Adds PVC encryption with LUKS

Adds encryption in StorageClass as a parameter. Encryption passphrase is stored in kubernetes secrets per StorageClass. Implements rbd volume encryption relying on dm-crypt and cryptsetup using LUKS extension The change is related to proposal made earlier. This is a first part of the full feature that adds encryption with passphrase stored in secrets. Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Signed-off-by: Ioannis Papaioannou ioannis.papaioannou@workday.com Signed-off-by: Paul Mc Auley paul.mcauley@workday.com Signed-off-by: Sergio de Carvalho sergio.carvalho@workday.com
2025-06-14 18:53:35 +00:00 · 2019-12-13 11:41:32 +00:00
parent 7c8e66e427
commit 166eaf700f
13 changed files with 619 additions and 39 deletions
--- a/pkg/rbd/rbd_attach.go
+++ b/pkg/rbd/rbd_attach.go
@ -225,7 +225,7 @@ func createPath(ctx context.Context, volOpt *rbdVolume, cr *util.Credentials) (s
 		klog.Warningf(util.Log(ctx, "rbd: map error %v, rbd output: %s"), err, string(output))
 		// unmap rbd image if connection timeout
 		if strings.Contains(err.Error(), rbdMapConnectionTimeout) {
-			detErr := detachRBDImageOrDeviceSpec(ctx, imagePath, true, isNbd)
+			detErr := detachRBDImageOrDeviceSpec(ctx, imagePath, true, isNbd, volOpt.VolID)
 			if detErr != nil {
 				klog.Warningf(util.Log(ctx, "rbd: %s unmap error %v"), imagePath, detErr)
 			}
@ -260,21 +260,38 @@ func waitForrbdImage(ctx context.Context, backoff wait.Backoff, volOptions *rbdV
 	return err
 }

-func detachRBDDevice(ctx context.Context, devicePath string) error {
+func detachRBDDevice(ctx context.Context, devicePath, volumeID string) error {
 	nbdType := false
 	if strings.HasPrefix(devicePath, "/dev/nbd") {
 		nbdType = true
 	}

-	return detachRBDImageOrDeviceSpec(ctx, devicePath, false, nbdType)
+	return detachRBDImageOrDeviceSpec(ctx, devicePath, false, nbdType, volumeID)
 }

 // detachRBDImageOrDeviceSpec detaches an rbd imageSpec or devicePath, with additional checking
 // when imageSpec is used to decide if image is already unmapped
-func detachRBDImageOrDeviceSpec(ctx context.Context, imageOrDeviceSpec string, isImageSpec, ndbType bool) error {
-	var err error
+func detachRBDImageOrDeviceSpec(ctx context.Context, imageOrDeviceSpec string, isImageSpec, ndbType bool, volumeID string) error {
 	var output []byte

+	mapperFile, mapperPath := util.VolumeMapper(volumeID)
+	mappedDevice, mapper, err := util.DeviceEncryptionStatus(ctx, mapperPath)
+	if err != nil {
+		klog.Errorf(util.Log(ctx, "error determining LUKS device on %s, %s: %s"),
+			mapperPath, imageOrDeviceSpec, err)
+		return err
+	}
+	if len(mapper) > 0 {
+		// mapper found, so it is open Luks device
+		err = util.CloseEncryptedVolume(ctx, mapperFile)
+		if err != nil {
+			klog.Warningf(util.Log(ctx, "error closing LUKS device on %s, %s: %s"),
+				mapperPath, imageOrDeviceSpec, err)
+			return err
+		}
+		imageOrDeviceSpec = mappedDevice
+	}
+
 	accessType := accessTypeKRbd
 	if ndbType {
 		accessType = accessTypeNbd