docs: add design for adding new arguments for TLS #173
Conversation
docs/design/podService.md
Outdated
|
|
||
| To address the above challenges, this proposal suggests creating a dedicated Kubernetes Service for each add-ons sidecar Pod. This Service will: | ||
|
|
||
| - Provide a consistent DNS name, eliminating the dependency on IP addresses. |
There was a problem hiding this comment.
Does this works when both deployment and daemonset runs on the host networking? You need to use service with nodePort and the accessibility will be with hostIP+port.
docs/design/podService.md
Outdated
| - Enable TLS certificates to be issued with a stable DNS name. | ||
| - Allow secure connectivity between the manager and the sidecar by abstracting away the networking specifics, especially when host networking is enabled. | ||
|
|
||
| The Service could be of type `ClusterIP`, as the primary objective is intra-cluster communication between the manager and sidecar. |
There was a problem hiding this comment.
If we are trying to stick to a single IP for accessing the pod, using clusterIP can be a problem for edge case where the service is deleted and recreated.
docs/design/podService.md
Outdated
|
|
||
| - The sidecar Pod will have an annotation, e.g., `csi.addons.service/name`, that stores the corresponding Service name. | ||
| - The CSI Addons Manager will parse this annotation and resolve the Service DNS name. | ||
| - The TLS certificate will then be generated using this DNS name, enabling secure and verifiable communication. |
There was a problem hiding this comment.
Who is going to generate it? Is it user or the csi operator?
docs/design/podService.md
Outdated
|
|
||
| ## Implementation Details | ||
|
|
||
| 1. **Service Creation**: Modify the ceph-csi-operator configuration to create a Service for each sidecar Pod, with the appropriate pod-selectors. |
There was a problem hiding this comment.
If the service need to be created before hand , this could be very tricky especially for Daemonset with taints and toleration. where the user can just go and a taint to a node to schedule a new csi plugin pod on the node.
docs/design/podService.md
Outdated
| #### Pod annotations | ||
|
|
||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: addon-sidecar | ||
| namespace: <namespace> | ||
| annotations: | ||
| csi.addons.service/name: addon-sidecar-service | ||
| spec: | ||
| containers: | ||
| - name: addon-sidecar | ||
| image: <sidecar-image> | ||
| ``` |
There was a problem hiding this comment.
Please add an example how this looks with deployment and daemonset.
Do we need a unique service per pod or could the pod selector route work as well? |
|
@Madhu-1 if these replicas of these Deployments need to be identified uniquely and connected could we perhaps use StatefulSets? |
As per kubernetes-csi community we are using deployment, we cannot switch to statefulset |
Anything works We need a way to connect to the sidecar container. |
|
@Madhu-1 @bipuladh This design needs to be discussed and drilled down in one of our upcoming ceph csi operator meeting before we commit to it |
@nb-ohad nothing is committed, the above was just a review, @bipuladh is planning to have a meeting to talk more about it. |
Signed-off-by: Bipul Adhikari <[email protected]>
bipuladh
changed the title
docs/design/podService.md
Outdated
|
|
||
| ### Operator changes | ||
|
|
||
| The Ceph CSI Operator is only responsible for taking in the information mounted to it and project those as volumes in the CSI Addons sidecar. The deployer of CSI Addons should create these certificates and mount it at `/etc/tls/tls.crt` and `/etc/tls/tls.key`. We keep this hardcoded to reduce the number of new arguments introduced. The logger should provide enough information if the user is not mounting this correctly for easy debugging. |
There was a problem hiding this comment.
@bipuladh I am not sure I understand
The deployer of CSI Addons should create these certificates
Can you please elaborate or rephrase?
There was a problem hiding this comment.
This is not possible. I have updated the doc to reflect that client operator would pass the certificate using a secret. The locator for the secret will be added in a new field that I propose in the latest commit.
| # Add support for TLS certificates for CSI Addons communication | ||
|
|
||
| The Kubernetes CSI Addons project currently connects the CSI Addons Manager to the add-on sidecar without TLS in place. | ||
| We propose a introduction of an arugment which enabled should mount the TLS certificates into the sidecar container. |
There was a problem hiding this comment.
Please provide a code snippet that describes the desired outcome of this new field within the API you would like to augment.
The code snippet should be descriptive enough so the following will be clear:
- The name of the new field
- The type of the new field
- The API is being introduced into
- The location (path) in the API where the new field will be added
- An explanation of what the field is describing
- And validation rules needed on the field (can be provided as standalone text or as a comment within the snippet)
Signed-off-by: Bipul Adhikari <[email protected]>
| certificateSecretname string | ||
| cretificateSecretNamespace string |
There was a problem hiding this comment.
This is just a Namespaced Name. But I would prefer to use a LocalObjectReference instead
| type TLSConfiguration struct { | ||
| certificateSecretname string | ||
| cretificateSecretNamespace string | ||
| enableTLS bool |
There was a problem hiding this comment.
Why do we need an enable flag? The existance of the section is a good enough indication that we should use TLD
| // Allow overwrite of hardcoded defaults for any driver managed by this operator | ||
| //+kubebuilder:validation:Optional | ||
| DriverSpecDefaults *DriverSpec `json:"driverSpecDefaults,omitempty"` | ||
| TLSConfiguration *TLSConfiguration // Conigure TLS certificates for CSI addons |
There was a problem hiding this comment.
I think this needs to have a Driver scope, not an operator scope. The decision to use or not use TLS should be determined on a driver basis
|
/hold |
Describe what this PR does
This PR adds a design doc, proposing the introduction of Services in front of pods that have addons sidecar container running in them.
Is there anything that requires special attention
Do you have any questions?
Is the change backward compatible?
Yes
Are there concerns around backward compatibility?
No
Provide any external context for the change, if any.
The addition of Service is required to allow secure communication between the add-ons manager and the sidecar. Related PR on the addons repo: csi-addons/kubernetes-csi-addons#692
Related issues
csi-addons/kubernetes-csi-addons#692
#172
Checklist:
guidelines in the developer
guide.
Request
notes
updated with breaking and/or notable changes for the next major release.