block: add volume_encryption flag for dm-crypt support

vermavis · vermavis · commit 4b800a3fe32c · 2025-04-16T22:08:59.000-07:00
Adds a `volume_encryption` flag to the storage class configuration.
When enabled, this flag ensures that the NVMe device discovered via NVMe-TCP
is encrypted using the `dm-crypt` module on the client side.

Users must also provide a volume-specific Kubernetes Secret containing the
encryption passphrase. This secret must be referenced in the StorageClass
using the following parameters:

csi.storage.k8s.io/volume-secret-name: &lt;secret-name&gt;
csi.storage.k8s.io/volume-secret-namespace: &lt;namespace&gt;

Example:
kubectl create secret generic volume-secret --from-literal=passphrase='your-passphrase'
diff --git a/charts/vastblock/templates/storage-class.yaml b/charts/vastblock/templates/storage-class.yaml
@@ -26,6 +26,7 @@
 
 {{- $tenant_name := pluck "tenantName" $options $.Values.storageClassDefaults | first | quote -}}
 {{- $volume_group := pluck "volumeGroup" $options $.Values.storageClassDefaults | first | quote -}}
+{{- $volume_encryption := pluck "volumeEncryption" $options $.Values.storageClassDefaults | first | quote -}}
 {{- $mount_options :=  pluck "mountOptions" $options $.Values.storageClassDefaults | first -}}
 {{- $reclaim_policy :=  pluck "reclaimPolicy" $options $.Values.storageClassDefaults | first | quote -}}
 {{-
@@ -53,7 +54,7 @@ metadata:
 reclaimPolicy: {{ $reclaim_policy }}
 parameters:
   subsystem: {{ $subsystem }}
-{{- range $key, $value := dict "vip_pool_name" $vip_pool_name "vip_pool_fqdn" $vip_pool_fqdn "volume_group" $volume_group "transport_type" $transport_type "fsType" $fstype "tenant_name" $tenant_name }}
+{{- range $key, $value := dict "vip_pool_name" $vip_pool_name "vip_pool_fqdn" $vip_pool_fqdn "volume_group" $volume_group "volume_encryption" $volume_encryption "transport_type" $transport_type "fsType" $fstype "tenant_name" $tenant_name }}
   {{- if and $value (ne $value ( quote "" )) }}
   {{ $key }}: {{ if (kindIs "int" $value) }}{{ $value | quote }}{{ else }}{{ $value }}{{ end }}
   {{- end }}
diff --git a/charts/vastblock/values.yaml b/charts/vastblock/values.yaml
@@ -58,6 +58,21 @@ storageClassDefaults:
   # can represent nested folder structures. For example:
   #   - "folder1/folder2/block-{namespace}-{id}
   volumeGroup: ""
+  # Enables encryption using LUKS on the device on the client side.
+  # If set to true, the CSI driver will expect a volume-specific secret to be provided
+  # with the encryption passphrase.
+  # This secret must be referenced in the StorageClass with the keys:
+  #   csi.storage.k8s.io/volume-secret-name: <secret-name>
+  #   csi.storage.k8s.io/volume-secret-namespace: <namespace>
+
+  # Example Kubernetes Secret for volume encryption:
+  #     kubectl create secret generic volume-secret-namespace \
+  #     --from-literal=passphrase='my-secret-pass'
+
+  # Ensure the StorageClass has the following parameters set when volume_encryption is true:
+  #   csi.storage.k8s.io/volume-secret-name: volume-secret
+  #   csi.storage.k8s.io/volume-secret-namespace: default
+  volume_encryption: true
   # Name of VAST VIP pool to use. Must specify either vipPool or vipPoolFQDN.
   vipPool: ""
   # The FQDN of the VIP pool to use. Must specify either vipPool or vipPoolFQDN.
diff --git a/examples/block/sc-vol-encryption.yaml b/examples/block/sc-vol-encryption.yaml
@@ -0,0 +1,18 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: vastdata-block
+parameters:
+  csi.storage.k8s.io/controller-expand-secret-name: vast-mgmt
+  csi.storage.k8s.io/controller-expand-secret-namespace: default
+  csi.storage.k8s.io/controller-publish-secret-name: vast-mgmt
+  csi.storage.k8s.io/controller-publish-secret-namespace: default
+  csi.storage.k8s.io/provisioner-secret-name: vast-mgmt
+  csi.storage.k8s.io/provisioner-secret-namespace: default
+  subsystem: myblock
+  vip_pool_name: vip1
+  transport_type: TCP
+  volume_encryption: "true"
+  csi.storage.k8s.io/volume-secret-name: volume-secret
+  csi.storage.k8s.io/volume-secret-namespace: default
+provisioner: block.csi.vastdata.com
diff --git a/vast_csi/block_utils.py b/vast_csi/block_utils.py
@@ -30,6 +30,43 @@ def is_native_multipath_enabled():
     except Exception:
         return False
 
