helm: support encryption config in ceph-csi-cephfs chart #4531
Conversation
|
Let me know if you would need me to update the |
mergify
bot
added
the
component/deployment
acolombier
force-pushed
the
feat/native-encryption-support
branch
2 times, most recently
from
80ba8b1
to
1dd0f21
Compare
acolombier
force-pushed
the
feat/native-encryption-support
branch
from
d8ff294
to
2f39774
Compare
acolombier
force-pushed
the
feat/native-encryption-support
branch
from
2f39774
to
923b160
Compare
|
|
acolombier
force-pushed
the
feat/native-encryption-support
branch
from
923b160
to
b8bba0d
Compare
|
Apologies for missing this previously @nixpanic . Is it expected that the pre-commit check doesn't run any of the checkers? Or is my local setup flawed? |
I don't think pre-commit runs all the checks. I usually run |
| @@ -3,6 +3,7 @@ kind: ClusterRole | |||
| apiVersion: rbac.authorization.k8s.io/v1 | |||
| metadata: | |||
| name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }} | |||
| namespace: {{ .Release.Namespace }} | |||
There was a problem hiding this comment.
we dont need namespace for clusterRole
| @@ -0,0 +1,21 @@ | |||
| {{- if .Values.rbac.create -}} | |||
| {{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace .Values.encryptionKMSConfig.secretName (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace) -}} | |||
| kind: Role | |||
There was a problem hiding this comment.
we dont need Role and Role Binding right? we need to have access to secrets in different namespaces as well. i don't see Role https://github.com/ceph/ceph-csi/tree/devel/deploy/cephfs/kubernetes, am i missing anything?
There was a problem hiding this comment.
The idea was to downgrade the ClusterRole to just a Role in case the configured secret in encryptionKMSConfig was local to the namespace. This was done to help with least privileged and limit the access to secret as much as possible. Happy to remove if you think this is overkill. Arguably, users who want least privileged roles can create manage the RBAC themselves
There was a problem hiding this comment.
Ceph-CSI components which reads the Secrets are usually running in a different namespace than the namespace where Secrets for applications have their encryption key. Ceph-CSI needs to read the Secret from a different namespace than where it is running/mounting the PV.
There was a problem hiding this comment.
In this case, it will create the ClusterRole automatically. The logic at line 2 is if encryptionKMSConfig.secretNamespace == Release.Namespace, then create a Role instead of adding secret:read to the ClusterRole.
There was a problem hiding this comment.
Happy to scratch that optimisation, and create RBAC myself! But just thought it would be a harmless optimisation to put in
There was a problem hiding this comment.
I have slightly reworked the logic behind it to enforce determinism and added a some documentation in the REAMDE.md. I'd be nice if you could tell me how that looks, and if you like it, I can spin up a PR with the same feature for RBD.
There was a problem hiding this comment.
@nixpanic it'd be great if you could let me know your though on this
There was a problem hiding this comment.
@acolombier @nixpanic is on PTO will be back 1st week of Jun, do you want me to block this PR until he is back to confirm on this?
There was a problem hiding this comment.
Up to you! If it is ready to be merged, happy to do so too, and I'll wait and see if @nixpanic likes this approach for RBD and I can make the PR then
There was a problem hiding this comment.
@nixpanic friendly ping in case you missed the notification :)
acolombier
force-pushed
the
feat/native-encryption-support
branch
from
58ac9c4
to
7849b15
Compare
|
Not sure what is going on with Edit my commit to fix mdlint - sorry @Madhu-1 |
|
@acolombier can you please rebase the PR on top of devel branch? |
acolombier
force-pushed
the
feat/native-encryption-support
branch
from
7849b15
to
4fa3d47
Compare
|
Done @Madhu-1 |
|
@Mergifyio rebase |
|
/test ci/centos/mini-e2e-helm/k8s-1.30 |
|
/test ci/centos/mini-e2e-helm/k8s-1.31 |
|
/test ci/centos/upgrade-tests-rbd |
|
/test ci/centos/k8s-e2e-external-storage/1.29 |
|
/test ci/centos/mini-e2e/k8s-1.30 |
|
/test ci/centos/mini-e2e/k8s-1.31 |
|
/test ci/centos/mini-e2e-helm/k8s-1.29 |
|
/test ci/centos/mini-e2e/k8s-1.29 |
|
Thanks for not letting the PR die @nixpanic ! Let me know how/if I can fix those tests! |
|
/retest ci/centos/mini-e2e-helm/k8s-1.29 |
It seems to go wrong with the cephfs provisioner deployment, and maybe other parts. I suspect something sneaked in the helm charts that causes some problematic yaml generation. Probably this: |
mergify
bot
dismissed stale reviews from Madhu-1 and nixpanic
Pull request has been modified.
|
Thanks for the tip @nixpanic - indeed, as I tried to unify the way encryption works with the RBD chart, I forgot some chart values from there. Should be ready for testing now! Will squash once the test passes if that's okay with you. |
|
/test ci/centos/mini-e2e-helm/k8s-1.29 |
@acolombier, the install-helm.sh script fails to install RBD driver. Could you please include the change to delete the configMap ceph-csi/scripts/install-helm.sh Lines 187 to 191 in cea8bf8 |
|
Done @iPraveenParihar ! |
|
/test ci/centos/mini-e2e-helm/k8s-1.29 |
|
the helm test passed 🎉 |
|
@acolombier, can you please squash your |
this chart currently lack the ability to properly configure encryption, as well as granting sufficent permission to allow controllers to access secret when needed. Signed-off-by: Antoine C <[email protected]>
this allows the encryption KMS config to be granted secret access with a least privilges policy. Signed-off-by: Antoine C <[email protected]>
acolombier
force-pushed
the
feat/native-encryption-support
branch
from
ce39f32
to
fa2c0f6
Compare
|
Done! |
mergify
bot
dismissed
iPraveenParihar’s stale review
Pull request has been modified.
This PR adds encryption configuration to the
cephfs-csichart, similarly to the RBD one,This fixes permission missing when using the
kubernetesKMSRelated issues
Fixes: ##4470
Checklist:
guidelines in the developer
guide.
Request
notes
updated with breaking and/or notable changes for the next major release.
Show available bot commands
These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:
/retest ci/centos/<job-name>: retest the<job-name>after unrelatedfailure (please report the failure too!)