Kms cluster encryption #7153

a2batic · 2020-11-08T20:06:46Z

Merged after: #7062

afreen23

High level review for now

afreen23 · 2020-11-24T06:12:05Z

frontend/packages/ceph-storage-plugin/src/components/kms-config/kms-config.tsx

Fix import hierarchy

afreen23 · 2020-11-24T06:31:15Z

...e-plugin/src/components/ocs-install/internal-mode/install-wizard-steps/review-and-create.tsx

The KMS connection is done after clicking create, this should be better

Suggested change

Connect to external key management service: {kms.name}

External key management service: {kms.name}

afreen23 · 2020-11-24T06:35:31Z

frontend/packages/ceph-storage-plugin/src/components/ocs-install/ocs-request-data.ts

I would prefer to make ocs-kms-vault-token a constant, since used at multiple places.

afreen23 · 2020-11-24T06:38:19Z

frontend/packages/ceph-storage-plugin/src/constants/ocs-install.ts

It would be better to prefix names with kms- to understand what its for ?

afreen23 · 2020-11-24T06:44:25Z

...end/packages/ceph-storage-plugin/src/components/ocs-install/internal-mode/install-wizard.tsx

Please remove any restriction from individual steps, until we push validation based wizard.

Suggested change

enableNext: state.encryption.hasHandled && hasConfiguredNetwork && state.kms.hasHandled,

It was decided to have Next button blocked wrt validations in the wizard.
@cloudbehl @yuvalgalanti

yes that's what was planned.

We have navs still clickable, I thnk we should block them as well.
(Possibly in another PR)

+1 @afreen23

afreen23 · 2020-11-24T06:47:30Z

...rc/components/ocs-install/attached-devices/create-sc/wizard-pages/review-and-create-step.tsx

Suggested change

<p>Encryption Level: {getEncryptionType(encryption)}</p>

<p>Encryption Level: {getEncryptionLevel(encryption)}</p>

afreen23 · 2020-11-24T06:47:45Z

...rc/components/ocs-install/attached-devices/create-sc/wizard-pages/review-and-create-step.tsx

Suggested change

Connect to external key management service: {kms.name}

External key management service: {kms.name}

As per UX, its Connected since its connected after Create button click, so changed it to Connect.

afreen23 · 2020-11-24T06:48:56Z

...e-plugin/src/components/ocs-install/internal-mode/install-wizard-steps/review-and-create.tsx

Why not kms.hasHandled here ?

{encryption.advanced && (

I have removed at the other place too, it's not required.

afreen23 · 2020-11-24T06:51:22Z

frontend/packages/ceph-storage-plugin/src/components/ocs-install/install-wizard/configure.tsx

I would prefer to call it following, just to avoid confusion with root state dispatcher

Suggested change

setDispatch(ActionType.SET_KMS_ENCRYPTION, kmsObject, mode, dispatch);

setKms(ActionType.SET_KMS_ENCRYPTION, kmsObject, mode, dispatch);

afreen23 · 2020-11-24T06:52:41Z

...ackages/ceph-storage-plugin/src/components/modals/advanced-kms-modal/advanced-kms-modal.scss

missing new line

bipuladh · 2020-11-24T06:56:33Z

frontend/packages/ceph-storage-plugin/src/components/kms-config/kms-config.tsx

Suggested change

const setServiceName = (name: string) => {

setDispatch(ActionType.SET_KMS_ENCRYPTION, { ...kms, name }, mode, dispatch);

};

const setServiceName = (name: string) => setDispatch(ActionType.SET_KMS_ENCRYPTION, { ...kms, name }, mode, dispatch);

bipuladh · 2020-11-24T06:57:34Z

frontend/packages/ceph-storage-plugin/src/components/kms-config/kms-config.tsx

Suggested change

const validateAddressMessage = () => {

if (kms.address === '') {

return 'This is a required field';

}

return 'Please enter a URL';

};

const validateAddressMessage = () => (kms.address === '') ?