+def is_luks_device(device_path: str) -> bool:
+    """
+    Check if the given device is a LUKS-encrypted volume.
+
+    Args:
+        device_path (str): The path to the block device.
+
+    Returns:
+        bool: True if the device is LUKS, False otherwise.
+    """
+    try:
+        run(["cryptsetup", "isLuks", device_path])
+        return True
+    except ProcessExecutionError:
+        return False
+
+def is_crypto_luks(device_path):
+    """
+    Determines whether the given device is a LUKS-encrypted block device.
+
+    Args:
+        device_path (str): The path to the block device (e.g., /dev/nvme0n1).
+
+    Returns:
+        bool: True if the device is using LUKS encryption (FSTYPE is crypto_LUKS), False otherwise.
+    """
+    try:
+        result = subprocess.run(
+            ['lsblk', '-no', 'FSTYPE', device_path],
+            check=True,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.DEVNULL,
+            text=True
+        )
+        return result.stdout.strip() == 'crypto_LUKS'
+    except subprocess.CalledProcessError:
+        return False
 
 def list_nvme_sessions():
     """
diff --git a/vast_csi/builders/block.py b/vast_csi/builders/block.py
@@ -37,6 +37,7 @@ class BlockProvisionBase(BaseVolumeBuilder):
     capacity_range: Optional[int] = None
     pvc_name: Optional[str] = None
     pvc_namespace: Optional[str] = None
+    volume_encryption: Optional[str] = None
     volume_content_source: Optional[types.VolumeContentSource] = None  # Either volume or snapshot
 
     @classmethod
@@ -56,6 +57,7 @@ def from_parameters(
         vip_pool_fqdn = parameters.get("vip_pool_fqdn")
         vip_pool_name = parameters.get("vip_pool_name")
         volume_group = parameters.get("volume_group", "")
+        volume_encryption = parameters.get("volume_encryption", "False")
         transport_type = parameters.get("transport_type", "TCP").upper()
         metadata = cls._parse_metadata_from_params(parameters)
         cls._validate_mount_src(vip_pool_name, vip_pool_fqdn, conf.use_local_ip_for_mount)
@@ -71,6 +73,7 @@ def from_parameters(
             tenant_name=tenant_name,
             transport_type=transport_type,
             volume_group=volume_group,
+            volume_encryption=volume_encryption,
             vip_pool_name=vip_pool_name,
             vip_pool_fqdn=vip_pool_fqdn,
             cluster_name=cluster_name,
@@ -113,6 +116,8 @@ def volume_context(self) -> dict:
             context["vip_pool_name"] = self.vip_pool_name
         elif self.vip_pool_fqdn:
             context["vip_pool_fqdn"] = self.vip_pool_fqdn_with_prefix
+        if self.volume_encryption:
+            context["volume_encryption"] = self.volume_encryption
         return context
 
 
@@ -277,6 +282,7 @@ class StaticBlockVolumeBuilder(BaseVolumeBuilder):
     cluster_name: Optional[str] = None
     vip_pool_name: Optional[str] = None
     vip_pool_fqdn: Optional[str] = None
+    volume_encryption: Optional[str] None
     transport_type: Optional[str] = "TCP"
 
     @classmethod
@@ -294,6 +300,7 @@ def from_parameters(
         vip_pool_fqdn = parameters.get("vip_pool_fqdn")
         vip_pool_name = parameters.get("vip_pool_name")
         transport_type = parameters.get("transport_type", "TCP").upper()
+        volume_encryption = parameters.get("volume_encryption")
         cls._validate_mount_src(vip_pool_name, vip_pool_fqdn, conf.use_local_ip_for_mount)
         cluster_name = parameters.get("cluster_name")
         return cls(
@@ -307,6 +314,7 @@ def from_parameters(
             vip_pool_fqdn=vip_pool_fqdn,
             transport_type=transport_type,
             cluster_name=cluster_name,
+            volume_encryption=volume_encryption,
         )
 
     @property
@@ -321,6 +329,8 @@ def volume_context(self) -> dict:
             context["vip_pool_name"] = self.vip_pool_name
         elif self.vip_pool_fqdn:
             context["vip_pool_fqdn"] = self.vip_pool_fqdn_with_prefix
+        if self.volume_encryption:
+            context["volume_encryption"] = self.volume_encryption
         return context
 
     def build_volume(self) -> types.Volume:
diff --git a/vast_csi/builders/test.py b/vast_csi/builders/test.py
@@ -27,6 +27,7 @@ class TestVolumeBuilder(BaseVolumeBuilder):
     cluster_name: Optional[str] = None
     vip_pool_name: Optional[str] = None
     vip_pool_fqdn: Optional[str] = None
+    volume_encryption: Optional[str] = None
     qos_policy: Optional[str] = None
     capacity_range: Optional[int] = None  # Optional desired volume capacity
     pvc_name: Optional[str] = None
diff --git a/vast_csi/plugins/base.py b/vast_csi/plugins/base.py
@@ -68,6 +68,7 @@ def wrapper(self, request, context):
             params = {fld.name: value for fld, value in request.ListFields()}
             # secrets are not logged and not the part of function signature.
             secrets = params.pop("secrets", {})
+            volume_secret = params.pop("volume_secret", {})
             missing_params = required_params - {"request", "context", "vms_session", "exit_stack"} - set(params)
 
