As we have successful runs with kubernetes
1.25 Marking is as default for CI jobs and
required for merging PR.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
As we need to test with last 3 Kubernetes
releases removing Kubernetes 1.22
as we have 1.23, 1.24 and 1.25
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
remove the podsecurity feature-gate
from minikube.sh, because of it
kubernetes 1.25.0 deployment is failing
fixes: #3358
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
When we do stat on the targetpath, if there is
any error we can check is it due to corruption.
If yes, cephcsi can return abnormal in the
NodeGetVolumeStats so that consumer (CO/admin)
and detect and take further action.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
When we do stat on the targetpath, if there is
any error we can check is it due to corruption.
If yes, cephcsi can return abnormal in the
NodeGetVolumeStats so that consumer (CO/admin)
and detect and take further action.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
based on the discussion on the slack
channel. we are adding a github action
to trigger the CI jobs when a ok-to-test
label is added on the PR.
This action is based on below github action
https://github.com/peter-evans/create-or-update-comment
Sample Demo avaiable at
https://github.com/Madhu-1/
\label-commentor-action-testing/pull/4
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
To avoid subvolume leaks if the SetAllMetadata
operations fails delete the subvolume.
If any operation fails after creating the subvolume
we will remove the omap as the omap gets
removed we will need to remove the subvolume to
avoid stale resources.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
A vulnerability was found in golang.org/x/text/language package which
could cause a denial of service. An attacker can craft an
Accept-Language header which ParseAcceptLanguage will take significant
time to parse.
Version v0.3.8 of golang.org/x/text fixes a vulnerability.
See-also: https://go.dev/issue/56152
See-also: https://bugzilla.redhat.com/CVE-2022-32149
Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit makes the following changes:
`Please replace \":code_blocks => false\" \`
`by \":ignore_code_blocks => true\" in your configuration.`
Some rules are ignore for the time being,
these will be fixed later on.
Signed-off-by: Rakshith R <rar@redhat.com>
Add test-rbd-fscrypt feature flag to e2e suite. Default disabled as
the current CI system's kernel doesn't have the required features
enabled.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Replace `By` with `ByFileAndBlockEncryption` in all encryption related
tests to parameterize them to file and block encryption.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Add a `By` wrapper to parameterize encryption related test functions
and run them on both block and file encryption
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Different places have different meaningful fallback. When parsing
from user we should default to block, when parsing stored config we
should default to invalid and handle that as an error.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Integrate basic fscrypt functionality into RBD initialization. To
activate file encryption instead of block introduce the new
'encryptionType' storage class key.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Call Mount.Setup with SingleUserWritable constant instead of 0o755,
which is silently ignored and causes the /.fscrypt/{policy,protector}/
directories to have mode 000.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Revert once our google/fscrypt dependency is upgraded to a version
that includes https://github.com/google/fscrypt/pull/359 gets accepted
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Use constant protector name 'ceph-csi' instead of constant prefix
concatenated with the volume ID. When cloning volumes the ID changes
and fscrypt protected directories become inunlockable due to the
protector name change
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
NewContextFrom{Mountpoint,Path} functions use cached
`/proc/self/mountinfo` to find mounted file systems by device ID.
Since we run fscrypt as a library in a long-lived process the cached
information is likely to be stale. Stale entries may map device IDs to
mount points of already destroyed RBDs and fail context creation.
Updating the cache beforehand prevents this.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Currently fscrypt supports policies version 1 and 2. 2 is the best
choice and was the only choice prior to this commit. This adds support
for kernels < 5.4, by selecting policy version 1 there.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Fetch password when keyFn is invoked, not when it is created. This
allows creation of the keyFn before actually creating the passphrase.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Fetch keys from KMS before doing anything else. This will catch KMS
errors before setting up any fscrypt metadata.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>