util: move existing KMS implementations to the DEKStore interface

Use the DEKStore API for fetching and storing passphrases.

Drop the fallback for the old KMS interface that is now provided as
DEKStore. The original implementation has been re-used for the DEKStore
interface.

This also moves GetCryptoPassphrase/StoreNewCryptoPassphrase functions
to methods of VolumeEncryption.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos
2021-02-15 10:24:47 +01:00
committed by mergify[bot]
parent b60dd286c6
commit 9ac7f56400
7 changed files with 50 additions and 31 deletions


@ -691,7 +691,7 @@ func (cs *ControllerServer) DeleteVolume(ctx context.Context, req *csi.DeleteVol
}
if rbdVol.isEncrypted() {
if err = rbdVol.encryption.KMS.DeletePassphrase(rbdVol.VolID); err != nil {
if err = rbdVol.encryption.RemoveDEK(rbdVol.VolID); err != nil {
util.WarningLog(ctx, "failed to clean the passphrase for volume %s: %s", rbdVol.VolID, err)
}
}
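Review bot: A failure of `rbdVol.encryption.RemoveDEK(rbdVol.VolID)` is only logged at warning level and DeleteVolume carries on, so a key for a volume that no longer exists stays behind in the KMS and nothing will ever retry its removal, since the CO only retries DeleteVolume on a non-OK return. DeleteVolume starts outside this hunk, so I cannot see whether the RBD image has already been deleted by the time this runs; if it has, returning an error here would leave a half-deleted volume, and the orphaned-key case should at least be surfaced loudly rather than as a warning, e.g. `util.ErrorLog(ctx, "failed to clean the passphrase for volume %s: %s; the DEK must be removed from the KMS manually", rbdVol.VolID, err)`. If instead the image delete comes after this block, removing the DEK first and returning the Internal gRPC error the rest of the function presumably uses would let the CO retry and avoid the orphaned key; that reordering is bigger than this hunk, so I am only flagging it.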


@ -90,7 +90,7 @@ func (rv *rbdVolume) isEncrypted() bool {
// - the Data-Encryption-Key (DEK) will be generated stored for use by the KMS;
// - the RBD image will be marked to support encryption in its metadata.
func (rv *rbdVolume) setupEncryption(ctx context.Context) error {
err := util.StoreNewCryptoPassphrase(rv.VolID, rv.encryption.KMS)
err := rv.encryption.StoreNewCryptoPassphrase(rv.VolID)
if err != nil {
util.ErrorLog(ctx, "failed to save encryption passphrase for "+
"image %s: %s", rv.String(), err)
@ -108,7 +108,7 @@ func (rv *rbdVolume) setupEncryption(ctx context.Context) error {
}
func (rv *rbdVolume) encryptDevice(ctx context.Context, devicePath string) error {
passphrase, err := util.GetCryptoPassphrase(rv.VolID, rv.encryption.KMS)
passphrase, err := rv.encryption.GetCryptoPassphrase(rv.VolID)
if err != nil {
util.ErrorLog(ctx, "failed to get crypto passphrase for %s: %v",
rv.String(), err)
@ -131,7 +131,7 @@ func (rv *rbdVolume) encryptDevice(ctx context.Context, devicePath string) error
}
func (rv *rbdVolume) openEncryptedDevice(ctx context.Context, devicePath string) (string, error) {
passphrase, err := util.GetCryptoPassphrase(rv.VolID, rv.encryption.KMS)
passphrase, err := rv.encryption.GetCryptoPassphrase(rv.VolID)
if err != nil {
util.ErrorLog(ctx, "failed to get passphrase for encrypted device %s: %v",
rv.String(), err)
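Review bot: The VolumeEncryption methods introduced here use two vocabularies for the same object: the controller hunk calls `rv.encryption.RemoveDEK(...)`, while these three call sites use `rv.encryption.StoreNewCryptoPassphrase(rv.VolID)` and `rv.encryption.GetCryptoPassphrase(rv.VolID)`, and the `Get` prefix also goes against Go's getter convention. Since this is the commit that turns the old util functions into methods, it is the cheapest moment to name them consistently, e.g. `StoreNewDEK`/`FetchDEK` next to `RemoveDEK` (or `Passphrase()` if the passphrase is what callers conceptually want); the type and method bodies are outside these hunks, so I cannot tell whether such names already exist there. The doc comment above setupEncryption still reads "will be generated stored for use by the KMS"; while touching that function, make it `// - the Data-Encryption-Key (DEK) will be generated and stored in the DEKStore (KMS);`.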