Commit Graph

9 Commits

Author SHA1 Message Date
Kevin Fox
d4c4954c9d Support externally managed configmap.
https://github.com/ceph/ceph-csi/issues/927

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
2020-04-10 08:55:21 -07:00
Madhu Rajanna
bcd646ee55 Deprecate grpc metrics in ceph-csi
As kubernetes CSI sidecar is exposing the
GRPC mertics we can make use of the same in
ceph-csi we dont need to expose our own.

update: #881

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-04-01 11:59:37 +00:00
Vasyl Purchel
419ad0dd8e Adds per volume encryption with Vault integration
- adds proposal document for PVC encryption from PR448
- adds per-volume encription by generating encryption passphrase
  for each volume and storing it in a KMS
- adds HashiCorp Vault integration as a KMS for encryption passphrases
- avoids encrypting volume second time if it was already encrypted but
  no file system created
- avoids unnecessary checks if volume is a mapped device when encryption
  was not requested
- prevents resizing encrypted volumes (it is not currently supported)
- prevents creating snapshots from encrypted volumes to prevent attack
  on encryption key (security guard until re-encryption of volumes
  implemented)

Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com
Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com

Fixes #420
Fixes #744
2020-02-05 05:18:56 +00:00
Jakub Kuzelka
1adef00c86 Repair typo in host-mount and host-dev definition. It was swithced between each other and actually there is not possible to deploy nodeplugin-daemonset via helm chart. 2020-01-29 16:00:10 +00:00
Madhu Rajanna
eb2fb9233b Add run hostpath to daemonset pods
`/run/mount` need to be share between host and
csi-plugin containers for `/run/mount/utab`

this is required to ensures that the network
is not stopped prior to unmounting the network devices.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-01-28 16:50:18 +00:00
Madhu Rajanna
e0cc7740f6 CSI: run all containers as privileged in daemonset pods
On systems with SELinux enabled, non-privileged containers
can't access data of privileged containers. Since the socket
is exposed by privileged containers, all sidecars must be
privileged too. This is needed only for containers running
in daemonset as we are using bidirectional mounts in daemonset

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-01-13 13:21:29 +00:00
Madhu Rajanna
4d28a981fc Remove hard-coded UpdateStrategy from templates
Provided an option to specify the UpdateStrategy
in helm  charts.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-01-05 08:05:06 +00:00
Jorge Isnardo Altamirano
dccbf484a8 fixed toYaml 2019-12-03 13:36:44 +00:00
wilmardo
6ee381db3a refactor: Merge 1.13 and 1.14 Helm charts and improve charts
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2019-09-27 05:49:18 +00:00