Kms cluster encryption #7153
Kms cluster encryption #7153
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
openshift-ci-robot
added
the
approved
a2batic
force-pushed
the
kms-cluster-encryption
branch
from
6de77aa
to
7213815
Compare
a2batic
force-pushed
the
kms-cluster-encryption
branch
from
7213815
to
f064b54
Compare
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
a2batic
force-pushed
the
kms-cluster-encryption
branch
3 times, most recently
from
cb38464
to
6dcb79e
Compare
openshift-ci-robot
added
the
needs-rebase
a2batic
force-pushed
the
kms-cluster-encryption
branch
from
6dcb79e
to
dc1c90a
Compare
openshift-ci-robot
removed
the
needs-rebase
| import { KMSProviders } from '../../constants/ocs-install'; | ||
| import './kms-config.scss'; | ||
| import * as _ from 'lodash'; | ||
| import { advancedKMSModal } from '../modals/advanced-kms-modal/advanced-kms-modal'; | ||
| import { setDispatch, parseURL } from './utils'; | ||
| import { PencilAltIcon } from '@patternfly/react-icons'; | ||
| import { global_palette_blue_300 as blueInfoColor } from '@patternfly/react-tokens/dist/js/global_palette_blue_300'; |
| <p>Connected to external key management service: {kms.name}</p> | ||
| {encryption.advanced && ( | ||
| <p className="ocs-install-wizard__review-encryption"> | ||
| Connect to external key management service: {kms.name} |
There was a problem hiding this comment.
The KMS connection is done after clicking create, this should be better
| Connect to external key management service: {kms.name} | |
| External key management service: {kms.name} |
| requestData.spec.security = { | ||
| kms: { | ||
| connectionDetailsConfigMap: 'ocs-vault-connection-details', | ||
| tokenSecretName: 'ocs-kms-vault-token', |
There was a problem hiding this comment.
I would prefer to make ocs-kms-vault-token a constant, since used at multiple places.
| export const maxFileUploadSize = 4000000; | ||
| export const fileSizeErrorMsg = 'Maximum file size exceeded. File limit is 4MB.'; |
There was a problem hiding this comment.
It would be better to prefix names with kms- to understand what its for ?
| @@ -71,7 +77,7 @@ export const CreateInternalCluster: React.FC<CreateInternalClusterProps> = ({ ma | |||
| name: 'Configure', | |||
| id: CreateStepsSC.CONFIGURE, | |||
| component: <Configure state={state} dispatch={dispatch} mode={mode} />, | |||
| enableNext: state.encryption.hasHandled && hasConfiguredNetwork, | |||
| enableNext: state.encryption.hasHandled && hasConfiguredNetwork && state.kms.hasHandled, | |||
There was a problem hiding this comment.
Please remove any restriction from individual steps, until we push validation based wizard.
| enableNext: state.encryption.hasHandled && hasConfiguredNetwork && state.kms.hasHandled, |
There was a problem hiding this comment.
It was decided to have Next button blocked wrt validations in the wizard.
@cloudbehl @yuvalgalanti
There was a problem hiding this comment.
yes that's what was planned.
There was a problem hiding this comment.
We have navs still clickable, I thnk we should block them as well.
(Possibly in another PR)
| Connect to external key management service: {kms.name} | ||
| </p> | ||
| )} | ||
| <p>Encryption Level: {getEncryptionType(encryption)}</p> |
There was a problem hiding this comment.
| <p>Encryption Level: {getEncryptionType(encryption)}</p> | |
| <p>Encryption Level: {getEncryptionLevel(encryption)}</p> |
| <p className="ocs-install-wizard__review-encryption">Enable Encryption</p> | ||
| {encryption.advanced && kms.hasHandled && ( | ||
| <p className="ocs-install-wizard__review-encryption"> | ||
| Connect to external key management service: {kms.name} |
There was a problem hiding this comment.
| Connect to external key management service: {kms.name} | |
| External key management service: {kms.name} |
There was a problem hiding this comment.
As per UX, its Connected since its connected after Create button click, so changed it to Connect.
| <p className="ocs-install-wizard__review-encryption">Enable Encryption</p> | ||
| {encryption.advanced && kms.hasHandled && ( | ||
| <p>Connected to external key management service: {kms.name}</p> | ||
| {encryption.advanced && ( |
There was a problem hiding this comment.
Why not kms.hasHandled here ?
{encryption.advanced && (
There was a problem hiding this comment.
