Commit Graph

4375 Commits

Author SHA1 Message Date
Niels de Vos
4937e59c4d rbd: add backwards compatible encryption in NodeStageVolume
When a volume was provisioned by an old Ceph-CSI provisioner, the
metadata of the RBD image will contain `requiresEncryption` to indicate
a passphrase needs to be created. New Ceph-CSI provisioners create the
passphrase in the CreateVolume request, and set `encryptionPrepared`
instead.

When a new node-plugin detects that `requiresEncryption` is set in the
RBD image metadata, it will fallback to the old behaviour.

In case `encryptionPrepared` is read from the RBD image metadata, the
passphrase is used to cryptsetup/format the image.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-17 17:51:13 +00:00
Niels de Vos
ee79b22c97 rbd: move encryption function to encryption.go
This adds internal/rbd/encryption.go which will be used to include other
encryption functionality to support additional KMS related functions. It
will work together with the shared API from internal/util/kms.go.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-17 17:51:13 +00:00
Niels de Vos
dc81e001cf cleanup: remove unused MissingPassphrase error type
Storing a passphrase is now done while the volume is created. There is
no need to (re)generate a passphrase when it can not be found.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-17 17:51:13 +00:00
Niels de Vos
9b6c2117f3 rbd: set encryption passphrase on CreateVolume
Have the provisioner create the passphrase for the volume, instead of
doign it lazily at the time the volume is used for the 1st time. This
prevents potential races where pods on different nodes try to store
different passphrases at the (almost) same time.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-17 17:51:13 +00:00
Niels de Vos
47c6223b3a e2e: track deletion of PVC and PV more closely
When passing a pointer to a PVC and PV, the status of the deleted
objects is not logged correctly. The `PersistentVolumeClaim.Status` and
`PersistedVolume.Status` that is added to the logs contain the status of
the initially created object (reference to the PVC/PV). When the PVC/PV
is removed, there is no guarantee that the object is updated.

Logs show an empty (nullified) `PersistentVolumeClaim.Status`, which is
not helpful. Instead, use the returned PVC/PV from the `Get()` function
and use that for further logging. Even when the `.Status` struct from
the PVC/PV gets wiped, the returned object should have correct details.

Updates: #1874
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-17 12:24:31 +00:00
Niels de Vos
ff728eaf0d e2e: error out in case deploying Hashicorp Vault fails
Failures when deploying Hashicorp Vault are logged as informative. This
means that testing will continue, even if Vault will not be available.

Instead of logging the errors as INFO, use FAIL so that tests are not
run and the problems are identified early and obviously.

Updates: #1795
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-17 08:50:40 +00:00
Niels de Vos
a42c4b5855 util: convert VAULT_SKIP_VERIFY to "vaultCAVerify" KMS option
"VAULT_SKIP_VERIFY" is a standard Hashicorp Vault environment variable
(a string) that needs to get converted to the "vaultCAVerify"
configuration option in the Ceph-CSI format.

The value of "VAULT_SKIP_VERIFY" means the reverse of "vaultCAVerify",
this part was missing in the original conversion too.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-16 13:05:47 +00:00
Mudit Agarwal
8ab9189760 build: update rook version to v1.4.9
Updated rook version to v1.4.9

Signed-off-by: Mudit Agarwal <muagarwa@redhat.com>
2021-02-15 09:11:44 +00:00
Mudit Agarwal
0b29d3b247 ci: update rook.sh and ceph cluster version
Changes:
1. Add a variable in build.env for rook ceph cluster version.
2. Modify rook.sh so that it can deploy ceph cluster with
   desirable version also rather than the one which rook installs
   by default.
3. Remove the code which is no longer required:
   a. Code which was added to test snapshot feature.
   b. Code which was required because
      https://github.com/rook/rook/pull/5925 was not fixed.

Signed-off-by: Mudit Agarwal <muagarwa@redhat.com>
2021-02-15 09:11:44 +00:00
Niels de Vos
d534ee9ce8 rbd: include rados-namespace when calling addRbdManagerTask()
It seems that calls to addRbdManagerTask() do not include the
rados-namespace in the image location. Functions calling
addRbdManagerTask() construct the image location themselves, but should
use rbdVolume.String() to include all the attributes.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-12 12:02:14 +00:00
Niels de Vos
8d0b39e690 rbd: log error when scheduling flattening fails
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-12 12:02:14 +00:00
Niels de Vos
5bcd5cb928 e2e: use secret with "encryptionPassphrase" for RBD tests
The e2e tests create a Secret for using with the RBD StorageClass.
However this Secret was not used, instead the Rook generated Secret was
linked in the StorageClass.

By using our own Secret from the examples, Rook should not touch it when
we make modifications. In addition, no modifications are needed for
encryption anymore, as these are included in the example.

