util: move existing KMS implementations to the DEKStore interface

Use DEKStore API for Fetching and Storing passphrases.

Drop the fallback for the old KMS interface that is now provided as
DEKStore. The original implementation has been re-used for the DEKStore
interface.

This also moves GetCryptoPassphrase/StoreNewCryptoPassphrase functions
to methods of VolumeEncryption.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
Niels de Vos 2021-02-15 10:24:47 +01:00 committed by mergify[bot]
parent b60dd286c6
commit 9ac7f56400
7 changed files with 50 additions and 31 deletions

View File

@ -691,7 +691,7 @@ func (cs *ControllerServer) DeleteVolume(ctx context.Context, req *csi.DeleteVol
}
if rbdVol.isEncrypted() {
if err = rbdVol.encryption.KMS.DeletePassphrase(rbdVol.VolID); err != nil {
if err = rbdVol.encryption.RemoveDEK(rbdVol.VolID); err != nil {
util.WarningLog(ctx, "failed to clean the passphrase for volume %s: %s", rbdVol.VolID, err)
}
}

View File

@ -90,7 +90,7 @@ func (rv *rbdVolume) isEncrypted() bool {
// - the Data-Encryption-Key (DEK) will be generated stored for use by the KMS;
// - the RBD image will be marked to support encryption in its metadata.
func (rv *rbdVolume) setupEncryption(ctx context.Context) error {
err := util.StoreNewCryptoPassphrase(rv.VolID, rv.encryption.KMS)
err := rv.encryption.StoreNewCryptoPassphrase(rv.VolID)
if err != nil {
util.ErrorLog(ctx, "failed to save encryption passphrase for "+
"image %s: %s", rv.String(), err)
@ -108,7 +108,7 @@ func (rv *rbdVolume) setupEncryption(ctx context.Context) error {
}
func (rv *rbdVolume) encryptDevice(ctx context.Context, devicePath string) error {
passphrase, err := util.GetCryptoPassphrase(rv.VolID, rv.encryption.KMS)
passphrase, err := rv.encryption.GetCryptoPassphrase(rv.VolID)
if err != nil {
util.ErrorLog(ctx, "failed to get crypto passphrase for %s: %v",
rv.String(), err)
@ -131,7 +131,7 @@ func (rv *rbdVolume) encryptDevice(ctx context.Context, devicePath string) error
}
func (rv *rbdVolume) openEncryptedDevice(ctx context.Context, devicePath string) (string, error) {
passphrase, err := util.GetCryptoPassphrase(rv.VolID, rv.encryption.KMS)
passphrase, err := rv.encryption.GetCryptoPassphrase(rv.VolID)
if err != nil {
util.ErrorLog(ctx, "failed to get passphrase for encrypted device %s: %v",
rv.String(), err)

View File

@ -106,13 +106,20 @@ func (ve *VolumeEncryption) Destroy() {
ve.KMS.Destroy()
}
// RemoveDEK deletes the DEK for a particular volumeID from the DEKStore linked
// with this VolumeEncryption instance.
func (ve *VolumeEncryption) RemoveDEK(volumeID string) error {
if ve.dekStore == nil {
return ErrDEKStoreNotFound
}
return ve.dekStore.RemoveDEK(volumeID)
}
// EncryptionKMS provides external Key Management System for encryption
// passphrases storage.
type EncryptionKMS interface {
Destroy()
GetPassphrase(key string) (string, error)
SavePassphrase(key, value string) error
DeletePassphrase(key string) error
GetID() string
// requiresDEKStore returns the DEKStoreType that is needed to be
@ -148,6 +155,13 @@ type DEKStore interface {
RemoveDEK(volumeID string) error
}
// integratedDEK is a DEKStore that can not be configured. Either the KMS does
// not use a DEK, or the DEK is stored in the KMS without additional
// configuration options.
type integratedDEK struct{}
func (i integratedDEK) requiresDEKStore() DEKStoreType { return DEKStoreIntegrated }
// GetKMS returns an instance of Key Management System.
//
// - tenant is the owner of the Volume, used to fetch the Vault Token from the
@ -209,12 +223,13 @@ func GetKMS(tenant, kmsID string, secrets map[string]string) (EncryptionKMS, err
}
// StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
func StoreNewCryptoPassphrase(volumeID string, kms EncryptionKMS) error {
func (ve *VolumeEncryption) StoreNewCryptoPassphrase(volumeID string) error {
passphrase, err := generateNewEncryptionPassphrase()
if err != nil {
return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
}
err = kms.SavePassphrase(volumeID, passphrase)
err = ve.dekStore.StoreDEK(volumeID, passphrase)
if err != nil {
return fmt.Errorf("failed to save the passphrase for %s: %w", volumeID, err)
}
@ -222,8 +237,8 @@ func StoreNewCryptoPassphrase(volumeID string, kms EncryptionKMS) error {
}
// GetCryptoPassphrase Retrieves passphrase to encrypt volume.
func GetCryptoPassphrase(volumeID string, kms EncryptionKMS) (string, error) {
passphrase, err := kms.GetPassphrase(volumeID)
func (ve *VolumeEncryption) GetCryptoPassphrase(volumeID string) (string, error) {
passphrase, err := ve.dekStore.FetchDEK(volumeID)
if err != nil {
return "", err
}

