ceph: auto detect vault k/v version #8265

Merged
merged 1 commit into from Jul 29, 2021


leseb
Member

@leseb leseb commented Jul 5, 2021

Rook will now auto detect the kv version of the vault server. This
allows users to avoid passing the VAULT_BACKEND configuration in the
CephCluster CR.

Signed-off-by: Sébastien Han <seb@redhat.com>

Description of your changes:

Which issue is resolved by this Pull Request:
Resolves #

Checklist:

  • Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide.
  • Skip Tests for Docs: Add the flag for skipping the build if this is only a documentation change. See here for the flag.
  • Skip Unrelated Tests: Add a flag to run tests for a specific storage provider. See test options.
  • Reviewed the developer guide on Submitting a Pull Request
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.
  • Pending release notes updated with breaking and/or notable changes, if necessary.
  • Upgrade from previous release is tested and upgrade user guide is updated, if necessary.
  • Code generation (make codegen) has been run to update object specifications, if necessary.
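
One way the detection described in this PR can work, as an added example that is not code from the PR or from Rook: Vault's `GET /v1/sys/mounts` reply lists each mount with its engine type and options, and a KV mount whose `options.version` is `"2"` is KV v2. The function name, the accepted explicit values `v1`/`v2`, the rejection of any other explicit value, and the sample reply are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// BackendVersion picks "v1" or "v2" for the KV mount at path from a GET /v1/sys/mounts body.
func BackendVersion(explicit, path string, reply []byte) (string, error) {
	if explicit == "v1" || explicit == "v2" { // explicit setting (modelled on VAULT_BACKEND) wins
		return explicit, nil
	} else if explicit != "" {
		return "", fmt.Errorf("unsupported backend %q", explicit)
	}
	var m struct {
		Data map[string]struct {
			Type    string
			Options map[string]string
		} `json:"data"`
	}
	if err := json.Unmarshal(reply, &m); err != nil {
		return "", fmt.Errorf("decoding mount list: %w", err)
	}
	// Vault keys mounts with a trailing slash ("secret/"), so normalise the input.
	mount, ok := m.Data[strings.Trim(path, "/")+"/"]
	if !ok {
		return "", fmt.Errorf("no mount at %q", path)
	}
	if mount.Type != "kv" {
		return "", fmt.Errorf("mount %q is a %q engine, not kv", path, mount.Type)
	}
	if mount.Options["version"] == "2" {
		return "v2", nil
	}
	return "v1", nil // options absent or version "1"
}

// sampleReply is a constructed, trimmed-down sys/mounts response body.
const sampleReply = `{"data":{
  "secret/": {"type":"kv","options":{"version":"2"}},
  "rook/":   {"type":"kv","options":null},
  "keys/":   {"type":"transit","options":null}}}`

func main() {
	for _, p := range []string{"secret", "/rook/", "keys"} {
		v, err := BackendVersion("", p, []byte(sampleReply))
		fmt.Printf("%-8s version=%q err=%v\n", p, v, err)
	}
}
```

A mount that turns out to be a non-KV engine is reported as an error here rather than silently treated as v1, so a wrong backend path surfaces before any secret is read or written.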

@mergify mergify bot added the ceph main ceph tag label Jul 5, 2021
@leseb leseb force-pushed the auto-detect-vault-kv-version branch from 6bc05b8 to d30cedf Compare July 8, 2021 09:15
@leseb leseb marked this pull request as ready for review July 8, 2021 09:15
@leseb leseb force-pushed the auto-detect-vault-kv-version branch from d30cedf to 9e2a4a3 Compare July 8, 2021 10:19
backendPath = vault.DefaultBackendPath
}

backend := GetParam(secretConfig, vault.VaultBackendKey)
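
Review bot: at `backend := GetParam(secretConfig, vault.VaultBackendKey)` the explicit setting is still read alongside the new detection, and nothing in the lines shown says which one wins. A short comment here stating that precedence, and what happens when the value is set but is not a recognised version, would answer the question before it is asked.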
Contributor

@thotz thotz Jul 9, 2021

Why do we need to still support this if there is auto-detection? This won't have a backward compatibility issue right?

Member Author

Whoever passes a parameter expects it to be interpreted even if it happens to be incorrect. This could be useful for checking errors too.

@leseb leseb force-pushed the auto-detect-vault-kv-version branch 8 times, most recently from 90863ca to dbcdb26 Compare July 13, 2021 11:59
@leseb leseb requested a review from thotz July 13, 2021 12:18
@leseb leseb force-pushed the auto-detect-vault-kv-version branch from dbcdb26 to 8198084 Compare July 13, 2021 12:18
@leseb leseb requested a review from travisn July 13, 2021 12:18
Member

@travisn travisn left a comment

just a couple nits

pkg/daemon/ceph/osd/kms/vault_api.go (outdated, resolved)
pkg/daemon/ceph/osd/kms/vault_api.go (outdated, resolved)
@leseb leseb force-pushed the auto-detect-vault-kv-version branch 4 times, most recently from 4357d51 to d4444f2 Compare July 20, 2021 13:13
@leseb leseb force-pushed the auto-detect-vault-kv-version branch from d4444f2 to e08e7d1 Compare July 27, 2021 15:07
@leseb leseb requested review from thotz and travisn July 27, 2021 15:07
}

switch GetParam(securitySpec.KeyManagementService.ConnectionDetails, Provider) {
case "vault":
Member

Should it be an error case if the provider is not vault?

return errors.Errorf("failed to read k8s kms secret %q key %q (not found or empty)", KMSTokenSecretNameKey, securitySpec.KeyManagementService.TokenSecretName)
secretEngine := securitySpec.KeyManagementService.ConnectionDetails[VaultSecretEngineKey]
switch secretEngine {
case VaultKVSecretEngineKey:
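
Review bot: in the `errors.Errorf` call on the first line of this snippet, the arguments appear to be in the opposite order from the format string: `secret %q` receives `KMSTokenSecretNameKey` and `key %q` receives `securitySpec.KeyManagementService.TokenSecretName`. If `TokenSecretName` is the name of the Kubernetes secret and `KMSTokenSecretNameKey` is the key inside it, swap the two so the message points at the right object when the token is missing.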
Member

An error case if this is not the case?

Member Author

No we also support the transit engine, so we don't need to error here.

Rook will now auto detect the kv version of the vault server. This
allows users to avoid passing the VAULT_BACKEND configuration in the
CephCluster CR.

Signed-off-by: Sébastien Han <seb@redhat.com>
@leseb leseb force-pushed the auto-detect-vault-kv-version branch from 2b741e8 to 99e00de Compare July 29, 2021 08:16
Contributor

@thotz thotz left a comment

LGTM

@leseb leseb merged commit f415a58 into rook:master Jul 29, 2021
@leseb leseb deleted the auto-detect-vault-kv-version branch July 29, 2021 09:41
leseb added a commit that referenced this pull request Jul 29, 2021
ceph: auto detect vault k/v version (backport #8265)