Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to migrate storeAccountKey from true to false #1218

Closed
susanwangmcpod opened this issue Apr 10, 2023 · 12 comments · Fixed by #1295
Closed

How to migrate storeAccountKey from true to false #1218

susanwangmcpod opened this issue Apr 10, 2023 · 12 comments · Fixed by #1295
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@susanwangmcpod
Copy link

My customer uses AKS with Azure Files PVs, which were dynamically provisioned previously, and the storage account keys are stored in the secrets.

Now due to security policies, they need to rotate storage account keys periodically. If the PVs are dynamically provisioned from SC with parameter storeAccountKey: false, then it just needs to recreate pods after storage account keys are changed.

However, customer now has many existing PVs which were dynamically provisioned from SC without specifying the parameter storeAccountKey, so the storage account keys are stored in the secrets now.

So are there any ways to migrate storeAccountKey from true to false? If this is not possible, then whether we have any other methods to update secrets with new storage account keys automatically? Thanks in advance.
@andyzhangx
Copy link
Member

andyzhangx commented Apr 10, 2023
edited
Loading

@susanwangmcpod if you don't want to store AccountKey as secret, you need to:

  1. grant kubelet identity reader permission to the storage accounts
  2. delete existing secrets with naming rule azure-storage-account-{accountname}-secret
  3. when you rotate account key, existing azure file volume mount would become invalid, recreate those pods with azure file mounts, and azure file driver would use kubelet identity to get the updated account key directly.

@susanwangmcpod
Copy link
Author

Thanks, Andy. I will have a test.

@susanwangmcpod
Copy link
Author

@andyzhangx my customer spent some time in testing above shared steps. It works. But they feedbacked that this is still unable to meet their requirements, because pods are unable to access files after storage account keys rotate. This means their app still have some downtime until these pods are recreated. So customer is asking whether there exists any other methods to avoid such downtime when storage account keys rotate? Thanks in advance.

@andyzhangx
Copy link
Member

andyzhangx commented May 4, 2023
edited
Loading

@andyzhangx my customer spent some time in testing above shared steps. It works. But they feedbacked that this is still unable to meet their requirements, because pods are unable to access files after storage account keys rotate. This means their app still have some downtime until these pods are recreated. So customer is asking whether there exists any other methods to avoid such downtime when storage account keys rotate? Thanks in advance.

@susanwangmcpod
there is a better way to reduce downtime, e.g.

  1. update secret with secondary account key
  2. recreate pods by moving pods to the node which does not have this file share mount (this could make sure remount happen)
  3. rotate primary account key
  4. update secret with primary account key
  5. recreate pods by moving pods to the node which does not have this file share mount (this could make sure remount happen)

@susanwangmcpod
Copy link
Author

Thanks, Andy.

@susanwangmcpod
Copy link
Author

Hello @andyzhangx ,

I did some tests, and it looks like that kubelet identity always fetches the first storage account key (key1). Is this by design?

My guess is if kubelet identity can fetch the latest rotated key, then we may follow the similar steps as above to reduce downtime with kubelet identity as well.

Thanks.

@andyzhangx
Copy link
Member

andyzhangx commented May 12, 2023
edited
Loading

Hello @andyzhangx ,

I did some tests, and it looks like that kubelet identity always fetches the first storage account key (key1). Is this by design?

My guess is if kubelet identity can fetch the latest rotated key, then we may follow the similar steps as above to reduce downtime with kubelet identity as well.

Thanks.

@susanwangmcpod that's a good suggestion, currently it's always getting the first key, but I think we make a change in the next version to always get the key with latest CreationTime, by that way, if you are using kubelet identity to get account key directly, it could be:

1. rotate secondary key
2. recreate pods by moving pods to the node which does not have this file share mount (this could make sure remount happen)
3. rotate primary account key
4. recreate pods by moving pods to the node which does not have this file share mount (this could make sure remount happen)

// AccountKey an access key for the storage account.
type AccountKey struct {
	// KeyName - READ-ONLY; Name of the key.
	KeyName *string `json:"keyName,omitempty"`
	// Value - READ-ONLY; Base 64-encoded value of the key.
	Value *string `json:"value,omitempty"`
	// Permissions - READ-ONLY; Permissions for the key -- read-only or full permissions. Possible values include: 'KeyPermissionRead', 'KeyPermissionFull'
	Permissions KeyPermission `json:"permissions,omitempty"`
	// CreationTime - READ-ONLY; Creation time of the key, in round trip date format.
	CreationTime *date.Time `json:"creationTime,omitempty"`
}

@andyzhangx andyzhangx added the kind/feature Categorizes issue or PR as related to a new feature. label May 12, 2023
@susanwangmcpod
Copy link
Author

Many thanks, Andy.

@yzhang0727
Copy link

@andyzhangx hello andy, for the time of next version release, do you have an estimation time?

@andyzhangx andyzhangx mentioned this issue Jun 7, 2023
Merged
4 tasks
@andyzhangx
Copy link
Member

@andyzhangx hello andy, for the time of next version release, do you have an estimation time?

@yzhang0727 working on this now

@andyzhangx andyzhangx mentioned this issue Jun 8, 2023
Merged
@rkarra08101992
Copy link

Hello Andy, I see that there so many manual steps involved to rotate keys. Is there a way to automatically do this without having to perform those steps?

@andyzhangx
Copy link
Member

andyzhangx commented Dec 12, 2023
edited
Loading

@rkarra08101992 after setting following two parameters in storage class, you could try following steps to validate it works, and then you could automate those cli commands

  • option#1: account key is already stored as k8s secret
parameters:
  getLatestAccountKey: "true"
  1. update secret with secondary account key
  2. recreate pods by moving pods to the node which does not have this file share mount (this could make sure remount happen, and with getLatestAccountKey: "true" CSI driver will pick the secondary account key)
  3. rotate primary account key
  4. update secret with primary account key
  5. recreate pods by moving pods to the node which does not have this file share mount (this could make sure remount happen, and with getLatestAccountKey: "true" CSI driver will pick the primary account key)
  • option#2: account key is NOT already stored (more straightforward)
parameters:
  storeAccountKey: "false"
  getLatestAccountKey: "true"
  1. rotate secondary account key
  2. recreate pods by moving pods to the node which does not have this file share mount (this could make sure remount happen, and with getLatestAccountKey: "true" CSI driver will pick the secondary account key)
  3. rotate primary account key
  4. recreate pods by moving pods to the node which does not have this file share mount (this could make sure remount happen, and with getLatestAccountKey: "true" CSI driver will pick the primary account key)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: add getLatestAccountKey parameter in storage class kubernetes-sigs/azurefile-csi-driver
4 participants
@andyzhangx @yzhang0727 @susanwangmcpod @rkarra08101992