From cd42ad67b2a6140d08504d256154d38cc3acf65e Mon Sep 17 00:00:00 2001
From: Marcel Lauhoff
Date: Fri, 19 Aug 2022 16:51:49 +0200
Subject: [PATCH] examples: Ceph FS fscrypt / KMS additions

Add encryption configuration to Ceph FS examples

Signed-off-by: Marcel Lauhoff
---
 examples/cephfs/secret.yaml | 3 +++
 examples/cephfs/storageclass.yaml | 11 +++++++++++
 examples/kms/vault/vault.yaml | 2 +-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/examples/cephfs/secret.yaml b/examples/cephfs/secret.yaml
index 6cb1f8f8c..0eb370781 100644
--- a/examples/cephfs/secret.yaml
+++ b/examples/cephfs/secret.yaml
@@ -12,3 +12,6 @@ stringData:
 # Required for dynamically provisioned volumes
 adminID:
 adminKey: <Ceph auth key corresponding to ID above>
+
+ # Encryption passphrase
+ encryptionPassphrase: test_passphrase
diff --git a/examples/cephfs/storageclass.yaml b/examples/cephfs/storageclass.yaml
index b23fa0213..4dab9ea2d 100644
--- a/examples/cephfs/storageclass.yaml
+++ b/examples/cephfs/storageclass.yaml
@@ -52,6 +52,17 @@ parameters:
 # (defaults to `false`)
 # backingSnapshot: "true"
+ # (optional) Instruct the plugin it has to encrypt the volume
+ # By default it is disabled. Valid values are "true" or "false".
+ # A string is expected here, i.e. "true", not true.
+ # encrypted: "true"
+
+ # (optional) Use external key management system for encryption passphrases by
+ # specifying a unique ID matching KMS ConfigMap. The ID is only used for
+ # correlation to configmap entry.
+ # encryptionKMSID: <kms-config-id>
+
+
 reclaimPolicy: Delete
 allowVolumeExpansion: true
 mountOptions:
diff --git a/examples/kms/vault/vault.yaml b/examples/kms/vault/vault.yaml
index 379b8897a..8621a8b73 100644
--- a/examples/kms/vault/vault.yaml
+++ b/examples/kms/vault/vault.yaml
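Review bot: The added `encryptionPassphrase: test_passphrase` in examples/cephfs/secret.yaml is a usable literal, while the neighbouring `adminKey` uses an angle-bracket placeholder, so a copied example ends up deployed with a publicly known passphrase. I would write the value as `encryptionPassphrase: <passphrase for volume encryption>` and change the comment to `# Encryption passphrase (example value, replace before use)`. The rest of the Secret is outside the hunk, so I cannot tell whether it already carries a warning that the values are examples.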
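Review bot: The new `encrypted` comment in examples/cephfs/storageclass.yaml does not say where the passphrase comes from when `encryptionKMSID` is left commented out. Presumably the plugin then uses `encryptionPassphrase` from the secret, which would mean every volume of the class shares one passphrase stored next to the Ceph admin key; if that is right, a line such as `# Without encryptionKMSID the passphrase is read from the secret's encryptionPassphrase.` would make the trade-off visible. The hunk also ends with two empty added lines before `reclaimPolicy`, where one would do.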
@@ -169,7 +169,7 @@ spec:
 - name: PLUGIN_ROLE
 value: csi-kubernetes
 - name: SERVICE_ACCOUNTS
- value: rbd-csi-nodeplugin,rbd-csi-provisioner,csi-rbdplugin,csi-rbdplugin-provisioner
+ value: rbd-csi-nodeplugin,rbd-csi-provisioner,csi-rbdplugin,csi-rbdplugin-provisioner,cephfs-csi-nodeplugin,cephfs-csi-provisioner,csi-cephfsplugin,csi-cephfsplugin-provisioner
 - name: SERVICE_ACCOUNTS_NAMESPACE
 value: default
 - name: VAULT_ADDR
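Review bot: The extended `SERVICE_ACCOUNTS` value places the four CephFS service accounts under the same `PLUGIN_ROLE` (`csi-kubernetes`) as the RBD ones. Assuming that role maps to a single Vault policy (the policy is not in this hunk), a token from any of the eight accounts in namespace `default` can read keys stored for the other driver's volumes. That is tolerable for an example, but a comment above the entry would keep it from being copied unchanged: `# Example only: all listed accounts share one Vault role; use a separate role per driver in production.` The value is also now one very long line, which makes later edits hard to review, and the enclosing `spec:` block starts and ends outside the hunk.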