'This is a required field' : 'Please enter a URL';

bipuladh · 2020-11-24T06:58:03Z

frontend/packages/ceph-storage-plugin/src/components/kms-config/kms-config.tsx

Suggested change

const validatePort = () => {

return _.isNaN(Number(kms.port)) || kms.port < 0 || !kms.port

? ValidatedOptions.error

: ValidatedOptions.default;

};

const validatePort = () => _.isNaN(Number(kms.port)) || kms.port < 0 || !kms.port

? ValidatedOptions.error

: ValidatedOptions.default;

bipuladh · 2020-11-24T06:58:57Z

frontend/packages/ceph-storage-plugin/src/components/kms-config/kms-config.tsx

Suggested change

const openAdvancedModal = () => {

return advancedKMSModal({

const openAdvancedModal = () => advancedKMSModal({

bipuladh · 2020-11-24T07:01:58Z

...packages/ceph-storage-plugin/src/components/modals/advanced-kms-modal/advanced-kms-modal.tsx

Fix import order.

bipuladh · 2020-11-24T07:04:09Z

...packages/ceph-storage-plugin/src/components/modals/advanced-kms-modal/advanced-kms-modal.tsx

Why do we need another state here that is derived from another state? Can't we use dispatch and update the state over there.

The advance modal has a Save button, on clicking which the data has to be added in the state, to locally store data, I have added local states.

bipuladh · 2020-11-24T07:04:26Z

...packages/ceph-storage-plugin/src/components/modals/advanced-kms-modal/advanced-kms-modal.tsx

Why not use PF form?

Then, we need to use PF form Modal as well. Console Modal's CSS breaks in PF4 form.

bipuladh · 2020-11-24T07:07:54Z

...d/packages/ceph-storage-plugin/src/components/ocs-install/install-wizard/install-wizard.scss

Can we have a comment on why we are overriding using important?

cloudbehl · 2020-11-30T06:05:10Z

frontend/packages/ceph-storage-plugin/src/components/kms-config/kms-config.tsx

Suggested change

onChange={(e) => setKMSProvider(e)}

onChange={setKMSProvider}

cloudbehl · 2020-11-30T06:05:57Z

frontend/packages/ceph-storage-plugin/src/components/kms-config/kms-config.tsx

we are not setting the isDisabled.

For 4.7, it will always be disabled.

cloudbehl · 2020-11-30T06:10:54Z

frontend/packages/ceph-storage-plugin/src/components/kms-config/kms-config.tsx

create a generic function and use it for all fields. Like isValid(name)

cloudbehl · 2020-11-30T06:13:05Z

frontend/packages/ceph-storage-plugin/src/components/kms-config/utils.tsx

nit: can be put in a shared folder. Will do in next PR.

a2batic · 2020-12-01T15:24:18Z

@bipuladh will address this comment(#7153 (comment)) with the follow up PR: #7330. Please review the rest.

a2batic · 2020-12-01T15:26:07Z

@afreen23 @cloudbehl please review.

a2batic · 2020-12-01T15:43:30Z

/retest

afreen23 · 2020-12-01T15:58:12Z

frontend/packages/ceph-storage-plugin/src/components/kms-config/kms-config.tsx

id needs to match with FormGroup

Suggested change

id="kms-provider-name"

id="kms-provider"

afreen23 · 2020-12-01T16:00:27Z

frontend/packages/ceph-storage-plugin/src/components/kms-config/kms-config.tsx

here as well.

Suggested change

id="kms-address"

id="kms-service-address"

afreen23 · 2020-12-01T16:03:45Z

frontend/packages/ceph-storage-plugin/src/components/kms-config/kms-config.tsx

Fix id names

afreen23 · 2020-12-01T16:05:13Z

frontend/packages/ceph-storage-plugin/src/components/kms-config/kms-config.tsx

Suggested change

const serviceName = (name: string) => {

const setServiceName = (name: string) => {

afreen23 · 2020-12-01T16:11:39Z

...packages/ceph-storage-plugin/src/components/modals/advanced-kms-modal/advanced-kms-modal.tsx

Does not setting value helps here ?
Because anyways you are setting state. I think you can avoid the guard here

afreen23 · 2020-12-01T16:13:39Z

...ages/ceph-storage-plugin/src/components/ocs-install/attached-devices/create-sc/create-sc.tsx

I understand its not the part of PR, but this is a minor :)

Suggested change

await Promise.all(promises).then(() => k8sCreate(OCSServiceModel, storageCluster));

await Promise.all(promises).then(() => k8sCreate(StorageClusterModel, storageCluster));

No worries to take in another PR, this needs fix at various places.

afreen23 · 2020-12-01T16:14:57Z

...packages/ceph-storage-plugin/src/components/modals/advanced-kms-modal/advanced-kms-modal.tsx

