[release-ocm-2.17] ACM-35997: apply disk encryption defaults on cluster create and update

internal/bminventory/inventory.go

@@ -443,11 +443,9 @@ func (b *bareMetalInventory) setDefaultRegisterClusterParams(ctx context.Context
 		params.NewClusterParams.AdditionalNtpSource = &b.Config.DefaultNTPSource
 	}
 	if params.NewClusterParams.DiskEncryption == nil {
-		params.NewClusterParams.DiskEncryption = &models.DiskEncryption{
-			EnableOn: swag.String(models.DiskEncryptionEnableOnNone),
-			Mode:     swag.String(models.DiskEncryptionModeTpmv2),
-		}
+		params.NewClusterParams.DiskEncryption = &models.DiskEncryption{}
 	}
+	common.ApplyDiskEncryptionDefaults(params.NewClusterParams.DiskEncryption)
 
 	params.NewClusterParams.NetworkType, err = getDefaultNetworkType(params)
 	if err != nil {
@@ -919,14 +917,7 @@ func setDiskEncryptionWithDefaultValues(c *models.Cluster, config *models.DiskEn
 	}
 
 	c.DiskEncryption = config
-
-	if c.DiskEncryption.EnableOn == nil {
-		c.DiskEncryption.EnableOn = swag.String(models.DiskEncryptionEnableOnNone)
-	}
-
-	if config.Mode == nil {
-		c.DiskEncryption.Mode = swag.String(models.DiskEncryptionModeTpmv2)
-	}
+	common.ApplyDiskEncryptionDefaults(c.DiskEncryption)
 }
 
 func updateSSHPublicKey(cluster *common.Cluster) error {
@@ -2635,7 +2626,7 @@ func (b *bareMetalInventory) updateDhcpNetworkParams(db *gorm.DB, id *strfmt.UUI
 
 func (b *bareMetalInventory) setDiskEncryptionUsage(c *models.Cluster, diskEncryption *models.DiskEncryption, usages map[string]models.Usage) {
 
-	if c.DiskEncryption == nil || swag.StringValue(c.DiskEncryption.EnableOn) == models.DiskEncryptionEnableOnNone {
+	if !common.IsConfigured(c.DiskEncryption) {
 		return
 	}
 
@@ -2647,7 +2638,7 @@ func (b *bareMetalInventory) setDiskEncryptionUsage(c *models.Cluster, diskEncry
 		props["mode"] = swag.StringValue(diskEncryption.Mode)
 		props["tang_servers"] = diskEncryption.TangServers
 	}
-	b.setUsage(swag.StringValue(c.DiskEncryption.EnableOn) != models.DiskEncryptionEnableOnNone, usage.DiskEncryption, &props, usages)
+	b.setUsage(common.IsConfigured(c.DiskEncryption), usage.DiskEncryption, &props, usages)
 }
 
 func (b *bareMetalInventory) updateClusterData(_ context.Context, cluster *common.Cluster, params installer.V2UpdateClusterParams, usages map[string]models.Usage, db *gorm.DB, log logrus.FieldLogger, interactivity Interactivity, mirrorRegistryConfiguration *common.MirrorRegistryConfiguration, primaryIPStackUpdated bool, primaryIPStack *common.PrimaryIPStack) error {
@@ -2719,9 +2710,13 @@ func (b *bareMetalInventory) updateClusterData(_ context.Context, cluster *commo
 			return common.NewApiError(http.StatusBadRequest, errors.New(msg))
 		}
 		if params.ClusterUpdateParams.DiskEncryption.EnableOn != nil {
+			enableOn, _ := common.DiskEncryptionFieldDefaults(params.ClusterUpdateParams.DiskEncryption.EnableOn, nil)
+			params.ClusterUpdateParams.DiskEncryption.EnableOn = swag.String(enableOn)
 			updates["disk_encryption_enable_on"] = params.ClusterUpdateParams.DiskEncryption.EnableOn
 		}
 		if params.ClusterUpdateParams.DiskEncryption.Mode != nil {
+			_, mode := common.DiskEncryptionFieldDefaults(nil, params.ClusterUpdateParams.DiskEncryption.Mode)
+			params.ClusterUpdateParams.DiskEncryption.Mode = swag.String(mode)
 			updates["disk_encryption_mode"] = params.ClusterUpdateParams.DiskEncryption.Mode
 		}
 		if params.ClusterUpdateParams.DiskEncryption.TangServers != "" {

internal/cluster/validations/validations.go

@@ -776,10 +776,10 @@ func ValidateDiskEncryptionParams(diskEncryptionParams *models.DiskEncryption, D
 	if diskEncryptionParams == nil {
 		return nil
 	}
-	if !DiskEncryptionSupport && swag.StringValue(diskEncryptionParams.EnableOn) != models.DiskEncryptionEnableOnNone {
+	if !DiskEncryptionSupport && common.RequestsConfiguration(diskEncryptionParams) {
 		return errors.New("Disk encryption support is not enabled. Cannot apply configurations to the cluster")
 	}
-	if diskEncryptionParams.Mode != nil && swag.StringValue(diskEncryptionParams.Mode) == models.DiskEncryptionModeTang {
+	if common.HasMode(diskEncryptionParams, models.DiskEncryptionModeTang) {
 		if diskEncryptionParams.TangServers == "" {
 			return errors.New("Setting Tang mode but tang_servers isn't set")
 		}

