controllers: Add logic to Create cephfs encrypted storageclass

api/v1/storagecluster_types.go

@@ -456,18 +456,33 @@ type EncryptionSpec struct {
 	Enable bool `json:"enable,omitempty"`
 	// +optional
 	ClusterWide bool `json:"clusterWide,omitempty"`
+	// Configure the RBD encrypted storage class
 	// +optional
 	StorageClass bool `json:"storageClass,omitempty"`
 	// StorageClassName specifies the name of the storage class created for ceph encrypted block pools
 	// +kubebuilder:validation:MaxLength=253
 	// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-	StorageClassName     string                   `json:"storageClassName,omitempty"`
+	StorageClassName string `json:"storageClassName,omitempty"`
+	// Configure the CephFS encrypted storage class
+	// +optional
+	CephFS               StorageClassSpec         `json:"cephFS,omitempty"`
 	KeyManagementService KeyManagementServiceSpec `json:"kms,omitempty"`
 	// KeyRotation defines options for Key Rotation.
 	// +optional
 	KeyRotation KeyRotationSpec `json:"keyRotation,omitempty"`
 }
 
+type StorageClassSpec struct {
+	// Create storage class
+	// +optional
+	StorageClass bool `json:"storageClass,omitempty"`
+	// StorageClassName specifies the name of the storage class
+	// +optional
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:Pattern=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+	StorageClassName string `json:"storageClassName,omitempty"`
+}
+
 // KeyRotationSpec represents the settings for Key Rotation.
 type KeyRotationSpec struct {
 	// Enable represents whether the key rotation is enabled.

config/crd/bases/ocs.openshift.io_storageclusters.yaml

@@ -567,6 +567,19 @@ spec:
                 description: EncryptionSpec defines if encryption should be enabled
                   for the Storage Cluster It is optional and defaults to false.
                 properties:
+                  cephFS:
+                    description: Configure the CephFS encrypted storage class
+                    properties:
+                      storageClass:
+                        description: Create storage class
+                        type: boolean
+                      storageClassName:
+                        description: StorageClassName specifies the name of the storage
+                          class
+                        maxLength: 253
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                        type: string
+                    type: object
                   clusterWide:
                     type: boolean
                   enable:
@@ -595,6 +608,7 @@ spec:
                         type: boolean
                     type: object
                   storageClass:
+                    description: Configure the RBD encrypted storage class
                     type: boolean
                   storageClassName:
                     description: StorageClassName specifies the name of the storage

controllers/storagecluster/generate.go

@@ -95,6 +95,13 @@ func generateNameForEncryptedCephBlockPoolSC(initData *ocsv1.StorageCluster) str
 	return fmt.Sprintf("%s-ceph-rbd-encrypted", initData.Name)
 }
 
+func generateNameForEncryptedCephFileSystemSC(initData *ocsv1.StorageCluster) string {
+	if initData.Spec.Encryption.CephFS.StorageClassName != "" {
+		return initData.Spec.Encryption.CephFS.StorageClassName
+	}
+	return fmt.Sprintf("%s-cephfs-encrypted", initData.Name)
+}
+
 func generateNameForCephNetworkFilesystemSC(initData *ocsv1.StorageCluster) string {
 	if initData.Spec.NFS.StorageClassName != "" {
 		return initData.Spec.NFS.StorageClassName

controllers/storagecluster/reconcile.go

@@ -849,10 +849,16 @@ func validateCustomStorageClassNames(sc *ocsv1.StorageCluster) error {
 	}
 	if sc.Spec.Encryption.StorageClass && sc.Spec.Encryption.KeyManagementService.Enable && sc.Spec.Encryption.StorageClassName != "" {
 		if _, ok := scMap[sc.Spec.Encryption.StorageClassName]; ok {
-			duplicateNames = append(duplicateNames, "Encryption")
+			duplicateNames = append(duplicateNames, "RBD-Encryption")
 		}
 		scMap[sc.Spec.Encryption.StorageClassName] = true
 	}
+	if sc.Spec.Encryption.CephFS.StorageClass && sc.Spec.Encryption.KeyManagementService.Enable && sc.Spec.Encryption.CephFS.StorageClassName != "" {
+		if _, ok := scMap[sc.Spec.Encryption.CephFS.StorageClassName]; ok {
+			duplicateNames = append(duplicateNames, "CephFS-Encryption")
+		}
+		scMap[sc.Spec.Encryption.CephFS.StorageClassName] = true
+	}
 
