PV Support for VSecM Safe (#947)

* added volume claim templates Signed-off-by: Volkan Özçelik <ovolkan@vmware.com> * new yamls Signed-off-by: Volkan Özçelik <ovolkan@vmware.com> * update makefiles Signed-off-by: Volkan Özçelik <ovolkan@vmware.com> * pvc Signed-off-by: Volkan Özçelik <ovolkan@vmware.com> * storageclass fix Signed-off-by: Volkan Özçelik <ovolkan@vmware.com> * vsecm-data Signed-off-by: Volkan Özçelik <ovolkan@vmware.com> * update build script Signed-off-by: Volkan Özçelik <ovolkan@vmware.com> * wait Signed-off-by: Volkan Özçelik <ovolkan@vmware.com> * condition Signed-off-by: Volkan Özçelik <ovolkan@vmware.com> * removed volume claim templates Signed-off-by: Volkan Özçelik <ovolkan@vmware.com> --------- Signed-off-by: Volkan Özçelik <ovolkan@vmware.com>
vmware-tanzu · Apr 27, 2024 · 8238a7e · 8238a7e
1 parent 3ec6188
commit 8238a7e
Show file tree

Hide file tree

Showing 16 changed files with 688 additions and 662 deletions.
diff --git a/core/env/safe.go b/core/env/safe.go
@@ -230,11 +230,12 @@ func ManualRootKeyUpdatesK8sSecret() bool {
 
 // DataPathForSafe returns the path to the safe data directory.
 // The path is determined by the VSECM_SAFE_DATA_PATH environment variable.
-// If the environment variable is not set, the default path "/data" is returned.
+// If the environment variable is not set, the default path "/var/local/vsecm/data"
+// is returned.
 func DataPathForSafe() string {
  p := os.Getenv("VSECM_SAFE_DATA_PATH")
  if p == "" {
- p = "/data"
+ p = "/var/local/vsecm/data"
  }
  return p
 }

diff --git a/core/env/safe_test.go b/core/env/safe_test.go
@@ -599,7 +599,7 @@ func TestSafeDataPath(t *testing.T) {
  }{
  {
  name: "default_safe_data_path",
- want: "/data",
+ want: "/var/local/vsecm/data",
  },
  {
  name: "safe_data_path_from_env",

diff --git a/docs/_pages/0260-changelog.md b/docs/_pages/0260-changelog.md
@@ -18,7 +18,13 @@ next_url: /docs/releases/
 
 ## Recent Updates
 
-TBD
+* Converted VSecM Safe and SPIRE Server to StatefulSets (because they are stateful).
+* VSecM Sentinel "init command" loop now exits the container if it cannot execute
+ commands after exponential backoff. The former behavior was to retry forever,
+ and that was not a cloud-native way of handling the situation. Panicking 
+ early and thus killing the pod fixed issues with things like persistent volumes
+ and CSI drivers.
+* Minor bug fixes in the VSecM Sentinel init command workflow.
 
 ## [0.25.0] - 2024-04-24
 

diff --git a/examples/workshop_federation/cluster-2/safe/Deployment.yaml b/examples/workshop_federation/cluster-2/safe/Deployment.yaml
@@ -65,7 +65,7 @@ spec:
  - name: VSECM_SAFE_SPIFFEID_PREFIX
  value: "spiffe://cluster2.demo/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/"
  - name: VSECM_SAFE_DATA_PATH
- value: "/data"
+ value: "/var/local/vsecm/data"
  - name: VSECM_ROOT_KEY_NAME
  value: "vsecm-root-key"
  - name: VSECM_ROOT_KEY_PATH

diff --git a/...5.1/charts/safe/templates/Deployment.yaml → ....1/charts/safe/templates/StatefulSet.yaml b/...5.1/charts/safe/templates/Deployment.yaml → ....1/charts/safe/templates/StatefulSet.yaml
@@ -9,7 +9,7 @@
 # */
 