internal/common/disk_encryption.go

@@ -0,0 +1,103 @@
+package common
+
+import (
+	"strings"
+
+	"github.com/go-openapi/swag"
+	"github.com/openshift/assisted-service/models"
+	"github.com/thoas/go-funk"
+)
+
+// IsEnabled reports whether disk encryption is enabled for any role.
+// Empty or "none" enable_on values are treated as disabled.
+func IsEnabled(enableOn *string) bool {
+	v := swag.StringValue(enableOn)
+	return v != "" && v != models.DiskEncryptionEnableOnNone
+}
+
+// IsConfigured reports whether disk encryption is enabled on the cluster.
+func IsConfigured(diskEncryption *models.DiskEncryption) bool {
+	return diskEncryption != nil && IsEnabled(diskEncryption.EnableOn)
+}
+
+// RequestsConfiguration reports whether an API payload carries explicit disk encryption
+// settings beyond the disabled defaults, including tang configuration without enable_on.
+func RequestsConfiguration(diskEncryption *models.DiskEncryption) bool {
+	if diskEncryption == nil {
+		return false
+	}
+	return RequestsDiskEncryptionConfiguration(
+		diskEncryption.EnableOn,
+		diskEncryption.Mode,
+		diskEncryption.TangServers,
+	)
+}
+
+// RequestsDiskEncryptionConfiguration reports whether disk encryption fields carry explicit
+// configuration beyond disabled defaults. Use this when the caller has separate fields
+// instead of a models.DiskEncryption payload (for example AgentClusterInstall spec).
+func RequestsDiskEncryptionConfiguration(enableOn, mode *string, tangServers string) bool {
+	return IsEnabled(enableOn) ||
+		HasMode(&models.DiskEncryption{Mode: mode}, models.DiskEncryptionModeTang) ||
+		tangServers != ""
+}
+
+// DiskEncryptionFieldDefaults returns enable_on and mode with defaults for nil or empty values.
+func DiskEncryptionFieldDefaults(enableOn, mode *string) (string, string) {
+	enableOnValue := swag.StringValue(enableOn)
+	if enableOnValue == "" {
+		enableOnValue = models.DiskEncryptionEnableOnNone
+	}
+	modeValue := swag.StringValue(mode)
+	if modeValue == "" {
+		modeValue = models.DiskEncryptionModeTpmv2
+	}
+	return enableOnValue, modeValue
+}
+
+// ApplyDiskEncryptionDefaults normalizes nil or empty disk encryption fields to their defaults.
+func ApplyDiskEncryptionDefaults(diskEncryption *models.DiskEncryption) {
+	if diskEncryption == nil {
+		return
+	}
+	enableOn, mode := DiskEncryptionFieldDefaults(diskEncryption.EnableOn, diskEncryption.Mode)
+	diskEncryption.EnableOn = swag.String(enableOn)
+	diskEncryption.Mode = swag.String(mode)
+}
+
+// HasMode reports whether disk encryption mode equals the given value.
+func HasMode(diskEncryption *models.DiskEncryption, mode string) bool {
+	if diskEncryption == nil {
+		return false
+	}
+	return swag.StringValue(diskEncryption.Mode) == mode
+}
+
+// IsSetWithTpm reports whether TPM-based disk encryption is configured for any role.
+func IsSetWithTpm(diskEncryption *models.DiskEncryption) bool {
+	return IsConfigured(diskEncryption) && HasMode(diskEncryption, models.DiskEncryptionModeTpmv2)
+}
+
+// IsSetWithTang reports whether Tang-based disk encryption is configured for any role.
+func IsSetWithTang(diskEncryption *models.DiskEncryption) bool {
+	return IsConfigured(diskEncryption) && HasMode(diskEncryption, models.DiskEncryptionModeTang)
+}
+
+// EnabledForRole reports whether disk encryption is enabled for the given host role.
+func EnabledForRole(encryption models.DiskEncryption, role models.HostRole) bool {
+	if swag.StringValue(encryption.EnableOn) == models.DiskEncryptionEnableOnAll {
+		return true
+	}
+
+	enabledGroups := strings.Split(swag.StringValue(encryption.EnableOn), ",")
+	if role == models.HostRoleMaster || role == models.HostRoleBootstrap {
+		return funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnMasters)
+	}
+	if role == models.HostRoleArbiter {
+		return funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnArbiters)
+	}
+	if role == models.HostRoleWorker {
+		return funk.ContainsString(enabledGroups, models.DiskEncryptionEnableOnWorkers)
+	}
+	return false
+}