mirror of
https://github.com/ceph/ceph-csi.git
synced 2025-01-18 02:39:30 +00:00
Merge pull request #344 from red-hat-storage/sync_ds--devel
Syncing latest changes from devel for ceph-csi
This commit is contained in:
commit
2539700a99
@ -58,7 +58,7 @@ CSI_ATTACHER_VERSION=v4.6.1
|
|||||||
CSI_SNAPSHOTTER_VERSION=v8.0.1
|
CSI_SNAPSHOTTER_VERSION=v8.0.1
|
||||||
CSI_RESIZER_VERSION=v1.11.1
|
CSI_RESIZER_VERSION=v1.11.1
|
||||||
CSI_PROVISIONER_VERSION=v5.0.1
|
CSI_PROVISIONER_VERSION=v5.0.1
|
||||||
CSI_NODE_DRIVER_REGISTRAR_VERSION=v2.10.1
|
CSI_NODE_DRIVER_REGISTRAR_VERSION=v2.11.1
|
||||||
|
|
||||||
# e2e settings
|
# e2e settings
|
||||||
# - enable CEPH_CSI_RUN_ALL_TESTS when running tests with if it has root
|
# - enable CEPH_CSI_RUN_ALL_TESTS when running tests with if it has root
|
||||||
|
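Review bot: the context line `# - enable CEPH_CSI_RUN_ALL_TESTS when running tests with if it has root` reads as a leftover edit ("with if it has root"); since this hunk already touches the file, rewording it to "when running tests as root" would be a cheap follow-up. On the bump itself, only CSI_NODE_DRIVER_REGISTRAR_VERSION moves (v2.10.1 to v2.11.1) while the attacher, snapshotter, resizer and provisioner pins stay where they are, so the PR description should link the registrar release that is being pulled in; a third-party sidecar version change is a supply-chain change and reviewers need to be able to trace what it brings.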
@ -124,7 +124,7 @@ charts and their default values.
|
|||||||
| `nodeplugin.imagePullSecrets` | Specifies imagePullSecrets for containers | `[]` |
|
| `nodeplugin.imagePullSecrets` | Specifies imagePullSecrets for containers | `[]` |
|
||||||
| `nodeplugin.profiling.enabled` | Specifies whether profiling should be enabled | `false` |
|
| `nodeplugin.profiling.enabled` | Specifies whether profiling should be enabled | `false` |
|
||||||
| `nodeplugin.registrar.image.repository` | Node-Registrar image repository URL | `registry.k8s.io/sig-storage/csi-node-driver-registrar` |
|
| `nodeplugin.registrar.image.repository` | Node-Registrar image repository URL | `registry.k8s.io/sig-storage/csi-node-driver-registrar` |
|
||||||
| `nodeplugin.registrar.image.tag` | Image tag | `v2.10.1` |
|
| `nodeplugin.registrar.image.tag` | Image tag | `v2.11.1` |
|
||||||
| `nodeplugin.registrar.image.pullPolicy` | Image pull policy | `IfNotPresent` |
|
| `nodeplugin.registrar.image.pullPolicy` | Image pull policy | `IfNotPresent` |
|
||||||
| `nodeplugin.plugin.image.repository` | Nodeplugin image repository URL | `quay.io/cephcsi/cephcsi` |
|
| `nodeplugin.plugin.image.repository` | Nodeplugin image repository URL | `quay.io/cephcsi/cephcsi` |
|
||||||
| `nodeplugin.plugin.image.tag` | Image tag | `canary` |
|
| `nodeplugin.plugin.image.tag` | Image tag | `canary` |
|
||||||
|
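Review bot: the README default for `nodeplugin.registrar.image.tag` is edited by hand to `v2.11.1` and must match the `tag:` value in the same chart's values.yaml; that file is bumped elsewhere in this change, but a CI check that diffs the README defaults column against values.yaml would stop the two from drifting on the next bump.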
@ -110,7 +110,7 @@ nodeplugin:
|
|||||||
registrar:
|
registrar:
|
||||||
image:
|
image:
|
||||||
repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
|
repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
|
||||||
tag: v2.10.1
|
tag: v2.11.1
|
||||||
pullPolicy: IfNotPresent
|
pullPolicy: IfNotPresent
|
||||||
resources: {}
|
resources: {}
|
||||||
|
|
||||||
|
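Review bot: `tag: v2.11.1` pins the registrar by a mutable tag only. Consider allowing an image digest alongside the tag (or documenting how operators pin one) so a re-pushed upstream tag cannot silently change what the nodeplugin pulls. The `pullPolicy: IfNotPresent` context line also means a node keeps whatever it cached under that tag, which is fine for an immutable tag but is exactly the case where a digest pin pays off.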
@ -126,7 +126,7 @@ charts and their default values.
|
|||||||
| `nodeplugin.imagePullSecrets` | Specifies imagePullSecrets for containers | `[]` |
|
| `nodeplugin.imagePullSecrets` | Specifies imagePullSecrets for containers | `[]` |
|
||||||
| `nodeplugin.profiling.enabled` | Specifies whether profiling should be enabled | `false` |
|
| `nodeplugin.profiling.enabled` | Specifies whether profiling should be enabled | `false` |
|
||||||
| `nodeplugin.registrar.image.repository` | Node Registrar image repository URL | `registry.k8s.io/sig-storage/csi-node-driver-registrar` |
|
| `nodeplugin.registrar.image.repository` | Node Registrar image repository URL | `registry.k8s.io/sig-storage/csi-node-driver-registrar` |
|
||||||
| `nodeplugin.registrar.image.tag` | Image tag | `v2.10.1` |
|
| `nodeplugin.registrar.image.tag` | Image tag | `v2.11.1` |
|
||||||
| `nodeplugin.registrar.image.pullPolicy` | Image pull policy | `IfNotPresent` |
|
| `nodeplugin.registrar.image.pullPolicy` | Image pull policy | `IfNotPresent` |
|
||||||
| `nodeplugin.plugin.image.repository` | Nodeplugin image repository URL | `quay.io/cephcsi/cephcsi` |
|
| `nodeplugin.plugin.image.repository` | Nodeplugin image repository URL | `quay.io/cephcsi/cephcsi` |
|
||||||
| `nodeplugin.plugin.image.tag` | Image tag | `canary` |
|
| `nodeplugin.plugin.image.tag` | Image tag | `canary` |
|
||||||
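Review bot: the same README/values consistency point applies to this chart as to the first one. One small style point: this table calls the sidecar "Node Registrar" while the other chart's README says "Node-Registrar" for the same `nodeplugin.registrar.image.repository` row; aligning the wording across the two READMEs would make grep-based doc checks simpler.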
@ -207,7 +207,7 @@ charts and their default values.
|
|||||||
| `storageClass.encryptionKMSID` | Specifies the encryption kms id | `""` |
|
| `storageClass.encryptionKMSID` | Specifies the encryption kms id | `""` |
|
||||||
| `storageClass.topologyConstrainedPools` | Add topology constrained pools configuration, if topology based pools are setup, and topology constrained provisioning is required | `[]` |
|
| `storageClass.topologyConstrainedPools` | Add topology constrained pools configuration, if topology based pools are setup, and topology constrained provisioning is required | `[]` |
|
||||||
| `storageClass.mapOptions` | Specifies comma-separated list of map options | `""` |
|
| `storageClass.mapOptions` | Specifies comma-separated list of map options | `""` |
|
||||||
| `storageClass.unmapOtpions` | Specifies comma-separated list of unmap options | `""` |
|
| `storageClass.unmapOptions` | Specifies comma-separated list of unmap options | `""` |
|
||||||
| `storageClass.stripeUnit` | Specifies the stripe unit in bytes | `""` |
|
| `storageClass.stripeUnit` | Specifies the stripe unit in bytes | `""` |
|
||||||
| `storageClass.stripeCount` | Specifies the number of objects to stripe over before looping | `""` |
|
| `storageClass.stripeCount` | Specifies the number of objects to stripe over before looping | `""` |
|
||||||
| `storageClass.objectSize` | Specifies the object size in bytes | `""` |
|
| `storageClass.objectSize` | Specifies the object size in bytes | `""` |
|
||||||
|
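Review bot: the table key is corrected from `storageClass.unmapOtpions` to `storageClass.unmapOptions`. Please confirm the chart's values.yaml and the StorageClass template both use `unmapOptions`, so the README now matches the key operators actually set; Helm ignores values no template references, so anyone who copied the misspelled key from the old README had their setting dropped without an error.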
@ -139,7 +139,7 @@ nodeplugin:
|
|||||||
registrar:
|
registrar:
|
||||||
image:
|
image:
|
||||||
repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
|
repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
|
||||||
tag: v2.10.1
|
tag: v2.11.1
|
||||||
pullPolicy: IfNotPresent
|
pullPolicy: IfNotPresent
|
||||||
resources: {}
|
resources: {}
|
||||||
|
|
||||||
|
@ -106,7 +106,7 @@ spec:
|
|||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
allowPrivilegeEscalation: true
|
allowPrivilegeEscalation: true
|
||||||
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1
|
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
|
||||||
args:
|
args:
|
||||||
- "--v=1"
|
- "--v=1"
|
||||||
- "--csi-address=/csi/csi.sock"
|
- "--csi-address=/csi/csi.sock"
|
||||||
|
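Review bot: the context lines show the registrar sidecar running with `privileged: true` and `allowPrivilegeEscalation: true`; this hunk only bumps the image tag, so that is unchanged, but a version bump of a third-party image is the right moment to record in the PR whether the registrar still needs a privileged context or could run with the default securityContext plus the hostPath mounts it uses. If privileged mode is not required, dropping it limits what a compromised or mis-tagged sidecar image could do on the node, which is the main risk a tag bump carries.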
@ -80,7 +80,7 @@ spec:
|
|||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
allowPrivilegeEscalation: true
|
allowPrivilegeEscalation: true
|
||||||
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1
|
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
|
||||||
args:
|
args:
|
||||||
- "--v=1"
|
- "--v=1"
|
||||||
- "--csi-address=/csi/csi.sock"
|
- "--csi-address=/csi/csi.sock"
|
||||||
|
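Review bot: this is the second of three deploy manifests that hard-code the registrar tag, on top of build.env and both charts. A small generation step, or a CI check that fails when a manifest's `csi-node-driver-registrar:` tag differs from CSI_NODE_DRIVER_REGISTRAR_VERSION in build.env, would turn future bumps into a one-line change and stop a manifest from being missed.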
@ -116,7 +116,7 @@ spec:
|
|||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
allowPrivilegeEscalation: true
|
allowPrivilegeEscalation: true
|
||||||
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1
|
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
|
||||||
args:
|
args:
|
||||||
- "--v=1"
|
- "--v=1"
|
||||||
- "--csi-address=/csi/csi.sock"
|
- "--csi-address=/csi/csi.sock"
|
||||||
|
71
docs/design/proposals/rbd-pv-key-rotation.md
Normal file
@ -0,0 +1,71 @@
|
|||||||
|
# Encryption Key Rotation
|
||||||
|
|
||||||
|
## Proposal
|
||||||
|
|
||||||
|
Subject of this proposal is to add support for rotation of
|
||||||
|
encryption keys (KEKs) for encrypted volumes in Ceph-CSI.
|
||||||
|
|
||||||
|
Support for rotating keys on RWX/ROX volumes and filesystem encryption
|
||||||
|
with `fscrypt` is out of scope for now and shall be added later.
|
||||||
|
|
||||||
|
## Document Terminology
|
||||||
|
|
||||||
|
- Encryption Key: The passphrase that is used to encrypt and open the device.
|
||||||
|
- LUKS: The specification used by dm-crypt to process encrypted volumes on linux.
|
||||||
|
|
||||||
|
## Proposed Solution
|
||||||
|
|
||||||
|
The proposed solution in this document, is to address the rotation
|
||||||
|
of encryption keys for encrypted volumes.
|
||||||
|
|
||||||
|
This document outlines the rotation steps for PVCs backed by RBD.
|
||||||
|
|
||||||
|
### Implementation Summary
|
||||||
|
|
||||||
|
This feature builds upon the foundation laid by encrypted pvcs.
|
||||||
|
|
||||||
|
The following new methods are added to `cryptsetup.go` for
|
||||||
|
handling the key rotation.
|
||||||
|
|
||||||
|
- `LuksAddKey`: Adds a new key to specified LUKS slot
|
||||||
|
- `LuksRemoveKey`: Removes the specified key from its slot using `luksKillSlot`
|
||||||
|
- `LuksVerifyKey`: Verifies that the given key exists
|
||||||
|
in the given slot using `luksChangeKey`.
|
||||||
|
|
||||||
|
### Implementation Details
|
||||||
|
|
||||||
|
The encryption key rotation request will contain with it
|
||||||
|
the volume ID and secrets.
|
||||||
|
|
||||||
|
The secrets are used to generate the credentials for authenticating
|
||||||
|
against a ceph cluster.
|
||||||
|
|
||||||
|
These values are then used to call `GenVolFromVolID` to get the
|
||||||
|
rbdVolume structure.
|
||||||
|
|
||||||
|
The `VolumeEncryption` struct is modified to make
|
||||||
|
`generateNewEncryptionPassphrase` a public member function.
|
||||||
|
|
||||||
|
The `EncryptionKeyRotation` service is registered and implemented
|
||||||
|
on the node-plugin.
|
||||||
|
|
||||||
|
The following steps are followed to process the device for key rotation:
|
||||||
|
|
||||||
|
- Create a `rbdvolume` object using volume ID,
|
||||||
|
this is done by `GenVolFromVolID`.
|
||||||
|
- Fetch the current key from the KMS, it is needed for
|
||||||
|
subsequent LUKS operations.
|
||||||
|
- Get the device path for the volume by calling `waitForPath` as all LUKS
|
||||||
|
operations require the device path.
|
||||||
|
- Add the fetched key to LUKS slot 1, this will serve as a backup of the key.
|
||||||
|
- Generate a new key and store it locally. It will be updated
|
||||||
|
in the KMS at later steps.
|
||||||
|
- Remove the existing key from slot 0 upon verifying that the
|
||||||
|
key in KMS == the key in slot 0.
|
||||||
|
- Add new key to slot 0.
|
||||||
|
- Update the new key in the KMS.
|
||||||
|
- Fetch the key again and verify that the
|
||||||
|
key in KMS == the new key we generated.
|
||||||
|
- We can now remove the backup key from slot 1.
|
||||||
|
|
||||||
|
Note that the key in the KMS can always be used to unlock the volume.
|
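Review bot: the rotation steps in the new `docs/design/proposals/rbd-pv-key-rotation.md` do not say what happens when a rotation is retried after a partial failure, and as written the sequence is not idempotent: a retry after a crash between "Add the fetched key to LUKS slot 1" and "We can now remove the backup key from slot 1" finds slot 1 already occupied, and a crash after "Update the new key in the KMS" leaves the old key usable from slot 1 until someone reruns the final step. The proposal should state, per step, how a rerun detects the current state (which of the KMS key and the generated key opens which slot) and converges, and that the old key is always removed from slot 1 before the operation is reported successful. Two smaller points: `LuksVerifyKey` is described as verifying a key "using `luksChangeKey`", which performs a header write to do a read-only check; `cryptsetup open --test-passphrase` verifies a passphrase without modifying the header or mapping the device and would be the safer primitive. And "Generate a new key and store it locally" should say the new key is held only in the node-plugin process memory and never written to disk or logs, since the node-plugin runs on every node. Typos: "contain with it" should read "contain", "encrypted pvcs" should read "encrypted PVCs", and "`rbdvolume`" should read "`rbdVolume`" to match the rest of the document.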