mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-26 08:10:20 +00:00
rbd: move KMS initialization into rbdVol.initKMS()
Introduce initKMS() as a function of rbdVolume. KMS functionality does not need to pollute general RBD image functions. Encryption functions are now in internal/rbd.encryption.go, so move initKMS() there as well. Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
cf6dae86e9
commit
165a837bca
@ -20,6 +20,7 @@ import (
|
|||||||
"context"
|
"context"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/ceph/ceph-csi/internal/util"
|
"github.com/ceph/ceph-csi/internal/util"
|
||||||
@ -152,3 +153,43 @@ func (rv *rbdVolume) openEncryptedDevice(ctx context.Context, devicePath string)
|
|||||||
|
|
||||||
return mapperFilePath, nil
|
return mapperFilePath, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (rv *rbdVolume) initKMS(ctx context.Context, volOptions, credentials map[string]string) error {
|
||||||
|
var (
|
||||||
|
err error
|
||||||
|
ok bool
|
||||||
|
encrypted string
|
||||||
|
)
|
||||||
|
|
||||||
|
// if the KMS is of type VaultToken, additional metadata is needed
|
||||||
|
// depending on the tenant, the KMS can be configured with other
|
||||||
|
// options
|
||||||
|
// FIXME: this works only on Kubernetes, how do other CO supply metadata?
|
||||||
|
rv.Owner, ok = volOptions["csi.storage.k8s.io/pvc/namespace"]
|
||||||
|
if !ok {
|
||||||
|
util.DebugLog(ctx, "could not detect owner for %s", rv.String())
|
||||||
|
}
|
||||||
|
|
||||||
|
encrypted, ok = volOptions["encrypted"]
|
||||||
|
if !ok {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
rv.Encrypted, err = strconv.ParseBool(encrypted)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf(
|
||||||
|
"invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
|
||||||
|
} else if !rv.Encrypted {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// deliberately ignore if parsing failed as GetKMS will return default
|
||||||
|
// implementation of kmsID is empty
|
||||||
|
kmsID := volOptions["encryptionKMSID"]
|
||||||
|
rv.KMS, err = util.GetKMS(rv.Owner, kmsID, credentials)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("invalid encryption kms configuration: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
@ -827,7 +827,6 @@ func genVolFromVolumeOptions(ctx context.Context, volOptions, credentials map[st
|
|||||||
ok bool
|
ok bool
|
||||||
err error
|
err error
|
||||||
namePrefix string
|
namePrefix string
|
||||||
encrypted string
|
|
||||||
)
|
)
|
||||||
|
|
||||||
rbdVol := &rbdVolume{}
|
rbdVol := &rbdVolume{}
|
||||||
@ -874,33 +873,9 @@ func genVolFromVolumeOptions(ctx context.Context, volOptions, credentials map[st
|
|||||||
rbdVol.Mounter = rbdDefaultMounter
|
rbdVol.Mounter = rbdDefaultMounter
|
||||||
}
|
}
|
||||||
|
|
||||||
// if the KMS is of type VaultToken, additional metadata is needed
|
err = rbdVol.initKMS(ctx, volOptions, credentials)
|
||||||
// depending on the tenant, the KMS can be configured with other
|
if err != nil {
|
||||||
// options
|
return nil, err
|
||||||
// FIXME: this works only on Kubernetes, how do other CO supply metadata?
|
|
||||||
rbdVol.Owner, ok = volOptions["csi.storage.k8s.io/pvc/namespace"]
|
|
||||||
if !ok {
|
|
||||||
util.DebugLog(ctx, "could not detect owner for %s", rbdVol.String())
|
|
||||||
}
|
|
||||||
|
|
||||||
rbdVol.Encrypted = false
|
|
||||||
encrypted, ok = volOptions["encrypted"]
|
|
||||||
if ok {
|
|
||||||
rbdVol.Encrypted, err = strconv.ParseBool(encrypted)
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf(
|
|
||||||
"invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
|
|
||||||
}
|
|
||||||
|
|
||||||
if rbdVol.Encrypted {
|
|
||||||
// deliberately ignore if parsing failed as GetKMS will return default
|
|
||||||
// implementation of kmsID is empty
|
|
||||||
kmsID := volOptions["encryptionKMSID"]
|
|
||||||
rbdVol.KMS, err = util.GetKMS(rbdVol.Owner, kmsID, credentials)
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("invalid encryption kms configuration: %w", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return rbdVol, nil
|
return rbdVol, nil
|
||||||
|
Loading…
Reference in New Issue
Block a user