Commit Graph

16 Commits

Author SHA1 Message Date
Marcel Lauhoff
cd42ad67b2 examples: Ceph FS fscrypt / KMS additions
Add encryption configuration to Ceph FS examples

Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
2022-11-23 12:21:02 +00:00
Madhu Rajanna
5524b2d538 ci: use 1.8.5 vault for e2e
current latest vault release is 1.9.0 but
with the latest image our E2E is broken.
reverting back the vault version to 1.8.5
till we root cause the issue.

Note:- This is to unblock PR merging

updates: #2657

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-11-19 10:37:14 +00:00
Niels de Vos
85c84910d3 e2e: add a monitor container to the vault Pod
The command `vault monitor` can be used to stream logging from the Vault
service. This is very helpful while debugging Vault configuration
failures.

By adding a 2nd container to the Vault deployment, it is now possible to
get the messages from the Vault service by running

    $ kubectl logs -c monitor <vault-pod-0123abcd>

This will be very useful when the e2e tests do not delete the deployment
after a failure and fetch the logs from all containers.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-10-19 03:37:42 +00:00
Niels de Vos
96bb8bfd0e e2e: add securityContext.runAsUser to vault-init-job
Kubelet sometimes reports the following error:

    failed to "StartContainer" for "vault-init-job" with CreateContainerConfigError: container has runAsNonRoot and image will run as root

Setting securityContext.runAsUser resolves this.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-07-13 17:16:35 +00:00
Niels de Vos
8ce5ae16c1 e2e: do not create a single-item list
The deployment of the Vault ConfigMap for the init-scripts job contains
a List with a single Item. This can be cleaned up to just be a ConfigMap
(without the list structure around it).

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-06-30 16:22:32 +00:00
Niels de Vos
fd9fee74de e2e: disable iss validation in Hashicorp Vault
Testing encrypted PVCs does not work anymore since Kubernetes v1.21. It
seems that disabling the iss validation in Hashicorp Vault is a
relatively simple workaround that we can use instead of the more complex
securing of the environment like should be done in production
deployments.

Updates: #1963
See-also: external-secrets/kubernetes-external-secrets#721
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-06-29 10:12:47 +00:00
Humble Chirammal
1b0ebc43d4 deploy: use serviceAccountName instead of serviceAccount in yamls
serviceAccount is the depricated alias for serviceAccountName, so it
is recommended/suggested to use serviceAccountName instead.

For ex. reference:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-04-06 09:00:35 +00:00
Niels de Vos
b0f3b27209 ci: set imagePullPolicy for Vault to IfNotPresent
Deploying Vault still fails on occasion. It seems that the
imagePullPolicy has not been configured for the container yet.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-03 13:17:24 +00:00
Niels de Vos
1845f2b77d e2e: use full-qualified-image-name for vault-init-job
On occasion deploying Vault fails. It seems the vault-init-job batch job
does not use a full-qualified-image-name for the "vault" container.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-11-30 12:27:00 +00:00
Niels de Vos
db6d376434 deploy: add sys/mounts to Vault policy
Add "sys/mounts" so that VaultBackendKey does not need to be set. The
libopenstorage API detects the version for the key-value store in Vault
by reading "sys/mounts". Without permissions to read this endpoint, the
VaultBackendKey is required to be configured.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-11-29 04:03:59 +00:00
Niels de Vos
04586dc733 deploy: add "list" operation to Vault policy
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-11-29 04:03:59 +00:00
Niels de Vos
1f18e876f0 e2e: use docker.io/library as prefix for official images
Docker Hub offers a way to pull official images without any project
prefix, like "docker.io/vault:latest". This does a redirect to the
images located under "docker.io/library".

By using the full qualified image name, a redirect gets removed while
pulling the images. This reduces the likelyhood of hittin Docker Hub
pull rate-limits.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-11-26 13:51:02 +00:00
Niels de Vos
eaeee8ac3d deploy: use docker.io for unqualified image names
Images that have an unqualified name (no explicit registry) come from
Docker Hub. This can be made explicit by adding docker.io as prefix. In
addition, the default :latest tag has been added too.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-11-24 10:27:33 +00:00
Madhu Rajanna
7d229c2369 build: update imagepullpolicy for vault
this allows the image to be reused instead of pulling
it again.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-11-19 16:00:33 +00:00
Madhu Rajanna
37c4e3447d Add helm chart SA to vault.yaml
we need to provide access to the Service
account created with helm charts to access
the vault service.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-04-06 11:01:25 +00:00
Vasyl Purchel
419ad0dd8e Adds per volume encryption with Vault integration
- adds proposal document for PVC encryption from PR448
- adds per-volume encription by generating encryption passphrase
  for each volume and storing it in a KMS
- adds HashiCorp Vault integration as a KMS for encryption passphrases
- avoids encrypting volume second time if it was already encrypted but
  no file system created
- avoids unnecessary checks if volume is a mapped device when encryption
  was not requested
- prevents resizing encrypted volumes (it is not currently supported)
- prevents creating snapshots from encrypted volumes to prevent attack
  on encryption key (security guard until re-encryption of volumes
  implemented)

Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com
Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com

Fixes #420
Fixes #744
2020-02-05 05:18:56 +00:00