mirror of
https://github.com/ceph/ceph-csi.git
synced 2025-01-17 10:19:30 +00:00
util: add EncryptionKMS.Destroy()
Add a new method to the EncryptionKMS interface so that resources can be freed when EncryptionKMS instances get freed. With the move to using the libopenstorage API, a temporary file needs to store the optional CA certificate. The Destroy() method of the vaultConnection type now removes this file. The rbdVolume uses the EncryptionKMS type now, so call the new Destroy() method from withing rbdVolume.Destroy(). Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
eb1ef69cfb
commit
8f91c672d4
@ -169,6 +169,9 @@ func (rv *rbdVolume) Destroy() {
|
||||
if rv.conn != nil {
|
||||
rv.conn.Destroy()
|
||||
}
|
||||
if rv.KMS != nil {
|
||||
rv.KMS.Destroy()
|
||||
}
|
||||
}
|
||||
|
||||
// String returns the image-spec (pool/{namespace/}image) format of the image.
|
||||
|
@ -51,6 +51,7 @@ const (
|
||||
// EncryptionKMS provides external Key Management System for encryption
|
||||
// passphrases storage.
|
||||
type EncryptionKMS interface {
|
||||
Destroy()
|
||||
GetPassphrase(key string) (string, error)
|
||||
SavePassphrase(key, value string) error
|
||||
DeletePassphrase(key string) error
|
||||
@ -75,6 +76,11 @@ func initSecretsKMS(secrets map[string]string) (EncryptionKMS, error) {
|
||||
return SecretsKMS{passphrase: passphraseValue}, nil
|
||||
}
|
||||
|
||||
// Destroy frees all used resources.
|
||||
func (kms SecretsKMS) Destroy() {
|
||||
// nothing to do
|
||||
}
|
||||
|
||||
// GetPassphrase returns passphrase from Kubernetes secrets.
|
||||
func (kms SecretsKMS) GetPassphrase(key string) (string, error) {
|
||||
return kms.passphrase, nil
|
||||
|
@ -167,7 +167,6 @@ func (vc *vaultConnection) initConnection(kmsID string, config map[string]interf
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create temporary file for Vault CA: %w", err)
|
||||
}
|
||||
// TODO: delete f.Name() when vaultConnection is destroyed
|
||||
}
|
||||
|
||||
// update the existing config only if no config is available yet
|
||||
@ -201,6 +200,18 @@ func (vc *vaultConnection) connectVault() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Destroy frees allocated resources. For a vaultConnection that means removing
|
||||
// the created temporary files.
|
||||
func (vc *vaultConnection) Destroy() {
|
||||
if vc.vaultConfig != nil {
|
||||
tmpFile, ok := vc.vaultConfig[api.EnvVaultCACert]
|
||||
if ok {
|
||||
// ignore error on failure to remove tmpfile (gosec complains)
|
||||
_ = os.Remove(tmpFile.(string))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// InitVaultKMS returns an interface to HashiCorp Vault KMS.
|
||||
func InitVaultKMS(kmsID string, config map[string]interface{}, secrets map[string]string) (EncryptionKMS, error) {
|
||||
kms := &VaultKMS{}
|
||||
|
Loading…
Reference in New Issue
Block a user