Commit Graph

428 Commits

Author SHA1 Message Date
Niels de Vos
6915624380 util: add EncryptDEK DecryptDEK to EncryptionKMS interface
By adding these methods, a KMS can explicitly encrypt/decrypt the DEK if
there is no transparent way of doing so.

Hashicorp Vault encrypts the DEK when it it stored, and decrypts it when
fetched. Therefor there is no need to do any encryption in this case.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-12 10:11:47 +00:00
Niels de Vos
cffec0b3f3 rbd: configure the DEKStore if the configuration suggests to use metadata
NewVolumeEncryption() will return an indication that an alternative
DEKStore needs to be configured in case the KMS does not support it.

setKMS() will also set the DEKStore if needed, so renaming it to
configureEncryption() makes things clearer.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-12 10:11:47 +00:00
Niels de Vos
e4431edaf9 rbd: implement the DEKStore interface
To accommodate storing DEKs outside a KMS, the DEK can be stored in the
metadata of the volume.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-12 10:11:47 +00:00
Niels de Vos
9ac7f56400 util: move existing KMS implementations to the DEKStore interface
Use DEKStore API for Fetching and Storing passphrases.

Drop the fallback for the old KMS interface that is now provided as
DEKStore. The original implementation has been re-used for the DEKStore
interface.

This also moves GetCryptoPassphrase/StoreNewCryptoPassphrase functions
to methods of VolumeEncryption.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-12 10:11:47 +00:00
Niels de Vos
b60dd286c6 util: use the KMS as DEKStore if it supports it
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-12 10:11:47 +00:00
Niels de Vos
ee033da8e9 util: add DEKStore interface
DEKStore is a new interface that will be used for Storing and Fetching
DEKs. The existing implementations for KMS already function as a
DEKStore, and will be updated to match the interface.

By splitting KMS and DEKStore into two components, the encryption
configuration for volumes becomes more modular. This makes it possible
to implement a DEKStore where the encrypted DEK for a volume is stored
in the metadata of the volume (RBD image).

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-12 10:11:47 +00:00
Niels de Vos
d4076d6216 util: introduce VolumeEncryption type
Prepare for grouping encryption related functions together. The main
rbdVolume object should not be cluttered with KMS or DEK procedures.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-12 10:11:47 +00:00
Niels de Vos
aa52afff09 cleanup: move SecretsKMS in own file
Prepared for an enhanced API to communicate with a KMS and keep the DEK
storage separate. The crypto.go file is already mixed with different
functions, so moving the KMS part into its own file, just like we have
for Hashicorp Vault KMS's.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-12 10:11:47 +00:00
Madhu Rajanna
cbb10fd84d rbd: add more logging for NodeUnstageVolume
For NodeUnstageVolume its a two step process,
first unmount the volume and than unmap the volume.
Currently, we are logging only after rbd unmapping is done.
sometimes it becomes difficult to debug with above logging
whether more time is spent in unmount or unmap.
This commits adds one more debug log after unmount is done.
with this we can identify where exactly more time is spent
by looking at the logs.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-03-11 17:40:57 +00:00
Niels de Vos
fe0f169875 rbd: write max 1gb per WriteSame() operation
It seems that writing more than 1 GiB per WriteSame() operation causes
an EINVAL (22) "Invalid argument" error. Splitting the writes in blocks
of maximum 1 GiB should prevent that from happening.

Not all volumes are of a size that is the multiple of the stripe-size.
WriteSame() needs to write full blocks of data, so in case there is a
small left-over, it will be filled with WriteAt().

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-11 10:57:31 +00:00
Niels de Vos
6c8bc79771 ci: add unit tests for SecretsKMS
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-04 12:11:07 +00:00
Niels de Vos
165a837bca rbd: move KMS initialization into rbdVol.initKMS()
Introduce initKMS() as a function of rbdVolume. KMS functionality does
not need to pollute general RBD image functions. Encryption functions
are now in internal/rbd.encryption.go, so move initKMS() there as well.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-24 13:16:11 +00:00
Niels de Vos
cf6dae86e9 rbd: move encryptDevice() to a method of rbdVolume
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-24 13:16:11 +00:00
Niels de Vos
fb065b0f39 rbd: move openEncryptedDevice() to a method of rbdVolume
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-24 13:16:11 +00:00
Madhu Rajanna
8720f4e2f5 cephfs: create subvolume with VolumeNamePrefix
when user provides an option for VolumeNamePrefix
create subvolume with the prefix which will be easy
for user to identify the subvolumes belongs to
the storageclass.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-19 17:04:17 +00:00
Niels de Vos
b5020657e6 rbd: add "--options notrim" when mapping a thick-provisioned image
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-19 11:55:40 +00:00
Niels de Vos
cc96bdaac3 rbd: allocate extents when expanding an image
When and RBD image is expanded, the additional extents need to get
allocated when the image was thick-provisioned.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-19 11:55:40 +00:00
Niels de Vos
294a0973bd rbd: mark images thick-provisioned in metadata
When images get resized/expanded, the additional space needs to be
allocated if the image was initially thick-provisioned. By marking the
image with a "thick-provisioned" key in the metadata, future operations
can check the need.