I have removed at the other place too, it's not required.
|
|
||
| if (!checked) { | ||
| kmsObject = initialState.kms; | ||
| setDispatch(ActionType.SET_KMS_ENCRYPTION, kmsObject, mode, dispatch); |
There was a problem hiding this comment.
I would prefer to call it following, just to avoid confusion with root state dispatcher
| setDispatch(ActionType.SET_KMS_ENCRYPTION, kmsObject, mode, dispatch); | |
| setKms(ActionType.SET_KMS_ENCRYPTION, kmsObject, mode, dispatch); |
| &__form-body { | ||
| padding: var(--pf-global--spacer--md) 0 !important; | ||
| } | ||
| } |
| const setServiceName = (name: string) => { | ||
| setDispatch(ActionType.SET_KMS_ENCRYPTION, { ...kms, name }, mode, dispatch); | ||
| }; |
There was a problem hiding this comment.
| const setServiceName = (name: string) => { | |
| setDispatch(ActionType.SET_KMS_ENCRYPTION, { ...kms, name }, mode, dispatch); | |
| }; | |
| const setServiceName = (name: string) => setDispatch(ActionType.SET_KMS_ENCRYPTION, { ...kms, name }, mode, dispatch); |
| const validateAddressMessage = () => { | ||
| if (kms.address === '') { | ||
| return 'This is a required field'; | ||
| } | ||
| return 'Please enter a URL'; | ||
| }; |
There was a problem hiding this comment.
| const validateAddressMessage = () => { | |
| if (kms.address === '') { | |
| return 'This is a required field'; | |
| } | |
| return 'Please enter a URL'; | |
| }; | |
| const validateAddressMessage = () => (kms.address === '') ? | |
| 'This is a required field' : 'Please enter a URL'; |
| const validatePort = () => { | ||
| return _.isNaN(Number(kms.port)) || kms.port < 0 || !kms.port | ||
| ? ValidatedOptions.error | ||
| : ValidatedOptions.default; | ||
| }; |
There was a problem hiding this comment.
| const validatePort = () => { | |
| return _.isNaN(Number(kms.port)) || kms.port < 0 || !kms.port | |
| ? ValidatedOptions.error | |
| : ValidatedOptions.default; | |
| }; | |
| const validatePort = () => _.isNaN(Number(kms.port)) || kms.port < 0 || !kms.port | |
| ? ValidatedOptions.error | |
| : ValidatedOptions.default; |
| const openAdvancedModal = () => { | ||
| return advancedKMSModal({ |
There was a problem hiding this comment.
| const openAdvancedModal = () => { | |
| return advancedKMSModal({ | |
| const openAdvancedModal = () => advancedKMSModal({ |
| import { SecretModel } from '@console/internal/models'; | ||
| import { SecretKind } from '@console/internal/module/k8s/types'; |
| export const AdvancedKMSModal = withHandlePromise((props: AdvancedKMSModalProps) => { | ||
| const { close, cancel, errorMessage, inProgress, state, dispatch, mode } = props; | ||
| const { kms } = state; | ||
| const [backendPath, setBackendPath] = React.useState(kms.backend || ''); |
There was a problem hiding this comment.
Why do we need another state here that is derived from another state? Can't we use dispatch and update the state over there.
There was a problem hiding this comment.
The advance modal has a Save button, on clicking which the data has to be added in the state, to locally store data, I have added local states.
| }; | ||
|
|
||
| return ( | ||
| <form |
There was a problem hiding this comment.
Then, we need to use PF form Modal as well. Console Modal's CSS breaks in PF4 form.
| @@ -66,7 +66,11 @@ | |||
| padding-left: var(--pf-global--spacer--lg); | |||
|
|
|||
| &__form-body { | |||
| padding: var(--pf-global--spacer--md); | |||
| padding: var(--pf-global--spacer--md) !important; | |||
There was a problem hiding this comment.
Can we have a comment on why we are overriding using important?
a2batic
force-pushed
the
kms-cluster-encryption
branch
3 times, most recently
from
813c34c
to
e36ddc2
Compare
| > | ||
| <FormSelect | ||
| value={kmsProvider} | ||
| onChange={(e) => setKMSProvider(e)} |
There was a problem hiding this comment.
| onChange={(e) => setKMSProvider(e)} | |
| onChange={setKMSProvider} |
| id="kms-provider-name" | ||
| name="kms-provider-name" | ||
| aria-label="kms-provider-name" | ||
| isDisabled |
There was a problem hiding this comment.
we are not setting the isDisabled.
