rbd: set encryption passphrase on CreateVolume

Have the provisioner create the passphrase for the volume, instead of
doign it lazily at the time the volume is used for the 1st time. This
prevents potential races where pods on different nodes try to store
different passphrases at the (almost) same time.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
Niels de Vos 2021-02-15 10:53:25 +01:00 committed by mergify[bot]
parent 47c6223b3a
commit 9b6c2117f3
3 changed files with 46 additions and 26 deletions

View File

@ -144,7 +144,7 @@ func (cs *ControllerServer) parseVolCreateRequest(ctx context.Context, req *csi.
func buildCreateVolumeResponse(ctx context.Context, req *csi.CreateVolumeRequest, rbdVol *rbdVolume) (*csi.CreateVolumeResponse, error) { func buildCreateVolumeResponse(ctx context.Context, req *csi.CreateVolumeRequest, rbdVol *rbdVolume) (*csi.CreateVolumeResponse, error) {
if rbdVol.Encrypted { if rbdVol.Encrypted {
err := rbdVol.ensureEncryptionMetadataSet(rbdImageRequiresEncryption) err := rbdVol.setupEncryption(ctx)
if err != nil { if err != nil {
util.ErrorLog(ctx, err.Error()) util.ErrorLog(ctx, err.Error())
return nil, status.Error(codes.Internal, err.Error()) return nil, status.Error(codes.Internal, err.Error())
@ -507,10 +507,9 @@ func (cs *ControllerServer) createBackingImage(ctx context.Context, cr *util.Cre
} }
} }
if rbdVol.Encrypted { if rbdVol.Encrypted {
err = rbdVol.ensureEncryptionMetadataSet(rbdImageRequiresEncryption) err = rbdVol.setupEncryption(ctx)
if err != nil { if err != nil {
util.ErrorLog(ctx, "failed to save encryption status, deleting image %s: %s", util.ErrorLog(ctx, "failed to setup encroption for image %s: %v", rbdVol, err)
rbdVol, err)
return status.Error(codes.Internal, err.Error()) return status.Error(codes.Internal, err.Error())
} }
} }
@ -1138,3 +1137,24 @@ func (cs *ControllerServer) ControllerExpandVolume(ctx context.Context, req *csi
NodeExpansionRequired: nodeExpansion, NodeExpansionRequired: nodeExpansion,
}, nil }, nil
} }
// setupEncryption configures the metadata of the RBD image for encryption:
// - the Data-Encryption-Key (DEK) will be generated stored for use by the KMS;
// - the RBD image will be marked to support encryption in its metadata.
func (rv *rbdVolume) setupEncryption(ctx context.Context) error {
err := util.StoreNewCryptoPassphrase(rv.VolID, rv.KMS)
if err != nil {
util.ErrorLog(ctx, "failed to save encryption passphrase for "+
"image %s: %s", rv.String(), err)
return err
}
err = rv.ensureEncryptionMetadataSet(rbdImageRequiresEncryption)
if err != nil {
util.ErrorLog(ctx, "failed to save encryption status, deleting "+
"image %s: %s", rv.String(), err)
return err
}
return nil
}

View File

@ -830,7 +830,7 @@ func (ns *NodeServer) processEncryptedDevice(ctx context.Context, volOptions *rb
} }
func encryptDevice(ctx context.Context, rbdVol *rbdVolume, devicePath string) error { func encryptDevice(ctx context.Context, rbdVol *rbdVolume, devicePath string) error {
passphrase, err := util.GetCryptoPassphrase(ctx, rbdVol.VolID, rbdVol.KMS) passphrase, err := util.GetCryptoPassphrase(rbdVol.VolID, rbdVol.KMS)
if err != nil { if err != nil {
util.ErrorLog(ctx, "failed to get crypto passphrase for %s: %v", util.ErrorLog(ctx, "failed to get crypto passphrase for %s: %v",
rbdVol, err) rbdVol, err)
@ -853,7 +853,7 @@ func encryptDevice(ctx context.Context, rbdVol *rbdVolume, devicePath string) er
} }
func openEncryptedDevice(ctx context.Context, volOptions *rbdVolume, devicePath string) (string, error) { func openEncryptedDevice(ctx context.Context, volOptions *rbdVolume, devicePath string) (string, error) {
passphrase, err := util.GetCryptoPassphrase(ctx, volOptions.VolID, volOptions.KMS) passphrase, err := util.GetCryptoPassphrase(volOptions.VolID, volOptions.KMS)
if err != nil { if err != nil {
util.ErrorLog(ctx, "failed to get passphrase for encrypted device %s: %v", util.ErrorLog(ctx, "failed to get passphrase for encrypted device %s: %v",
volOptions, err) volOptions, err)

View File

@ -95,9 +95,10 @@ func (kms SecretsKMS) GetPassphrase(key string) (string, error) {
return kms.passphrase, nil return kms.passphrase, nil
} }
// SavePassphrase is not implemented. // SavePassphrase does nothing, as there is no passphrase per key (volume), so
// no need to store is anywhere.
func (kms SecretsKMS) SavePassphrase(key, value string) error { func (kms SecretsKMS) SavePassphrase(key, value string) error {
return fmt.Errorf("save new passphrase is not implemented for Kubernetes secrets") return nil
} }
// DeletePassphrase is doing nothing as no new passphrases are saved with // DeletePassphrase is doing nothing as no new passphrases are saved with
@ -171,27 +172,26 @@ func GetKMS(tenant, kmsID string, secrets map[string]string) (EncryptionKMS, err
return nil, fmt.Errorf("unknown encryption KMS type %s", kmsType) return nil, fmt.Errorf("unknown encryption KMS type %s", kmsType)
} }
// GetCryptoPassphrase Retrieves passphrase to encrypt volume. // StoreNewCryptoPassphrase generates a new passphrase and saves it in the KMS.
func GetCryptoPassphrase(ctx context.Context, volumeID string, kms EncryptionKMS) (string, error) { func StoreNewCryptoPassphrase(volumeID string, kms EncryptionKMS) error {
passphrase, err := kms.GetPassphrase(volumeID) passphrase, err := generateNewEncryptionPassphrase()
if err == nil {
return passphrase, nil
}
if _, ok := err.(MissingPassphrase); ok {
DebugLog(ctx, "Encryption passphrase is missing for %s. Generating a new one",
volumeID)
passphrase, err = generateNewEncryptionPassphrase()
if err != nil { if err != nil {
return "", fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err) return fmt.Errorf("failed to generate passphrase for %s: %w", volumeID, err)
} }
err = kms.SavePassphrase(volumeID, passphrase) err = kms.SavePassphrase(volumeID, passphrase)
if err != nil { if err != nil {
return "", fmt.Errorf("failed to save the passphrase for %s: %w", volumeID, err) return fmt.Errorf("failed to save the passphrase for %s: %w", volumeID, err)
}
return nil
}
// GetCryptoPassphrase Retrieves passphrase to encrypt volume.
func GetCryptoPassphrase(volumeID string, kms EncryptionKMS) (string, error) {
passphrase, err := kms.GetPassphrase(volumeID)
if err != nil {
return "", err
} }
return passphrase, nil return passphrase, nil
}
ErrorLog(ctx, "failed to get encryption passphrase for %s: %s", volumeID, err)
return "", err
} }
// generateNewEncryptionPassphrase generates a random passphrase for encryption. // generateNewEncryptionPassphrase generates a random passphrase for encryption.