ceph: add opa config options to ObjectStoreSpec #8731
Conversation
This PR adds the options in ObjectStore CRD for configuring OPA authentication with RGW. Signed-off-by: Jiffin Tony Thottan <thottanjiffin@gmail.com>
|
@thotz Is this related to a BZ or feature request? |
Yes it would be helpful just to have more background on requirements for new features, thanks. |
| // +kubebuilder:validation:MinLength=1 | ||
| // +kubebuilder:validation:Required | ||
| // +required | ||
| URL string `json:"url,omitempty"` |
There was a problem hiding this comment.
| URL string `json:"url,omitempty"` | |
| URL string `json:"url"` |
Since this is required.
| // +kubebuilder:validation:MinLength=1 | ||
| // +kubebuilder:validation:Required | ||
| // +required | ||
| Token string `json:"token,omitempty"` |
There was a problem hiding this comment.
| Token string `json:"token,omitempty"` | |
| Token string `json:"token"` |
| @@ -210,6 +210,19 @@ func TestSSLPodSpec(t *testing.T) { | |||
| s, err = c.makeRGWPodSpec(rgwConfig) | |||
| assert.NoError(t, err) | |||
| podTemplate = cephtest.NewPodTemplateSpecTester(t, &s) | |||
| podTemplate.RunFullSuite(cephconfig.RgwType, "default", "rook-ceph-rgw", "mycluster", "quay.io/ceph/ceph:myversion", | |||
| if c.store.Spec.Security.OpenPolicyAgentService.VerifySSL != nil { | ||
| container.Args = append(container.Args, | ||
| cephconfig.NewFlag("rgw opa verify ssl", | ||
| strconv.FormatBool(*c.store.Spec.Security.OpenPolicyAgentService.VerifySSL))) |
There was a problem hiding this comment.
Is the bool pointer really necessary? If it's not required why not just let the default. false?
We need to know how to prioritize incoming feature requests. A new Rook issue is good, but let's get a BZ (or Jira?) against OCS/ODF that PM can prioritize. Since this is a cross-team request, we have to have an understanding of who needs it, when they need it, and why they need it. We cannot guarantee that Rook upstream can spend time on under-the-table requests like this. |
I have opened a Jira ticket https://issues.redhat.com/browse/RGW-173 in the RGW kanban board as beginning, try to involve more people to get more understanding about the plan on the ticket |
| @@ -199,6 +201,15 @@ $ vault write -f transit/keys/<mybucketkey> exportable=true # transit engine | |||
|
|
|||
| * TLS authentication with custom certs between Vault and RGW are yet to be supported. | |||
|
|
|||
| Here example for OPA config: | |||
| ```yaml | |||
| opa: | |||
There was a problem hiding this comment.
Let's avoid non-obvious acronyms in the CR property names
| opa: | |
| openPolicyAgent: |
| token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 | ||
| verifySSL: true | ||
| ``` | ||
| The config options include url, token for the OPA service. The TLS certs can be passed with help `caBundleRef`. For more details w.r.t RGW, please refer [Ceph OPA documentation](https://docs.ceph.com/en/latest/radosgw/opa/). |
There was a problem hiding this comment.
| The config options include url, token for the OPA service. The TLS certs can be passed with help `caBundleRef`. For more details w.r.t RGW, please refer [Ceph OPA documentation](https://docs.ceph.com/en/latest/radosgw/opa/). | |
| The config options include url, token for the OPA service. The TLS certs can be passed with help `caBundleRef`. For more details, please refer to the [Ceph OPA documentation](https://docs.ceph.com/en/latest/radosgw/opa/). |
| // Indicate whether the server certificate is validated by the client or not | ||
| // +optional | ||
| // +nullable | ||
| VerifySSL *bool `json:"verifySSL,omitempty"` |
There was a problem hiding this comment.
Is the behavior of "not set" and "false" the same? If so, how about removing the pointer for simplicity?
| VerifySSL *bool `json:"verifySSL,omitempty"` | |
| VerifySSL bool `json:"verifySSL,omitempty"` |
| // +optional | ||
| // +nullable | ||
| VerifySSL *bool `json:"verifySSL,omitempty"` | ||
| // Token is the token for the OPA |
There was a problem hiding this comment.
| // Token is the token for the OPA | |
| // Token for the OPA |
|
I think #8579 is the more high priority item that we definitely have in our requirements for ODF 4.10. Let's focus on that PR first. |
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions. |
|
This pull request has merge conflicts that must be resolved before it can be merged. @thotz please rebase it. https://rook.io/docs/rook/latest/development-flow.html#updating-your-fork |
|
I am closing this PR since there is no more interest wrt to this feature atm, not planning to work on it anytime soon. I will open once again when priority changes |
1 similar comment
|
I am closing this PR since there is no more interest wrt to this feature atm, not planning to work on it anytime soon. I will open once again when priority changes |
Description of your changes:
This PR adds the options in ObjectStore CRD for configuring OPA
authentication with RGW.
Resolves #8737
Signed-off-by: Jiffin Tony Thottan thottanjiffin@gmail.com
Checklist:
make codegen) has been run to update object specifications, if necessary.