There was a problem hiding this comment.
For 4.7, it will always be disabled.
| className="co-m-pane__form ocs-install-encryption__form-body" | ||
| className="ocs-install-encryption__form-body" | ||
| helperTextInvalid="This is a required field" | ||
| validated={kms.name.valid ? ValidatedOptions.default : ValidatedOptions.error} |
There was a problem hiding this comment.
create a generic function and use it for all fields. Like isValid(name)
| import { InternalClusterAction } from '../ocs-install/internal-mode/reducer'; | ||
| import { KMSConfig, KMSConfigMap } from '../ocs-install/types'; | ||
|
|
||
| export const parseURL = (url: string) => { |
There was a problem hiding this comment.
nit: can be put in a shared folder. Will do in next PR.
a2batic
force-pushed
the
kms-cluster-encryption
branch
from
e36ddc2
to
fef77ec
Compare
|
@bipuladh will address this comment(#7153 (comment)) with the follow up PR: #7330. Please review the rest. |
|
@afreen23 @cloudbehl please review. |
|
/retest |
a2batic
force-pushed
the
kms-cluster-encryption
branch
from
fef77ec
to
36b92b3
Compare
| <FormSelect | ||
| value={kmsProvider} | ||
| onChange={setKMSProvider} | ||
| id="kms-provider-name" |
There was a problem hiding this comment.
id needs to match with FormGroup
| id="kms-provider-name" | |
| id="kms-provider" |
| onChange={setAddress} | ||
| className="ocs-install-kms__form-address--padding" | ||
| type="url" | ||
| id="kms-address" |
There was a problem hiding this comment.
here as well.
| id="kms-address" | |
| id="kms-service-address" |
| <FormGroup | ||
| fieldId="kms-service-address-port" | ||
| label="Port" | ||
| className="ocs-install-kms__form-port ocs-install-encryption__form-body--small-padding" | ||
| helperTextInvalid={validatePortMessage()} | ||
| validated={isValid(kms.port.valid)} | ||
| isRequired | ||
| > | ||
| <TextInput | ||
| value={kms.port.value} | ||
| onChange={setAddressPort} | ||
| type="text" | ||
| id="kms-address-port" | ||
| name="kms-address-port" | ||
| isRequired | ||
| validated={isValid(kms.port.valid)} | ||
| /> | ||
| </FormGroup> | ||
| </div> | ||
| <FormGroup | ||
| fieldId="kms-service-token" | ||
| label="Token" | ||
| className="ocs-install-encryption__form-body" | ||
| helperTextInvalid="This is a required field" | ||
| validated={isValid(kms.token.valid)} | ||
| isRequired | ||
| > | ||
| <TextInput | ||
| value={kms.token.value} | ||
| onChange={setToken} | ||
| type="password" | ||
| id="kms-token" | ||
| name="kms-token" | ||
| isRequired | ||
| validated={isValid(kms.token.valid)} |
| } | ||
| // eslint-disable-next-line react-hooks/exhaustive-deps | ||
| }, [kms.name]); | ||
| const serviceName = (name: string) => { |
There was a problem hiding this comment.
| const serviceName = (name: string) => { | |
| const setServiceName = (name: string) => { |
| if (caCertificate && caCertificate !== '') { | ||
| kmsAdvanced.caCert = caSecret; | ||
| kmsAdvanced.caCertFile = caCertificateFile; | ||
| } else { | ||
| kmsAdvanced.caCert = null; | ||
| kmsAdvanced.caCertFile = ''; | ||
| } | ||
|
|
||
| if (clientCertificate && clientCertificate !== '') { | ||
| kmsAdvanced.clientCert = clientCertSecret; | ||
| kmsAdvanced.clientCertFile = clientCertificateFile; | ||
| } else { | ||
| kmsAdvanced.clientCert = null; | ||
| kmsAdvanced.clientCertFile = ''; | ||
| } | ||
|
|
||
| if (clientKey && clientCertificate !== '') { | ||
| kmsAdvanced.clientKey = clientKeySecret; | ||
| kmsAdvanced.clientKeyFile = clientKeyFile; | ||
| } else { | ||
| kmsAdvanced.clientKey = null; | ||
| kmsAdvanced.clientKeyFile = ''; | ||
| } |
There was a problem hiding this comment.
Does not setting value helps here ?
