rbd: move KMS initialization into rbdVol.initKMS()

Introduce initKMS() as a function of rbdVolume. KMS functionality does
not need to pollute general RBD image functions. Encryption functions
are now in internal/rbd.encryption.go, so move initKMS() there as well.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos 2021-02-15 08:26:35 +01:00 committed by mergify[bot]
parent cf6dae86e9
commit 165a837bca
2 changed files with 44 additions and 28 deletions


@ -20,6 +20,7 @@ import (
"context"
"errors"
"fmt"
"strconv"
"strings"
"github.com/ceph/ceph-csi/internal/util"
@ -152,3 +153,43 @@ func (rv *rbdVolume) openEncryptedDevice(ctx context.Context, devicePath string)
return mapperFilePath, nil
}
func (rv *rbdVolume) initKMS(ctx context.Context, volOptions, credentials map[string]string) error {
var (
err error
ok bool
encrypted string
)
// if the KMS is of type VaultToken, additional metadata is needed
// depending on the tenant, the KMS can be configured with other
// options
// FIXME: this works only on Kubernetes, how do other CO supply metadata?
rv.Owner, ok = volOptions["csi.storage.k8s.io/pvc/namespace"]
if !ok {
util.DebugLog(ctx, "could not detect owner for %s", rv.String())
}
encrypted, ok = volOptions["encrypted"]
if !ok {
return nil
}
rv.Encrypted, err = strconv.ParseBool(encrypted)
if err != nil {
return fmt.Errorf(
"invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
} else if !rv.Encrypted {
return nil
}
// deliberately ignore if parsing failed as GetKMS will return default
// implementation of kmsID is empty
kmsID := volOptions["encryptionKMSID"]
rv.KMS, err = util.GetKMS(rv.Owner, kmsID, credentials)
if err != nil {
return fmt.Errorf("invalid encryption kms configuration: %w", err)
}
return nil
}
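Review bot: initKMS does not reset rv.Encrypted (and rv.KMS) before reading the volume options, whereas the code it replaces in genVolFromVolumeOptions explicitly did `rbdVol.Encrypted = false` first; on a fresh rbdVolume the zero value covers this, but if the method is ever called on a reused receiver a stale `Encrypted = true` from an earlier call would survive an option set without "encrypted", so consider `rv.Encrypted = false` as the first statement or a comment stating the method expects a fresh receiver. The new exported-style method also lacks a doc comment; `// initKMS reads the "encrypted" and "encryptionKMSID" volume options and, when encryption is enabled, sets rv.KMS from util.GetKMS, using the PVC namespace as rv.Owner when the CO provides it.` would document the contract. Since the "encrypted" value comes from caller-supplied volume options, printing it with `%q` rather than `%s` in the error keeps empty or whitespace values visible in logs, and the `} else if !rv.Encrypted {` after a `return` can be a plain `if` per the usual Go early-return style.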


@ -827,7 +827,6 @@ func genVolFromVolumeOptions(ctx context.Context, volOptions, credentials map[st
ok bool
err error
namePrefix string
encrypted string
)
rbdVol := &rbdVolume{}
@ -874,33 +873,9 @@ func genVolFromVolumeOptions(ctx context.Context, volOptions, credentials map[st
rbdVol.Mounter = rbdDefaultMounter
}
// if the KMS is of type VaultToken, additional metadata is needed
// depending on the tenant, the KMS can be configured with other
// options
// FIXME: this works only on Kubernetes, how do other CO supply metadata?
rbdVol.Owner, ok = volOptions["csi.storage.k8s.io/pvc/namespace"]
if !ok {
util.DebugLog(ctx, "could not detect owner for %s", rbdVol.String())
}
rbdVol.Encrypted = false
encrypted, ok = volOptions["encrypted"]
if ok {
rbdVol.Encrypted, err = strconv.ParseBool(encrypted)
err = rbdVol.initKMS(ctx, volOptions, credentials)
if err != nil {
return nil, fmt.Errorf(
"invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
}
if rbdVol.Encrypted {
// deliberately ignore if parsing failed as GetKMS will return default
// implementation of kmsID is empty
kmsID := volOptions["encryptionKMSID"]
rbdVol.KMS, err = util.GetKMS(rbdVol.Owner, kmsID, credentials)
if err != nil {
return nil, fmt.Errorf("invalid encryption kms configuration: %w", err)
}
}
return nil, err
}
return rbdVol, nil