Mount keyring and config override as files in the toolbox deployment#4026
Mount keyring and config override as files in the toolbox deployment#4026sp98 wants to merge 11 commits into
Conversation
Signed-off-by: Nitin Goyal <nigoyal@redhat.com>
Signed-off-by: Nitin Goyal <nigoyal@redhat.com>
Signed-off-by: Nitin Goyal <nigoyal@redhat.com>
This variable will hold the desired cephx key generation value. Signed-off-by: Nitin Goyal <nigoyal@redhat.com>
Add a shared annotation key for CephClusters created with CephX support. Set the annotation only during CephCluster creation. Existing clusters are never annotated during reconciliation. Signed-off-by: Nitin Goyal <nigoyal@redhat.com>
Add CephX security settings to the generated CephCluster spec. Use the feature annotation to choose the compatible security spec. When the annotation exists, allow ciphers and set CSI and rbdMirrorPeer key to AES. When absent, allow ciphers and enable daemon key rotation with KeyGeneration. Signed-off-by: Nitin Goyal <nigoyal@redhat.com>
Mirror CephCluster CephX feature behavior onto managed CephClients. Annotate newly created clients with the CephX feature annotation. Set their CephX key type to AES when the annotation is present. Apply this to metrics exporter and StorageConsumer CSI clients. Signed-off-by: Nitin Goyal <nigoyal@redhat.com>
Add CephCluster reconciliation coverage for both CephX annotation paths. Verify new clusters receive the created-with-CephX feature annotation. Verify existing clusters never gets annotated. Signed-off-by: Nitin Goyal <nigoyal@redhat.com>
The test 'populated cache emits metrics' under TestCephFSSubvolumeCountCollectorCollect in 'cephfs_test.go' file was incorrectly checking metric values because it collected all gauge metrics with 'consumer_name' label without distinguishing between metric types. The 'pvMetadata' metrics (value=1) were overwriting the subvolumeCount values. Signed-off-by: Arun Kumar Mohan <amohan@redhat.com>
Signed-off-by: Arun Kumar Mohan <amohan@redhat.com>
9f04b28 to
206097c
Compare
| }, | ||
| }, | ||
| }, | ||
| {Name: "ceph-admin-secret", VolumeSource: corev1.VolumeSource{ |
There was a problem hiding this comment.
Can you pls correct the formatting?
206097c to
f7f3113
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: sp98 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
The OCS operator provides the keyring via ROOK_CEPH_SECRET env var instead of file mount. This PR mounts the keyring secret file and drops the env var. This is useful as now the toolbox script can detect the change in the keyring. Signed-off-by: Santosh <sapillai@redhat.com>
f7f3113 to
5092069
Compare
|
This PR is not rebased on top of #3910 which has all the Ocs operator changes for 4.22. |
|
@sp98: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
parth-gr
left a comment
There was a problem hiding this comment.
is there a possibility the ceph keyring can change?
The OCS operator provides the keyring via ROOK_CEPH_SECRET env var instead of file mount. This PR mounts the keyring secret and config overeide as files and drops the env var, so that toolbox can detect the change in the keyring.