Allow specifying custom Ceph user and secret name for mounting #2216
Conversation
One thing to add here: this change does not only affect filesystem mounting but also block storage; to put it differently, I thought, why stop at the filesystem? There seems to be one more quirk I have to fix in the code to get the tests green. I will look on Monday, but in general this is ready for review.
How much simpler would this be if it were only supported for CephFS? If there isn't a request for block storage to support this, it seems like we should keep it simple. The doc example also only discusses how to use it for the filesystem, right?
Since mounting CephFS requires using flex directly instead of a storage class, this would simplify a number of places (a sketch of such a flexvolume entry follows the list):
- The username and secret would be set here
- If they are not set, the admin account would be used, which is the behavior today and would remain the default
- No need for an env var in the operator.yaml that controls the policy
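For illustration, a minimal sketch of what such a direct flexvolume entry in a Pod spec might look like. The driver name and the fsName/clusterNamespace option keys are assumed from Rook's filesystem docs of this era; mountUser and mountSecret are the new options proposed in this PR, and user1 / ceph-user1-secret are hypothetical names:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: cephfs-test-pod
spec:
  containers:
  - name: app
    image: busybox
    command: ["sleep", "3600"]
    volumeMounts:
    - name: cephfs
      mountPath: /data
  volumes:
  - name: cephfs
    flexVolume:
      driver: ceph.rook.io/rook       # driver name assumed from Rook docs of this era
      fsType: ceph
      options:
        fsName: myfs                  # hypothetical filesystem name
        clusterNamespace: rook-ceph
        mountUser: user1              # new option from this PR; hypothetical Ceph user
        mountSecret: ceph-user1-secret  # new option; hypothetical Secret holding user1's key
```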
@@ -155,14 +174,30 @@ func (vm *VolumeManager) Detach(image, pool, clusterNamespace string, force bool
	return nil
}

	if id == "" && key == "" {
		return fmt.Errorf("no id nor keyring given, can't unmount without credentials")
unmapping requires the keyring?
I need to verify, though the unmap command has the keyring flag set on it, so I just added it to make sure the credentials are set as in the map command.
Per discussion in huddle, if nobody needs the feature for block, let's keep it simple and only support it for cephfs.
# (Optional) Specify an existing Ceph user that will be used for mounting storage with this StorageClass.
#mountUser: user1
# (Optional) Specify an existing Kubernetes Secret name containing just one key holding the Ceph user secret.
# The secret must exist in each namespace where the storage will be consumed!
should there also be a secret namespace?
@bassam No, the namespace of the Pod mounting the storage will be used to look up the secret. This is in "conformance" with some existing in-tree plugins, which look up the secret in the namespace of the pod using the storage.
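A hedged sketch of such a secret, assuming an Opaque type and an arbitrary single key name (all names here are illustrative). Per the comment above, it must live in the same namespace as the Pod that mounts the storage:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ceph-user1-secret
  namespace: app-ns          # same namespace as the consuming Pod
type: Opaque                 # type assumed; the feature only requires a single data entry
data:
  # exactly one key; the value is the base64-encoded Ceph key of the mount user
  userKey: QVFEbXAvVmJBQUFBQUJBQQ==   # placeholder, not a real key
```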
All storage classes that have a secret also specify the namespace. Why is this different? https://kubernetes.io/docs/concepts/storage/storage-classes/#ceph-rbd
That seems to be new for the user-provided mount secret: https://v1-11.docs.kubernetes.io/docs/concepts/storage/storage-classes/#ceph-rbd
Sure, I'll add that too, though I would default it to the pod namespace.
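Putting the pieces together, a sketch of a StorageClass carrying all three options. The provisioner name and pool parameters are assumed from Rook examples of this era, and mountSecretNamespace reflects the default just discussed:

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rook-ceph-block-user1
provisioner: ceph.rook.io/block   # provisioner name assumed from Rook examples
parameters:
  blockPool: replicapool          # hypothetical pool name
  clusterNamespace: rook-ceph
  fstype: xfs
  mountUser: user1                # hypothetical Ceph user
  mountSecret: ceph-user1-secret  # hypothetical Secret name
  mountSecretNamespace: app-ns    # optional; defaults to the consuming Pod's namespace
```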
@bassam I just realized a security problem with the […]
I would be for removing the […]
@galexrt what would it take to update a filesystem integration test to generate and mount with the user creds? It seems like it wouldn't be too big a work item.
Came here to whine about authentication...
@galexrt looking at the integration tests, here are a few suggestions. It's not clear yet what the underlying issue is for deleting the mds pod. I am not able to repro the issue locally, similar to your findings. Only jenkins seems to hit the issue when deleting the mds pods. It doesn't seem to be inter-related between the integration tests, because each test uses labels to only look for mds pods that it created. To troubleshoot further, I would suggest printing the output of […]
Perhaps on an unrelated note, the operator log shows we are calling an obsolete command to deactivate the mds.
Any chance we will have mount security for basic multi-tenancy soon?
@travisn I just had three green; restarted CI: https://jenkins.rook.io/blue/organizations/jenkins/rook%2Frook/detail/PR-2216/60/pipeline/ If it fails another time on 1.8 and 1.9, I'll take a closer look at why it failed.
Oh well, now I have 4 of 5 green. aws 1.9 failed with […]
@@ -154,7 +154,7 @@ def RunIntegrationTest(k, v) {
    export PATH="/tmp/rook-tests-scripts-helm/linux-amd64:$PATH" \
      KUBECONFIG=$HOME/admin.conf
    kubectl config view
-   _output/tests/linux_amd64/integration -test.v -test.timeout 2400s --host_type '''+"${k}"+''' --helm /tmp/rook-tests-scripts-helm/linux-amd64/helm 2>&1 | tee _output/tests/integrationTests.log'''
+   _output/tests/linux_amd64/integration -test.v -test.timeout 7200s --host_type '''+"${k}"+''' --helm /tmp/rook-tests-scripts-helm/linux-amd64/helm 2>&1 | tee _output/tests/integrationTests.log'''
A timeout of 2h seems too long. How about 60 minutes for now?
I think I had problems with a timeout of "just" 60 minutes in the CI. As written below, I just "cranked" it up.
The typical time for the integration tests is currently 35 minutes. If a run goes over 60 minutes, it seems like jenkins should kill it, because the tests are surely failing. The longer we wait, the longer the jenkins backlog has the potential to get. Hopefully we can fix the resource issue with jenkins soon...
-	@CGO_ENABLED=0 $(GOHOST) test -v -i $(GO_STATIC_FLAGS) $(GO_INTEGRATION_TEST_PACKAGES)
-	@CGO_ENABLED=0 $(GOHOST) test -v $(GO_TEST_FLAGS) $(GO_STATIC_FLAGS) $(GO_INTEGRATION_TEST_PACKAGES) $(TEST_FILTER_PARAM) 2>&1 | tee $(GO_TEST_OUTPUT)/integration-tests.log
+	CGO_ENABLED=0 $(GOHOST) test -v -i $(GO_STATIC_FLAGS) $(GO_INTEGRATION_TEST_PACKAGES)
+	CGO_ENABLED=0 $(GOHOST) test -v -timeout 7200s $(GO_TEST_FLAGS) $(GO_STATIC_FLAGS) $(GO_INTEGRATION_TEST_PACKAGES) $(TEST_FILTER_PARAM) 2>&1 | tee $(GO_TEST_OUTPUT)/integration-tests.log
Why do we need this timeout? If someone is running the integration tests locally, they could just cancel them.
@travisn Well.. during local testing when I ran the tests I got test timeouts, so I just "cranked" it up.
Introduce mount security mode for basic multi tenancy

Fixes rook#2164. This adds three new parameters/options to the StorageClass/flexvolume entry:
* `mountUser`
* `mountSecret`
* `mountSecretNamespace`

Signed-off-by: Alexander Trost <galexrt@googlemail.com>
@travisn please merge the PR when the CI is green, as I'm heading to bed now and want to get the PR finally merged.
Crossed all the fingers I have
@travisn it's green! Finally.
So, if the node reboots, will the security mode env be lost?
@planeo1105 No. You are probably running a […]. Please create a new issue with your problem next time.
Description of your changes:
Introduce mount security mode for basic multi tenancy
This adds three new parameters/options to the StorageClass/flexvolume entry:
- mountUser
- mountSecret
- mountSecretNamespace
Will test in a minute or two, but I'm currently "rebuilding" my vendor directory, which takes quite a lot of time.
Which issue is resolved by this Pull Request:
Resolves #2164.
Checklist:
- Code generation (make codegen) has been run to update object specifications, if necessary.

/cc @dimm0 Took me a bit longer than I said in the community meeting, but here it is.