block: address CR feedback

Author: vermavis

charts/vastblock/templates/node.yaml

@@ -39,6 +39,7 @@ spec:
           {{- toYaml .Values.node.podAntiAffinity | nindent 10 }}
         nodeAffinity:
           {{- toYaml .Values.node.nodeAffinity | nindent 10 }}
+      hostIPC: true
       containers:
         - name: csi-node-driver-registrar
           image: {{ printf "%s:%s" $csi_images.csiNodeDriverRegistrar.repository (toString $csi_images.csiNodeDriverRegistrar.tag) }}

charts/vastblock/templates/shared/_helpers.tpl

@@ -64,3 +64,19 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/name: {{ include "vastcsi.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+
+{{- define "vastcsi.dictToYaml" -}}
+{{- $input := index . 0 -}}        {{/* The map to render */}}
+{{- $prefix := index . 1 | default "" -}}  {{/* Optional prefix for keys */}}
+{{- if not (kindIs "map" $input) }}
+  {{- $errorMsg := printf "Invalid format. Expected a dictionary but got:\n%s" (toYaml $input) }}
+  {{- fail $errorMsg }}
+{{- else }}
+  {{- range $k, $v := $input }}
+    {{- if and $v (ne $v "") }}
+{{ printf "%s%s: %s" $prefix $k ($v | quote) }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}

charts/vastblock/templates/storage-class.yaml

@@ -26,7 +26,6 @@
 
 {{- $tenant_name := pluck "tenantName" $options $.Values.storageClassDefaults | first | quote -}}
 {{- $volume_group := pluck "volumeGroup" $options $.Values.storageClassDefaults | first | quote -}}
-{{- $volume_encryption := pluck "volumeEncryption" $options $.Values.storageClassDefaults | first | quote -}}
 {{- $mount_options :=  pluck "mountOptions" $options $.Values.storageClassDefaults | first -}}
 {{- $reclaim_policy :=  pluck "reclaimPolicy" $options $.Values.storageClassDefaults | first | quote -}}
 {{-
@@ -39,7 +38,7 @@
 {{- $storage_class_secret_namespace := pluck "secretNamespace" $options $.Values.storageClassDefaults | first | default $.Release.Namespace | quote -}}
 {{- $fstype := pluck "fsType" $options $.Values.storageClassDefaults | first -}}
 {{- $transport_type := pluck "transportType" $options $.Values.storageClassDefaults | first -}}
-
+{{- $host_encryption := pluck "hostEncryption" $options $.Values.storageClassDefaults | first | default dict -}}
 
 kind: StorageClass
 apiVersion: storage.k8s.io/v1
@@ -54,11 +53,14 @@ metadata:
 reclaimPolicy: {{ $reclaim_policy }}
 parameters:
   subsystem: {{ $subsystem }}
-{{- range $key, $value := dict "vip_pool_name" $vip_pool_name "vip_pool_fqdn" $vip_pool_fqdn "volume_group" $volume_group "volume_encryption" $volume_encryption "transport_type" $transport_type "fsType" $fstype "tenant_name" $tenant_name }}
+{{- range $key, $value := dict "vip_pool_name" $vip_pool_name "vip_pool_fqdn" $vip_pool_fqdn "volume_group" $volume_group "transport_type" $transport_type "fsType" $fstype "tenant_name" $tenant_name }}
   {{- if and $value (ne $value ( quote "" )) }}
   {{ $key }}: {{ if (kindIs "int" $value) }}{{ $value | quote }}{{ else }}{{ $value }}{{ end }}
   {{- end }}
 {{- end }}
+{{- if $host_encryption }}
+{{- include "vastcsi.dictToYaml" (list $host_encryption "host_encryption.") | indent 2 }}
+{{- end }}
 {{-  if ne $storage_class_secret ( quote "" ) }}
   csi.storage.k8s.io/provisioner-secret-name: {{ $storage_class_secret }}
   csi.storage.k8s.io/provisioner-secret-namespace: {{ $storage_class_secret_namespace }}

charts/vastblock/values.yaml

@@ -59,20 +59,19 @@ storageClassDefaults:
   #   - "folder1/folder2/block-{namespace}-{id}
   volumeGroup: ""
   # Enables encryption using LUKS on the device on the client side.
-  # If set to true, the CSI driver will expect a volume-specific secret to be provided
-  # with the encryption passphrase.
-  # This secret must be referenced in the StorageClass with the keys:
-  #   csi.storage.k8s.io/volume-secret-name: <secret-name>
-  #   csi.storage.k8s.io/volume-secret-namespace: <namespace>
+  # If set to true, the CSI driver will expect a passphrase to be provided
+  # with the vast-mgmt secret.
 
