helm: support encryption config in ceph-csi-cephfs chart #4531
Conversation
|
Let me know if you would need me to update the |
mergify
bot
added
the
component/deployment
acolombier
force-pushed
the
feat/native-encryption-support
branch
2 times, most recently
from
80ba8b1
to
1dd0f21
Compare
| @@ -30,6 +30,19 @@ serviceAccounts: | |||
| # netNamespaceFilePath: "{{ .kubeletDir }}/plugins/{{ .driverName }}/net" | |||
| csiConfig: [] | |||
|
|
|||
| # Configuration for the encryption KMS | |||
| # Ref: https://github.com/ceph/ceph-csi/blob/devel/docs/deploy-cephfs.md#cephfs-volume-encryption | |||
There was a problem hiding this comment.
this line seems to be too long (ci job)
There was a problem hiding this comment.
Is it okay for me to break the link into two lines? Or perhaps I should add lint silencer for this line? What is the suggestion?
There was a problem hiding this comment.
Adding a lint silencer for that line is fine. Breaking the URL over multiple lines isn't that clean.
There was a problem hiding this comment.
This line directly above the URL should work:
# yamllint disable-line rule:line-length
d8ff294
to
2f39774
Compare
acolombier
force-pushed
the
feat/native-encryption-support
branch
from
2f39774
to
923b160
Compare
|
|
acolombier
force-pushed
the
feat/native-encryption-support
branch
from
923b160
to
b8bba0d
Compare
|
Apologies for missing this previously @nixpanic . Is it expected that the pre-commit check doesn't run any of the checkers? Or is my local setup flawed? |
I don't think pre-commit runs all the checks. I usually run |
| @@ -3,6 +3,7 @@ kind: ClusterRole | |||
| apiVersion: rbac.authorization.k8s.io/v1 | |||
| metadata: | |||
| name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }} | |||
| namespace: {{ .Release.Namespace }} | |||
There was a problem hiding this comment.
we dont need namespace for clusterRole
| @@ -0,0 +1,21 @@ | |||
| {{- if .Values.rbac.create -}} | |||
| {{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace .Values.encryptionKMSConfig.secretName (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace) -}} | |||
| kind: Role | |||
There was a problem hiding this comment.
we dont need Role and Role Binding right? we need to have access to secrets in different namespaces as well. i don't see Role https://github.com/ceph/ceph-csi/tree/devel/deploy/cephfs/kubernetes, am i missing anything?
There was a problem hiding this comment.
The idea was to downgrade the ClusterRole to just a Role in case the configured secret in encryptionKMSConfig was local to the namespace. This was done to help with least privileged and limit the access to secret as much as possible. Happy to remove if you think this is overkill. Arguably, users who want least privileged roles can create manage the RBAC themselves
There was a problem hiding this comment.
Ceph-CSI components which reads the Secrets are usually running in a different namespace than the namespace where Secrets for applications have their encryption key. Ceph-CSI needs to read the Secret from a different namespace than where it is running/mounting the PV.
There was a problem hiding this comment.
In this case, it will create the ClusterRole automatically. The logic at line 2 is if encryptionKMSConfig.secretNamespace == Release.Namespace, then create a Role instead of adding secret:read to the ClusterRole.
There was a problem hiding this comment.
Happy to scratch that optimisation, and create RBAC myself! But just thought it would be a harmless optimisation to put in
There was a problem hiding this comment.
I think the optimization is nice to have, specially if users (like yourself) will benefit from it. Maybe document it, or explain it in a comment, and add it to the rbd chart too?
There was a problem hiding this comment.
No problem, I will put some comments in the README. I'll try to see if I can add it the the rbd too, is it okay if I do so in another PR tho? I seem to recall than encryptionKMSConfig doesn't work exactly the same and so it might be best to split the changes if that's okay with you?
There was a problem hiding this comment.
Thanks! Yes, a 2nd PR is fine for the RBD enhancement.
There was a problem hiding this comment.
I have slightly reworked the logic behind it to enforce determinism and added a some documentation in the REAMDE.md. I'd be nice if you could tell me how that looks, and if you like it, I can spin up a PR with the same feature for RBD.
acolombier
force-pushed
the
feat/native-encryption-support
branch
from
58ac9c4
to
7849b15
Compare
|
Not sure what is going on with Edit my commit to fix mdlint - sorry @Madhu-1 |
|
@acolombier can you please rebase the PR on top of devel branch? |
acolombier
force-pushed
the
feat/native-encryption-support
branch
from
7849b15
to
4fa3d47
Compare
|
Done @Madhu-1 |
|
@Mergifyio rebase |
this chart currently lack the ability to properly configure encryption, as well as granting sufficent permission to allow controllers to access secret when needed. Signed-off-by: Antoine C <hi@acolombier.dev>
this allows the encryption KMS config to be granted secret access with a least privilges policy. Signed-off-by: Antoine C <hi@acolombier.dev>
Madhu-1
force-pushed
the
feat/native-encryption-support
branch
from
4fa3d47
to
f78e8ee
Compare
✅ Branch has been successfully rebased |
This PR adds encryption configuration to the
cephfs-csichart, similarly to the RBD one,This fixes permission missing when using the
kubernetesKMSRelated issues
Fixes: ##4470
Checklist:
guidelines in the developer
guide.
Request
notes
updated with breaking and/or notable changes for the next major release.
Show available bot commands
These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:
/retest ci/centos/<job-name>: retest the<job-name>after unrelatedfailure (please report the failure too!)