Chart ceph-csi-cephfs doesn't support encryption #4470

Open
acolombier opened this issue Mar 3, 2024 · 7 comments
Labels
wontfix This will not be worked on

Comments

@acolombier
Contributor

Describe the bug

The helm chart ceph-csi-cephfs doesn't support encryption out of the box.

  • It doesn't contain the volume mount for the encryption configuration as per the RBD one
  • It is lacking configmap/read permission and POD_NAMESPACE envvar to read config directly (not sure this is still the way to go)

Environment details

  • Image/version of Ceph CSI driver : quay.io/cephcsi/cephcsi:v3.10.2
  • Helm chart version : 3.10.2
  • Kernel version : N/D
  • Mounter used for mounting PVC (for cephFS its fuse or kernel. for rbd its
    krbd or rbd-nbd) : rbd-nbd
  • Kubernetes cluster version : 1.26
  • Ceph cluster version : 17.2.7 quincy (stable)

Steps to reproduce

Steps to reproduce the behavior:

  1. Install the chart
  2. Create a custom storageClass with encryption, for example
    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: cephfs-encrypted
    provisioner: cephfs.csi.ceph.com
    parameters:
      clusterID: {{ .Values.ceph.storageClass.clusterID }}
      csi.storage.k8s.io/controller-expand-secret-name: csi-cephfs-secret
      csi.storage.k8s.io/controller-expand-secret-namespace: {{ .Release.Namespace }}
      csi.storage.k8s.io/node-stage-secret-name: csi-cephfs-secret
      csi.storage.k8s.io/node-stage-secret-namespace: {{ .Release.Namespace }}
      csi.storage.k8s.io/provisioner-secret-name: csi-cephfs-secret
      csi.storage.k8s.io/provisioner-secret-namespace: {{ .Release.Namespace }}
      csi.storage.k8s.io/fstype: ext4
      fsName: encrypted
      encrypted: "true"
      encryptionKMSID: "kubernetes"
    reclaimPolicy: Delete
    volumeBindingMode: Immediate
    allowVolumeExpansion: true
    mountOptions:
      - debug
    ---
    apiVersion: v1
    kind: ConfigMap
    data:
      kubernetes: |-
        {
          "encryptionKMSType": "metadata",
          "secretName": "cephfs-encryption-passphrase",
          "secretNamespace": "{{ .Release.Namespace}}"
        }
    metadata:
      name: csi-kms-connection-details
    ---
    apiVersion: v1
    stringData:
      encryptionPassphrase: mypassphrase
    kind: Secret
    metadata:
      name: cephfs-encryption-passphrase
    type: Opaque
  3. Create a PVC with that storageClass

Actual results

The PVC cannot be created due to the missing envvar POD_NAMESPACE. Once added, it creates it, but the nodeplugin cannot mount it, due to the envvar and to configmap access being denied.

Expected behavior

The PVC gets created and can be mounted by nodeplugin.

Logs

Omitted

Additional context

N/A
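The report above names three things the chart would need for the KMS-based encryption path to work: a POD_NAMESPACE env var on the driver container, RBAC permission to read ConfigMaps, and a volume mount of the KMS connection-details ConfigMap. The following script is an added example (not code from this issue or from the ceph-csi project) that audits rendered manifests for exactly those three gaps, so a chart change can be checked before it is deployed. It assumes the driver container is the one whose image name contains "cephcsi", it takes the ConfigMap name `csi-kms-connection-details` from the issue, and the sample manifests, volume name and mount path it uses are constructed for illustration.

```python
"""Audit rendered Kubernetes manifests for the three gaps reported in the issue:
no POD_NAMESPACE env var on the driver container, no RBAC rule allowing
ConfigMap reads, and no volume mount of the KMS connection-details ConfigMap.

Added example, not the chart's or the project's own code. To run against a
real chart: docs = list(yaml.safe_load_all(subprocess.check_output(
    ["helm", "template", "ceph-csi-cephfs", "<chart>"])))
"""

KMS_CONFIGMAP = "csi-kms-connection-details"  # ConfigMap name used in the issue
WORKLOAD_KINDS = ("DaemonSet", "Deployment", "StatefulSet")


def driver_containers(doc):
    """Containers of a workload that run the Ceph CSI image (assumed marker: 'cephcsi')."""
    if doc.get("kind") not in WORKLOAD_KINDS:
        return []
    pod = doc.get("spec", {}).get("template", {}).get("spec", {})
    return [c for c in pod.get("containers", []) if "cephcsi" in c.get("image", "")]


def has_pod_namespace_env(container):
    """True if POD_NAMESPACE is set, ideally via the downward API fieldRef."""
    for env in container.get("env", []):
        if env.get("name") != "POD_NAMESPACE":
            continue
        field_path = env.get("valueFrom", {}).get("fieldRef", {}).get("fieldPath")
        if field_path == "metadata.namespace" or env.get("value"):
            return True
    return False


def mounts_kms_configmap(doc, container):
    """True if the container mounts a volume backed by the KMS ConfigMap."""
    pod = doc.get("spec", {}).get("template", {}).get("spec", {})
    cm_volumes = {v.get("name") for v in pod.get("volumes", [])
                  if v.get("configMap", {}).get("name") == KMS_CONFIGMAP}
    return any(m.get("name") in cm_volumes for m in container.get("volumeMounts", []))


def grants_configmap_read(doc):
    """True for a Role/ClusterRole that allows 'get' on configmaps."""
    if doc.get("kind") not in ("Role", "ClusterRole"):
        return False
    return any("configmaps" in r.get("resources", []) and "get" in r.get("verbs", [])
               for r in doc.get("rules", []))


def audit_kms_support(docs):
    """Return a list of findings; an empty list means all three pieces are present."""
    findings = []
    if not any(grants_configmap_read(d) for d in docs):
        findings.append("RBAC: no Role/ClusterRole grants 'get' on configmaps")
    for doc in docs:
        containers = driver_containers(doc)
        if not containers:
            continue
        ident = f"{doc['kind']}/{doc['metadata']['name']}"
        if not any(has_pod_namespace_env(c) for c in containers):
            findings.append(f"{ident}: driver container lacks POD_NAMESPACE env var")
        if not any(mounts_kms_configmap(doc, c) for c in containers):
            findings.append(f"{ident}: driver container does not mount ConfigMap {KMS_CONFIGMAP}")
    return findings


# --- constructed sample manifests (not the chart's real templates) ---
def sample_nodeplugin(fixed):
    """Minimal nodeplugin DaemonSet, with or without the RBD-style additions."""
    container = {"name": "csi-cephfsplugin", "image": "quay.io/cephcsi/cephcsi:v3.10.2",
                 "env": [], "volumeMounts": []}
    volumes = []
    if fixed:
        container["env"].append({"name": "POD_NAMESPACE",
                                 "valueFrom": {"fieldRef": {"fieldPath": "metadata.namespace"}}})
        # volume name and mount path are assumed values for illustration
        container["volumeMounts"].append({"name": "ceph-csi-encryption-kms-config",
                                          "mountPath": "/etc/ceph-csi-encryption-kms-config/"})
        volumes.append({"name": "ceph-csi-encryption-kms-config",
                        "configMap": {"name": KMS_CONFIGMAP}})
    return {"apiVersion": "apps/v1", "kind": "DaemonSet",
            "metadata": {"name": "csi-cephfsplugin"},
            "spec": {"template": {"spec": {"containers": [container], "volumes": volumes}}}}


def sample_role(fixed):
    """Minimal Role that only reads secrets unless 'fixed' adds configmap access."""
    rules = [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]
    if fixed:
        rules.append({"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]})
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": "csi-cephfsplugin"}, "rules": rules}


if __name__ == "__main__":
    for label, fixed in (("as reported", False), ("with the RBD-style additions", True)):
        result = audit_kms_support([sample_nodeplugin(fixed), sample_role(fixed)])
        print(label, "->", result or "OK")
```

The check deliberately stops at the Role rules; it does not confirm that a RoleBinding ties that Role to the nodeplugin's ServiceAccount, which is the other half of the permission and is worth verifying by hand with `kubectl auth can-i get configmaps --as=system:serviceaccount:<ns>:<sa>`.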

@acolombier
Contributor Author

I'd be happy to help fix this by using the RBD chart as a reference for the missing config. Let me know if you would like that!

@dragoangel
Contributor

dragoangel commented Mar 5, 2024

@acolombier looks reasonable to fix this, as cephfs supports encryption; it's just missing in helm.

@NymanRobin
Contributor

Hey @acolombier,
I wanted to check in on the progress of this issue. I'm experiencing the same problem and am eager to find a resolution soon. If you've been busy and haven't had the chance to address it, I'd be more than willing to give it a try.

@acolombier
Contributor Author

I have started working on the chart changes, but I would need some time to test them. Unfortunately, I still need to sort out the kernel version, as I would need 6.6+ to test my use case (fscrypt + cephfs for mount), which is likely going to take me a few more days. If you get the chance to get something together faster, please do! 😃

@NymanRobin
Contributor

We are in the same boat then 😃
But I should be able to get my hands on the required kernel and test it out; meanwhile I already opened the PR to keep things moving forward. If you have any feedback or concerns regarding the PR, let me know, and sorry for barging in on the issue like this.


This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the wontfix This will not be worked on label Apr 17, 2024
@acolombier
Contributor Author

PR currently waiting for review.