Then, we need to use PF form Modal as well. Console Modal's CSS breaks in PF4 form.

afreen23 · 2020-12-01T16:17:44Z

frontend/packages/ceph-storage-plugin/src/constants/ocs-install.ts

Suggested change

'Vault enterprise namespaces are isolated environments that functionally exist as "Vaults within a Vault." They have separate login paths and support creating and managing data isolated to their namespace.';

'Vault enterprise namespaces are isolated environments that functionally exist as "Vaults within a Vault". They have separate login paths and support creating and managing data isolated to their namespace.';

afreen23 · 2020-12-01T17:22:37Z

frontend/packages/ceph-storage-plugin/src/components/ocs-install/ocs-request-data.ts

Just for consistency, can you use Object.assign as well similar to arbiter and network?

afreen23 · 2020-12-01T17:25:28Z

frontend/packages/ceph-storage-plugin/src/components/ocs-install/internal-mode/reducer.ts

Why payload optional ? Can't we pass empty params to the same action , used to set kms ActionType.SET_KMS_ENCRYPTION ?

afreen23 · 2020-12-01T17:34:41Z

...packages/ceph-storage-plugin/src/components/modals/advanced-kms-modal/advanced-kms-modal.tsx

nit: pool-form-modal

Suggested change

<Form onSubmit={submit} key="pool-form-modal">

<Form onSubmit={submit} key="">

afreen23 · 2020-12-01T17:38:55Z

frontend/packages/ceph-storage-plugin/src/constants/ocs-install.ts

Lets be consistent with names.

Suggested change

export const kmsMaxFileUploadSize = 4000000;

export const kmsFileSizeErrorMsg = 'Maximum file size exceeded. File limit is 4MB.';

export const KMSConfigMapName = 'ocs-kms-connection-details';

export const KMSSecretName = 'ocs-kms-token';

export const KMSMaxFileUploadSize = 4000000;

export const KMSFileSizeErrorMsg = 'Maximum file size exceeded. File limit is 4MB.';

export const KMSConfigMapName = 'ocs-kms-connection-details';

export const KMSSecretName = 'ocs-kms-token';

Signed-off-by: Kanika Murarka <kmurarka@redhat.com>

a2batic · 2020-12-02T06:05:26Z

/test e2e-gcp-console

afreen23

/lgtm

openshift-ci-robot · 2020-12-02T06:09:41Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: a2batic, afreen23

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~frontend/packages/ceph-storage-plugin/OWNERS~~ [a2batic,afreen23]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 8, 2020

a2batic marked this pull request as draft November 8, 2020 20:06

openshift-ci-robot added the component/ceph Related to ceph-storage-plugin label Nov 8, 2020

openshift-ci-robot requested review from afreen23 and rawagner November 8, 2020 20:07

openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 8, 2020

a2batic force-pushed the kms-cluster-encryption branch from 6de77aa to 7213815 Compare November 18, 2020 06:26

a2batic mentioned this pull request Nov 18, 2020

Add Encryption workflow for storage cluster creation #7062

Merged

a2batic force-pushed the kms-cluster-encryption branch from 7213815 to f064b54 Compare November 18, 2020 12:01

a2batic marked this pull request as ready for review November 18, 2020 13:22

a2batic changed the title ~~[WIP] Kms cluster encryption~~ Kms cluster encryption Nov 18, 2020

openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 18, 2020

a2batic force-pushed the kms-cluster-encryption branch 3 times, most recently from cb38464 to 6dcb79e Compare November 23, 2020 20:21

openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 23, 2020

a2batic force-pushed the kms-cluster-encryption branch from 6dcb79e to dc1c90a Compare November 23, 2020 20:43

openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 23, 2020

afreen23 suggested changes Nov 24, 2020

View reviewed changes

bipuladh reviewed Nov 24, 2020

View reviewed changes

a2batic mentioned this pull request Nov 25, 2020

KMS flow for storage class creation #7330

Merged

a2batic force-pushed the kms-cluster-encryption branch 3 times, most recently from 813c34c to e36ddc2 Compare November 29, 2020 13:55

cloudbehl reviewed Nov 30, 2020

View reviewed changes

a2batic force-pushed the kms-cluster-encryption branch from e36ddc2 to fef77ec Compare December 1, 2020 15:12

