provider-server: send info of kernelMountOptions for cephfs to client when encryption in transit is enabled #2707
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rohan47 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
needs-ok-to-test
|
Hi @rohan47. Thanks for your PR. I'm waiting for a red-hat-storage member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
rohan47
force-pushed
the
enc_in_transit_provider
branch
from
3e165cc
to
9f21e7a
Compare
services/provider/server/server.go
Outdated
| @@ -769,3 +776,25 @@ func (s *OCSProviderServer) getOCSSubscriptionChannel(ctx context.Context) (stri | |||
| } | |||
| return subscription.Spec.Channel, nil | |||
| } | |||
|
|
|||
| func (s *OCSProviderServer) getCephfsKernelMountOptions(ctx context.Context) (string, error) { | |||
There was a problem hiding this comment.
we already have
ocs-operator/controllers/storagecluster/csi_options.go
Lines 9 to 33 in 9200d55
rohan47
force-pushed
the
enc_in_transit_provider
branch
5 times, most recently
from
f46aaba
to
43eb71d
Compare
moved getCephFSKernelMountOptions function from storagecluster package to util package Signed-off-by: Rohan Gupta <rohgupta@redhat.com>
rohan47
force-pushed
the
enc_in_transit_provider
branch
2 times, most recently
from
3c608a8
to
c4b98ec
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
Testing the code changes |
add kernel mount option ms_mode=secure to cephfs storageclass data when encryption in transit is enabled Signed-off-by: Rohan Gupta <rohgupta@redhat.com>
rohan47
force-pushed
the
enc_in_transit_provider
branch
from
c4b98ec
to
8ae40d6
Compare
|
Tested the code changes Csi config after the changes oc get cm ceph-csi-configs -o yaml
apiVersion: v1
data:
config.json: '[{"clusterID":"81fd58def37a35d1b4d4bee7ba35c3c3","storageClientID":"fb3e4f11-a38b-4859-ad18-1e8d579eb72b",
"monitors":["10.0.16.90:3300","10.0.61.203:3300","10.0.59.136:3300"],"rbd":{"radosNamespace":"cephradosnamespace-f6e94668817e4eefeb19b7a402fd947e"}},{"clusterID":"fe09c94a50c72d033da43478c21b8314",
"storageClientID":"fb3e4f11-a38b-4859-ad18-1e8d579eb72b","monitors":["10.0.16.90:3300","10.0.61.203:3300","10.0.59.136:3300"],
"cephFS":{"subvolumeGroup":"cephfilesystemsubvolumegroup-38beca789f5bc10e556b9832fd1070f6",
"kernelMountOptions":"ms_mode=secure"}}]'
kind: ConfigMap
metadata:
creationTimestamp: "2024-07-22T19:24:10Z"
name: ceph-csi-configs
namespace: openshift-storage
ownerReferences:
- apiVersion: v1
blockOwnerDeletion: true
controller: true
kind: ConfigMap
name: ocs-client-operator-config
uid: 664e804f-fc77-4aef-9387-a3c39dcb0b00
resourceVersion: "3135818"
uid: 7dee1733-974c-48f3-9cc7-7dbab17aee62 |
| } | ||
| kernelMountOptions := util.GetCephFSKernelMountOptions(&storageClusters.Items[0]) | ||
| if kernelMountOptions == kernelMountOptionSecure { | ||
| cephfsStorageClassData[kernelMountOptionsKey] = kernelMountOptionSecure |
There was a problem hiding this comment.
We should not piggyback csi config info onto the storage class resource.
CSI config needs to be returned as its own resource
| if err != nil || len(storageClusters.Items) == 0 { | ||
| return nil, status.Errorf(codes.Internal, "failed to get storage cluster %v", err) | ||
| } | ||
| kernelMountOptions := util.GetCephFSKernelMountOptions(&storageClusters.Items[0]) |
There was a problem hiding this comment.
how are you getting ms_mode=secure as mentioned in the test comment as the function will return ms_mode=legacy if remote consumers are allowed? Is it due to sc.Spec.Network.Connections.Encryption.Enabled?
There was a problem hiding this comment.
Yes if sc.Spec.Network.Connections.Encryption.Enabled then it will return ms_mode=secure
|
/ok-to-test |
openshift-ci
bot
added
ok-to-test
|
@rohan47: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
In Case EiT is enabled on storagecluster all the clients are supposed to use 3300 right as mons will only listen on secure port? |
There was a problem hiding this comment.
continuing the discussion on PR rather than as a comment. So, does the kernel client on client cluster continues to offer services for PVCs which were created before enabling EiT?
There was a problem hiding this comment.
for 4.17 deployments the decision to use EiT will be taken when the provider is deployed right and we don't have to worry about clients connecting on unsecure port
There was a problem hiding this comment.
Well, rather than asking the specifics, let me put it this way, w/ this PR does the PVCs created on 4.16 still work?
There was a problem hiding this comment.
No, It won't work
4.16-based deployments will not support EiT even after they upgrade to 4.17 right?
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
included in #2713 pls check & confirm. |
openshift-merge-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
add kernel mount option ms_mode=secure to cephfs storageclass data when encryption in transit is enabled