Encryption support (#42)

api/v1/duros_types.go

@@ -88,6 +88,7 @@ type StorageClass struct {
 	ReplicaCount int    `json:"replicas"`
 	Compression  bool   `json:"compression"`
 	Default      bool   `json:"default" description:"if set to true this storageclass is configured as default"`
+	Encryption   bool   `json:"encryption,omitempty"`
 }
 
 func init() {

config/crd/bases/storage.metal-stack.io_duros.yaml

@@ -56,6 +56,8 @@ spec:
                       type: boolean
                     default:
                       type: boolean
+                    encryption:
+                      type: boolean
                     name:
                       type: string
                     replicas:

controllers/images.go

@@ -1,14 +1,14 @@
 package controllers
 
 const (
-	lbCSIPluginImage             = "docker.lightbitslabs.com/lightos-csi/lb-csi-plugin:1.9.0"
-	lbDiscoveryClientImage       = "docker.lightbitslabs.com/lightos-csi/lb-nvme-discovery-client:1.9.0"
+	lbCSIPluginImage             = "docker.lightbitslabs.com/lightos-csi/lb-csi-plugin:1.9.1"
+	lbDiscoveryClientImage       = "docker.lightbitslabs.com/lightos-csi/lb-nvme-discovery-client:1.9.1"
 	csiProvisionerImage          = "k8s.gcr.io/sig-storage/csi-provisioner:v2.2.2"
 	csiAttacherImage             = "k8s.gcr.io/sig-storage/csi-attacher:v3.5.0"
 	csiResizerImage              = "k8s.gcr.io/sig-storage/csi-resizer:v1.5.0"
 	csiNodeDriverRegistrarImage  = "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.5.1"
 	snapshotControllerImageBeta1 = "k8s.gcr.io/sig-storage/snapshot-controller:v4.1.0"
 	csiSnapshotterImageBeta1     = "k8s.gcr.io/sig-storage/csi-snapshotter:v4.1.0"
-	snapshotControllerImage      = "k8s.gcr.io/sig-storage/snapshot-controller:v6.0.1" // for k8s >= 1.20
-	csiSnapshotterImage          = "k8s.gcr.io/sig-storage/csi-snapshotter:v6.0.1"     // for k8s >= 1.20
+	snapshotControllerImage      = "registry.k8s.io/sig-storage/snapshot-controller:v6.1.0" // for k8s >= 1.20
+	csiSnapshotterImage          = "registry.k8s.io/sig-storage/csi-snapshotter:v6.1.0"     // for k8s >= 1.20
 )

controllers/resources.go

@@ -474,16 +474,14 @@ var (
 	// ResourceLimits
 	cpu100m, _            = resource.ParseQuantity("100m")
 	memory100m, _         = resource.ParseQuantity("100M")
-	cpu200m, _            = resource.ParseQuantity("200m")
-	memory200m, _         = resource.ParseQuantity("200M")
+	memory4Gi, _          = resource.ParseQuantity("4Gi")
 	defaultResourceLimits = corev1.ResourceRequirements{
 		Requests: corev1.ResourceList{
 			"cpu":    cpu100m,
 			"memory": memory100m,
 		},
 		Limits: corev1.ResourceList{
-			"cpu":    cpu200m,
-			"memory": memory200m,
+			"memory": memory4Gi,
 		},
 	}
 
@@ -879,7 +877,7 @@ func (r *DurosReconciler) deployCSI(ctx context.Context, projectID string, scs [
 		}
 		log.Info("csidriver", "name", csiDriver.Name, "operation", op)
 		snapshotsSupported = true
-		if r.shootK8sVersionGreater120() {
+		if r.shootK8sVersionGreaterOrEqual120() {
 			snapshotControllerContainer.Image = snapshotControllerImage
 			csiSnapshotterContainer.Image = csiSnapshotterImage
 		} else {
@@ -1014,7 +1012,10 @@ func (r *DurosReconciler) deployCSI(ctx context.Context, projectID string, scs [
 
