-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: add design for adding new arguments for TLS #173
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
# Add support for TLS certificates for CSI Addons communication | ||
|
||
The Kubernetes CSI Addons project currently connects the CSI Addons Manager to the add-on sidecar without TLS in place. | ||
We propose a introduction of an arugment which enabled should mount the TLS certificates into the sidecar container. | ||
The operator is only responsible for propagation of the certificates. | ||
|
||
## Problem Statement | ||
|
||
CSI addons sidecar which is being deployed here needs certificates. Currently we have no argument to enable this propagation of certificates. | ||
|
||
## Proposed Solution | ||
|
||
### Introduce a new argument for TLS | ||
|
||
We introduce a new argument in the commands to enable TLS. It is diabled by default. But if this is enabled the deployer is expected to have mounted a secret that contains the required certificates. We will essentially need a certifiate that is compatible with the hostname that the manager will be issuing network calls using it. | ||
|
||
### Operator changes | ||
|
||
The Ceph CSI Operator when deploying the sidecar for CSI Addons should will the secret provided in the OperatorConfig in `/etc/tls` folder. The infomration about the secret should be provided via OperatorConfig which in then will be used during sidecar creation. The secret contains information the certficate that is going to be used by the CSI Addons sidecar. | ||
|
||
## Guide to the operator incharge of creating certificates (Optional) | ||
|
||
Based on the type of networking that is to be used. Hostnames used to connect to the Sidecar endpoint should be set in the certificate accordingly. | ||
|
||
## Changes proposed to OperatorConfig | ||
|
||
``` | ||
// New struct proposed | ||
type TLSConfiguration struct { | ||
certificateSecretname string | ||
cretificateSecretNamespace string | ||
Comment on lines
+30
to
+31
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is just a Namespaced Name. But I would prefer to use a |
||
enableTLS bool | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why do we need an enable flag? The existance of the section is a good enough indication that we should use TLD |
||
} | ||
|
||
// OperatorConfigSpec defines the desired state of OperatorConfig | ||
type OperatorConfigSpec struct { | ||
//+kubebuilder:validation:Optional | ||
Log *OperatorLogSpec `json:"log,omitempty"` | ||
|
||
// Allow overwrite of hardcoded defaults for any driver managed by this operator | ||
//+kubebuilder:validation:Optional | ||
DriverSpecDefaults *DriverSpec `json:"driverSpecDefaults,omitempty"` | ||
TLSConfiguration *TLSConfiguration // Conigure TLS certificates for CSI addons | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think this needs to have a Driver scope, not an operator scope. The decision to use or not use TLS should be determined on a driver basis |
||
} | ||
``` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please provide a code snippet that describes the desired outcome of this new field within the API you would like to augment.
The code snippet should be descriptive enough so the following will be clear: