From 0e4d455e54b8169e92b24bc775b8afc0d9ec294b Mon Sep 17 00:00:00 2001
From: Praveen M
Date: Wed, 17 Jul 2024 12:31:52 +0530
Subject: [PATCH 1/4] deploy: update CSI sidecar driver-registrar to v2.11.1
Signed-off-by: Praveen M
---
 build.env | 2 +-
 charts/ceph-csi-cephfs/README.md | 2 +-
 charts/ceph-csi-cephfs/values.yaml | 2 +-
 charts/ceph-csi-rbd/README.md | 2 +-
 charts/ceph-csi-rbd/values.yaml | 2 +-
 deploy/cephfs/kubernetes/csi-cephfsplugin.yaml | 2 +-
 deploy/nfs/kubernetes/csi-nfsplugin.yaml | 2 +-
 deploy/rbd/kubernetes/csi-rbdplugin.yaml | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/build.env b/build.env
index 1d7c372d7..76221816e 100644
--- a/build.env
+++ b/build.env
@@ -58,7 +58,7 @@ CSI_ATTACHER_VERSION=v4.6.1
 CSI_SNAPSHOTTER_VERSION=v8.0.1
 CSI_RESIZER_VERSION=v1.11.1
 CSI_PROVISIONER_VERSION=v5.0.1
-CSI_NODE_DRIVER_REGISTRAR_VERSION=v2.10.1
+CSI_NODE_DRIVER_REGISTRAR_VERSION=v2.11.1
 
 # e2e settings
 # - enable CEPH_CSI_RUN_ALL_TESTS when running tests with if it has root
diff --git a/charts/ceph-csi-cephfs/README.md b/charts/ceph-csi-cephfs/README.md
index 323bd7cdc..9ba8e0527 100644
--- a/charts/ceph-csi-cephfs/README.md
+++ b/charts/ceph-csi-cephfs/README.md
@@ -124,7 +124,7 @@ charts and their default values.
 | `nodeplugin.imagePullSecrets` | Specifies imagePullSecrets for containers | `[]` |
 | `nodeplugin.profiling.enabled` | Specifies whether profiling should be enabled | `false` |
 | `nodeplugin.registrar.image.repository` | Node-Registrar image repository URL | `registry.k8s.io/sig-storage/csi-node-driver-registrar` |
-| `nodeplugin.registrar.image.tag` | Image tag | `v2.10.1` |
+| `nodeplugin.registrar.image.tag` | Image tag | `v2.11.1` |
 | `nodeplugin.registrar.image.pullPolicy` | Image pull policy | `IfNotPresent` |
 | `nodeplugin.plugin.image.repository` | Nodeplugin image repository URL | `quay.io/cephcsi/cephcsi` |
 | `nodeplugin.plugin.image.tag` | Image tag | `canary` |
diff --git a/charts/ceph-csi-cephfs/values.yaml b/charts/ceph-csi-cephfs/values.yaml
index b3b7464ab..685cc1983 100644
--- a/charts/ceph-csi-cephfs/values.yaml
+++ b/charts/ceph-csi-cephfs/values.yaml
@@ -110,7 +110,7 @@ nodeplugin:
 registrar:
 image:
 repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
- tag: v2.10.1
+ tag: v2.11.1
 pullPolicy: IfNotPresent
 resources: {}
diff --git a/charts/ceph-csi-rbd/README.md b/charts/ceph-csi-rbd/README.md
index 6ae069d5d..5897841b6 100644
--- a/charts/ceph-csi-rbd/README.md
+++ b/charts/ceph-csi-rbd/README.md
@@ -126,7 +126,7 @@ charts and their default values.
 | `nodeplugin.imagePullSecrets` | Specifies imagePullSecrets for containers | `[]` |
 | `nodeplugin.profiling.enabled` | Specifies whether profiling should be enabled | `false` |
 | `nodeplugin.registrar.image.repository` | Node Registrar image repository URL | `registry.k8s.io/sig-storage/csi-node-driver-registrar` |
-| `nodeplugin.registrar.image.tag` | Image tag | `v2.10.1` |
+| `nodeplugin.registrar.image.tag` | Image tag | `v2.11.1` |
 | `nodeplugin.registrar.image.pullPolicy` | Image pull policy | `IfNotPresent` |
 | `nodeplugin.plugin.image.repository` | Nodeplugin image repository URL | `quay.io/cephcsi/cephcsi` |
 | `nodeplugin.plugin.image.tag` | Image tag | `canary` |
diff --git a/charts/ceph-csi-rbd/values.yaml b/charts/ceph-csi-rbd/values.yaml
index 73367eb9b..4ec49deee 100644
--- a/charts/ceph-csi-rbd/values.yaml
+++ b/charts/ceph-csi-rbd/values.yaml
@@ -139,7 +139,7 @@ nodeplugin:
 registrar:
 image:
 repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
- tag: v2.10.1
+ tag: v2.11.1
 pullPolicy: IfNotPresent
 resources: {}
diff --git a/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml b/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml
index 363824079..f609df6a5 100644
--- a/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml
+++ b/deploy/cephfs/kubernetes/csi-cephfsplugin.yaml
@@ -106,7 +106,7 @@ spec:
 securityContext:
 privileged: true
 allowPrivilegeEscalation: true
- image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1
+ image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
 args:
 - "--v=1"
 - "--csi-address=/csi/csi.sock"
diff --git a/deploy/nfs/kubernetes/csi-nfsplugin.yaml b/deploy/nfs/kubernetes/csi-nfsplugin.yaml
index 1ec01b137..e6c138eff 100644
--- a/deploy/nfs/kubernetes/csi-nfsplugin.yaml
+++ b/deploy/nfs/kubernetes/csi-nfsplugin.yaml
@@ -80,7 +80,7 @@ spec:
 securityContext:
 privileged: true
 allowPrivilegeEscalation: true
- image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1
+ image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
 args:
 - "--v=1"
 - "--csi-address=/csi/csi.sock"
diff --git a/deploy/rbd/kubernetes/csi-rbdplugin.yaml b/deploy/rbd/kubernetes/csi-rbdplugin.yaml
index 2ac61eeb1..0d3dd57c6 100644
--- a/deploy/rbd/kubernetes/csi-rbdplugin.yaml
+++ b/deploy/rbd/kubernetes/csi-rbdplugin.yaml
@@ -116,7 +116,7 @@ spec:
 securityContext:
 privileged: true
 allowPrivilegeEscalation: true
- image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1
+ image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
 args:
 - "--v=1"
 - "--csi-address=/csi/csi.sock"
From 8083a966b69a48ad4afdfd9a661b3539456c8fb3 Mon Sep 17 00:00:00 2001
From: Madhu Rajanna
Date: Wed, 17 Jul 2024 14:39:06 +0200
Subject: [PATCH 2/4] helm: fix typo in document
fix typo in document for helm values.
Signed-off-by: Madhu Rajanna
---
 charts/ceph-csi-rbd/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/ceph-csi-rbd/README.md b/charts/ceph-csi-rbd/README.md
index 5897841b6..e18ee51b8 100644
--- a/charts/ceph-csi-rbd/README.md
+++ b/charts/ceph-csi-rbd/README.md
@@ -207,7 +207,7 @@ charts and their default values.
 | `storageClass.encryptionKMSID` | Specifies the encryption kms id | `""` |
 | `storageClass.topologyConstrainedPools` | Add topology constrained pools configuration, if topology based pools are setup, and topology constrained provisioning is required | `[]` |
 | `storageClass.mapOptions` | Specifies comma-separated list of map options | `""` |
-| `storageClass.unmapOtpions` | Specifies comma-separated list of unmap options | `""` |
+| `storageClass.unmapOptions` | Specifies comma-separated list of unmap options | `""` |
 | `storageClass.stripeUnit` | Specifies the stripe unit in bytes | `""` |
 | `storageClass.stripeCount` | Specifies the number of objects to stripe over before looping | `""` |
 | `storageClass.objectSize` | Specifies the object size in bytes | `""` |
From 4be5e4cbca4f1990124dfb9867b256e9f550c516 Mon Sep 17 00:00:00 2001
From: black-dragon74
Date: Mon, 3 Jun 2024 15:06:24 +0530
Subject: [PATCH 3/4] doc: proposal for providing PV key rotation
The design and implementation details for rotating the encryption keys for volumes.
Signed-off-by: black-dragon74
---
 docs/design/proposals/pv-key-rotation.md | 55 ++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 docs/design/proposals/pv-key-rotation.md
diff --git a/docs/design/proposals/pv-key-rotation.md b/docs/design/proposals/pv-key-rotation.md
new file mode 100644
index 000000000..017f96649
--- /dev/null
+++ b/docs/design/proposals/pv-key-rotation.md
@@ -0,0 +1,55 @@
+# Encryption Key Rotation
+
+## Proposal
+
+Subject of this proposal is to add support for rotation of encryption keys (KEKs) for encrypted volumes in Ceph-CSI.
+
+## Document Terminology
+
+- Encryption Key: The passphrase that is used to encrypt and open the device.
+- LUKS: The specification used by dm-crypt to process encrypted volumes on linux.
+
+## Proposed Solution
+
+The proposed solution in this document, is to address the periodic rotation of encryption keys for encrypted volumes.
+
+This document outlines the rotation steps for PVCs backed by RBD and will be updated with other volume types as they are supported.
+
+### Implementation Summary
+
+This feature builds upon the foundation laid by encrypted pvcs.
+
+An existing storage class can be annotated with `keyrotation.csiaddons.openshift.io/schedule` to enable the key rotation. The value of this annotation can be schedule in cron format or one of the macros supported by K8s CronJob spec.
+
+The following new methods are added to `cryptsetup.go` for handling the key rotation.
+
+- `LuksAddKey`: Adds a new key to specified LUKS slot
+- `LuksRemoveKey`: Removes the specified key from its slot using `luksKillSlot`
+- `LuksVerifyKey`: Verifies that the given key exists in the given slot using `luksChangeKey`.
+
+### Implementation Details
+
+The encryption key rotation request will contain with it the volume ID, credentials and secrets.
+
+These values are then used to call `GenVolFromVolID` to get the rbdVolume structure.
+
+The `VolumeEncryption` struct is modified to make `generateNewEncryptionPassphrase` a public member function.
+
+A metadata is set on the RBD image to indicate that the image is being processed for keyrotation. Presence of this metadata will prevent the same image being processed again.
+
+The following steps are followed to process the device for key rotation:
+
+- Create a `rbdvolume` object using volume ID, this is done by `GenVolFromVolID`.
+- Fetch the current key from the KMS, it is needed for subsequent LUKS operations.
+- Get the device path for the volume by calling `waitForPath` as all LUKS operations require the device path.
+- Add the fetched key to LUKS slot 1, this will serve as a backup of the key.
+- Generate a new key and store it locally. It will be updated in the KMS at later steps.
+- Remove the exsitng key from slot 0 upon verifying that the key in KMS == the key in slot 0.
+- Add new key to slot 0 and then call `LuksVerifyKey` to verify that the slot was successfully updated.
+- Update the new key in the KMS.
+- Fetch the key again and verify that the key in KMS == the new key we generated.
+- We can now remove the backup key from slot 1.
+
+These order of the above steps guarantees that we always have one key that can unlock the encrypted volume.
+
+The set metadata is removed once the key rotation is complete.
From 64c5be52428a880de1465d8cc45363b083f57214 Mon Sep 17 00:00:00 2001
From: black-dragon74
Date: Wed, 5 Jun 2024 15:27:41 +0530
Subject: [PATCH 4/4] doc: Update docs for rbd-pv-key-rotation
This commit updates the key rotation docs with the following changes:
- Do not call LuksVerify
- Mention specifics of RWX volumes
- Rename the file to represent RBD backed volumes
Signed-off-by: black-dragon74
---
 docs/design/proposals/pv-key-rotation.md | 55 ---------------
 docs/design/proposals/rbd-pv-key-rotation.md | 71 ++++++++++++++++++++
 2 files changed, 71 insertions(+), 55 deletions(-)
 delete mode 100644 docs/design/proposals/pv-key-rotation.md
 create mode 100644 docs/design/proposals/rbd-pv-key-rotation.md
diff --git a/docs/design/proposals/pv-key-rotation.md b/docs/design/proposals/pv-key-rotation.md
deleted file mode 100644
index 017f96649..000000000
--- a/docs/design/proposals/pv-key-rotation.md
+++ /dev/null
@@ -1,55 +0,0 @@
-# Encryption Key Rotation
-
-## Proposal
-
-Subject of this proposal is to add support for rotation of encryption keys (KEKs) for encrypted volumes in Ceph-CSI.
-
-## Document Terminology
-
-- Encryption Key: The passphrase that is used to encrypt and open the device.
-- LUKS: The specification used by dm-crypt to process encrypted volumes on linux.
-
-## Proposed Solution
-
-The proposed solution in this document, is to address the periodic rotation of encryption keys for encrypted volumes.
-
-This document outlines the rotation steps for PVCs backed by RBD and will be updated with other volume types as they are supported.
-
-### Implementation Summary
-
-This feature builds upon the foundation laid by encrypted pvcs.
-
-An existing storage class can be annotated with `keyrotation.csiaddons.openshift.io/schedule` to enable the key rotation. The value of this annotation can be schedule in cron format or one of the macros supported by K8s CronJob spec.
-
-The following new methods are added to `cryptsetup.go` for handling the key rotation.
-
-- `LuksAddKey`: Adds a new key to specified LUKS slot
-- `LuksRemoveKey`: Removes the specified key from its slot using `luksKillSlot`
-- `LuksVerifyKey`: Verifies that the given key exists in the given slot using `luksChangeKey`.
-
-### Implementation Details
-
-The encryption key rotation request will contain with it the volume ID, credentials and secrets.
-
-These values are then used to call `GenVolFromVolID` to get the rbdVolume structure.
-
-The `VolumeEncryption` struct is modified to make `generateNewEncryptionPassphrase` a public member function.
-
-A metadata is set on the RBD image to indicate that the image is being processed for keyrotation. Presence of this metadata will prevent the same image being processed again.
-
-The following steps are followed to process the device for key rotation:
-
-- Create a `rbdvolume` object using volume ID, this is done by `GenVolFromVolID`.
-- Fetch the current key from the KMS, it is needed for subsequent LUKS operations.
-- Get the device path for the volume by calling `waitForPath` as all LUKS operations require the device path.
-- Add the fetched key to LUKS slot 1, this will serve as a backup of the key.
-- Generate a new key and store it locally. It will be updated in the KMS at later steps.
-- Remove the exsitng key from slot 0 upon verifying that the key in KMS == the key in slot 0.
-- Add new key to slot 0 and then call `LuksVerifyKey` to verify that the slot was successfully updated.
-- Update the new key in the KMS.
-- Fetch the key again and verify that the key in KMS == the new key we generated.
-- We can now remove the backup key from slot 1.
-
-These order of the above steps guarantees that we always have one key that can unlock the encrypted volume.
-
-The set metadata is removed once the key rotation is complete.
diff --git a/docs/design/proposals/rbd-pv-key-rotation.md b/docs/design/proposals/rbd-pv-key-rotation.md
new file mode 100644
index 000000000..656adf738
--- /dev/null
+++ b/docs/design/proposals/rbd-pv-key-rotation.md
@@ -0,0 +1,71 @@ +# Encryption Key Rotation + +## Proposal + +Subject of this proposal is to add support for rotation of +encryption keys (KEKs) for encrypted volumes in Ceph-CSI. + +Support for rotating keys on RWX/ROX volumes and filesystem encryption +with `fscrypt` is out of scope for now and shall be added later. + +## Document Terminology + +- Encryption Key: The passphrase that is used to encrypt and open the device. +- LUKS: The specification used by dm-crypt to process encrypted volumes on linux. + +## Proposed Solution + +The proposed solution in this document, is to address the rotation +of encryption keys for encrypted volumes. + +This document outlines the rotation steps for PVCs backed by RBD. + +### Implementation Summary + +This feature builds upon the foundation laid by encrypted pvcs. + +The following new methods are added to `cryptsetup.go` for +handling the key rotation. + +- `LuksAddKey`: Adds a new key to specified LUKS slot +- `LuksRemoveKey`: Removes the specified key from its slot using `luksKillSlot` +- `LuksVerifyKey`: Verifies that the given key exists + in the given slot using `luksChangeKey`. + +### Implementation Details + +The encryption key rotation request will contain with it +the volume ID and secrets. + +The secrets are used to generate the credentials for authenticating +against a ceph cluster. + +These values are then used to call `GenVolFromVolID` to get the +rbdVolume structure. + +The `VolumeEncryption` struct is modified to make +`generateNewEncryptionPassphrase` a public member function. + +The `EncryptionKeyRotation` service is registered and implemented +on the node-plugin. + +The following steps are followed to process the device for key rotation: + +- Create a `rbdvolume` object using volume ID, + this is done by `GenVolFromVolID`. +- Fetch the current key from the KMS, it is needed for + subsequent LUKS operations. 
+- Get the device path for the volume by calling `waitForPath` as all LUKS + operations require the device path. +- Add the fetched key to LUKS slot 1, this will serve as a backup of the key. +- Generate a new key and store it locally. It will be updated + in the KMS at later steps. +- Remove the existing key from slot 0 upon verifying that the + key in KMS == the key in slot 0. +- Add new key to slot 0. +- Update the new key in the KMS. +- Fetch the key again and verify that the + key in KMS == the new key we generated. +- We can now remove the backup key from slot 1. + +Note that the key in the KMS can always be used to unlock the volume.
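Review bot: The step list from `Add the fetched key to LUKS slot 1` onward assumes slot 1 is free and that only one rotation runs per volume, but this revision drops the in-progress marker the previous file set on the RBD image ("A metadata is set on the RBD image ... prevent the same image being processed again") without describing a replacement, so a rotation interrupted after slot 1 is populated, or two concurrent requests for the same volume, have no documented recovery or exclusion path. I would add a short paragraph before the steps, e.g. `Before rotating, the node-plugin checks whether slot 1 already holds the key currently stored in the KMS (an earlier rotation was interrupted) and resumes from the matching step; concurrent rotation requests for the same volume must be serialized or rejected.` — if the CSI-Addons request path already guarantees per-volume serialization, state that here instead, since it is not visible in this document. Separately, `LuksVerifyKey` is still listed among the new `cryptsetup.go` methods although the commit message says it is no longer called, and its description ("using `luksChangeKey`") means the "verify" primitive rewrites the keyslot; either remove it from the list or note that it is a mutating check and why the flow no longer uses it.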