Ceph FS fscrypt support #3460

Merged
merged 12 commits into from
Nov 23, 2022

Commits on Nov 21, 2022

  1. cephfs: fscrypt encryption support

    Add Ceph FS fscrypt support, similar to the RBD/ext4 fscrypt
    integration. Supports encrypted PVCs, snapshots and clones.
    
    Requires kernel and Ceph MDS support that is currently not in any
    stable release.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Nov 21, 2022
    1b86181
  2. deploy: Add KMS configuration to Ceph FS

    Adds necessary KMS configuration based on the RBD configuration to use
    Ceph FS with fscrypt
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Nov 21, 2022
    b17ccdf
  3. examples: Ceph FS fscrypt / KMS additions

    Add encryption configuration to Ceph FS examples
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Nov 21, 2022
    Configuration menu
    Copy the full SHA
    f1dcb8d View commit details
    Browse the repository at this point in the history
  4. e2e: Add Ceph FS fscrypt validation helper

    Add e2e helper to verify encrypted Ceph FS. Verify file's
    ceph.fscrypt.auth attribute and KMS password creation / removal.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Nov 21, 2022
    23d039d
  5. e2e: Add test-cephfs-fscrypt flag

    Add flag to default disable Ceph FS fscrypt tests, as they require a
    custom minikube ISO
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Nov 21, 2022
    11719dd
  6. e2e: Deploy vault as part of the Ceph FS suite

    Always deploy Vault as part of the Ceph FS test suite.
    
    Required by:
     - fscrypt tests using any vault KMS type.
     - Configuration in deploy/cephfs/*.yaml via the
       ceph-csi-encryption-kms-config config map created during deployVault()
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Nov 21, 2022
    44f0346
  7. e2e: add basic PVC Ceph FS fscrypt tests

    Test storage class, pvc and app bind of an fscrypt encrypted Ceph FS
    with secrets metadata, vault, vault tokens and vault tenant KMS.
    
    Tests are based on the RBD block/file encryption tests.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Nov 21, 2022
    8c6eb37
  8. e2e: add PVC-PVC clone Ceph FS fscrypt tests

    Note: Feature fixed https://tracker.ceph.com/issues/57641
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Nov 21, 2022
    01c67b3
  9. e2e: add cephfs fscrypt snapshot volume test

    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Nov 21, 2022
    bd5c496
  10. cephfs: nolint:gocyclo NewVolumeOptions, NewVolumeOptionsFromVolID

    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Nov 21, 2022
    b00540b
  11. e2e: Deploy vault as part of the Ceph FS upgrade suite

    Deploy vault, analogous to the RBD upgrade suite, to have the
    ceph-csi-encryption-kms-config map ready when dependent
    deployments/daemonsets are created.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Nov 21, 2022
    33ca2c8
  12. deploy: Remove unnecessary RBAC permissions

    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Nov 21, 2022
    f24796d