 	if len(duplicateNames) > 0 {
 		return fmt.Errorf("Duplicate StorageClass name(s) provided: %v", duplicateNames)

controllers/storagecluster/storageclasses.go

@@ -413,6 +413,18 @@ func newEncryptedCephBlockPoolStorageClassConfiguration(initData *ocsv1.StorageC
 	return encryptedStorageClassConfig
 }
 
+// newEncryptedCephFileSystemStorageClassConfiguration generates configuration options for an encrypted Ceph File System StorageClass.
+// when user has asked for PV encryption during deployment.
+func newEncryptedCephFileSystemStorageClassConfiguration(initData *ocsv1.StorageCluster, serviceName string) StorageClassConfiguration {
+	allowVolumeExpansion := true
+	encryptedStorageClassConfig := newCephFilesystemStorageClassConfiguration(initData)
+	encryptedStorageClassConfig.storageClass.ObjectMeta.Name = generateNameForEncryptedCephFileSystemSC(initData)
+	encryptedStorageClassConfig.storageClass.Parameters["encrypted"] = "true"
+	encryptedStorageClassConfig.storageClass.Parameters["encryptionKMSID"] = serviceName
+	encryptedStorageClassConfig.storageClass.AllowVolumeExpansion = &allowVolumeExpansion
+	return encryptedStorageClassConfig
+}
+
 // newCephOBCStorageClassConfiguration generates configuration options for a Ceph Object Store StorageClass.
 func newCephOBCStorageClassConfiguration(initData *ocsv1.StorageCluster) StorageClassConfiguration {
 	reclaimPolicy := corev1.PersistentVolumeReclaimDelete
@@ -475,13 +487,22 @@ func (r *StorageClusterReconciler) newStorageClassConfigurations(initData *ocsv1
 	if initData.Spec.ExternalStorage.Enable || !skip {
 		ret = append(ret, newCephOBCStorageClassConfiguration(initData))
 	}
-	// encrypted Ceph Block Pool storageclass will be returned only if
-	// storage-class encryption + kms is enabled and KMS ConfigMap is available
-	if initData.Spec.Encryption.StorageClass && initData.Spec.Encryption.KeyManagementService.Enable {
+
+	if initData.Spec.Encryption.KeyManagementService.Enable {
 		kmsConfig, err := getKMSConfigMap(KMSConfigMapName, initData, r.Client)
+
 		if err == nil && kmsConfig != nil {
 			serviceName := kmsConfig.Data["KMS_SERVICE_NAME"]
-			ret = append(ret, newEncryptedCephBlockPoolStorageClassConfiguration(initData, serviceName))
+			// encrypted Ceph Block Pool storageclass will be returned only if
+			// storage-class encryption + kms is enabled and KMS ConfigMap is available
+			if initData.Spec.Encryption.StorageClass {
+				ret = append(ret, newEncryptedCephBlockPoolStorageClassConfiguration(initData, serviceName))
+			}
+			// encrypted Ceph File System storageclass will be returned only if
+			// storage-class encryption + kms is enabled and KMS ConfigMap is available
+			if initData.Spec.Encryption.CephFS.StorageClass {
+				ret = append(ret, newEncryptedCephFileSystemStorageClassConfiguration(initData, serviceName))
+			}
 		} else {
 			r.Log.Error(err, "Error while getting ConfigMap.", "ConfigMap", klog.KRef(initData.Namespace, KMSConfigMapName))
 		}

