
operator support for mounting secrets from CSI secret store #748

Merged
merged 4 commits into from
Mar 13, 2024

Conversation

jmazzitelli
Contributor

@jmazzitelli jmazzitelli commented Mar 12, 2024

part of: kiali/kiali#6942

helm-charts companion PR: kiali/helm-charts#250

@jmazzitelli
Contributor Author

This is not ready yet. Need to write some jinja code to loop through the custom_secrets and convert snake_case so it retains the camelCase

@jmazzitelli jmazzitelli marked this pull request as draft March 12, 2024 16:52
@jmazzitelli
Contributor Author

jinja code added. Ready for review.

@jmazzitelli jmazzitelli marked this pull request as ready for review March 12, 2024 17:08
        description: "The name of the secret that is to be mounted to the Kiali pod's file system. The name of the custom secret must not be the same name as one created by the operator. Names such as `kiali`, `kiali-cert-secret`, and `kiali-cabundle` should not be used as a custom secret name because the operator may want to create one with one of those names."
        type: string
      csi:
        description: "Defines CSI-specific settings that allows a secret from an external CSI secret store to be injected in the pod via a volume mount. For details, see https://secrets-store-csi-driver.sigs.k8s.io/"
Contributor Author


@rumstead can you review this little documentation blurb? This will show up in the kiali.io documentation website in the Kiali CR reference page - it will end up somewhere around here. I just want to make sure I'm not blowing smoke :) If you have some better documentation blurb to put here, please suggest it.


LGTM. Should we add an example to the already existing examples?

Maybe:

    - name: "kiali-secret-csi"
      mount: "/mnt/secrets-store"
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: kiali-secretprovider

If you think we need more docs in the future like there are for custom dashboards I can contribute something.

Contributor Author


> LGTM. Should we add an example to the already existing examples?

We could. I can add it to this PR. I don't know what the true values would/should look like, so please suggest something that would be good for that example CR.

> If you think we need more docs in the future like there are for custom dashboards I can contribute something.

Yes. I was thinking we should have a dedicated "something" in the docs for this. I was thinking it is a simple FAQ that we would add here which shows up here. Feel free to submit a PR over in the kiali.io repo.

@jmazzitelli
Contributor Author

I did some quick manual testing just to confirm there aren't obvious bugs here (and with the helm charts PR) and everything looks good. It appears CSI secrets must exist at the time of deployment (there is no optional option as discussed here) so my little blurb in the reference docs in my latest commit should handle that.

So this PR is ready to be merged.

@jmazzitelli
Contributor Author

For the record, I do not have CSI set up, so my testing just involved deploying a Kiali CR and seeing the server pod try to start up (even though it can't) and that it has the proper deployment yaml.

So in short, did the following quick test:

  1. Deploy a dev build of the server and operator using make: make -e CLUSTER_TYPE=minikube -e HELM_CHARTS_REPO_PULL=false build build-ui cluster-push operator-create
  2. I edited the kiali_cr_dev.yaml in the operator repo:
diff --git a/deploy/kiali/kiali_cr_dev.yaml b/deploy/kiali/kiali_cr_dev.yaml
index d80ebe4..62d46ba 100644
--- a/deploy/kiali/kiali_cr_dev.yaml
+++ b/deploy/kiali/kiali_cr_dev.yaml
@@ -28,6 +28,15 @@ spec:
     service_type: $SERVICE_TYPE
     logger:
       log_level: info
+    custom_secrets:
+    - name: csi-test
+      mount: /csi-test
+      optional: true
+      csi:
+        driver: secrets-store.csi.k8s.io
+        readOnly: true
+        volumeAttributes:
+          secretProviderClass: kiali-secretprovider
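Review bot: the `optional: true` line added to the `csi-test` entry has no effect for a CSI volume source. A Kubernetes `csi` volume carries no `optional` field (it only exists on plain `secret` volumes), and the `kubectl describe` output further down in this comment confirms the flag is silently dropped. Either remove it from this dev CR, or have the operator warn or reject `optional` when it appears alongside `csi`, so users don't expect a missing SecretProviderClass to be tolerated at deploy time.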
  3. Deploy that Kiali CR via make: make -e CLUSTER_TYPE=minikube kiali-create

At this point you will see the server pod trying to start but failing because CSI isn't set up - but that confirms the CSI yaml is correctly configured:

$ kubectl describe pods -n istio-system -l app.kubernetes.io/name=kiali
Name:             kiali-696494dfd-bjp6k
Namespace:        istio-system
...
    Mounts:
      /csi-test from csi-test (rw)
      /kiali-cabundle from kiali-cabundle (rw)
      /kiali-configuration from kiali-configuration (rw)
      /kiali-override-secrets/login-token-signing-key from login-token-signing-key (ro)
      /kiali-secret from kiali-secret (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-j8l8r (ro)
...
Volumes:
...
  csi-test:
    Type:              CSI (a Container Storage Interface (CSI) volume source)
    Driver:            secrets-store.csi.k8s.io
    FSType:            
    ReadOnly:          true
    VolumeAttributes:      secretProviderClass=kiali-secretprovider
...
Events:
  Type     Reason       Age                From               Message
  ----     ------       ----               ----               -------
  Normal   Scheduled    54s                default-scheduler  Successfully assigned istio-system/kiali-696494dfd-bjp6k to ci
  Warning  FailedMount  22s (x7 over 54s)  kubelet            MountVolume.SetUp failed for volume "csi-test" : kubernetes.io/csi: mounter.SetUpAt failed to get CSI client: driver name secrets-store.csi.k8s.io not found in the list of registered CSI drivers

You'll notice optional: true that I specified in the Kiali CR is ignored.
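The two behaviours discussed in this thread, restoring camelCase under `csi` after the CR keys have been snake_cased (the jinja problem mentioned earlier) and the fact that `optional` is dropped for CSI volumes, can be checked without a cluster. The following is an added example, not code from the Kiali operator or its helm charts: a small Python rendering of one `custom_secrets` entry into the Deployment `volume` / `volumeMount` pair, a guard for the reserved secret names quoted from the CRD description above, and a scanner that pulls `FailedMount` warnings out of `kubectl describe pods` text so the manual test above can be scripted. The snake_case input shape and the hypothetical function names are assumptions; the sample CR entry and the events excerpt are constructed to mirror the ones in this comment.

```python
import re

# Names the operator reserves for its own secrets (quoted from the CRD
# description in this PR); a custom secret must not reuse them.
RESERVED_SECRET_NAMES = {"kiali", "kiali-cert-secret", "kiali-cabundle"}


def snake_to_camel(key: str) -> str:
    """read_only -> readOnly; keys without underscores are returned unchanged."""
    head, *rest = key.split("_")
    return head + "".join(p[:1].upper() + p[1:] for p in rest)


def camelize(obj):
    """Recursively restore camelCase dict keys; values are left untouched.

    Assumption: the operator's Ansible layer has snake_cased every key of the
    CR, including the keys under volumeAttributes, so the whole csi subtree
    has to be converted back before it is handed to the Kubernetes API.
    """
    if isinstance(obj, dict):
        return {snake_to_camel(k): camelize(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [camelize(v) for v in obj]
    return obj


def render_custom_secret(entry: dict):
    """Return (volume, volumeMount, ignored_keys) for one custom_secrets entry.

    Hypothetical helper: the real operator does this in jinja templates.
    """
    name = entry["name"]
    if name in RESERVED_SECRET_NAMES:
        raise ValueError(f"custom secret name {name!r} is reserved by the operator")
    # The describe output in this thread shows the CSI mount as (rw), so the
    # mount itself carries no readOnly flag; only the csi source does.
    mount = {"name": name, "mountPath": entry["mount"]}
    ignored = []
    if "csi" in entry:
        # A CSI volume source has no `optional` field, so the CR's flag is
        # dropped and reported instead of being silently lost.
        volume = {"name": name, "csi": camelize(entry["csi"])}
        if "optional" in entry:
            ignored.append("optional")
    else:
        secret = {"secretName": name}
        if "optional" in entry:
            secret["optional"] = bool(entry["optional"])
        volume = {"name": name, "secret": secret}
    return volume, mount, ignored


# Matches one row of the Events table printed by `kubectl describe pods`;
# the "(xN over AGE)" repeat counter is optional.
FAILED_MOUNT_RE = re.compile(
    r"^\s*Warning\s+FailedMount\s+\S+(?:\s+\(x\d+ over \S+\))?\s+\S+\s+(?P<msg>.+)$"
)


def failed_mounts(describe_output: str):
    """Collect the FailedMount warning messages from `kubectl describe` text."""
    found = []
    for line in describe_output.splitlines():
        m = FAILED_MOUNT_RE.match(line)
        if m:
            found.append(m.group("msg").strip())
    return found


# Constructed sample: the csi-test entry from the dev CR hunk above, as it
# would look after snake_casing.
SAMPLE_ENTRY = {
    "name": "csi-test",
    "mount": "/csi-test",
    "optional": True,
    "csi": {
        "driver": "secrets-store.csi.k8s.io",
        "read_only": True,
        "volume_attributes": {"secret_provider_class": "kiali-secretprovider"},
    },
}

# Constructed excerpt of the Events table from the describe output above.
SAMPLE_EVENTS = """\
Events:
  Type     Reason       Age                From               Message
  ----     ------       ----               ----               -------
  Normal   Scheduled    54s                default-scheduler  Successfully assigned istio-system/kiali-696494dfd-bjp6k to ci
  Warning  FailedMount  22s (x7 over 54s)  kubelet            MountVolume.SetUp failed for volume "csi-test" : kubernetes.io/csi: mounter.SetUpAt failed to get CSI client: driver name secrets-store.csi.k8s.io not found in the list of registered CSI drivers
"""

if __name__ == "__main__":
    volume, mount, ignored = render_custom_secret(SAMPLE_ENTRY)
    print("volume:", volume)
    print("volumeMount:", mount)
    print("ignored CR keys:", ignored)
    for msg in failed_mounts(SAMPLE_EVENTS):
        print("FailedMount:", msg)
```

Running it against the sample prints the camelCased `csi` volume source (with `readOnly` and `volumeAttributes.secretProviderClass` restored), reports `optional` as an ignored key, and surfaces the "driver name ... not found in the list of registered CSI drivers" message, which is exactly the signal the manual test above relies on to confirm the YAML is right even when no CSI driver is installed.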

@jmazzitelli jmazzitelli merged commit d7ebff8 into kiali:master Mar 13, 2024
1 check passed
@jmazzitelli jmazzitelli deleted the 6942-csi-mount branch March 13, 2024 14:01
@jshaughn jshaughn added the test: n/a PR does not need test additions or updates label Mar 29, 2024