Skip to content

Add controller publish secrets to default RBD/CephFS StorageClasses #3374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Add controller publish secrets to default RBD/CephFS StorageClasses #3374

wants to merge 1 commit into from

Conversation

@iPraveenParihar
Copy link
Member

@iPraveenParihar iPraveenParihar commented Jul 15, 2025
edited
Loading

Ceph-CSI will be implementing ControllerPublishVolume()/ControllerUnpublishVolume() which requires
controller-publish-secret from StorageClass. The secret is needed to access the Ceph cluster for [add|remove] metadata/blocklist operations.

The following parameters to be added in default RBD/CephFS StorageClasses created by ocs-operator.

csi.storage.k8s.io/controller-publish-secret-name
csi.storage.k8s.io/controller-publish-secret-namespace

Story: https://issues.redhat.com/browse/RHSTOR-7598

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jul 15, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: iPraveenParihar
Once this PR has been reviewed and has the lgtm label, please assign nbalacha for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@iPraveenParihar iPraveenParihar force-pushed the csi/add-controller-publish-secret branch 2 times, most recently from d39673f to 28f6a00 Compare July 15, 2025 12:05
@iPraveenParihar
csi: add controller publish secret params for default RBD/CephFS SC
8039102 
ControllerPublishVolume()`/`ControllerUnpublishVolume()` requires
controller-publish-secret. The secret is needed to access the Ceph
cluster for metadata/blocklist operations.

The following parameters to be added in default RBD/CephFS
StorageClasses created by ocs-operator.

```
csi.storage.k8s.io/controller-publish-secret-name
csi.storage.k8s.io/controller-publish-secret-namespace
```

Signed-off-by: Praveen M <[email protected]>
@iPraveenParihar iPraveenParihar force-pushed the csi/add-controller-publish-secret branch from 28f6a00 to 8039102 Compare July 15, 2025 12:09
@iPraveenParihar
Copy link
Member Author

iPraveenParihar commented Jul 15, 2025

cc @Madhu-1 @Rakshith-R

@iPraveenParihar iPraveenParihar changed the title csi: add controller publish secret params for default RBD/CephFS StorageClasses Add controller publish secrets to default RBD/CephFS StorageClasses Jul 15, 2025
@Madhu-1
Copy link
Member

Madhu-1 commented Jul 15, 2025

@iPraveenParihar How about implementing the changes in ceph-csi first and later we can add the required parameters to the SC later?

@iPraveenParihar
Copy link
Member Author

iPraveenParihar commented Jul 15, 2025

@iPraveenParihar How about implementing the changes in ceph-csi first and later we can add the required parameters to the SC later?

Since theses changes are not dependent, thought raising the PR for reviews.
Anyway, these changes will not harm existing functionalities?

@Madhu-1
Copy link
Member

Madhu-1 commented Jul 15, 2025

@iPraveenParihar How about implementing the changes in ceph-csi first and later we can add the required parameters to the SC later?

Since theses changes are not dependent, thought raising the PR for reviews. Anyway, these changes will not harm existing functionalities?

Even we might not need this change if we just update the csi configmap with the right secrets. If this PR gets merged first, not have the cephcsi PR merged on time. we might end up having extra secrets in the storageclass but not the functionality.

@iPraveenParihar iPraveenParihar marked this pull request as draft July 15, 2025 13:53
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 15, 2025
@iPraveenParihar
Copy link
Member Author

iPraveenParihar commented Jul 24, 2025

@Madhu-1, since the ceph-csi PR is merged. Can we check on this?
Are you suggesting to not add controller secrets to StorageClass and add directly in ceph-csi-config Map?

Madhu-1
Madhu-1 reviewed Jul 24, 2025
View reviewed changes
Copy link
Member

@Madhu-1 Madhu-1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No harm in setting this one.

@iPraveenParihar if we set it in the Clientprofile CR, we dont need this change right? what is the benefit of setting it in both places?

@nb-ohad WDYT?

@iPraveenParihar
Copy link
Member Author

iPraveenParihar commented Jul 24, 2025

@iPraveenParihar if we set it in the Clientprofile CR, we dont need this change right? what is the benefit of setting it in both places?

If the controller secrets are not present in StorageClass, then Ceph-CSI will attempt to fetch by making a k8s API call.
For now, ceph-csi doesn't have a cache mechanism so it would be a load on k8s API server making a call for each PV.

Its just having controller-publish-secret{name|namespace} parameter in StorageClass, should not harm?

@Madhu-1
Copy link
Member

Madhu-1 commented Jul 24, 2025

@iPraveenParihar if we set it in the Clientprofile CR, we dont need this change right? what is the benefit of setting it in both places?

If the controller secrets are not present in StorageClass, then Ceph-CSI will attempt to fetch by making a k8s API call. For now, ceph-csi doesn't have a cache mechanism so it would be a load on k8s API server making a call for each PV.

If the secrets are present its the same. it will be fetched by the external attacher itself, i dont think it uses cache client. Does it uses cache client?

Its just having controller-publish-secret{name|namespace} parameter in StorageClass, should not harm?

No harm, just waiting for confirmation, what i heard was the ODF has plan to move to configmap not to add more secrets to the storageclass. tagged Ohad to confirm on that one.

@iPraveenParihar
Copy link
Member Author

iPraveenParihar commented Jul 24, 2025

If the secrets are present its the same. it will be fetched by the external attacher itself, i dont think it uses cache client. Does it uses cache client?

My bad, I was assuming it uses cache client. Then it should be fine.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 24, 2025
@openshift-merge-robot
Copy link
Contributor

openshift-merge-robot commented Sep 24, 2025

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@Madhu-1 Madhu-1 Madhu-1 left review comments

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@iPraveenParihar @Madhu-1 @openshift-merge-robot