PV Support for VSecM Safe (#947)

* added volume claim templates

Signed-off-by: Volkan Özçelik <[email protected]>

* new yamls

Signed-off-by: Volkan Özçelik <[email protected]>

* update makefiles

Signed-off-by: Volkan Özçelik <[email protected]>

* pvc

Signed-off-by: Volkan Özçelik <[email protected]>

* storageclass fix

Signed-off-by: Volkan Özçelik <[email protected]>

* vsecm-data

Signed-off-by: Volkan Özçelik <[email protected]>

* update build script

Signed-off-by: Volkan Özçelik <[email protected]>

* wait

Signed-off-by: Volkan Özçelik <[email protected]>

* condition

Signed-off-by: Volkan Özçelik <[email protected]>

* removed volume claim templates

Signed-off-by: Volkan Özçelik <[email protected]>

---------

Signed-off-by: Volkan Özçelik <[email protected]>

Author: v0lkan

core/env/safe.go

@@ -230,11 +230,12 @@ func ManualRootKeyUpdatesK8sSecret() bool {
 
 // DataPathForSafe returns the path to the safe data directory.
 // The path is determined by the VSECM_SAFE_DATA_PATH environment variable.
-// If the environment variable is not set, the default path "/data" is returned.
+// If the environment variable is not set, the default path "/var/local/vsecm/data"
+// is returned.
 func DataPathForSafe() string {
 	p := os.Getenv("VSECM_SAFE_DATA_PATH")
 	if p == "" {
-		p = "/data"
+		p = "/var/local/vsecm/data"
 	}
 	return p
 }

core/env/safe_test.go

@@ -599,7 +599,7 @@ func TestSafeDataPath(t *testing.T) {
 	}{
 		{
 			name: "default_safe_data_path",
-			want: "/data",
+			want: "/var/local/vsecm/data",
 		},
 		{
 			name: "safe_data_path_from_env",

docs/_pages/0260-changelog.md

@@ -18,7 +18,13 @@ next_url: /docs/releases/
 
 ## Recent Updates
 
-TBD
+* Converted VSecM Safe and SPIRE Server to StatefulSets (because they are stateful).
+* VSecM Sentinel "init command" loop now exits the container if it cannot execute
+  commands after exponential backoff. The former behavior was to retry forever,
+  and that was not a cloud-native way of handling the situation. Panicking 
+  early and thus killing the pod fixed issues with things like persistent volumes
+  and CSI drivers.
+* Minor bug fixes in the VSecM Sentinel init command workflow.
 
 ## [0.25.0] - 2024-04-24
 

examples/workshop_federation/cluster-2/safe/Deployment.yaml

@@ -65,7 +65,7 @@ spec:
             - name: VSECM_SAFE_SPIFFEID_PREFIX
               value: "spiffe://cluster2.demo/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/"
             - name: VSECM_SAFE_DATA_PATH
-              value: "/data"
+              value: "/var/local/vsecm/data"
             - name: VSECM_ROOT_KEY_NAME
               value: "vsecm-root-key"
             - name: VSECM_ROOT_KEY_PATH

helm-charts/0.25.1/charts/safe/templates/Deployment.yaml renamed to helm-charts/0.25.1/charts/safe/templates/StatefulSet.yaml