Updates: #1795
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-12 12:02:14 +00:00
Madhu Rajanna
1aaccd0e5a e2e: add validation for subvolumePath
as we are adding the subvolumepath to the
PV spec. this commits adds an E2E testing
to verify it.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-11 11:31:22 +00:00
Madhu Rajanna
8cd901d2dd cephfs: add subvolume path to volume context
There are many usecases with adding the subvolume
path to the PV object. the volume context returned
in the createVolumeResponse is added to the PV object
by the external provisioner.

More Details about the usecases are in below link
https://github.com/rook/rook/issues/5471

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-11 11:31:22 +00:00
Niels de Vos
6256be0ce0 e2e: increase runtime timeout to 90 minutes
Sometimes testing takes more than 60 minutes. When that is the case, the
60 minute timeout causes a golang panic in the test suite.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-10 14:25:17 +00:00
Niels de Vos
0bc4ddde3e e2e: use "--cni=bridge" when starting minikube
It seems that recent minikube versions changed something in the
networking, and that prevents

    $ ceph fs subvolumegroup create myfs testGroup

from working. Strangely RBD is not impacted. Possibly something is
confusing the CephMgr pod that handles the CephFS admin commands.

Using the "bridge" CNI seems to help, CephFS admin commands work with
this in minikube.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-10 14:25:17 +00:00
Madhu Rajanna
2587a28112 rebase: update minikube to latest version
As minikube 1.17.1 is released and updating
the minikube to the latest available version.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-10 14:25:17 +00:00
Mudit Agarwal
32d78c4f7f rebase: update go-ceph to v0.8.0
Updating go-ceph to v0.8.0.

Signed-off-by: Mudit Agarwal <muagarwa@redhat.com>
2021-02-10 05:23:01 +00:00
Madhu Rajanna
e6098520d1 rbd: add configmap get clusterrole for provisioner
as provisioner need to get the configmap from
different namespace to check tenant configuration.
added the clusterrole get access for the same.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Madhu Rajanna
dd6ce7b441 rbd: fix error check when reading vaultCAFromSecret
check correct error variable when reading
vaultCAFromSecret.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Madhu Rajanna
e9782d86ad rbd: fix incorrect reading of client cert key
fix incorrect reading of client cert key.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Madhu Rajanna
f63ccb0cce rbd: store VaultCAVerify as a string
storing VaultCAVerify as a string.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Madhu Rajanna
bf5c36822f rbd: set tenant in kms object
the tenant/namespace is needed to read the certificates,
this commit sets the tenant in kms object.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Madhu Rajanna
22ae4a0b16 rbd: change key in secret for cert and tls
currently, the keys for kms certificates/keys in a
secret is ca.cert, tls.cert and
tls.key, this commit changes the key from ca.cert
and tls.cert to cert and tls.key to key.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Madhu Rajanna
b370d9afb6 rbd: unmarshal the data read from file
if are reading the kms data from the file.
than only we need to unmarshal. If we are reading
from the configmap it already returns the unmarshal
data.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Matthias Neugebauer
50a720f13d helm: Fix plugin socket path
PR #1736 made the kubelet path configurable. It also introduced a change in
the path to the CSI socket. By default the path is now
`/var/lib/kubelet/cephfs.csi.ceph.com/csi.sock` instead of
`/var/lib/kubelet/plugins/cephfs.csi.ceph.com/csi.sock`. This PR
restores the old default.

Signed-off-by: Matthias Neugebauer <matthias.neugebauer@uni-muenster.de>
2021-02-04 04:57:15 +00:00
Niels de Vos
582d004ca5 util: store EnvVaultInsecure as string, not bool
The configuration option `EnvVaultInsecure` is expected to be a string,
not a boolean. By converting the bool back to a string (after
verification), it is now possible to skip the certificate validation
check by setting `vaultCAVerify: false` in the Vault configuration.

Fixes: #1852
Reported-by: Bryon Nevis <bryon.nevis@intel.com>
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-02 11:24:28 +00:00
Niels de Vos
df81022349 rbd: add support for VAULT_SKIP_VERIFY in KMS ConfigMap
When the KMS VaultTokens is configured through a Kubernetens ConfigMap,
the `VAULT_SKIP_VERIFY` option was not taken into account. The option
maps to the `vaultCAVerify` value in the configuration file, but has the
reverse meaning.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-01 13:09:54 +00:00
Mudit Agarwal
d480eb4bda cephfs: ignore BytesQuota field in case it is not set.
This can happen when the subvolume is in snapshot-retained state.
We should not return error for such case as it is a valid situation.

Signed-off-by: Mudit Agarwal <muagarwa@redhat.com>
2021-02-01 09:20:53 +00:00
Madhu Rajanna
584a43dc2c rbd: fix issue in ENV variable check
Currently cephcsi is returning an error
if the ENV variable is set, but it should not.
This commit fixes the the POD_NAMESPACE env
variable issue and as well as the KMS_CONFIG_NAME
ENV variable.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-01-29 10:00:12 +00:00
Niels de Vos
0b7521162c cleanup: rewrite ifElseChains to switch statements
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-01-27 13:03:56 +00:00
Matt Brown
123a26abb3 deploy, helm: enable secret watch in rbac
enables secret ''watch'' rbac permission for ceph-csi-rbd-provisioner role. Fixes 1841.

