Dynamically add and remove secret from the trustee pod #229

@iroykaufman

Currently, the flow for creating a LUKS key is:

  1. When the operator detects new machine creation, it creates a new LUKS key.
  2. The operator creates a Kubernetes secret to hold the LUKS key.
  3. Patch the trustee deployment to add the secret as a confidential resource.

Step 3 will trigger the trustee deployment to restart with the new secret mounted. We want to avoid this. Other objects (policies, reference values, etc.) can be handled similarly.

I started implementing two different approaches to solving this issue:

  1. Create a sidecar inside the trustee deployment that listens for new machine creation and manages the LUKS key as a Kubernetes secret. A draft implementation can be found here. Based on my tests, this implementation is functional.
  2. Use the kbs API (kbs-client) from trustee to update the LUKS key and other trustee configuration. While the first two steps of the flow remain the same, the third step is replaced by a direct API call to the KBS. A draft implementation is available here. This version is currently incomplete and has not been fully tested.

I would like to get your feedback on which is the better approach.
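As an added illustration of approach 2 (not code from either draft implementation linked in the issue), the Python below runs the three steps with step 3 replaced by a direct call to the KBS resource API: the key is generated, recorded as a Kubernetes Secret manifest for the operator, then registered with trustee under a resource path instead of being mounted into the pod, so the deployment's pod template is never touched and no rollout happens. The endpoint layout `/kbs/v0/resource/<repository>/<type>/<tag>`, the bearer admin token (obtained out of band, e.g. from the kbs-client admin key), and the Secret name/namespace are assumptions, not details given in the issue.

```python
import base64
import secrets
import urllib.request

# Assumed upstream Trustee KBS admin resource endpoint; not stated in the issue.
KBS_RESOURCE_PREFIX = "/kbs/v0/resource"


def new_luks_key(nbytes: int = 64) -> bytes:
    """Step 1: fresh random LUKS passphrase for one machine."""
    return secrets.token_bytes(nbytes)


def secret_manifest(machine: str, key: bytes, namespace: str = "trustee-operator-system") -> dict:
    """Step 2: the Secret the operator keeps as source of truth (name/namespace are placeholders)."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": f"luks-key-{machine}", "namespace": namespace},
        "type": "Opaque",
        "data": {"key": base64.b64encode(key).decode()},
    }


def resource_path(machine: str, repository: str = "default", rtype: str = "luks-key") -> str:
    """KBS resource path: exactly three non-empty segments, none containing '/'."""
    for seg in (repository, rtype, machine):
        if not seg or "/" in seg:
            raise ValueError(f"invalid resource path segment: {seg!r}")
    return f"{repository}/{rtype}/{machine}"


def upload_to_kbs(kbs_url: str, admin_token: str, path: str, key: bytes, opener=urllib.request.urlopen) -> int:
    """Step 3 (approach 2): register the key over the admin API. The trustee Deployment
    is not modified, so no pod restarts. `opener` is injectable for offline testing."""
    req = urllib.request.Request(
        f"{kbs_url.rstrip('/')}{KBS_RESOURCE_PREFIX}/{path}",
        data=key,  # raw key bytes as the resource body
        method="POST",
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/octet-stream"},
    )
    with opener(req) as resp:
        return resp.status


def provision_machine(machine: str, kbs_url: str, admin_token: str, opener=urllib.request.urlopen) -> tuple:
    """Run all three steps for a newly detected machine; returns (secret manifest, HTTP status)."""
    key = new_luks_key()
    manifest = secret_manifest(machine, key)
    status = upload_to_kbs(kbs_url, admin_token, resource_path(machine), key, opener)
    return manifest, status
```

Compare with the current step 3: a `kubectl patch deployment` that adds a volume changes the pod template and so triggers a rollout, while the POST above changes only KBS state.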