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
  name: {{ include "safe.fullname" . }}
  namespace: {{ .Values.global.vsecm.namespace }}
@@ -50,11 +50,12 @@ spec:
  name: http
  protocol: TCP
  volumeMounts:
+ - name: vsecm-data
+ mountPath: {{ .Values.data.hostPath.path }}
+ readOnly: false
  - name: spire-agent-socket
  mountPath: /spire-agent-socket
  readOnly: true
- - name: vsecm-data
- mountPath: /data
  - name: vsecm-root-key
  mountPath: /key
  readOnly: true
@@ -99,20 +100,34 @@ spec:
  csi:
  driver: "csi.spiffe.io"
  readOnly: true
+
+{{- if not .Values.data.persistent }}
  # `vsecm-data` is used to persist the encrypted backups of the secrets.
  - name: vsecm-data
- {{- if .Values.data.persistent }}
- persistentVolumeClaim:
- claimName: {{ .Values.data.persistentVolumeClaim.claimName }}
- {{- else }}
  hostPath:
  path: {{ .Values.data.hostPath.path }}
  type: DirectoryOrCreate
- {{- end }}
+{{- end}}
+
  # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data.
  - name: vsecm-root-key
  secret:
  secretName: {{ .Values.rootKeySecretName }}
  items:
  - key: KEY_TXT
  path: key.txt
+
+{{- if .Values.data.persistent }}
+ volumeClaimTemplates:
+ - metadata:
+ name: vsecm-data
+ spec:
+ accessModes:
+ - {{ .Values.data.persistentVolumeClaim.accessMode | default "ReadWriteOnce" }}
+ resources:
+ requests:
+ storage: {{ .Values.data.persistentVolumeClaim.size }}
+ {{- if .Values.data.persistentVolumeClaim.storageClass }}
+ storageClassName: {{ .Values.data.persistentVolumeClaim.storageClass }}
+ {{- end }}
+{{- end }}
diff --git a/helm-charts/0.25.1/charts/safe/values.yaml b/helm-charts/0.25.1/charts/safe/values.yaml
@@ -22,7 +22,10 @@ data:
  persistent: false
  # Define the PVC if `persistent` is true.
  persistentVolumeClaim:
- claimName: "your-pvc-name" # Replace with your PVC name.
+ storageClass: ""
+ accessMode: ReadWriteOnce
+ size: 1Gi
+
  # Define the hostPath if `persistent` is false.
  hostPath:
  path: "/var/local/vsecm/data"
@@ -45,7 +48,7 @@ environments:
  - name: VSECM_ROOT_KEY_PATH
  value: "/key/key.txt"
  - name: VSECM_SAFE_DATA_PATH
- value: "/data"
+ value: "/var/local/vsecm/data"
  - name: VSECM_SAFE_ENDPOINT_URL
  value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/"
  - name: VSECM_SAFE_FIPS_COMPLIANT

diff --git a/...rts/spire/templates/spire-server-app.yaml → .../templates/spire-server-stateful-set.yaml b/...rts/spire/templates/spire-server-app.yaml → .../templates/spire-server-stateful-set.yaml
@@ -9,22 +9,15 @@
 # */
 
 apiVersion: apps/v1
-{{- if eq .Values.server.kind "deployment" }}
-kind: Deployment
-{{- else }}
 kind: StatefulSet
-{{- end }}
 metadata:
  name: spire-server
  namespace: {{ .Values.global.spire.namespace }}
  labels:
  app: spire-server
  app.kubernetes.io/component: server
 spec:
- {{- if eq .Values.server.kind "statefulset" }}
- # noinspection KubernetesUnknownKeys
  serviceName: spire-server
- {{- end }}
  replicas: {{ .Values.replicaCount }}
  selector:
  matchLabels:
@@ -132,6 +125,6 @@ spec:
  requests:
  storage: {{ .Values.data.persistentVolumeClaim.size }}
  {{- if .Values.data.persistentVolumeClaim.storageClass }}
- storageClassName: {{ .Values.data.persistentVolumeClaim }}
+ storageClassName: {{ .Values.data.persistentVolumeClaim.storageClass }}
  {{- end }}
  {{- end }}
diff --git a/helm-charts/0.25.1/charts/spire/values.yaml b/helm-charts/0.25.1/charts/spire/values.yaml
@@ -17,11 +17,6 @@
 ## @param replicaCount SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database.
 replicaCount: 1
 
-## @param server.kind Define SPIRE server deployment type. 
-## Can be statefulset/deployment. Defaults to statefulset if not set. This feature is experimental.
-server:
- kind: deployment
-
 # Override it with an image pull secret that you need as follows:
 # imagePullSecrets:
 # - name: my-registry-secret