From 5c386d0ddbb3bd990dbdd4d2d7d1a2af3bed77cb Mon Sep 17 00:00:00 2001
From: Malay Kumar Parida
Date: Thu, 3 Oct 2024 18:37:29 +0530
Subject: [PATCH] Include EiT state as part of the desired state hash sent to clients

When in-transit encryption is enabled/disabled the kernel mount option for cephFS needs to be updated between prefer-crc/secure. So the desired state hash needs to include the EiT state, so that if the EiT state is changed the desired state hash will change and the client will reconcile to get the updated mount option.

Signed-off-by: Malay Kumar Parida
---
 services/provider/server/server.go | 63 +++++++++++++++++++++++++-----
 1 file changed, 53 insertions(+), 10 deletions(-)

diff --git a/services/provider/server/server.go b/services/provider/server/server.go
index 48f433b956..7ad1a6f295 100644
--- a/services/provider/server/server.go
+++ b/services/provider/server/server.go
@@ -185,7 +185,18 @@ func (s *OCSProviderServer) GetStorageConfig(ctx context.Context, req *pb.Storag
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "Failed to construct status response: %v", err)
 	}
-	desiredClientConfigHash := getDesiredClientConfigHash(channelName, consumerObj)
+
+	storageCluster, err := s.getStorageCluster(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	inTransitEncryptionEnabled := false
+	if storageCluster.Spec.Network != nil && storageCluster.Spec.Network.Connections != nil &&
+		storageCluster.Spec.Network.Connections.Encryption != nil && storageCluster.Spec.Network.Connections.Encryption.Enabled {
+		inTransitEncryptionEnabled = true
+	}
+	desiredClientConfigHash := getDesiredClientConfigHash(channelName, inTransitEncryptionEnabled, consumerObj)
 	klog.Infof("successfully returned the config details to the consumer.")
 	return &pb.StorageConfigResponse{
@@ -774,15 +785,13 @@ func (s *OCSProviderServer) GetStorageClaimConfig(ctx context.Context, req *pb.S
 		"csi.storage.k8s.io/controller-expand-secret-name": provisionerSecretName,
 	}
 
-	storageClusters := &ocsv1.StorageClusterList{}
-	if err := s.client.List(ctx, storageClusters, client.InNamespace(s.namespace), client.Limit(2)); err != nil {
-		return nil, status.Errorf(codes.Internal, "failed to get storage cluster: %v", err)
-	}
-	if len(storageClusters.Items) != 1 {
-		return nil, status.Errorf(codes.Internal, "expecting one single storagecluster to exist")
+	storageCluster, err := s.getStorageCluster(ctx)
+	if err != nil {
+		return nil, err
 	}
+
 	var kernelMountOptions map[string]string
-	for _, option := range strings.Split(util.GetCephFSKernelMountOptions(&storageClusters.Items[0]), ",") {
+	for _, option := range strings.Split(util.GetCephFSKernelMountOptions(storageCluster), ",") {
 		if kernelMountOptions == nil {
 			kernelMountOptions = map[string]string{}
 		}
@@ -870,7 +879,18 @@ func (s *OCSProviderServer) ReportStatus(ctx context.Context, req *pb.ReportStat
 		return nil, status.Errorf(codes.Internal, "Failed to construct status response: %v", err)
 	}
 
-	desiredClientConfigHash := getDesiredClientConfigHash(channelName, storageConsumer)
+	storageCluster, err := s.getStorageCluster(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	inTransitEncryptionEnabled := false
+	if storageCluster.Spec.Network != nil && storageCluster.Spec.Network.Connections != nil &&
+		storageCluster.Spec.Network.Connections.Encryption != nil && storageCluster.Spec.Network.Connections.Encryption.Enabled {
+		inTransitEncryptionEnabled = true
+	}
+
+	desiredClientConfigHash := getDesiredClientConfigHash(channelName, inTransitEncryptionEnabled, storageConsumer)
 
 	return &pb.ReportStatusResponse{
 		DesiredClientOperatorChannel: channelName,
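Review bot: Swapping the inline List for `s.getStorageCluster` changes what the consumer sees on this path in two ways the commit message does not mention: a missing cluster is now surfaced as `codes.NotFound` instead of `codes.Internal`, and a StorageCluster with `Spec.ExternalStorage.Enable` set, which previously satisfied the exact-one check and supplied the kernel mount options, is now filtered out by the helper and yields that NotFound. If both are intended, a one-line comment at the call site would save the next reader a trip into the helper: `// getStorageCluster skips external clusters; a namespace without an internal one is surfaced to the consumer as NotFound`. GetStorageClaimConfig's body continues on both sides of this hunk.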
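Review bot: The four-step nil walk that derives `inTransitEncryptionEnabled` is written out identically here in ReportStatus and in the GetStorageConfig hunk, so a later change to one copy (a new level under `Spec.Network.Connections`, say) would leave the two RPCs hashing different desired states for the same cluster, which is exactly the drift the hash is meant to detect. Move it into one helper next to getStorageCluster, e.g. `func isInTransitEncryptionEnabled(sc *ocsv1.StorageCluster) bool`, and have both call sites pass its result to getDesiredClientConfigHash. Inside that helper the `false` default plus an `if` that only ever sets `true` collapses to the condition itself: `return sc.Spec.Network != nil && sc.Spec.Network.Connections != nil && sc.Spec.Network.Connections.Encryption != nil && sc.Spec.Network.Connections.Encryption.Enabled`. ReportStatus starts and ends outside this hunk.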
@@ -878,9 +898,10 @@ func (s *OCSProviderServer) ReportStatus(ctx context.Context, req *pb.ReportStat
 	}, nil
 }
 
-func getDesiredClientConfigHash(channelName string, storageConsumer *ocsv1alpha1.StorageConsumer) string {
+func getDesiredClientConfigHash(channelName string, inTransitEncryptionEnabled bool, storageConsumer *ocsv1alpha1.StorageConsumer) string {
 	var arr = []any{
 		channelName,
+		inTransitEncryptionEnabled,
 		storageConsumer.Spec.StorageQuotaInGiB,
 	}
 	return util.CalculateMD5Hash(arr)
@@ -901,6 +922,28 @@ func (s *OCSProviderServer) getOCSSubscriptionChannel(ctx context.Context) (stri
 	return subscription.Spec.Channel, nil
 }
 
+func (s *OCSProviderServer) getStorageCluster(ctx context.Context) (*ocsv1.StorageCluster, error) {
+	storageClusterList := &ocsv1.StorageClusterList{}
+	if err := s.client.List(ctx, storageClusterList, client.InNamespace(s.namespace)); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list storage clusters: %v", err)
+	}
+	// Filter out external storage clusters if any
+	var storageClusters []ocsv1.StorageCluster
+	for _, cluster := range storageClusterList.Items {
+		if cluster.Spec.ExternalStorage.Enable != true {
+			storageClusters = append(storageClusters, cluster)
+		}
+	}
+
+	if len(storageClusters) > 1 {
+		return nil, status.Errorf(codes.Internal, "found more than one storage cluster")
+	}
+	if len(storageClusters) == 0 {
+		return nil, status.Errorf(codes.NotFound, "no storage cluster found")
+	}
+	return &storageClusters[0], nil
+}
+
 func extractMonitorIps(data string) ([]string, error) {
 	var ips []string
 	mons := strings.Split(data, ",")
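Review bot: `getDesiredClientConfigHash` has no doc comment, and the contract it now carries is easy to break: the digest is computed over a positional `[]any`, so inserting `inTransitEncryptionEnabled` between the channel and the quota changes the hash for every existing consumer, and any later reordering of the list will do the same without any compile-time signal. Add above the signature: `// getDesiredClientConfigHash returns an MD5 digest of the settings a client must reconcile on: the operator channel, whether in-transit encryption is enabled, and the storage quota.` followed by `// The list is positional: adding, removing or reordering an entry changes the hash for every consumer, which clients treat as a desired-state change.` While there, `var arr = []any{` reads more naturally as `arr := []any{`.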
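Review bot: The filter loop in `getStorageCluster` copies every StorageCluster out of `storageClusterList.Items` into a second slice only to hand back a pointer to its first element, and `cluster.Spec.ExternalStorage.Enable != true` is the comparison staticcheck rewrites as `!cluster.Spec.ExternalStorage.Enable`. Selecting by index into the list keeps a single pointer, drops the per-item copies, and lets the more-than-one case return as soon as a second internal cluster is seen; the NotFound/Internal split and the messages stay as they are. Note also that the call site this helper replaces bounded the List with `client.Limit(2)` while the helper lists every StorageCluster in the namespace; that is presumably needed to skip external clusters and harmless for the handful that normally exist, but worth saying in the existing filter comment.
```go
func (s *OCSProviderServer) getStorageCluster(ctx context.Context) (*ocsv1.StorageCluster, error) {
	// … unchanged: List call and its error handling …
	// Filter out external storage clusters if any; keep a pointer into the
	// list rather than copying each StorageCluster into a second slice.
	var found *ocsv1.StorageCluster
	for i := range storageClusterList.Items {
		cluster := &storageClusterList.Items[i]
		if cluster.Spec.ExternalStorage.Enable {
			continue
		}
		if found != nil {
			return nil, status.Errorf(codes.Internal, "found more than one storage cluster")
		}
		found = cluster
	}
	if found == nil {
		return nil, status.Errorf(codes.NotFound, "no storage cluster found")
	}
	return found, nil
}
```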