-  # Example Kubernetes Secret for volume encryption:
-  #     kubectl create secret generic volume-secret-namespace \
-  #     --from-literal=passphrase='my-secret-pass'
+  # Example Kubernetes Secret for host encryption:
+  # kubectl create secret generic vast-mgmt --from-literal=username='' --from-literal=password='' --from-literal=endpoint='' --from-literal=passphrase=''
 
-  # Ensure the StorageClass has the following parameters set when volume_encryption is true:
-  #   csi.storage.k8s.io/volume-secret-name: volume-secret
-  #   csi.storage.k8s.io/volume-secret-namespace: default
-  volume_encryption: true
+  # Ensure the StorageClass has the following parameters set when host Eencryption is true:
+  # Optional host encryption parameters (will default if not specified):
+  #   cipher: "aes-xts-plain64"           # Encryption cipher
+  #   key_size: "512"                     # Key size in bits (e.g., 256 or 512)
+  #   hash: "sha256"                      # Hashing algorithm
+  #   pbkdf_memory: "65536"               # Memory cost for PBKDF in KB
+  hostEncryption: {}
   # Name of VAST VIP pool to use. Must specify either vipPool or vipPoolFQDN.
   vipPool: ""
   # The FQDN of the VIP pool to use. Must specify either vipPool or vipPoolFQDN.

examples/block/sc-vol-encryption.yaml renamed to examples/block/sc-with-host-encryption.yaml

@@ -10,9 +10,12 @@ parameters:
   csi.storage.k8s.io/provisioner-secret-name: vast-mgmt
   csi.storage.k8s.io/provisioner-secret-namespace: default
   subsystem: myblock
-  vip_pool_name: vip1
+  vip_pool_name: vippool-1
   transport_type: TCP
-  volume_encryption: "true"
-  csi.storage.k8s.io/volume-secret-name: volume-secret
-  csi.storage.k8s.io/volume-secret-namespace: default
+  hostEncryption:
+    luks_type: luks2
+    cipher: aes-xts-plain64
+    key_size: "512"
+    hash_algo: sha256
+    pbkdf_mem: "65536"
 provisioner: block.csi.vastdata.com

vast_csi/block_utils.py

@@ -30,44 +30,6 @@ def is_native_multipath_enabled():
     except Exception:
         return False
 
-def is_luks_device(device_path: str) -> bool:
-    """
-    Check if the given device is a LUKS-encrypted volume.
-
-    Args:
-        device_path (str): The path to the block device.
-
-    Returns:
-        bool: True if the device is LUKS, False otherwise.
-    """
-    try:
-        run(["cryptsetup", "isLuks", device_path])
-        return True
-    except ProcessExecutionError:
-        return False
-
-def is_crypto_luks(device_path):
-    """
-    Determines whether the given device is a LUKS-encrypted block device.
-
-    Args:
-        device_path (str): The path to the block device (e.g., /dev/nvme0n1).
-
-    Returns:
-        bool: True if the device is using LUKS encryption (FSTYPE is crypto_LUKS), False otherwise.
-    """
-    try:
-        result = subprocess.run(
-            ['lsblk', '-no', 'FSTYPE', device_path],
-            check=True,
-            stdout=subprocess.PIPE,
-            stderr=subprocess.DEVNULL,
-            text=True
-        )
-        return result.stdout.strip() == 'crypto_LUKS'
-    except subprocess.CalledProcessError:
-        return False
-
 def list_nvme_sessions():
     """
     Example output:

vast_csi/builders/block.py

@@ -37,7 +37,7 @@ class BlockProvisionBase(BaseVolumeBuilder):
     capacity_range: Optional[int] = None
     pvc_name: Optional[str] = None
     pvc_namespace: Optional[str] = None
-    volume_encryption: Optional[str] = None
+    host_encryption: Optional[dict] = None
     volume_content_source: Optional[types.VolumeContentSource] = None  # Either volume or snapshot
 
