Commit Graph

2015 Commits

Author SHA1 Message Date
Niels de Vos
eb1ef69cfb util: allow updating settings of vaultConnection
Make it possible to calle initConnection() multiple times. This enables
the VaultTokensKMS type to override global settings with options from a
per-tenant configuration.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
f08182e2fc rbd: pass Owner to GetKMS()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
5bbab25a9f util: move Secrets to vaultConnection
The Secrets is the main object to connect to Vault. This should be part
of the vaultConnection type.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
d28a5a5f23 util: pass map[string]interface{} to initialize KMS
This makes it possible to pass a more complex configuration to the
initialize functions for KMS's. The upcoming VaultTokensKMS can use
overrides for configiration options on a per tenant basis. Without this
change, it would not be possible to consume the JSON configuration file.

See-also: #1743
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
43fa1cddb7 util: use helper function to parse Vault configuration
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
b8fec4df64 doc: fix links for example yaml files
The yaml files for RBD encryption are located in examples/kms/vault, and
not in the examples/rbd directory.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 11:14:50 +00:00
Niels de Vos
db40c06e84 doc: add usage for Vault Tokens KMS support
In addition to the Vault KMS support (uses Kubernetes ServiceAccount),
there is the new Vault Tokens KMS feature.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 11:14:50 +00:00
Niels de Vos
24a17094a2 doc: multi-tenancy with Vault tokens
Design for adding a new KMS type "VaultTokens" that can be used to
configure a Hashicorp Vault service where each tenant has their own
personal token to manage encryptions keys for PVCs.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-10 15:39:47 +00:00
Madhu Rajanna
0d9fcbc21b cephfs: remove unused cr Credentials
removed unused cr variable.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-10 10:13:55 +00:00
Madhu Rajanna
9a96370942 cephfs: implement purgeVolume with go-ceph
moved frm  ceph fs CLI to go-ceph for
purgeVolume.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-10 10:13:55 +00:00
Madhu Rajanna
34d0ff0d70 cephfs: make purgeVolume method of volumeOptions
converted purgeVolume from function to method
of volumeOptions.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-10 10:13:55 +00:00
Madhu Rajanna
eeec1213cb rebase: update go-ceph to v0.7.0
updating go-ceph to latest 0.7.0
release.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-10 10:13:55 +00:00
Madhu Rajanna
97acd47ae9 build: remove ENV_CSI_IMAGE_VERSION from deploy.sh
as we are defining the image version in the
build.env use the same to build images.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-09 17:14:19 +00:00
Madhu Rajanna
cd96b3359b build: use CSI_IMAGE_VERSION in makefile
updated makefile to use CSI_IMAGE_VERSION
from build.env
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-09 17:14:19 +00:00
Madhu Rajanna
e82cd8339c build: add CSI_IMAGE_VERSION to build.env
CSI_IMAGE_VERSION is needed by makefile and
the centos CI to push the image to the minikube vm.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-09 17:14:19 +00:00
Niels de Vos
bccd5cef46 e2e: validate storing of csi.volume.owner attribute
The csi.volume.owner should get stored when the csi-provisioner sidecar
passes additional metadata. This option is now enabled by default, so
the owner (Kubernetes Namespace) of RBD images is expected to be
available.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 13:58:48 +00:00
Niels de Vos
16cb43f0f9 rbd: store csi.storage.k8s.io/pvc/namespace metadata as Owner
The Owner of an RBD image (Kubernetes Namespace, tenant) can be used to
identify additional configuration options. This will be used for
fetching the right Vault Token when encrypting/decrypting volumes.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 13:58:48 +00:00
Niels de Vos
0e6443e4c1 deploy: add --extra-create-metadata arg to csi-provisioner sidecar
This argument in csi-provisioner sidecar allows us to receive pv/pvc
name/namespace metadata in the createVolume() request.

For ex:

    csi.storage.k8s.io/pvc/name
    csi.storage.k8s.io/pvc/namespace
    csi.storage.k8s.io/pv/name

This is a useful information which can be used depend on the use case we
have at our driver. The features like vault token enablement for multi
tenancy, RBD mirroring ..etc can consume this based on the need.

Refer: #1305
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 13:58:48 +00:00
Madhu Rajanna
68adacad36 build: update CSI_IMAGE_VERSION in deploy.sh
update deploy.sh to use correct CSI_IMAGE_VERSION
from the build.env.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-09 17:49:00 +05:30
Niels de Vos
09fac4d9e2 e2e: fix kubectl_retry to not return a stale error
While deploying Rook, there can be issues when the environment is not
completely settled yet. On occasion the 1st kubectl command fails with

    The connection to the server ... was refused - did you specify the right host or port?

