rbd: Add volume journal encryption support

Add fscrypt support to the journal, which is needed for operations like
snapshotting.

Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Marcel Lauhoff 2022-08-12 17:19:34 +02:00 committed by mergify[bot]
parent 9cd8a15c5d
commit 82d92aab4a


@ -87,6 +87,17 @@ func validateRbdVol(rbdVol *rbdVolume) error {
return err return err
} }
func getEncryptionConfig(rbdVol *rbdVolume) (string, util.EncryptionType) {
switch {
case rbdVol.isBlockEncrypted():
return rbdVol.blockEncryption.GetID(), util.EncryptionTypeBlock
case rbdVol.isFileEncrypted():
return rbdVol.fileEncryption.GetID(), util.EncryptionTypeFile
default:
return "", util.EncryptionTypeInvalid
}
}
/* /*
checkSnapCloneExists, and its counterpart checkVolExists, function checks if checkSnapCloneExists, and its counterpart checkVolExists, function checks if
the passed in rbdSnapshot or rbdVolume exists on the backend. the passed in rbdSnapshot or rbdVolume exists on the backend.
@ -130,7 +141,7 @@ func checkSnapCloneExists(
defer j.Destroy() defer j.Destroy()
snapData, err := j.CheckReservation(ctx, rbdSnap.JournalPool, snapData, err := j.CheckReservation(ctx, rbdSnap.JournalPool,
rbdSnap.RequestName, rbdSnap.NamePrefix, rbdSnap.RbdImageName, "") rbdSnap.RequestName, rbdSnap.NamePrefix, rbdSnap.RbdImageName, "", util.EncryptionTypeInvalid)
if err != nil { if err != nil {
return false, err return false, err
} }
@ -245,10 +256,7 @@ func (rv *rbdVolume) Exists(ctx context.Context, parentVol *rbdVolume) (bool, er
return false, err return false, err
} }
kmsID := "" kmsID, encryptionType := getEncryptionConfig(rv)
if rv.isBlockEncrypted() {
kmsID = rv.blockEncryption.GetID()
}
j, err := volJournal.Connect(rv.Monitors, rv.RadosNamespace, rv.conn.Creds) j, err := volJournal.Connect(rv.Monitors, rv.RadosNamespace, rv.conn.Creds)
if err != nil { if err != nil {
@ -257,7 +265,7 @@ func (rv *rbdVolume) Exists(ctx context.Context, parentVol *rbdVolume) (bool, er
defer j.Destroy() defer j.Destroy()
imageData, err := j.CheckReservation( imageData, err := j.CheckReservation(
ctx, rv.JournalPool, rv.RequestName, rv.NamePrefix, "", kmsID) ctx, rv.JournalPool, rv.RequestName, rv.NamePrefix, "", kmsID, encryptionType)
if err != nil { if err != nil {
return false, err return false, err
} }
@ -386,14 +394,12 @@ func reserveSnap(ctx context.Context, rbdSnap *rbdSnapshot, rbdVol *rbdVolume, c
} }
defer j.Destroy() defer j.Destroy()
kmsID := "" kmsID, encryptionType := getEncryptionConfig(rbdVol)
if rbdVol.isBlockEncrypted() {
kmsID = rbdVol.blockEncryption.GetID()
}
rbdSnap.ReservedID, rbdSnap.RbdSnapName, err = j.ReserveName( rbdSnap.ReservedID, rbdSnap.RbdSnapName, err = j.ReserveName(
ctx, rbdSnap.JournalPool, journalPoolID, rbdSnap.Pool, imagePoolID, ctx, rbdSnap.JournalPool, journalPoolID, rbdSnap.Pool, imagePoolID,
rbdSnap.RequestName, rbdSnap.NamePrefix, rbdVol.RbdImageName, kmsID, rbdSnap.ReservedID, rbdVol.Owner, "") rbdSnap.RequestName, rbdSnap.NamePrefix, rbdVol.RbdImageName, kmsID, rbdSnap.ReservedID, rbdVol.Owner,
"", encryptionType)
if err != nil { if err != nil {
return err return err
} }
@ -460,10 +466,7 @@ func reserveVol(ctx context.Context, rbdVol *rbdVolume, rbdSnap *rbdSnapshot, cr
return err return err
} }
kmsID := "" kmsID, encryptionType := getEncryptionConfig(rbdVol)
if rbdVol.isBlockEncrypted() {
kmsID = rbdVol.blockEncryption.GetID()
}
j, err := volJournal.Connect(rbdVol.Monitors, rbdVol.RadosNamespace, cr) j, err := volJournal.Connect(rbdVol.Monitors, rbdVol.RadosNamespace, cr)
if err != nil { if err != nil {
@ -473,7 +476,7 @@ func reserveVol(ctx context.Context, rbdVol *rbdVolume, rbdSnap *rbdSnapshot, cr
rbdVol.ReservedID, rbdVol.RbdImageName, err = j.ReserveName( rbdVol.ReservedID, rbdVol.RbdImageName, err = j.ReserveName(
ctx, rbdVol.JournalPool, journalPoolID, rbdVol.Pool, imagePoolID, ctx, rbdVol.JournalPool, journalPoolID, rbdVol.Pool, imagePoolID,
rbdVol.RequestName, rbdVol.NamePrefix, "", kmsID, rbdVol.ReservedID, rbdVol.Owner, "") rbdVol.RequestName, rbdVol.NamePrefix, "", kmsID, rbdVol.ReservedID, rbdVol.Owner, "", encryptionType)
if err != nil { if err != nil {
return err return err
} }
@ -548,11 +551,12 @@ func RegenerateJournal(
) (string, error) { ) (string, error) {
ctx := context.Background() ctx := context.Background()
var ( var (
vi util.CSIIdentifier vi util.CSIIdentifier
rbdVol *rbdVolume rbdVol *rbdVolume
kmsID string kmsID string
err error encryptionType util.EncryptionType
ok bool err error
ok bool
) )
rbdVol = &rbdVolume{} rbdVol = &rbdVolume{}
@ -605,7 +609,7 @@ func RegenerateJournal(
rbdVol.NamePrefix = volumeAttributes["volumeNamePrefix"] rbdVol.NamePrefix = volumeAttributes["volumeNamePrefix"]
imageData, err := j.CheckReservation( imageData, err := j.CheckReservation(
ctx, rbdVol.JournalPool, rbdVol.RequestName, rbdVol.NamePrefix, "", kmsID) ctx, rbdVol.JournalPool, rbdVol.RequestName, rbdVol.NamePrefix, "", kmsID, encryptionType)
if err != nil { if err != nil {
return "", err return "", err
} }
@ -639,7 +643,7 @@ func RegenerateJournal(
rbdVol.ReservedID, rbdVol.RbdImageName, err = j.ReserveName( rbdVol.ReservedID, rbdVol.RbdImageName, err = j.ReserveName(
ctx, rbdVol.JournalPool, journalPoolID, rbdVol.Pool, imagePoolID, ctx, rbdVol.JournalPool, journalPoolID, rbdVol.Pool, imagePoolID,
rbdVol.RequestName, rbdVol.NamePrefix, "", kmsID, vi.ObjectUUID, rbdVol.Owner, "") rbdVol.RequestName, rbdVol.NamePrefix, "", kmsID, vi.ObjectUUID, rbdVol.Owner, "", encryptionType)
if err != nil { if err != nil {
return "", err return "", err
} }
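Review bot: `getEncryptionConfig` in the first hunk has no doc comment, and its default branch returns `util.EncryptionTypeInvalid` for a volume that is simply not encrypted, so callers cannot distinguish "no encryption" from "bad configuration"; add `// getEncryptionConfig returns the KMS ID and encryption type recorded for rbdVol; an unencrypted volume yields an empty ID and util.EncryptionTypeInvalid.` and check whether util already has a distinct value for the unencrypted case. The block case is tested before the file case, so that order silently decides the result if a volume ever reports both. In RegenerateJournal the new `encryptionType` variable is declared in the `var` block but no assignment to it is visible in these hunks before it reaches CheckReservation and ReserveName, so the zero value of `util.EncryptionType` may be what gets stored; worth confirming that equals the sentinel getEncryptionConfig uses, otherwise a regenerated journal entry for an encrypted volume would disagree with what `Exists()` later passes. The snapshot path in checkSnapCloneExists still passes an empty kmsID and `util.EncryptionTypeInvalid` even though reserveSnap records the parent volume's real values, so whether the encryption check is skipped for snapshots depends on CheckReservation, which is outside this diff. All of the functions touched here start or end outside the hunks shown.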