CNTRLPLANE-3513: add kms health reports #2881
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -267,6 +267,77 @@ const ( | |
| EncryptionTypeKMS EncryptionType = "KMS" | ||
| ) | ||
|
|
||
| // +openshift:validation:Enum="";healthy;unhealthy;error | ||
| type KMSPluginHealthStatus string | ||
|
|
||
| const ( | ||
| KMSPluginHealthStatusHealthy KMSPluginHealthStatus = "Healthy" | ||
|
|
||
| KMSPluginHealthStatusUnhealthy KMSPluginHealthStatus = "Unhealthy" | ||
|
|
||
| KMSPluginHealthStatusError KMSPluginHealthStatus = "Error" | ||
| ) | ||
|
|
||
| // +openshift:compatibility-gen:level=1 | ||
| type KMSPluginHealthReport struct { | ||
|
|
||
| // nodeName is the name of the node this instance of the plugin runs on. | ||
| // The combination of NodeName/KeyId makes this health report unique. | ||
| // The value must be between 1 and 512 characters. | ||
| // +kubebuilder:validation:MinLength=1 | ||
|
Contributor
There was a problem hiding this comment. Document the minimum length as well.
Contributor
Author
There was a problem hiding this comment. I will, but what's the point of defining it in code and in the documentation. Can't you just generate this as a suffix to the docsstring automatically? |
||
| // +kubebuilder:validation:MaxLength=512 | ||
| // +required | ||
| NodeName string `json:"nodeName,omitempty"` | ||
|
Contributor
There was a problem hiding this comment. node names follow the DNS subdomain name format. We should use the format validation CEL library in kube for validating the input against that naming format: https://kubernetes.io/docs/reference/using-api/cel/#kubernetes-format-library
Contributor
Author
There was a problem hiding this comment. I'm afraid this will clash with the way that the node controller reports those, I'll add the CEL though.
Contributor
Author
There was a problem hiding this comment. actually, are you sure that this is the case? |
||
|
|
||
| // keyId is the encryption-key-secret id (kms-{keyId}.sock), a unique identifier of the plugin on that node. | ||
| // This is not a cryptographic key used to encrypt/decrypt any resources. | ||
| // The value must be between 1 and 512 characters. | ||
| // +kubebuilder:validation:MinLength=1 | ||
|
Contributor
There was a problem hiding this comment. Document the minimum length as well. |
||
| // +kubebuilder:validation:MaxLength=512 | ||
| // +required | ||
| KeyId string `json:"keyId,omitempty"` | ||
|
Contributor
There was a problem hiding this comment. Does the key id follow a specific format that we can validate?
Contributor
Author
There was a problem hiding this comment. I wouldn't make many assumptions here, this is a concatenation of some strings and integers. |
||
|
|
||
| // status contains a health indicator for the respective KMS plugin | ||
| // The field can have three states: healthy, unhealthy, error. | ||
| // With error and unhealthy containing additional information in Detail. | ||
| // | ||
| // +kubebuilder:validation:MinLength=1 | ||
| // +kubebuilder:validation:MaxLength=10 | ||
| // +required | ||
| Status KMSPluginHealthStatus `json:"status,omitempty"` | ||
|
|
||
| // lastChecked is a timestamp of when the probe was last checked. | ||
| // +required | ||
| LastChecked metav1.Time `json:"lastChecked,omitempty"` | ||
|
|
||
| // kekId refers to the remote KEK id from KMS v2 StatusResponse.key_id. | ||
| // This is not a cryptographic key, but a unique representation of the KEK. | ||
| // +kubebuilder:validation:MinLength=0 | ||
| // +kubebuilder:validation:MaxLength=1024 | ||
| // +optional | ||
| KEKId *string `json:"kekId,omitempty"` | ||
|
Contributor
There was a problem hiding this comment. What does it mean for
Member
There was a problem hiding this comment. That means there is a connection error between health monitor and kms plugin. So ideally we should expect that
Contributor
Author
There was a problem hiding this comment. @ibihim how do you intent do deal with this? are you just keeping the last value of a KEK in the conditions or are you always wiping it on error? Otherwise we can also make this required from the start. |
||
|
|
||
| // detail contains additional error/health information; omitted when healthy | ||
| // +kubebuilder:validation:MinLength=0 | ||
| // +kubebuilder:validation:MaxLength=1024 | ||
| // +optional | ||
| Detail *string `json:"detail,omitempty"` | ||
|
Comment on lines
+300
to
+324
Contributor
There was a problem hiding this comment. Aside from For example, I think this could probably all be wrapped into a single condition. Happy path: type: Healthy
status: True
reason: AsExpected
lastTransitionTime: ....Unhealthy scenario: type: Healthy
status: False
reason: SomethingIsWrong
message: "error: something is wrong"
lastTransitionTime: ....While
Contributor
Author
There was a problem hiding this comment. @ibihim does that work for you to replace it?
Contributor
Author
There was a problem hiding this comment. we would need NodeName,KeyId,KekId however - so the condition would replace only the health status, lastchecked and detail
Contributor
There was a problem hiding this comment. We do use conditions for this today and learned that it's difficult to work with. Operators end up parsing JSON field with no schema behind it. Please see for more details about the structure. It seems that a dedicated type fits better:
Contributor
There was a problem hiding this comment. i am pasting the conditions we use today from the kep i shared in the previous message: |
||
| } | ||
|
|
||
| // +openshift:compatibility-gen:level=1 | ||
| // +kubebuilder:validation:MinProperties=1 | ||
| type APIServerEncryptionStatus struct { | ||
| // healthReports contains all KMS plugin health reports for this APIServer. | ||
| // When omitted, no health reports are available. | ||
| // Each entry must have a unique combination of nodeName and keyId. | ||
| // +optional | ||
| // +kubebuilder:validation:MinItems=0 | ||
| // +kubebuilder:validation:MaxItems=100 | ||
| // +openshift:validation:XValidation,rule="self.all(x, self.exists_one(y, y.nodeName == x.nodeName && y.keyId == x.keyId))",message="each health report must have a unique nodeName/keyId combination" | ||
| // +listType=atomic | ||
|
Contributor
There was a problem hiding this comment. Any particular reason for this to be an atomic list?
Contributor
Author
There was a problem hiding this comment. what else should it be? |
||
| HealthReports []KMSPluginHealthReport `json:"healthReports,omitempty"` | ||
|
Contributor
There was a problem hiding this comment. Is there a semantic difference between |
||
| } | ||
|
|
||
| type APIServerStatus struct { | ||
| } | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the changes here are only used in the operator/v1 group - any reason these changes shouldn't be placed in that group instead of this one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because it is semantically correlated with the KMS and encryption configurations above.