New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ceph: add opa config options to ObjectStoreSpec #8731
Conversation
This PR adds the options in ObjectStore CRD for configuring OPA authentication with RGW. Signed-off-by: Jiffin Tony Thottan <thottanjiffin@gmail.com>
@thotz Is this related to a BZ or feature request? |
Yes it would be helpful just to have more background on requirements for new features, thanks. |
// +kubebuilder:validation:MinLength=1 | ||
// +kubebuilder:validation:Required | ||
// +required | ||
URL string `json:"url,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
URL string `json:"url,omitempty"` | |
URL string `json:"url"` |
Since this is required.
// +kubebuilder:validation:MinLength=1 | ||
// +kubebuilder:validation:Required | ||
// +required | ||
Token string `json:"token,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Token string `json:"token,omitempty"` | |
Token string `json:"token"` |
@@ -210,6 +210,19 @@ func TestSSLPodSpec(t *testing.T) { | |||
s, err = c.makeRGWPodSpec(rgwConfig) | |||
assert.NoError(t, err) | |||
podTemplate = cephtest.NewPodTemplateSpecTester(t, &s) | |||
podTemplate.RunFullSuite(cephconfig.RgwType, "default", "rook-ceph-rgw", "mycluster", "quay.io/ceph/ceph:myversion", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is this actually testing?
if c.store.Spec.Security.OpenPolicyAgentService.VerifySSL != nil { | ||
container.Args = append(container.Args, | ||
cephconfig.NewFlag("rgw opa verify ssl", | ||
strconv.FormatBool(*c.store.Spec.Security.OpenPolicyAgentService.VerifySSL))) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the bool pointer really necessary? If it's not required why not just let the default. false
?
We need to know how to prioritize incoming feature requests. A new Rook issue is good, but let's get a BZ (or Jira?) against OCS/ODF that PM can prioritize. Since this is a cross-team request, we have to have an understanding of who needs it, when they need it, and why they need it. We cannot guarantee that Rook upstream can spend time on under-the-table requests like this. |
I have opened a Jira ticket https://issues.redhat.com/browse/RGW-173 in the RGW kanban board as beginning, try to involve more people to get more understanding about the plan on the ticket |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also see my comment about having a new entry like IdentityManagement
to have OPA and LDAP under it
@@ -199,6 +201,15 @@ $ vault write -f transit/keys/<mybucketkey> exportable=true # transit engine | |||
|
|||
* TLS authentication with custom certs between Vault and RGW are yet to be supported. | |||
|
|||
Here example for OPA config: | |||
```yaml | |||
opa: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's avoid non-obvious acronyms in the CR property names
opa: | |
openPolicyAgent: |
token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 | ||
verifySSL: true | ||
``` | ||
The config options include url, token for the OPA service. The TLS certs can be passed with help `caBundleRef`. For more details w.r.t RGW, please refer [Ceph OPA documentation](https://docs.ceph.com/en/latest/radosgw/opa/). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The config options include url, token for the OPA service. The TLS certs can be passed with help `caBundleRef`. For more details w.r.t RGW, please refer [Ceph OPA documentation](https://docs.ceph.com/en/latest/radosgw/opa/). | |
The config options include url, token for the OPA service. The TLS certs can be passed with help `caBundleRef`. For more details, please refer to the [Ceph OPA documentation](https://docs.ceph.com/en/latest/radosgw/opa/). |
// Indicate whether the server certificate is validated by the client or not | ||
// +optional | ||
// +nullable | ||
VerifySSL *bool `json:"verifySSL,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the behavior of "not set" and "false" the same? If so, how about removing the pointer for simplicity?
VerifySSL *bool `json:"verifySSL,omitempty"` | |
VerifySSL bool `json:"verifySSL,omitempty"` |
// +optional | ||
// +nullable | ||
VerifySSL *bool `json:"verifySSL,omitempty"` | ||
// Token is the token for the OPA |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Token is the token for the OPA | |
// Token for the OPA |
I think #8579 is the more high priority item that we definitely have in our requirements for ODF 4.10. Let's focus on that PR first. |
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions. |
This pull request has merge conflicts that must be resolved before it can be merged. @thotz please rebase it. https://rook.io/docs/rook/latest/development-flow.html#updating-your-fork |
I am closing this PR since there is no more interest wrt to this feature atm, not planning to work on it anytime soon. I will open once again when priority changes |
1 similar comment
I am closing this PR since there is no more interest wrt to this feature atm, not planning to work on it anytime soon. I will open once again when priority changes |
Description of your changes:
This PR adds the options in ObjectStore CRD for configuring OPA
authentication with RGW.
Resolves #8737
Signed-off-by: Jiffin Tony Thottan thottanjiffin@gmail.com
Checklist:
make codegen
) has been run to update object specifications, if necessary.