Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kms: added Azure Key Vault as a supported KMS #4455

Merged
merged 3 commits into from
Mar 13, 2024
Merged

kms: added Azure Key Vault as a supported KMS #4455

merged 3 commits into from
Mar 13, 2024

Conversation

iPraveenParihar
Copy link
Contributor

@iPraveenParihar iPraveenParihar commented Feb 21, 2024
edited by nixpanic
Loading

Describe what this PR does

This commit adds the support for the Azure key vault KMS service
for Ceph CSI.

Related issues

Fixes: #4421
Depends-on: #4477

Checklist:

  • Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide.
  • Reviewed the developer guide on Submitting a Pull Request
  • Pending release notes updated with breaking and/or notable changes for the next major release.
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.

=== Pod mounting =====

I0221 05:36:19.964922  186528 rbd_util.go:352] ID: 32 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 checking for ImageFeatures: [layering]
I0221 05:36:20.034605  186528 cephcmds.go:105] ID: 32 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 command succeeded: rbd [device list --format=json --device-type krbd]
I0221 05:36:20.064959  186528 rbd_attach.go:427] ID: 32 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 rbd: map mon 10.101.166.81:6789
I0221 05:36:20.212976  186528 cephcmds.go:105] ID: 32 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 command succeeded: rbd [--id csi-rbd-node -m 10.101.166.81:6789 --keyfile=***stripped*** map replicapool/csi-vol-274e6365-aa70-4afa-9bd7-9e889a8adc00 --device-type krbd --options noudev]
I0221 05:36:20.213114  186528 nodeserver.go:422] ID: 32 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 rbd image: replicapool/csi-vol-274e6365-aa70-4afa-9bd7-9e889a8adc00 was successfully mapped at /dev/rbd0
I0221 05:36:20.240236  186528 encryption.go:82] ID: 32 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 image replicapool/csi-vol-274e6365-aa70-4afa-9bd7-9e889a8adc00 encrypted state metadata reports "encryptionPrepared"
I0221 05:36:23.697891  186528 crypto.go:261] ID: 32 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 Encrypting device "/dev/rbd0"	 with LUKS
I0221 05:36:33.318346  186528 crypto.go:320] ID: 32 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 "/dev/mapper/luks-rbd-0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00" is not an active LUKS device (an error (exit status 4) occurred while running cryptsetup args: [status luks-rbd-0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00]):
I0221 05:36:33.318412  186528 crypto.go:272] ID: 32 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 Opening device "/dev/rbd0" with LUKS on "luks-rbd-0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00"
I0221 05:36:35.655134  186528 cephcmds.go:105] ID: 32 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 command succeeded: blockdev [--getsize64 /dev/rbd0]
I0221 05:36:35.656776  186528 cephcmds.go:105] ID: 32 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 command succeeded: blockdev [--getsize64 /dev/mapper/luks-rbd-0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00]
I0221 05:36:35.656809  186528 crypto.go:283] ID: 32 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 Resizing LUKS device "/dev/mapper/luks-rbd-0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00"
I0221 05:36:35.710597  186528 nodeserver.go:382] ID: 32 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 rbd: successfully mounted volume 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 to stagingTargetPath /var/lib/kubelet/plugins/kubernetes.io/csi/rook-ceph.rbd.csi.ceph.com/c7184aef29d006913ec1ffd7db0e8d1d69d1fbccb77c25c4666aad492bb9a9b3/globalmount/0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00


=== Inside POD ===

/dev/mapper/luks-rbd-0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00  977M  2.5M  958M   1% /var/lib/www/html
tmpfs                                                                                            12G   12K   12G   1% /run/secrets/kubernetes.io/serviceaccount


=== Image metadata ===

[pm@dhcp53-242 examples]$ kubectl exec -it rook-ceph-tools-66b77b8df5-xkhvv -- rbd image-meta ls replicapool/csi-vol-274e6365-aa70-4afa-9bd7-9e889a8adc00
There is 1 metadatum on this image:

