Encryption of block volumes using EncryptionClasses #3106
Conversation
Signed-off-by: Nikolay Andreev <[email protected]>
|
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: nikolay-andreev The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
cncf-cla: no
|
Welcome @nikolay-andreev! |
|
Hi @nikolay-andreev. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
needs-ok-to-test
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
@nikolay-andreev: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| @@ -431,6 +431,8 @@ const ( | |||
| WorkloadDomainIsolationFSS = "workload-domain-isolation" | |||
| // VPCCapabilitySupervisor is a supervisor capability indicating if VPC FSS is enabled | |||
| VPCCapabilitySupervisor = "VPC_Supported" | |||
| // TODO: WCP_VMService_BYOK_FSS enables Bring Your Own Key (BYOK) capabilities. | |||
| BYOK_FSS = "byok" | |||
There was a problem hiding this comment.
Can you confirm if this capability name exists in the required repository on GitLab.
| @@ -358,6 +359,17 @@ func initSyncerComponents(ctx context.Context, clusterFlavor cnstypes.CnsCluster | |||
| os.Exit(0) | |||
| } | |||
| }() | |||
| if commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.BYOK_FSS) && | |||
| clusterFlavor == cnstypes.CnsClusterFlavorWorkload { | |||
There was a problem hiding this comment.
Can we move condition clusterFlavor == cnstypes.CnsClusterFlavorWorkload first, so FSS related log does not get printed for other flavors.
|
|
||
| defer func() { | ||
| log.Info("Cleaning up vc sessions cns operator") | ||
| if r := recover(); r != nil { |
There was a problem hiding this comment.
if you are sharing the same VC session used by other services, we do not need to handle recover here to logout sessions. We are already doing this in the main - https://github.com/kubernetes-sigs/vsphere-csi-driver/blob/master/cmd/syncer/main.go#L349-L354
| @@ -22,7 +22,8 @@ require ( | |||
| github.com/prometheus/client_golang v1.18.0 | |||
| github.com/stretchr/testify v1.9.0 | |||
| github.com/vmware-tanzu/vm-operator/api v1.8.2 | |||
| github.com/vmware/govmomi v0.46.0 | |||
| github.com/vmware-tanzu/vm-operator/external/byok v0.0.0-20241108223224-20f977201370 | |||
There was a problem hiding this comment.
we need to make sure we have release tag for github.com/vmware-tanzu/vm-operator having this dependency. Do we have a plan to cut release for vm-operator for this change?
| @@ -22,7 +22,8 @@ require ( | |||
| github.com/prometheus/client_golang v1.18.0 | |||
| github.com/stretchr/testify v1.9.0 | |||
| github.com/vmware-tanzu/vm-operator/api v1.8.2 | |||
| github.com/vmware/govmomi v0.46.0 | |||
| github.com/vmware-tanzu/vm-operator/external/byok v0.0.0-20241108223224-20f977201370 | |||
| github.com/vmware/govmomi v0.47.0-alpha.0.0.20241111085955-321b6f0907a4 | |||
There was a problem hiding this comment.
we need to make sure to use govmomi release tag
There was a problem hiding this comment.
Is that a repo rule? In VM Op we link to commits all the time. There is not always a release. It does not really matter from a technical standpoint as a tag is just a pointer to a ref. So I'm guessing it is a repo requirement?
There was a problem hiding this comment.
at least before release we make sure we do not use any user commit from the repo.
this is repo specific requirement we are following.
There was a problem hiding this comment.
we need to make sure to use govmomi release tag
Created a v0.46.1 release with just @nikolay-andreev 's changes and a small vcsim fix: vmware/govmomi@v0.46.0...v0.46.1
| @@ -0,0 +1,247 @@ | |||
| package crypto | |||
There was a problem hiding this comment.
we need to add Copyright header in new files.
| ) | ||
|
|
||
| type Provider interface { | ||
| DoesProfileSupportEncryption(ctx context.Context, profileID string) (bool, error) |
| @@ -0,0 +1,294 @@ | |||
| /* | |||
| Copyright 2021 The Kubernetes Authors. | |||
| p.reinitialize = true | ||
| } | ||
|
|
||
| func (p *defaultProvider) getVcClient(ctx context.Context) (*cnsvsphere.VirtualCenter, error) { |
There was a problem hiding this comment.
Can we use existing util file we have to get VC Client?
https://github.com/kubernetes-sigs/vsphere-csi-driver/blob/master/pkg/csi/service/common/util.go#L51-L68
| lock sync.RWMutex | ||
| } | ||
|
|
||
| func (p *defaultProvider) DoesProfileSupportEncryption(ctx context.Context, profileID string) (bool, error) { |
There was a problem hiding this comment.
Can you move this function to common pbm.go file
https://github.com/kubernetes-sigs/vsphere-csi-driver/blob/master/pkg/common/cns-lib/vsphere/pbm.go
| @@ -431,6 +431,8 @@ const ( | |||
| WorkloadDomainIsolationFSS = "workload-domain-isolation" | |||
| // VPCCapabilitySupervisor is a supervisor capability indicating if VPC FSS is enabled | |||
| VPCCapabilitySupervisor = "VPC_Supported" | |||
| // TODO: WCP_VMService_BYOK_FSS enables Bring Your Own Key (BYOK) capabilities. | |||
| BYOK_FSS = "byok" | |||
There was a problem hiding this comment.
it is better to manage this with wcp capability so both vm service and csi can make use of common source of truth to determine if fss needs to be enabled or disabled.
|
@nikolay-andreev can you also fix linter issues on the PR? |
What this PR does / why we need it:
Implement encryption of block volumes using EncryptionClass associated with PVC
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #Testing done:
GINKGO_FOCUS=encryption make test-e2e
SUCCESS! -- 5 Passed | 0 Failed | 0 Pending | 905 Skipped
PASS
Special notes for your reviewer:
Release note:
-->