a2batic force-pushed the kms-cluster-encryption branch from fef77ec to 36b92b3 Compare December 1, 2020 16:01

afreen23 suggested changes Dec 1, 2020

View reviewed changes

a2batic force-pushed the kms-cluster-encryption branch from 36b92b3 to 36a0469 Compare December 1, 2020 17:02

afreen23 suggested changes Dec 1, 2020

View reviewed changes

KMS Support for cluster creation

226c6f3

Signed-off-by: Kanika Murarka <kmurarka@redhat.com>

a2batic force-pushed the kms-cluster-encryption branch from 36a0469 to 226c6f3 Compare December 1, 2020 20:46

afreen23 approved these changes Dec 2, 2020

View reviewed changes

openshift-ci-robot assigned afreen23 Dec 2, 2020

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Dec 2, 2020

openshift-merge-robot merged commit d73d98e into openshift:master Dec 2, 2020

spadgett added this to the v4.7 milestone Dec 9, 2020

	Connect to external key management service: {kms.name}
	External key management service: {kms.name}

	<p>Encryption Level: {getEncryptionType(encryption)}</p>
	<p>Encryption Level: {getEncryptionLevel(encryption)}</p>

	setDispatch(ActionType.SET_KMS_ENCRYPTION, kmsObject, mode, dispatch);
	setKms(ActionType.SET_KMS_ENCRYPTION, kmsObject, mode, dispatch);

-  const setServiceName = (name: string) => {
-    setDispatch(ActionType.SET_KMS_ENCRYPTION, { ...kms, name }, mode, dispatch);
-  };
+  const setServiceName = (name: string) => setDispatch(ActionType.SET_KMS_ENCRYPTION, { ...kms, name }, mode, dispatch);

-  const validateAddressMessage = () => {
-    if (kms.address === '') {
-      return 'This is a required field';
-    }
-    return 'Please enter a URL';
-  };
+  const validateAddressMessage = () => (kms.address === '') ?
+     'This is a required field' : 'Please enter a URL';

-  const validatePort = () => {
-    return _.isNaN(Number(kms.port)) || kms.port < 0 || !kms.port
-      ? ValidatedOptions.error
-      : ValidatedOptions.default;
-  };
+  const validatePort = () =>  _.isNaN(Number(kms.port)) || kms.port < 0 || !kms.port
+      ? ValidatedOptions.error
+      : ValidatedOptions.default;

	const openAdvancedModal = () => {
	return advancedKMSModal({
	const openAdvancedModal = () => advancedKMSModal({

	onChange={(e) => setKMSProvider(e)}
	onChange={setKMSProvider}

	const serviceName = (name: string) => {
	const setServiceName = (name: string) => {

	await Promise.all(promises).then(() => k8sCreate(OCSServiceModel, storageCluster));
	await Promise.all(promises).then(() => k8sCreate(StorageClusterModel, storageCluster));

	'Vault enterprise namespaces are isolated environments that functionally exist as "Vaults within a Vault." They have separate login paths and support creating and managing data isolated to their namespace.';
	'Vault enterprise namespaces are isolated environments that functionally exist as "Vaults within a Vault". They have separate login paths and support creating and managing data isolated to their namespace.';

	<Form onSubmit={submit} key="pool-form-modal">
	<Form onSubmit={submit} key="">

-export const kmsMaxFileUploadSize = 4000000;
-export const kmsFileSizeErrorMsg = 'Maximum file size exceeded. File limit is 4MB.';
-export const KMSConfigMapName = 'ocs-kms-connection-details';
-export const KMSSecretName = 'ocs-kms-token';
+export const KMSMaxFileUploadSize = 4000000;
+export const KMSFileSizeErrorMsg = 'Maximum file size exceeded. File limit is 4MB.';
+export const KMSConfigMapName = 'ocs-kms-connection-details';
+export const KMSSecretName = 'ocs-kms-token';

Kms cluster encryption #7153

Kms cluster encryption #7153

Uh oh!

Conversation

a2batic commented Nov 8, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

afreen23 left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

a2batic Nov 29, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

a2batic commented Dec 1, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

a2batic commented Dec 1, 2020

Uh oh!

a2batic commented Dec 1, 2020

a2batic commented Nov 8, 2020 •

edited

Loading

a2batic Nov 29, 2020 •

edited

Loading

a2batic commented Dec 1, 2020 •

edited

Loading