deploy/csv-templates/crds/ocs/ocs.openshift.io_storageclusters.yaml

@@ -567,6 +567,19 @@ spec:
                 description: EncryptionSpec defines if encryption should be enabled
                   for the Storage Cluster It is optional and defaults to false.
                 properties:
+                  cephFS:
+                    description: Configure the CephFS encrypted storage class
+                    properties:
+                      storageClass:
+                        description: Create storage class
+                        type: boolean
+                      storageClassName:
+                        description: StorageClassName specifies the name of the storage
+                          class
+                        maxLength: 253
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                        type: string
+                    type: object
                   clusterWide:
                     type: boolean
                   enable:
@@ -595,6 +608,7 @@ spec:
                         type: boolean
                     type: object
                   storageClass:
+                    description: Configure the RBD encrypted storage class
                     type: boolean
                   storageClassName:
                     description: StorageClassName specifies the name of the storage

deploy/ocs-operator/manifests/storagecluster.crd.yaml

@@ -566,6 +566,19 @@ spec:
                 description: EncryptionSpec defines if encryption should be enabled
                   for the Storage Cluster It is optional and defaults to false.
                 properties:
+                  cephFS:
+                    description: Configure the CephFS encrypted storage class
+                    properties:
+                      storageClass:
+                        description: Create storage class
+                        type: boolean
+                      storageClassName:
+                        description: StorageClassName specifies the name of the storage
+                          class
+                        maxLength: 253
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                        type: string
+                    type: object
                   clusterWide:
                     type: boolean
                   enable:
@@ -594,6 +607,7 @@ spec:
                         type: boolean
                     type: object
                   storageClass:
+                    description: Configure the RBD encrypted storage class
                     type: boolean
                   storageClassName:
                     description: StorageClassName specifies the name of the storage

functests/ocs/cluster_upgrade_test.go

@@ -78,7 +78,8 @@ func ClusterUpgradeTest() {
 					"CephFilesystems":       "custom-cephfs-sc",
 					"CephNonResilientPools": "custom-ceph-non-resilient-rbd-sc",
 					"NFS":                   "custom-ceph-nfs-sc",
-					"Encryption":            "custom-ceph-rbd-encrypted-sc",
+					"EncryptedRBD":          "custom-ceph-rbd-encrypted-sc",
+					"EncryptedCephFS":       "custom-cephfs-encrypted-sc",
 				}
 				err = deployManager.AddCustomStorageClassName(customSCName)
 				gomega.Expect(err).To(gomega.BeNil())
@@ -102,7 +103,8 @@ func ClusterUpgradeTest() {
 					"CephFilesystems":       "custom-cephfs-new-sc",
 					"CephNonResilientPools": "custom-ceph-non-resilient-rbd-new-sc",
 					"NFS":                   "custom-ceph-nfs-new-sc",
-					"Encryption":            "custom-ceph-rbd-encrypted-new-sc",
+					"EncryptionRBD":         "custom-ceph-rbd-encrypted-new-sc",
+					"EncryptionCephFS":      "custom-cephfs-encrypted-sc",
 				}
 				err = deployManager.AddCustomStorageClassName(customSCNameNew)
 				gomega.Expect(err).To(gomega.BeNil())

pkg/deploy-manager/storagecluster.go

@@ -473,9 +473,11 @@ func (t *DeployManager) AddCustomStorageClassName(customSCNames map[string]strin
 	}
 
 	if sc.Spec.Encryption.StorageClass && sc.Spec.Encryption.KeyManagementService.Enable {
-		sc.Spec.Encryption = ocsv1.EncryptionSpec{
-			StorageClassName: customSCNames["Encryption"],
-		}
+		sc.Spec.Encryption.StorageClassName = customSCNames["EncryptedRBD"]
+	}
+
+	if sc.Spec.Encryption.CephFS.StorageClass && sc.Spec.Encryption.KeyManagementService.Enable {
+		sc.Spec.Encryption.CephFS.StorageClassName = customSCNames["EncryptedCephFS"]
 	}
 
 	err = t.Client.Update(context.TODO(), sc)
@@ -510,6 +512,9 @@ func (t *DeployManager) VerifyStorageClassesExist(oldSC map[string]bool) (bool,
 	if sc.Spec.Encryption.StorageClassName != "" {
 		expectedSC[sc.Spec.Encryption.StorageClassName] = true
 	}
+	if sc.Spec.Encryption.CephFS.StorageClassName != "" {
+		expectedSC[sc.Spec.Encryption.CephFS.StorageClassName] = true
+	}
 
 	for name := range expectedSC {
 		if !currentSC[name] {