EIT

deploy/kubernetes/driver/kubernetes/manifests/node-server.yaml

@@ -89,6 +89,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            - name: SOCKET_PATH
+              value: "/var/lib/ibmshare.sock"
           resources:
             limits:
               cpu: 200m
@@ -132,6 +134,10 @@ spec:
             - name: cluster-info
               readOnly: true
               mountPath: /etc/storage_ibmc/cluster_info
+            - mountPath: /var/lib
+              name: libpath
+            - mountPath: /tmp/mount-helper
+              name: mh-logs
         - name: liveness-probe
           image: MUSTPATCHWITHKUSTOMIZE
           securityContext:
@@ -219,3 +225,10 @@ spec:
             - serviceAccountToken:
                 path: vault-token
                 expirationSeconds: 600
+        - name: libpath
+          hostPath:
+            path: /var/lib
+            type: Directory
+        - name: mh-logs
+          hostPath:
+            path: /opt/ibm/mount-ibmshare/

deploy/kubernetes/storageclass/ibmc-vpc-file-eit-StorageClass.yaml

@@ -0,0 +1,27 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: ibmc-vpc-file-eit
+provisioner: vpc.file.csi.ibm.io
+parameters:
+  profile: "dp2"                    # The VPC Storage profile used. /docs/vpc?topic=vpc-block-storage-profiles&interface=ui#tiers-beta
+  iops: "200"                       # Default IOPS. User can override from secrets
+  billingType: "hourly"             # The default billing policy used. User can override this default
+  encrypted: "false"                # By default, all PVC using this class will only be provider managed encrypted. The user can override this default
+  encryptionKey: ""                 # If encrypted is true, then a user must specify the encryption key used associated KP instance
+  resourceGroup: ""                 # Use resource group if specified here. else use the one mentioned in storage-secrete-store
+  zone: ""                          # By default, the storage vpc driver will select a zone. The user can override this default
+  tags: ""                          # A list of tags "a, b, c" that will be created when the volume is created. This can be overidden by user
+  classVersion: "1"
+  uid: "0"                          # The initial user identifier for the file share.
+  gid: "0"                          # The initial group identifier for the file share.
+  isENIEnabled: "true"              # VPC File Share will use the ENI/VNI feature
+  isEITEnabled: "true"              # VPC File Share will have EIT enabled.
+  securityGroupIDs: ""              # Give command separated list of security group ids.Use whatever given else default security group will be used
+  subnetID: ""                      # Give subnetID in which the ENI/VNI will be created. If not provided lets use the subnet-id available in the VPC zone same as the one part of the cluster.
+  region: ""
+  zone: ""                          # By default, the storage vpc driver will select a zone. The user can override this default
+  primaryIPID: ""                   # Existing ID of reserved IP from the same subnet as the file share zone.Subnet-id is not mandatory for this
+  primaryIPAddress: ""              # IPAddress for ENI/VNI to be created in the respective subnet of the zone. Subnet-id is mandatory for this.
+reclaimPolicy: "Delete"
+allowVolumeExpansion: true

deploy/kubernetes/storageclass/ibmc-vpc-file-eit-retain-StorageClass.yaml

@@ -0,0 +1,27 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: ibmc-vpc-file-eit-retain
+provisioner: vpc.file.csi.ibm.io
+parameters:
+  profile: "dp2"                    # The VPC Storage profile used. /docs/vpc?topic=vpc-block-storage-profiles&interface=ui#tiers-beta
+  iops: "200"                       # Default IOPS. User can override from secrets
+  billingType: "hourly"             # The default billing policy used. User can override this default
+  encrypted: "false"                # By default, all PVC using this class will only be provider managed encrypted. The user can override this default
+  encryptionKey: ""                 # If encrypted is true, then a user must specify the encryption key used associated KP instance
+  resourceGroup: ""                 # Use resource group if specified here. else use the one mentioned in storage-secrete-store
+  zone: ""                          # By default, the storage vpc driver will select a zone. The user can override this default
+  tags: ""                          # A list of tags "a, b, c" that will be created when the volume is created. This can be overidden by user
+  classVersion: "1"
+  uid: "0"                          # The initial user identifier for the file share.
+  gid: "0"                          # The initial group identifier for the file share.
+  isENIEnabled: "true"              # VPC File Share will use the ENI/VNI feature
+  isEITEnabled: "true"              # VPC File Share will have EIT enabled.
+  securityGroupIDs: ""              # Give command separated list of security group ids.Use whatever given else default security group will be used
+  subnetID: ""                      # Give subnetID in which the ENI/VNI will be created. If not provided lets use the subnet-id available in the VPC zone same as the one part of the cluster.
+  region: ""
+  zone: ""                          # By default, the storage vpc driver will select a zone. The user can override this default
+  primaryIPID: ""                   # Existing ID of reserved IP from the same subnet as the file share zone.Subnet-id is not mandatory for this
+  primaryIPAddress: ""              # IPAddress for ENI/VNI to be created in the respective subnet of the zone. Subnet-id is mandatory for this.
+reclaimPolicy: "Retain"
+allowVolumeExpansion: true

pkg/ibmcsidriver/constants.go

@@ -125,12 +125,18 @@ const (
 	// SecurityGroup
 	SecurityGroup = "security_group"
 
+	// EncryptionTransitMode
+	EncryptionTransitMode = "user_managed"
+
 	// VPC
 	VPC = "vpc"
 
 	// IsENIEnabled
 	IsENIEnabled = "isENIEnabled"
 
+	// IsEITEnabled
+	IsEITEnabled = "isEITEnabled"
+
 	// SecurityGroupIDs
 	SecurityGroupIDs = "securityGroupIDs"
 

pkg/ibmcsidriver/controller.go

@@ -269,6 +269,7 @@ func (csiCS *CSIControllerServer) CreateVolume(ctx context.Context, req *csi.Cre
 	ctxLogger.Info("VolumeAccessPoint is in stable state", zap.Reflect("Volume Access Point", volumeAccessPointObj.AccessPointID))
 
 	volumeObj.AccessControlMode = requestedVolume.AccessControlMode
+	volumeObj.TransitEncryption = requestedVolume.TransitEncryption
 
 	// return csi volume object
 	return createCSIVolumeResponse(*volumeObj, *volumeAccessPointObj, int64(*(requestedVolume.Capacity)*utils.GB), nil, csiCS.CSIProvider.GetClusterID()), nil

pkg/ibmcsidriver/controller_helper.go

@@ -178,7 +178,9 @@ func getVolumeParameters(logger *zap.Logger, req *csi.CreateVolumeRequest, confi
 				volume.VPCVolume.SubnetID = value
 			}
 		case IsENIEnabled:
-			err = setISENIEnabled(volume, key, strings.ToLower(value))
+			err = checkAndSetISENIEnabled(volume, key, strings.ToLower(value))
+		case IsEITEnabled:
+			err = checkAndSetISEITEnabled(volume, key, strings.ToLower(value))
 		case ResourceGroup:
 			if len(value) > ResourceGroupIDMaxLen {
 				err = fmt.Errorf("%s:<%v> exceeds %d chars", key, value, ResourceGroupIDMaxLen)
@@ -318,6 +320,13 @@ func getVolumeParameters(logger *zap.Logger, req *csi.CreateVolumeRequest, confi
 		}
 	}
 
+	// For enabling EIT, check if ENI is enabled or not. If not, fail with error as to enable encryption in transit, accessControlMode must be set to security_group.
+	if volume.VPCVolume.TransitEncryption == EncryptionTransitMode && volume.VPCVolume.AccessControlMode != SecurityGroup {
+		err = fmt.Errorf("ENI must be enabled i.e accessControlMode must be set to security_group for creating EIT enabled fileShare. Set 'isENIEnabled' to 'true' in storage class parameters")
+		logger.Error("getVolumeParameters", zap.NamedError("InvalidParameter", err))
+		return volume, err
+	}
+
 	//TODO port the code from VPC BLOCK to find region if zone is given
 
 	//If the zone is not provided in storage class parameters then we pick from the Topology
@@ -346,8 +355,8 @@ func setSecurityGroupList(volume *provider.Volume, value string) {
 	volume.VPCVolume.SecurityGroups = &securityGroups
 }
 
-// setISENIEnabled
-func setISENIEnabled(volume *provider.Volume, key string, value string) error {
+// checkAndSetISENIEnabled
+func checkAndSetISENIEnabled(volume *provider.Volume, key string, value string) error {
 	var err error
 	if value != TrueStr && value != FalseStr {
 		err = fmt.Errorf("'<%v>' is invalid, value of '%s' should be [true|false]", value, key)
@@ -362,6 +371,19 @@ func setISENIEnabled(volume *provider.Volume, key string, value string) error {
 	return err
 }
 
+// checkAndSetISEITEnabled
+func checkAndSetISEITEnabled(volume *provider.Volume, key string, value string) error {
+	var err error
+	if value != TrueStr && value != FalseStr {
+		err = fmt.Errorf("'<%v>' is invalid, value of '%s' should be [true|false]", value, key)
+		return err
+	}
+	if value == TrueStr {
+		volume.VPCVolume.TransitEncryption = EncryptionTransitMode
+	}
+	return nil
+}
+
 // setPrimaryIPID
 func setPrimaryIPID(volume *provider.Volume, key string, value string) error {
 	//We are failing in case PrimaryIPAddress is already set.
@@ -501,7 +523,9 @@ func overrideParams(logger *zap.Logger, req *csi.CreateVolumeRequest, config *co
 				volume.VPCVolume.SubnetID = value
 			}
 		case IsENIEnabled:
-			err = setISENIEnabled(volume, key, strings.ToLower(value))
+			err = checkAndSetISENIEnabled(volume, key, strings.ToLower(value))
+		case IsEITEnabled:
+			err = checkAndSetISEITEnabled(volume, key, strings.ToLower(value))
 		default:
 			err = fmt.Errorf("<%s> is an invalid parameter", key)
 		}
@@ -585,6 +609,11 @@ func createCSIVolumeResponse(vol provider.Volume, volAccessPointResponse provide
 
 	labels[NFSServerPath] = volAccessPointResponse.MountPath
 
+	// Update label in case EIT is enabled
+	if vol.TransitEncryption == EncryptionTransitMode {
+		labels[IsEITEnabled] = TrueStr
+	}
+
 	// Create csi volume response
 	//Volume ID is in format volumeID:volumeAccessPointID, to assist the deletion of access point in delete volume
 	volResp := &csi.CreateVolumeResponse{
@@ -595,6 +624,7 @@ func createCSIVolumeResponse(vol provider.Volume, volAccessPointResponse provide
 			AccessibleTopology: []*csi.Topology{topology},
 		},
 	}
+
 	return volResp
 }