helm: support encryption config in ceph-csi-cephfs chart

this chart currently lack the ability to properly configure encryption, as well as granting sufficent permission to allow controllers to access secret when needed. Signed-off-by: Antoine C <hi@acolombier.dev>
2025-06-13 02:33:34 +00:00 · 2024-04-01 23:49:57 +01:00
parent dc4ca2015e
commit cc407d157e
8 changed files with 120 additions and 0 deletions
--- a/charts/ceph-csi-cephfs/templates/encryptionkms-configmap.yaml
+++ b/charts/ceph-csi-cephfs/templates/encryptionkms-configmap.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.kmsConfigMapName | quote }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "ceph-csi-cephfs.name" . }}
+    chart: {{ include "ceph-csi-cephfs.chart" . }}
+    component: {{ .Values.nodeplugin.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+data:
+  config.json: |-
+{{ toJson .Values.encryptionKMSConfig | indent 4 -}}
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
@ -3,6 +3,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ include "ceph-csi-cephfs.name" . }}
    chart: {{ include "ceph-csi-cephfs.chart" . }}
@ -14,10 +15,14 @@ rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
+  # allow to read Vault Token and connection options from the Tenants namespace
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
+{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace (not (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace)) }}
+  # allow to read the encryption key used with the metadata KMS
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
 {{- end -}}
+{{- end -}}
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml
@ -0,0 +1,21 @@
+{{- if .Values.rbac.create -}}
+{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace  .Values.encryptionKMSConfig.secretName (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace) -}}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
+  labels:
+    app: {{ include "ceph-csi-cephfs.name" . }}
+    chart: {{ include "ceph-csi-cephfs.chart" . }}
+    component: {{ .Values.nodeplugin.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+rules:
+  # allow to read the encryption key used with the metadata KMS
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
+    resourceNames: [{{ .Values.encryptionKMSConfig.secretName | quote }}]
+{{- end -}}
+{{- end -}}
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml
@ -0,0 +1,24 @@
+{{- if .Values.rbac.create -}}
+{{- if and (eq .Values.encryptionKMSConfig.encryptionKMSType "metadata") (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace) -}}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "ceph-csi-cephfs.name" . }}
+    chart: {{ include "ceph-csi-cephfs.chart" . }}
+    component: {{ .Values.nodeplugin.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}
+{{- end -}}
--- a/charts/ceph-csi-cephfs/templates/storageclass.yaml
+++ b/charts/ceph-csi-cephfs/templates/storageclass.yaml
@ -20,6 +20,12 @@ parameters:
 {{- if .Values.storageClass.pool }}
  pool: {{ .Values.storageClass.pool }}
 {{- end }}
+{{- if .Values.storageClass.encrypted }}
+  encrypted: "{{ .Values.storageClass.encrypted }}"
+{{- end }}
+{{- if .Values.storageClass.encryptionKMSID }}
+  encryptionKMSID: {{ .Values.storageClass.encryptionKMSID }}
+{{- end }}
 {{- if .Values.storageClass.fuseMountOptions }}
  fuseMountOptions: "{{ .Values.storageClass.fuseMountOptions }}"
 {{- end }}