CNV-60438: Correct misleading information about vTPM devices #92553
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@jhradilek: This pull request references CNV-60438 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.19.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
size/XS
|
/label cnv |
modules/virt-about-vtpm-devices.adoc
Outdated
| from a Windows 11 image to function without a physical TPM chip. A vTPM device also protects virtual machines by storing secrets without physical hardware. | ||
|
|
||
| A vTPM device also protects virtual machines by storing secrets without physical hardware. {VirtProductName} supports persisting vTPM device state by using Persistent Volume Claims (PVCs) for VMs. You must specify the storage class to be used by the PVC by setting the `vmStateStorageClass` attribute in the `HyperConverged` custom resource (CR): | ||
| {VirtProductName} supports persisting vTPM device state by using Persistent Volume Claims (PVCs) for VMs. If you do not specify the storage class for this PVC, {VirtProductName} uses the default storage class for virtualization workloads. If the default storage class for virtualization workloads is not set, {VirtProductName} uses the default storage class for the cluster. For information about how to review or change the default storage classes, see xref:../../virt/storage/virt-automatic-bootsource-updates.adoc#virt-configuring-default-and-virt-default-storage-class_virt-automatic-bootsource-updates[Configuring the default and virt-default storage classes]. |
There was a problem hiding this comment.
🤖 [error] OpenShiftAsciiDoc.NoXrefInModules: Do not include xrefs in modules, only assemblies.
|
@jhradilek: This pull request references CNV-60438 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.19.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
jhradilek
force-pushed
the
CNV-60438-vmstatestorageslass-for-vtpm
branch
from
b72d5d5 to
ec12150
Compare
openshift-ci
bot
added
size/S
modules/virt-about-vtpm-devices.adoc
Outdated
| You can use a vTPM device with any operating system, but Windows 11 requires | ||
| the presence of a TPM chip to install or boot. A vTPM device allows VMs created | ||
| from a Windows 11 image to function without a physical TPM chip. | ||
| from a Windows 11 image to function without a physical TPM chip. A vTPM device also protects virtual machines by storing secrets without physical hardware. |
There was a problem hiding this comment.
I don't think we should say this. I am not sure what it means, or if it is accurate. When I see secrets I immediately think kubernetes secrets which is not the case.
There was a problem hiding this comment.
Thank you, you are right that this is misleading and I wonder if we are entering the territory of trying to explain what a physical TPM device is. If this information is required, I think it would make more sense earlier in the paragraph right after the first sentence and we should be more specific about what certificates and private keys it is used for. @alromeros What do you think?
There was a problem hiding this comment.
I think it would make more sense earlier in the paragraph right after the first sentence and we should be more specific about what certificates and private keys it is used for
I agree. If we want to include this sentence it makes more sense to have it earlier in the paragraph. I don't consider it a must though.
When I see secrets I immediately think kubernetes secrets which is not the case.
This was my first thought too. In case we want to keep this sentence I'd try to say something more generic, such as "sensitive data" instead of secrets.
There was a problem hiding this comment.
Thank you. I removed it as it does not feel like we are doing justice to explaining what TPM devices are and I don't think it is the purpose of this section.
modules/virt-about-vtpm-devices.adoc
Outdated
| To ensure consistent behavior, configure only one storage class as the default for virtualization workloads and for the cluster respectively. | ||
| ==== | ||
|
|
||
| Because this behavior might change in the future, it is recommended that you specify the storage class explicitly by setting the `vmStateStorageClass` attribute in the `HyperConverged` custom resource (CR): |
There was a problem hiding this comment.
This is a personal concern but I don't know if I would voice it in downstream documentation. I'd say it's still recommended to set vmStateStorageClass as it's the intended way to define the storage class for backend PVCs, but don't know if it's appropriate to say that the fallback behavior could change in the future.
There was a problem hiding this comment.
Thank you, that makes sense. I removed the first part of the sentence.
jhradilek
force-pushed
the
CNV-60438-vmstatestorageslass-for-vtpm
branch
from
ec12150 to
4839c20
Compare
|
I have updated the wording as suggested. @alromeros do you have any other suggestions or can I proceed to seek QE review? |
Looks good to me! |
|
@jhradilek From QE review, I have reviewed it and the content looks good |
|
Thank you very much, @stesrn! /label peer-review-needed |
openshift-ci
bot
added
the
peer-review-needed
mburke5678
added
the
peer-review-in-progress
modules/virt-about-vtpm-devices.adoc
Outdated
| [source,terminal] | ||
| ---- | ||
| $ oc get sc -o json | jq '.items[].metadata|select(.annotations."storageclass.kubevirt.io/is-default-virt-class"=="true")|.name' |
There was a problem hiding this comment.
Per the doc guidelines, Do not use jq in commands (unless it is truly required).
modules/virt-about-vtpm-devices.adoc
Outdated
| $ oc get sc -o json | jq '.items[].metadata|select(.annotations."storageclass.kubevirt.io/is-default-virt-class"=="true")|.name' | ||
| ---- | ||
| Similarly, the default storage class for the cluster has the annotation `storageclass.kubernetes.io/is-default-class` set to "true". To find this storage class, run: |
There was a problem hiding this comment.
| Similarly, the default storage class for the cluster has the annotation `storageclass.kubernetes.io/is-default-class` set to "true". To find this storage class, run: | |
| Similarly, the default storage class for the cluster has the annotation `storageclass.kubernetes.io/is-default-class` set to "true". To find this storage class, run the following command: |
There was a problem hiding this comment.
Thank you, I will fix this.
modules/virt-about-vtpm-devices.adoc
Outdated
| [source,terminal] | ||
| ---- | ||
| $ oc get sc -o json | jq '.items[].metadata|select(.annotations."storageclass.kubernetes.io/is-default-class"=="true")|.name' |
There was a problem hiding this comment.
Per the doc guidelines, Do not use jq in commands (unless it is truly required).
There was a problem hiding this comment.
Thank you. I was hoping this would be justified as it is sadly the most straightforward way to get this information that I could find. The same jq command is actually also used later on in the book, but I cannot link to it as cross-references from modules are forbidden too. The alternative is to oc get sc and look for lines with (default) in the first column, but then it is not clear which default it is.
|
@jhradilek A few comments. Otherwise LGTM |
mburke5678
added
peer-review-done
jhradilek
force-pushed
the
CNV-60438-vmstatestorageslass-for-vtpm
branch
from
4839c20 to
cefaaf1
Compare
|
Hi @stesrn, during a peer review Michael correctly pointed out that according to our guidelines, |
|
@jhradilek: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@jhradilek No problems. I have verified with the new commands that uses jsonpath. That looks good. Overall content is also good. |
|
@jhradilek: This pull request references CNV-60438 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.20.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Thank you! /label merge-review-needed |
openshift-ci
bot
added
the
merge-review-needed
sheriff-rh
added
merge-review-in-progress
|
/cherrypick enterprise-4.19 |
|
/cherrypick enterprise-4.18 |
|
@sheriff-rh: new pull request created: #93285 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@sheriff-rh: new pull request created: #93286 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
9 participants
Version(s): 4.18+
Issue: CNV-60438
Link to docs preview:
QE review:
Additional information: N/A