     @classmethod
@@ -57,7 +57,7 @@ def from_parameters(
         vip_pool_fqdn = parameters.get("vip_pool_fqdn")
         vip_pool_name = parameters.get("vip_pool_name")
         volume_group = parameters.get("volume_group", "")
-        volume_encryption = parameters.get("volume_encryption", "False")
+        host_encryption = cls._extract_host_encryption(parameters)
         transport_type = parameters.get("transport_type", "TCP").upper()
         metadata = cls._parse_metadata_from_params(parameters)
         cls._validate_mount_src(vip_pool_name, vip_pool_fqdn, conf.use_local_ip_for_mount)
@@ -73,9 +73,9 @@ def from_parameters(
             tenant_name=tenant_name,
             transport_type=transport_type,
             volume_group=volume_group,
-            volume_encryption=volume_encryption,
             vip_pool_name=vip_pool_name,
             vip_pool_fqdn=vip_pool_fqdn,
+            host_encryption=host_encryption,
             cluster_name=cluster_name,
             volume_content_source=volume_content_source,
             **metadata,
@@ -104,6 +104,16 @@ def build_volume_name(self) -> str:
         # make sure the volume group is a valid absolute path
         return os.path.join("/", volume_group, self.name).lstrip("/")
 
+    @staticmethod
+    def _extract_host_encryption(parameters):
+        prefix = "host_encryption."
+        host_encryption = {
+            key[len(prefix):]: str(value)
+            for key, value in parameters.items()
+            if key.startswith(prefix)
+        }
+        return host_encryption
+
     @property
     def volume_context(self) -> dict:
         context = {
@@ -116,8 +126,9 @@ def volume_context(self) -> dict:
             context["vip_pool_name"] = self.vip_pool_name
         elif self.vip_pool_fqdn:
             context["vip_pool_fqdn"] = self.vip_pool_fqdn_with_prefix
-        if self.volume_encryption:
-            context["volume_encryption"] = self.volume_encryption
+        if self.host_encryption:
+            for key, value in self.host_encryption.items():
+                context[f"host_encryption.{key}"] = value
         return context
 
 
@@ -282,7 +293,6 @@ class StaticBlockVolumeBuilder(BaseVolumeBuilder):
     cluster_name: Optional[str] = None
     vip_pool_name: Optional[str] = None
     vip_pool_fqdn: Optional[str] = None
-    volume_encryption: Optional[str] None
     transport_type: Optional[str] = "TCP"
 
     @classmethod
@@ -300,7 +310,6 @@ def from_parameters(
         vip_pool_fqdn = parameters.get("vip_pool_fqdn")
         vip_pool_name = parameters.get("vip_pool_name")
         transport_type = parameters.get("transport_type", "TCP").upper()
-        volume_encryption = parameters.get("volume_encryption")
         cls._validate_mount_src(vip_pool_name, vip_pool_fqdn, conf.use_local_ip_for_mount)
         cluster_name = parameters.get("cluster_name")
         return cls(
@@ -314,7 +323,6 @@ def from_parameters(
             vip_pool_fqdn=vip_pool_fqdn,
             transport_type=transport_type,
             cluster_name=cluster_name,
-            volume_encryption=volume_encryption,
         )
 
     @property
@@ -329,8 +337,6 @@ def volume_context(self) -> dict:
             context["vip_pool_name"] = self.vip_pool_name
         elif self.vip_pool_fqdn:
             context["vip_pool_fqdn"] = self.vip_pool_fqdn_with_prefix
-        if self.volume_encryption:
-            context["volume_encryption"] = self.volume_encryption
         return context
 
     def build_volume(self) -> types.Volume:

vast_csi/builders/test.py

@@ -27,7 +27,7 @@ class TestVolumeBuilder(BaseVolumeBuilder):
     cluster_name: Optional[str] = None
     vip_pool_name: Optional[str] = None
     vip_pool_fqdn: Optional[str] = None
-    volume_encryption: Optional[str] = None
+    host_encryption: Optional[dict] = None
     qos_policy: Optional[str] = None
     capacity_range: Optional[int] = None  # Optional desired volume capacity
     pvc_name: Optional[str] = None

vast_csi/filesystem_utils.py

@@ -338,9 +338,12 @@ def need_resize(device: str, target_mount, fs_type: str):
     return device_size > fs_size + block_size
 
 
-def resize_device(device: str, target_mount: str, fs_type: str):
+def resize_device(device: str, target_mount: str, fs_type: str, passphrase=None):
     """Perform resize of the filesystem."""
     if need_resize(device, target_mount, fs_type):
+        if passphrase:
+            luks_manager = LuksManager(logger, device_path=device)
+            luks_manager.luks_resize_device(passphrase)
         if fs_type in ("ext3", "ext4"):
             ext_resize(device)
         elif fs_type == "xfs":