             # Get cluster_name from volume_id, snapshot_id or source_volume_id in case of id identifier with metadata
@@ -93,6 +94,9 @@ def wrapper(self, request, context):
                 for line in stringify_dict(params):
                     log(f"({method})    {line}")
 
+            if volume_secret:
+                log(f"({method})    volume_secret: <redacted>")
+
             if "vms_session" in required_params:
                 # If secret exist and method signature requires `vms_session`
                 # then `vms_session` with secret will be injected into function parameters
@@ -104,6 +108,12 @@ def wrapper(self, request, context):
                 except LookupFieldError:
                     params["vms_session"] = None
 
+            if "volume_secret" in required_params:
+                params["volume_secret"] = volume_secret
+            elif "volume_secret" in non_required_params:
+                if volume_secret:
+                    params["volume_secret"] = volume_secret
+
             exit_stack = ExitStack()
             if "exit_stack" in required_params:
                 params["exit_stack"] = exit_stack
diff --git a/vast_csi/plugins/block.py b/vast_csi/plugins/block.py
@@ -53,6 +53,8 @@
     try_nvme_probes,
     change_io_policy,
     is_native_multipath_enabled,
+    is_luks_device,
+    is_luks_crypto,
 )
 from vast_csi.utils import (
     stringify_dict,
@@ -313,6 +315,7 @@ def ControllerPublishVolume(
         )
         vip_pool_name = volume_context.get("vip_pool_name")
         vip_pool_fqdn = volume_context.get("vip_pool_fqdn")
+        volume_encryption = volume_context.get("volume_encryption")
         if vip_pool_fqdn:
             discovery_server = vip_pool_fqdn
         elif vip_pool_name:
@@ -329,6 +332,7 @@ def ControllerPublishVolume(
                 host_nqn=blockhost.nqn,
                 nguid=nguid,
                 discovery_server=discovery_server,
+                volume_encryption=volume_encryption
             )
         return types.CtrlPublishResp(publish_context=publish_context)
 
@@ -426,6 +430,7 @@ def NodeStageVolume(
             vms_session=None,
             publish_context=None,
             volume_context=None,
+            volume_secret=None,
     ):
         exit_stack.enter_context(volume_locked(volume_id))
         volume_context = volume_context or dict()
@@ -450,6 +455,7 @@ def NodeStageVolume(
         host_nqn = publish_context["host_nqn"]
         nguid = publish_context["nguid"]
         discovery_server = publish_context["discovery_server"]  # Either vip pool ip or fqdn
+        volume_encryption = publish_context["volume_encryption"]
         need_resize = volume_context.get("need_resize", False)
 
         if nvme_session := get_connected_session(host_nqn=host_nqn, sybsystem_nqn=subsystem_nqn):
@@ -479,6 +485,37 @@ def NodeStageVolume(
         device_path = device.DevicePath
         change_io_policy(device_name=device.Name, io_policy="round-robin")
 
+        if volume_encryption:
+            luks_device_name = f"crypt-{volume_id}"
+            luks_device_path = f"/dev/mapper/{luks_device_name}"
+
+            if volume_secret:
+                passphrase = volume_secret.get("passphrase")
+                if not passphrase:
+                    raise Abort(INVALID_ARGUMENT, "Missing passphrase for encrypted volume")
+            else:
+                raise Abort(INVALID_ARGUMENT, "Volume encryption detected, but 'volume_secret' not provided. Please provide a passphrase for the encrypted volume.")
+
+            if not os.path.exists(luks_device_path):
+                is_luks = is_luks_device() and is_luks_crypto()
+
+                if not is_luks:
+                    logger.info(f"Formatting device {device_path} with LUKS")
+                    try:
+                        hostcmd.run(["cryptsetup", "luksFormat", "--batch-mode", device_path], input=passphrase.encode())
+                    except ProcessExecutionError as e:
+                        raise Abort(INTERNAL, f"LUKS format failed for {device_path}: {e.stderr.strip()}")
+
+                logger.info(f"Opening encrypted device {device_path} as {luks_device_name}")
+                try:
+                    hostcmd.run(["cryptsetup", "open", device_path, luks_device_name], input=passphrase.encode())
+                except ProcessExecutionError as e:
+                    raise Abort(INTERNAL, f"Failed to open LUKS device {device_path}: {e.stderr.strip()}")
+            else:
+                logger.info(f"LUKS device already opened at {luks_device_path}")
+
+            device_path = luks_device_path
+
         if volume_capabilities.is_filesystem:
             fs_type = volume_capabilities.fs_type
             formatted = format_device(requested_fs=fs_type, device=device_path)