This would set the 'ret' variable to a non-zero value, before the next
retry of the kubectl command is done. In case the kubectl command
succeeds, the 'ret' variable still contains the old non-zero value, and
kubectl_retry returns the incorrect result.

By setting the 'ret' variable to 0 before calling kubectl again, this
problem is prevented.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 11:50:24 +00:00
Niels de Vos
9160a5309e cleanup: standardize error format in VaultKMS.GetPassphrase()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
e3ea8ca0b1 cleanup: standardize error format in util.GetTopologyFromDomainLabels()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
6d5de7458d cleanup: standardize error format in util.k8sGetNodeLabels()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
752841d213 cleanup: standardize error format in util.readClusterInfo()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
3dfe65d17c cleanup: return error type in GetCryptoPassphrase()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
c8c8176a37 cleanup: return error type in util.storeKey()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
f8ebc6aa3f cleanup: return error type in ensureEncryptionMetadataSet()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
d8e443ab49 cleanup: return error type in cleanupRBDImageMetadataStash()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
f262673b60 cleanup: return error type in lookupRBDImageMetadataStash()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
8e589587ae cleanup: return error type in stashRBDImageMetadata()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
57ce07f54e cleanup: return error type in updateVolWithImageInfo()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
610162b5f4 cleanup: return error type in genVolFromVolumeOptions()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
729e2419ef cleanup: return error type in detachRBDImageOrDeviceSpec()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
7eae69f10c cleanup: return error type in rbdGetDeviceList()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
4dde3fc9e0 cleanup: return error type in encryptDevice()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
d6fb8f302d cleanup: return error type in NodeServer.processEncryptedDevice()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
8019e4d1bc rbd: return CSI status-error on resize failure
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
65a10fd553 cleanup: standardize error format in NodeServer.NodeStageVolume()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
cc3f146ad1 cleanup: return error type in rbdVolume.checkCloneImage()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
37471c7a5f cleanup: return error type in ReconcilePersistentVolume.getCredentials()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
a7a928d7ec cleanup: return error from execCommandErr() in bindMount()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Madhu Rajanna
518ccf42b3 deploy: add option to set default-fstype in provisioner
external-provisioner is exposing a new argument
to set the default fstype while starting the provisioner
sidecar, if the fstype is not specified in the storageclass
the default fstype will be applied for the pvc created from
the storageclass.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-08 16:09:25 +00:00
Madhu Rajanna
7d3bff0654 e2e: enable topology based provisioning
as we are testing the topology based
provisioning in our E2E, we need to set
topology=true in E2E.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-08 16:09:25 +00:00
Madhu Rajanna
e3d1ba7703 deploy: set topology=false in provisioner sidecar
with csi-provisioner v2.x the topology based
provisioning will not have any backward compatibility
with older version of kubernetes, if the nodes are
not labeled with topology keys, the pvc creation
is going to get fail with error `accessibility
requirements: no available topology found`, disabling
the topology based provisioning by default, if user want
to use it he can always enable it.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-08 16:09:25 +00:00
Madhu Rajanna
1c469fa522 doc: update new release matrix
updating the readme with latest release
image and version.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-08 10:43:06 +00:00
Madhu Rajanna
72fa77a6d7 ci: add mergify rules for release-v3.2
added mergify rules for backporting and
for auto merging the PR.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-08 11:25:16 +01:00
Mudit Agarwal
a92d8d7f2e deploy: update csi sidecar images
This PR makes the changes in csi templates and
upgrade documentation required for updating
csi sidecar images.

Signed-off-by: Mudit Agarwal <muagarwa@redhat.com>
2020-12-08 10:23:34 +00:00
Mudit Agarwal
ba8ead6e04 doc: add upgrade document for 3.2
Added upgrade document for 3.2 with a separate section on
CSI sidecar containers update.

Signed-off-by: Mudit Agarwal <muagarwa@redhat.com>
2020-12-07 15:16:46 +00:00
Madhu Rajanna
43fde0a30a cleanup: add a helper function storeImageID
added a helper function storeImageID to reduce
code duplication.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-07 11:03:27 +00:00
Madhu Rajanna
b2fb43b335 cleanup: reduce the code complexity of controller
created a new helper function to getCredentials.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-07 11:03:27 +00:00