Skip to content

Commit

Permalink
docs: add design for using services for addons pods
Browse files Browse the repository at this point in the history 
Signed-off-by: Bipul Adhikari <[email protected]>
  • Loading branch information
@bipuladh
bipuladh committed Dec 4, 2024
1 parent f325f74 commit c8acd5d
Showing 1 changed file with 24 additions and 0 deletions.
24 changes: 24 additions & 0 deletions docs/design/podService.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
T# Services for Addons Pods

The Kubernetes CSI Addons project currently connects the CSI Addons Manager to the add-on sidecar through hardcoded IP addresses. However, this IP-based approach poses limitations, especially when implementing secure TLS communication between the manager and the sidecar. TLS certificates typically require stable DNS-based connections rather than IP-based, as IP addresses can change and are not easily resolved in cases where host networking is enabled.

## Problem Statement

1. **IP Dependency**: The current approach hardcodes IP addresses, which can be unreliable and lead to broken connections if IPs change.
2. **TLS Challenges**: Introducing TLS certificates requires a stable DNS name for validation. Relying on IPs does not align with best practices in certificate management and TLS.
3. **Host Networking Constraints**: Host networking limits the use of Pod DNS names, as Pod DNS entries may not resolve correctly or may be inaccessible.

## Proposed Solution

### Add support for CLI arguments for TLS

We introduce a new argument in the commands to enable TLS. It is diabled by default. But if this is enabled the deployer is expected to have mounted a secret that contains the required certificates. We will essentially need a certifiate that is compatible with the hostname that the manager will be issuing network calls using it.


### Operator changes

The Ceph CSI Operator is only responsible for taking in the information mounted to it and project those as volumes in the CSI Addons sidecar. The deployer of CSI Addons should create these certificates and mount it at `/etc/tls/tls.crt` and `/etc/tls/tls.key`. We keep this hardcoded to reduce the number of new arguments introduced. The logger should provide enough information if the user is not mounting this correctly for easy debugging.

## Guide to the deployeer for handling certificates

Since we use host networking the certificates should have these IP addresses as valid Subject names.

0 comments on commit c8acd5d

Please sign in to comment.