Chart `ceph-csi-cephfs` doesn't support encryption

[acolombier]

Describe the bug

The helm chart ceph-csi-cephfs doesn't support encryption out of the box.

• It doesn't contain the volume mount for the encryption configuration as per the RBD one
• It is lacking configmap/read permission and POD_NAMESPACE envvar to read config directly (not sure this is still the way to go)

Environment details

• Image/version of Ceph CSI driver : quay.io/cephcsi/cephcsi:v3.10.2
• Helm chart version : 3.10.2
• Kernel version : N/D
• Mounter used for mounting PVC (for cephFS its fuse or kernel. for rbd its
  krbd or rbd-nbd) : rbd-nbd
• Kubernetes cluster version : 1.26
• Ceph cluster version : 17.2.7 quincy (stable)

Steps to reproduce

Steps to reproduce the behavior:

1. Install the chart
2. Create a custom storageClass with encryption, for example

   apiVersion: storage.k8s.io/v1
   kind: StorageClass
   metadata:
     name: cephfs-encrypted
   provisioner: cephfs.csi.ceph.com
   parameters:
     clusterID: {{ .Values.ceph.storageClass.clusterID }}
     csi.storage.k8s.io/controller-expand-secret-name: csi-cephfs-secret
     csi.storage.k8s.io/controller-expand-secret-namespace: {{ .Release.Namespace }}
     csi.storage.k8s.io/node-stage-secret-name: csi-cephfs-secret
     csi.storage.k8s.io/node-stage-secret-namespace: {{ .Release.Namespace }}
     csi.storage.k8s.io/provisioner-secret-name: csi-cephfs-secret
     csi.storage.k8s.io/provisioner-secret-namespace: {{ .Release.Namespace }}
     csi.storage.k8s.io/fstype: ext4
     fsName: encrypted
     encrypted: "true"
     encryptionKMSID: "kubernetes"
   reclaimPolicy: Delete
   volumeBindingMode: Immediate
   allowVolumeExpansion: true
   mountOptions:
     - debug
   ---
   apiVersion: v1
   kind: ConfigMap
   data:
     kubernetes: |-
       {
         "encryptionKMSType": "metadata",
         "secretName": "cephfs-encryption-passphrase",
         "secretNamespace": "{{ .Release.Namespace}}"
       }
   metadata:
     name: csi-kms-connection-details
   ---
   apiVersion: v1
   stringData:
     encryptionPassphrase: mypassphrase
   kind: Secret
   metadata:
     name: cephfs-encryption-passphrase
   type: Opaque

3. Create a PVC with that storageClass

Actual results

The PVC cannot be created due to missing envvar POD_NAMESPACE. Once added, it creates it, but the nodeplugin cannot mount it due envvar and configmap access denied.

Expected behavior

The PVC gets created and can be mounted by nodeplugin.

Logs

Omitted

Additional context

N/A

[acolombier]

I'd be happy to help fixing this by using the RBD chart as reference for missing config. Let me know if you would like that!

[dragoangel]

@acolombier looks reasonable to fix this, as cephfs supports encryption, it's just missing in helm

[NymanRobin]

Hey @acolombier,
I wanted to check in on the progress of this issue. I'm experiencing the same problem, and am eager to find a resolution soon. If you've been busy and haven't had the chance to address it, I'd be more than willing to give it a try

[acolombier]

I have started working on the chart changes, but I would need some time to test it. Unfortunately, I still need to sort out kernel version as I would need a 6.6+ to test my usecase (fscrypt + cephfs for mount) which is likely going to take me a few more days. If you get the chance to get something together faster, please do! 😃

[NymanRobin]

We are in the same boat then 😃
But I should be able to get my hands on the required kernel and test it out, but meanwhile I already opened the PR to keep things moving forward. If any feedback or concerns regarding the PR let me know, and sorry for barging in on the issue like this.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.

[acolombier]

PR currently waiting for review