diff --git a/bootstrapper/internal/kubernetes/kubernetes.go b/bootstrapper/internal/kubernetes/kubernetes.go
index aa1494755..fcafe20b8 100644
--- a/bootstrapper/internal/kubernetes/kubernetes.go
+++ b/bootstrapper/internal/kubernetes/kubernetes.go
@@ -507,6 +507,10 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, serviceConfig constell
 "yawolNetworkID": networkIDs[0],
 "yawolAPIHost": fmt.Sprintf("https://%s:%d", serviceConfig.loadBalancerIP, constants.KubernetesPort),
 }
+ cinderIni := creds.CloudINI().CinderCSIConfiguration()
+ extraVals["cinder-config"] = map[string]any{
+ "secretData": cinderIni,
+ }
 }
 return extraVals, nil
 }
diff --git a/cli/internal/helm/loader.go b/cli/internal/helm/loader.go
index 1c1455ff5..59b59ee9c 100644
--- a/cli/internal/helm/loader.go
+++ b/cli/internal/helm/loader.go
@@ -512,6 +512,7 @@ func extendConstellationServicesValues(
 case cloudprovider.OpenStack:
 in["openstack"] = map[string]any{
 "deployYawolLoadBalancer": cfg.DeployYawolLoadBalancer(),
+ "deployCSIDriver": cfg.DeployCSIDriver(),
 }
 if cfg.DeployYawolLoadBalancer() {
 in["yawol-controller"] = map[string]any{
diff --git a/internal/cloud/openstack/accountkey.go b/internal/cloud/openstack/accountkey.go
index 277f0cc1a..d781091e9 100644
--- a/internal/cloud/openstack/accountkey.go
+++ b/internal/cloud/openstack/accountkey.go
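Review bot: The string placed under `extraVals["cinder-config"]["secretData"]` is a complete cloud.conf that includes the cleartext OpenStack password (CinderCSIConfiguration formats `password = %s`), so every place that persists Helm values — the Helm release secret in the cluster, `helm get values`, any values dump in logs — now carries the credential a second time; the chart must render this value into a Secret only, never a ConfigMap, and the release-secret copy should be kept in mind when rotating the credential. The cinder values are also added unconditionally here, while loader.go gates the feature on `cfg.DeployCSIDriver()`; if the bootstrapper has access to that setting, guard the block with it so the credential is not materialized into a Secret when the driver is disabled. `creds` and the enclosing switch case are defined outside the hunk, and setupExtraVals starts before it.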
@@ -162,4 +162,28 @@ region = %s
 `, authURL, username, password, projectID, userDomainName, region)
 }
 
+// CinderCSIConfiguration returns the string representation of the CloudINI subset cinder expects.
+func (i CloudINI) CinderCSIConfiguration() string {
+ // sanitize parameters to not include newlines
+ authURL := newlineRegexp.ReplaceAllString(i.AuthURL, "")
+ username := newlineRegexp.ReplaceAllString(i.Username, "")
+ password := newlineRegexp.ReplaceAllString(i.Password, "")
+ projectID := newlineRegexp.ReplaceAllString(i.ProjectID, "")
+ projectName := newlineRegexp.ReplaceAllString(i.TenantName, "")
+ userDomainName := newlineRegexp.ReplaceAllString(i.UserDomainName, "")
+ tenantDomainName := newlineRegexp.ReplaceAllString(i.TenantDomainName, "")
+ region := newlineRegexp.ReplaceAllString(i.Region, "")
+
+ return fmt.Sprintf(`[Global]
+auth-url = %s
+username = %s
+password = %s
+project-id = %s
+project-name = %s
+user-domain-name = %s
+project-domain-name = %s
+region = %s
+`, authURL, username, password, projectID, projectName, userDomainName, tenantDomainName, region)
+}
+
 var newlineRegexp = regexp.MustCompile(`[\r\n]+`)
diff --git a/internal/cloud/openstack/accountkey_test.go b/internal/cloud/openstack/accountkey_test.go
index b46ce14a5..e9805e1d9 100644
--- a/internal/cloud/openstack/accountkey_test.go
+++ b/internal/cloud/openstack/accountkey_test.go
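Review bot: Stripping `[\r\n]+` stops a crafted value from adding keys or a new section, but the values are still emitted unquoted, so a password containing `#` or `;` would be cut off at that character if the consumer parses this with gcfg, which is what cloud-provider-openstack's cinder plugin uses as far as I know — to be confirmed against the chart's consumer. If that is the case, either double-quote the values (gcfg accepts `"..."` with backslash escapes) or state the character restriction in the doc comment; YawolConfiguration above has the same property. The eight `newlineRegexp.ReplaceAllString(..., "")` lines repeat the block in YawolConfiguration; a helper such as `func stripNewlines(s string) string { return newlineRegexp.ReplaceAllString(s, "") }` would make both functions read as the template they are. The doc comment should also say that the returned string contains the cleartext password and must be handled as secret material by every caller.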
@@ -194,3 +194,26 @@ domain-name = user-domain-name
 region = region-name
 `, ini.YawolConfiguration())
 }
+
+func TestCinderCSIConfiguration(t *testing.T) {
+ ini := CloudINI{
+ AuthURL: "auth-url",
+ Username: "username",
+ Password: "password",
+ ProjectID: "project-id",
+ TenantName: "project-name",
+ UserDomainName: "user-domain-name",
+ TenantDomainName: "project-domain-name",
+ Region: "region-name",
+ }
+ assert.Equal(t, `[Global]
+auth-url = auth-url
+username = username
+password = password
+project-id = project-id
+project-name = project-name
+user-domain-name = user-domain-name
+project-domain-name = project-domain-name
+region = region-name
+`, ini.CinderCSIConfiguration())
+}
diff --git a/internal/config/config.go b/internal/config/config.go
index 3800ca123..f79506633 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -239,6 +239,9 @@ type OpenStackConfig struct {
 // description: |
 // OpenStack flavor id used for yawollets. For details see: https://github.com/stackitcloud/yawol
 YawolFlavorID string `yaml:"yawolFlavorID"`
+ // description: |
+ // Deploy Cinder CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage
+ DeployCSIDriver *bool `yaml:"deployCSIDriver" validate:"required"`
 }
 
 // QEMUConfig holds config information for QEMU based Constellation deployments.
@@ -335,6 +338,7 @@ func Default() *Config {
 OpenStack: &OpenStackConfig{
 DirectDownload: toPtr(true),
 DeployYawolLoadBalancer: toPtr(true),
+ DeployCSIDriver: toPtr(true),
 },
 QEMU: &QEMUConfig{
 ImageFormat: "raw",
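Review bot: TestCinderCSIConfiguration only checks the pass-through case; the newline stripping, which is the part of CinderCSIConfiguration that keeps a crafted credential from smuggling extra keys into `[Global]`, is not exercised by this test. Extend it with a value that contains a line break and assert the output is unchanged, e.g. after the existing assertion `ini.Password = "pass\r\nword"` followed by `assert.Contains(t, ini.CinderCSIConfiguration(), "password = password\n")`. A matching case for YawolConfiguration would close the same gap there, if it is not covered elsewhere in the file.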
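Review bot: `DeployCSIDriver *bool` with `validate:"required"` makes every existing OpenStack config file that predates this key fail validation instead of taking the default, even though Config.DeployCSIDriver already treats a nil pointer as false. If the Azure and GCP fields carry the same tag (they are outside this hunk) this is consistent and only needs a migration note in the description, e.g. `// Deploy Cinder CSI driver with on-node encryption. Required; set to false to opt out.`; otherwise consider dropping `required` so the nil check is the fallback. The OpenStackConfig struct starts before the hunk.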
@@ -539,7 +543,8 @@ func (c *Config) UpdateMAAURL(maaURL string) {
 // DeployCSIDriver returns whether the CSI driver should be deployed for a given cloud provider.
 func (c *Config) DeployCSIDriver() bool {
 return c.Provider.Azure != nil && c.Provider.Azure.DeployCSIDriver != nil && *c.Provider.Azure.DeployCSIDriver ||
- c.Provider.GCP != nil && c.Provider.GCP.DeployCSIDriver != nil && *c.Provider.GCP.DeployCSIDriver
+ c.Provider.GCP != nil && c.Provider.GCP.DeployCSIDriver != nil && *c.Provider.GCP.DeployCSIDriver ||
+ c.Provider.OpenStack != nil && c.Provider.OpenStack.DeployCSIDriver != nil && *c.Provider.OpenStack.DeployCSIDriver
 }
 
 // DeployYawolLoadBalancer returns whether the Yawol load balancer should be deployed.
diff --git a/internal/config/config_doc.go b/internal/config/config_doc.go
index 4c48ddf11..992fb1082 100644
--- a/internal/config/config_doc.go
+++ b/internal/config/config_doc.go
@@ -277,7 +277,7 @@ func init() {
 FieldName: "openstack",
 },
 }
- OpenStackConfigDoc.Fields = make([]encoder.Doc, 17)
+ OpenStackConfigDoc.Fields = make([]encoder.Doc, 18)
 OpenStackConfigDoc.Fields[0].Name = "cloud"
 OpenStackConfigDoc.Fields[0].Type = "string"
 OpenStackConfigDoc.Fields[0].Note = ""
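Review bot: The new OpenStack operand in DeployCSIDriver is correct, but the three-line `&&`/`||` chain relies on operator precedence with no parentheses, and every provider repeats the nil-pointer dance, so the next addition is easy to get wrong. A one-line helper keeps the OR semantics and shrinks each operand, e.g. `isTrue := func(b *bool) bool { return b != nil && *b }` and then `c.Provider.OpenStack != nil && isTrue(c.Provider.OpenStack.DeployCSIDriver)` for each provider. The doc comment says "for a given cloud provider" although the method takes no provider argument; `// DeployCSIDriver returns whether the CSI driver should be deployed for the configured cloud provider.` matches what the code does.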
@@ -363,6 +363,11 @@ func init() { OpenStackConfigDoc.Fields[16].Note = "" OpenStackConfigDoc.Fields[16].Description = "OpenStack flavor id used for yawollets. For details see: https://github.com/stackitcloud/yawol" OpenStackConfigDoc.Fields[16].Comments[encoder.LineComment] = "OpenStack flavor id used for yawollets. For details see: https://github.com/stackitcloud/yawol" + OpenStackConfigDoc.Fields[17].Name = "deployCSIDriver" + OpenStackConfigDoc.Fields[17].Type = "bool" + OpenStackConfigDoc.Fields[17].Note = "" + OpenStackConfigDoc.Fields[17].Description = "Deploy Cinder CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage" + OpenStackConfigDoc.Fields[17].Comments[encoder.LineComment] = "Deploy Cinder CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage" QEMUConfigDoc.Type = "QEMUConfig" QEMUConfigDoc.Comments[encoder.LineComment] = "QEMUConfig holds config information for QEMU based Constellation deployments."