Because anyways you are setting state. I think you can avoid the guard here
| if (encryption.advanced && kms.hasHandled) { | ||
| promises.push(...kmsResources(kms)); | ||
| } | ||
| await Promise.all(promises).then(() => k8sCreate(OCSServiceModel, storageCluster)); |
There was a problem hiding this comment.
I understand its not the part of PR, but this is a minor :)
| await Promise.all(promises).then(() => k8sCreate(OCSServiceModel, storageCluster)); | |
| await Promise.all(promises).then(() => k8sCreate(StorageClusterModel, storageCluster)); |
There was a problem hiding this comment.
No worries to take in another PR, this needs fix at various places.
| }; | ||
|
|
||
| return ( | ||
| <form |
There was a problem hiding this comment.
Then, we need to use PF form Modal as well. Console Modal's CSS breaks in PF4 form.
| @@ -15,6 +15,8 @@ export const requestedCapacityTooltip = | |||
| 'The backing storage requested will be higher as it will factor in the requested capacity, replica factor, and fault tolerant costs associated with the requested capacity.'; | |||
| export const encryptionTooltip = | |||
| 'The storage cluster encryption level can be set to include all components under the cluster (including storage class and PVs) or to include only storage class encryption. PV encryption can use an auth token that will be used with the KMS configuration to allow multi-tenancy.'; | |||
| export const vaultNamespaceTooltip = | |||
| 'Vault enterprise namespaces are isolated environments that functionally exist as "Vaults within a Vault." They have separate login paths and support creating and managing data isolated to their namespace.'; | |||
There was a problem hiding this comment.
| 'Vault enterprise namespaces are isolated environments that functionally exist as "Vaults within a Vault." They have separate login paths and support creating and managing data isolated to their namespace.'; | |
| 'Vault enterprise namespaces are isolated environments that functionally exist as "Vaults within a Vault". They have separate login paths and support creating and managing data isolated to their namespace.'; |
a2batic
force-pushed
the
kms-cluster-encryption
branch
from
36b92b3
to
36a0469
Compare
| if (kmsEnable) { | ||
| requestData.spec.encryption = { | ||
| ...requestData.spec.encryption, | ||
| kms: { | ||
| enable: true, | ||
| }, | ||
| }; | ||
| } |
There was a problem hiding this comment.
Just for consistency, can you use Object.assign as well similar to arbiter and network?
| @@ -38,6 +39,7 @@ export type InternalClusterAction = | |||
| | { type: ActionType.SET_ENCRYPTION; payload: EncryptionType } | |||
| // KMS action | |||
| | { type: ActionType.SET_KMS_ENCRYPTION; payload: KMSConfig } | |||
| | { type: ActionType.CLEAR_KMS_STATE; payload?: KMSConfig } | |||
There was a problem hiding this comment.
Why payload optional ? Can't we pass empty params to the same action , used to set kms ActionType.SET_KMS_ENCRYPTION ?
| }; | ||
|
|
||
| return ( | ||
| <Form onSubmit={submit} key="pool-form-modal"> |
There was a problem hiding this comment.
nit: pool-form-modal
| <Form onSubmit={submit} key="pool-form-modal"> | |
| <Form onSubmit={submit} key=""> |
| export const kmsMaxFileUploadSize = 4000000; | ||
| export const kmsFileSizeErrorMsg = 'Maximum file size exceeded. File limit is 4MB.'; | ||
| export const KMSConfigMapName = 'ocs-kms-connection-details'; | ||
| export const KMSSecretName = 'ocs-kms-token'; |
There was a problem hiding this comment.
Lets be consistent with names.
| export const kmsMaxFileUploadSize = 4000000; | |
| export const kmsFileSizeErrorMsg = 'Maximum file size exceeded. File limit is 4MB.'; | |
| export const KMSConfigMapName = 'ocs-kms-connection-details'; | |
| export const KMSSecretName = 'ocs-kms-token'; | |
| export const KMSMaxFileUploadSize = 4000000; | |
| export const KMSFileSizeErrorMsg = 'Maximum file size exceeded. File limit is 4MB.'; | |
| export const KMSConfigMapName = 'ocs-kms-connection-details'; | |
| export const KMSSecretName = 'ocs-kms-token'; |
Signed-off-by: Kanika Murarka <kmurarka@redhat.com>
a2batic
force-pushed
the
kms-cluster-encryption
branch
from
36a0469
to
226c6f3
Compare
|
/test e2e-gcp-console |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: a2batic, afreen23 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Merged after: #7062
