merge queue: embarking devel (4eb84a0) and #5913 together #6060
Closed
mergify[bot] wants to merge 9 commits into
Conversation
Implement SecurityKeyNVMEOFManager to manage NVMe-oF DH-CHAP authentication keys using pluggable KMS backends (Vault, metadata KMS, etc.). In the future it will also be used for tls/psk keys.

- Encrypts/decrypts keys using KMS
- Supports both integrated KMS (Vault) and external DEKStore (RBD metadata)
- Provides StoreKey/GetKey/RemoveKey for key lifecycle management

Defaults to "metadata" KMS for **testing**, which stores encrypted keys in RBD image metadata via external DEKStore.

Signed-off-by: gadi-didi <gadi.didi@ibm.com>
Add DH-CHAP authentication key operations for NVMe-oF connections:

- generateDHCHAPKey(): Creates NVMe spec-compliant keys in DHHC-1:hash:base64:crc32 format (supports SHA-256/384/512)
- GetOrCreateDHCHAPHostKey/SubsystemKey(): Manages per-connection keys
- buildDHCHAPKeyID(): Generates unique key IDs using nodeID and hashed subsystemNQN (e.g., nvmeof-dhchap-host-node1-abc123)

Keys are stored/retrieved via SecurityKeyNVMEOFManager using KMS encryption. Each node-subsystem pair gets a unique authentication key.

Signed-off-by: gadi-didi <gadi.didi@ibm.com>
- Get the dhchap mode (it can be "none", "unidirectional", "bidirectional", or empty) and store it in volumeContext (for ControllerPublishVolume()).
- Get the authenticationKMSID var (it can also be empty) and store it in volumeContext.

Signed-off-by: gadi-didi <gadi.didi@ibm.com>
Adding these vars because they are going to be used in removing DH-CHAP keys in ControllerUnpublishVolume().

Signed-off-by: gadi-didi <gadi.didi@ibm.com>
Implement kms.DEKStore using RBD image metadata for testing/development. Stores encrypted DH-CHAP keys as metadata entries in the backing RBD image.

- Keys stored with prefix "nvmeof.csi.ceph.com/" to distinguish from volume encryption and NVMe-oF resource metadata
- Used with "metadata" KMS type (secrets-metadata) for POC/testing
- Production deployments should use Vault KMS with integrated storage

Signed-off-by: gadi-didi <gadi.didi@ibm.com>
Add an instance of SecurityKeyNVMEOFManager to the controller server struct. Also add getOrInitSecurityKeys(), lazy init for the SecurityKeyNVMEOFManager struct. This field is the manager of security things like dh-chap, psk/tls.

Signed-off-by: gadi-didi <gadi.didi@ibm.com>
Implement DH-CHAP authentication for NVMe-oF host connections with pluggable KMS backend support for secure key management.

Changes:
- setupDHCHAPKeys(): Initialize KMS, retrieve/generate host authentication keys, and configure DEKStore (RBD metadata for testing, Vault for prod)
- cleanupDHCHAPKeys(): Remove DH-CHAP keys during ControllerUnpublishVolume
- Update AddHost() to accept optional DH-CHAP host key parameter
- Add dhchapMode volume context parameter (none/unidirectional/bidirectional)

Authentication flow:
1. Parse dhchapMode from volume context (defaults to "metadata" KMS)
2. Initialize SecurityKeyNVMEOFManager with KMS credentials
3. For metadata KMS: Set RBD volume as DEKStore (test mode only)
4. GetOrCreateDHCHAPHostKey() retrieves existing or generates new key
5. Pass encrypted key to gateway AddHost() call

Keys are stored per node-subsystem pair, encrypted with KMS (KEK from K8s Secret), and persist across volume operations. Production deployments should use Vault KMS with integrated DEK storage.

Signed-off-by: gadi-didi <gadi.didi@ibm.com>
Implement DH-CHAP authentication for NVMe-oF initiator connections with support for both unidirectional and bidirectional modes.

Changes:
- setupDHCHAPAuth(): Retrieve host/subsystem keys from KMS and configure ConnectRequest with authentication parameters
- Pass dhchapMode from volume context through connection flow
- Add --dhchap-secret and --dhchap-ctrl-secret to nvme connect command
- Support RBD metadata DEKStore (testing) and Vault KMS (production)

Authentication flow:
1. NodeStageVolume receives dhchapMode from volume context
2. Initialize SecurityKeyNVMEOFManager with same KMS as controller
3. Retrieve existing DH-CHAP keys (generated during ControllerPublishVolume)
4. For unidirectional: Add host key to nvme connect
5. For bidirectional: Add both host and subsystem keys

Signed-off-by: gadi-didi <gadi.didi@ibm.com>
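Added example, not code from this PR or from ceph-csi: a Go encoder and validator for the DHHC-1 secret format that the generateDHCHAPKey() commit above describes (hash identifier, then base64 of the key followed by its CRC-32), so that a key read back from a KMS or DEKStore can be checked for corruption before it reaches nvme connect. The identifier mapping 01/02/03 for SHA-256/384/512 and the little-endian CRC-32 trailer follow the NVMe DH-HMAC-CHAP secret layout as nvme-cli uses it; that mapping and the function names are my assumptions, and generating a fresh key is just filling a byte slice of the required length from crypto/rand before calling EncodeDHCHAPKey.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"strings"
)

// hmacID maps the SHA size to the HMAC identifier carried in the "DHHC-1:<id>:" prefix.
var hmacID = map[int]string{256: "01", 384: "02", 512: "03"}

// EncodeDHCHAPKey wraps raw key bytes as "DHHC-1:<id>:<base64(key||crc32)>:" for the given SHA size.
func EncodeDHCHAPKey(key []byte, hashBits int) (string, error) {
	id, ok := hmacID[hashBits]
	if !ok || len(key) != hashBits/8 {
		return "", fmt.Errorf("key must be %d bytes for SHA-%d", hashBits/8, hashBits)
	}
	buf := make([]byte, len(key)+4) // key followed by its CRC-32 (IEEE), little-endian
	copy(buf, key)
	binary.LittleEndian.PutUint32(buf[len(key):], crc32.ChecksumIEEE(key))
	return "DHHC-1:" + id + ":" + base64.StdEncoding.EncodeToString(buf) + ":", nil
}

// ParseDHCHAPKey checks prefix, base64, CRC-32 and key length; it returns the key bytes and SHA size.
func ParseDHCHAPKey(s string) ([]byte, int, error) {
	parts := strings.Split(s, ":")
	if len(parts) != 4 || parts[0] != "DHHC-1" || parts[3] != "" {
		return nil, 0, fmt.Errorf("not a DHHC-1 secret")
	}
	raw, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil || len(raw) < 4 {
		return nil, 0, fmt.Errorf("invalid base64 payload")
	}
	key, sum := raw[:len(raw)-4], binary.LittleEndian.Uint32(raw[len(raw)-4:])
	if sum != crc32.ChecksumIEEE(key) {
		return nil, 0, fmt.Errorf("CRC-32 mismatch: secret is corrupted or truncated")
	}
	for bits, id := range hmacID {
		if id == parts[1] && len(key) == bits/8 {
			return key, bits, nil
		}
	}
	return nil, 0, fmt.Errorf("hash id %q does not match key length %d", parts[1], len(key))
}

func main() { // constructed 32-byte sample key, not a real secret
	fmt.Println(EncodeDHCHAPKey([]byte("0123456789abcdef0123456789abcdef"), 256))
}
```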
Collaborator: /test ci/centos/k8s-e2e-external-storage/1.35
Collaborator: /test ci/centos/mini-e2e-helm/k8s-1.35
Collaborator: /test ci/centos/upgrade-tests-cephfs
Collaborator: /test ci/centos/k8s-e2e-external-storage/1.33
Collaborator: /test ci/centos/mini-e2e/k8s-1.35
Collaborator: /test ci/centos/upgrade-tests-rbd
Collaborator: /test ci/centos/k8s-e2e-external-storage/1.34
Collaborator: /test ci/centos/mini-e2e-helm/k8s-1.33
Collaborator: /test ci/centos/mini-e2e/k8s-1.33
Collaborator: /test ci/centos/mini-e2e-helm/k8s-1.34
Collaborator: /test ci/centos/mini-e2e/k8s-1.34
🎉 This pull request has been checked successfully and will be merged soon. 🎉
Branch devel (4eb84a0) and #5913 are embarked together for merge.
This pull request has been created by Mergify to speculatively check the mergeability of #5913.
You don't need to do anything. Mergify will close this pull request automatically when it is complete.
Required conditions of queue default for merge:
- #approved-reviews-by >= 2 [🛡 GitHub branch protection]
- #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
- base=devel:
  - status-success=codespell, go-test, golangci-lint, lint-extras, mod-check, multi-arch-build, uncommitted-code-check
  - label=ci/skip/e2e
  - status-success=ci/centos/k8s-e2e-external-storage/1.33, 1.34, 1.35
  - status-success=ci/centos/mini-e2e-helm/k8s-1.33, 1.34, 1.35
  - status-success=ci/centos/mini-e2e/k8s-1.33, 1.34, 1.35
  - status-success=ci/centos/upgrade-tests-cephfs, ci/centos/upgrade-tests-rbd
- base~=^(release-.+)$:
  - status-success=codespell, go-test, golangci-lint, lint-extras, mod-check, multi-arch-build, uncommitted-code-check
  - label=ci/skip/e2e
  - status-success=ci/centos/k8s-e2e-external-storage/1.32, 1.33, 1.34
  - status-success=ci/centos/mini-e2e-helm/k8s-1.32, 1.33, 1.34
  - status-success=ci/centos/mini-e2e/k8s-1.32, 1.33, 1.34
  - status-success=ci/centos/upgrade-tests-cephfs, ci/centos/upgrade-tests-rbd
- base=release-v3.15:
  - status-success=codespell, go-test, golangci-lint, lint-extras, mod-check, multi-arch-build, uncommitted-code-check
  - label=ci/skip/e2e
  - status-success=ci/centos/k8s-e2e-external-storage/1.31, 1.32, 1.33
  - status-success=ci/centos/mini-e2e-helm/k8s-1.31, 1.32, 1.33
  - status-success=ci/centos/mini-e2e/k8s-1.31, 1.32, 1.33
  - status-success=ci/centos/upgrade-tests-cephfs, ci/centos/upgrade-tests-rbd
- base=ci/centos:
  - status-success=ci/centos/jjb-validate
  - status-success=ci/centos/job-validation

Required conditions to stay in the queue:
- #approved-reviews-by >= 2 [🛡 GitHub branch protection]
- #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]