controllers: Add logic to Create cephfs encrypted storageclass #2605
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: iamniting The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
iamniting
force-pushed
the
cephfs-encryption
branch
from
ccc76e7
to
a2985f1
Compare
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
/retest |
| encryptedStorageClassConfig := newCephFilesystemStorageClassConfiguration(initData) | ||
| encryptedStorageClassConfig.storageClass.ObjectMeta.Name = generateNameForEncryptedCephFileSystemSC(initData) | ||
| // adding a annotation to support smart cloning across namespace for encrypted volume | ||
| encryptedStorageClassConfig.storageClass.ObjectMeta.Annotations["cdi.kubevirt.io/clone-strategy"] = "copy" |
There was a problem hiding this comment.
Should confirm with kubevirt team once if they want to support cephfs volumes for this as well before adding the annotation.
There was a problem hiding this comment.
@nixpanic Can you pls confirm this if you have an idea?
There was a problem hiding this comment.
i dont think we use cephfs for kubevirt. do we have any cephfs storageclass with this annotation in ocs-operator?
There was a problem hiding this comment.
No only encrypted rbd is the one where it was added.
There was a problem hiding this comment.
I removed the annotation.
There was a problem hiding this comment.
KubeVirt can use CephFS, but it is not recommended. Users have better performance and more options when using RBD with block-mode, that is the preferred storage backend when using Ceph.
| @@ -853,6 +853,12 @@ func validateCustomStorageClassNames(sc *ocsv1.StorageCluster) error { | |||
| } | |||
| scMap[sc.Spec.Encryption.StorageClassName] = true | |||
| } | |||
| if sc.Spec.Encryption.CephFs.StorageClass && sc.Spec.Encryption.KeyManagementService.Enable && sc.Spec.Encryption.CephFs.StorageClassName != "" { | |||
| if _, ok := scMap[sc.Spec.Encryption.CephFs.StorageClassName]; ok { | |||
| duplicateNames = append(duplicateNames, "Encryption") | |||
There was a problem hiding this comment.
how about this ?
(and for RBD, append "RBD Encryption"... instead of just using "Encryption" in both cases)
| duplicateNames = append(duplicateNames, "Encryption") | |
| duplicateNames = append(duplicateNames, "CephFS Encryption") |
There was a problem hiding this comment.
yeah correct, changed it
api/v1/storagecluster_types.go
Outdated
| StorageClassName string `json:"storageClassName,omitempty"` | ||
| // Configure the default CephFS encrypted storage class | ||
| // +optional | ||
| CephFs DefaultStorageClassSpec `json:"cephfs,omitempty"` |
There was a problem hiding this comment.
| CephFs DefaultStorageClassSpec `json:"cephfs,omitempty"` | |
| CephFS DefaultStorageClassSpec `json:"cephFS,omitempty"` |
| encryptedStorageClassConfig := newCephFilesystemStorageClassConfiguration(initData) | ||
| encryptedStorageClassConfig.storageClass.ObjectMeta.Name = generateNameForEncryptedCephFileSystemSC(initData) | ||
| // adding a annotation to support smart cloning across namespace for encrypted volume | ||
| encryptedStorageClassConfig.storageClass.ObjectMeta.Annotations["cdi.kubevirt.io/clone-strategy"] = "copy" |
There was a problem hiding this comment.
i dont think we use cephfs for kubevirt. do we have any cephfs storageclass with this annotation in ocs-operator?
api/v1/storagecluster_types.go
Outdated
| StorageClassName string `json:"storageClassName,omitempty"` | ||
| // Configure the default CephFS encrypted storage class | ||
| // +optional | ||
| CephFs DefaultStorageClassSpec `json:"cephfs,omitempty"` |
There was a problem hiding this comment.
@iamniting Did we decide that we are going with this approach?
api/v1/storagecluster_types.go
Outdated
| KeyManagementService KeyManagementServiceSpec `json:"kms,omitempty"` | ||
| // KeyRotation defines options for Key Rotation. | ||
| // +optional | ||
| KeyRotation KeyRotationSpec `json:"keyRotation,omitempty"` | ||
| } | ||
|
|
||
| type DefaultStorageClassSpec struct { |
There was a problem hiding this comment.
| type DefaultStorageClassSpec struct { | |
| type StorageClassSpec struct { | |
| } | |
| // or | |
| type CSIStorageClassSpec struct { | |
| } |
There was a problem hiding this comment.
default doesnt suit as its a shared struct for cephfs/rbd/nfs
There was a problem hiding this comment.
Changed it to StorageClassSpec
api/v1/storagecluster_types.go
Outdated
| KeyManagementService KeyManagementServiceSpec `json:"kms,omitempty"` | ||
| // KeyRotation defines options for Key Rotation. | ||
| // +optional | ||
| KeyRotation KeyRotationSpec `json:"keyRotation,omitempty"` | ||
| } | ||
|
|
||
| type DefaultStorageClassSpec struct { | ||
| // Enable Default StorageClass |
There was a problem hiding this comment.
| // Enable Default StorageClass | |
| Create StorageClass |
api/v1/storagecluster_types.go
Outdated
| @@ -456,18 +456,33 @@ type EncryptionSpec struct { | |||
| Enable bool `json:"enable,omitempty"` | |||
| // +optional | |||
| ClusterWide bool `json:"clusterWide,omitempty"` | |||
| // Configure the default rbd encrypted storage class | |||
There was a problem hiding this comment.
can we remove the word default as we are not creating defaults with this one? use RBD
iamniting
force-pushed
the
cephfs-encryption
branch
2 times, most recently
from
f35322b
to
1967d06
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
api/v1/storagecluster_types.go
Outdated
| // +optional | ||
| StorageClass bool `json:"storageClass,omitempty"` | ||
| // StorageClassName specifies the name of the storage class created for ceph encrypted block pools | ||
| // +kubebuilder:validation:MaxLength=253 | ||
| // +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ | ||
| StorageClassName string `json:"storageClassName,omitempty"` | ||
| StorageClassName string `json:"storageClassName,omitempty"` | ||
| // Configure the default CephFS encrypted storage class |
There was a problem hiding this comment.
| // Configure the default CephFS encrypted storage class | |
| // Configure the CephFS encrypted storage class |
| type StorageClassSpec struct { | ||
| // Create StorageClass | ||
| // +optional | ||
| StorageClass bool `json:"storageClass,omitempty"` |
There was a problem hiding this comment.
Do we need this to be pointer to bool or just bool
There was a problem hiding this comment.
anything can be fine, I kept it as bool to align with the old flag.
api/v1/storagecluster_types.go
Outdated
| KeyManagementService KeyManagementServiceSpec `json:"kms,omitempty"` | ||
| // KeyRotation defines options for Key Rotation. | ||
| // +optional | ||
| KeyRotation KeyRotationSpec `json:"keyRotation,omitempty"` | ||
| } | ||
|
|
||
| type StorageClassSpec struct { | ||
| // Create StorageClass |
There was a problem hiding this comment.
| // Create StorageClass | |
| // Create Storage class |
lets be constant with name in all the places storage class
Signed-off-by: Nitin Goyal <[email protected]>
Signed-off-by: Nitin Goyal <[email protected]>
iamniting
force-pushed
the
cephfs-encryption
branch
from
1967d06
to
1c68588
Compare
Signed-off-by: Nitin Goyal [email protected]
We also need changes in the Ceph and kernel to support this feature. Will add hold until those changes are present in the DS.