controllers: Add logic to Create cephfs encrypted storageclass
Signed-off-by: Nitin Goyal <[email protected]>
iamniting committed May 13, 2024
1 parent 1fc6d8f commit a2985f1
Showing 5 changed files with 52 additions and 9 deletions.
7 changes: 7 additions & 0 deletions controllers/storagecluster/generate.go
Expand Up @@ -95,6 +95,13 @@ func generateNameForEncryptedCephBlockPoolSC(initData *ocsv1.StorageCluster) str
return fmt.Sprintf("%s-ceph-rbd-encrypted", initData.Name)
}

func generateNameForEncryptedCephFileSystemSC(initData *ocsv1.StorageCluster) string {
if initData.Spec.Encryption.CephFs.StorageClassName != "" {
return initData.Spec.Encryption.CephFs.StorageClassName
}
return fmt.Sprintf("%s-cephfs-encrypted", initData.Name)
}

func generateNameForCephNetworkFilesystemSC(initData *ocsv1.StorageCluster) string {
if initData.Spec.NFS.StorageClassName != "" {
return initData.Spec.NFS.StorageClassName
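Review bot: The new `generateNameForEncryptedCephFileSystemSC` at the top of the hunk has no doc comment, and the fallback name it produces is only discoverable by reading the format string. A one-liner would do: `// generateNameForEncryptedCephFileSystemSC returns Spec.Encryption.CephFs.StorageClassName when the user set it, otherwise "<StorageCluster name>-cephfs-encrypted".` The function is complete within the hunk; the sibling RBD helper's comment, if any, is outside it.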
6 changes: 6 additions & 0 deletions controllers/storagecluster/reconcile.go
Expand Up @@ -853,6 +853,12 @@ func validateCustomStorageClassNames(sc *ocsv1.StorageCluster) error {
}
scMap[sc.Spec.Encryption.StorageClassName] = true
}
if sc.Spec.Encryption.CephFs.StorageClass && sc.Spec.Encryption.KeyManagementService.Enable && sc.Spec.Encryption.CephFs.StorageClassName != "" {
if _, ok := scMap[sc.Spec.Encryption.CephFs.StorageClassName]; ok {
duplicateNames = append(duplicateNames, "Encryption")
}
scMap[sc.Spec.Encryption.CephFs.StorageClassName] = true
}

if len(duplicateNames) > 0 {
return fmt.Errorf("Duplicate StorageClass name(s) provided: %v", duplicateNames)
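Review bot: The label appended at `duplicateNames = append(duplicateNames, "Encryption")` is, as far as the visible lines suggest, the same word the RBD encryption branch just above uses, so the error built at `return fmt.Errorf("Duplicate StorageClass name(s) provided: %v", duplicateNames)` cannot tell the operator which of the two encrypted StorageClass names collided. Use a distinct label, e.g. `duplicateNames = append(duplicateNames, "EncryptionCephFs")`, so the message points at the field to fix. Note also that the check is gated on `KeyManagementService.Enable`, so a CephFs StorageClassName that duplicates another name passes validation while KMS is off; that mirrors the RBD branch's gate, but a short comment stating the intent would help. validateCustomStorageClassNames starts outside the hunk.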
31 changes: 27 additions & 4 deletions controllers/storagecluster/storageclasses.go
Expand Up @@ -413,6 +413,20 @@ func newEncryptedCephBlockPoolStorageClassConfiguration(initData *ocsv1.StorageC
return encryptedStorageClassConfig
}

// newEncryptedCephFileSystemStorageClassConfiguration generates configuration options for an encrypted Ceph File System StorageClass.
// when user has asked for PV encryption during deployment.
func newEncryptedCephFileSystemStorageClassConfiguration(initData *ocsv1.StorageCluster, serviceName string) StorageClassConfiguration {
allowVolumeExpansion := true
encryptedStorageClassConfig := newCephFilesystemStorageClassConfiguration(initData)
encryptedStorageClassConfig.storageClass.ObjectMeta.Name = generateNameForEncryptedCephFileSystemSC(initData)
// adding a annotation to support smart cloning across namespace for encrypted volume
encryptedStorageClassConfig.storageClass.ObjectMeta.Annotations["cdi.kubevirt.io/clone-strategy"] = "copy"
encryptedStorageClassConfig.storageClass.Parameters["encrypted"] = "true"
encryptedStorageClassConfig.storageClass.Parameters["encryptionKMSID"] = serviceName
encryptedStorageClassConfig.storageClass.AllowVolumeExpansion = &allowVolumeExpansion
return encryptedStorageClassConfig
}

// newCephOBCStorageClassConfiguration generates configuration options for a Ceph Object Store StorageClass.
func newCephOBCStorageClassConfiguration(initData *ocsv1.StorageCluster) StorageClassConfiguration {
reclaimPolicy := corev1.PersistentVolumeReclaimDelete
Expand Down Expand Up @@ -475,13 +489,22 @@ func (r *StorageClusterReconciler) newStorageClassConfigurations(initData *ocsv1
if initData.Spec.ExternalStorage.Enable || !skip {
ret = append(ret, newCephOBCStorageClassConfiguration(initData))
}
// encrypted Ceph Block Pool storageclass will be returned only if
// storage-class encryption + kms is enabled and KMS ConfigMap is available
if initData.Spec.Encryption.StorageClass && initData.Spec.Encryption.KeyManagementService.Enable {

if initData.Spec.Encryption.KeyManagementService.Enable {
kmsConfig, err := getKMSConfigMap(KMSConfigMapName, initData, r.Client)

if err == nil && kmsConfig != nil {
serviceName := kmsConfig.Data["KMS_SERVICE_NAME"]
ret = append(ret, newEncryptedCephBlockPoolStorageClassConfiguration(initData, serviceName))
// encrypted Ceph Block Pool storageclass will be returned only if
// storage-class encryption + kms is enabled and KMS ConfigMap is available
if initData.Spec.Encryption.StorageClass {
ret = append(ret, newEncryptedCephBlockPoolStorageClassConfiguration(initData, serviceName))
}
// encrypted Ceph File System storageclass will be returned only if
// storage-class encryption + kms is enabled and KMS ConfigMap is available
if initData.Spec.Encryption.CephFs.StorageClass {
ret = append(ret, newEncryptedCephFileSystemStorageClassConfiguration(initData, serviceName))
}
} else {
r.Log.Error(err, "Error while getting ConfigMap.", "ConfigMap", klog.KRef(initData.Namespace, KMSConfigMapName))
}
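Review bot: The new outer condition `if initData.Spec.Encryption.KeyManagementService.Enable {` runs getKMSConfigMap, and on failure the `r.Log.Error(...)` in the else branch, even when neither `Spec.Encryption.StorageClass` nor `Spec.Encryption.CephFs.StorageClass` is set, whereas the removed line gated the lookup on the RBD flag. Gating on the flags as well, `if initData.Spec.Encryption.KeyManagementService.Enable && (initData.Spec.Encryption.StorageClass || initData.Spec.Encryption.CephFs.StorageClass) {`, avoids an API read and a spurious ConfigMap error on every reconcile for clusters that enable KMS without requesting an encrypted StorageClass, if that combination is valid in the spec. In the first hunk, `newEncryptedCephFileSystemStorageClassConfiguration` writes into `storageClass.ObjectMeta.Annotations` without a nil check, which is fine only if newCephFilesystemStorageClassConfiguration (not visible here) always initialises the map; its doc comment is also one sentence split in two and should read `// newEncryptedCephFileSystemStorageClassConfiguration generates configuration options for an encrypted Ceph File System StorageClass when the user has asked for PV encryption during deployment.` newStorageClassConfigurations starts outside the second hunk.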
6 changes: 4 additions & 2 deletions functests/ocs/cluster_upgrade_test.go
Expand Up @@ -78,7 +78,8 @@ func ClusterUpgradeTest() {
"CephFilesystems": "custom-cephfs-sc",
"CephNonResilientPools": "custom-ceph-non-resilient-rbd-sc",
"NFS": "custom-ceph-nfs-sc",
"Encryption": "custom-ceph-rbd-encrypted-sc",
"EncryptedRBD": "custom-ceph-rbd-encrypted-sc",
"EncryptedCephFS": "custom-cephfs-encrypted-sc",
}
err = deployManager.AddCustomStorageClassName(customSCName)
gomega.Expect(err).To(gomega.BeNil())
Expand All @@ -102,7 +103,8 @@ func ClusterUpgradeTest() {
"CephFilesystems": "custom-cephfs-new-sc",
"CephNonResilientPools": "custom-ceph-non-resilient-rbd-new-sc",
"NFS": "custom-ceph-nfs-new-sc",
"Encryption": "custom-ceph-rbd-encrypted-new-sc",
"EncryptionRBD": "custom-ceph-rbd-encrypted-new-sc",
"EncryptionCephFS": "custom-cephfs-encrypted-sc",
}
err = deployManager.AddCustomStorageClassName(customSCNameNew)
gomega.Expect(err).To(gomega.BeNil())
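Review bot: The keys in the second map, `"EncryptionRBD"` and `"EncryptionCephFS"`, do not match the keys the first map and pkg/deploy-manager/storagecluster.go use (`customSCNames["EncryptedRBD"]`, `customSCNames["EncryptedCephFS"]`), so the deploy manager's lookups return the empty string in the second phase and the encrypted StorageClass names are never switched to their "new" values. Rename them to `"EncryptedRBD": "custom-ceph-rbd-encrypted-new-sc",` and `"EncryptedCephFS": "custom-cephfs-encrypted-new-sc",`; the second value also lacks the `-new` suffix its siblings carry, which would make the rename phase a no-op for CephFS even with the correct key. ClusterUpgradeTest starts and ends outside both hunks.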
11 changes: 8 additions & 3 deletions pkg/deploy-manager/storagecluster.go
Expand Up @@ -473,9 +473,11 @@ func (t *DeployManager) AddCustomStorageClassName(customSCNames map[string]strin
}

if sc.Spec.Encryption.StorageClass && sc.Spec.Encryption.KeyManagementService.Enable {
sc.Spec.Encryption = ocsv1.EncryptionSpec{
StorageClassName: customSCNames["Encryption"],
}
sc.Spec.Encryption.StorageClassName = customSCNames["EncryptedRBD"]
}

if sc.Spec.Encryption.CephFs.StorageClass && sc.Spec.Encryption.KeyManagementService.Enable {
sc.Spec.Encryption.CephFs.StorageClassName = customSCNames["EncryptedCephFS"]
}

err = t.Client.Update(context.TODO(), sc)
Expand Down Expand Up @@ -510,6 +512,9 @@ func (t *DeployManager) VerifyStorageClassesExist(oldSC map[string]bool) (bool,
if sc.Spec.Encryption.StorageClassName != "" {
expectedSC[sc.Spec.Encryption.StorageClassName] = true
}
if sc.Spec.Encryption.CephFs.StorageClassName != "" {
expectedSC[sc.Spec.Encryption.CephFs.StorageClassName] = true
}

for name := range expectedSC {
if !currentSC[name] {
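Review bot: `sc.Spec.Encryption.CephFs.StorageClassName = customSCNames["EncryptedCephFS"]`, like the RBD line above it, assigns whatever the map returns, so a caller that omits or misspells the key silently clears the custom name back to the default instead of failing. Guard the lookup, `if name, ok := customSCNames["EncryptedCephFS"]; ok { sc.Spec.Encryption.CephFs.StorageClassName = name }`, or return an error when the key is absent; either would have surfaced the mismatched keys in functests/ocs/cluster_upgrade_test.go. The other branches of AddCustomStorageClassName are outside the hunk, so if they use the same bare lookup the change belongs in all of them; the function starts outside the hunk.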

0 comments on commit a2985f1

Please sign in to comment.