-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add encryption support #514
Conversation
@timoreimann I'd be very happy if you could review this PR |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a good PR.
Have you built and deployed these changes on a DOKS cluster to test their functionality?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This, along with the other files within this directory aren't needed. We'll push a release when we're ready to do so, rather than as a result of this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed
} | ||
return nil | ||
} else { | ||
err := luksContext.validate() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you able to return a formatted error instead using fmt.Errorf, stating something like validation failed : %s
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure, updated
return nil | ||
err = luksFormat(source, mkfsCmd, mkfsArgs, luksContext, m.log) | ||
if err != nil { | ||
return err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here, stating instead that formatting failed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
luksFormat
already return fmt.Errorf
so I think this is OK
@@ -38,6 +38,36 @@ deletionPolicy: Delete | |||
|
|||
--- | |||
|
|||
kind: StorageClass |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given that we're already defining quite a few storageclasses, I think it might be better to instead document this feature, rather than explicitly define it for all future clusters.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, I've removed those LUKS storage classes and updated README.md a bit.
@okamidash yes, I'm using it currently on a DOKS with 144 volumes attached. No issues so far. |
Unit tests passed. 1.24
1.25
1.26
1.27
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the contribution @paravibe!
Before doing a review on specific code portions, I'd have two more general questions/requests:
- DO volumes are already encrypted at block storage layer. I wanted to confirm that you are aware of this and that you see a need to have another encryption layer on top of it regardless. Appreciate if you could speak to what your use case for LUKS is in light of this context.
- Would you be open to writing an end-to-end test? If we intend to support LUKS in the CSI driver, then I feel we need something beyond unit tests (e.g., to verify that the tooling installed in the container continues to be compatible and fit the needs of the driver). The good news is that we already have a pretty elaborate e2e test scaffolding in place; the bad news is that it is currently hard-wired to running the official Kubernetes e2e storage tests, so this would be the first time we would have an e2e test of our own. This is certainly possible but would require a bit of refactoring work (and, related, some effort to get familiar with the not super trivial test setup).
Thanks again.
Yes, I know it. This is requirement from our customers. The main reason they are asking about this is because they want to control encryption key.
I can't promise anything on this as this require some time (which I don't have enough right now) and skills (which I also don't have enough). But I'll take a look at it ASAP. |
@timoreimann TODO:
|
@timoreimann @okamidash |
1.25
1.26
1.27
|
Any updates? |
As discussed, this won't be integrated into DOKS. Closing PR. |
This is refactored version of #337 based on the master.
I've added 2 more StorageClasses:
do-block-storage-luks use one key per volume
do-block-storage-luks-global use one key per cluster
Also resize of LUKS partition is supported now. Code was taken from cloudscale-ch/csi-cloudscale.