-
Notifications
You must be signed in to change notification settings - Fork 536
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rbd: create token and use it for vault SA #3174
Conversation
29fc8ef
to
078238d
Compare
/retest all |
@@ -31,4 +31,7 @@ rules: | |||
- apiGroups: ["storage.k8s.io"] | |||
resources: ["volumeattachments"] | |||
verbs: ["list", "get"] | |||
- apiGroups: ["authentication.k8s.io"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same change is required in Rook, dont forget to send patch to Rook
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
small nit, changes LGTM
internal/kms/vault_sa.go
Outdated
@@ -303,6 +307,27 @@ func (kms *vaultTenantSA) getToken() (string, error) { | |||
} | |||
} | |||
|
|||
version, err := c.ServerVersion() | |||
if err != nil { | |||
return "", fmt.Errorf("can not get ServiceVersion %w", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return "", fmt.Errorf("can not get ServiceVersion %w", err) | |
return "", fmt.Errorf("failed to get ServiceVersion %w", err) |
internal/kms/vault_sa.go
Outdated
} | ||
// from kubernetes v1.24+, secret for service account tokens are not | ||
// automatically created. Hence, use the create token api to fetch it. | ||
if version.Major == kubeMajorVersion && version.Minor >= kubeMinorVersion { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add kubernetes changelog link here for future reference?
internal/kms/vault_sa.go
Outdated
@@ -35,6 +36,9 @@ const ( | |||
// should be available in the Tenants namespace. This ServiceAccount | |||
// will be used to connect to Hashicorp Vault. | |||
vaultTenantSAName = "ceph-csi-vault-sa" | |||
// Kubernetes version to get token from the ServiceAccount. | |||
kubeMajorVersion = "1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the name of these constants do not say anything about the feature that Kubernetes introduced. Please use a better name.
internal/kms/vault_sa.go
Outdated
@@ -303,6 +307,27 @@ func (kms *vaultTenantSA) getToken() (string, error) { | |||
} | |||
} | |||
|
|||
version, err := c.ServerVersion() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
move this to a helper function, one that can always be called. If the version does not need to create a token, just return no error.
internal/kms/vault_sa.go
Outdated
@@ -303,6 +307,27 @@ func (kms *vaultTenantSA) getToken() (string, error) { | |||
} | |||
} | |||
|
|||
version, err := c.ServerVersion() | |||
if err != nil { | |||
return "", fmt.Errorf("can not get ServiceVersion %w", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use the standard format "<message>: %w"
, with :
https://jenkins-ceph-csi.apps.ocp.ci.centos.org/blue/organizations/jenkins/mini-e2e-helm_k8s-1.24/detail/mini-e2e-helm_k8s-1.24/18/pipeline/ @pkalever , rbd nbd tests are failing
|
90e3127
to
30a6338
Compare
I've tested it manually on k8s 1.24 and it works logs
|
30a6338
to
286e997
Compare
286e997
to
0456969
Compare
This rbac is required to fetch serviceaccount token for vault tenant sa encryption type on k8s 1.24+. refer: ceph/ceph-csi#3174 Signed-off-by: Rakshith R <rar@redhat.com>
This rbac is required to fetch serviceaccount token for vault tenant sa encryption type on k8s 1.24+. refer: ceph/ceph-csi#3174 Signed-off-by: Rakshith R <rar@redhat.com>
/retest ci/centos/mini-e2e-helm/k8s-1.22 |
/retest ci/centos/mini-e2e-helm/k8s-1.23 |
@Mergifyio requeue |
☑️ This pull request is already queued |
/retest ci/centos/k8s-e2e-external-storage/1.22 |
@Rakshith-R "ci/centos/k8s-e2e-external-storage/1.22" test failed. Logs are available at location for debugging |
@Mergifyio requeue |
☑️ This pull request is already queued |
/retest ci/centos/mini-e2e-helm/k8s-1.21 |
@Rakshith-R "ci/centos/mini-e2e-helm/k8s-1.21" test failed. Logs are available at location for debugging |
/retest ci/centos/k8s-e2e-external-storage/1.22 |
@Rakshith-R "ci/centos/k8s-e2e-external-storage/1.22" test failed. Logs are available at location for debugging |
/retest ci/centos/k8s-e2e-external-storage/1.21 |
@Rakshith-R "ci/centos/k8s-e2e-external-storage/1.21" test failed. Logs are available at location for debugging |
@Mergifyio requeue |
☑️ This pull request is already queued |
/retest ci/centos/k8s-e2e-external-storage/1.22 |
@Rakshith-R "ci/centos/k8s-e2e-external-storage/1.22" test failed. Logs are available at location for debugging |
@Mergifyio requeue |
☑️ This pull request is already queued |
/retest ci/centos/mini-e2e-helm/k8s-1.21 |
@Rakshith-R "ci/centos/mini-e2e-helm/k8s-1.21" test failed. Logs are available at location for debugging |
@Mergifyio requeue |
☑️ This pull request is already queued |
This rbac is required to fetch serviceaccount token for vault tenant sa encryption type on k8s 1.24+. refer: ceph/ceph-csi#3174 Signed-off-by: Rakshith R <rar@redhat.com> (cherry picked from commit 623c515)
This rbac is required to fetch serviceaccount token for vault tenant sa encryption type on k8s 1.24+. refer: ceph/ceph-csi#3174 Signed-off-by: Rakshith R <rar@redhat.com> (cherry picked from commit 623c515) (cherry picked from commit 54bf464)
This rbac is required to fetch serviceaccount token for vault tenant sa encryption type on k8s 1.24+. refer: ceph/ceph-csi#3174 Signed-off-by: Rakshith R <rar@redhat.com> (cherry picked from commit 623c515) (cherry picked from commit 54bf464)
create the token if kubernetes version is 1.24+ and use it for vault sa.
Signed-off-by: Madhu Rajanna madhupr007@gmail.com
Signed-off-by: Rakshith R rar@redhat.com
Resolves: #3135