Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using RequiresRepublish for rotation #585

Open
aramase opened this issue Jun 8, 2021 · 22 comments
Open

Using RequiresRepublish for rotation #585

aramase opened this issue Jun 8, 2021 · 22 comments
Assignees
@aramase
Labels
feature/rotation kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Milestone
v1.4.0

Comments

@aramase
Copy link
Member

aramase commented Jun 8, 2021

When requiresRepublish: true is set in the CSIDriver spec

  requiresRepublish: true # added in Kubernetes 1.20, this field is beta as of Kubernetes 1.21

kubelet will periodically send NodePublishVolume to the driver.

  • Investigate if we can use this feature with internal backoff logic for rotation

/assign
@aramase
Copy link
Member Author

aramase commented Jun 8, 2021

/kind feature

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Jun 8, 2021
@aramase aramase added this to the v0.1.0 milestone Jun 9, 2021
@tam7t tam7t mentioned this issue Jun 9, 2021
Merged
@tam7t
Copy link
Contributor

tam7t commented Jun 15, 2021

Based on https://kubernetes-csi.github.io/docs/token-requests.html#feature-gate

  • 1.19 does not have this (EOL: 2021-10-28)
  • 1.20 adds this as optional (--feature-gates=CSIServiceAccountToken=true) (EOL: 2022-02-28)
  • 1.21 enables this by default

We could emulate this behavior in the driver (give driver permission to act as any SA in the cluster, maintain token caches for republish).

@tam7t tam7t mentioned this issue Jun 15, 2021
Closed
@tam7t tam7t mentioned this issue Jun 29, 2021
Merged
@tam7t
Copy link
Contributor

tam7t commented Jul 21, 2021
edited
Loading

RequiresRepublish would help us delete the pkg/rotation/reconciler.go controller, but that controller is ALSO responsible for updating sync'd K8s secret values.

That may mean that we need to rethink some K8s secret syncing logic to:

  • stay in existing controller rotation/reconciler controller
  • add logic topkg/secrets-store/nodeserver.go
  • expand secretproviderclasspodstatus_controller.go responsibilities to updates as well as initial creates

@nilekhc
Copy link
Contributor

nilekhc commented Jul 21, 2021

We are reviewing proposal with SIG-Auth. If we end up creating separate subproject then we can deprecate sync secret logic altogether from driver.

@aramase aramase removed this from the v0.1.0 milestone Jul 21, 2021
@tam7t tam7t added this to the v1.1.0 milestone Oct 13, 2021
@tam7t
Copy link
Contributor

tam7t commented Oct 13, 2021

We need a design on how to introduce this in a way thats:

  • compatible with rotation
  • compatible with sync

And backwards compatible for 1.19 + 1.20 where the cluster may not have this built in (or delay the feature until 1.20 is deprecated...)

@aramase specifically brings up keeping notes about auth token audience parameters like:

apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: mycsidriver.example.com
spec:
  tokenRequests:
    - audience: "gcp"
    - audience: ""
      expirationSeconds: 3600
  requiresRepublish: true

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 11, 2022
@aramase aramase modified the milestones: v1.1.0, v1.2.0 Jan 31, 2022
@tam7t tam7t mentioned this issue Feb 27, 2022
Closed
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 2, 2022
@aramase
Copy link
Member Author

aramase commented Mar 2, 2022

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Mar 2, 2022
@nlamirault
Copy link
Contributor

any news on this feature ?

@aramase
Copy link
Member Author

aramase commented Mar 29, 2022

any news on this feature ?

We will be adding it in a future release. Even without RequiresRepublish rotation is already supported today: https://secrets-store-csi-driver.sigs.k8s.io/topics/secret-auto-rotation.html. Other than rotation any other reason you need this @nlamirault?

@aramase
Copy link
Member Author

aramase commented Apr 21, 2022

Changes in v1.2

v1.21+

  • set requires republish to enable rotation
  • set --enable-secret-rotation=false to disable the old controller

if ran into issues or running < 1.21

  • remove requires republish from CSI driver
  • set --enable-secret-rotation=true (this is same as today)

v1.3

  • We will deprecate the old rotation flag and controller
  • Only way for rotation will be setting RequiresRepublish: true in CSIDriver
  • This will only work with Kubernetes 1.21+

v1.4

  • Move rotation feature with requires republish to beta
  • Consider if we want to enable it by default

@tomhjp tomhjp mentioned this issue Jun 14, 2022
Merged
@aramase aramase removed this from the v1.2.0 milestone Jun 21, 2022
@aramase aramase mentioned this issue Jun 28, 2022
Closed
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 19, 2022
@fjallot
Copy link

fjallot commented Sep 20, 2022

@aramase any news on this feature ? Still planned for v1.3 ?

@aramase
Copy link
Member Author

aramase commented Sep 20, 2022

@aramase any news on this feature ? Still planned for v1.3 ?

@fjallot The driver already supports rotation. Could you tell me if you have a specific reason for wanting RequiresRepublish to do rotation?

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Oct 20, 2022
@aramase
Copy link
Member Author

aramase commented Oct 20, 2022

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Oct 20, 2022
@aramase aramase modified the milestones: v1.3.0, v1.4.0 Oct 28, 2022
This was referenced Oct 28, 2022
Closed
Closed
@tam7t tam7t mentioned this issue Nov 9, 2022
Merged
3 tasks
tam7t added a commit to tam7t/secrets-store-csi-driver that referenced this issue Dec 18, 2022
@tam7t
feat: require RequiresRepublish for rotation
4eed8d2 
Remove the rotation controller and rely exclusively on RequiresRepublish for secret rotation.

All supported k8s versions have RequiresRepublish support enabled by default.

Resolves: kubernetes-sigs#585

The flags will be no-ops in this and removed in 1.5+.
@tam7t tam7t mentioned this issue Dec 18, 2022
Closed
3 tasks
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 26, 2023
@aramase
Copy link
Member Author

aramase commented Jan 26, 2023

/remove-lifecycle rotten

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 25, 2023
@aramase
Copy link
Member Author

aramase commented Feb 27, 2023

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Feb 27, 2023
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 28, 2023
@aramase
Copy link
Member Author

aramase commented May 30, 2023

/remove-lifecycle stale
/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aramase aramase

Labels
feature/rotation kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Projects
None yet
Milestone
v1.4.0
Development

Successfully merging a pull request may close this issue.

feat: require RequiresRepublish for rotation tam7t/secrets-store-csi-driver
7 participants
@nlamirault @fjallot @tam7t @nilekhc @aramase @k8s-ci-robot @k8s-triage-robot