rbd: add rbdImage.copyEncryptionConfig() to copy encryption metadata

Cloning volumes requires copying the DEK from the source to the newly
cloned volume. Introduce copyEncryptionConfig() as a helper for that.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos 2021-03-12 14:26:21 +01:00 committed by mergify[bot]
parent 7e6feecc25
commit 7b332a0184


@ -111,6 +111,45 @@ func (ri *rbdImage) setupEncryption(ctx context.Context) error {
return nil
}
// copyEncryptionConfig copies the VolumeEncryption object from the source
// rbdImage to the passed argument. This function re-encrypts the passphrase
// from the original, so that both encrypted passphrases (potentially, depends
// on the DEKStore) have different contents.
func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage) error {
// get the unencrypted passphrase
passphrase, err := ri.encryption.GetCryptoPassphrase(ri.VolID)
if err != nil {
return fmt.Errorf("failed to fetch passphrase for %q: %w",
ri.String(), err)
}
cp.encryption, err = util.NewVolumeEncryption(ri.encryption.GetID(), ri.encryption.KMS)
if errors.Is(err, util.ErrDEKStoreNeeded) {
cp.encryption.SetDEKStore(cp)
}
// re-encrypt the plain passphrase for the cloned volume
err = cp.encryption.StoreCryptoPassphrase(cp.VolID, passphrase)
if err != nil {
return fmt.Errorf("failed to store passphrase for %q: %w",
cp.String(), err)
}
// copy encryption status for the original volume
status, err := ri.checkRbdImageEncrypted(context.TODO())
if err != nil {
return fmt.Errorf("failed to get encryption status for %q: %w",
ri.String(), err)
}
err = cp.ensureEncryptionMetadataSet(status)
if err != nil {
return fmt.Errorf("failed to store encryption status for %q: "+
"%w", cp.String(), err)
}
return nil
}
func (ri *rbdImage) encryptDevice(ctx context.Context, devicePath string) error {
passphrase, err := ri.encryption.GetCryptoPassphrase(ri.VolID)
if err != nil {
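Review bot: In copyEncryptionConfig, the error from `util.NewVolumeEncryption()` is only compared against `util.ErrDEKStoreNeeded`; any other failure is lost when `err` is reassigned by `StoreCryptoPassphrase()`. If the constructor can fail in another way, `cp.encryption` may be nil or only partly initialised at that point, so the clone could panic or carry on without a usable DEK configuration. Add a branch after the `errors.Is` check: `} else if err != nil { return fmt.Errorf("failed to create encryption for %q: %w", cp.String(), err) }`. Separately, `checkRbdImageEncrypted(context.TODO())` detaches the call from the caller's cancellation and logging context; taking a `ctx context.Context` parameter, as setupEncryption and encryptDevice do, would keep the helper consistent.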