rbd: move KMS initialization into rbdVol.initKMS()
Introduce initKMS() as a method of rbdVolume. KMS functionality does not need to pollute the general RBD image functions. The encryption functions now live in internal/rbd/encryption.go, so move initKMS() there as well. Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
cf6dae86e9
commit
165a837bca
@ -20,6 +20,7 @@ import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/ceph/ceph-csi/internal/util"
|
||||
@ -152,3 +153,43 @@ func (rv *rbdVolume) openEncryptedDevice(ctx context.Context, devicePath string)
|
||||
|
||||
return mapperFilePath, nil
|
||||
}
|
||||
|
||||
func (rv *rbdVolume) initKMS(ctx context.Context, volOptions, credentials map[string]string) error {
|
||||
var (
|
||||
err error
|
||||
ok bool
|
||||
encrypted string
|
||||
)
|
||||
|
||||
// if the KMS is of type VaultToken, additional metadata is needed
|
||||
// depending on the tenant, the KMS can be configured with other
|
||||
// options
|
||||
// FIXME: this works only on Kubernetes, how do other CO supply metadata?
|
||||
rv.Owner, ok = volOptions["csi.storage.k8s.io/pvc/namespace"]
|
||||
if !ok {
|
||||
util.DebugLog(ctx, "could not detect owner for %s", rv.String())
|
||||
}
|
||||
|
||||
encrypted, ok = volOptions["encrypted"]
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
|
||||
rv.Encrypted, err = strconv.ParseBool(encrypted)
|
||||
if err != nil {
|
||||
return fmt.Errorf(
|
||||
"invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
|
||||
} else if !rv.Encrypted {
|
||||
return nil
|
||||
}
|
||||
|
||||
// deliberately ignore if parsing failed as GetKMS will return default
|
||||
// implementation of kmsID is empty
|
||||
kmsID := volOptions["encryptionKMSID"]
|
||||
rv.KMS, err = util.GetKMS(rv.Owner, kmsID, credentials)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid encryption kms configuration: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
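Review bot: When `encrypted` is true but the `csi.storage.k8s.io/pvc/namespace` option is missing, initKMS only emits a debug log and still calls `util.GetKMS("", kmsID, credentials)`, even though the comment above says tenant-scoped (VaultToken) KMS configurations need that owner metadata; whether GetKMS then errors or falls back to a non-tenant configuration is not visible here, and the latter would silently bind the volume's key to the wrong tenant scope, so it is worth either rejecting the empty owner once encryption is confirmed or at least logging it above debug level. The surviving comment `// deliberately ignore if parsing failed as GetKMS will return default` is stale, since `kmsID` is now a plain map lookup with nothing to parse; suggest replacing both comment lines with `// an empty kmsID selects the default KMS implementation in GetKMS`. The method also lacks a doc comment; something like `// initKMS fills Owner, Encrypted and KMS from volOptions; it returns nil without touching KMS when "encrypted" is absent or false.` would do. Minor style: the ParseBool error echoes a caller-supplied value, so `%q` instead of `%s` makes empty or whitespace values visible and escaped, and the `else if !rv.Encrypted` after a `return` can be a plain `if`.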
@ -827,7 +827,6 @@ func genVolFromVolumeOptions(ctx context.Context, volOptions, credentials map[st
|
||||
ok bool
|
||||
err error
|
||||
namePrefix string
|
||||
encrypted string
|
||||
)
|
||||
|
||||
rbdVol := &rbdVolume{}
|
||||
@ -874,33 +873,9 @@ func genVolFromVolumeOptions(ctx context.Context, volOptions, credentials map[st
|
||||
rbdVol.Mounter = rbdDefaultMounter
|
||||
}
|
||||
|
||||
// if the KMS is of type VaultToken, additional metadata is needed
|
||||
// depending on the tenant, the KMS can be configured with other
|
||||
// options
|
||||
// FIXME: this works only on Kubernetes, how do other CO supply metadata?
|
||||
rbdVol.Owner, ok = volOptions["csi.storage.k8s.io/pvc/namespace"]
|
||||
if !ok {
|
||||
util.DebugLog(ctx, "could not detect owner for %s", rbdVol.String())
|
||||
}
|
||||
|
||||
rbdVol.Encrypted = false
|
||||
encrypted, ok = volOptions["encrypted"]
|
||||
if ok {
|
||||
rbdVol.Encrypted, err = strconv.ParseBool(encrypted)
|
||||
err = rbdVol.initKMS(ctx, volOptions, credentials)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf(
|
||||
"invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
|
||||
}
|
||||
|
||||
if rbdVol.Encrypted {
|
||||
// deliberately ignore if parsing failed as GetKMS will return default
|
||||
// implementation of kmsID is empty
|
||||
kmsID := volOptions["encryptionKMSID"]
|
||||
rbdVol.KMS, err = util.GetKMS(rbdVol.Owner, kmsID, credentials)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("invalid encryption kms configuration: %w", err)
|
||||
}
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return rbdVol, nil
|
||||
|
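Review bot: The explicit `rbdVol.Encrypted = false` is dropped here, so the new call site relies on `rbdVol` being the zero-valued struct created at the top of the function (`rbdVol := &rbdVolume{}` in the previous hunk), because initKMS returns early without assigning Encrypted when the "encrypted" option is absent. That holds today, but if initKMS is ever invoked on a reused rbdVolume the stale flag would survive; either keep the reset before the call, `rbdVol.Encrypted = false`, or have initKMS assign it unconditionally. genVolFromVolumeOptions begins before this hunk, so the earlier option parsing is not visible here.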