From af8524a6a0b76f017a0df11f5367c0af8198f70a Mon Sep 17 00:00:00 2001
From: sp98
Date: Mon, 4 Mar 2024 20:36:22 +0530
Subject: [PATCH] add support for Azure key vault

Signed-off-by: sp98
---
 controllers/storagecluster/cephcluster.go | 2 ++
 controllers/storagecluster/cephcluster_test.go | 8 ++++++++
 controllers/storagecluster/kms_resources.go | 2 ++
 3 files changed, 12 insertions(+)

diff --git a/controllers/storagecluster/cephcluster.go b/controllers/storagecluster/cephcluster.go
index 59b118d088..d416a0fddb 100644
--- a/controllers/storagecluster/cephcluster.go
+++ b/controllers/storagecluster/cephcluster.go
@@ -185,6 +185,8 @@ func (obj *ocsCephCluster) ensureCreated(r *StorageClusterReconciler, sc *ocsv1.
 sc.Status.KMSServerConnection.KMSServerConnectionError = ""
 if kmsConfigMap.Data["KMS_PROVIDER"] == "vault" {
 sc.Status.KMSServerConnection.KMSServerAddress = kmsConfigMap.Data["VAULT_ADDR"]
+ } else if kmsConfigMap.Data["KMS_PROVIDER"] == AzureKSMProvider {
+ sc.Status.KMSServerConnection.KMSServerAddress = kmsConfigMap.Data["AZURE_VAULT_URL"]
 }
 if err = reachKMSProvider(kmsConfigMap); err != nil {
 sc.Status.KMSServerConnection.KMSServerConnectionError = err.Error()
diff --git a/controllers/storagecluster/cephcluster_test.go b/controllers/storagecluster/cephcluster_test.go
index 0f114a1c0e..d2ca035cfb 100644
--- a/controllers/storagecluster/cephcluster_test.go
+++ b/controllers/storagecluster/cephcluster_test.go
@@ -704,7 +704,13 @@ func createDummyKMSConfigMap(kmsProvider, kmsAddr string, kmsAuthMethod string)
 cm.Data["IBM_KP_SECRET_NAME"] = "my-kms-key"
 cm.Data["IBM_KP_BASE_URL"] = "my-base-url"
 cm.Data["IBM_KP_TOKEN_URL"] = "my-token-url"
+ case AzureKSMProvider:
+ cm.Data["AZURE_CLIENT_ID"] = "azure-client-id"
+ cm.Data["AZURE_TENANT_ID"] = "azure-tenant-id"
+ cm.Data["AZURE_VAULT_URL"] = kmsAddr
+ cm.Data["AZURE_CERT_SECRET_NAME"] = "cert-secret"
 }
+
 return cm
 }
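Review bot: The new branch compares against the `AzureKSMProvider` constant while the vault branch directly above it still compares against the literal `"vault"`, so the two provider checks in ensureCreated are written in different styles. With a second provider now handled, a `switch kmsConfigMap.Data["KMS_PROVIDER"]` with one case per provider (the vault case using the matching named constant from the kms_resources.go const block, if one exists) reads more clearly and retires the literal. Whether `reachKMSProvider` on the following line knows how to probe an Azure endpoint is not visible here; if it only recognises the existing providers, the status address would be populated for `azure-kv` without a connectivity check actually running. ensureCreated continues outside the hunk.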
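Review bot: An unrelated blank line is inserted before `return cm` at the end of createDummyKMSConfigMap; it is not part of the Azure case and could be dropped so the change stays confined to the provider switch. In the new `case AzureKSMProvider` only `AZURE_VAULT_URL` is parameterised through `kmsAddr`, while the client ID, tenant ID and certificate secret name are fixed strings, which mirrors the IBM case above it; a short comment such as `// Azure KV: only the vault URL varies per test; credential fields are placeholders` would make that intent explicit for the next person extending the helper. The function starts outside the hunk.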
@@ -737,6 +743,8 @@ func TestKMSConfigChanges(t *testing.T) {
 enabled: true, kmsAddress: "http://localhost:5678", authMethod: VaultSAAuthMethod},
 {testLabel: "case 8", kmsProvider: ThalesKMSProvider,
 clusterWideEncryption: true, kmsAddress: "http://localhost:5671"},
+ {testLabel: "case 9", kmsProvider: AzureKSMProvider,
+ clusterWideEncryption: true, kmsAddress: "http://localhost:5671"},
 }
 for _, kmsArgs := range validKMSArgs {
 t.Run(kmsArgs.testLabel, func(t *testing.T) {
diff --git a/controllers/storagecluster/kms_resources.go b/controllers/storagecluster/kms_resources.go
index 7fdb92c885..cf6a6a0848 100644
--- a/controllers/storagecluster/kms_resources.go
+++ b/controllers/storagecluster/kms_resources.go
@@ -35,6 +35,8 @@ const (
 IbmKeyProtectKMSProvider = "ibmkeyprotect"
 // ThalesKMSProvider a constant to represent Thales (using KMIP) KMS provider
 ThalesKMSProvider = "kmip"
+ // AzureKSMProvider represents the Azure Key vault.
+ AzureKSMProvider = "azure-kv"
 )
 var (
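Review bot: The new constant is named `AzureKSMProvider`, but the neighbouring constants in this block spell the initialism `KMS` (`IbmKeyProtectKMSProvider`, `ThalesKMSProvider`), so `KSM` reads as a transposition and is already being copied into every call site (the cephcluster.go and cephcluster_test.go hunks in this patch use it). Renaming to `AzureKMSProvider` before merge avoids a later cross-file rename; its doc comment would then read `// AzureKMSProvider a constant to represent the Azure Key Vault KMS provider` to match the form of the Thales comment above it. The const block continues outside the hunk.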