Vast Data CSI Driver for Kubernetes

Hi - I had a question regarding the CSI Driver. Does it support TLS 1.3 for NFS?

All I see is SSL here.

Is SSL & TLS being used interchangeably in this documentation?

Thanks

Hi @billhill thanks for posting. Here are further details:

Check out this KB to configure TLS encryption with NFS. This is the procedure for using encryption with NFS, using TLS (v1.2 or 1.3). Note that it is not dynamically done via the CSI driver and needs to be configured.

Thanks @ram! Do you have a URL to the CSI driver config docs.

Hi, checking with the team.

To clarify, are you looking for the values used by helm for deploying? Here are the config values to deploy (also referenced in the docs).

Thanks @ram This is what led me to my initial question. Everything refers to SSL, not TLS. So, I just wanted to verify whether the two terms were being used interchangeably, since there are differences.

Thanks for clarifying - let me circle back after confirming.

The CSI driver communicates as follows:

  • Control plane: CSI Driver → VMS REST API over HTTPS
  • Data plane: k8s pods → VAST Cluster over NFS

So the SSL values verifySsl and sslCert are for the control plane, to validate the VMS endpoint certificate, and have nothing to do with NFS.

Thanks ram. Is it SSL or TLS for the data plane? Will data be encrypted in flight from Kubernetes to the Vast cluster over an SSL or TLS connection using CSI Driver? As you mentioned previously, “it is not dynamically done via the CSI driver and needs to be configured.” That is the essence of my question.

Data plane encryption via Configuring TLS Encryption with NFS would be TLS. Control plane encryption is over SSL.

Let me have someone follow up if you have further inquiries.

Hi @billhill the flags in values.yaml such as verifySsl are for control plane access to VMS. And the terminology is dated… the HTTPS connection is being secured by TLS, not deprecated SSL.
For our block (NVMe over TCP) CSI Driver, there is support for dynamic host-based encryption that leverages LUKS.
But for securing NFSv4, we don’t have anything in the driver to dynamically take care of setting up a tunnel. VAST does support running NFSv4 over encryption, which is detailed in the kb doc @ram shared. There are steps required on the host that are not taken care of dynamically by the CSI driver; however, the CSI driver does support mountOptions (per storageClass) to accommodate any of the options mentioned in that kb article. And the storageClass is also where you would define a view policy that has the appropriate options set for using NFSv4 with encryption. As for the view created for your PV/PVC, it’ll automatically get created with NFSv4 enabled when you include vers=4.1 (or 4.2) in your mountOptions.

Hopefully this helps.

Thank you @rob.girard !!! I assume NFSv3 is included. Looking at custom View policies enforcing TLS, NFSv3 looked to be supported too. Just verifying.

Correction, it's possible to use vast-csi with NFS with TLS.

  1. k8s hosts should be running ktls-utils
  2. /etc/tlshd.conf should have the ca that signed the server side certificate
  3. Csi storage class mountOptions should include xprtsec=tls
  4. View policy should set tls settings
  5. Both nfsv3 and nfsv4 are supported
  6. Minimum vast server should be 5.2.2
  7. Rocky 9.5 and Ubuntu 24.04 support this, perhaps also others.

Hello @sagi Great stuff! The documentation is certainly not clear on the ktls-utils or tlshd.conf. Also - I don’t see xprtsec=tls in the values.yaml Storage Class mountOptions (vast-csi/charts/vastcsi/values.yaml at v2.6, vast-data/vast-csi on GitHub). Thank you for helping clarify the configuration procedure!

Hello @sagi - Does support have to enable the RPC over TLS capability or does it come enabled by default in 5.2.2? Also - if not on 5.2.2 can a TLS Tunnel be used with CSI Driver?

@billhill mountOptions are an array of mount options that follow exactly the nfs mount parameters. 5.2.2 support comes by default. However, you need to populate the cluster certificate and set the view policy that is used by the CSI storage class to enforce TLS (relaxed mode required for NFSv3).
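Putting @sagi's checklist and the note above together, here is an added example StorageClass (not from the thread or the vast-csi project) that carries the mount options and view-policy reference the posts describe. The provisioner name and the `parameters` keys are assumptions, not values taken from this page; the host-side tlshd setup is noted in comments only.

```yaml
# Added example, not the project's own manifest. Names marked "assumed"
# do not appear in the thread and must be checked against the vast-csi docs.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: vast-nfs-tls
provisioner: csi.vastdata.com        # assumed provisioner name for vast-csi
parameters:
  # Assumed parameter names; the thread only says the view policy and
  # the mount options are defined per StorageClass.
  vip_pool_name: vippool-1           # placeholder VIP pool on the VAST cluster
  view_policy: nfs-tls-policy        # VMS view policy with TLS enforced
                                     # (relaxed mode if NFSv3 clients exist)
mountOptions:
  - vers=4.1      # view is created NFSv4-enabled when vers=4.1 or 4.2 is set
  - xprtsec=tls   # RPC over TLS; every node needs ktls-utils (tlshd) running
                  # and /etc/tlshd.conf pointing at the CA that signed the
                  # cluster certificate (x509.truststore under
                  # [authenticate.client] in tlshd.conf format)
reclaimPolicy: Delete
volumeBindingMode: Immediate
```

On the VAST side, the cluster certificate must be populated and the server must be at 5.2.2 or later, as stated above; a PVC bound to this class will fail to mount on any node where tlshd is not running or cannot validate that certificate.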