Make the pkcs11 config more generic #199
Conversation
vakwetu
force-pushed
the
simplify_luna_deploy
branch
from
d035b77 to
6f7cd13
Compare
vakwetu
force-pushed
the
simplify_luna_deploy
branch
2 times, most recently
from
4f21104 to
f3e693b
Compare
vakwetu
force-pushed
the
simplify_luna_deploy
branch
2 times, most recently
from
0e3b919 to
4cc913e
Compare
vakwetu
force-pushed
the
simplify_luna_deploy
branch
from
4cc913e to
03e16f4
Compare
vakwetu
changed the title
vakwetu
force-pushed
the
simplify_luna_deploy
branch
from
03e16f4 to
a1fe6b5
Compare
| ) | ||
|
|
||
| var ( | ||
| commonWatchFields = []string{ | ||
| workerWatchFields = []string{ |
There was a problem hiding this comment.
adding it here as you can not comment on not changed parts in the file. since this barbican controller renders the main config, it should also index/reconcile when the p11 secrets change. otherwise the config won't get updated. Needs that added in SetupWithManager
There was a problem hiding this comment.
This is a larger question that this, I think.
The config that is generated in the top-level controller is passed down to the sub-component controllers (BarbicanAPI, BarbicanWorker, BarbicanKeystoneListener) - and the reconciliation that takes placed based on those watches is done in those components.
This is similar to what is done in cinder: https://github.com/search?q=repo%3Aopenstack-k8s-operators%2Fcinder-operator%20commonWatchFields&type=code
So, if there is a change in any of the watched things, then there will be a reconciliation triggered in the sub-components.
If there is something that is lacking here, then we need a separate change to reconcile all of the common secrets in the top-level controller. (not just pk11 secrets).
I'm not sure what effect that will have - and whether we'll end up with cascading reconciliations.
The top-level controller only initiates some setup jobs (dbsync, p11-prep). Not sure if we want to rerun these jobs when the config changes.
If something needs to change here, then we should open a Jira for this and address it separately. (And we'd probably need to fix it in cinder too!)
There was a problem hiding this comment.
yes, lets follow up on this. here in barbican it is, right now, not an issue, since all controller render the global config, due to the link used for the templates directory. if the components would just consume the global config ,rendered by the main controller, and this one does not index/watch properly the input secret, the component controllers would reconcile, but not getting an updated rendered global config of the updated secret since the main controller did not reconcile. so something to keep in mind when removing the link as mentioned bellow, since there could be a situation where the user updated the config secret, but still using the old config since it has not rendered again.
|
|
||
| // BarbicanPKCS11Template - Includes common HSM properties | ||
| type BarbicanPKCS11Template struct { |
There was a problem hiding this comment.
Do we need BarbicanPKCS11Template as part of the of the component api at all [11]. it would probably be enough to have it just on the barbican as we fetch the global config from there. But since this was done from beginning with other global parameters, I am not sure if you want to do such a change at this point for P11, we can not change it for the params which are there since GA.
There was a problem hiding this comment.
I'm not entirely clear as to what you're proposing here, but yeah, I think we want to follow the pattern we've been using from the beginning.
There was a problem hiding this comment.
just wanted to mention that the component controllers right now have parameters in their api which they probably won't need, since its a global thing would only required to be rendered in the main controller, where the sub components consume the global config for the generated secret.
| if err != nil { | ||
| return err | ||
| } | ||
| customData[barbican.CustomConfigFileName] = string(barbicanSecret.Data[barbican.CustomConfigFileName]) |
There was a problem hiding this comment.
since we render and get the main config from the secret the barbican controller renders, I think we might want to consider to no longer use links for the component template directories? similar how it is done in cinder
$ ll templates/
barbican
barbicanapi -> barbican
barbicankeystonelistener -> barbican
barbicanworker -> barbican
Otherwise we'd still render the configs and have the global one + the local rendered? if we make dedicated directories for each one and just have the component specific config as part of its directory, we won't have to check for the global secrets and set templateParameters.
There was a problem hiding this comment.
agreed. We should do this. But I think we should do this as a separate change. That way we can focus on making sure that particular change doesn't break anything.
There was a problem hiding this comment.
Lets open a separate Jira for this.
| AlwaysSetCKASensitive bool `json:"alwaysSetCKASensitive"` | ||
| // +kubebuilder:validation:Required | ||
| // The OpenShift secret that stores the HSM client data. | ||
| // These will be mounted to /var/lib/config-data/hsm |
There was a problem hiding this comment.
Where does /var/lib/config-data/hsm come from?
There was a problem hiding this comment.
Per design discussion, we will mount the data in a standard location and use kolla to move the data to the location designated by ClientDataPath.
The path we currently use for kolla stuff is /var/lib/config-data/default. This is just a branch close to this.
The reason for this is that if we mount the secret to ClientDataPath directly, then we end up overwriting whatever is already there. So, if we wanted to use /usr/local/luna is the client path, we'd end up deleting everything in that directory and only having the secrets there.
| } | ||
|
|
||
| // check for PKCS11 secret holding the PKCS11 Crypto Login | ||
| if slices.Contains(instance.Spec.EnabledSecretStores, barbicanv1beta1.SecretStorePKCS11) && instance.Spec.PKCS11 != nil { |
There was a problem hiding this comment.
Should we test here for len(instance.Spec.EnabledSecretStores) == 0 as above?
There was a problem hiding this comment.
I don't think so. If instance.Spec.EnabledSecretStores is [], then the first term here will fail without throwing any error - as we'd expect.
The length check above is so that we default to simple_crypto in case EnabledSecretStores is undefined.
vakwetu
force-pushed
the
simplify_luna_deploy
branch
2 times, most recently
from
6c8fc91 to
c16a257
Compare
Modify the PKCS11 support to make it more generic and hopefully make it easier to then support different HSM configurations. Updated the PKCS11 functional tests. Fix tls-e kuttl tests
vakwetu
force-pushed
the
simplify_luna_deploy
branch
from
c16a257 to
772d803
Compare
|
Just merged all the changes into a single commit to trigger new kuttl test run now that openshift/release#60903 has merged. |
|
/override ci/prow/precommit-check |
|
@stuggi: Overrode contexts on behalf of stuggi: ci/prow/precommit-check In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: stuggi, vakwetu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-bot
bot
merged commit cf83ce8
into
openstack-k8s-operators:main
Made the pkcs11 more generic so that hopefully we will be able to support many HSMs and configurations without
too many changes.
Jira: https://issues.redhat.com/browse/OSPRH-12972