change secret name to align with storage class name
Signed-off-by: Khushboo <fnu.khushboo@suse.com>
This commit is contained in:
Khushboo
David Ko
parent
5cdd5ddebd
commit
98e1e17c3b
@ -34,7 +34,7 @@ therefore the only user story that is mentioned is
|
||||
how to create and use an encrypted volume.
|
||||
|
||||
#### Create and use an encrypted volume
|
||||
- create a storage class with (secure=true) and either a global secret or a per volume secret
|
||||
- create a storage class with (encrypted=true) and either a global secret or a per volume secret
|
||||
- create the secret for that volume in the configured namespace
|
||||
- create a pvc that references the created storage class
|
||||
- volume will be created then encrypted during first use
|
||||
@ -43,7 +43,7 @@ how to create and use an encrypted volume.
|
||||
### User Experience In Detail
|
||||
|
||||
Creation and usage of an encrypted volume requires 2 things:
|
||||
- the storage class needs to specify `secure: "true"` as part of its parameters.
|
||||
- the storage class needs to specify `encrypted: "true"` as part of its parameters.
|
||||
- secrets need to be created and reference for the csi operations need to be setup.
|
||||
- see below examples for different types of secret usage.
|
||||
|
||||
@ -53,28 +53,28 @@ And the side cars will retry secret retrieval periodically, once it's available
|
||||
`Controller::CreateVolume` and pass the secret after which longhorn will create a volume.
|
||||
|
||||
#### Create storage class that utilizes a global secret (all volumes use the same key)
|
||||
The below storage class uses a global secret named `longhorn-secure` in the `longhorn-system` namespace.
|
||||
The below storage class uses a global secret named `longhorn-crypto` in the `longhorn-system` namespace.
|
||||
```yaml
|
||||
kind: StorageClass
|
||||
apiVersion: storage.k8s.io/v1
|
||||
metadata:
|
||||
name: longhorn-secure-global
|
||||
name: longhorn-crypto-global
|
||||
provisioner: driver.longhorn.io
|
||||
allowVolumeExpansion: true
|
||||
parameters:
|
||||
numberOfReplicas: "3"
|
||||
staleReplicaTimeout: "2880" # 48 hours in minutes
|
||||
fromBackup: ""
|
||||
secure: "true"
|
||||
csi.storage.k8s.io/provisioner-secret-name: "longhorn-secure"
|
||||
encrypted: "true"
|
||||
csi.storage.k8s.io/provisioner-secret-name: "longhorn-crypto"
|
||||
csi.storage.k8s.io/provisioner-secret-namespace: "longhorn-system"
|
||||
csi.storage.k8s.io/node-publish-secret-name: "longhorn-secure"
|
||||
csi.storage.k8s.io/node-publish-secret-name: "longhorn-crypto"
|
||||
csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
|
||||
csi.storage.k8s.io/node-stage-secret-name: "longhorn-secure"
|
||||
csi.storage.k8s.io/node-stage-secret-name: "longhorn-crypto"
|
||||
csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"
|
||||
```
|
||||
|
||||
The global secret reference by the `longhorn-secure-global` storage class.
|
||||
The global secret reference by the `longhorn-crypto-global` storage class.
|
||||
This type of setup means that all volumes share the same encryption key.
