rbd: unexport SecretsKMS from KMS implementation
This commit unexports SecretsKMS from the KMS implementation. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
This commit is contained in:
parent
4058246637
commit
4ee4fdfebd
@ -48,8 +48,8 @@ const (
|
|||||||
metadataSecretNamespaceKey = "secretNamespace"
|
metadataSecretNamespaceKey = "secretNamespace"
|
||||||
)
|
)
|
||||||
|
|
||||||
// SecretsKMS is default KMS implementation that means no KMS is in use.
|
// secretsKMS is default KMS implementation that means no KMS is in use.
|
||||||
type SecretsKMS struct {
|
type secretsKMS struct {
|
||||||
integratedDEK
|
integratedDEK
|
||||||
|
|
||||||
passphrase string
|
passphrase string
|
||||||
@ -60,7 +60,7 @@ var _ = RegisterProvider(Provider{
|
|||||||
Initializer: newSecretsKMS,
|
Initializer: newSecretsKMS,
|
||||||
})
|
})
|
||||||
|
|
||||||
// newSecretsKMS initializes a SecretsKMS that uses the passphrase from the
|
// newSecretsKMS initializes a secretsKMS that uses the passphrase from the
|
||||||
// secret that is configured for the StorageClass. This KMS provider uses a
|
// secret that is configured for the StorageClass. This KMS provider uses a
|
||||||
// single (LUKS) passhprase for all volumes.
|
// single (LUKS) passhprase for all volumes.
|
||||||
func newSecretsKMS(args ProviderInitArgs) (EncryptionKMS, error) {
|
func newSecretsKMS(args ProviderInitArgs) (EncryptionKMS, error) {
|
||||||
@ -69,35 +69,35 @@ func newSecretsKMS(args ProviderInitArgs) (EncryptionKMS, error) {
|
|||||||
return nil, errors.New("missing encryption passphrase in secrets")
|
return nil, errors.New("missing encryption passphrase in secrets")
|
||||||
}
|
}
|
||||||
|
|
||||||
return SecretsKMS{passphrase: passphraseValue}, nil
|
return secretsKMS{passphrase: passphraseValue}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Destroy frees all used resources.
|
// Destroy frees all used resources.
|
||||||
func (kms SecretsKMS) Destroy() {
|
func (kms secretsKMS) Destroy() {
|
||||||
// nothing to do
|
// nothing to do
|
||||||
}
|
}
|
||||||
|
|
||||||
// FetchDEK returns passphrase from Kubernetes secrets.
|
// FetchDEK returns passphrase from Kubernetes secrets.
|
||||||
func (kms SecretsKMS) FetchDEK(key string) (string, error) {
|
func (kms secretsKMS) FetchDEK(key string) (string, error) {
|
||||||
return kms.passphrase, nil
|
return kms.passphrase, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// StoreDEK does nothing, as there is no passphrase per key (volume), so
|
// StoreDEK does nothing, as there is no passphrase per key (volume), so
|
||||||
// no need to store is anywhere.
|
// no need to store is anywhere.
|
||||||
func (kms SecretsKMS) StoreDEK(key, value string) error {
|
func (kms secretsKMS) StoreDEK(key, value string) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// RemoveDEK is doing nothing as no new passphrases are saved with
|
// RemoveDEK is doing nothing as no new passphrases are saved with
|
||||||
// SecretsKMS.
|
// secretsKMS.
|
||||||
func (kms SecretsKMS) RemoveDEK(key string) error {
|
func (kms secretsKMS) RemoveDEK(key string) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// secretsMetadataKMS is a KMS based on the secretKMS, but stores the
|
// secretsMetadataKMS is a KMS based on the secretKMS, but stores the
|
||||||
// Data-Encryption-Key (DEK) in the metadata of the volume.
|
// Data-Encryption-Key (DEK) in the metadata of the volume.
|
||||||
type secretsMetadataKMS struct {
|
type secretsMetadataKMS struct {
|
||||||
secretKMS
|
secretsKMS
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ = RegisterProvider(Provider{
|
var _ = RegisterProvider(Provider{
|
||||||
@ -130,7 +130,7 @@ func initSecretsMetadataKMS(args ProviderInitArgs) (EncryptionKMS, error) {
|
|||||||
"missing %q in storageclass secret", encryptionPassphraseKey)
|
"missing %q in storageclass secret", encryptionPassphraseKey)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
smKMS.SecretsKMS = SecretsKMS{passphrase: encryptionPassphrase}
|
smKMS.secretsKMS = secretsKMS{passphrase: encryptionPassphrase}
|
||||||
|
|
||||||
return smKMS, nil
|
return smKMS, nil
|
||||||
}
|
}
|
||||||
@ -183,10 +183,10 @@ func (kms secretsMetadataKMS) fetchEncryptionPassphrase(
|
|||||||
|
|
||||||
// Destroy frees all used resources.
|
// Destroy frees all used resources.
|
||||||
func (kms secretsMetadataKMS) Destroy() {
|
func (kms secretsMetadataKMS) Destroy() {
|
||||||
kms.secretKMS.Destroy()
|
kms.secretsKMS.Destroy()
|
||||||
}
|
}
|
||||||
|
|
||||||
func (kms secretsMetadataKMS) RequiresDEKStore() dekStoreType {
|
func (kms secretsMetadataKMS) RequiresDEKStore() DEKStoreType {
|
||||||
return DEKStoreMetadata
|
return DEKStoreMetadata
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -202,12 +202,12 @@ type encryptedMetedataDEK struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// EncryptDEK encrypts the plainDEK with a key derived from the passphrase from
|
// EncryptDEK encrypts the plainDEK with a key derived from the passphrase from
|
||||||
// the SecretsKMS and the volumeID.
|
// the secretsKMS and the volumeID.
|
||||||
// The resulting encryptedDEK contains a JSON with the encrypted DEK and the
|
// The resulting encryptedDEK contains a JSON with the encrypted DEK and the
|
||||||
// nonce that was used for encrypting.
|
// nonce that was used for encrypting.
|
||||||
func (kms secretsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, error) {
|
func (kms secretsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, error) {
|
||||||
// use the passphrase from the secretKMS
|
// use the passphrase from the secretKMS
|
||||||
passphrase, err := kms.secretKMS.FetchDEK(volumeID)
|
passphrase, err := kms.secretsKMS.FetchDEK(volumeID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", fmt.Errorf("failed to get passphrase: %w", err)
|
return "", fmt.Errorf("failed to get passphrase: %w", err)
|
||||||
}
|
}
|
||||||
@ -237,7 +237,7 @@ func (kms secretsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, err
|
|||||||
// fetches secretKMS passphrase to decrypt the DEK.
|
// fetches secretKMS passphrase to decrypt the DEK.
|
||||||
func (kms secretsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string, error) {
|
func (kms secretsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string, error) {
|
||||||
// use the passphrase from the secretKMS
|
// use the passphrase from the secretKMS
|
||||||
passphrase, err := kms.secretKMS.FetchDEK(volumeID)
|
passphrase, err := kms.secretsKMS.FetchDEK(volumeID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", fmt.Errorf("failed to get passphrase: %w", err)
|
return "", fmt.Errorf("failed to get passphrase: %w", err)
|
||||||
}
|
}
|
||||||
|