Key                         Value
rbd.csi.ceph.com/encrypted  encrypted

=== Pod unmounting ===

I0221 05:41:45.794205  186528 nodeserver.go:1001] ID: 47 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 successfully unmounted volume (0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00) from staging path (/var/lib/kubelet/plugins/kubernetes.io/csi/rook-ceph.rbd.csi.ceph.com/c7184aef29d006913ec1ffd7db0e8d1d69d1fbccb77c25c4666aad492bb9a9b3/globalmount/0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00)
I0221 05:41:45.812138  186528 crypto.go:294] ID: 47 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 Closing LUKS device "luks-rbd-0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00"
I0221 05:41:45.924626  186528 cephcmds.go:105] ID: 47 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 command succeeded: rbd [unmap /dev/rbd0 --device-type krbd --options noudev]
I0221 05:41:45.924710  186528 nodeserver.go:1059] ID: 47 Req-ID: 0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00 successfully unmapped volume (0001-0009-rook-ceph-0000000000000002-274e6365-aa70-4afa-9bd7-9e889a8adc00)

@iPraveenParihar iPraveenParihar added the enhancement New feature or request label Feb 21, 2024
@iPraveenParihar iPraveenParihar self-assigned this Feb 21, 2024
@mergify Mergify
Copy link
Contributor

mergify bot commented Feb 21, 2024

This pull request now has conflicts with the target branch. Could you please resolve conflicts and force push the corrected changes? 🙏

@iPraveenParihar iPraveenParihar force-pushed the kms/azure-key-vault branch 2 times, most recently from 6d103a6 to 369d075 Compare February 21, 2024 06:06
@iPraveenParihar iPraveenParihar changed the title [WIP] kms: added Azure Key Vault as a supported KaMS [WIP] kms: added Azure Key Vault as a supported KMS Feb 21, 2024
nixpanic
nixpanic reviewed Feb 21, 2024
View reviewed changes
Copy link
Member

@nixpanic nixpanic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

consider adding more details in a document under https://github.com/ceph/ceph-csi/tree/devel/docs/design/proposals

internal/kms/azure_vault.go Outdated Show resolved Hide resolved
internal/kms/azure_vault.go Outdated Show resolved Hide resolved
Madhu-1
Madhu-1 reviewed Feb 29, 2024
View reviewed changes
docs/deploy-rbd.md Outdated Show resolved Hide resolved
examples/kms/vault/azure-credentials.yaml Outdated Show resolved Hide resolved
internal/kms/azure_vault._test.go Outdated Show resolved Hide resolved
internal/kms/azure_vault.go Outdated Show resolved Hide resolved
internal/kms/azure_vault.go Outdated Show resolved Hide resolved
internal/kms/azure_vault.go Outdated Show resolved Hide resolved
@iPraveenParihar iPraveenParihar force-pushed the kms/azure-key-vault branch 3 times, most recently from 14a185a to cdcc829 Compare February 29, 2024 16:44
@iPraveenParihar iPraveenParihar marked this pull request as ready for review March 1, 2024 04:26
@iPraveenParihar iPraveenParihar changed the title [WIP] kms: added Azure Key Vault as a supported KMS kms: added Azure Key Vault as a supported KMS Mar 1, 2024
@iPraveenParihar iPraveenParihar force-pushed the kms/azure-key-vault branch 2 times, most recently from f46e967 to 02d2fbb Compare March 4, 2024 07:56
sp98
sp98 suggested changes Mar 4, 2024
View reviewed changes
internal/kms/azure_vault.go Outdated Show resolved Hide resolved
internal/kms/azure_vault.go Outdated Show resolved Hide resolved
nixpanic
nixpanic reviewed Mar 5, 2024
View reviewed changes
internal/kms/kms.go Outdated Show resolved Hide resolved
@iPraveenParihar iPraveenParihar mentioned this pull request Mar 6, 2024
Closed
@iPraveenParihar iPraveenParihar force-pushed the kms/azure-key-vault branch 2 times, most recently from 7649c8c to 3cbf7c3 Compare March 6, 2024 08:47
@iPraveenParihar
Copy link
Contributor Author