View File

@ -60,12 +60,16 @@ func TestKMSWorkflow(t *testing.T) {
require.NotNil(t, kms)
assert.Equal(t, defaultKMSType, kms.GetID())
ve, err := NewVolumeEncryption(kms)
assert.NoError(t, err)
require.NotNil(t, ve)
volumeID := "volume-id"
err = StoreNewCryptoPassphrase(volumeID, kms)
err = ve.StoreNewCryptoPassphrase(volumeID)
assert.NoError(t, err)
passphrase, err := GetCryptoPassphrase(volumeID, kms)
passphrase, err := ve.GetCryptoPassphrase(volumeID)
assert.NoError(t, err)
assert.Equal(t, secrets[encryptionPassphraseKey], passphrase)
}

View File

@ -56,19 +56,19 @@ func (kms SecretsKMS) Destroy() {
// nothing to do
}
// GetPassphrase returns passphrase from Kubernetes secrets.
func (kms SecretsKMS) GetPassphrase(key string) (string, error) {
// FetchDEK returns passphrase from Kubernetes secrets.
func (kms SecretsKMS) FetchDEK(key string) (string, error) {
return kms.passphrase, nil
}
// SavePassphrase does nothing, as there is no passphrase per key (volume), so
// StoreDEK does nothing, as there is no passphrase per key (volume), so
// no need to store is anywhere.
func (kms SecretsKMS) SavePassphrase(key, value string) error {
func (kms SecretsKMS) StoreDEK(key, value string) error {
return nil
}
// DeletePassphrase is doing nothing as no new passphrases are saved with
// RemoveDEK is doing nothing as no new passphrases are saved with
// SecretsKMS.
func (kms SecretsKMS) DeletePassphrase(key string) error {
func (kms SecretsKMS) RemoveDEK(key string) error {
return nil
}

View File

@ -328,9 +328,9 @@ func (vc *vaultConnection) GetID() string {
return vc.EncryptionKMSID
}
// GetPassphrase returns passphrase from Vault. The passphrase is stored in a
// FetchDEK returns passphrase from Vault. The passphrase is stored in a
// data.data.passphrase structure.
func (kms *VaultKMS) GetPassphrase(key string) (string, error) {
func (kms *VaultKMS) FetchDEK(key string) (string, error) {
s, err := kms.secrets.GetSecret(filepath.Join(kms.vaultPassphrasePath, key), kms.keyContext)
if err != nil {
return "", err
@ -348,8 +348,8 @@ func (kms *VaultKMS) GetPassphrase(key string) (string, error) {
return passphrase, nil
}
// SavePassphrase saves new passphrase in Vault.
func (kms *VaultKMS) SavePassphrase(key, value string) error {
// StoreDEK saves new passphrase in Vault.
func (kms *VaultKMS) StoreDEK(key, value string) error {
data := map[string]interface{}{
"data": map[string]string{
"passphrase": value,
@ -365,8 +365,8 @@ func (kms *VaultKMS) SavePassphrase(key, value string) error {
return nil
}
// DeletePassphrase deletes passphrase from Vault.
func (kms *VaultKMS) DeletePassphrase(key string) error {
// RemoveDEK deletes passphrase from Vault.
func (kms *VaultKMS) RemoveDEK(key string) error {
pathKey := filepath.Join(kms.vaultPassphrasePath, key)
err := kms.secrets.DeleteSecret(pathKey, kms.keyContext)
if err != nil {

View File

@ -347,9 +347,9 @@ func (kms *VaultTokensKMS) initCertificates(config map[string]interface{}) error
return nil
}
// GetPassphrase returns passphrase from Vault. The passphrase is stored in a
// FetchDEK returns passphrase from Vault. The passphrase is stored in a
// data.data.passphrase structure.
func (kms *VaultTokensKMS) GetPassphrase(key string) (string, error) {
func (kms *VaultTokensKMS) FetchDEK(key string) (string, error) {
s, err := kms.secrets.GetSecret(key, kms.keyContext)
if err != nil {
return "", err
@ -367,8 +367,8 @@ func (kms *VaultTokensKMS) GetPassphrase(key string) (string, error) {
return passphrase, nil
}
// SavePassphrase saves new passphrase in Vault.
func (kms *VaultTokensKMS) SavePassphrase(key, value string) error {
// StoreDEK saves new passphrase in Vault.
func (kms *VaultTokensKMS) StoreDEK(key, value string) error {
data := map[string]interface{}{
"data": map[string]string{
"passphrase": value,
@ -383,8 +383,8 @@ func (kms *VaultTokensKMS) SavePassphrase(key, value string) error {
return nil
}
// DeletePassphrase deletes passphrase from Vault.
func (kms *VaultTokensKMS) DeletePassphrase(key string) error {
// RemoveDEK deletes passphrase from Vault.
func (kms *VaultTokensKMS) RemoveDEK(key string) error {
err := kms.secrets.DeleteSecret(key, kms.keyContext)
if err != nil {
return fmt.Errorf("delete passphrase at %s request to vault failed: %w", key, err)