rbd: add backwards compatible encryption in NodeStageVolume

When a volume was provisioned by an old Ceph-CSI provisioner, the
metadata of the RBD image will contain `requiresEncryption` to indicate
a passphrase needs to be created. New Ceph-CSI provisioners create the
passphrase in the CreateVolume request, and set `encryptionPrepared`
instead.

When a new node-plugin detects that `requiresEncryption` is set in the
RBD image metadata, it will fallback to the old behaviour.

In case `encryptionPrepared` is read from the RBD image metadata, the
passphrase is used to cryptsetup/format the image.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
Niels de Vos 2021-02-16 16:56:42 +01:00 committed by mergify[bot]
parent ee79b22c97
commit 4937e59c4d
3 changed files with 52 additions and 12 deletions

View File

@ -189,7 +189,8 @@ possible to encrypt them with ceph-csi by using LUKS encryption.
* create volume request received
* volume requested to be created in Ceph
* encrypted state "requiresEncryption" is saved in image-meta in Ceph
* new passphrase is generated and stored in selected KMS if KMS is in use
* encrypted state "encryptionPrepared" is saved in image-meta in Ceph
**Attach volume**:
@ -197,8 +198,8 @@ possible to encrypt them with ceph-csi by using LUKS encryption.
* volume is attached to provisioner container
* on first time attachment
(no file system on the attached device, checked with blkid)
* new passphrase is generated and stored in selected KMS if KMS is in use
* device is encrypted with LUKS using a passphrase from K8s secrets.
* passphrase is retrieved from selected KMS if KMS is in use
* device is encrypted with LUKS using a passphrase from K8s Secret or KMS
* image-meta updated to "encrypted" in Ceph
* passphrase is retrieved from selected KMS if KMS is in use
* device is open and device path is changed to use a mapper device

View File

@ -18,18 +18,37 @@ package rbd
import (
"context"
"errors"
"fmt"
"strings"
"github.com/ceph/ceph-csi/internal/util"
librbd "github.com/ceph/go-ceph/rbd"
)
// rbdEncryptionState describes the status of the process where the image is
// with respect to being encrypted.
type rbdEncryptionState string
const (
// Encryption statuses for RbdImage
rbdImageEncryptionUnknown = rbdEncryptionState("")
rbdImageEncrypted = rbdEncryptionState("encrypted")
// rbdImageEncryptionUnknown means the image is not encrypted, or the
// metadata of the image can not be fetched.
rbdImageEncryptionUnknown = rbdEncryptionState("")
// rbdImageEncrypted is set in the image metadata after the image has
// been formatted with cryptsetup. Future usage of the image should
// unlock the image before mounting.
rbdImageEncrypted = rbdEncryptionState("encrypted")
// rbdImageEncryptionPrepared gets set in the image metadata once the
// passphrase for the image has been generated and stored in the KMS.
// When using the image for the first time, it needs to be encrypted
// with cryptsetup before updating the state to `rbdImageEncrypted`.
rbdImageEncryptionPrepared = rbdEncryptionState("encryptionPrepared")
// rbdImageRequiresEncryption has been deprecated, it is used only for
// volumes that have been created with an old provisioner, were never
// attached/mounted and now get staged by a new node-plugin
// TODO: remove this backwards compatibility support
rbdImageRequiresEncryption = rbdEncryptionState("requiresEncryption")
// image metadata key for encryption
@ -39,13 +58,16 @@ const (
// checkRbdImageEncrypted verifies if rbd image was encrypted when created.
func (rv *rbdVolume) checkRbdImageEncrypted(ctx context.Context) (rbdEncryptionState, error) {
value, err := rv.GetMetadata(encryptionMetaKey)
if err != nil {
util.ErrorLog(ctx, "checking image %s encrypted state metadata failed: %s", rv, err)
if errors.Is(err, librbd.ErrNotFound) {
util.DebugLog(ctx, "image %s encrypted state not set", rv.String())
return rbdImageEncryptionUnknown, nil
} else if err != nil {
util.ErrorLog(ctx, "checking image %s encrypted state metadata failed: %s", rv.String(), err)
return rbdImageEncryptionUnknown, err
}
encrypted := rbdEncryptionState(strings.TrimSpace(value))
util.DebugLog(ctx, "image %s encrypted state metadata reports %q", rv, encrypted)
util.DebugLog(ctx, "image %s encrypted state metadata reports %q", rv.String(), encrypted)
return encrypted, nil
}
@ -69,7 +91,7 @@ func (rv *rbdVolume) setupEncryption(ctx context.Context) error {
return err
}
err = rv.ensureEncryptionMetadataSet(rbdImageRequiresEncryption)
err = rv.ensureEncryptionMetadataSet(rbdImageEncryptionPrepared)
if err != nil {
util.ErrorLog(ctx, "failed to save encryption status, deleting "+
"image %s: %s", rv.String(), err)

View File

@ -790,7 +790,24 @@ func (ns *NodeServer) processEncryptedDevice(ctx context.Context, volOptions *rb
return "", err
}
if encrypted == rbdImageRequiresEncryption {
switch {
case encrypted == rbdImageRequiresEncryption:
// If we get here, it means the image was created with a
// ceph-csi version that creates a passphrase for the encrypted
// device in NodeStage. New versions moved that to
// CreateVolume.
// Use the same setupEncryption() as CreateVolume does, and
// continue with the common process to crypt-format the device.
err = volOptions.setupEncryption(ctx)
if err != nil {
util.ErrorLog(ctx, "failed to setup encryption for rbd"+
"image %s: %v", imageSpec, err)
return "", err
}
// make sure we continue with the encrypting of the device
fallthrough
case encrypted == rbdImageEncryptionPrepared:
diskMounter := &mount.SafeFormatAndMount{Interface: ns.mounter, Exec: utilexec.New()}
// TODO: update this when adding support for static (pre-provisioned) PVs
var existingFormat string
@ -816,7 +833,7 @@ func (ns *NodeServer) processEncryptedDevice(ctx context.Context, volOptions *rb
return "", fmt.Errorf("can not encrypt rbdImage %s that already has file system: %s",
imageSpec, existingFormat)
}
} else if encrypted != rbdImageEncrypted {
case encrypted != rbdImageEncrypted:
return "", fmt.Errorf("rbd image %s found mounted with unexpected encryption status %s",
imageSpec, encrypted)
}