cli: deploy cinder as OpenStack CSI plugin

bootstrapper/internal/kubernetes/kubernetes.go

@@ -507,6 +507,10 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, serviceConfig constell
 			"yawolNetworkID": networkIDs[0],
 			"yawolAPIHost":   fmt.Sprintf("https://%s:%d", serviceConfig.loadBalancerIP, constants.KubernetesPort),
 		}
+		cinderIni := creds.CloudINI().CinderCSIConfiguration()
+		extraVals["cinder-config"] = map[string]any{
+			"secretData": cinderIni,
+		}
 	}
 	return extraVals, nil
 }

cli/internal/helm/loader.go

@@ -512,6 +512,7 @@ func extendConstellationServicesValues(
 	case cloudprovider.OpenStack:
 		in["openstack"] = map[string]any{
 			"deployYawolLoadBalancer": cfg.DeployYawolLoadBalancer(),
+			"deployCSIDriver":         cfg.DeployCSIDriver(),
 		}
 		if cfg.DeployYawolLoadBalancer() {
 			in["yawol-controller"] = map[string]any{

internal/cloud/openstack/accountkey.go

@@ -162,4 +162,28 @@ region = %s
 `, authURL, username, password, projectID, userDomainName, region)
 }
 
+// CinderCSIConfiguration returns the string representation of the CloudINI subset cinder expects.
+func (i CloudINI) CinderCSIConfiguration() string {
+	// sanitize parameters to not include newlines
+	authURL := newlineRegexp.ReplaceAllString(i.AuthURL, "")
+	username := newlineRegexp.ReplaceAllString(i.Username, "")
+	password := newlineRegexp.ReplaceAllString(i.Password, "")
+	projectID := newlineRegexp.ReplaceAllString(i.ProjectID, "")
+	projectName := newlineRegexp.ReplaceAllString(i.TenantName, "")
+	userDomainName := newlineRegexp.ReplaceAllString(i.UserDomainName, "")
+	tenantDomainName := newlineRegexp.ReplaceAllString(i.TenantDomainName, "")
+	region := newlineRegexp.ReplaceAllString(i.Region, "")
+
+	return fmt.Sprintf(`[Global]
+auth-url = %s
+username = %s
+password = %s
+project-id = %s
+project-name = %s
+user-domain-name = %s
+project-domain-name = %s
+region = %s
+`, authURL, username, password, projectID, projectName, userDomainName, tenantDomainName, region)
+}
+
 var newlineRegexp = regexp.MustCompile(`[\r\n]+`)

internal/cloud/openstack/accountkey_test.go

@@ -194,3 +194,26 @@ domain-name = user-domain-name
 region = region-name
 `, ini.YawolConfiguration())
 }
+
+func TestCinderCSIConfiguration(t *testing.T) {
+	ini := CloudINI{
+		AuthURL:          "auth-url",
+		Username:         "username",
+		Password:         "password",
+		ProjectID:        "project-id",
+		TenantName:       "project-name",
+		UserDomainName:   "user-domain-name",
+		TenantDomainName: "project-domain-name",
+		Region:           "region-name",
+	}
+	assert.Equal(t, `[Global]
+auth-url = auth-url
+username = username
+password = password
+project-id = project-id
+project-name = project-name
+user-domain-name = user-domain-name
+project-domain-name = project-domain-name
+region = region-name
+`, ini.CinderCSIConfiguration())
+}

internal/config/config.go

@@ -239,6 +239,9 @@ type OpenStackConfig struct {
 	// description: |
 	//   OpenStack flavor id used for yawollets. For details see: https://github.com/stackitcloud/yawol
 	YawolFlavorID string `yaml:"yawolFlavorID"`
+	// description: |
+	//   Deploy Cinder CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage
+	DeployCSIDriver *bool `yaml:"deployCSIDriver" validate:"required"`
 }
 
 // QEMUConfig holds config information for QEMU based Constellation deployments.
@@ -335,6 +338,7 @@ func Default() *Config {
 			OpenStack: &OpenStackConfig{
 				DirectDownload:          toPtr(true),
 				DeployYawolLoadBalancer: toPtr(true),
+				DeployCSIDriver:         toPtr(true),
 			},
 			QEMU: &QEMUConfig{
 				ImageFormat:           "raw",
@@ -539,7 +543,8 @@ func (c *Config) UpdateMAAURL(maaURL string) {
 // DeployCSIDriver returns whether the CSI driver should be deployed for a given cloud provider.
 func (c *Config) DeployCSIDriver() bool {
 	return c.Provider.Azure != nil && c.Provider.Azure.DeployCSIDriver != nil && *c.Provider.Azure.DeployCSIDriver ||
-		c.Provider.GCP != nil && c.Provider.GCP.DeployCSIDriver != nil && *c.Provider.GCP.DeployCSIDriver
+		c.Provider.GCP != nil && c.Provider.GCP.DeployCSIDriver != nil && *c.Provider.GCP.DeployCSIDriver ||
+		c.Provider.OpenStack != nil && c.Provider.OpenStack.DeployCSIDriver != nil && *c.Provider.OpenStack.DeployCSIDriver
 }
 
 // DeployYawolLoadBalancer returns whether the Yawol load balancer should be deployed.

internal/config/config_doc.go

@@ -277,7 +277,7 @@ func init() {
 			FieldName: "openstack",
 		},
 	}
-	OpenStackConfigDoc.Fields = make([]encoder.Doc, 17)
+	OpenStackConfigDoc.Fields = make([]encoder.Doc, 18)
 	OpenStackConfigDoc.Fields[0].Name = "cloud"
 	OpenStackConfigDoc.Fields[0].Type = "string"
 	OpenStackConfigDoc.Fields[0].Note = ""
@@ -363,6 +363,11 @@ func init() {
 	OpenStackConfigDoc.Fields[16].Note = ""
 	OpenStackConfigDoc.Fields[16].Description = "OpenStack flavor id used for yawollets. For details see: https://github.com/stackitcloud/yawol"
 	OpenStackConfigDoc.Fields[16].Comments[encoder.LineComment] = "OpenStack flavor id used for yawollets. For details see: https://github.com/stackitcloud/yawol"
+	OpenStackConfigDoc.Fields[17].Name = "deployCSIDriver"
+	OpenStackConfigDoc.Fields[17].Type = "bool"
+	OpenStackConfigDoc.Fields[17].Note = ""
+	OpenStackConfigDoc.Fields[17].Description = "Deploy Cinder CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
+	OpenStackConfigDoc.Fields[17].Comments[encoder.LineComment] = "Deploy Cinder CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
 
 	QEMUConfigDoc.Type = "QEMUConfig"
 	QEMUConfigDoc.Comments[encoder.LineComment] = "QEMUConfig holds config information for QEMU based Constellation deployments."