provider-server: send info of kernelMountOptions for cephfs to client

add kernel mount option ms_mode=secure to cephfs storageclass data when encryption in transit is enabled Signed-off-by: Rohan Gupta <rohgupta@redhat.com>
red-hat-storage · Jul 20, 2024 · 3e165cc · 3e165cc
1 parent f62ae00
commit 3e165cc
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/services/provider/server/server.go b/services/provider/server/server.go
@@ -52,8 +52,9 @@ const (
 )
 
 const (
-	monConfigMap = "rook-ceph-mon-endpoints"
-	monSecret    = "rook-ceph-mon"
+	monConfigMap            = "rook-ceph-mon-endpoints"
+	monSecret               = "rook-ceph-mon"
+	kernelMountOptionSecure = "ms_mode=secure"
 )
 
 type OCSProviderServer struct {
@@ -655,6 +656,12 @@ func (s *OCSProviderServer) GetStorageClaimConfig(ctx context.Context, req *pb.S
 				"csi.storage.k8s.io/controller-expand-secret-name": provisionerSecretName,
 			}
 
+			if kernelMountOptions, err := s.getCephfsKernelMountOptions(ctx); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to get kernel mount options. %v", err)
+			} else if kernelMountOptions != "" {
+				cephfsStorageClassData["kernelmountoptions"] = kernelMountOptions
+			}
+
 			extR = append(extR,
 				&pb.ExternalResource{
 					Name: "cephfs",
@@ -737,3 +744,25 @@ func (s *OCSProviderServer) getOCSSubscriptionChannel(ctx context.Context) (stri
 	}
 	return subscription.Spec.Channel, nil
 }
+
+func (s *OCSProviderServer) getCephfsKernelMountOptions(ctx context.Context) (string, error) {
+
+	clusters, err := util.GetClusters(ctx, s.client)
+	if err != nil {
+		return "", fmt.Errorf("failed to get clusters: %v", err)
+	}
+
+	storageClusters := clusters.GetStorageClustersInNamespace(s.namespace)
+	if len(storageClusters) == 0 {
+		return "", fmt.Errorf("no storage clusters found in namespace %s", s.namespace)
+	}
+
+	if storageClusters[0].Spec.Network != nil &&
+		storageClusters[0].Spec.Network.Connections != nil &&
+		storageClusters[0].Spec.Network.Connections.Encryption != nil &&
+		storageClusters[0].Spec.Network.Connections.Encryption.Enabled {
+		return kernelMountOptionSecure, nil
+	}
+
+	return "", nil
+}
diff --git a/services/provider/server/server_test.go b/services/provider/server/server_test.go
@@ -7,6 +7,7 @@ import (
 	"strconv"
 	"testing"
 
+	ocsv1 "github.com/red-hat-storage/ocs-operator/api/v4/v1"
 	ocsv1alpha1 "github.com/red-hat-storage/ocs-operator/api/v4/v1alpha1"
 	controllers "github.com/red-hat-storage/ocs-operator/v4/controllers/storageconsumer"
 	pb "github.com/red-hat-storage/ocs-operator/v4/services/provider/pb"
@@ -680,6 +681,13 @@ func TestOCSProviderServerGetStorageClaimConfig(t *testing.T) {
 				Phase: ocsv1alpha1.StorageRequestFailed,
 			},
 		}
+		storageClusterResourceName = "mock-storage-cluster"
+		storageClustersResource    = &ocsv1.StorageCluster{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      storageClusterResourceName,
+				Namespace: serverNamespace,
+			},
+		}
 	)
 
 	ctx := context.TODO()
@@ -690,6 +698,7 @@ func TestOCSProviderServerGetStorageClaimConfig(t *testing.T) {
 		claimResourceInitializing,
 		claimResourceCreating,
 		claimResourceFailed,
+		storageClustersResource,
 	}
 
 	// Create a fake client to mock API calls.