.param
+
+
+@pytest.fixture(scope='module')
+def ydb_cluster_configuration_with_encryption_parametrized(ydb_cluster_configuration, encryption_enabled):
+    """
+    Extended cluster configuration that includes encryption settings based on the parametrized fixture.
+    """
+    config = ydb_cluster_configuration.copy()
+    config['enable_pool_encryption'] = encryption_enabled
+    return config
diff --git a/ydb/tests/library/harness/kikimr_config.py b/ydb/tests/library/harness/kikimr_config.py
@@ -190,7 +190,8 @@ def __init__(
             cms_config=None,
             explicit_statestorage_config=None,
             system_tablets=None,
-            protected_mode=False,
+            protected_mode=False,  # Authentication
+            enable_pool_encryption=False,
             tiny_mode=False,
             module=None,
     ):
@@ -222,6 +223,7 @@ def __init__(
         erasure = Erasure.NONE if erasure is None else erasure
         self.system_tablets = system_tablets
         self.protected_mode = protected_mode
+        self.enable_pool_encryption = enable_pool_encryption
         self.module = module
         self.__grpc_ssl_enable = grpc_ssl_enable or protected_mode
         self.__grpc_tls_data_path = None
@@ -684,6 +686,7 @@ def grpc_tls_ca(self):
     @property
     def domains_txt(self):
         app_config = config_pb2.TAppConfig()
+        assert not self.enable_pool_encryption, "pool encryption isn't addressed in domains.txt"
         Parse(read_binary(__name__, "resources/default_domains.txt"), app_config.DomainsConfig)
         return app_config.DomainsConfig
 
@@ -947,3 +950,8 @@ def __build(self):
         self._add_state_storage_config()
         if not self.use_self_management and not self.explicit_hosts_and_host_configs:
             self._initialize_pdisks_info()
+
+        if self.enable_pool_encryption:
+            for domain in self.yaml_config['domains_config']['domain']:
+                for pool_type in domain['storage_pool_types']:
+                    pool_type['pool_config']['encryption_mode'] = 1
diff --git a/ydb/tests/library/harness/kikimr_runner.py b/ydb/tests/library/harness/kikimr_runner.py
@@ -641,6 +641,18 @@ def __register_slot(self, tenant_affiliation=None, encryption_key=None, seed_nod
             self.nodes[1].grpc_ssl_port if self.__configurator.grpc_ssl_enable
             else self.nodes[1].grpc_port
         )
+
+        if encryption_key is None and self.__configurator.enable_pool_encryption:
+            workdir = os.path.join(self.__configurator.working_dir, self.__cluster_name)
+            slug = tenant_affiliation.replace('/', '_')
+            secret_path = os.path.join(workdir, slug + "_secret.txt")
+            with open(secret_path, "w") as writer:
+                writer.write("fake_secret_data_for_%s" % slug)
+            keyfile_path = os.path.join(workdir, slug + "_key.txt")
+            with open(keyfile_path, "w") as writer:
+                writer.write('Keys { ContainerPath: "%s" Pin: "" Id: "%s" Version: 1 } ' % (secret_path, slug))
+            encryption_key = keyfile_path
+
         self._slots[slot_index] = KiKiMRNode(
             node_id=slot_index,
             config_path=self.config_path,

Original file line number	Diff line number	Diff line change
`@@ -57,8 +57,8 @@ def ydb_cluster_configuration():`
`57`	`57`
`58`	`58`
`59`	`59`	`@pytest.fixture(scope='module')`
`60`		`-def ydb_configurator(ydb_cluster_configuration):`
`61`		`- config_generator = KikimrConfigGenerator(**ydb_cluster_configuration)`
	`60`	`+def ydb_configurator(ydb_cluster_configuration_with_encryption_parametrized):`
	`61`	`+ config_generator = KikimrConfigGenerator(**ydb_cluster_configuration_with_encryption_parametrized)`
`62`	`62`	`config_generator.yaml_config['auth_config'] = {`
`63`	`63`	`'domain_login_only': False,`
`64`	`64`	`}`