A missing "thick-provisioned" key indicates that the image has not been
thick-provisioned.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-19 11:55:40 +00:00
Niels de Vos
74d218df8d rbd: disable rbd_discard_on_zeroed_write_same for thick-allocation
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-19 11:55:40 +00:00
Niels de Vos
5522a05f59 rbd: thick-provision images on request
Write blocks of stripe-size to allocate RBD images when
Thick-Provisioning is enabled in the StorageClass.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-19 11:55:40 +00:00
Madhu Rajanna
c417a5d0ba rbd: add support for thick provisioning option
Add an option to the StorageClass to support creating fully allocated
(thick provisioned) RBD images

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-19 11:55:40 +00:00
Niels de Vos
4937e59c4d rbd: add backwards compatible encryption in NodeStageVolume
When a volume was provisioned by an old Ceph-CSI provisioner, the
metadata of the RBD image will contain `requiresEncryption` to indicate
a passphrase needs to be created. New Ceph-CSI provisioners create the
passphrase in the CreateVolume request, and set `encryptionPrepared`
instead.

When a new node-plugin detects that `requiresEncryption` is set in the
RBD image metadata, it will fallback to the old behaviour.

In case `encryptionPrepared` is read from the RBD image metadata, the
passphrase is used to cryptsetup/format the image.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-17 17:51:13 +00:00
Niels de Vos
ee79b22c97 rbd: move encryption function to encryption.go
This adds internal/rbd/encryption.go which will be used to include other
encryption functionality to support additional KMS related functions. It
will work together with the shared API from internal/util/kms.go.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-17 17:51:13 +00:00
Niels de Vos
dc81e001cf cleanup: remove unused MissingPassphrase error type
Storing a passphrase is now done while the volume is created. There is
no need to (re)generate a passphrase when it can not be found.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-17 17:51:13 +00:00
Niels de Vos
9b6c2117f3 rbd: set encryption passphrase on CreateVolume
Have the provisioner create the passphrase for the volume, instead of
doign it lazily at the time the volume is used for the 1st time. This
prevents potential races where pods on different nodes try to store
different passphrases at the (almost) same time.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-17 17:51:13 +00:00
Niels de Vos
a42c4b5855 util: convert VAULT_SKIP_VERIFY to "vaultCAVerify" KMS option
"VAULT_SKIP_VERIFY" is a standard Hashicorp Vault environment variable
(a string) that needs to get converted to the "vaultCAVerify"
configuration option in the Ceph-CSI format.

The value of "VAULT_SKIP_VERIFY" means the reverse of "vaultCAVerify",
this part was missing in the original conversion too.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-16 13:05:47 +00:00
Niels de Vos
d534ee9ce8 rbd: include rados-namespace when calling addRbdManagerTask()
It seems that calls to addRbdManagerTask() do not include the
rados-namespace in the image location. Functions calling
addRbdManagerTask() construct the image location themselves, but should
use rbdVolume.String() to include all the attributes.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-12 12:02:14 +00:00
Niels de Vos
8d0b39e690 rbd: log error when scheduling flattening fails
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-12 12:02:14 +00:00
Madhu Rajanna
8cd901d2dd cephfs: add subvolume path to volume context
There are many usecases with adding the subvolume
path to the PV object. the volume context returned
in the createVolumeResponse is added to the PV object
by the external provisioner.

More Details about the usecases are in below link
https://github.com/rook/rook/issues/5471

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-11 11:31:22 +00:00
Madhu Rajanna
dd6ce7b441 rbd: fix error check when reading vaultCAFromSecret
check correct error variable when reading
vaultCAFromSecret.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Madhu Rajanna
e9782d86ad rbd: fix incorrect reading of client cert key
fix incorrect reading of client cert key.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Madhu Rajanna
f63ccb0cce rbd: store VaultCAVerify as a string
storing VaultCAVerify as a string.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Madhu Rajanna
bf5c36822f rbd: set tenant in kms object
the tenant/namespace is needed to read the certificates,
this commit sets the tenant in kms object.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Madhu Rajanna
22ae4a0b16 rbd: change key in secret for cert and tls
currently, the keys for kms certificates/keys in a
secret is ca.cert, tls.cert and
tls.key, this commit changes the key from ca.cert
and tls.cert to cert and tls.key to key.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Madhu Rajanna
b370d9afb6 rbd: unmarshal the data read from file
if are reading the kms data from the file.
than only we need to unmarshal. If we are reading
from the configmap it already returns the unmarshal
data.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Niels de Vos
582d004ca5 util: store EnvVaultInsecure as string, not bool
The configuration option `EnvVaultInsecure` is expected to be a string,
not a boolean. By converting the bool back to a string (after
verification), it is now possible to skip the certificate validation
check by setting `vaultCAVerify: false` in the Vault configuration.

