Add KMS details to places when any of the DeviceSet is encrypted

Earlier we were adding KMS details to CephCluster, CephObjectStore Noobaa & metrics when Cluster wide encryption was enabled. But now we are adding KMS details to these places when any of the deviceSet is encrypted. Signed-off-by: Malay Kumar Parida <[email protected]>
red-hat-storage · Oct 14, 2024 · fc803c9 · fc803c9
1 parent be77c56
commit fc803c9
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 13 deletions.
diff --git a/controllers/storagecluster/cephcluster.go b/controllers/storagecluster/cephcluster.go
@@ -167,10 +167,11 @@ func (obj *ocsCephCluster) ensureCreated(r *StorageClusterReconciler, sc *ocsv1.
 		cephCluster = newExternalCephCluster(sc, monitoringIP, monitoringPort)
 	} else {
 		// Add KMS details to CephCluster spec, only if
-		// cluster-wide encryption is enabled
-		// ie, sc.Spec.Encryption.ClusterWide/sc.Spec.Encryption.Enable is True
+		// cluster-wide encryption is enabled or any of the device set is encrypted
+		// ie, sc.Spec.Encryption.ClusterWide/sc.Spec.Encryption.Enable is True or any device is encrypted
 		// and KMS ConfigMap is available
-		if sc.Spec.Encryption.Enable || sc.Spec.Encryption.ClusterWide {
+
+		if util.IsClusterOrDeviceSetEncrypted(sc) {
 			kmsConfigMap, err := getKMSConfigMap(KMSConfigMapName, sc, r.Client)
 			if err != nil {
 				r.Log.Error(err, "Failed to procure KMS ConfigMap.", "KMSConfigMap", klog.KRef(sc.Namespace, KMSConfigMapName))
@@ -882,7 +883,7 @@ func newStorageClassDeviceSets(sc *ocsv1.StorageCluster) []rookCephv1.StorageCla
 				Portable:            portable,
 				TuneSlowDeviceClass: ds.Config.TuneSlowDeviceClass,
 				TuneFastDeviceClass: ds.Config.TuneFastDeviceClass,
-				Encrypted:           sc.Spec.Encryption.Enable || sc.Spec.Encryption.ClusterWide,
+				Encrypted:           isDeviceSetToBeEncrypted(sc, ds),
 			}
 
 			if ds.MetadataPVCTemplate != nil {
@@ -989,6 +990,13 @@ func countAndReplicaOf(ds *ocsv1.StorageDeviceSet) (int, int) {
 	return count, replica
 }
 
+func isDeviceSetToBeEncrypted(sc *ocsv1.StorageCluster, ds ocsv1.StorageDeviceSet) bool {
+	if ds.Encrypted != nil {
+		return *ds.Encrypted
+	}
+	return sc.Spec.Encryption.Enable || sc.Spec.Encryption.ClusterWide
+}
+
 func newCephDaemonResources(sc *ocsv1.StorageCluster) map[string]corev1.ResourceRequirements {
 	resources := map[string]corev1.ResourceRequirements{
 		"mon": defaults.GetProfileDaemonResources("mon", sc),

diff --git a/controllers/storagecluster/cephobjectstores.go b/controllers/storagecluster/cephobjectstores.go
@@ -7,6 +7,7 @@ import (
 	ocsv1 "github.com/red-hat-storage/ocs-operator/api/v4/v1"
 	"github.com/red-hat-storage/ocs-operator/v4/controllers/defaults"
 	"github.com/red-hat-storage/ocs-operator/v4/controllers/platform"
+	"github.com/red-hat-storage/ocs-operator/v4/controllers/util"
 	cephv1 "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -42,10 +43,10 @@ func (obj *ocsCephObjectStores) ensureCreated(r *StorageClusterReconciler, insta
 	}
 	var cephObjectStores []*cephv1.CephObjectStore
 	// Add KMS details to cephObjectStores spec, only if
-	// cluster-wide encryption is enabled
-	// ie, sc.Spec.Encryption.ClusterWide/sc.Spec.Encryption.Enable is True
+	// cluster-wide encryption is enabled or any of the device set is encrypted
+	// ie, sc.Spec.Encryption.ClusterWide/sc.Spec.Encryption.Enable is True or any of the deviceSet is encrypted
 	// and KMS ConfigMap is available
-	if instance.Spec.Encryption.Enable || instance.Spec.Encryption.ClusterWide {
+	if util.IsClusterOrDeviceSetEncrypted(instance) {
 		kmsConfigMap, err := getKMSConfigMap(KMSConfigMapName, instance, r.Client)
 		if err != nil {
 			r.Log.Error(err, "Failed to procure KMS ConfigMap.", "KMSConfigMap", klog.KRef(instance.Namespace, KMSConfigMapName))

