From 165a837bca2fee33ffcb776c0c5124fcaff31e40 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Mon, 15 Feb 2021 08:26:35 +0100
Subject: [PATCH] rbd: move KMS initialization into rbdVol.initKMS()
Introduce initKMS() as a function of rbdVolume. KMS functionality does not need to pollute general RBD image functions. Encryption functions are now in internal/rbd.encryption.go, so move initKMS() there as well.
Signed-off-by: Niels de Vos
---
internal/rbd/encryption.go | 41 ++++++++++++++++++++++++++++++++++++++
internal/rbd/rbd_util.go | 31 +++-------------------------
2 files changed, 44 insertions(+), 28 deletions(-)
diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
index bc393ce09..3241468f2 100644
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@@ -20,6 +20,7 @@ import (
 "context"
 "errors"
 "fmt"
+ "strconv"
 "strings"
 "github.com/ceph/ceph-csi/internal/util"
@@ -152,3 +153,43 @@ func (rv *rbdVolume) openEncryptedDevice(ctx context.Context, devicePath string)
 return mapperFilePath, nil
 }
+
+func (rv *rbdVolume) initKMS(ctx context.Context, volOptions, credentials map[string]string) error {
+ var (
+ err error
+ ok bool
+ encrypted string
+ )
+
+ // if the KMS is of type VaultToken, additional metadata is needed
+ // depending on the tenant, the KMS can be configured with other
+ // options
+ // FIXME: this works only on Kubernetes, how do other CO supply metadata?
+ rv.Owner, ok = volOptions["csi.storage.k8s.io/pvc/namespace"]
+ if !ok {
+ util.DebugLog(ctx, "could not detect owner for %s", rv.String())
+ }
+
+ encrypted, ok = volOptions["encrypted"]
+ if !ok {
+ return nil
+ }
+
+ rv.Encrypted, err = strconv.ParseBool(encrypted)
+ if err != nil {
+ return fmt.Errorf(
+ "invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
+ } else if !rv.Encrypted {
+ return nil
+ }
+
+ // deliberately ignore if parsing failed as GetKMS will return default
+ // implementation of kmsID is empty
+ kmsID := volOptions["encryptionKMSID"]
+ rv.KMS, err = util.GetKMS(rv.Owner, kmsID, credentials)
+ if err != nil {
+ return fmt.Errorf("invalid encryption kms configuration: %w", err)
+ }
+
+ return nil
+}
diff --git a/internal/rbd/rbd_util.go b/internal/rbd/rbd_util.go
index c6e0c3d49..293997720 100644
--- a/internal/rbd/rbd_util.go
+++ b/internal/rbd/rbd_util.go
@@ -827,7 +827,6 @@ func genVolFromVolumeOptions(ctx context.Context, volOptions, credentials map[st
 ok bool
 err error
 namePrefix string
- encrypted string
 )
 rbdVol := &rbdVolume{}
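Review bot: initKMS has no doc comment, and what it leaves in rv is not obvious from the body: a missing or "false" `encrypted` option returns nil without touching rv.Encrypted or rv.KMS, so callers must start from a freshly allocated rbdVolume (as genVolFromVolumeOptions does). Suggested comment above the signature: `// initKMS sets rv.Owner, rv.Encrypted and rv.KMS from volOptions; a missing or "false" "encrypted" option leaves the volume unencrypted and returns nil, while an unparsable value or a failed KMS lookup is returned as an error.` The `} else if !rv.Encrypted {` branch follows a return, so the `else` is redundant; closing the error check and then writing `if !rv.Encrypted { return nil }` keeps the happy path left-aligned. The comment `// implementation of kmsID is empty` reads as a typo for `// implementation if kmsID is empty`. Since `encrypted` is a user-supplied option echoed back in the error message, `%q` instead of `%s` would make an empty or whitespace-only value visible in the reported error.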
@@ -874,33 +873,9 @@ func genVolFromVolumeOptions(ctx context.Context, volOptions, credentials map[st
 rbdVol.Mounter = rbdDefaultMounter
 }
- // if the KMS is of type VaultToken, additional metadata is needed
- // depending on the tenant, the KMS can be configured with other
- // options
- // FIXME: this works only on Kubernetes, how do other CO supply metadata?
- rbdVol.Owner, ok = volOptions["csi.storage.k8s.io/pvc/namespace"]
- if !ok {
- util.DebugLog(ctx, "could not detect owner for %s", rbdVol.String())
- }
-
- rbdVol.Encrypted = false
- encrypted, ok = volOptions["encrypted"]
- if ok {
- rbdVol.Encrypted, err = strconv.ParseBool(encrypted)
- if err != nil {
- return nil, fmt.Errorf(
- "invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
- }
-
- if rbdVol.Encrypted {
- // deliberately ignore if parsing failed as GetKMS will return default
- // implementation of kmsID is empty
- kmsID := volOptions["encryptionKMSID"]
- rbdVol.KMS, err = util.GetKMS(rbdVol.Owner, kmsID, credentials)
- if err != nil {
- return nil, fmt.Errorf("invalid encryption kms configuration: %w", err)
- }
- }
+ err = rbdVol.initKMS(ctx, volOptions, credentials)
+ if err != nil {
+ return nil, err
 }
 return rbdVol, nil
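Review bot: The error from initKMS is returned unchanged on the added `return nil, err` line, so a KMS misconfiguration surfaces as `invalid encryption kms configuration: ...` with no indication of which volume request it belonged to; `return nil, fmt.Errorf("initializing KMS for %s: %w", rbdVol.String(), err)` would add that context while keeping `%w` so errors.Is/errors.As still reach the underlying cause. rbdVol.String() is already what the moved code logs on, and fmt is presumably still imported by rbd_util.go since the patch needed no import hunk there. genVolFromVolumeOptions starts well before this hunk, so the rest of its error-handling style is not visible here.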