Fixes: #1852
Reported-by: Bryon Nevis <bryon.nevis@intel.com>
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-02 11:24:28 +00:00
Niels de Vos
df81022349 rbd: add support for VAULT_SKIP_VERIFY in KMS ConfigMap
When the KMS VaultTokens is configured through a Kubernetens ConfigMap,
the `VAULT_SKIP_VERIFY` option was not taken into account. The option
maps to the `vaultCAVerify` value in the configuration file, but has the
reverse meaning.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-01 13:09:54 +00:00
Mudit Agarwal
d480eb4bda cephfs: ignore BytesQuota field in case it is not set.
This can happen when the subvolume is in snapshot-retained state.
We should not return error for such case as it is a valid situation.

Signed-off-by: Mudit Agarwal <muagarwa@redhat.com>
2021-02-01 09:20:53 +00:00
Madhu Rajanna
584a43dc2c rbd: fix issue in ENV variable check
Currently cephcsi is returning an error
if the ENV variable is set, but it should not.
This commit fixes the the POD_NAMESPACE env
variable issue and as well as the KMS_CONFIG_NAME
ENV variable.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-01-29 10:00:12 +00:00
Niels de Vos
0b7521162c cleanup: rewrite ifElseChains to switch statements
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-01-27 13:03:56 +00:00
Ilya Dryomov
04644c1d58 rbd: enable mapping and unmapping from a network namespace
Make rbdplugin pod work in a non-initial network namespace (i.e. with
"hostNetwork: false") by skipping waiting for udev events when mapping
and unmapping images.  CSI use case is very simple: all that is needed
is a device node which is immediately fed to mkfs, so we should be able
to tolerate udev not being finished with the device just fine.

Fixes: #1323
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2021-01-07 15:34:05 +00:00
Ilya Dryomov
c2493686b7 rbd: introduce appendDeviceTypeAndOptions()
Factor out --device-type and --options formatting.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2021-01-07 15:34:05 +00:00
Ilya Dryomov
d3f31187fc rbd: rename ndbType parameter
Fix "ndb" typo.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2021-01-07 15:34:05 +00:00
Ilya Dryomov
5631b83dd0 rbd: rename mapOptions and options argument slices
With the new support for passing --options, referring to ExecCommand()
argument slices as mapOptions and options is confusing.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2021-01-07 15:34:05 +00:00
Seena Fallah
fdec9f65b8 rbd: fix namespace json parser for xbdDeviceInfo
rbd device list --format=json returns namespace as a namespace not radosNamespace

Signed-off-by: Seena Fallah <seenafallah@gmail.com>
2021-01-05 11:26:09 +00:00
Yati Padia
995879d349 cephfs: use enum to check resize is supported or not
Currently, we are using bool pointer to find out
the ceph cluster supports resize or not. This
commit replaces the bool pointer with enum.

Signed-off-by: Yati Padia <ypadia@redhat.com>

Fixes#1764
2021-01-04 04:42:58 +00:00
Madhu Rajanna
9c7176dbb4 rbd: update mount packges in import path
mount packges is moved from
k8s.io/utils/mount to a new repository
k8s.io/mount-utils. updated code to use
the same.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-17 16:04:54 +00:00
Madhu Rajanna
b3fbcb9c95 rbd: read configuration from the configmap
if the kms encryption configmap is not mounted
as a volume to the CSI pods, add the code to
read the configuration from the kubernetes. Later
the code to fetch the configmap will be moved to
the new sidecar which is will talk to respective
CO to fetch the encryption configurations.

The k8s configmap uses the standard vault spefic
names to add the configurations. this will be converted
back to the CSI configurations.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-16 15:05:05 +00:00
Niels de Vos
e4b16a5c72 util: allow tenants to (re)configure VaultTokens settings
A tenant can place a ConfigMap in their Kubernetes Namespace with
configuration options that differ from the global (by the Storage Admin
set) values.

The ConfigMap needs to be located in the Tenants namespace, as described
in the documentation

See-also: docs/design/proposals/encryption-with-vault-tokens.md
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-16 13:42:52 +00:00
Madhu Rajanna
81061e9f68 util: add support for vault certificates
Added a option to pass the client certificate
and the client certificate key for the vault token
based encryption.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-16 11:01:15 +00:00