Rekey Configuration

Rekey Configuration and Usage

Rekey Controller Installation

The CSM Encryption Rekey CRD Controller is an optional component that, if installed, allows encrypted volumes to be rekeyed in a Kubernetes cluster. The Rekey Controller can be installed via the Dell Helm charts repository.

Dell Helm charts can be added with the command helm repo add dell

Kubeconfig Secret

A secret with kubeconfig must be created with the name cluster-kube-config. Here is an example:

 kubectl create secret generic cluster-kube-config --from-file=config=/root/.kube/config

Helm Chart Values

The Rekey Controller Helm chart defines these values:

# Rekey controller image name.
image: "dellemc/csm-encryption-rekey-controller:v0.2.0"

# Rekey controller image pull policy.
# Allowed values:
#  Always: Always pull the image.
#  IfNotPresent: Only pull the image if it does not already exist on the node.
#  Never: Never pull the image.
imagePullPolicy: IfNotPresent

# logLevel: Log level of the rekey controller.
# Allowed values: "error", "warning", "info", "debug", "trace".
logLevel: "info"

# This value is required and must match encryption.pluginName value
# of the corresponding Dell CSI driver.
provisioner:

# This value is required and must match encryption.apiPort value
# of the corresponding Dell CSI driver.
port:

| Parameter | Description | Required | Default |
|---|---|---|---|
| image | Rekey controller image name. | No | "dellemc/csm-encryption-rekey-controller:v0.2.0" |
| imagePullPolicy | Rekey controller image pull policy. | No | "IfNotPresent" |
| logLevel | Log level of the rekey controller. | No | "info" |
| provisioner | This value is required and must match encryption.pluginName value of the corresponding Dell CSI driver. | Yes | |
| port | This value is required and must match encryption.apiPort value of the corresponding Dell CSI driver. | Yes | |


Copy the chart’s values.yaml to a local file and adjust the values in the local file for the current cluster. Deploy the controller using a command similar to this:

helm install --values local-values.yaml rekey-controller dell/csm-encryption-rekey-controller

A rekey-controller pod should now be up and running.

Rekey Usage

Rekeying is initiated and monitored via Kubernetes custom resources of type This can be done directly using kubectl or in a more user-friendly way using dellctl. Creation of a rekey resource for a PV will kick off a rekey process on this PV. The rekey resource will contain the result of the operation. Refer to Rekey Status for possible status values.

Rekey with dellctl

If the dellctl CLI is installed, rekeying an encrypted volume is simple. For example, to rekey a PV with the name k8s-112a5d41bc, use a command like this:

dellctl encryption rekey myrekey k8s-112a5d41bc
INFO rekey request "myrekey" submitted successfully for persistent volume "k8s-112a5d41bc".
INFO Run 'dellctl encryption rekey-status myrekey' for more details.

Then to check the status of the newly created rekey with the name myrekey use this command:

dellctl encryption rekey-status myrekey
INFO Status of rekey request myrekey = completed

Rekey with kubectl

Create a cluster-scoped rekey resource to rekey an encrypted volume. For example, to rekey a PV with the name k8s-029a76734f, use a command like this:

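kubectl create -f - <<EOF
# apiVersion must be set to the API group/version of the Rekey CRD.
apiVersion: ""
kind: "Rekey"
metadata:
  # Name of the rekey request; used later to query its status.
  name: "example-rekey"
spec:
  # Name of the encrypted PV to rekey.
  persistentVolumeName: "k8s-029a76734f"
EOF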

Once the rekey resource has been created, after some time, the status of the rekey can be inspected through the status.phase field of the rekey resource.

echo $(kubectl get rekey example-rekey -o jsonpath='{.status.phase}')

Rekey Status

The status.phase field of a rekey resource can have these values:

| Value | Description |
|---|---|
| initialized | The request has been received by the Rekey Controller. |
| started | The request is being processed by the Encryption driver. |
| completed | The request successfully completed and the volume is protected by a new key. |
| rejected | The rekey process has not started; a non-existent or unencrypted PV in the request is a common reason. |
| failed | The rekey process has failed, possibly due to an unreachable Encryption driver or an error response from the driver. |
| unknown | The request was sent to the Encryption driver, but no response was received. It is still possible that the rekey succeeded and the volume key has changed. |
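
The script below is an added example, not part of the CSM documentation or tooling: it polls status.phase with the kubectl command shown above and maps each phase from the table to an exit code, so that an automated key-rotation job does not treat rejected, failed or unknown as a finished rekey. The function names, exit codes, timeout and polling interval are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the CSM documentation): wait for a Rekey resource
# and turn status.phase into an exit code a rotation job can act on.
# Exit codes are this example's own convention:
#   0 completed   2 rejected/failed   3 unknown   4 unrecognized phase
#   5 kubectl error   6 timed out while still in progress

# classify_phase <phase>: returns 1 while the request is still in progress.
classify_phase() {
  case "$1" in
    completed)              return 0 ;;  # volume is protected by a new key
    ""|initialized|started) return 1 ;;  # not set yet, received, or running
    rejected|failed)        return 2 ;;  # do not record the key as rotated
    unknown)                return 3 ;;  # key may or may not have changed
    *)                      return 4 ;;  # value not listed in Rekey Status
  esac
}

# wait_for_rekey <rekey-name> [timeout-seconds] [poll-interval-seconds]
wait_for_rekey() {
  local name="$1" timeout="${2:-300}" interval="${3:-5}" waited=0 phase rc
  while :; do
    phase=$(kubectl get rekey "$name" -o jsonpath='{.status.phase}') || return 5
    rc=0
    classify_phase "$phase" || rc=$?
    if [ "$rc" -ne 1 ]; then
      echo "rekey $name: phase=${phase:-<none>}" >&2
      return "$rc"
    fi
    if [ "$waited" -ge "$timeout" ]; then
      echo "rekey $name: still '${phase:-<none>}' after ${waited}s" >&2
      return 6
    fi
    sleep "$interval"
    waited=$((waited + interval))
  done
}

# Usage after sourcing this file: wait_for_rekey example-rekey 600 10
```

A job that tracks key rotation should record the volume as rotated only on exit code 0; exit code 3 needs follow-up, because in the unknown phase the volume key may already have changed.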


Remove old rekey resources just like any other resource, using kubectl delete.