mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2025-06-13 10:33:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

rbd: set encryption passphrase on CreateVolume

Browse Source 
Have the provisioner create the passphrase for the volume, instead of
doign it lazily at the time the volume is used for the 1st time. This
prevents potential races where pods on different nodes try to store
different passphrases at the (almost) same time.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
Niels de Vos
2021-02-15 10:53:25 +01:00
committed by mergify[bot]
parent 47c6223b3a
commit 9b6c2117f3
3 changed files with 46 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
internal/rbd/controllerserver.go
View File

@ -144,7 +144,7 @@ func (cs *ControllerServer) parseVolCreateRequest(ctx context.Context, req *csi.
func buildCreateVolumeResponse(ctx context.Context, req *csi.CreateVolumeRequest, rbdVol *rbdVolume) (*csi.CreateVolumeResponse, error) {
if rbdVol.Encrypted {
err := rbdVol.ensureEncryptionMetadataSet(rbdImageRequiresEncryption)
err := rbdVol.setupEncryption(ctx)
if err != nil {
util.ErrorLog(ctx, err.Error())
return nil, status.Error(codes.Internal, err.Error())
@ -507,10 +507,9 @@ func (cs *ControllerServer) createBackingImage(ctx context.Context, cr *util.Cre
}
}
if rbdVol.Encrypted {
err = rbdVol.ensureEncryptionMetadataSet(rbdImageRequiresEncryption)
err = rbdVol.setupEncryption(ctx)
if err != nil {
util.ErrorLog(ctx, "failed to save encryption status, deleting image %s: %s",
rbdVol, err)
util.ErrorLog(ctx, "failed to setup encroption for image %s: %v", rbdVol, err)
return status.Error(codes.Internal, err.Error())
}
}
@ -1138,3 +1137,24 @@ func (cs *ControllerServer) ControllerExpandVolume(ctx context.Context, req *csi
NodeExpansionRequired: nodeExpansion,
}, nil
}
// setupEncryption configures the metadata of the RBD image for encryption:
// - the Data-Encryption-Key (DEK) will be generated stored for use by the KMS;
// - the RBD image will be marked to support encryption in its metadata.
func (rv *rbdVolume) setupEncryption(ctx context.Context) error {
err := util.StoreNewCryptoPassphrase(rv.VolID, rv.KMS)
if err != nil {
util.ErrorLog(ctx, "failed to save encryption passphrase for "+
"image %s: %s", rv.String(), err)
return err
}
err = rv.ensureEncryptionMetadataSet(rbdImageRequiresEncryption)
if err != nil {
util.ErrorLog(ctx, "failed to save encryption status, deleting "+
"image %s: %s", rv.String(), err)
return err
}
return nil
}