@@ -9,7 +9,7 @@
 # */
 
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   name: {{ include "safe.fullname" . }}
   namespace: {{ .Values.global.vsecm.namespace }}
@@ -50,11 +50,12 @@ spec:
               name: http
               protocol: TCP
           volumeMounts:
+            - name: vsecm-data
+              mountPath: {{ .Values.data.hostPath.path }}
+              readOnly: false
             - name: spire-agent-socket
               mountPath: /spire-agent-socket
               readOnly: true
-            - name: vsecm-data
-              mountPath: /data
             - name: vsecm-root-key
               mountPath: /key
               readOnly: true
@@ -99,20 +100,34 @@ spec:
           csi:
             driver: "csi.spiffe.io"
             readOnly: true
+
+{{- if not .Values.data.persistent }}
         # `vsecm-data` is used to persist the encrypted backups of the secrets.
         - name: vsecm-data
-          {{- if .Values.data.persistent }}
-          persistentVolumeClaim:
-            claimName: {{ .Values.data.persistentVolumeClaim.claimName }}
-          {{- else }}
           hostPath:
             path: {{ .Values.data.hostPath.path }}
             type: DirectoryOrCreate
-          {{- end }}
+{{- end}}
+
         # `vsecm-root-key` stores the encryption keys to restore secrets from vsecm-data.
         - name: vsecm-root-key
           secret:
             secretName: {{ .Values.rootKeySecretName }}
             items:
               - key: KEY_TXT
                 path: key.txt
+
+{{- if .Values.data.persistent }}
+  volumeClaimTemplates:
+    - metadata:
+        name: vsecm-data
+      spec:
+        accessModes:
+          - {{ .Values.data.persistentVolumeClaim.accessMode | default "ReadWriteOnce" }}
+        resources:
+          requests:
+            storage: {{ .Values.data.persistentVolumeClaim.size }}
+        {{- if .Values.data.persistentVolumeClaim.storageClass }}
+        storageClassName: {{ .Values.data.persistentVolumeClaim.storageClass }}
+        {{- end }}
+{{- end }}

helm-charts/0.25.1/charts/safe/values.yaml

@@ -22,7 +22,10 @@ data:
   persistent: false
   # Define the PVC if `persistent` is true.
   persistentVolumeClaim:
-    claimName: "your-pvc-name" # Replace with your PVC name.
+    storageClass: ""
+    accessMode: ReadWriteOnce
+    size: 1Gi
+
   # Define the hostPath if `persistent` is false.
   hostPath:
     path: "/var/local/vsecm/data"
@@ -45,7 +48,7 @@ environments:
   - name: VSECM_ROOT_KEY_PATH
     value: "/key/key.txt"
   - name: VSECM_SAFE_DATA_PATH
-    value: "/data"
+    value: "/var/local/vsecm/data"
   - name: VSECM_SAFE_ENDPOINT_URL
     value: "https://vsecm-safe.vsecm-system.svc.cluster.local:8443/"
   - name: VSECM_SAFE_FIPS_COMPLIANT

helm-charts/0.25.1/charts/spire/templates/spire-server-app.yaml renamed to helm-charts/0.25.1/charts/spire/templates/spire-server-stateful-set.yaml

@@ -9,22 +9,15 @@
 # */
 
 apiVersion: apps/v1
-{{- if eq .Values.server.kind "deployment" }}
-kind: Deployment
-{{- else }}
 kind: StatefulSet
-{{- end }}
 metadata:
   name: spire-server
   namespace: {{ .Values.global.spire.namespace }}
   labels:
     app: spire-server
     app.kubernetes.io/component: server
 spec:
-  {{- if eq .Values.server.kind "statefulset" }}
-  # noinspection KubernetesUnknownKeys
   serviceName: spire-server
-  {{- end }}
   replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
@@ -132,6 +125,6 @@ spec:
           requests:
             storage: {{ .Values.data.persistentVolumeClaim.size }}
         {{- if .Values.data.persistentVolumeClaim.storageClass }}
-        storageClassName: {{ .Values.data.persistentVolumeClaim }}
+        storageClassName: {{ .Values.data.persistentVolumeClaim.storageClass }}
         {{- end }}
   {{- end }}

helm-charts/0.25.1/charts/spire/values.yaml

@@ -17,11 +17,6 @@
 ## @param replicaCount SPIRE server currently runs with a sqlite database. Scaling to multiple instances will not work until we use an external database.
 replicaCount: 1
 
-## @param server.kind Define SPIRE server deployment type. 
-## Can be statefulset/deployment. Defaults to statefulset if not set. This feature is experimental.
-server:
-  kind: deployment
-
 # Override it with an image pull secret that you need as follows:
 # imagePullSecrets:
 #  - name: my-registry-secret