ivampiresp/longhorn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

change secret name to align with storage class name

Browse Source 
Signed-off-by: Khushboo <fnu.khushboo@suse.com>
This commit is contained in:
Khushboo 2021-11-11 14:16:03 -08:00 committed by David Ko
parent 5cdd5ddebd
commit 98e1e17c3b
1 changed files with 21 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
enhancements/20210726-pv-encryption.md
View File

@ -34,7 +34,7 @@ therefore the only user story that is mentioned is
how to create and use an encrypted volume.
#### Create and use an encrypted volume
- create a storage class with (secure=true) and either a global secret or a per volume secret
- create a storage class with (encrypted=true) and either a global secret or a per volume secret
- create the secret for that volume in the configured namespace
- create a pvc that references the created storage class
- volume will be created then encrypted during first use
@ -43,7 +43,7 @@ how to create and use an encrypted volume.
### User Experience In Detail
Creation and usage of an encrypted volume requires 2 things:
- the storage class needs to specify `secure: "true"` as part of its parameters.
- the storage class needs to specify `encrypted: "true"` as part of its parameters.
- secrets need to be created and reference for the csi operations need to be setup.
- see below examples for different types of secret usage.
@ -53,28 +53,28 @@ And the side cars will retry secret retrieval periodically, once it's available
`Controller::CreateVolume` and pass the secret after which longhorn will create a volume.
#### Create storage class that utilizes a global secret (all volumes use the same key)
The below storage class uses a global secret named `longhorn-secure` in the `longhorn-system` namespace.
The below storage class uses a global secret named `longhorn-crypto` in the `longhorn-system` namespace.
```yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: longhorn-secure-global
name: longhorn-crypto-global
provisioner: driver.longhorn.io
allowVolumeExpansion: true
parameters:
numberOfReplicas: "3"
staleReplicaTimeout: "2880" # 48 hours in minutes
fromBackup: ""
secure: "true"
csi.storage.k8s.io/provisioner-secret-name: "longhorn-secure"
encrypted: "true"
csi.storage.k8s.io/provisioner-secret-name: "longhorn-crypto"
csi.storage.k8s.io/provisioner-secret-namespace: "longhorn-system"
csi.storage.k8s.io/node-publish-secret-name: "longhorn-secure"
csi.storage.k8s.io/node-publish-secret-name: "longhorn-crypto"
csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
csi.storage.k8s.io/node-stage-secret-name: "longhorn-secure"
csi.storage.k8s.io/node-stage-secret-name: "longhorn-crypto"
csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"
```
The global secret reference by the `longhorn-secure-global` storage class.
The global secret reference by the `longhorn-crypto-global` storage class.
This type of setup means that all volumes share the same encryption key.
```yaml
apiVersion: v1
@ -83,7 +83,7 @@ metadata:
name: longhorn-crypto
namespace: longhorn-system
stringData:
CRYPTO_KEY_VALUE: "Simple secure passphrase"
CRYPTO_KEY_VALUE: "Simple passphrase"
CRYPTO_KEY_PROVIDER: "secret" # this is optional we currently only support direct keys via secrets
```
@ -94,14 +94,14 @@ These templates will be resolved by the external sidecars and the resolved value
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: longhorn-secure-per-volume
name: longhorn-crypto-per-volume
provisioner: driver.longhorn.io
allowVolumeExpansion: true
parameters:
numberOfReplicas: "3"
staleReplicaTimeout: "2880" # 48 hours in minutes
fromBackup: ""
secure: "true"
encrypted: "true"
csi.storage.k8s.io/provisioner-secret-name: ${pvc.name}
csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
csi.storage.k8s.io/node-publish-secret-name: ${pvc.name}
@ -112,9 +112,9 @@ parameters:
### API changes
add a `Secure` boolean to the `Volume` struct utilized by the http client,
this ends up being stored in `Volume.Spec.Secure` of the volume cr.
Storing the `Secure` value is necessary to support encryption for RWX volumes.
add a `Encrypted` boolean to the `Volume` struct utilized by the http client,
this ends up being stored in `Volume.Spec.encrypted` of the volume cr.
Storing the `Encrypted` value is necessary to support encryption for RWX volumes.
## Design
@ -122,7 +122,7 @@ Storing the `Secure` value is necessary to support encryption for RWX volumes.
Host requires `dm_crypt` kernel module as well as `cryptsetup` installed.
We utilize the below parameters from a secret, `CRYPTO_KEY_PROVIDER` allows us in the future to add other key management systems.
```yaml
CRYPTO_KEY_VALUE: "Simple secure passphrase"
CRYPTO_KEY_VALUE: "Simple passphrase"
CRYPTO_KEY_PROVIDER: "secret" # this is optional we currently only support direct keys via secrets
```
@ -140,21 +140,21 @@ We utilize the below parameters from a secret, `CRYPTO_KEY_PROVIDER` allows us i
### Test plan
#### Successful Creation of an encrypted volume
- create a storage class with (secure=true) and either a global secret or a per volume secret
- create a storage class with (encrypted=true) and either a global secret or a per volume secret
- create the secret for that volume in the configured namespace
- create a pvc that references the created storage class
- create a pod that uses that pvc for a volume mount
- wait for pod up and healthy
#### Missing Secret for encrypted volume creation
- create a storage class with (secure=true) and either a global secret or a per volume secret
- create a storage class with (encrypted=true) and either a global secret or a per volume secret
- create a pvc that references the created storage class
- create a pod that uses that pvc for a volume mount
- verify pvc remains in pending state
- verify pod remains in creation state
#### Verify encryption of volume
- create a storage class with (secure=true) and either a global secret or a per volume secret
- create a storage class with (encrypted=true) and either a global secret or a per volume secret
- create the secret for that volume in the configured namespace
- create a pvc that references the created storage class
- create a pod that uses that pvc for a volume mount
@ -163,7 +163,7 @@ We utilize the below parameters from a secret, `CRYPTO_KEY_PROVIDER` allows us i
- verify absence (grep) of known test pattern after reading block device content `/dev/longhorn/<volume-name>`
#### Verify wrong key failure
- create a storage class with (secure=true) and either a global secret or a per volume secret
- create a storage class with (encrypted=true) and either a global secret or a per volume secret
- create the secret for that volume in the configured namespace
- create a pvc that references the created storage class
- create a pod that uses that pvc for a volume mount
@ -180,4 +180,4 @@ We utilize the below parameters from a secret, `CRYPTO_KEY_PROVIDER` allows us i
- Host requires `dm_crypt` kernel module as well as `cryptsetup` installed.
- [csi sidecars and secrets](https://kubernetes-csi.github.io/docs/secrets-and-credentials.html)
- supporting external key vaults is possible in the future with some additional implementation
- support rotating keys is possible in the future with some additional implementation
- support rotating keys is possible in the future with some additional implementation