Encrypt Data via Ceph

This guide explains how to encrypt data at rest by specifying a Kubernetes storageClass that enables disk encryption during the installation of HPE Machine Learning Inferencing Software. You can manage this using the following Helm parameters:

db.storageClassName: Specifies the StorageClass that provides disk encryption for your database.
master.storageClassName: Specifies the StorageClass that provides disk encryption for your system audit log.

Example Installation Command #

helm install mlis \
    --set "db.storageClassName=csi-cephfs-sc" \
    --set "master.storageClassName=csi-cephfs-sc" \
    --set 'global.imagePullSecrets[0].name=regcred' \
    --set 'global.imagePullSecrets[1].name=hpe-mlis-registry' \
    --set imageRegistry=hub.myenterpriselicense.hpe.com/hpe-mlis/<SKU> \
    --set defaultPassword=<CREATE_ADMIN_PASSWORD> \
    --values values.yaml \
    <SKU>_aioli-helm-chart<release/majorMinorPatchNumber>}}.tgz

Before You Start #

Implementation Options #

There are several ways to provide an encrypting storageClass on Kubernetes. This guide provides tested steps for using the Ceph Container Storage Interface (CSI) plugin v3.11.0+ for CephFS backed volumes. Ceph CSI plugins implement an interface between a CSI-enabled Container Orchestrator (CO) and Ceph clusters.

You must have a running Ceph cluster configured for storage and encryption to use this implementation option.

CephFS Support Matrix

Plugin	Features	Feature Status	CSI Driver Version	CSI Spec Version	Ceph Cluster Version	Kubernetes Version
CephFS	Dynamically provision, de-provision File mode RWO volume	GA	v1.1.0+	v1.0.0+	Pacific (v16.2.0+)	v1.14.0+
CephFS	Dynamically provision, de-provision File mode RWX volume	GA	v1.1.0+	v1.0.0+	Pacific (v16.2.0+)	v1.14.0+
CephFS	Dynamically provision, de-provision File mode ROX volume	Alpha	v3.0.0+	v1.0.0+	Pacific (v16.2.0+)	v1.14.0+
CephFS	Dynamically provision, de-provision File mode RWOP volume	Alpha	v3.5.0+	v1.5.0+	Pacific (v16.2.0+)	v1.22.0+
CephFS	Creating and deleting snapshot	GA	v3.1.0+	v1.0.0+	Pacific (v16.2.0+)	v1.17.0+
CephFS	Provision volume from snapshot	GA	v3.1.0+	v1.0.0+	Pacific (v16.2.0+)	v1.17.0+
CephFS	Provision volume from another volume	GA	v3.1.0+	v1.0.0+	Pacific (v16.2.0+)	v1.16.0+
CephFS	Expand volume	Beta	v2.0.0+	v1.1.0+	Pacific (v16.2.0+)	v1.15.0+
CephFS	Volume/PV Metrics of File Mode Volume	GA	v1.2.0+	v1.1.0+	Pacific (v16.2.0+)	v1.15.0+

How to Set Up Ceph CSI #

Install the Ceph CSI Plugin #

Add the chart repository to Helm:

helm repo add ceph-csi https://ceph.github.io/csi-charts

Install the Ceph CSI plugin:

# my_values.yaml
# Configuration for the CSI to connect to the Ceph cluster
# Ref: https://github.com/ceph/ceph-csi/blob/devel/examples/README.md
# Example:
csiConfig:
   - clusterID: "ba6b823e-07f8-11ef-9d12-216d3df7f599"
     monitors:
       - "ceph-5-single"
provisioner:
  replicaCount: 1

Create the namespace where Helm should install the components:
```
kubectl create namespace ceph-csi-cephfs
```

Run the Helm install command:

helm install -f my_values.yaml --namespace "ceph-csi-cephfs" "ceph-csi-cephfs" ceph-csi/ceph-csi-cephfs

Configure and Set up Ceph CSI Storage #

The following Secret and StorageClass should be created prior to using the storage.

Create Kubernetes Secret #

Obtain the adminID and adminKey from the Ceph cluster:
```
ceph auth get-key client.admin
```

Create a Kubernetes Secret in the ceph-csi-cephfs namespace with the following content:

---
apiVersion: v1
kind: Secret
metadata:
  name: csi-cephfs-secret
  namespace: ceph-csi-cephfs
stringData:
  # Required for dynamically provisioned volumes
  adminID: admin
  adminKey: <admin-key>

Create StorageClass #

Make sure the cephfs_data pool exists in the Ceph cluster. If not, create it:
```
ceph osd pool create cephfs_data 128
```

Create a StorageClass in the ceph-csi-cephfs namespace with the following content:

---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-cephfs-sc
  annotations:
    meta.helm.sh/release-name: ceph-csi-cephfs
    meta.helm.sh/release-namespace: ceph-csi-cephfs
  labels:
    app: ceph-csi-cephfs
    app.kubernetes.io/managed-by: Helm
    chart: ceph-csi-cephfs-3.11.0
    heritage: Helm
    release: ceph-csi-cephfs
provisioner: cephfs.csi.ceph.com
parameters:
  clusterID: ba6b823e-07f8-11ef-9d12-216d3df7f599
  csi.storage.k8s.io/controller-expand-secret-name: csi-cephfs-secret
  csi.storage.k8s.io/controller-expand-secret-namespace: ceph-csi-cephfs
  csi.storage.k8s.io/node-stage-secret-name: csi-cephfs-secret
  csi.storage.k8s.io/node-stage-secret-namespace: ceph-csi-cephfs
  csi.storage.k8s.io/provisioner-secret-name: csi-cephfs-secret
  csi.storage.k8s.io/provisioner-secret-namespace: ceph-csi-cephfs
  fsName: cephfs
  mounter: kernel
  pool: cephfs_data
reclaimPolicy: Delete
volumeBindingMode: Immediate

Install Platform via Helm #

When installing HPE Machine Learning Inferencing Software, set the StorageClass that was created for the Ceph CSI plugin. For example, to set the csi-cephfs-sc StorageClass, use the following command:

--set "db.storageClassName=csi-cephfs-sc" \

helm install mlis \
    --set "db.storageClassName=csi-cephfs-sc" \
    --set "master.storageClassName=csi-cephfs-sc" \
    --set 'global.imagePullSecrets[0].name=regcred' \
    --set 'global.imagePullSecrets[1].name=hpe-mlis-registry' \
    --set imageRegistry=hub.myenterpriselicense.hpe.com/hpe-mlis/<SKU> \
    --set defaultPassword=<CREATE_ADMIN_PASSWORD> \
    --values values.yaml \
    <SKU>_aioli-helm-chart<release/majorMinorPatchNumber>}}.tgz