Azure kms handling for noobaa #1311
Conversation
vh05
force-pushed
the
azure_kms
branch
2 times, most recently
from
ad83444 to
d948357
Compare
vh05
force-pushed
the
azure_kms
branch
2 times, most recently
from
da67397 to
2005ffb
Compare
| // | ||
|
|
||
| // Config returns this driver secret config | ||
| func (*AzureVault) Config(config map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error) { |
There was a problem hiding this comment.
missing v no?
| func (*AzureVault) Config(config map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error) { | |
| func (v *AzureVault) Config(config map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error) { |
There was a problem hiding this comment.
Actually *AzureVault is just used to bind it to method and not using it inside the function/method
There was a problem hiding this comment.
I see, I was confused with the key, value (k,v) in line 40
There was a problem hiding this comment.
but let's remove all the unneeded as well, like in Get/Set/DeleteContext
There was a problem hiding this comment.
These are the once we need to interface them with the driver type. Here: https://github.com/noobaa/noobaa-operator/blob/906a82032bfc8927145186984034c41577467c9d/pkg/util/kms/kms.go#L44C1-L53C2
Here are the functions calling Get/Set/Delete context.
noobaa-operator/pkg/util/kms/kms_version.go
Lines 40 to 74 in 906a820
There was a problem hiding this comment.
I was talking about GetContext and SetContext, but never mind as I see that also in the other implementations, we sometimes write with the variable name and sometimes without when we don't use the variable.
pkg/util/kms/kms_azure.go
Outdated
| c[k] = v | ||
| } | ||
|
|
||
| // create TLS files out of secrets |
There was a problem hiding this comment.
Give some info about what is needed by the secrets module. What is this cert file and why did we create it also about the other config variables
There was a problem hiding this comment.
We get below data as part of config map[string]string parameter. This details comes from connectiondetails section of noobaa CR (
noobaa-operator/pkg/util/kms/kms.go
Line 99 in 906a820
ex: configmap data:
data:
AZURE_CERT_SECRET_NAME: azure-ocs-ffwc9o1j
AZURE_CLIENT_ID: az-client-id1
AZURE_TENANT_ID: az-tenant-id1
AZURE_VAULT_URL: az-valut-url1
KMS_PROVIDER: azure-kv
KMS_SERVICE_NAME: kms-conn-azure1
Below are the connection details that are going to be populated on Noobaa CR by ex: configmap data: |
vh05
force-pushed
the
azure_kms
branch
8 times, most recently
from
067c6b1 to
114439b
Compare
There was a problem hiding this comment.
I have some comment, the main issue I have is with AZURE_CERT_SECRET_NAME
which I don't understand if it needs to be in a file and where this requirement is coming for, what I did find in the secrets was AZURE_CLIENT_SECRET which I'm not sure if that't what you meant, and it looks like a regular string.
pkg/util/kms/kms_azure.go
Outdated
| } | ||
|
|
||
| // create TLS files out of secrets | ||
| // replace in azure vaultConfig secret names with local temp files paths |
There was a problem hiding this comment.
from where do we know that we expect a file path and not just the string itself?
There was a problem hiding this comment.
That is what I found in the secrets: https://github.com/libopenstorage/secrets/blob/5f4b25ceede180e8d67577288bba4223af658eb1/azure/azure_kv.go#L64
Am I missing something?
There was a problem hiding this comment.
This explains what is not there in the existing libopenstorage/secrets implemenation and why the file path for secret certificate is needed in the comment: #1311 (comment)
pkg/util/kms/kms_azure.go
Outdated
| c[k] = v | ||
| } | ||
|
|
||
| // create TLS files out of secrets |
There was a problem hiding this comment.
Does it really has to do with TLS? otherwise, I think we would expect a both key and cert.
There was a problem hiding this comment.
In case of azure vault, as per our requirement we dont support secret as string. Only providing support for secret as certificate. Did I answer that ?
pkg/util/kms/kms_azure.go
Outdated
| // Config utils | ||
| // | ||
|
|
||
| // create temp files with TLS keys and certs |
There was a problem hiding this comment.
Not sure if it has to do with TLS, I would expect both key and cert in that case. maybe you just need to update the comment...
There was a problem hiding this comment.
Yes. will update the comment. Thats misleading.
There are 2 things.
