This repository has been archived by the owner on Oct 21, 2020. It is now read-only.

CephFS Provisioner: Add secret namespace support. #550

Merged: 1 commit merged into kubernetes-retired:master on Jan 18, 2018

Conversation

@cofyc (Contributor) commented Jan 10, 2018

What this PR does / why we need it:

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #309.

Special notes for reviewer:

We can deploy cephfs-provisioner in a dedicated namespace, e.g. cephfs, and configure it to store secrets in this dedicated namespace. Then the cephfs provisioner won't need CREATE|DELETE permission on secrets in any other namespace.

example deployment.yaml:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: cephfs-provisioner
  namespace: cephfs
spec:
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: cephfs-provisioner
    spec:
      containers:
      - name: cephfs-provisioner
        image: "quay.io/external_storage/cephfs-provisioner:latest"
        imagePullPolicy: IfNotPresent
        env:
        - name: PROVISIONER_NAME
          value: ceph.com/cephfs
        - name: PROVISIONER_SECRET_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        command:
        - "/usr/local/bin/cephfs-provisioner"
        args:
        - "-id=cephfs-provisioner-1"
        - "-v=4"
      # serviceAccount is the deprecated alias of serviceAccountName in PodSpec
      serviceAccountName: cephfs-provisioner

example role.yaml:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: cephfs-provisioner
  namespace: cephfs
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "delete"]

example rolebinding.yaml:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: cephfs-provisioner
  namespace: cephfs
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cephfs-provisioner
subjects:
- kind: ServiceAccount
  name: cephfs-provisioner
  # ServiceAccount subjects are namespaced; bind the account from the same namespace
  namespace: cephfs

cc @wongma7 @rootfs
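A way to check what the Role above actually grants before trusting it, as an added illustrative Go program that is not part of cephfs-provisioner or of Kubernetes: it models the namespaced Role/RoleBinding semantics (no ClusterRoles, resourceNames or rule aggregation), loads the Role and RoleBinding from the example manifests, and confirms that the service account can create and delete secrets in cephfs and nowhere else. The SecretNamespace helper shows the "dedicated namespace if configured, else the PVC's namespace" fallback the commit message calls backward compatible; its name and shape are my assumption, not the PR's code.

```go
package main

import (
	"fmt"
	"os"
)

// Rule mirrors one entry of a Role's rules list (apiGroups/resources/verbs).
type Rule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Role is a namespaced set of rules, as in role.yaml above.
type Role struct {
	Name      string
	Namespace string
	Rules     []Rule
}

// RoleBinding grants a Role to a ServiceAccount. A RoleBinding is itself
// namespaced, so the grant only ever applies inside binding.Namespace.
type RoleBinding struct {
	Namespace      string
	RoleName       string
	ServiceAccount string // "namespace:name"
}

// Request is one API call the provisioner might make.
type Request struct {
	ServiceAccount string
	Namespace      string
	APIGroup       string // "" is the core group (secrets live there)
	Resource       string
	Verb           string
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v || x == "*" {
			return true
		}
	}
	return false
}

// Allowed is a simplified model of RBAC evaluation for namespaced Roles only
// (no ClusterRoles, no resourceNames, no non-resource URLs): deny by default,
// allow if some RoleBinding in the request's namespace names the subject and
// the bound Role has a rule matching group, resource and verb.
func Allowed(roles []Role, bindings []RoleBinding, r Request) bool {
	for _, b := range bindings {
		if b.Namespace != r.Namespace || b.ServiceAccount != r.ServiceAccount {
			continue
		}
		for _, role := range roles {
			if role.Name != b.RoleName || role.Namespace != b.Namespace {
				continue
			}
			for _, rule := range role.Rules {
				if contains(rule.APIGroups, r.APIGroup) &&
					contains(rule.Resources, r.Resource) &&
					contains(rule.Verbs, r.Verb) {
					return true
				}
			}
		}
	}
	return false
}

// SecretNamespace picks where per-volume secrets are stored (assumed helper,
// not the provisioner's code): the configured namespace if set, otherwise the
// PVC's namespace, which is the pre-PR behaviour.
func SecretNamespace(configured, pvcNamespace string) string {
	if configured != "" {
		return configured
	}
	return pvcNamespace
}

// ExampleRBAC builds the Role and RoleBinding from the manifests in this PR.
func ExampleRBAC() ([]Role, []RoleBinding) {
	roles := []Role{{
		Name: "cephfs-provisioner", Namespace: "cephfs",
		Rules: []Rule{{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"create", "delete"}}},
	}}
	bindings := []RoleBinding{{Namespace: "cephfs", RoleName: "cephfs-provisioner", ServiceAccount: "cephfs:cephfs-provisioner"}}
	return roles, bindings
}

func main() {
	roles, bindings := ExampleRBAC()
	sa := "cephfs:cephfs-provisioner"
	for _, ns := range []string{"cephfs", "default"} {
		req := Request{ServiceAccount: sa, Namespace: ns, APIGroup: "", Resource: "secrets", Verb: "create"}
		fmt.Printf("create secrets in %-8s -> %v\n", ns, Allowed(roles, bindings, req))
	}
	// Mirrors the downward-API env var in deployment.yaml; "team-a" is a constructed PVC namespace.
	fmt.Println("secrets stored in:", SecretNamespace(os.Getenv("PROVISIONER_SECRET_NAMESPACE"), "team-a"))
}
```

The model covers only the secrets grant from this PR; the cluster-scoped permissions a provisioner also needs (PVs, PVCs, StorageClasses, events) come from a ClusterRole and are not represented. Against a real cluster the equivalent check is `kubectl auth can-i create secrets --namespace default --as system:serviceaccount:cephfs:cephfs-provisioner`, which should answer "no" once only this Role is bound.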

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 10, 2018
@cofyc cofyc force-pushed the fix_cephfs_provisioner branch from 0b861f1 to 859ad43 on January 10, 2018 12:21
- Administrators can configure a dedicated secret namespace for CephFS
  provisioner (fix kubernetes-retired#309)
- Fix a bug in deleting secrets (should be backward compatible)
@rootfs (Contributor) commented Jan 10, 2018

@jsafrane can you merge?

@rootfs (Contributor) commented Jan 11, 2018

ping @wongma7

@jsafrane (Contributor) commented

sorry, I can't merge to this repo, "You're not authorized to merge this pull request." :-(

@wongma7 wongma7 added lgtm Indicates that a PR is ready to be merged. area/ceph/cephfs labels Jan 18, 2018
@wongma7 wongma7 merged commit a86c5b2 into kubernetes-retired:master Jan 18, 2018
@cofyc cofyc deleted the fix_cephfs_provisioner branch January 23, 2018 10:01
@cofyc cofyc mentioned this pull request Mar 19, 2018
Successfully merging this pull request may close these issues.

Ceph provisioner requires creating secrets in PVC namespaces
5 participants