util: add EncryptionKMS.Destroy()

Add a new method to the EncryptionKMS interface so that resources can be
freed when EncryptionKMS instances get freed.

With the move to using the libopenstorage API, a temporary file needs to
store the optional CA certificate. The Destroy() method of the
vaultConnection type now removes this file.

The rbdVolume uses the EncryptionKMS type now, so call the new Destroy()
method from within rbdVolume.Destroy().

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
Niels de Vos 2020-12-03 09:25:52 +01:00 committed by mergify[bot]
parent eb1ef69cfb
commit 8f91c672d4
3 changed files with 21 additions and 1 deletions


@ -169,6 +169,9 @@ func (rv *rbdVolume) Destroy() {
if rv.conn != nil { if rv.conn != nil {
rv.conn.Destroy() rv.conn.Destroy()
} }
if rv.KMS != nil {
rv.KMS.Destroy()
}
} }
// String returns the image-spec (pool/{namespace/}image) format of the image. // String returns the image-spec (pool/{namespace/}image) format of the image.
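Review bot: The new `if rv.KMS != nil { rv.KMS.Destroy() }` leaves rv.KMS set after its resources are released, so a second Destroy() re-runs the cleanup and any later use of the KMS through this volume (a GetPassphrase after the CA file is gone, for example) would operate on a backend that is already torn down without any visible signal; clearing the field right after the call, `rv.KMS.Destroy()` then `rv.KMS = nil`, makes both the double-destroy and the use-after-destroy cases explicit. The same pattern applies to rv.conn, which this commit does not touch. Keep in mind that the nil check only guards the interface value: if KMS is ever assigned a typed nil pointer the check passes and Destroy runs on a nil receiver, which will panic in any implementation that touches its fields. The enclosing rbdVolume.Destroy() starts before the hunk.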


@ -51,6 +51,7 @@ const (
// EncryptionKMS provides external Key Management System for encryption // EncryptionKMS provides external Key Management System for encryption
// passphrases storage. // passphrases storage.
type EncryptionKMS interface { type EncryptionKMS interface {
Destroy()
GetPassphrase(key string) (string, error) GetPassphrase(key string) (string, error)
SavePassphrase(key, value string) error SavePassphrase(key, value string) error
DeletePassphrase(key string) error DeletePassphrase(key string) error
@ -75,6 +76,11 @@ func initSecretsKMS(secrets map[string]string) (EncryptionKMS, error) {
return SecretsKMS{passphrase: passphraseValue}, nil return SecretsKMS{passphrase: passphraseValue}, nil
} }
// Destroy frees all used resources.
func (kms SecretsKMS) Destroy() {
// nothing to do
}
// GetPassphrase returns passphrase from Kubernetes secrets. // GetPassphrase returns passphrase from Kubernetes secrets.
func (kms SecretsKMS) GetPassphrase(key string) (string, error) { func (kms SecretsKMS) GetPassphrase(key string) (string, error) {
return kms.passphrase, nil return kms.passphrase, nil


@ -167,7 +167,6 @@ func (vc *vaultConnection) initConnection(kmsID string, config map[string]interf
if err != nil { if err != nil {
return fmt.Errorf("failed to create temporary file for Vault CA: %w", err) return fmt.Errorf("failed to create temporary file for Vault CA: %w", err)
} }
// TODO: delete f.Name() when vaultConnection is destroyed
} }
// update the existing config only if no config is available yet // update the existing config only if no config is available yet
@ -201,6 +200,18 @@ func (vc *vaultConnection) connectVault() error {
return nil return nil
} }
// Destroy frees allocated resources. For a vaultConnection that means removing
// the created temporary files.
func (vc *vaultConnection) Destroy() {
if vc.vaultConfig != nil {
tmpFile, ok := vc.vaultConfig[api.EnvVaultCACert]
if ok {
// ignore error on failure to remove tmpfile (gosec complains)
_ = os.Remove(tmpFile.(string))
}
}
}
// InitVaultKMS returns an interface to HashiCorp Vault KMS. // InitVaultKMS returns an interface to HashiCorp Vault KMS.
func InitVaultKMS(kmsID string, config map[string]interface{}, secrets map[string]string) (EncryptionKMS, error) { func InitVaultKMS(kmsID string, config map[string]interface{}, secrets map[string]string) (EncryptionKMS, error) {
kms := &VaultKMS{} kms := &VaultKMS{}
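Review bot: vaultConnection.Destroy() removes whatever path is stored under api.EnvVaultCACert in vc.vaultConfig, but only the temporary file created in initConnection is this object's to delete; if that map can also carry an operator-supplied VAULT_CACERT path (the `update the existing config only if no config is available yet` comment suggests it may be pre-populated, which I cannot confirm from the hunk), Destroy would delete a file the driver does not own. Remembering the temporary path in a dedicated field set where the file is created (`vc.caTmpFile = f.Name()` right after the error check in the first hunk) and removing only that path avoids the problem, and also avoids the unchecked `tmpFile.(string)` assertion, which panics if the value is ever not a string. Clearing the field after the remove keeps repeated Destroy calls harmless. The vaultConnection struct and the rest of initConnection are outside the hunk.
```go
// Destroy frees allocated resources. For a vaultConnection that means removing
// the temporary CA file written by initConnection, if one was created.
func (vc *vaultConnection) Destroy() {
	if vc.caTmpFile == "" {
		return
	}
	// best effort: the file holds a CA certificate (not a key) in the OS temp
	// dir, and a removal failure is not actionable for the caller (gosec complains)
	_ = os.Remove(vc.caTmpFile)
	vc.caTmpFile = ""
}
```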