-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
core: azure kms support #13852
core: azure kms support #13852
Conversation
This pull request has merge conflicts that must be resolved before it can be merged. @sp98 please rebase it. https://rook.io/docs/rook/latest/Contributing/development-flow/#updating-your-fork |
github.com/kubernetes-incubator/external-storage => github.com/libopenstorage/external-storage v0.20.4-openstorage-rc3 | ||
// github.com/libopenstorage/secrets => github.com/sp98/secrets v0.0.0-20240220060802-e2bb123d06b9 | ||
github.com/libopenstorage/secrets => github.com/sp98/secrets v0.0.0-20240304064404-1ca2f1c12a8b | ||
github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3 | |
github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3 |
any reason for this change? As we have put the portworx
import in exclude section.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We originally had this in the go.mod in Rook
// portworx dependencies are a mess, and we don't use portworx code, so skip it
github.com/portworx/sched-ops v1.20.4-rc1
The reason for this is that the portworx/sched-ops repo is still referring to this incorrect version of kubernetes-incubator/external-storage. This version dependency needs to be fixed in sched-ops.
sched-ops
is only used by Azure KMS. So we excluded it since we were not using Azure.
Now that we are using Azure, we need to use Azure KMS, we need to repo. And solution was the replace it like this, since the issue is still not fixed.
github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3
I need to remove what we have in exclude section. That does not make sense now.
Thanks for pointing this out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for explaining the uses.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for explaining. I marked this it as unresolved to make sure that we keep the conversation more easily visible in case we have to reference it in the future. I don't see a way to mark it as resolved but still see the convo.
pkg/daemon/ceph/osd/kms/kms.go
Outdated
if c.IsAzure() { | ||
v, err := InitAzure(c.ClusterInfo.Context, c.context, c.ClusterInfo.Namespace, c.clusterSpec.Security.KeyManagementService.ConnectionDetails) | ||
if err != nil { | ||
return errors.Wrap(err, "failed to init azure key vault") | ||
} | ||
err = put(v, GenerateOSDEncryptionSecretName(secretName), secretValue, map[string]string{}) | ||
if err != nil { | ||
return errors.Wrap(err, "failed to put secret in azure key vault") | ||
} | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see 3 instances of this same code block. What is the reason for that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They are for put
, get
and delete
operations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it. Thanks for explaining.
In general, I see this as a code smell. Methods like put/get shouldn't be doing KMS type checking. I think this is highlighting that our KMS support was hastily implemented and has been clunkily extended over time. I don't think this needs to be resolved in this PR, but it would be good to consider cleaning up the KMS code afterwards.
The better implementation would be to use a Golang interface that defines all the KMS methods, and then have each KMS implement all the methods. That would allow us to implement new KMSes more easily, it would make unit testing easier, and it would allow us to do functional e2e testing of KMSes without having to do a full install of Rook.
0677351
to
bd8d741
Compare
cfa0af7
to
2fedef3
Compare
2999a5f
to
80d6d98
Compare
75bb98d
to
d99fa19
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
some small suggestions
if err != nil && err != secrets.ErrInvalidSecretId && err != secrets.ErrSecretNotFound { | ||
return errors.Wrapf(err, "failed to get secret %q in kms", secretName) | ||
} | ||
if key != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are updates supported? Or should we return an error if the value doesn't match? If the value changes it looks like the method succeeds, but ignores the new value. The caller will believe the latest value was set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I really don't think its supported.
This is an existing function used by hashcorp vault as well. The key is created for each PVC and then stored in the KMS.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we don't need to worry about an update, since we don't expect it to change. How about logging an error if it doesn't match, but don't fail the reconcile?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
update to code the add error message and return if the new secret value is not same when compared to existing secret value in the KMS. .
076c834
to
6d7c549
Compare
This pull request has merge conflicts that must be resolved before it can be merged. @sp98 please rebase it. https://rook.io/docs/rook/latest/Contributing/development-flow/#updating-your-fork |
3137314
to
0049f48
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a note about this feature in the PendingReleaseNotes.md. Hopefully we can get traction on the dependent PR soon, but otherwise this looks good.
This pull request has merge conflicts that must be resolved before it can be merged. @sp98 please rebase it. https://rook.io/docs/rook/latest/Contributing/development-flow/#updating-your-fork |
@sp98 A fork of the libopenstorage/secrets is created now. How about opening your PR against that repo and we can move this forward for the short term? Hopefully this is only temporary. |
cherrypicked my PR in the fork - rook/secrets#1 |
Add support for store OSD encryption Keys in Azure KMS Signed-off-by: sp98 <sapillai@redhat.com>
Updated the go.mod to use the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit
github.com/googleapis/gnostic => github.com/googleapis/gnostic v0.4.1 | ||
github.com/kubernetes-incubator/external-storage => github.com/libopenstorage/external-storage v0.20.4-openstorage-rc3 | ||
|
||
// TODO: remove this replace once https://github.com/libopenstorage/secrets/pull/83 is merged |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
replace once libopenstorage/secrets#83 is merged
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
The build was failing locally for me with a go module checksum mismatch error: ```console verifying github.com/portworx/sched-ops@v0.20.4-openstorage-rc3: checksum mismatch downloaded: h1:46EZ+vYCJ3qmQolvgDCrGuPz8Tf0vIds41RuF0dqVEw= go.sum: h1:tXnHsjZT2wZ2BCXf8avDoya7zGyCgLNUC8Upt+WEQrY= `` The last change to go.sum related to this module was from PR rook#13852 This change to go.sum fixes the issue for me. It is the result of the following commands: ````console rm go.sum go mod tidy `` Signed-off-by: Michael Adam <obnox@samba.org>
The build was failing locally for me with a go module checksum mismatch error: ```console verifying github.com/portworx/sched-ops@v0.20.4-openstorage-rc3: checksum mismatch downloaded: h1:46EZ+vYCJ3qmQolvgDCrGuPz8Tf0vIds41RuF0dqVEw= go.sum: h1:tXnHsjZT2wZ2BCXf8avDoya7zGyCgLNUC8Upt+WEQrY= `` The last change to go.sum related to this module was from PR rook#13852 This change to go.sum fixes the issue for me. Fixes: rook#14282 It is the result of the following commands: ````console rm go.sum go mod tidy `` Signed-off-by: Michael Adam <obnox@samba.org>
Add support for store OSD encryption Keys in Azure KMS
Checklist: