
rfc: add secure pv injection rfc #1204

Draft. Wants to merge 1 commit into base: main

Conversation

davidweisse (Contributor)

No description provided.

@davidweisse added the "no changelog" label (PRs not listed in the release notes) on Feb 3, 2025
Comment on lines 55 to 56
- A PVC with the name `state` will be added to the resource with size specified
by `contrast.edgeless.systems/secure-pv-size` or 1Gi by default.
Contributor

This only works for resources that support VolumeClaimTemplates (i.e. StatefulSet), right? I think we should also support a simple pod with a pre-existing pvc, or a DaemonSet with a hostPath device. So I'd say we should assume existence of a volume with a given name and work from there. The name of the emptyDir should probably stay an input, so the annotation should go something like

  contrast.edgeless.systems/secure-pv: "my-volume-name:my-volume-mount-name"

This format would also allow straightforward extension to $n > 1$ volumes.
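One way to parse the annotation format proposed in this comment, as an added Go example that is not part of the RFC or of the Contrast code base; it assumes a comma separates pairs when n > 1 volumes are given and that names must be valid DNS-1123 labels:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SecurePVSpec pairs a volume already declared in the pod spec (a PVC, a
// hostPath device, ...) with the name of the emptyDir to inject for the
// decrypted filesystem the workload mounts.
type SecurePVSpec struct {
	VolumeName string // existing volume holding the encrypted block device
	MountName  string // emptyDir to be added for the decrypted mount
}

// Volume names must be DNS-1123 labels of at most 63 characters. Using this
// as the validation rule is an assumption of this example; the RFC states none.
var dnsLabel = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// ParseSecurePVAnnotation parses the proposed value "vol:mount[,vol:mount...]".
// The comma between pairs is an assumption made here to cover n > 1 volumes.
func ParseSecurePVAnnotation(value string) ([]SecurePVSpec, error) {
	var specs []SecurePVSpec
	seen := map[string]bool{} // all names share one namespace in pod.spec.volumes
	for _, entry := range strings.Split(value, ",") {
		parts := strings.Split(strings.TrimSpace(entry), ":")
		if len(parts) != 2 {
			return nil, fmt.Errorf("entry %q: expected volume-name:mount-name", entry)
		}
		for _, name := range parts {
			if len(name) > 63 || !dnsLabel.MatchString(name) {
				return nil, fmt.Errorf("entry %q: %q is not a DNS-1123 label", entry, name)
			}
			// The injected emptyDir lands in the same volume list as the data
			// volume, so reusing a name (even "vol:vol") would collide.
			if seen[name] {
				return nil, fmt.Errorf("entry %q: name %q used more than once", entry, name)
			}
			seen[name] = true
		}
		specs = append(specs, SecurePVSpec{VolumeName: parts[0], MountName: parts[1]})
	}
	return specs, nil
}

func main() {
	// Constructed sample: two encrypted data volumes, each with its own mount.
	fmt.Println(ParseSecurePVAnnotation("state:state-plain,logs:logs-plain"))
}
```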

Comment on lines 79 to 82
With this change, there is no longer any need for the `cryptsetup` subcommand to
be specified through the `cobra` library, as everything now happens in one
container. The `cryptsetup` subcommand can be removed and replaced by internal
decision making in the Initializer.
Contributor

What if the automatic cryptsetup does not work for my use-case and I'd like to use the initializer as a separate init container as documented today?

@davidweisse force-pushed the dav/rfc-cryptsetup-injection branch from f104bd7 to 00dc969 on February 4, 2025 10:07
@davidweisse force-pushed the dav/rfc-cryptsetup-injection branch from 00dc969 to a1f7226 on February 4, 2025 10:11
@katexochen removed their request for review on February 6, 2025 07:50
2 participants