rbd: unexport SecretsKMS from KMS implementation

This commit unexports SecretsKMS from the KMS implementation.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
This commit is contained in:
Humble Chirammal 2022-01-24 18:43:07 +05:30 committed by mergify[bot]
parent 4058246637
commit 4ee4fdfebd


@ -48,8 +48,8 @@ const (
metadataSecretNamespaceKey = "secretNamespace" metadataSecretNamespaceKey = "secretNamespace"
) )
// SecretsKMS is default KMS implementation that means no KMS is in use. // secretsKMS is default KMS implementation that means no KMS is in use.
type SecretsKMS struct { type secretsKMS struct {
integratedDEK integratedDEK
passphrase string passphrase string
@ -60,7 +60,7 @@ var _ = RegisterProvider(Provider{
Initializer: newSecretsKMS, Initializer: newSecretsKMS,
}) })
// newSecretsKMS initializes a SecretsKMS that uses the passphrase from the // newSecretsKMS initializes a secretsKMS that uses the passphrase from the
// secret that is configured for the StorageClass. This KMS provider uses a // secret that is configured for the StorageClass. This KMS provider uses a
// single (LUKS) passhprase for all volumes. // single (LUKS) passhprase for all volumes.
func newSecretsKMS(args ProviderInitArgs) (EncryptionKMS, error) { func newSecretsKMS(args ProviderInitArgs) (EncryptionKMS, error) {
@ -69,35 +69,35 @@ func newSecretsKMS(args ProviderInitArgs) (EncryptionKMS, error) {
return nil, errors.New("missing encryption passphrase in secrets") return nil, errors.New("missing encryption passphrase in secrets")
} }
return SecretsKMS{passphrase: passphraseValue}, nil return secretsKMS{passphrase: passphraseValue}, nil
} }
// Destroy frees all used resources. // Destroy frees all used resources.
func (kms SecretsKMS) Destroy() { func (kms secretsKMS) Destroy() {
// nothing to do // nothing to do
} }
// FetchDEK returns passphrase from Kubernetes secrets. // FetchDEK returns passphrase from Kubernetes secrets.
func (kms SecretsKMS) FetchDEK(key string) (string, error) { func (kms secretsKMS) FetchDEK(key string) (string, error) {
return kms.passphrase, nil return kms.passphrase, nil
} }
// StoreDEK does nothing, as there is no passphrase per key (volume), so // StoreDEK does nothing, as there is no passphrase per key (volume), so
// no need to store is anywhere. // no need to store is anywhere.
func (kms SecretsKMS) StoreDEK(key, value string) error { func (kms secretsKMS) StoreDEK(key, value string) error {
return nil return nil
} }
// RemoveDEK is doing nothing as no new passphrases are saved with // RemoveDEK is doing nothing as no new passphrases are saved with
// SecretsKMS. // secretsKMS.
func (kms SecretsKMS) RemoveDEK(key string) error { func (kms secretsKMS) RemoveDEK(key string) error {
return nil return nil
} }
// secretsMetadataKMS is a KMS based on the secretKMS, but stores the // secretsMetadataKMS is a KMS based on the secretKMS, but stores the
// Data-Encryption-Key (DEK) in the metadata of the volume. // Data-Encryption-Key (DEK) in the metadata of the volume.
type secretsMetadataKMS struct { type secretsMetadataKMS struct {
secretKMS secretsKMS
} }
var _ = RegisterProvider(Provider{ var _ = RegisterProvider(Provider{
@ -130,7 +130,7 @@ func initSecretsMetadataKMS(args ProviderInitArgs) (EncryptionKMS, error) {
"missing %q in storageclass secret", encryptionPassphraseKey) "missing %q in storageclass secret", encryptionPassphraseKey)
} }
} }
smKMS.SecretsKMS = SecretsKMS{passphrase: encryptionPassphrase} smKMS.secretsKMS = secretsKMS{passphrase: encryptionPassphrase}
return smKMS, nil return smKMS, nil
} }
@ -183,10 +183,10 @@ func (kms secretsMetadataKMS) fetchEncryptionPassphrase(
// Destroy frees all used resources. // Destroy frees all used resources.
func (kms secretsMetadataKMS) Destroy() { func (kms secretsMetadataKMS) Destroy() {
kms.secretKMS.Destroy() kms.secretsKMS.Destroy()
} }
func (kms secretsMetadataKMS) RequiresDEKStore() dekStoreType { func (kms secretsMetadataKMS) RequiresDEKStore() DEKStoreType {
return DEKStoreMetadata return DEKStoreMetadata
} }
@ -202,12 +202,12 @@ type encryptedMetedataDEK struct {
} }
// EncryptDEK encrypts the plainDEK with a key derived from the passphrase from // EncryptDEK encrypts the plainDEK with a key derived from the passphrase from
// the SecretsKMS and the volumeID. // the secretsKMS and the volumeID.
// The resulting encryptedDEK contains a JSON with the encrypted DEK and the // The resulting encryptedDEK contains a JSON with the encrypted DEK and the
// nonce that was used for encrypting. // nonce that was used for encrypting.
func (kms secretsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, error) { func (kms secretsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, error) {
// use the passphrase from the secretKMS // use the passphrase from the secretKMS
passphrase, err := kms.secretKMS.FetchDEK(volumeID) passphrase, err := kms.secretsKMS.FetchDEK(volumeID)
if err != nil { if err != nil {
return "", fmt.Errorf("failed to get passphrase: %w", err) return "", fmt.Errorf("failed to get passphrase: %w", err)
} }
@ -237,7 +237,7 @@ func (kms secretsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, err
// fetches secretKMS passphrase to decrypt the DEK. // fetches secretKMS passphrase to decrypt the DEK.
func (kms secretsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string, error) { func (kms secretsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string, error) {
// use the passphrase from the secretKMS // use the passphrase from the secretKMS
passphrase, err := kms.secretKMS.FetchDEK(volumeID) passphrase, err := kms.secretsKMS.FetchDEK(volumeID)
if err != nil { if err != nil {
return "", fmt.Errorf("failed to get passphrase: %w", err) return "", fmt.Errorf("failed to get passphrase: %w", err)
} }
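Review bot: The comments in the DecryptDEK and EncryptDEK hunks still read `// use the passphrase from the secretKMS` (and `// fetches secretKMS passphrase to decrypt the DEK.`) although the embedded field they refer to is now `secretsKMS`; the same stale name remains in the type doc comment `// secretsMetadataKMS is a KMS based on the secretKMS, but stores the`. Updating those to `secretsKMS` keeps the documentation in step with the identifiers this commit introduces. The RequiresDEKStore hunk also changes the return type from `dekStoreType` to `DEKStoreType`, which the commit description does not mention; presumably that type is renamed elsewhere in the same commit, but it deserves a line in the description or its own commit. While these comments are being touched, `passhprase` in the newSecretsKMS doc comment could be corrected to `passphrase`. The EncryptDEK and DecryptDEK bodies continue outside their hunks.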