core: azure kms support #13852
core: azure kms support #13852
Conversation
|
This pull request has merge conflicts that must be resolved before it can be merged. @sp98 please rebase it. https://rook.io/docs/rook/latest/Contributing/development-flow/#updating-your-fork |
| github.com/kubernetes-incubator/external-storage => github.com/libopenstorage/external-storage v0.20.4-openstorage-rc3 | ||
| // github.com/libopenstorage/secrets => github.com/sp98/secrets v0.0.0-20240220060802-e2bb123d06b9 | ||
| github.com/libopenstorage/secrets => github.com/sp98/secrets v0.0.0-20240304064404-1ca2f1c12a8b | ||
| github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3 |
There was a problem hiding this comment.
| github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3 | |
| github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3 |
any reason for this change? As we have put the portworx import in exclude section.
There was a problem hiding this comment.
We originally had this in the go.mod in Rook
// portworx dependencies are a mess, and we don't use portworx code, so skip it
github.com/portworx/sched-ops v1.20.4-rc1
The reason for this is that the portworx/sched-ops repo is still referring to this incorrect version of kubernetes-incubator/external-storage. This version dependency needs to be fixed in sched-ops.
sched-ops is only used by Azure KMS. So we excluded it since we were not using Azure.
Now that we are using Azure, we need to use Azure KMS, we need to repo. And solution was the replace it like this, since the issue is still not fixed.
github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3
I need to remove what we have in exclude section. That does not make sense now.
Thanks for pointing this out.
There was a problem hiding this comment.
thanks for explaining the uses.
There was a problem hiding this comment.
Thanks for explaining. I marked this it as unresolved to make sure that we keep the conversation more easily visible in case we have to reference it in the future. I don't see a way to mark it as resolved but still see the convo.
pkg/daemon/ceph/osd/kms/kms.go
Outdated
| if c.IsAzure() { | ||
| v, err := InitAzure(c.ClusterInfo.Context, c.context, c.ClusterInfo.Namespace, c.clusterSpec.Security.KeyManagementService.ConnectionDetails) | ||
| if err != nil { | ||
| return errors.Wrap(err, "failed to init azure key vault") | ||
| } | ||
| err = put(v, GenerateOSDEncryptionSecretName(secretName), secretValue, map[string]string{}) | ||
| if err != nil { | ||
| return errors.Wrap(err, "failed to put secret in azure key vault") | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
I see 3 instances of this same code block. What is the reason for that?
There was a problem hiding this comment.
They are for put, get and delete operations.
There was a problem hiding this comment.
Got it. Thanks for explaining.
In general, I see this as a code smell. Methods like put/get shouldn't be doing KMS type checking. I think this is highlighting that our KMS support was hastily implemented and has been clunkily extended over time. I don't think this needs to be resolved in this PR, but it would be good to consider cleaning up the KMS code afterwards.
The better implementation would be to use a Golang interface that defines all the KMS methods, and then have each KMS implement all the methods. That would allow us to implement new KMSes more easily, it would make unit testing easier, and it would allow us to do functional e2e testing of KMSes without having to do a full install of Rook.
sp98
force-pushed
the
support-azure-kms
branch
2 times, most recently
from
0677351
to
bd8d741
Compare
sp98
force-pushed
the
support-azure-kms
branch
2 times, most recently
from
cfa0af7
to
2fedef3
Compare
sp98
force-pushed
the
support-azure-kms
branch
4 times, most recently
from
2999a5f
to
80d6d98
Compare
sp98
force-pushed
the
support-azure-kms
branch
4 times, most recently
from
75bb98d
to
d99fa19
Compare
| if err != nil && err != secrets.ErrInvalidSecretId && err != secrets.ErrSecretNotFound { | ||
| return errors.Wrapf(err, "failed to get secret %q in kms", secretName) | ||
| } | ||
| if key != "" { |
There was a problem hiding this comment.
Are updates supported? Or should we return an error if the value doesn't match? If the value changes it looks like the method succeeds, but ignores the new value. The caller will believe the latest value was set.
There was a problem hiding this comment.
I really don't think its supported.
This is an existing function used by hashcorp vault as well. The key is created for each PVC and then stored in the KMS.
There was a problem hiding this comment.
Maybe we don't need to worry about an update, since we don't expect it to change. How about logging an error if it doesn't match, but don't fail the reconcile?
There was a problem hiding this comment.
update to code the add error message and return if the new secret value is not same when compared to existing secret value in the KMS. .
sp98
force-pushed
the
support-azure-kms
branch
2 times, most recently
from
076c834
to
6d7c549
Compare
|
This pull request has merge conflicts that must be resolved before it can be merged. @sp98 please rebase it. https://rook.io/docs/rook/latest/Contributing/development-flow/#updating-your-fork |
sp98
force-pushed
the
support-azure-kms
branch
4 times, most recently
from
3137314
to
0049f48
Compare
|
This pull request has merge conflicts that must be resolved before it can be merged. @sp98 please rebase it. https://rook.io/docs/rook/latest/Contributing/development-flow/#updating-your-fork |
|
@sp98 A fork of the libopenstorage/secrets is created now. How about opening your PR against that repo and we can move this forward for the short term? Hopefully this is only temporary. |
cherrypicked my PR in the fork - rook/secrets#1 |
Add support for store OSD encryption Keys in Azure KMS Signed-off-by: sp98 <sapillai@redhat.com>
Updated the go.mod to use the |
| github.com/googleapis/gnostic => github.com/googleapis/gnostic v0.4.1 | ||
| github.com/kubernetes-incubator/external-storage => github.com/libopenstorage/external-storage v0.20.4-openstorage-rc3 | ||
|
|
||
| // TODO: remove this replace once https://github.com/libopenstorage/secrets/pull/83 is merged |
There was a problem hiding this comment.
replace once libopenstorage/secrets#83 is merged
sp98
requested review from
BlaineEXE and
iPraveenParihar
and removed request for
BlaineEXE and
iPraveenParihar
The build was failing locally for me with a go module checksum mismatch error: ```console verifying github.com/portworx/sched-ops@v0.20.4-openstorage-rc3: checksum mismatch downloaded: h1:46EZ+vYCJ3qmQolvgDCrGuPz8Tf0vIds41RuF0dqVEw= go.sum: h1:tXnHsjZT2wZ2BCXf8avDoya7zGyCgLNUC8Upt+WEQrY= `` The last change to go.sum related to this module was from PR rook#13852 This change to go.sum fixes the issue for me. It is the result of the following commands: ````console rm go.sum go mod tidy `` Signed-off-by: Michael Adam <obnox@samba.org>
The build was failing locally for me with a go module checksum mismatch error: ```console verifying github.com/portworx/sched-ops@v0.20.4-openstorage-rc3: checksum mismatch downloaded: h1:46EZ+vYCJ3qmQolvgDCrGuPz8Tf0vIds41RuF0dqVEw= go.sum: h1:tXnHsjZT2wZ2BCXf8avDoya7zGyCgLNUC8Upt+WEQrY= `` The last change to go.sum related to this module was from PR rook#13852 This change to go.sum fixes the issue for me. Fixes: rook#14282 It is the result of the following commands: ````console rm go.sum go mod tidy `` Signed-off-by: Michael Adam <obnox@samba.org>
Add support for store OSD encryption Keys in Azure KMS
Checklist: