change secret name to align with storage class name

Signed-off-by: Khushboo <fnu.khushboo@suse.com>
Khushboo 2021-11-11 14:16:03 -08:00 committed by David Ko
parent 5cdd5ddebd
commit 98e1e17c3b


@ -34,7 +34,7 @@ therefore the only user story that is mentioned is
how to create and use an encrypted volume. how to create and use an encrypted volume.
#### Create and use an encrypted volume #### Create and use an encrypted volume
- create a storage class with (secure=true) and either a global secret or a per volume secret - create a storage class with (encrypted=true) and either a global secret or a per volume secret
- create the secret for that volume in the configured namespace - create the secret for that volume in the configured namespace
- create a pvc that references the created storage class - create a pvc that references the created storage class
- volume will be created then encrypted during first use - volume will be created then encrypted during first use
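Review bot: the first bullet of this hunk writes the parameter as `(encrypted=true)`, but the storage class examples later in the document declare it as `encrypted: "true"`; use the literal YAML form here (and in the identical test-plan bullets) so readers copy syntax that is accepted, since StorageClass parameters are strings and an unquoted `true` would be parsed as a boolean.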
@ -43,7 +43,7 @@ how to create and use an encrypted volume.
### User Experience In Detail ### User Experience In Detail
Creation and usage of an encrypted volume requires 2 things: Creation and usage of an encrypted volume requires 2 things:
- the storage class needs to specify `secure: "true"` as part of its parameters. - the storage class needs to specify `encrypted: "true"` as part of its parameters.
- secrets need to be created and reference for the csi operations need to be setup. - secrets need to be created and reference for the csi operations need to be setup.
- see below examples for different types of secret usage. - see below examples for different types of secret usage.
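Review bot: the second bullet in this hunk, "secrets need to be created and reference for the csi operations need to be setup", is hard to parse; suggest "the secret needs to be created, and the storage class needs to reference it for the CSI operations (provisioner, node-stage, node-publish)", which are the three operations the storage class examples below configure secret references for.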
@ -53,28 +53,28 @@ And the side cars will retry secret retrieval periodically, once it's available
`Controller::CreateVolume` and pass the secret after which longhorn will create a volume. `Controller::CreateVolume` and pass the secret after which longhorn will create a volume.
#### Create storage class that utilizes a global secret (all volumes use the same key) #### Create storage class that utilizes a global secret (all volumes use the same key)
The below storage class uses a global secret named `longhorn-secure` in the `longhorn-system` namespace. The below storage class uses a global secret named `longhorn-crypto` in the `longhorn-system` namespace.
```yaml ```yaml
kind: StorageClass kind: StorageClass
apiVersion: storage.k8s.io/v1 apiVersion: storage.k8s.io/v1
metadata: metadata:
name: longhorn-secure-global name: longhorn-crypto-global
provisioner: driver.longhorn.io provisioner: driver.longhorn.io
allowVolumeExpansion: true allowVolumeExpansion: true
parameters: parameters:
numberOfReplicas: "3" numberOfReplicas: "3"
staleReplicaTimeout: "2880" # 48 hours in minutes staleReplicaTimeout: "2880" # 48 hours in minutes
fromBackup: "" fromBackup: ""
secure: "true" encrypted: "true"
csi.storage.k8s.io/provisioner-secret-name: "longhorn-secure" csi.storage.k8s.io/provisioner-secret-name: "longhorn-crypto"
csi.storage.k8s.io/provisioner-secret-namespace: "longhorn-system" csi.storage.k8s.io/provisioner-secret-namespace: "longhorn-system"
csi.storage.k8s.io/node-publish-secret-name: "longhorn-secure" csi.storage.k8s.io/node-publish-secret-name: "longhorn-crypto"
csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system" csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
csi.storage.k8s.io/node-stage-secret-name: "longhorn-secure" csi.storage.k8s.io/node-stage-secret-name: "longhorn-crypto"
csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system" csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"
``` ```
The global secret reference by the `longhorn-secure-global` storage class. The global secret reference by the `longhorn-crypto-global` storage class.
This type of setup means that all volumes share the same encryption key. This type of setup means that all volumes share the same encryption key.
```yaml ```yaml
apiVersion: v1 apiVersion: v1
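Review bot: the sentence after the YAML block, "The global secret reference by the `longhorn-crypto-global` storage class.", is missing a verb; suggest "The global secret referenced by the `longhorn-crypto-global` storage class." The next sentence states that all volumes share the same encryption key; it would help operators to spell out the consequence, that disclosure of the `longhorn-crypto` secret exposes every volume provisioned from this class, which is the main reason to prefer the per-volume variant below where tenants should not share a key.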
@ -83,7 +83,7 @@ metadata:
name: longhorn-crypto name: longhorn-crypto
namespace: longhorn-system namespace: longhorn-system
stringData: stringData:
CRYPTO_KEY_VALUE: "Simple secure passphrase" CRYPTO_KEY_VALUE: "Simple passphrase"
CRYPTO_KEY_PROVIDER: "secret" # this is optional we currently only support direct keys via secrets CRYPTO_KEY_PROVIDER: "secret" # this is optional we currently only support direct keys via secrets
``` ```
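Review bot: the new `CRYPTO_KEY_VALUE: "Simple passphrase"` is still a dictionary phrase that will be copied verbatim from the docs; mark it as a placeholder with a comment such as `# replace with a long, randomly generated passphrase` so the example does not end up as a production key. The comment on the `CRYPTO_KEY_PROVIDER` line also runs two sentences together; suggest `# optional; currently only direct keys via secrets are supported`.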
@ -94,14 +94,14 @@ These templates will be resolved by the external sidecars and the resolved value
kind: StorageClass kind: StorageClass
apiVersion: storage.k8s.io/v1 apiVersion: storage.k8s.io/v1
metadata: metadata:
name: longhorn-secure-per-volume name: longhorn-crypto-per-volume
provisioner: driver.longhorn.io provisioner: driver.longhorn.io
allowVolumeExpansion: true allowVolumeExpansion: true
parameters: parameters:
numberOfReplicas: "3" numberOfReplicas: "3"
staleReplicaTimeout: "2880" # 48 hours in minutes staleReplicaTimeout: "2880" # 48 hours in minutes
fromBackup: "" fromBackup: ""
secure: "true" encrypted: "true"
csi.storage.k8s.io/provisioner-secret-name: ${pvc.name} csi.storage.k8s.io/provisioner-secret-name: ${pvc.name}
csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace} csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
csi.storage.k8s.io/node-publish-secret-name: ${pvc.name} csi.storage.k8s.io/node-publish-secret-name: ${pvc.name}
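Review bot: this per-volume class resolves `${pvc.name}` and `${pvc.namespace}` for each secret reference, so the secret must be created with exactly the PVC's name in the PVC's namespace, but the user story and test plan only say "create the secret for that volume in the configured namespace", which does not state that naming constraint. Suggest one sentence after the block, e.g. "For this class the secret must be named identically to the PVC and live in the PVC's namespace."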
@ -112,9 +112,9 @@ parameters:
### API changes ### API changes
add a `Secure` boolean to the `Volume` struct utilized by the http client, add a `Encrypted` boolean to the `Volume` struct utilized by the http client,
this ends up being stored in `Volume.Spec.Secure` of the volume cr. this ends up being stored in `Volume.Spec.encrypted` of the volume cr.
Storing the `Secure` value is necessary to support encryption for RWX volumes. Storing the `Encrypted` value is necessary to support encryption for RWX volumes.
## Design ## Design
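Review bot: the field name is inconsistent within this hunk: the first line introduces an `Encrypted` boolean and the third line stores the `Encrypted` value, but the second line writes `Volume.Spec.encrypted` in lower case. An exported Go struct field is capitalised, so this should read `Volume.Spec.Encrypted` unless the lower-case form is meant to be the JSON tag, in which case say so. Also "add a `Encrypted`" should be "add an `Encrypted`".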
@ -122,7 +122,7 @@ Storing the `Secure` value is necessary to support encryption for RWX volumes.
Host requires `dm_crypt` kernel module as well as `cryptsetup` installed. Host requires `dm_crypt` kernel module as well as `cryptsetup` installed.
We utilize the below parameters from a secret, `CRYPTO_KEY_PROVIDER` allows us in the future to add other key management systems. We utilize the below parameters from a secret, `CRYPTO_KEY_PROVIDER` allows us in the future to add other key management systems.
```yaml ```yaml
CRYPTO_KEY_VALUE: "Simple secure passphrase" CRYPTO_KEY_VALUE: "Simple passphrase"
CRYPTO_KEY_PROVIDER: "secret" # this is optional we currently only support direct keys via secrets CRYPTO_KEY_PROVIDER: "secret" # this is optional we currently only support direct keys via secrets
``` ```
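Review bot: the secret snippet in this hunk duplicates the one under the global-secret example, including the placeholder passphrase; whatever placeholder comment is used there should be used here too, or this block could be replaced by a reference to the earlier one so the two cannot drift. The prose line above it is a comma splice; suggest "We use the parameters below from a secret; `CRYPTO_KEY_PROVIDER` allows us in the future to add other key management systems."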
@ -140,21 +140,21 @@ We utilize the below parameters from a secret, `CRYPTO_KEY_PROVIDER` allows us i
### Test plan ### Test plan
#### Successful Creation of an encrypted volume #### Successful Creation of an encrypted volume
- create a storage class with (secure=true) and either a global secret or a per volume secret - create a storage class with (encrypted=true) and either a global secret or a per volume secret
- create the secret for that volume in the configured namespace - create the secret for that volume in the configured namespace
- create a pvc that references the created storage class - create a pvc that references the created storage class
- create a pod that uses that pvc for a volume mount - create a pod that uses that pvc for a volume mount
- wait for pod up and healthy - wait for pod up and healthy
#### Missing Secret for encrypted volume creation #### Missing Secret for encrypted volume creation
- create a storage class with (secure=true) and either a global secret or a per volume secret - create a storage class with (encrypted=true) and either a global secret or a per volume secret
- create a pvc that references the created storage class - create a pvc that references the created storage class
- create a pod that uses that pvc for a volume mount - create a pod that uses that pvc for a volume mount
- verify pvc remains in pending state - verify pvc remains in pending state
- verify pod remains in creation state - verify pod remains in creation state
#### Verify encryption of volume #### Verify encryption of volume
- create a storage class with (secure=true) and either a global secret or a per volume secret - create a storage class with (encrypted=true) and either a global secret or a per volume secret
- create the secret for that volume in the configured namespace - create the secret for that volume in the configured namespace
- create a pvc that references the created storage class - create a pvc that references the created storage class
- create a pod that uses that pvc for a volume mount - create a pod that uses that pvc for a volume mount
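Review bot: the "Missing Secret" case only checks that the PVC stays pending and the pod stays in creation; since the text earlier in this document says the sidecars retry secret retrieval periodically, the case should end with a step that creates the secret afterwards and verifies the PVC becomes bound and the pod starts, otherwise the retry path is never exercised. For the "Verify encryption" case it would also help to state that the read of `/dev/longhorn/<volume-name>` is done from the node rather than from inside the pod, since the pod's mount sits on the decrypted dm-crypt mapping and the pattern would be visible there.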
@ -163,7 +163,7 @@ We utilize the below parameters from a secret, `CRYPTO_KEY_PROVIDER` allows us i
- verify absence (grep) of known test pattern after reading block device content `/dev/longhorn/<volume-name>` - verify absence (grep) of known test pattern after reading block device content `/dev/longhorn/<volume-name>`
#### Verify wrong key failure #### Verify wrong key failure
- create a storage class with (secure=true) and either a global secret or a per volume secret - create a storage class with (encrypted=true) and either a global secret or a per volume secret
- create the secret for that volume in the configured namespace - create the secret for that volume in the configured namespace
- create a pvc that references the created storage class - create a pvc that references the created storage class
- create a pod that uses that pvc for a volume mount - create a pod that uses that pvc for a volume mount