helm: support encryption config in ceph-csi-cephfs chart #4531

Open. Wants to merge 2 commits into base: devel

Conversation

acolombier (Author)

This PR adds encryption configuration to the cephfs-csi chart, similarly to the RBD one.

This fixes missing permissions when using the Kubernetes KMS.

Related issues

Fixes: #4470

Checklist:

  • Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide.
  • Reviewed the developer guide on Submitting a Pull Request
  • [?] Pending release notes updated with breaking and/or notable changes for the next major release.
  • Documentation has been updated, if necessary.
  • [-] Unit tests have been added, if necessary.
  • [-] Integration tests have been added, if necessary.

Show available bot commands

These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:

  • /retest ci/centos/<job-name>: retest the <job-name> after unrelated
    failure (please report the failure too!)

@acolombier (Author)

Let me know if you would need me to update the Pending release notes for this PR

@mergify mergify bot added the component/deployment Helm chart, kubernetes templates and configuration Issues/PRs label Apr 1, 2024
@acolombier acolombier force-pushed the feat/native-encryption-support branch 2 times, most recently from 80ba8b1 to 1dd0f21 Compare April 1, 2024 23:16
@nixpanic (Member) left a comment:

minor changes needed to pass CI/yamllint

charts/ceph-csi-cephfs/values.yaml (resolved)
charts/ceph-csi-cephfs/values.yaml (outdated, resolved)
@acolombier acolombier force-pushed the feat/native-encryption-support branch from d8ff294 to 2f39774 Compare April 14, 2024 12:14
@acolombier acolombier force-pushed the feat/native-encryption-support branch from 2f39774 to 923b160 Compare April 15, 2024 21:08
@nixpanic nixpanic added the enhancement New feature or request label Apr 16, 2024
@nixpanic nixpanic requested a review from a team April 16, 2024 07:26
@nixpanic (Member)

yamllint passed, now MarkDown linting needs to be fixed as well...

@acolombier acolombier force-pushed the feat/native-encryption-support branch from 923b160 to b8bba0d Compare April 17, 2024 08:48
@acolombier (Author) commented Apr 17, 2024

Apologies for missing this previously @nixpanic . Is it expected that the pre-commit check doesn't run any of the checkers? Or is my local setup flawed?

@nixpanic (Member)

> Apologies for missing this previously @nixpanic . Is it expected that the pre-commit check doesn't run any of the checkers? Or is my local setup flawed?

I don't think pre-commit runs all the checks. I usually run make containerized-test to check if everything is OK.

nixpanic previously approved these changes Apr 18, 2024
@nixpanic nixpanic requested a review from a team April 18, 2024 07:05
@@ -3,6 +3,7 @@ kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
namespace: {{ .Release.Namespace }}
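Review bot: the added `namespace: {{ .Release.Namespace }}` under `metadata:` has no effect on a ClusterRole, which is cluster-scoped; drop the line so the manifest does not suggest the role is confined to the release namespace when it is not. If the intent is a namespace-confined grant, that is a `Role`, not a `ClusterRole` with a namespace field.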
Collaborator:

we don't need namespace for ClusterRole

@@ -0,0 +1,21 @@
{{- if .Values.rbac.create -}}
{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace .Values.encryptionKMSConfig.secretName (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace) -}}
kind: Role
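Review bot: the `and` chain on the second line of this hunk feeds `.Values.encryptionKMSConfig.secretNamespace` into `eq` even when the KMS block is unset; Go's text/template only short-circuits `and` from Go 1.18 on, so on Helm binaries built with an older Go this renders as an error instead of quietly skipping the Role. Guard the operands, e.g. `{{- $ns := .Values.encryptionKMSConfig.secretNamespace | default "" }}` and compare `$ns`. Since this Role exists only for the in-release-namespace case, also pin it with `resourceNames: [<secretName>]` and make sure the ClusterRole's `secrets` rule is rendered under the negated condition; if both grants are rendered for the same values, the narrower Role buys nothing.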
Collaborator:

we don't need Role and RoleBinding, right? we need to have access to secrets in different namespaces as well. I don't see a Role in https://github.com/ceph/ceph-csi/tree/devel/deploy/cephfs/kubernetes, am I missing anything?

Author:

The idea was to downgrade the ClusterRole to just a Role in case the configured secret in encryptionKMSConfig was local to the namespace. This was done to help with least privilege and limit the access to the secret as much as possible. Happy to remove it if you think this is overkill. Arguably, users who want least-privileged roles can create and manage the RBAC themselves.

Member:

Ceph-CSI components which read the Secrets are usually running in a different namespace than the one where the Secrets for applications have their encryption key. Ceph-CSI needs to read the Secret from a different namespace than where it is running/mounting the PV.

@acolombier (Author) Apr 18, 2024:

In this case, it will create the ClusterRole automatically. The logic at line 2 is: if encryptionKMSConfig.secretNamespace == Release.Namespace, then create a Role instead of adding secret:read to the ClusterRole.
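
As an added illustration of the Role-versus-ClusterRole logic discussed in this thread (an example written for this page, not the PR's own templates), the following single template renders a namespaced Role pinned to one Secret when the KMS Secret lives in the release namespace, and otherwise falls back to a cluster-wide `secrets` rule on the ClusterRole under the negated condition, so the two grants never coexist for the same values. The values keys `encryptionKMSConfig.secretNamespace` and `encryptionKMSConfig.secretName`, `rbac.create` and the `ceph-csi-cephfs.nodeplugin.fullname` helper are taken from the page; the `ceph-csi-cephfs.serviceAccountName.nodeplugin` helper, the `-kms` name suffix and the `nodes` rule are assumptions.

```yaml
# Added example, not the chart's own template. Assumed names: the
# ceph-csi-cephfs.serviceAccountName.nodeplugin helper and the "-kms" suffix.
{{- if .Values.rbac.create }}
{{- $kms := .Values.encryptionKMSConfig | default dict }}
{{- /* default "" keeps eq from comparing a nil value when the KMS block is unset */}}
{{- $ns := $kms.secretNamespace | default "" }}
{{- $name := $kms.secretName | default "" }}
{{- $local := and $ns $name (eq $ns .Release.Namespace) }}
{{- if $local }}
# Case 1: the KMS Secret sits in the release namespace. Grant "get" on that one
# Secret only, through a namespaced Role; nothing cluster-wide is added.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}-kms
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: [{{ $name | quote }}]
    verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}-kms
  namespace: {{ .Release.Namespace }}
subjects:
  - kind: ServiceAccount
    name: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}-kms
  apiGroup: rbac.authorization.k8s.io
---
{{- end }}
# The ClusterRole carries no metadata.namespace: it is cluster-scoped.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
{{- if not $local }}
  # Case 2: the Secret lives in another namespace (or no KMS block is set), so
  # the read has to be cluster-wide. When the name is known, resourceNames still
  # narrows it to Secrets of that name in any namespace. resourceNames only
  # constrains "get"; it cannot restrict "list" or "watch".
  - apiGroups: [""]
    resources: ["secrets"]
    {{- if $name }}
    resourceNames: [{{ $name | quote }}]
    {{- end }}
    verbs: ["get"]
{{- end }}
{{- end }}
```

Rendering this with `helm template` once with `encryptionKMSConfig.secretNamespace` equal to the release namespace and once with a different namespace shows the two shapes: the first produces a Role and RoleBinding plus a ClusterRole without any `secrets` rule, the second produces only the ClusterRole with the cluster-wide `secrets` rule. The ClusterRoleBinding that binds the nodeplugin service account to the ClusterRole is unchanged by this logic and is left out above.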

Author:

Happy to scratch that optimisation and create the RBAC myself! But I just thought it would be a harmless optimisation to put in.

Author:

I have slightly reworked the logic behind it to enforce determinism and added some documentation in the README.md. It'd be nice if you could tell me how that looks, and if you like it, I can spin up a PR with the same feature for RBD.

Author:

@nixpanic it'd be great if you could let me know your thoughts on this

Collaborator:

@acolombier @nixpanic is on PTO and will be back the 1st week of June; do you want me to block this PR until he is back to confirm this?

Author:

Up to you! If it is ready to be merged, I'm happy to do so too, and I'll wait and see if @nixpanic likes this approach for RBD; I can make the PR then.

Author:

@nixpanic friendly ping in case you missed the notification :)

@mergify mergify bot dismissed nixpanic’s stale review May 15, 2024 11:26

Pull request has been modified.

Madhu-1 previously approved these changes May 15, 2024

@Madhu-1 (Collaborator) left a comment:

LGTM, Thanks

@Madhu-1 Madhu-1 requested a review from Rakshith-R May 15, 2024 11:55
@acolombier acolombier force-pushed the feat/native-encryption-support branch from 58ac9c4 to 7849b15 Compare May 15, 2024 12:00
@mergify mergify bot dismissed Madhu-1’s stale review May 15, 2024 12:01

Pull request has been modified.

@acolombier (Author) commented May 15, 2024

Not sure what is going on with commitlint; is that something that needs to be fixed on my end? Do you want me to merge devel?

Edited my commit to fix mdlint, sorry @Madhu-1

@acolombier acolombier requested a review from Madhu-1 May 15, 2024 12:01
@Madhu-1 (Collaborator) commented May 15, 2024

@acolombier can you please rebase the PR on top of devel branch?

@acolombier acolombier force-pushed the feat/native-encryption-support branch from 7849b15 to 4fa3d47 Compare May 15, 2024 12:06
@acolombier (Author)

Done @Madhu-1

@Madhu-1 (Collaborator) commented May 15, 2024

@Mergifyio rebase

@ceph-csi-bot (Collaborator)

/test ci/centos/k8s-e2e-external-storage/1.29

@ceph-csi-bot (Collaborator)

/test ci/centos/mini-e2e/k8s-1.30

@ceph-csi-bot (Collaborator)

/test ci/centos/mini-e2e/k8s-1.31

@ceph-csi-bot (Collaborator)

/test ci/centos/mini-e2e-helm/k8s-1.29

@ceph-csi-bot (Collaborator)

/test ci/centos/mini-e2e/k8s-1.29

@ceph-csi-bot ceph-csi-bot removed the ok-to-test Label to trigger E2E tests label Nov 6, 2024
@acolombier (Author) commented Nov 6, 2024

Thanks for not letting the PR die @nixpanic !

Let me know how/if I can fix those tests!

@iPraveenParihar (Contributor)

/retest ci/centos/mini-e2e-helm/k8s-1.29

@nixpanic (Member) commented Nov 8, 2024

> Let me know how/if I can fix those tests!

It seems to go wrong with the cephfs provisioner deployment, and maybe other parts.

https://jenkins-ceph-csi.apps.ocp.cloud.ci.centos.org/blue/organizations/jenkins/mini-e2e-helm_k8s-1.29/detail/mini-e2e-helm_k8s-1.29/514/pipeline/90

I suspect something sneaked in the helm charts that causes some problematic yaml generation.

Probably this:

Error: INSTALLATION FAILED: Unable to continue with install: could not get information about the resource ConfigMap "" in namespace "cephcsi-e2e-aa06ab4c126c": resource name may not be empty

@mergify mergify bot dismissed stale reviews from Madhu-1 and nixpanic November 9, 2024 18:05

Pull request has been modified.

@acolombier (Author) commented Nov 9, 2024

Thanks for the tip @nixpanic. Indeed, as I tried to unify the way encryption works with the RBD chart, I forgot some chart values from there. Should be ready for testing now!

Will squash once the test passes if that's okay with you.

@iPraveenParihar (Contributor)

/test ci/centos/mini-e2e-helm/k8s-1.29

@iPraveenParihar (Contributor)

Error: INSTALLATION FAILED: Unable to continue with install: ConfigMap "ceph-csi-encryption-kms-config" in namespace "cephcsi-e2e-d1df94a5c755" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "ceph-csi-rbd": current value is "ceph-csi-cephfs"

@acolombier, the install-helm.sh script fails to install the RBD driver. Could you please include the change to delete the configMap ceph-csi-encryption-kms-config in install-helm.sh?

# deleting configmaps as a workaround to avoid configmap already present
# issue when installing ceph-csi-rbd
kubectl_retry delete cm ceph-csi-config --namespace "${NAMESPACE}"
kubectl_retry delete cm ceph-config --namespace "${NAMESPACE}"

@acolombier (Author)

Done @iPraveenParihar !

@iPraveenParihar (Contributor)

/test ci/centos/mini-e2e-helm/k8s-1.29

@iPraveenParihar (Contributor)

the helm test passed 🎉

@iPraveenParihar (Contributor)

@acolombier, can you please squash your fixup! commits?

this chart currently lacks the ability to properly configure encryption,
as well as granting sufficient permission to allow controllers to access
secrets when needed.

Signed-off-by: Antoine C <[email protected]>

this allows the encryption KMS config to be granted secret access with
a least privileges policy.

Signed-off-by: Antoine C <[email protected]>
@acolombier (Author)

Done!

@mergify mergify bot dismissed iPraveenParihar’s stale review November 12, 2024 09:14

Pull request has been modified.

@iPraveenParihar (Contributor)

@Mergifyio queue

mergify bot (Contributor) commented Nov 14, 2024

queue

🛑 The pull request has been removed from the queue default

The pull request can't be updated.

You can take a look at Queue: Embarked in merge queue check runs for more details.

In case of a failure due to a flaky test, you should first retrigger the CI.
Then, re-embark the pull request into the merge queue by posting the comment
@mergifyio refresh on the pull request.