Signed-off-by: Matt Brown <matthewbrown18@gmail.com>
2021-01-26 15:41:11 +00:00
liulei3
94fc931d44 doc: remove redundant word
Signed-off-by: liulei3 <liulei3@360.cn>
2021-01-25 09:57:12 +00:00
Prasanna Kumar Kalever
0d5efe9147 doc: add more example formats to run e2e tests
Added more example to run e2e and functional tests using `go test` and
`make` commands.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2021-01-20 12:29:59 +00:00
Flemming Frandsen
47e12a6b6c doc: explain why certain features are unsupported
Signed-off-by: Flemming Frandsen <dren.dk@gmail.com>
2021-01-15 13:10:38 +00:00
Mudit Agarwal
0339df2b02 rebase: update golang version to v1.15.5
To fix math/big CVE, this version of golang has the fix
for this vulnerability.

Signed-off-by: Mudit Agarwal <muagarwa@redhat.com>
2021-01-11 10:05:59 +00:00
Ilya Dryomov
04644c1d58 rbd: enable mapping and unmapping from a network namespace
Make rbdplugin pod work in a non-initial network namespace (i.e. with
"hostNetwork: false") by skipping waiting for udev events when mapping
and unmapping images.  CSI use case is very simple: all that is needed
is a device node which is immediately fed to mkfs, so we should be able
to tolerate udev not being finished with the device just fine.

Fixes: #1323
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2021-01-07 15:34:05 +00:00
Ilya Dryomov
c2493686b7 rbd: introduce appendDeviceTypeAndOptions()
Factor out --device-type and --options formatting.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2021-01-07 15:34:05 +00:00
Ilya Dryomov
d3f31187fc rbd: rename ndbType parameter
Fix "ndb" typo.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2021-01-07 15:34:05 +00:00
Ilya Dryomov
5631b83dd0 rbd: rename mapOptions and options argument slices
With the new support for passing --options, referring to ExecCommand()
argument slices as mapOptions and options is confusing.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2021-01-07 15:34:05 +00:00
Seena Fallah
1f17d25407 e2e: add filesystem PVC resize test for radosNamespace
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
2021-01-05 11:26:09 +00:00
Seena Fallah
fdec9f65b8 rbd: fix namespace json parser for xbdDeviceInfo
rbd device list --format=json returns namespace as a namespace not radosNamespace

Signed-off-by: Seena Fallah <seenafallah@gmail.com>
2021-01-05 11:26:09 +00:00
Yati Padia
995879d349 cephfs: use enum to check resize is supported or not
Currently, we are using bool pointer to find out
the ceph cluster supports resize or not. This
commit replaces the bool pointer with enum.

Signed-off-by: Yati Padia <ypadia@redhat.com>

Fixes#1764
2021-01-04 04:42:58 +00:00
Niels de Vos
61a16012b7 build: only use --cpuset options when the cgroup controller is available
Fixes: #1670
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-23 02:53:51 +00:00
Niels de Vos
90966597b4 ci: require ci/centos/mini-e2e/k8s-1.20 for merging
k8s-1.20 CI jobs seem stable, so there is nothing preventing us from
requiring v1.20 for test results. v1.18 jobs will be removed from the CI
environment, so that version will not be required anymore.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-18 12:05:10 +05:30
Madhu Rajanna
9c7176dbb4 rbd: update mount packges in import path
mount packges is moved from
k8s.io/utils/mount to a new repository
k8s.io/mount-utils. updated code to use
the same.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-17 16:04:54 +00:00
Madhu Rajanna
1db3f03856 e2e: IsRetryableAPIError is not available in kubernetes 1.20.0
IsRetryableAPIError is not available in latest
kubernetes release ie 1.20.0 created a internal
function called isRetryableAPIError for the same.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-17 16:04:54 +00:00
Madhu Rajanna
83559144b1 rebase: update kubernetes to v1.20.0
updated kubernetes packages to latest
release.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-17 16:04:54 +00:00
Niels de Vos
4abe128bd8 e2e: log events from deployment namespace
When tests run and something goes wrong during deployment, not all
information is available. Logging the events from the namespace where
Ceph-CSI (and Vault) is deployed, might help with troubleshooting.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-17 11:40:57 +00:00
Niels de Vos
dd29c6c06b deploy: allow rbd nodeplugin to read ConfigMaps from Tenants
Tenants can have their own ConfigMap that contains connection parameters
to the Vault Service where the PV encyption keys are located. It is
possible for a Tenant to use a different Vault Service than the one
configured by the Storage Admin who deployed Ceph-CSI.

For this, the node-plugin needs to be able to read the ConfigMap from
the Tenants namespace.

See-also: docs/design/proposals/encryption-with-vault-tokens.md
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-16 16:45:29 +00:00