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
@ -83,7 +83,7 @@ metadata:
|
||||
name: longhorn-crypto
|
||||
namespace: longhorn-system
|
||||
stringData:
|
||||
CRYPTO_KEY_VALUE: "Simple secure passphrase"
|
||||
CRYPTO_KEY_VALUE: "Simple passphrase"
|
||||
CRYPTO_KEY_PROVIDER: "secret" # this is optional we currently only support direct keys via secrets
|
||||
```
|
||||
|
||||
@ -94,14 +94,14 @@ These templates will be resolved by the external sidecars and the resolved value
|
||||
kind: StorageClass
|
||||
apiVersion: storage.k8s.io/v1
|
||||
metadata:
|
||||
name: longhorn-secure-per-volume
|
||||
name: longhorn-crypto-per-volume
|
||||
provisioner: driver.longhorn.io
|
||||
allowVolumeExpansion: true
|
||||
parameters:
|
||||
numberOfReplicas: "3"
|
||||
staleReplicaTimeout: "2880" # 48 hours in minutes
|
||||
fromBackup: ""
|
||||
secure: "true"
|
||||
encrypted: "true"
|
||||
csi.storage.k8s.io/provisioner-secret-name: ${pvc.name}
|
||||
csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
|
||||
csi.storage.k8s.io/node-publish-secret-name: ${pvc.name}
|
||||
@ -112,9 +112,9 @@ parameters:
|
||||
|
||||
|
||||
### API changes
|
||||
add a `Secure` boolean to the `Volume` struct utilized by the http client,
|
||||
this ends up being stored in `Volume.Spec.Secure` of the volume cr.
|
||||
Storing the `Secure` value is necessary to support encryption for RWX volumes.
|
||||
add a `Encrypted` boolean to the `Volume` struct utilized by the http client,
|
||||
this ends up being stored in `Volume.Spec.encrypted` of the volume cr.
|
||||
Storing the `Encrypted` value is necessary to support encryption for RWX volumes.
|
||||
|
||||
## Design
|
||||
|
||||
@ -122,7 +122,7 @@ Storing the `Secure` value is necessary to support encryption for RWX volumes.
|
||||
Host requires `dm_crypt` kernel module as well as `cryptsetup` installed.
|
||||
We utilize the below parameters from a secret, `CRYPTO_KEY_PROVIDER` allows us in the future to add other key management systems.
|
||||
```yaml
|
||||
CRYPTO_KEY_VALUE: "Simple secure passphrase"
|
||||
CRYPTO_KEY_VALUE: "Simple passphrase"
|
||||
CRYPTO_KEY_PROVIDER: "secret" # this is optional we currently only support direct keys via secrets
|
||||
```
|
||||
|
||||
@ -140,21 +140,21 @@ We utilize the below parameters from a secret, `CRYPTO_KEY_PROVIDER` allows us i
|
||||
### Test plan
|
||||
|
||||
#### Successful Creation of an encrypted volume
|
||||
- create a storage class with (secure=true) and either a global secret or a per volume secret
|
||||
- create a storage class with (encrypted=true) and either a global secret or a per volume secret
|
||||
- create the secret for that volume in the configured namespace
|
||||
- create a pvc that references the created storage class
|
||||
- create a pod that uses that pvc for a volume mount
|
||||
- wait for pod up and healthy
|
||||
|
||||
#### Missing Secret for encrypted volume creation
|
||||
- create a storage class with (secure=true) and either a global secret or a per volume secret
|
||||
- create a storage class with (encrypted=true) and either a global secret or a per volume secret
|
||||
- create a pvc that references the created storage class
|
||||
- create a pod that uses that pvc for a volume mount
|
||||
- verify pvc remains in pending state
|
||||
- verify pod remains in creation state
|
||||
|
||||
#### Verify encryption of volume
|
||||
- create a storage class with (secure=true) and either a global secret or a per volume secret
|
||||
- create a storage class with (encrypted=true) and either a global secret or a per volume secret
|
||||
- create the secret for that volume in the configured namespace
|
||||
- create a pvc that references the created storage class
|
||||
- create a pod that uses that pvc for a volume mount
|
||||
@ -163,7 +163,7 @@ We utilize the below parameters from a secret, `CRYPTO_KEY_PROVIDER` allows us i
|
||||
- verify absence (grep) of known test pattern after reading block device content `/dev/longhorn/<volume-name>`
|
||||
|
||||
#### Verify wrong key failure
|
||||
- create a storage class with (secure=true) and either a global secret or a per volume secret
|
||||
- create a storage class with (encrypted=true) and either a global secret or a per volume secret
|
||||
- create the secret for that volume in the configured namespace
|
||||
- create a pvc that references the created storage class
|
||||
- create a pod that uses that pvc for a volume mount
|
||||
|
||||
Loading…
Reference in New Issue
Block a user