From f988bab4e2e7d7873821e91e51c4d3ea4f174575 Mon Sep 17 00:00:00 2001
From: alexemc <32580729+alexemc@users.noreply.github.com>
Date: Tue, 22 Nov 2022 08:35:44 -0500
Subject: [PATCH] csm-encryption pre-release updates. (#399)
---
content/docs/references/cli/_index.md | 2 +-
content/docs/secure/encryption/_index.md | 2 +-
content/docs/secure/encryption/deployment.md | 25 ++---
content/docs/secure/encryption/rekey.md | 103 ++++++++----------
content/docs/secure/encryption/release.md | 6 +-
.../docs/secure/encryption/uninstallation.md | 6 +-
6 files changed, 65 insertions(+), 79 deletions(-)
diff --git a/content/docs/references/cli/_index.md b/content/docs/references/cli/_index.md
index 6c110193d7..79121293f1 100644
--- a/content/docs/references/cli/_index.md
+++ b/content/docs/references/cli/_index.md
@@ -29,7 +29,7 @@ This document outlines all dellctl commands, their intended use, options that ca
| [dellctl schedule delete](#dellctl-schedule-delete) | Delete schedules |
| [dellctl schedule get](#dellctl-schedule-get) | Get schedules |
| [dellctl encryption rekey](#dellctl-encryption-rekey) | Rekey an encrypted volume |
-| [dellctl encryption rekey-status](#dellctl-encryption-rekey-status) | Get status of a encryption rekey operation |
+| [dellctl encryption rekey-status](#dellctl-encryption-rekey-status) | Get status of an encryption rekey operation |
## Installation instructions
diff --git a/content/docs/secure/encryption/_index.md b/content/docs/secure/encryption/_index.md
index 83ca0d9c7c..954a4f578e 100644
--- a/content/docs/secure/encryption/_index.md
+++ b/content/docs/secure/encryption/_index.md
@@ -69,7 +69,7 @@ the CSI driver must be restarted to pick up the change.
| COP/OS | Supported Versions |
|-|-|
| Kubernetes | 1.22, 1.23, 1.24, 1.25 |
-| Red Hat OpenShift | 4.11 |
+| Red Hat OpenShift | 4.10, 4.11 |
| RHEL | 7.9, 8.4 |
| Ubuntu | 18.04, 20.04 |
| SLES | 15SP2 |
diff --git a/content/docs/secure/encryption/deployment.md b/content/docs/secure/encryption/deployment.md
index e2993a4e06..294941f48b 100644
--- a/content/docs/secure/encryption/deployment.md
+++ b/content/docs/secure/encryption/deployment.md
@@ -18,9 +18,8 @@ from the Kubernetes cluster where the CSI driver is to be deployed.
## Rekey Controller
-The CSM Encryption Rekey CRD Controller is an optional component that, if installed, allows encrypted volumes rekeying in a
-Kubernetes cluster. The Rekey Controller can be installed via the standard Dell Helm Chart repository available at https://github.com/dell/helm-charts.
-For complete details, please see the [installation instructions](../rekey).
+The Encryption Rekey CRD Controller is an optional component that, if installed, allows encrypted volumes rekeying in a
+Kubernetes cluster. Please refer to [Rekey Configuration](../rekey) for the Rekey Controller installation details.
## Helm Chart Values
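Review bot: The added paragraph names the component "The Encryption Rekey CRD Controller", while the unchanged opening line of rekey.md later in this patch still says "The CSM Encryption Rekey CRD Controller"; pick one name and use it in both files. In the same sentence, "allows encrypted volumes rekeying" would read better as "allows rekeying of encrypted volumes".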
@@ -35,10 +34,7 @@ encryption:
pluginName: "sec-isilon.dellemc.com"
# image: Encryption driver image name.
- image: "dellemc/csm-encryption:v0.1.0"
-
- # imagePullPolicy: If specified, overrides the chart global imagePullPolicy.
- imagePullPolicy:
+ image: "dellemc/csm-encryption:v0.2.0"
# logLevel: Log level of the encryption driver.
# Allowed values: "error", "warning", "info", "debug", "trace".
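Review bot: Removing the `imagePullPolicy` key under `encryption:` drops the per-driver override without saying which pull policy the encryption driver uses now (presumably the chart global one, going by the removed comment); state that here, and mention the removal in the release notes changed by this patch for users whose values files still set it. Also confirm the version pairing is intended: the driver image moves to v0.2.0 here while the rekey controller image in rekey.md stays at v0.1.0.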
@@ -73,15 +69,14 @@ encryption:
| Parameter | Description| Required | Default |
| --------- |------------|----------| ------- |
-| enabled | Enable/disable volume encryption feature.| No | false |
-| pluginName | The name of the provisioner to use for encrypted volumes.| No | "sec-isilon.dellemc.com" |
-| image | Encryption driver image name. | No | "dellemc/csm-encryption:v0.1.0" |
-| imagePullPolicy | If specified, overrides the chart global imagePullPolicy.| No | CSI driver global imagePullPolicy |
-| logLevel | Log level of the encryption driver.
Allowed values: "error", "warning", "info", "debug, `"trace". | No | "error" |
-| apiPort | TCP Port number used by the REST API Server.| No | 3838 |
-| livenessPort | HTTP liveness probe port number. Leave empty to disable the liveness probe.| No | |
+| enabled | Enable/disable volume encryption feature. | No | false |
+| pluginName | The name of the provisioner to use for encrypted volumes. | No | "sec-isilon.dellemc.com" |
+| image | Encryption driver image name. | No | "dellemc/csm-encryption:v0.2.0" |
+| logLevel | Log level of the encryption driver.
Allowed values: "error", "warning", "info", "debug", "trace". | No | "error" |
+| apiPort | TCP Port number used by the REST API Server. | No | 3838 |
+| livenessPort | HTTP liveness probe port number. Leave empty to disable the liveness probe. | No | |
| ocp | Enable when running an OCP Platform with CoreOS worker nodes. | No | false |
-| ocpCoreID| User ID and group ID of user core on CoreOS worker nodes. Ignored when ocp is set to false.| No | "1000:1000" |
+| ocpCoreID | User ID and group ID of user core on CoreOS worker nodes. Ignored when ocp is set to false. | No | "1000:1000" |
| extraArgs | Extra command line parameters to pass to the encryption driver.
Allowed values:
"\-\-sharedStorage" - may be required by some applications to work properly.
When set, performance is reduced and hard links cannot be created.
See the [gocryptfs documentation](https://github.com/rfjakob/gocryptfs/blob/v2.2.1/Documentation/MANPAGE.md#-sharedstorage) for more details. | No | [] |
## Secrets and Config Maps
diff --git a/content/docs/secure/encryption/rekey.md b/content/docs/secure/encryption/rekey.md
index 5738bd6bdf..a943bc5c78 100644
--- a/content/docs/secure/encryption/rekey.md
+++ b/content/docs/secure/encryption/rekey.md
@@ -9,23 +9,25 @@ Description: >
## Rekey Controller Installation
The CSM Encryption Rekey CRD Controller is an optional component that, if installed, allows encrypted volumes rekeying in a
-Kubernetes cluster. The Rekey Controller can be installed via the standard Dell Helm Chart repository available
-at https://github.com/dell/helm-charts.
+Kubernetes cluster. The Rekey Controller can be installed via the Dell Helm charts [repository](https://github.com/dell/helm-charts).
-Dell Helm charts can also be added with the command `helm repo add dell https://dell.github.io/helm-charts`.
+Dell Helm charts can be added with the command `helm repo add dell https://dell.github.io/helm-charts`.
-A secret of the cluster config must be created with the name ``cluster-kube-config`` typically from the .kube/config. Here is an example:
+### Kubeconfig Secret
+
+A secret with kubeconfig must be created with the name `cluster-kube-config`. Here is an example:
```shell
- kubectl create secret generic cluster-kube-config --from-file=/home/root/.kube/config
+ kubectl create secret generic cluster-kube-config --from-file=config=/root/.kube/config
```
-The Rekey Controller Helm chart defines these values:
+### Helm Chart Values
+The Rekey Controller Helm chart defines these values:
```yaml
# Rekey controller image name.
-image: dellemc/csm-encryption-rekey-controller:v0.1.0
+image: "dellemc/csm-encryption-rekey-controller:v0.1.0"
# Rekey controller image pull policy.
# Allowed values:
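Review bot: The example on the `kubectl create secret generic cluster-kube-config` line reads `/root/.kube/config`, which is normally the administrator's kubeconfig, so a reader who follows it verbatim stores admin credentials in a Secret. Suggest the new "Kubeconfig Secret" section say what access the Rekey Controller needs and recommend a kubeconfig for a dedicated, narrowly scoped account. The command has no `-n`, so the section should also state which namespace the secret must be created in. Pinning the key name with `config=` is a good change.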
@@ -48,34 +50,35 @@ port:
```
| Parameter | Description | Required | Default |
-| --------- |-------------|----------|--|
-| image | Rekey controller image name. | No | dellemc/csm-encryption-rekey-controller:v0.1.0 |
-| imagePullPolicy | Rekey controller image pull policy. | No | IfNotPresent |
-| logLevel | Log level of the rekey controller. | No | info |
+| --------- | ----------- | -------- | ------- |
+| image | Rekey controller image name. | No | "dellemc/csm-encryption-rekey-controller:v0.1.0" |
+| imagePullPolicy | Rekey controller image pull policy. | No | "IfNotPresent" |
+| logLevel | Log level of the rekey controller. | No | "info" |
| provisioner | This value is required and must match `encryption.pluginName` value of the corresponding Dell CSI driver. | Yes | |
| port | This value is required and must match `encryption.apiPort` value of the corresponding Dell CSI driver. | Yes | |
-## Deploy Rekey Controller
+### Deployment
-Copy the values.yaml to a local file. Once the CSM Encryption Rekey Controller local values.yaml file has been
-adjusted for the current cluster, deploy the controller by installing the Helm chart. As an example:
+Copy the chart's values.yaml to a local file and adjust the values in the local file for the current cluster.
+Deploy the controller using a command similar to this:
-``` helm install --values local-values.yaml rekey-controller dell/csm-encryption-rekey-controller```
+```shell
+helm install --values local-values.yaml rekey-controller dell/csm-encryption-rekey-controller
+```
A rekey-controller pod should now be up and running.
+## Rekey Usage
-## Rekey Controller Usage
-
-The general procedure for rekeying is to create a rekey custom resource via a simple yaml configuration. This
-will kick off a rekey process on the PV specified as the `volume`in the resource.
+Rekeying is initiated and monitored via Kubernetes custom resources of type `rekeys.encryption.storage.dell.com`.
+This can be done directly [using kubectl](#rekey-with-kubectl) or in a more user-friendly way [using dellctl](#rekey-with-dellctl).
+Creation of a rekey resource for a PV will kick off a rekey process on this PV. The rekey resource will contain the result
+of the operation. Refer to [Rekey Status](#rekey-status) for possible status values.
### Rekey with dellctl
-If dellctl CLI is installed, rekey'ing a volume is simple. First, identify a volume with a PV that is encrypted with the CSM Encryption driver
-provisioner.
-
-For example, let's rekey an encrypted PV with the name ``k8s-112a5d41bc``, and call our rekey object `myrekey`:
+If `dellctl` CLI is installed, rekeying an encrypted volume is simple.
+For example, to rekey a PV with the name `k8s-112a5d41bc` use a command like this:
```shell
$ dellctl encryption rekey myrekey k8s-112a5d41bc
@@ -83,62 +86,50 @@ INFO rekey request "myrekey" submitted successfully for persistent volume "k8s-1
INFO Run 'dellctl encryption rekey-status myrekey' for more details.
```
-Then to check the status of the newly created rekey with the name `myrekey`:
+Then to check the status of the newly created rekey with the name `myrekey` use this command:
```shell
$ dellctl encryption rekey-status myrekey
INFO Status of rekey request myrekey = completed
```
-See [below](../rekey#status-of-the-rekey) for possible Status values and explanations.
-
-### Rekey with manually created Rekey CRs
+### Rekey with kubectl
-Identify a volume with a PV that is encrypted with the CSM Encryption driver provisioner.
+Create a cluster-scoped rekey resource to rekey an encrypted volume.
+For example, to rekey a PV with the name `k8s-09a76734f` use a command like this:
-Now create a Rekey Custom Resource to start the rekey of a volume. For example, there is a PV with a name
-`k8s-09a76734f`. An associated example Rekey CR for this volume:
-```yaml
+```shell
+kubectl create -f - <
### New Features/Changes
- [Technical preview release](https://github.com/dell/csm/issues/437)
-- PowerScale CSI volumes encryption (for new volumes)
-- Encryption keys stored in Hashicorp Vault
- Shallow Rekey with Rekey CRDs.
+- OpenShift Container Platform support (4.10 and 4.11).
+- Kubernetes 1.25 support.
### Fixed Issues
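Review bot: The rewritten "Rekey Usage" and "Rekey with kubectl" text in rekey.md says that creating a cluster-scoped `rekeys.encryption.storage.dell.com` resource kicks off a rekey on the PV, but never says who is allowed to do that; add a sentence on the RBAC permissions needed to create and read these resources. In "Rekey with dellctl", the new lead-in no longer introduces `myrekey` as the name of the rekey object, so the first argument of `dellctl encryption rekey myrekey k8s-112a5d41bc` goes unexplained until the status step. The `#rekey-status` link replaces `#status-of-the-rekey`; check that the target heading was renamed to match.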
@@ -19,4 +19,4 @@ There are no fixed issues in this release.
### Known Issues
-There are no known issues in this release.
\ No newline at end of file
+There are no known issues in this release.
diff --git a/content/docs/secure/encryption/uninstallation.md b/content/docs/secure/encryption/uninstallation.md
index 7a9f31353b..008caec40d 100644
--- a/content/docs/secure/encryption/uninstallation.md
+++ b/content/docs/secure/encryption/uninstallation.md
@@ -32,12 +32,12 @@ It can be removed with `sed -i '/^ssh-rsa .* driver-sec$/d' /root/.ssh/authorize
## Remove Kubernetes Resources
-Remove [the resources that were created in Kubernetes cluster for Encryption](../deployment#secrets-and-config-maps).
+Remove [the resources](../deployment#secrets-and-config-maps) created in Kubernetes cluster for Encryption.
## Remove Vault Server Configuration
-Remove [the configuration created in the Vault server for Encryption](../vault#minimum-server-configuration).
+Remove [the configuration](../vault#minimum-server-configuration) created in the Vault server for Encryption.
## Remove Rekey Controller
-Remove [the configuration created in the Rekey Controller for Encryption](../#rekey-controller-installation).
+Remove [the resources](../rekey#rekey-controller-installation) created during the installation of the Rekey Controller.
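Review bot: The "Remove Rekey Controller" step only links back to the installation section, so the reader has to infer what to delete; list the items explicitly. The `cluster-kube-config` secret created during installation holds kubeconfig credentials and should not outlive the controller, and the Helm release named `rekey-controller` in the rekey.md install example is the other resource worth naming.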