ceph / ceph-csi-operator

Kubernetes operator for managing the CephCSI plugins
Apache License 2.0

drivers not created when encryption is needed #146

Closed iPraveenParihar closed 1 month ago

iPraveenParihar commented 1 month ago

Describe the bug

I was trying to set up encryption and I found that the drivers don't come up, as the operator reconcile fails with

2024-09-26T05:54:37Z ERROR Reconciler error {"controller": "driver", "controllerGroup": "csi.ceph.io", "controllerKind": "Driver", "Driver": {"name":"rbd.csi.ceph.com","namespace":"ceph-csi-operator-system"}, "namespace": "ceph-csi-operator-system", "name": "rbd.csi.ceph.com", "reconcileID": "b365e828-2203-4ced-8ecd-71246315f0d2", "error": "DaemonSet.apps \"rbd.csi.ceph.com-nodeplugin\" is invalid: [spec.template.spec.volumes[10].name: Required value, spec.template.spec.containers[0].volumeMounts[9].name: Not found: \"ceph-csi-kms-config\"]\nDeployment.apps \"rbd.csi.ceph.com-ctrlplugin\" is invalid: [spec.template.spec.volumes[7].name: Required value, spec.template.spec.containers[0].volumeMounts[6].name: Not found: \"ceph-csi-kms-config\"]"}

I looked at the code and found that the name for the KMS configMap volume is not provided https://github.com/ceph/ceph-csi-operator/blob/f3030b0ac9f4915e6e09de5b60bfcfb95a380287/internal/utils/csi.go#L129-L143

Madhu-1 commented 1 month ago

@iPraveenParihar have you created the configmap with name ceph-csi-kms-config? If not, the operator will not create it; it's the user's responsibility to create the configmap which is specified in the CR.

iPraveenParihar commented 1 month ago

@Madhu-1, I have created a CM with the name ceph-csi-encryption-kms-config and provided the same in the driver

pm@dhcp53-176:~$ k get drivers.csi.ceph.io rbd.csi.ceph.com  -oyaml
apiVersion: csi.ceph.io/v1alpha1
kind: Driver
metadata:
  creationTimestamp: "2024-09-26T06:20:40Z"
  generation: 1
  name: rbd.csi.ceph.com
  namespace: ceph-csi-operator-system
  resourceVersion: "2384074"
  uid: 20ed8216-9091-4434-9423-a96e2ea52566
spec:
  controllerPlugin:
    labels:
      app: rbd-ctrlplugin
    replicas: 1
  deployCsiAddons: false
  encryption:
    configMapName:
      name: ceph-csi-encryption-kms-config
  fsGroupPolicy: File
  liveness:
    metricsPort: 8000
    ...

iPraveenParihar commented 1 month ago

The problem is, we are adding the volumeMount with Name kmsConfigVolumeName (ceph-csi-kms-config) https://github.com/ceph/ceph-csi-operator/blob/f3030b0ac9f4915e6e09de5b60bfcfb95a380287/internal/utils/csi.go#L247-L251

and in Volumes, when adding the KMS configMap volume, we don't have the Name field that the KMS volumeMount could refer to https://github.com/ceph/ceph-csi-operator/blob/f3030b0ac9f4915e6e09de5b60bfcfb95a380287/internal/utils/csi.go#L129-L143

Also, it looks like the KMS configMapName is hardcoded to ceph-csi-kms-config. Then what's the need for driver.spec.encryption.configMapName.name?

Madhu-1 commented 1 month ago

The name of the volume is missing; testing the changes. The PR will be up soon, once testing is done.

iPraveenParihar commented 1 month ago

@Madhu-1, what about this?

Also, it looks like the KMS configMapName is hardcoded to ceph-csi-kms-config. Then what's the need for driver.spec.encryption.configMapName.name?

Madhu-1 commented 1 month ago

Sorry, I am not getting that. Why is that required?

iPraveenParihar commented 1 month ago

My question was, does the user need to create the KMS configMap with the name ceph-csi-kms-config ONLY? If so, why does the driver CR have the driver.spec.encryption.configMapName.name field?

Or am I missing something here?

Madhu-1 commented 1 month ago

https://github.com/ceph/ceph-csi-operator/blob/9ad05e208b675633a53db4ee4f5c48d0e99a74fa/internal/utils/csi.go#L129-L144

Take a look at the above: ceph-csi-kms-config is the name for the volume (corresponding to the volume mount), and it uses the configmap created by the user to mount that to the pod.

iPraveenParihar commented 1 month ago

Ahh, I overlooked the code. Thanks!
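
The volume-name versus ConfigMap-name distinction discussed in this thread, as an added Go sketch that is not the operator's own code: it reproduces the two validation errors from the reconcile log when the volume has no name, and shows them clearing once the volume carries the fixed name while still pointing at the user's ConfigMap. `Volume` and `VolumeMount` are simplified stand-ins for the Kubernetes types, and `kmsVolume` and `validate` are hypothetical helpers.

```go
package main

import "fmt"

// Simplified stand-ins for the Kubernetes volume types (assumption: only the
// fields relevant to this issue are modelled).
type Volume struct {
	Name          string // name that volumeMounts refer to
	ConfigMapName string // ConfigMap that backs the volume
}

type VolumeMount struct{ Name string }

// Fixed volume name quoted in the issue; the container mount always uses it.
const kmsConfigVolumeName = "ceph-csi-kms-config"

// kmsVolume (hypothetical helper) pairs the fixed volume name with the
// ConfigMap named in driver.spec.encryption.configMapName.name.
func kmsVolume(userConfigMap string) Volume {
	return Volume{Name: kmsConfigVolumeName, ConfigMapName: userConfigMap}
}

// validate (hypothetical helper) applies the two checks seen in the reconcile
// error: every volume needs a name, and every mount must name an existing volume.
func validate(vols []Volume, mounts []VolumeMount) []string {
	var errs []string
	names := map[string]bool{}
	for i, v := range vols {
		if v.Name == "" {
			errs = append(errs, fmt.Sprintf("volumes[%d].name: Required value", i))
			continue
		}
		names[v.Name] = true
	}
	for i, m := range mounts {
		if !names[m.Name] {
			errs = append(errs, fmt.Sprintf("volumeMounts[%d].name: Not found: %q", i, m.Name))
		}
	}
	return errs
}

func main() {
	mounts := []VolumeMount{{Name: kmsConfigVolumeName}}
	cm := "ceph-csi-encryption-kms-config"                       // ConfigMap name from the Driver CR above
	fmt.Println(validate([]Volume{{ConfigMapName: cm}}, mounts)) // unnamed volume: both errors
	fmt.Println(validate([]Volume{kmsVolume(cm)}, mounts))       // named volume: no errors
}
```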