Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

controllers: Add logic to Create cephfs encrypted storageclass #2605

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

iamniting
Copy link
Member

@iamniting iamniting commented May 13, 2024

Signed-off-by: Nitin Goyal [email protected]

We also need changes in the Ceph and kernel to support this feature. Will add hold until those changes are present in the DS.

Copy link
Contributor

openshift-ci bot commented May 13, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: iamniting

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 13, 2024
@iamniting iamniting force-pushed the cephfs-encryption branch from ccc76e7 to a2985f1 Compare May 13, 2024 05:10
@iamniting iamniting marked this pull request as draft May 13, 2024 05:14
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 13, 2024
@iamniting
Copy link
Member Author

/retest

encryptedStorageClassConfig := newCephFilesystemStorageClassConfiguration(initData)
encryptedStorageClassConfig.storageClass.ObjectMeta.Name = generateNameForEncryptedCephFileSystemSC(initData)
// adding a annotation to support smart cloning across namespace for encrypted volume
encryptedStorageClassConfig.storageClass.ObjectMeta.Annotations["cdi.kubevirt.io/clone-strategy"] = "copy"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should confirm with kubevirt team once if they want to support cephfs volumes for this as well before adding the annotation.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nixpanic Can you pls confirm this if you have an idea?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i dont think we use cephfs for kubevirt. do we have any cephfs storageclass with this annotation in ocs-operator?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No only encrypted rbd is the one where it was added.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed the annotation.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

KubeVirt can use CephFS, but it is not recommended. Users have better performance and more options when using RBD with block-mode, that is the preferred storage backend when using Ceph.

@@ -853,6 +853,12 @@ func validateCustomStorageClassNames(sc *ocsv1.StorageCluster) error {
}
scMap[sc.Spec.Encryption.StorageClassName] = true
}
if sc.Spec.Encryption.CephFs.StorageClass && sc.Spec.Encryption.KeyManagementService.Enable && sc.Spec.Encryption.CephFs.StorageClassName != "" {
if _, ok := scMap[sc.Spec.Encryption.CephFs.StorageClassName]; ok {
duplicateNames = append(duplicateNames, "Encryption")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how about this ?
(and for RBD, append "RBD Encryption"... instead of just using "Encryption" in both cases)

Suggested change
duplicateNames = append(duplicateNames, "Encryption")
duplicateNames = append(duplicateNames, "CephFS Encryption")

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah correct, changed it

StorageClassName string `json:"storageClassName,omitempty"`
// Configure the default CephFS encrypted storage class
// +optional
CephFs DefaultStorageClassSpec `json:"cephfs,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
CephFs DefaultStorageClassSpec `json:"cephfs,omitempty"`
CephFS DefaultStorageClassSpec `json:"cephFS,omitempty"`

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

encryptedStorageClassConfig := newCephFilesystemStorageClassConfiguration(initData)
encryptedStorageClassConfig.storageClass.ObjectMeta.Name = generateNameForEncryptedCephFileSystemSC(initData)
// adding a annotation to support smart cloning across namespace for encrypted volume
encryptedStorageClassConfig.storageClass.ObjectMeta.Annotations["cdi.kubevirt.io/clone-strategy"] = "copy"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i dont think we use cephfs for kubevirt. do we have any cephfs storageclass with this annotation in ocs-operator?

Comment on lines 465 to 468
StorageClassName string `json:"storageClassName,omitempty"`
// Configure the default CephFS encrypted storage class
// +optional
CephFs DefaultStorageClassSpec `json:"cephfs,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@iamniting Did we decide that we are going with this approach?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes we did that.

KeyManagementService KeyManagementServiceSpec `json:"kms,omitempty"`
// KeyRotation defines options for Key Rotation.
// +optional
KeyRotation KeyRotationSpec `json:"keyRotation,omitempty"`
}

type DefaultStorageClassSpec struct {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
type DefaultStorageClassSpec struct {
type StorageClassSpec struct {
}
// or
type CSIStorageClassSpec struct {
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

default doesnt suit as its a shared struct for cephfs/rbd/nfs

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed it to StorageClassSpec

KeyManagementService KeyManagementServiceSpec `json:"kms,omitempty"`
// KeyRotation defines options for Key Rotation.
// +optional
KeyRotation KeyRotationSpec `json:"keyRotation,omitempty"`
}

type DefaultStorageClassSpec struct {
// Enable Default StorageClass
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Enable Default StorageClass
Create StorageClass

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@@ -456,18 +456,33 @@ type EncryptionSpec struct {
Enable bool `json:"enable,omitempty"`
// +optional
ClusterWide bool `json:"clusterWide,omitempty"`
// Configure the default rbd encrypted storage class
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we remove the word default as we are not creating defaults with this one? use RBD

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@iamniting iamniting force-pushed the cephfs-encryption branch 2 times, most recently from f35322b to 1967d06 Compare May 14, 2024 13:53
@iamniting iamniting marked this pull request as ready for review May 14, 2024 13:55
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 14, 2024
@iamniting
Copy link
Member Author

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 14, 2024
// +optional
StorageClass bool `json:"storageClass,omitempty"`
// StorageClassName specifies the name of the storage class created for ceph encrypted block pools
// +kubebuilder:validation:MaxLength=253
// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
StorageClassName string `json:"storageClassName,omitempty"`
StorageClassName string `json:"storageClassName,omitempty"`
// Configure the default CephFS encrypted storage class
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Configure the default CephFS encrypted storage class
// Configure the CephFS encrypted storage class

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

type StorageClassSpec struct {
// Create StorageClass
// +optional
StorageClass bool `json:"storageClass,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this to be pointer to bool or just bool

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

anything can be fine, I kept it as bool to align with the old flag.

KeyManagementService KeyManagementServiceSpec `json:"kms,omitempty"`
// KeyRotation defines options for Key Rotation.
// +optional
KeyRotation KeyRotationSpec `json:"keyRotation,omitempty"`
}

type StorageClassSpec struct {
// Create StorageClass
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Create StorageClass
// Create Storage class

lets be constant with name in all the places storage class

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@iamniting iamniting force-pushed the cephfs-encryption branch from 1967d06 to 1c68588 Compare May 15, 2024 04:13
@iamniting iamniting requested a review from Madhu-1 May 15, 2024 04:20
Copy link
Member

@Madhu-1 Madhu-1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, lets keep it on hold until its fully tested with Rook+cephCSI

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants