Add: vsphere csi encryption set chain (openshift#37476)

bmanzari · Mar 30, 2023 · ae97177 · ae97177
1 parent db2577f
commit ae97177
Show file tree

Hide file tree

Showing 7 changed files with 110 additions and 0 deletions.
diff --git a/...tep-registry/storage/conf/storageclass/add-default-vsphere-encryption-storageclass/OWNERS b/...tep-registry/storage/conf/storageclass/add-default-vsphere-encryption-storageclass/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- storage-approvers
+- duanwei33
+- Phaow
+reviewers:
+- storage-reviewers
+- duanwei33
+- Phaow
diff --git a/...storage-conf-storageclass-add-default-vsphere-encryption-storageclass-chain.metadata.json b/...storage-conf-storageclass-add-default-vsphere-encryption-storageclass-chain.metadata.json
@@ -0,0 +1,15 @@
+{
+	"path": "storage/conf/storageclass/add-default-vsphere-encryption-storageclass/storage-conf-storageclass-add-default-vsphere-encryption-storageclass-chain.yaml",
+	"owners": {
+		"approvers": [
+			"storage-approvers",
+			"duanwei33",
+			"Phaow"
+		],
+		"reviewers": [
+			"storage-reviewers",
+			"duanwei33",
+			"Phaow"
+		]
+	}
+}
diff --git a/...ageclass/storage-conf-storageclass-add-default-vsphere-encryption-storageclass-chain.yaml b/...ageclass/storage-conf-storageclass-add-default-vsphere-encryption-storageclass-chain.yaml
@@ -0,0 +1,11 @@
+chain:
+  as: storage-conf-storageclass-add-default-vsphere-encryption-storageclass
+  steps:
+  - ref: storage-conf-storageclass-add-vsphere-encryption-storageclass
+  - ref: storage-conf-storageclass-set-default-storageclass
+  env:
+  - name: REQUIRED_DEFAULT_STORAGECLASS
+    default: "thin-csi-encryption"
+  documentation: |-
+    The storage-conf-storageclass-add-default-vsphere-encryption-storageclass step adds an encryption csi storageclass to an encryption vSphere cluster and set it to default.
+    The step only available for vsphere OCP clusters install with encryption nodes of 4.13 above versions.
diff --git a/...erator/step-registry/storage/conf/storageclass/add-vsphere-encryption-storageclass/OWNERS b/...erator/step-registry/storage/conf/storageclass/add-vsphere-encryption-storageclass/OWNERS
@@ -0,0 +1,8 @@
+approvers:
+- storage-approvers
+- duanwei33
+- Phaow
+reviewers:
+- storage-reviewers
+- duanwei33
+- Phaow
diff --git a/...on-storageclass/storage-conf-storageclass-add-vsphere-encryption-storageclass-commands.sh b/...on-storageclass/storage-conf-storageclass-add-vsphere-encryption-storageclass-commands.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if test -s "${SHARED_DIR}/proxy-conf.sh" ; then
+    echo "setting the proxy"
+    echo "source ${SHARED_DIR}/proxy-conf.sh"
+    source "${SHARED_DIR}/proxy-conf.sh"
+else
+    echo "no proxy setting."
+fi
+
+DATA_STORE_URL=$(oc -n openshift-cluster-csi-drivers get cm/vsphere-csi-config -o jsonpath='{.data.cloud\.conf}'|grep -Eo 'ds:///.*/$')
+echo "Default datastore is: \"${DATA_STORE_URL}\""
+
+oc apply -f - <<EOF
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: ${REQUIRED_ENCRYPTION_STORAGECLASS_NAME}
+parameters:
+  # Using the vsphere preset encrypt storage policy
+  storagepolicyname: ${REQUIRED_ENCRYPTION_POLICY}
+  datastoreurl: ${DATA_STORE_URL}
+provisioner: csi.vsphere.vmware.com
+reclaimPolicy: Delete
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+EOF
diff --git a/...rageclass/storage-conf-storageclass-add-vsphere-encryption-storageclass-ref.metadata.json b/...rageclass/storage-conf-storageclass-add-vsphere-encryption-storageclass-ref.metadata.json
@@ -0,0 +1,15 @@
+{
+	"path": "storage/conf/storageclass/add-vsphere-encryption-storageclass/storage-conf-storageclass-add-vsphere-encryption-storageclass-ref.yaml",
+	"owners": {
+		"approvers": [
+			"storage-approvers",
+			"duanwei33",
+			"Phaow"
+		],
+		"reviewers": [
+			"storage-reviewers",
+			"duanwei33",
+			"Phaow"
+		]
+	}
+}
diff --git a/...ption-storageclass/storage-conf-storageclass-add-vsphere-encryption-storageclass-ref.yaml b/...ption-storageclass/storage-conf-storageclass-add-vsphere-encryption-storageclass-ref.yaml
@@ -0,0 +1,23 @@
+ref:
+  as: storage-conf-storageclass-add-vsphere-encryption-storageclass
+  from: cli
+  # inject oc binary
+  cli: latest
+  commands: storage-conf-storageclass-add-vsphere-encryption-storageclass-commands.sh
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+  env:
+  - name: REQUIRED_ENCRYPTION_POLICY
+    # Using the vsphere preset encrypt storage policy by default
+    default: "Management Storage policy - Encryption"
+    documentation: |-
+      Name of the vsphere encrypt storage policy set in storageclass parameter.
+  - name: REQUIRED_ENCRYPTION_STORAGECLASS_NAME
+    default: "thin-csi-encryption"
+    documentation: |-
+      Name of the storage class to created with encryption settings.
+  documentation: |-
+    The storage-conf-storageclass-add-vsphere-encryption-storageclass step adds an encryption csi storageclass to an encryption vSphere cluster.
+    The step only available for vsphere OCP clusters install with encryption nodes of 4.13 above versions.