Currently libopenstorage/secrets dont support secret as certificate. We have (Member from Rook team, Santosh, working for azure kms on rook side and owning this azure kms story) pushed a patch to libopenstorage/sectes support secret certificate and that can be found here: https://github.com/libopenstorage/secrets/pull/83/files#diff-91153976f4824b52d20fd598108e77d2a5d605f6b67dedec4f0ba53e70ca5e49R82-R93 With the certificate handling in place, we need to create a temp file and put the temp path in the map. This is used at libopenstrorage/secrets to create a service principle. The code for the same is here at: https://github.com/libopenstorage/secrets/pull/83/files#diff-feaeae3297b3a2250b55e5307f4f8ef82bf0c6032af4ffe0736c6814ec7855f5R33-R37 The path we store in the map is accessed at the libopenstorage/secrets at here: https://github.com/libopenstorage/secrets/pull/83/files#diff-91153976f4824b52d20fd598108e77d2a5d605f6b67dedec4f0ba53e70ca5e49R74 I have imported the hash for the same in this PR which here: https://github.com/noobaa/noobaa-operator/pull/1311/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R5-R8 |
I'm a bit worried about us relying on a PR that is not yet merged, and not even properly reviewed... |
Quick update to this. Rook is planning to have The cloned branch (submodule at rook: https://github.com/rook/secrets) is The PR is merged at the rook side. This temp arrangement is required since the PR is not yet reviewed by Changes at Noobaa side that facilitates the above explained approach: https://github.com/noobaa/noobaa-operator/pull/1311/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R5-R9 Your thoughts ? |
Agree that we don't have it reviewed by the maintainers yet. Pinged them a few weeks ago and pinged on slack, but no response yet. We have review comments from the our own team members that have been addressed. For rook, we created a fork and plan to use that fork. This is temporary until the PR is reviewed by the library maintainer and merged. Since the changes were made for |
vh05
force-pushed
the
azure_kms
branch
2 times, most recently
from
3ce1f33 to
a934974
Compare
This patch provides the support for azure keyvault. We are using "libopenstorage/secrets" as the wrapper package to integrate with different kms and package provides the abstraction over several kms. It also provides the integraton support for azure and helps communication with azure key vault. We are required to provide the definition for house keeping calls registered calls with libopenstorage/secrets. "libopenstorage/secrets" does the creation of client handle based on the details provided in configmap. The certificate details present in the secret are preserved inside a temp file and used to establish the connection with azure key vault as of now. Below are the connection details that are going to be populated on Noobaa CR by `noobaa_system_reconciler` at ocs side and this is the ocs code where connectiondetails on Noobaa CR are built: https://github.com/red-hat-storage/ocs-operator/blob/2d082fc4c1ac4cec961406053cece448f4b07684/controllers/storagecluster/noobaa_system_reconciler.go#L249 ex: configmap data: ``` data: AZURE_CERT_SECRET_NAME: azure-ocs-ffwc9o1j AZURE_CLIENT_ID: az-client-id1 AZURE_TENANT_ID: az-tenant-id1 AZURE_VAULT_URL: az-valut-url1 KMS_PROVIDER: azure-kv KMS_SERVICE_NAME: kms-conn-azure1 ``` Signed-off-by: Vinayakswami Hariharmath <[email protected]>
This patch provides the support for azure keyvault.
We are using
libopenstorage/secretsas the wrapper package to integrate with different kms and package provides the abstraction over several kms. It also provides the integraton support for azure and helps communication with azure key vault.We are required to provide the definition for house keeping calls registered calls with libopenstorage/secrets.
libopenstorage/secretsdoes the creation of client handle based on the details provided in config data. Noobaa CR will have these details underconnectionDetailsand these details are popupated on Noobaa CR by Noobaa ocs by reading the configmap provided by ODF. The certificate details present in the secret are copied into a temp file and used to establish the connection with azure key vault as of now.libopenstorage/secretssupports only secret as string as of now. Our requirement is to authenticate using certificate. To facililate this, we have PR to accomodate certificate related handling and the PR can be found here: https://github.com/libopenstorage/secrets/pull/83/filesBelow are the connection details that are going to be populated on Noobaa CR by
noobaa_system_reconcilerat ocs side and this is the ocs code where connectiondetails on Noobaa CR are built: https://github.com/red-hat-storage/ocs-operator/blob/2d082fc4c1ac4cec961406053cece448f4b07684/controllers/storagecluster/noobaa_system_reconciler.go#L249ex: configmap data:
AZURE_CERT_SECRET_NAME = Secret name from which we extract the certificate data and send it to libopenstorage/secrets to get the client handle for service principle to access the root master key