/test ci/centos/k8s-e2e-external-storage/1.27

@iPraveenParihar iPraveenParihar force-pushed the kms/azure-key-vault branch 2 times, most recently from 1b0ca36 to ae13d82 Compare March 6, 2024 10:54
@iPraveenParihar
Copy link
Contributor Author

/test ci/centos/k8s-e2e-external-storage/1.27

@iPraveenParihar
Copy link
Contributor Author

@nixpanic @Rakshith-R PTAL

@iPraveenParihar iPraveenParihar force-pushed the kms/azure-key-vault branch 2 times, most recently from e68cdb2 to cdd1f41 Compare March 13, 2024 10:01
Rakshith-R
Rakshith-R approved these changes Mar 13, 2024
View reviewed changes
Copy link
Contributor

@Rakshith-R Rakshith-R left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

Madhu-1
Madhu-1 reviewed Mar 13, 2024
View reviewed changes
Copy link
Collaborator

@Madhu-1 Madhu-1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, @nixpanic please feel free to approve it as you have suggested changes

@nixpanic
Copy link
Member

@Mergifyio rebase

@iPraveenParihar @nixpanic
kms: Implement Azure key vault as KMS provider
349f7d6 
This commit adds the Azure Key Vault as a supported
KMS provider.

Signed-off-by: Praveen M <m.praveen@ibm.com>
@iPraveenParihar @nixpanic
doc: added docs for Azure KMS
9f891d3 
Signed-off-by: Praveen M <m.praveen@ibm.com>
@iPraveenParihar @nixpanic
rebase: Azure key vault module dependency update
a95efee 
This commit adds the Azure SDK for Azure key vault KMS
integration to the Ceph CSI driver.

Signed-off-by: Praveen M <m.praveen@ibm.com>
@mergify Mergify
Copy link
Contributor

mergify bot commented Mar 13, 2024

rebase

✅ Branch has been successfully rebased

@nixpanic nixpanic force-pushed the kms/azure-key-vault branch from cdd1f41 to a95efee Compare March 13, 2024 12:44
@nixpanic
Copy link
Member

@Mergifyio queue

sp98
sp98 suggested changes Mar 13, 2024
View reviewed changes
Copy link

@sp98 sp98 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mergify Mergify
Copy link
Contributor

mergify bot commented Mar 13, 2024
edited
Loading

queue

✅ The pull request has been merged automatically

The pull request has been merged automatically at 47b2025

@mergify mergify bot added the ok-to-test Label to trigger E2E tests label Mar 13, 2024
@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/k8s-e2e-external-storage/1.29

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/mini-e2e-helm/k8s-1.29

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/mini-e2e/k8s-1.29

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/k8s-e2e-external-storage/1.28

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/k8s-e2e-external-storage/1.27

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/mini-e2e-helm/k8s-1.28

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/mini-e2e-helm/k8s-1.27

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/mini-e2e/k8s-1.28

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/mini-e2e/k8s-1.27

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/upgrade-tests-cephfs

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/upgrade-tests-rbd

@ceph-csi-bot ceph-csi-bot removed the ok-to-test Label to trigger E2E tests label Mar 13, 2024
@mergify mergify bot merged commit 47b2025 into ceph:devel Mar 13, 2024
34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Madhu-1 Madhu-1 Madhu-1 left review comments

@sp98 sp98 sp98 requested changes

@Rakshith-R Rakshith-R Rakshith-R approved these changes

@nixpanic nixpanic nixpanic approved these changes

Assignees

@iPraveenParihar iPraveenParihar

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

KMS: Support Azure Key Vault as a supported KMS
6 participants
@iPraveenParihar @nixpanic @ceph-csi-bot @sp98 @Madhu-1 @Rakshith-R