Commit 3bab129

Added TLS Support to ObjectStore endpoint (#405)
1. Added HTTPS Support to COSI (#404): Now HTTPS with TLS Cert support is added.
2. Fixed wrong image registry in the manual kustomization (#397): Manual deployment specs fixed.
3. Fixed Helm install fails due to account_name reference in secret template (#411): account_name ref fixed in helm deployment.
1 parent c7c00aa commit 3bab129

15 files changed

+280
-56
lines changed

Makefile

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,9 @@ CMDS=cosi-driver-nutanix
1717
REGISTRY_NAME=ghcr.io/nutanix-cloud-native/cosi-driver-nutanix
1818
IMAGE_TAG=latest
1919

20+
LOCAL_IMAGE_NAME=cosi-driver-nutanix
21+
LOCAL_IMAGE_TAG=debug
22+
2023
all: build
2124

2225
.PHONY: build-% build container-% container clean
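Review bot: `LOCAL_IMAGE_NAME` and `LOCAL_IMAGE_TAG=debug` are assigned with `=`, which allows a command-line override (`make local LOCAL_IMAGE_TAG=dev`) but ignores values already set in the developer's environment; if the intent is for these to be picked up from the shell the way `REGISTRY_NAME` and `IMAGE_TAG` presumably are, `?=` is the usual choice. Either way a one-line comment saying these two are for local debug builds only, not for anything pushed, would make the distinction from `REGISTRY_NAME`/`IMAGE_TAG` obvious.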
@@ -50,3 +53,8 @@ docker-push:
5053

5154
clean:
5255
-rm -rf bin
56+
57+
# Creates an image of the driver in local environment
58+
local-%: build-%
59+
docker build -t $(LOCAL_IMAGE_NAME):$(LOCAL_IMAGE_TAG) -f package/docker/Dockerfile --label revision=$(REV) .
60+
local: $(CMDS:%=local-%)
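Review bot: the new `local` and `local-%` targets are not added to the `.PHONY` list (`.PHONY: build-% build container-% container clean` in the previous hunk), so a file or directory named `local` in the repo root would make `make local` report "up to date" and skip the build; add `local-% local` to that list next to `container-% container`.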

README.md

Lines changed: 22 additions & 0 deletions
@@ -42,7 +42,13 @@ $ cd cosi-driver-nutanix
4242
- `ACCESS_KEY` : Nutanix Object Store Access Key
4343
- `SECRET_KEY` : Nutanix Object Store Secret Key
4444
- `PC_SECRET` : Prism Central Credentials in the form 'prism-ip:prism-port:username:password'
45+
- `S3_INSECURE` : Controls whether certificate chain will be validated for S3 endpoint (Default: "false")
46+
- `PC_INSECURE` : Controls whether certificate chain will be validated for Prism Central (Default: "false")
4547
- `ACCOUNT_NAME` (Optional) : DisplayName identifier prefix for Nutanix Object Store (Default_Prefix: ntnx-cosi-iam-user)
48+
- `S3_CA_CERT` (Optional) : Base64 encoded content of the root certificate authority file for S3 endpoint (Default: "")
49+
- `PC_CA_CERT` (Optional) : Base64 encoded content of the root certificate authority file for Prism Central (Default: "")
50+
51+
**NOTE**: Certificates should be in `PEM` encoded format.
4652

4753
**Pre-requisites:**
4854
Already deployed Nutanix object-store
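Review bot: `S3_INSECURE` and `PC_INSECURE` have defaults but, unlike `ACCOUNT_NAME`, are not marked `(Optional)`, and "Controls whether certificate chain will be validated" does not say which value does what; spell out that `"true"` switches certificate verification off entirely (suitable only for lab or test setups) and that `"false"` is the safe default. Since `S3_CA_CERT` and `PC_CA_CERT` are both listed as optional, the list should also say what happens when `S3_INSECURE` is `"false"` and `S3_CA_CERT` is empty (system trust store, or connection failure), because that is the combination a first-time user with a publicly signed certificate will hit.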
@@ -165,6 +171,22 @@ Update the `objectstorage-provisioner` secret that is used by the running provis
165171
# PC Credentials in format <prism-ip>:<prism-port>:<user>:<password>.
166172
# eg. "<ip>:<port>:user:password"
167173
PC_SECRET: ""
174+
# Controls whether certificate chain will be validated for S3 endpoint
175+
# If INSECURE is set to true, an insecure connection will be made with
176+
# the S3 endpoint (Certs will not be used)
177+
S3_INSECURE: "false"
178+
# Controls whether certificate chain will be validated for Prism Central
179+
# If INSECURE is set to true, an insecure connection will be made with
180+
# the PC endpoint (Certs will not be used)
181+
PC_INSECURE: "false"
182+
# Base64 encoded content of the root certificate authority file for S3 endpoint
183+
# empty if no certs should be used.
184+
# Example,
185+
# S3_CA_CERT: "LS0tLS1CRU...SUZJQ0FURS0tLS0tCg=="
186+
S3_CA_CERT: ""
187+
# Base64 encoded content of the root certificate authority file for Prism Central
188+
# empty if no certs should be used.
189+
PC_CA_CERT: ""
168190
```
169191
170192
Then restart the provisioner pod so that the new secret changes getting mounted on the new pod and will thereon be used.
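Review bot: the comments for `S3_INSECURE`/`PC_INSECURE` describe the `true` case as "Certs will not be used", but the consequence an operator needs to see is that the server certificate is not verified at all, so the `ACCESS_KEY`, `SECRET_KEY` and `PC_SECRET` values in this same secret are sent to whatever answers on the endpoint; say that directly in the comment. `S3_CA_CERT` gets a worked example (`LS0tLS1CRU...`) while `PC_CA_CERT` does not; mirror it or state that the same format applies, and make clear that the value is the Base64 of the PEM file text, since "Base64 encoded content of the root certificate authority file" leaves open whether the PEM text or the DER bytes are meant.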

charts/Chart.yaml

Lines changed: 2 additions & 2 deletions
@@ -2,9 +2,9 @@ apiVersion: v2
22
name: cosi-driver-nutanix
33
description: A Helm chart to deploy Nutanix COSI driver
44
type: application
5-
version: 0.0.4
5+
version: 0.5.0
66

7-
appVersion: "v0.0.4"
7+
appVersion: "v0.5.0"
88

99
icon: https://www.nutanix.com/content/dam/nutanix/global/icons/products/svg/Nutanix-Objects-40.svg
1010
annotations:

charts/README.md

Lines changed: 47 additions & 28 deletions
@@ -39,34 +39,39 @@ To know more about the various flag options used with upgrade command check out
3939

4040
The following table lists the configurable parameters of the cosi-driver-nutanix chart and their default values.
4141

42-
| Parameter | Description | Default |
43-
|----------------------------------------------------|----------------------------------------------------------------------------|------------------------------------------------------------------------------|
44-
| `nameOverride` | To override the name of the cosi-driver chart | `""` |
45-
| `fullnameOverride` | To override the full name of the cosi-driver chart | `""` |
46-
| `image.registry` | Image registry for cosi-driver-nutanix sidecar | `ghcr.io/` |
47-
| `image.repository` | Image repository for cosi-driver-nutanix sidecar | `nutanix-cloud-native/cosi-driver-nutanix` |
48-
| `image.tag` | Image tag for cosi-driver-nutanix sidecar | `""` |
49-
| `image.pullPolicy` | Image registry for cosi-driver-nutanix sidecar | `IfNotPresent` |
50-
| `secret.enabled` | Enables K8s secret deployment for Nutanix Object Store | `true` |
51-
| `secret.endpoint` | Nutanix Object Store instance endpoint | `""` |
52-
| `secret.access_key` | Admin IAM Access key to be used for Nutanix Objects | `""` |
53-
| `secret.secret_key` | Admin IAM Secret key to be used for Nutanix Objects | `""` |
54-
| `secret.pc_ip` | PC ip | `""` |
55-
| `secret.pc_port` | PC port | `""` |
56-
| `secret.pc_username` | PC username | `""` |
57-
| `secret.pc_password` | PC password | `""` |
58-
| `secret.account_name` | Account Name is a displayName identifier Prefix for Nutanix | `"ntnx-cosi-iam-user"` |
59-
| `cosiController.enabled` | Whether to create the COSI central controller deployment and its resources | `true` |
60-
| `cosiController.logLevel` | Verbosity of logs for COSI central controller deployment | `5` |
61-
| `cosiController.image.registery` | Image registry for COSI central controller deployment | `gcr.io/` |
62-
| `cosiController.image.repository` | Image repository for COSI central controller deployment | `k8s-staging-sig-storage/objectstorage-controller` |
63-
| `cosiController.image.tag` | Image tag for COSI central controller deployment | `v20250110-a29e5f6` |
64-
| `cosiController.image.pullPolicy` | Image pull policy for COSI central controller deployment | `Always` |
65-
| `objectstorageProvisionerSidecar.logLevel` | Verbosity of logs for COSI sidecar | `5` |
66-
| `objectstorageProvisionerSidecar.image.registery` | Image registry for COSI sidecar | `gcr.io/` |
67-
| `objectstorageProvisionerSidecar.image.repository` | Image repository for COSI sidecar | `k8s-staging-sig-storage/objectstorage-sidecar/objectstorage-sidecar@sha256` |
68-
| `objectstorageProvisionerSidecar.image.tag` | Image tag for COSI sidecar | `589c0ad4ef5d0855fe487440e634d01315bc3d883f91c44cb72577ea6e12c890` |
69-
| `objectstorageProvisionerSidecar.image.pullPolicy` | Image pull policy for COSI sidecar | `Always` |
42+
| Parameter | Description | Required | Default |
43+
|----------------------------------------------------|----------------------------------------------------------------------------|----------|------------------------------------------------------------------------------|
44+
| `nameOverride` | To override the name of the cosi-driver chart | No | `""` |
45+
| `fullnameOverride` | To override the full name of the cosi-driver chart | No | `""` |
46+
| `image.registry` | Image registry for cosi-driver-nutanix sidecar | Yes | `ghcr.io/` |
47+
| `image.repository` | Image repository for cosi-driver-nutanix sidecar | Yes | `nutanix-cloud-native/cosi-driver-nutanix` |
48+
| `image.tag` | Image tag for cosi-driver-nutanix sidecar | No | `""` |
49+
| `image.pullPolicy` | Image registry for cosi-driver-nutanix sidecar | Yes | `IfNotPresent` |
50+
| `secret.enabled` | Enables K8s secret deployment for Nutanix Object Store | Yes | `true` |
51+
| `secret.endpoint` | Nutanix Object Store instance endpoint | Yes | `""` |
52+
| `secret.access_key` | Admin IAM Access key to be used for Nutanix Objects | Yes | `""` |
53+
| `secret.secret_key` | Admin IAM Secret key to be used for Nutanix Objects | Yes | `""` |
54+
| `secret.pc_ip` | PC ip | Yes | `""` |
55+
| `secret.pc_port` | PC port | Yes | `""` |
56+
| `secret.pc_username` | PC username | Yes | `""` |
57+
| `secret.pc_password` | PC password | Yes | `""` |
58+
| `secret.account_name` | Account Name is a displayName identifier Prefix for Nutanix | No | `"ntnx-cosi-iam-user"` |
59+
| `tls.caSecretName` | Specify an existing secret name to use for the tls certificates | No | `""` |
60+
| `tls.s3.insecure` | Controls whether S3 certificate chain will be validated | Yes | `false` |
61+
| `tls.s3.rootCAs` | Base64 encoded content of root certificate for objectstore | No | `""` |
62+
| `tls.pc.insecure` | Controls whether PC certificate chain will be validated | Yes | `false` |
63+
| `tls.pc.rootCAs` | Base64 encoded content of root certificate for Prism Central | No | `""` |
64+
| `cosiController.enabled` | Whether to create the COSI central controller deployment and its resources | Yes | `true` |
65+
| `cosiController.logLevel` | Verbosity of logs for COSI central controller deployment | No | `5` |
66+
| `cosiController.image.registery` | Image registry for COSI central controller deployment | No | `gcr.io/` |
67+
| `cosiController.image.repository` | Image repository for COSI central controller deployment | No | `k8s-staging-sig-storage/objectstorage-controller` |
68+
| `cosiController.image.tag` | Image tag for COSI central controller deployment | No | `v20250110-a29e5f6` |
69+
| `cosiController.image.pullPolicy` | Image pull policy for COSI central controller deployment | No | `Always` |
70+
| `objectstorageProvisionerSidecar.logLevel` | Verbosity of logs for COSI sidecar | Yes | `5` |
71+
| `objectstorageProvisionerSidecar.image.registery` | Image registry for COSI sidecar | Yes | `gcr.io/` |
72+
| `objectstorageProvisionerSidecar.image.repository` | Image repository for COSI sidecar | Yes | `k8s-staging-sig-storage/objectstorage-sidecar/objectstorage-sidecar@sha256` |
73+
| `objectstorageProvisionerSidecar.image.tag` | Image tag for COSI sidecar | Yes | `589c0ad4ef5d0855fe487440e634d01315bc3d883f91c44cb72577ea6e12c890` |
74+
| `objectstorageProvisionerSidecar.image.pullPolicy` | Image pull policy for COSI sidecar | Yes | `Always` |
7075

7176
### Configuration examples:
7277

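Review bot: the new Required column contradicts the defaults in the same rows: `tls.s3.insecure` and `tls.pc.insecure` are marked Yes but default to `false`, `image.pullPolicy` is Yes with default `IfNotPresent`, and `objectstorageProvisionerSidecar.logLevel` is Yes while `cosiController.logLevel` is No; pick one meaning for Required (no default and the chart fails without it, as the `required` calls in `secret.yaml` do) and apply it to every row. Two errors carried over from the old table could be fixed while these rows are being rewritten: `image.pullPolicy` is still described as "Image registry for cosi-driver-nutanix sidecar" (it is the pull policy), and the key `image.registery` is misspelled in both the `cosiController` and `objectstorageProvisionerSidecar` rows, unless the values file really uses that spelling, in which case that deserves a note.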
@@ -88,6 +93,20 @@ Install the driver in the `cosi-driver-nutanix` namespace (add the `--create-nam
8893
helm install cosi-driver -n cosi-driver-nutanix -f values.yaml .
8994
```
9095

96+
### Steps to add the TLS certificates to the installation of COSI:
97+
In `values.yaml` file,
98+
1. Ensure `tls.s3.insecure` and `tls.pc.insecure` are set to `false`.
99+
2. Add the root CA certificate in the `tls.s3.rootCAs` (for S3 endpoint) and `tls.pc.rootCAs` (for Prism Central) in Base64 encoded format. Eg: `rootCAs: "LS0tLS1CRUdJTiBDRVJUS...USUZJQ0FURS0tLS0tCg=="`
100+
101+
If using private k8s secret for storing certs, add the k8s secret name in the `tls.caSecretName` field. The secret should be in the same namespace as the driver pod. Secret can be created in this way:
102+
```console
103+
kubectl create secret generic cacert --from-file=S3_CA_CERT=s3_cert.pem --from-file=PC_CA_CERT=pc_cert.crt -n cosi-driver-nutanix
104+
```
105+
Then add the secret name ("cacert") in `values.yaml` `tls.caSecretName` field.
106+
107+
**NOTE**: Certificates should be in `PEM` encoded format.
108+
109+
91110
### Steps to update the Nutanix Object store details while installing COSI:
92111
1. Open Prism Central UI in any browser and go the objects page. In the below screenshot, already an object store called `cosi` is deployed which is ready for use. On the right side of the object store, you will see the objects Public IPs which you can use as the endpoint in the format: `http:<objects public ip>:80`.
93112
<img width="1512" alt="Screenshot 2023-08-10 at 4 31 41 PM" src="https://github.com/nutanix-cloud-native/cosi-driver-nutanix/assets/44068648/ee0d9ef9-5c5a-4a5a-a0c0-ef2d76db118c">
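Review bot: step 2 says `tls.s3.rootCAs` takes the certificate in Base64 encoded form, while the `kubectl create secret generic cacert --from-file=S3_CA_CERT=s3_cert.pem ...` command stores the raw PEM bytes under the same `S3_CA_CERT` key that the chart otherwise fills from `tls.s3.rootCAs`; either the driver accepts both encodings or one of the two paths is wrong, and this section should say which. If the secret path also expects Base64, the command needs a pre-encoded file or `--from-literal` with the encoded string. It should also say that the secret must contain both `S3_CA_CERT` and `PC_CA_CERT` whenever the matching `insecure` flag is `false`, because `secret.yaml` omits those keys entirely once `tls.caSecretName` is set, so nothing else supplies them.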

charts/templates/deploy.yaml

Lines changed: 4 additions & 0 deletions
@@ -31,6 +31,10 @@ spec:
3131
- envFrom:
3232
- secretRef:
3333
name: objectstorage-provisioner
34+
{{- if .Values.tls.caSecretName }}
35+
- secretRef:
36+
name: {{ .Values.tls.caSecretName }}
37+
{{- end }}
3438
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
3539
imagePullPolicy: {{ .Values.image.pullPolicy }}
3640
name: cosi-driver-nutanix
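Review bot: the added `secretRef` has no `optional` field, so a missing or misspelled `tls.caSecretName` leaves the pod in `CreateContainerConfigError` rather than running without a CA; that fail-closed behaviour is the right choice and deserves a short comment in the template so nobody later adds `optional: true`. Note also that with two `envFrom` sources a key present in both is taken from the last source listed, so the CA secret would override `objectstorage-provisioner` for any shared key; today `secret.yaml` leaves out `S3_CA_CERT`/`PC_CA_CERT` when `caSecretName` is set, so there is no clash, but the ordering of the two entries is load-bearing.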

charts/templates/secret.yaml

Lines changed: 9 additions & 1 deletion
@@ -10,9 +10,17 @@ metadata:
1010
namespace: {{ .Release.Namespace }}
1111
stringData:
1212
ACCESS_KEY: {{ required "access_key is required." .Values.secret.access_key | quote }}
13-
ACCOUNT_NAME: {{ .Values.account_name | quote }}
13+
ACCOUNT_NAME: {{ .Values.secret.account_name | quote }}
1414
ENDPOINT: {{ required "endpoint is required." .Values.secret.endpoint | quote }}
1515
PC_SECRET: "{{ required "pc_ip is required." .Values.secret.pc_ip }}:{{ required "pc_port is required." .Values.secret.pc_port }}:{{ required "pc_username is required." .Values.secret.pc_username }}:{{ required "pc_password is required." .Values.secret.pc_password }}"
1616
SECRET_KEY: {{ required "secret_key is required." .Values.secret.secret_key | quote }}
17+
S3_INSECURE: {{ .Values.tls.s3.insecure | default "false" | quote }}
18+
PC_INSECURE: {{ .Values.tls.pc.insecure | default "false" | quote }}
19+
{{- if and (not .Values.tls.caSecretName ) (eq .Values.tls.s3.insecure false) }}
20+
S3_CA_CERT: {{ required "CA Certificate required if insecure set to false" .Values.tls.s3.rootCAs }}
21+
{{- end }}
22+
{{- if and (not .Values.tls.caSecretName ) (eq .Values.tls.pc.insecure false) }}
23+
PC_CA_CERT: {{ required "CA Certificate required if insecure set to false" .Values.tls.pc.rootCAs }}
24+
{{- end }}
1725
type: Opaque
1826
{{- end }}
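Review bot: `eq .Values.tls.s3.insecure false` only works when the value is a real boolean; a string `"false"` (from `--set-string` or a quoted value in `values.yaml`) makes Go's `eq` fail with an incompatible-types error, and a chart user upgrading with an older `values.yaml` that has no `tls` block gets a nil-pointer error on `.Values.tls.s3`. Comparing on `(toString .Values.tls.s3.insecure)` (and the same for `pc`) handles both representations, and a `tls` section with safe defaults in `values.yaml` removes the nil case. `S3_CA_CERT` and `PC_CA_CERT` are also emitted without `| quote` while every other key in this block is quoted; add it for consistency. Finally, requiring `rootCAs` whenever `insecure` is `false` means a publicly trusted server certificate cannot be used without shipping its CA; if the driver falls back to the system trust store on an empty value, the `required` should go, and if it does not, the README should say so.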