 	for i := range scs {
 		sc := scs[i]
-
+		if sc.Encryption && !r.shootK8sVersionGreaterOrEqual120() {
+			log.Info("storageclass has encryption enabled but the k8s version is lower than 1.20, ignoring this storageclass", "name", sc.Name)
+			continue
+		}
 		annotations := map[string]string{
 			"storageclass.kubernetes.io/is-default-class": strconv.FormatBool(sc.Default),
 			metaltag.ClusterDescription:                   "DO NOT EDIT - This resource is managed by duros-controller. Any modifications are discarded and the resource is returned to the original state.",
@@ -1046,18 +1047,18 @@ func (r *DurosReconciler) deployCSI(ctx context.Context, projectID string, scs [
 			if sc.Compression {
 				obj.Parameters["compression"] = "enabled"
 			}
-			// if sc.Encryption {
-			// 	secretName := "storage-encryption-key"
-			// 	//nolint:gosec
-			// 	secretNamespace := "${pvc.namespace}"
-			// 	obj.Parameters["encryption"] = "enabled"
-			// 	obj.Parameters["csi.storage.k8s.io/controller-expand-secret-name"] = secretName
-			// 	obj.Parameters["csi.storage.k8s.io/controller-expand-secret-namespace"] = secretNamespace
-			// 	obj.Parameters["csi.storage.k8s.io/node-publish-secret-name"] = secretName
-			// 	obj.Parameters["csi.storage.k8s.io/node-publish-secret-namespace"] = secretNamespace
-			// 	obj.Parameters["csi.storage.k8s.io/node-stage-secret-name"] = secretName
-			// 	obj.Parameters["csi.storage.k8s.io/node-stage-secret-namespace"] = secretNamespace
-			// }
+
+			if sc.Encryption {
+				secretName := "storage-encryption-key"
+				//nolint:gosec
+				secretNamespace := "${pvc.namespace}"
+				obj.Parameters["compression"] = "disabled"
+				obj.Parameters["host-encryption"] = "enabled"
+				obj.Parameters["csi.storage.k8s.io/node-publish-secret-name"] = secretName
+				obj.Parameters["csi.storage.k8s.io/node-publish-secret-namespace"] = secretNamespace
+				obj.Parameters["csi.storage.k8s.io/node-stage-secret-name"] = secretName
+				obj.Parameters["csi.storage.k8s.io/node-stage-secret-namespace"] = secretNamespace
+			}
 			return nil
 		})
 		if err != nil {
@@ -1071,8 +1072,7 @@ func (r *DurosReconciler) deployCSI(ctx context.Context, projectID string, scs [
 			}
 			return err
 		}
-
-		if r.shootK8sVersionGreater120() {
+		if r.shootK8sVersionGreaterOrEqual120() {
 			annotations := map[string]string{
 				"snapshot.storage.kubernetes.io/is-default-class": "true",
 				metaltag.ClusterDescription:                       "DO NOT EDIT - This resource is managed by duros-controller. Any modifications are discarded and the resource is returned to the original state.",
@@ -1104,7 +1104,7 @@ func (r *DurosReconciler) deployCSI(ctx context.Context, projectID string, scs [
 	return nil
 }
 
-func (r *DurosReconciler) shootK8sVersionGreater120() bool {
+func (r *DurosReconciler) shootK8sVersionGreaterOrEqual120() bool {
 	v, err := r.DiscoveryClient.ServerVersion()
 	if err != nil {
 		return false

go.mod

@@ -1,24 +1,24 @@
 module github.com/metal-stack/duros-controller
 
-go 1.18
+go 1.19
 
 require (
 	github.com/Masterminds/semver/v3 v3.1.1
 	github.com/go-logr/logr v1.2.3
 	github.com/go-logr/zapr v1.2.3
 	github.com/golang-jwt/jwt/v4 v4.4.2
-	github.com/kubernetes-csi/external-snapshotter/client/v6 v6.0.1
+	github.com/kubernetes-csi/external-snapshotter/client/v6 v6.1.0
 	github.com/metal-stack/duros-go v0.4.0
 	github.com/metal-stack/metal-lib v0.11.2
 	github.com/metal-stack/v v1.0.3
 	github.com/onsi/ginkgo v1.16.5
-	github.com/onsi/gomega v1.20.2
+	github.com/onsi/gomega v1.22.1
 	go.uber.org/zap v1.23.0
-	google.golang.org/grpc v1.49.0
-	k8s.io/api v0.25.0
-	k8s.io/apimachinery v0.25.0
-	k8s.io/client-go v0.25.0
-	k8s.io/utils v0.0.0-20220823124924-e9cbc92d1a73
+	google.golang.org/grpc v1.50.0
+	k8s.io/api v0.25.2
+	k8s.io/apimachinery v0.25.2
+	k8s.io/client-go v0.25.2
+	k8s.io/utils v0.0.0-20221011040102-427025108f67
 	sigs.k8s.io/controller-runtime v0.13.0
 )
 
@@ -27,7 +27,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
@@ -46,7 +46,7 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
@@ -59,15 +59,15 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
-	golang.org/x/net v0.0.0-20220921203646-d300de134e69 // indirect
-	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect
-	golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8 // indirect
+	golang.org/x/net v0.0.0-20221004154528-8021a29435af // indirect
+	golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1 // indirect
+	golang.org/x/sys v0.0.0-20221010170243-090e33056c14 // indirect
 	golang.org/x/term v0.0.0-20220919170432-7a66f970e087 // indirect
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20220920022843-2ce7c2934d45 // indirect
+	golang.org/x/text v0.3.8 // indirect
+	golang.org/x/time v0.0.0-20220922220347-f3bd1da661af // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220921223823-23cae91e6737 // indirect
+	google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
@@ -76,7 +76,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.25.0 // indirect
 	k8s.io/component-base v0.25.0 // indirect
 	k8s.io/klog/v2 v2.80.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
+	k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea // indirect
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect