New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ceph: add support for encrypted metadata pvc #5977
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
holding for testing
dce34f7
to
7414463
Compare
pkg/operator/ceph/cluster/osd/osd.go
Outdated
errMsg := fmt.Sprintf("failed to validate storageClassDeviceSet %q. min required ceph version to support encryption is %q", volume.Name, cephVolumeRawEncryptionModeMinCephVersion.String()) | ||
if osdProps.encrypted && | ||
!c.clusterInfo.CephVersion.IsAtLeast(cephVolumeRawEncryptionModeMinNautilusCephVersion) && | ||
!c.clusterInfo.CephVersion.IsAtLeast(cephVolumeRawEncryptionModeMinOctopusCephVersion) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't look like it will allow for any nautilus version. The octopus check will override the nautilus check. How about a helper function to check the version and then unit test it?
|
||
func (c *Cluster) getPVCEncryptionOpenInitContainerActivate(osdProps osdProperties) []v1.Container { | ||
containers := []v1.Container{} | ||
containers = append(containers, c.generateEncryptionOpenBlockContainer(osdProps.resources, blockEncryptionOpenInitContainer, osdProps.pvc.ClaimName)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: initialize the container with all its properties to a local var, then append it to the containers slice. This way, you wouldn't have to reference the slice with containers[0]
or containers[1]
below. It's more readable IMO that way.
eaa13f1
to
d110df0
Compare
This pull request has merge conflicts that must be resolved before it can be merged. @leseb please rebase it. https://rook.io/docs/rook/master/development-flow.html#updating-your-fork |
27ff4d9
to
cffbe7e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just a small suggestion
The c-v encryption is part of 15.2.5 on Octopus. Signed-off-by: Sébastien Han <seb@redhat.com>
c23840b
to
964ffe7
Compare
tests/scripts/localPathPV.sh
Outdated
lsblk | ||
# dump data of the disk to check whether it is an osd or not | ||
sudo dd if="$test_scratch_device" of=data bs=4k count=1 | ||
sudo cat data |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It prints the raw binary data to stdout. It's difficult to read and it would break the terminal's setting when running in the local environment. How about using the binary dump tools like hexdump
or xxd
? In addition, I consider 4K is too long and printing "bluestore" signature and fsid is enough.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, this was mostly for quick debug, this commit is going away :)
964ffe7
to
bdf3d49
Compare
Now the metadata pvc will also be encrypted if the storageClassDeviceSet has the "encrypted" flag turned on. Signed-off-by: Sébastien Han <seb@redhat.com>
Small refactor to use the common function helper callCephVolume() to build ceph-volume arguments. Signed-off-by: Sébastien Han <seb@redhat.com>
If the device is empty let's not use an empty space as an argument for the c-v call. Signed-off-by: Sébastien Han <seb@redhat.com>
So that the operator can print it. Signed-off-by: Sébastien Han <seb@redhat.com>
bdf3d49
to
dd2166b
Compare
@leseb Could you tell me whether dropping the following change is intentional or not? c23840b#diff-d1ca60bbccae22948f1847a6b9747cd5L445-R447 In my local environment, MultiClusterTestSuite fails as before. Here is the log of failed osd prepare pod
Although this PR was merged without CI, I guess the integration test still fail in upstream/master too. |
Hm, my integration test in the local environment also failed even with the following change. c23840b#diff-d1ca60bbccae22948f1847a6b9747cd5L445-R447 The log of OSD prepare pod.
|
I have the fix, PR soon :) |
Similar to rook#5977 but for wal devices. So if a cluster is deployed on PVC and wal devices, those will be encrypted as well. Signed-off-by: Sébastien Han <seb@redhat.com>
@satoru-takeuchi and yes dropping this c23840b#diff-d1ca60bbccae22948f1847a6b9747cd5L445-R447 was intentional as I don't think it was fixing anything, |
Similar to rook#5977 but for wal devices. So if a cluster is deployed on PVC and wal devices, those will be encrypted as well. Signed-off-by: Sébastien Han <seb@redhat.com>
ceph: add support for encrypted metadata pvc (bp #5977)
Description of your changes:
Now the metadata pvc will also be encrypted if the storageClassDeviceSet
has the "encrypted" flag turned on.
Signed-off-by: Sébastien Han seb@redhat.com
Checklist:
make codegen
) has been run to update object specifications, if necessary.// known CI issue
[skip ci]