From c8acd5d6e837ada08bfefb970a09149f7f86e01a Mon Sep 17 00:00:00 2001 From: Bipul Adhikari Date: Fri, 15 Nov 2024 10:08:48 +0545 Subject: [PATCH] docs: add design for using services for addons pods Signed-off-by: Bipul Adhikari --- docs/design/podService.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 docs/design/podService.md diff --git a/docs/design/podService.md b/docs/design/podService.md new file mode 100644 index 00000000..f9b309c8 --- /dev/null +++ b/docs/design/podService.md @@ -0,0 +1,24 @@ +T# Services for Addons Pods + +The Kubernetes CSI Addons project currently connects the CSI Addons Manager to the add-on sidecar through hardcoded IP addresses. However, this IP-based approach poses limitations, especially when implementing secure TLS communication between the manager and the sidecar. TLS certificates typically require stable DNS-based connections rather than IP-based, as IP addresses can change and are not easily resolved in cases where host networking is enabled. + +## Problem Statement + +1. **IP Dependency**: The current approach hardcodes IP addresses, which can be unreliable and lead to broken connections if IPs change. +2. **TLS Challenges**: Introducing TLS certificates requires a stable DNS name for validation. Relying on IPs does not align with best practices in certificate management and TLS. +3. **Host Networking Constraints**: Host networking limits the use of Pod DNS names, as Pod DNS entries may not resolve correctly or may be inaccessible. + +## Proposed Solution + +### Add support for CLI arguments for TLS + +We introduce a new argument in the commands to enable TLS. It is diabled by default. But if this is enabled the deployer is expected to have mounted a secret that contains the required certificates. We will essentially need a certifiate that is compatible with the hostname that the manager will be issuing network calls using it. + + +### Operator changes + +The Ceph CSI Operator is only responsible for taking in the information mounted to it and project those as volumes in the CSI Addons sidecar. The deployer of CSI Addons should create these certificates and mount it at `/etc/tls/tls.crt` and `/etc/tls/tls.key`. We keep this hardcoded to reduce the number of new arguments introduced. The logger should provide enough information if the user is not mounting this correctly for easy debugging. + +## Guide to the deployeer for handling certificates + +Since we use host networking the certificates should have these IP addresses as valid Subject names.