diff --git a/controllers/storagecluster/noobaa_system_reconciler.go b/controllers/storagecluster/noobaa_system_reconciler.go
@@ -230,10 +230,10 @@ func (r *StorageClusterReconciler) setNooBaaDesiredState(nb *nbv1.NooBaa, sc *oc
 
 	// Add KMS details to Noobaa spec, only if
 	// KMS is enabled, along with
-	// ClusterWide encryption OR in a StandAlone Noobaa cluster mode
+	// ClusterWide encryption/any deviceSet Encryption OR in a StandAlone Noobaa cluster mode
 	// PS: sc.Spec.Encryption.Enable field is deprecated and added for backward compatibility
 	if sc.Spec.Encryption.KeyManagementService.Enable &&
-		(sc.Spec.Encryption.Enable || sc.Spec.Encryption.ClusterWide || r.IsNoobaaStandalone) {
+		(util.IsClusterOrDeviceSetEncrypted(sc) || r.IsNoobaaStandalone) {
 		if kmsConfig, err := getKMSConfigMap(KMSConfigMapName, sc, r.Client); err != nil {
 			return err
 		} else if kmsConfig != nil {

diff --git a/controllers/util/util.go b/controllers/util/util.go
@@ -5,9 +5,10 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
-	ocsv1 "github.com/red-hat-storage/ocs-operator/api/v4/v1"
 	"os"
 
+	ocsv1 "github.com/red-hat-storage/ocs-operator/api/v4/v1"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -42,8 +43,8 @@ func GetKeyRotationSpec(sc *ocsv1.StorageCluster) (bool, string) {
 	}
 
 	if sc.Spec.Encryption.KeyRotation.Enable == nil {
-		if (sc.Spec.Encryption.Enable || sc.Spec.Encryption.ClusterWide) && !sc.Spec.Encryption.KeyManagementService.Enable {
-			// use key-rotation by default if cluster-wide encryption is opted without KMS & "enable" spec is missing
+		if IsClusterOrDeviceSetEncrypted(sc) && !sc.Spec.Encryption.KeyManagementService.Enable {
+			// use key-rotation by default if cluster-wide encryption/any deviceSet encryption is opted without KMS & "enable" spec is missing
 			return true, schedule
 		}
 		return false, schedule
@@ -103,3 +104,19 @@ func AssertEqual[T comparable](actual T, expected T, exitCode int) {
 		os.Exit(exitCode)
 	}
 }
+
+func IsClusterOrDeviceSetEncrypted(sc *ocsv1.StorageCluster) bool {
+	// If cluster-wide encryption is enabled
+	if sc.Spec.Encryption.Enable || sc.Spec.Encryption.ClusterWide {
+		return true
+	}
+
+	// If any device set is encrypted
+	for _, deviceSet := range sc.Spec.StorageDeviceSets {
+		if deviceSet.Encrypted != nil && *deviceSet.Encrypted {
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/metrics/internal/collectors/storage-cluster.go b/metrics/internal/collectors/storage-cluster.go
@@ -9,6 +9,7 @@ import (
 
 	v1 "github.com/red-hat-storage/ocs-operator/api/v4/v1"
 	"github.com/red-hat-storage/ocs-operator/metrics/v4/internal/options"
+	"github.com/red-hat-storage/ocs-operator/v4/controllers/util"
 )
 
 type StorageClusterCollector struct {
@@ -79,7 +80,7 @@ func getAllStorageClusters(lister StorageClusterLister) []*v1.StorageCluster {
 func (c *StorageClusterCollector) collectKMSConnectionStatuses(ch chan<- prometheus.Metric, storageClusters []*v1.StorageCluster) {
 	for _, storageCluster := range storageClusters {
 		v := 2
-		if storageCluster.Spec.Encryption.Enable || storageCluster.Spec.Encryption.ClusterWide {
+		if util.IsClusterOrDeviceSetEncrypted(storageCluster) {
 			v = 0
 			if storageCluster.Status.KMSServerConnection.KMSServerConnectionError != "" {
 				v = 1