Niels de Vos
e4b16a5c72
util: allow tenants to (re)configure VaultTokens settings
A tenant can place a ConfigMap in their Kubernetes Namespace with
configuration options that differ from the global values (set by the
Storage Admin).
The ConfigMap needs to be located in the Tenant's namespace, as described
in the documentation.
See-also: docs/design/proposals/encryption-with-vault-tokens.md
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-16 13:42:52 +00:00
Madhu Rajanna
81061e9f68
util: add support for vault certificates
Added an option to pass the client certificate
and the client certificate key for the vault token
based encryption.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-16 11:01:15 +00:00
Niels de Vos
db15458d16
cleanup: use constant for "vault" KMS-type
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
cc5684dbd8
util: add support for Hashicorp Vault with Tokens per Tenant
Tenants (Kubernetes Namespaces) can use their own Vault Token to manage
the encryption keys for PVCs. The working is documented in #1743.
See-also: #1743
Closes: #1500
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
648f9ccf31
util: support vaultBackendPath and vaultTLSServerName options
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
8f91c672d4
util: add EncryptionKMS.Destroy()
Add a new method to the EncryptionKMS interface so that resources can be
freed when EncryptionKMS instances get freed.
With the move to using the libopenstorage API, a temporary file needs to
store the optional CA certificate. The Destroy() method of the
vaultConnection type now removes this file.
The rbdVolume uses the EncryptionKMS type now, so call the new Destroy()
method from within rbdVolume.Destroy().
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
eb1ef69cfb
util: allow updating settings of vaultConnection
Make it possible to call initConnection() multiple times. This enables
the VaultTokensKMS type to override global settings with options from a
per-tenant configuration.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
f08182e2fc
rbd: pass Owner to GetKMS()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
5bbab25a9f
util: move Secrets to vaultConnection
The Secrets is the main object to connect to Vault. This should be part
of the vaultConnection type.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
d28a5a5f23
util: pass map[string]interface{} to initialize KMS
This makes it possible to pass a more complex configuration to the
initialize functions for KMS's. The upcoming VaultTokensKMS can use
overrides for configuration options on a per-tenant basis. Without this
change, it would not be possible to consume the JSON configuration file.
See-also: #1743
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
43fa1cddb7
util: use helper function to parse Vault configuration
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Madhu Rajanna
0d9fcbc21b
cephfs: remove unused cr Credentials
removed unused cr variable.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-10 10:13:55 +00:00
Madhu Rajanna
9a96370942
cephfs: implement purgeVolume with go-ceph
moved from ceph fs CLI to go-ceph for
purgeVolume.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-10 10:13:55 +00:00
Madhu Rajanna
34d0ff0d70
cephfs: make purgeVolume method of volumeOptions
converted purgeVolume from function to method
of volumeOptions.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-10 10:13:55 +00:00
Niels de Vos
16cb43f0f9
rbd: store csi.storage.k8s.io/pvc/namespace metadata as Owner
The Owner of an RBD image (Kubernetes Namespace, tenant) can be used to
identify additional configuration options. This will be used for
fetching the right Vault Token when encrypting/decrypting volumes.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 13:58:48 +00:00
Niels de Vos
9160a5309e
cleanup: standardize error format in VaultKMS.GetPassphrase()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
e3ea8ca0b1
cleanup: standardize error format in util.GetTopologyFromDomainLabels()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
6d5de7458d
cleanup: standardize error format in util.k8sGetNodeLabels()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
752841d213
cleanup: standardize error format in util.readClusterInfo()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
3dfe65d17c
cleanup: return error type in GetCryptoPassphrase()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
c8c8176a37
cleanup: return error type in util.storeKey()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
f8ebc6aa3f
cleanup: return error type in ensureEncryptionMetadataSet()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
d8e443ab49
cleanup: return error type in cleanupRBDImageMetadataStash()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
f262673b60
cleanup: return error type in lookupRBDImageMetadataStash()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
8e589587ae
cleanup: return error type in stashRBDImageMetadata()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
57ce07f54e
cleanup: return error type in updateVolWithImageInfo()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
610162b5f4
cleanup: return error type in genVolFromVolumeOptions()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
729e2419ef
cleanup: return error type in detachRBDImageOrDeviceSpec()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
7eae69f10c
cleanup: return error type in rbdGetDeviceList()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
4dde3fc9e0
cleanup: return error type in encryptDevice()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
d6fb8f302d
cleanup: return error type in NodeServer.processEncryptedDevice()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
8019e4d1bc
rbd: return CSI status-error on resize failure
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
65a10fd553
cleanup: standardize error format in NodeServer.NodeStageVolume()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
cc3f146ad1
cleanup: return error type in rbdVolume.checkCloneImage()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
37471c7a5f
cleanup: return error type in ReconcilePersistentVolume.getCredentials()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Niels de Vos
a7a928d7ec
cleanup: return error from execCommandErr() in bindMount()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 08:35:35 +00:00
Madhu Rajanna
43fde0a30a
cleanup: add a helper function storeImageID
added a helper function storeImageID to reduce
code duplication.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-07 11:03:27 +00:00
Madhu Rajanna
b2fb43b335
cleanup: reduce the code complexity of controller
created a new helper function to getCredentials.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-07 11:03:27 +00:00
Madhu Rajanna
e243c0006b
rbd: don't generate OMAP data for static volume
if the user has created a static PV for an RBD
image which is not created by CSI driver, don't
generate the OMAP data.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-07 11:03:27 +00:00
Madhu Rajanna
c40872df00
rbd: undo reservation in case of errors
If cephcsi encounters any error after
reservation, as a cleanup operation
it should revert back the reservation.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-07 11:03:27 +00:00
Madhu Rajanna
99dbe27921
rbd: return nil if the omap data exists
If the omap data already exists return nil.
so that omap generator will not try to reserve
anything again.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-07 11:03:27 +00:00
Madhu Rajanna
ebb413534f
cephfs: remove unused cr util.Credentials
remove unused cr util.Credentials variable.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-03 14:53:33 +00:00
Madhu Rajanna
0f451ed465
cephfs: implement getSnapshotInfo with go-ceph
implement getSnapshotInfo function with go-ceph
to get subvolume information.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-03 14:53:33 +00:00
Madhu Rajanna
ddf91de859
cephfs: implement clonesnapshot with go-ceph
updated ceph fs CLI implementation of cloning
with go-ceph.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-03 06:39:18 +00:00
Madhu Rajanna
814bf4459a
cephfs: implement snapshot protect and unprotect to go-ceph
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-03 06:39:18 +00:00
Niels de Vos
3433cefaa5
cleanup: standardize logging in deleteSnapshot
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-02 14:36:39 +00:00
Niels de Vos
294f7b22d4
cephfs: remove unused Credentials argument from deleteSnapshot()
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-02 14:36:39 +00:00
Niels de Vos
9d9b5b3303
cephfs: implement deleteSnapshot() with go-ceph
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-02 14:36:39 +00:00
Niels de Vos
032db78d8a
cephfs: make deleteSnapshot() a method of volumeOptions
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-02 14:36:39 +00:00
Niels de Vos
5883f244d2
cleanup: standardize logging in createSnapshot
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-02 13:18:47 +05:30