server: distribute nfc to clients

Signed-off-by: Rewant Soni <[email protected]>

Author: rewantsoni

config/rbac/provider_server_cr.yaml

@@ -25,3 +25,10 @@ rules:
   verbs:
   - get
   - list
+- apiGroups:
+    - csiaddons.openshift.io
+  resources:
+    - networkfenceclasses
+  verbs:
+    - get
+    - list

controllers/util/networkfenceclasses.go

@@ -1,7 +1,12 @@
 package util
 
 import (
+	"context"
 	"fmt"
+	csiaddonsv1alpha1 "github.com/csi-addons/kubernetes-csi-addons/api/csiaddons/v1alpha1"
+	ocsv1a1 "github.com/red-hat-storage/ocs-operator/api/v4/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 type NetworkFenceClassType string
@@ -17,3 +22,92 @@ func GenerateNameForNetworkFenceClass(storageClusterName string, networkFenceCla
 	}
 	return fmt.Sprintf("%s-%s-networkfenceclass", storageClusterName, networkFenceClassType)
 }
+
+func NewDefaultRbdNetworkFenceClass(
+	provisionerSecret,
+	namespace,
+	storageId string,
+) *csiaddonsv1alpha1.NetworkFenceClass {
+
+	nfc := &csiaddonsv1alpha1.NetworkFenceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{},
+			Labels:      map[string]string{},
+		},
+		Spec: csiaddonsv1alpha1.NetworkFenceClassSpec{
+			Provisioner: RbdDriverName,
+			Parameters: map[string]string{
+				"csiaddons.openshift.io/networkfence-secret-name":      provisionerSecret,
+				"csiaddons.openshift.io/networkfence-secret-namespace": namespace,
+			},
+		},
+	}
+	if storageId != "" {
+		AddAnnotation(nfc, storageIdLabelKey, storageId)
+	}
+	return nfc
+}
+
+func NewDefaultCephFsNetworkFenceClass(
+	provisionerSecret,
+	namespace,
+	storageId string,
+) *csiaddonsv1alpha1.NetworkFenceClass {
+
+	nfc := &csiaddonsv1alpha1.NetworkFenceClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{},
+			Labels:      map[string]string{},
+		},
+		Spec: csiaddonsv1alpha1.NetworkFenceClassSpec{
+			Provisioner: CephFSDriverName,
+			Parameters: map[string]string{
+				"csiaddons.openshift.io/networkfence-secret-name":      provisionerSecret,
+				"csiaddons.openshift.io/networkfence-secret-namespace": namespace,
+			},
+		},
+	}
+	if storageId != "" {
+		AddAnnotation(nfc, storageIdLabelKey, storageId)
+	}
+	return nfc
+}
+
+func NetworkFenceClassFromExisting(
+	ctx context.Context,
+	kubeClient client.Client,
+	networkFenceClassName string,
+	consumer *ocsv1a1.StorageConsumer,
+	consumerConfig StorageConsumerResources,
+	rbdStorageId,
+	cephFsStorageId string,
+) (*csiaddonsv1alpha1.NetworkFenceClass, error) {
+	nfc := &csiaddonsv1alpha1.NetworkFenceClass{}
+	nfc.Name = networkFenceClassName
+	if err := kubeClient.Get(ctx, client.ObjectKeyFromObject(nfc), nfc); err != nil {
+		return nil, err
+	}
+	provisionerSecretName := ""
+	storageId := ""
+	operatorNamespace := consumer.Status.Client.OperatorNamespace
+	switch nfc.Spec.Provisioner {
+	case RbdDriverName:
+		provisionerSecretName = consumerConfig.GetCsiRbdProvisionerCephUserName()
+		storageId = rbdStorageId
+	case CephFSDriverName:
+		provisionerSecretName = consumerConfig.GetCsiCephFsProvisionerCephUserName()
+		storageId = cephFsStorageId
+	default:
+		return nil, UnsupportedProvisioner
+	}
+
+	params := nfc.Spec.Parameters
+	if params == nil {
+		params = map[string]string{}
+		nfc.Spec.Parameters = params
+	}
+	params["csiaddons.openshift.io/networkfence-secret-name"] = provisionerSecretName
+	params["csiaddons.openshift.io/networkfence-secret-namespace"] = operatorNamespace
+	AddAnnotation(nfc, storageIdLabelKey, storageId)
+	return nfc, nil
+}

deploy/csv-templates/ocs-operator.csv.yaml.in

@@ -79,7 +79,7 @@ metadata:
           "spec": null
         }
       ]
-    createdAt: "2025-09-10T07:51:15Z"
+    createdAt: "2025-09-10T08:22:22Z"
     description: Red Hat OpenShift Container Storage provides hyperconverged storage
       for applications within an OpenShift cluster.
     operators.operatorframework.io/builder: operator-sdk-v1.30.0
@@ -564,6 +564,13 @@ spec:
           verbs:
           - get
           - list
+        - apiGroups:
+          - csiaddons.openshift.io
+          resources:
+          - networkfenceclasses
+          verbs:
+          - get
+          - list
         serviceAccountName: ocs-provider-server
       - rules:
         - apiGroups:

deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml

@@ -56,7 +56,7 @@ metadata:
     capabilities: Deep Insights
     categories: Storage
     containerImage: quay.io/ocs-dev/ocs-operator:latest
-    createdAt: "2025-09-10T07:51:15Z"
+    createdAt: "2025-09-10T08:22:22Z"
     description: Red Hat OpenShift Container Storage provides hyperconverged storage
       for applications within an OpenShift cluster.
     external.features.ocs.openshift.io/supported-platforms: '["BareMetal", "None",
@@ -583,6 +583,13 @@ spec:
           verbs:
           - get
           - list
+        - apiGroups:
+          - csiaddons.openshift.io
+          resources:
+          - networkfenceclasses
+          verbs:
+          - get
+          - list
         serviceAccountName: ocs-provider-server
       - rules:
         - apiGroups: