From e6e8c14985af4e259df9c8eb82be1058033608d9 Mon Sep 17 00:00:00 2001
From: Santosh Pillai
Date: Wed, 15 Jan 2025 12:54:58 +0530
Subject: [PATCH] add support for enabling clusterwide encryption as day-2 operation
Signed-off-by: Santosh Pillai
---
 controllers/storagecluster/cephcluster.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/controllers/storagecluster/cephcluster.go b/controllers/storagecluster/cephcluster.go
index 1cfaad2717..c2bb7849cb 100644
--- a/controllers/storagecluster/cephcluster.go
+++ b/controllers/storagecluster/cephcluster.go
@@ -271,6 +271,11 @@ func (obj *ocsCephCluster) ensureCreated(r *StorageClusterReconciler, sc *ocsv1.
 // Update OSD store to `bluestore`
 cephCluster.Spec.Storage.Store = updateOSDStore(found.Spec.Storage.Store)
+ // confirm OSD migration if encryption is enbled as day-2 operation
+ if isEncrptionSettingUpdated(cephCluster.Spec.Storage.StorageClassDeviceSets, found.Spec.Storage.StorageClassDeviceSets) {
+ cephCluster.Spec.Storage.Migration.Confirmation = "yes-really-migrate-osds"
+ }
+
 // Add it to the list of RelatedObjects if found
 objectRef, err := reference.GetReference(r.Scheme, found)
 if err != nil {
@@ -1399,3 +1404,17 @@ func determineDefaultCephDeviceClass(foundDeviceClasses []rookCephv1.DeviceClass
 // if no device classes are found in status return empty string
 return ""
 }
+
+// isEncrptionSettingUpdated checks whether ecryption was enabled or disabled for the storageClassDeviceSet.
+func isEncrptionSettingUpdated(newDeviceSet, existingDeviceSet []rookCephv1.StorageClassDeviceSet) bool {
+ if len(newDeviceSet) != len(existingDeviceSet) {
+ return false
+ }
+
+ for i := range newDeviceSet {
+ if newDeviceSet[i].Encrypted != existingDeviceSet[i].Encrypted {
+ return true
+ }
+ }
+ return false
+}
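Review bot: The literal `"yes-really-migrate-osds"` is written whenever the `Encrypted` flag differs in either direction, so a StorageCluster edit that turns encryption off is confirmed as automatically as one that turns it on. If only day-2 enablement is intended, as the subject line says, the check should fire on false-to-true transitions only, and the decision deserves a log line or event so the change is auditable. A named constant and an accurate comment would help, e.g. `const osdMigrationConfirmation = "yes-really-migrate-osds"` and `// confirm OSD migration when encryption is enabled as a day-2 operation`. It also looks as though the confirmation is set only on the reconcile that observes the difference, and would no longer be set once `found` carries the new flag, so it is worth confirming that the migration has completed by then. ensureCreated begins and ends outside this hunk.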
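Review bot: isEncrptionSettingUpdated compares device sets by slice index and returns false whenever the lengths differ, so an encryption change made together with adding, removing or reordering a device set is either missed or attributed to the wrong set. Matching on the device set name avoids both, and a set that exists on only one side needs no migration confirmation. The identifier and its comment are also misspelled (`isEncrptionSettingUpdated`, `ecryption`); renaming to `isEncryptionSettingUpdated` needs the call site in ensureCreated (first hunk) changed as well. The sketch below keeps the current name.

```go
func isEncrptionSettingUpdated(newDeviceSet, existingDeviceSet []rookCephv1.StorageClassDeviceSet) bool {
	// Index the existing sets by name so position and count do not matter.
	existing := make(map[string]bool, len(existingDeviceSet))
	for i := range existingDeviceSet {
		existing[existingDeviceSet[i].Name] = existingDeviceSet[i].Encrypted
	}

	for i := range newDeviceSet {
		was, ok := existing[newDeviceSet[i].Name]
		if ok && was != newDeviceSet[i].Encrypted {
			return true
		}
	}
	return false
}
```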