Adds PVC encryption with LUKS

Adds encryption in StorageClass as a parameter. Encryption passphrase is stored in kubernetes secrets per StorageClass. Implements rbd volume encryption relying on dm-crypt and cryptsetup using LUKS extension The change is related to proposal made earlier. This is a first part of the full feature that adds encryption with passphrase stored in secrets. Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Signed-off-by: Ioannis Papaioannou ioannis.papaioannou@workday.com Signed-off-by: Paul Mc Auley paul.mcauley@workday.com Signed-off-by: Sergio de Carvalho sergio.carvalho@workday.com
2025-06-14 18:53:35 +00:00 · 2019-12-13 11:41:32 +00:00
parent 7c8e66e427
commit 166eaf700f
13 changed files with 619 additions and 39 deletions
--- a/pkg/rbd/rbd_util.go
+++ b/pkg/rbd/rbd_util.go
@ -24,6 +24,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"

@ -53,6 +54,10 @@ const (
 	rbdTaskRemoveCmdInvalidString1      = "no valid command found"
 	rbdTaskRemoveCmdInvalidString2      = "Error EINVAL: invalid command"
 	rbdTaskRemoveCmdAccessDeniedMessage = "Error EACCES:"
+
+	// Encryption statuses for RbdImage
+	rbdImageEncrypted          = "encrypted"
+	rbdImageRequiresEncryption = "requiresEncryption"
 )

 // rbdVolume represents a CSI volume and its RBD image specifics
@ -71,15 +76,16 @@ type rbdVolume struct {
 	DataPool           string
 	ImageFormat        string `json:"imageFormat"`
 	ImageFeatures      string `json:"imageFeatures"`
-	VolSize            int64  `json:"volSize"`
 	AdminID            string `json:"adminId"`
 	UserID             string `json:"userId"`
 	Mounter            string `json:"mounter"`
-	DisableInUseChecks bool   `json:"disableInUseChecks"`
 	ClusterID          string `json:"clusterId"`
 	RequestName        string
 	VolName            string `json:"volName"`
 	MonValueFromSecret string `json:"monValueFromSecret"`
+	VolSize            int64  `json:"volSize"`
+	DisableInUseChecks bool   `json:"disableInUseChecks"`
+	Encrypted          bool
 }

 // rbdSnapshot represents a CSI snapshot and its RBD snapshot specifics
@ -486,6 +492,16 @@ func genVolFromVolumeOptions(ctx context.Context, volOptions, credentials map[st
 		rbdVol.Mounter = rbdDefaultMounter
 	}

+	rbdVol.Encrypted = false
+	encrypted, ok := volOptions["encrypted"]
+	if ok {
+		rbdVol.Encrypted, err = strconv.ParseBool(encrypted)
+		if err != nil {
+			return nil, fmt.Errorf(
+				"invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
+		}
+	}
+
 	return rbdVol, nil
 }

@ -831,3 +847,30 @@ func resizeRBDImage(rbdVol *rbdVolume, newSize int64, cr *util.Credentials) erro

 	return nil
 }
+
+func getVolumeName(volID string) (string, error) {
+	var vi util.CSIIdentifier
+
+	err := vi.DecomposeCSIID(volID)
+	if err != nil {
+		err = fmt.Errorf("error decoding volume ID (%s) (%s)", err, volID)
+		return "", ErrInvalidVolID{err}
+	}
+
+	return volJournal.NamingPrefix() + vi.ObjectUUID, nil
+}
+
+func ensureEncryptionMetadataSet(ctx context.Context, cr *util.Credentials, rbdVol *rbdVolume) error {
+	rbdImageName, err := getVolumeName(rbdVol.VolID)
+	if err != nil {
+		return err
+	}
+	imageSpec := rbdVol.Pool + "/" + rbdImageName
+
+	err = util.SaveRbdImageEncryptionStatus(ctx, cr, rbdVol.Monitors, imageSpec, rbdImageRequiresEncryption)
+	if err != nil {
+		return fmt.Errorf("failed to save encryption status for %s: %v", imageSpec, err)
+	}
+
+	return nil
+}