helm: support encryption config in ceph-csi-cephfs chart

this chart currently lack the ability to properly configure encryption, as well as granting sufficent permission to allow controllers to access secret when needed. Signed-off-by: Antoine C <hi@acolombier.dev>
2025-06-13 10:33:35 +00:00 · 2024-04-01 23:49:57 +01:00
parent dc4ca2015e
commit cc407d157e
8 changed files with 120 additions and 0 deletions
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
@ -3,6 +3,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ include "ceph-csi-cephfs.name" . }}
    chart: {{ include "ceph-csi-cephfs.chart" . }}
@ -14,10 +15,14 @@ rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
+  # allow to read Vault Token and connection options from the Tenants namespace
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
+{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace (not (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace)) }}
+  # allow to read the encryption key used with the metadata KMS
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
 {{- end -}}
+{{- end -}}