How to setup encrypted persistent volumes #13013
Comments
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close
I know this is old but I figured I'd chime in with some information, and a caveat.
Even though

Once a volume is created, you should see the volume info both from using the

For testing, you can see that there is a large list of mounts, on the gluster pod.

For testing, you can create your key in

From here, if the volume has encryption enabled all that is required is to use it. Kubernetes StorageClasses (of which one would exist for

The gluster storage plugin is compatible and should take all the mount options and use them. Other methods also exist, such as setting

If all goes well, everything should work. You should have good logs, and no errors.

NOW the caveat. If you ran a test mount from one or more (or ALL) of the glusterfs pods, and you indeed specified the xlator-crypt key, but also a fake one to one of the pods, you'll see that nothing works. That is, encryption doesn't actually seem to be working at all. I've found that indeed there are warnings in the logs but haven't gotten around to debugging it deeply. It could be that the pods are missing some libraries, or that the crypt-xlator is plain broken (without logging errors). I've looked at the recent mount parser for xlator-crypt, and I know I'm passing in correct keys. As well as the volume being set up correctly (multiple places to confirm this). However, actually getting the mount to be written to with encryption, and trying to verify it, has been a real pita. I cannot actually verify that encryption is being done at all.

With that, you will find this recent issue posted to the gluster repo. It says that the

Would be nice to see RedHat jump on this and work some magic.
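The caveat in the comment above is that encryption could not be verified. One way to check it, as an added example that is not part of the original thread or of the gluster project: write a unique canary through the client mount, then scan the brick's backing directory for that canary in plaintext. The function names and the idea of pointing the scan at a brick directory are assumptions of this example.

```python
import os
import secrets

CHUNK = 1 << 20  # read brick files in 1 MiB blocks


def make_canary() -> bytes:
    """Unique marker to write into a file through the client mount."""
    return b"CANARY-" + secrets.token_hex(16).encode()


def file_contains(path: str, needle: bytes) -> bool:
    """Byte-level scan for needle. The tail of each block is carried
    over so a match that straddles two blocks is not missed."""
    keep = len(needle) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return False
            if needle in tail + block:
                return True
            tail = block[-keep:] if keep else b""


def plaintext_hits(brick_dir: str, needle: bytes) -> list[str]:
    """Return the files under brick_dir where the canary is readable.
    An empty list is consistent with data being encrypted before it
    reaches the brick; any hit means it was stored in plaintext."""
    hits = []
    for root, _dirs, files in os.walk(brick_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                if file_contains(path, needle):
                    hits.append(path)
            except OSError:
                continue  # unreadable or vanished file: skip it
    return sorted(hits)
```

An empty result only shows that the canary is not stored verbatim; it does not prove which cipher or key was used.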
I'm going to reopen this issue, only to see if I can elicit a hands-on test/response from RH. :-)

/reopen

Well at least I wish I could teehee.
@JasonGiedymin: you can't re-open an issue/PR unless you authored it or you are assigned to it. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close
We're trying to use gluster volume encryption with heketi using instructions mentioned in https://github.com/gluster/glusterfs-specs/blob/master/done/GlusterFS%203.5/Disk%20Encryption.md#7-getting-started-with-crypt-translator. We can mount/use a volume from a host that has the volume's encryption.master-key but launching a pod fails, presumably because it can't mount the volume since the pod's file system has the decryption key. Feels like a catch-22. Anyone know how to set up gluster encryption with heketi/openshift?
Version
Steps To Reproduce
Current Result
We can mount/use a volume from a host that has the volume's encryption.master-key but launching a pod fails, presumably because it can't mount the volume since the pod's file system has the decryption key. Feels like a catch-22. Anyone know how to set up gluster encryption with heketi/openshift?
Expected Result
The volume should be decrypted and the pod should launch successfully.