mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-18 02:50:30 +00:00
rbd: add backwards compatible encryption in NodeStageVolume
When a volume was provisioned by an old Ceph-CSI provisioner, the metadata of the RBD image will contain `requiresEncryption` to indicate a passphrase needs to be created. New Ceph-CSI provisioners create the passphrase in the CreateVolume request, and set `encryptionPrepared` instead. When a new node-plugin detects that `requiresEncryption` is set in the RBD image metadata, it will fallback to the old behaviour. In case `encryptionPrepared` is read from the RBD image metadata, the passphrase is used to cryptsetup/format the image. Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
ee79b22c97
commit
4937e59c4d
@ -189,7 +189,8 @@ possible to encrypt them with ceph-csi by using LUKS encryption.
|
||||
|
||||
* create volume request received
|
||||
* volume requested to be created in Ceph
|
||||
* encrypted state "requiresEncryption" is saved in image-meta in Ceph
|
||||
* new passphrase is generated and stored in selected KMS if KMS is in use
|
||||
* encrypted state "encryptionPrepared" is saved in image-meta in Ceph
|
||||
|
||||
**Attach volume**:
|
||||
|
||||
@ -197,8 +198,8 @@ possible to encrypt them with ceph-csi by using LUKS encryption.
|
||||
* volume is attached to provisioner container
|
||||
* on first time attachment
|
||||
(no file system on the attached device, checked with blkid)
|
||||
* new passphrase is generated and stored in selected KMS if KMS is in use
|
||||
* device is encrypted with LUKS using a passphrase from K8s secrets.
|
||||
* passphrase is retrieved from selected KMS if KMS is in use
|
||||
* device is encrypted with LUKS using a passphrase from K8s Secret or KMS
|
||||
* image-meta updated to "encrypted" in Ceph
|
||||
* passphrase is retrieved from selected KMS if KMS is in use
|
||||
* device is open and device path is changed to use a mapper device
|
||||
|
@ -18,18 +18,37 @@ package rbd
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/ceph/ceph-csi/internal/util"
|
||||
|
||||
librbd "github.com/ceph/go-ceph/rbd"
|
||||
)
|
||||
|
||||
// rbdEncryptionState describes the status of the process where the image is
|
||||
// with respect to being encrypted.
|
||||
type rbdEncryptionState string
|
||||
|
||||
const (
|
||||
// Encryption statuses for RbdImage
|
||||
rbdImageEncryptionUnknown = rbdEncryptionState("")
|
||||
rbdImageEncrypted = rbdEncryptionState("encrypted")
|
||||
// rbdImageEncryptionUnknown means the image is not encrypted, or the
|
||||
// metadata of the image can not be fetched.
|
||||
rbdImageEncryptionUnknown = rbdEncryptionState("")
|
||||
// rbdImageEncrypted is set in the image metadata after the image has
|
||||
// been formatted with cryptsetup. Future usage of the image should
|
||||
// unlock the image before mounting.
|
||||
rbdImageEncrypted = rbdEncryptionState("encrypted")
|
||||
// rbdImageEncryptionPrepared gets set in the image metadata once the
|
||||
// passphrase for the image has been generated and stored in the KMS.
|
||||
// When using the image for the first time, it needs to be encrypted
|
||||
// with cryptsetup before updating the state to `rbdImageEncrypted`.
|
||||
rbdImageEncryptionPrepared = rbdEncryptionState("encryptionPrepared")
|
||||
|
||||
// rbdImageRequiresEncryption has been deprecated, it is used only for
|
||||
// volumes that have been created with an old provisioner, were never
|
||||
// attached/mounted and now get staged by a new node-plugin
|
||||
// TODO: remove this backwards compatibility support
|
||||
rbdImageRequiresEncryption = rbdEncryptionState("requiresEncryption")
|
||||
|
||||
// image metadata key for encryption
|
||||
@ -39,13 +58,16 @@ const (
|
||||
// checkRbdImageEncrypted verifies if rbd image was encrypted when created.
|
||||
func (rv *rbdVolume) checkRbdImageEncrypted(ctx context.Context) (rbdEncryptionState, error) {
|
||||
value, err := rv.GetMetadata(encryptionMetaKey)
|
||||
if err != nil {
|
||||
util.ErrorLog(ctx, "checking image %s encrypted state metadata failed: %s", rv, err)
|
||||
if errors.Is(err, librbd.ErrNotFound) {
|
||||
util.DebugLog(ctx, "image %s encrypted state not set", rv.String())
|
||||
return rbdImageEncryptionUnknown, nil
|
||||
} else if err != nil {
|
||||
util.ErrorLog(ctx, "checking image %s encrypted state metadata failed: %s", rv.String(), err)
|
||||
return rbdImageEncryptionUnknown, err
|
||||
}
|
||||
|
||||
encrypted := rbdEncryptionState(strings.TrimSpace(value))
|
||||
util.DebugLog(ctx, "image %s encrypted state metadata reports %q", rv, encrypted)
|
||||
util.DebugLog(ctx, "image %s encrypted state metadata reports %q", rv.String(), encrypted)
|
||||
return encrypted, nil
|
||||
}
|
||||
|
||||
@ -69,7 +91,7 @@ func (rv *rbdVolume) setupEncryption(ctx context.Context) error {
|
||||
return err
|
||||
}
|
||||
|
||||
err = rv.ensureEncryptionMetadataSet(rbdImageRequiresEncryption)
|
||||
err = rv.ensureEncryptionMetadataSet(rbdImageEncryptionPrepared)
|
||||
if err != nil {
|
||||
util.ErrorLog(ctx, "failed to save encryption status, deleting "+
|
||||
"image %s: %s", rv.String(), err)
|
||||
|
@ -790,7 +790,24 @@ func (ns *NodeServer) processEncryptedDevice(ctx context.Context, volOptions *rb
|
||||
return "", err
|
||||
}
|
||||
|
||||
if encrypted == rbdImageRequiresEncryption {
|
||||
switch {
|
||||
case encrypted == rbdImageRequiresEncryption:
|
||||
// If we get here, it means the image was created with a
|
||||
// ceph-csi version that creates a passphrase for the encrypted
|
||||
// device in NodeStage. New versions moved that to
|
||||
// CreateVolume.
|
||||
// Use the same setupEncryption() as CreateVolume does, and
|
||||
// continue with the common process to crypt-format the device.
|
||||
err = volOptions.setupEncryption(ctx)
|
||||
if err != nil {
|
||||
util.ErrorLog(ctx, "failed to setup encryption for rbd"+
|
||||
"image %s: %v", imageSpec, err)
|
||||
return "", err
|
||||
}
|
||||
|
||||
// make sure we continue with the encrypting of the device
|
||||
fallthrough
|
||||
case encrypted == rbdImageEncryptionPrepared:
|
||||
diskMounter := &mount.SafeFormatAndMount{Interface: ns.mounter, Exec: utilexec.New()}
|
||||
// TODO: update this when adding support for static (pre-provisioned) PVs
|
||||
var existingFormat string
|
||||
@ -816,7 +833,7 @@ func (ns *NodeServer) processEncryptedDevice(ctx context.Context, volOptions *rb
|
||||
return "", fmt.Errorf("can not encrypt rbdImage %s that already has file system: %s",
|
||||
imageSpec, existingFormat)
|
||||
}
|
||||
} else if encrypted != rbdImageEncrypted {
|
||||
case encrypted != rbdImageEncrypted:
|
||||
return "", fmt.Errorf("rbd image %s found mounted with unexpected encryption status %s",
|
||||
imageSpec, encrypted)
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user