util: use the KMS as DEKStore if it supports it
Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
ee033da8e9
commit
b60dd286c6
@ -66,13 +66,39 @@ var (
|
||||
|
||||
type VolumeEncryption struct {
|
||||
KMS EncryptionKMS
|
||||
|
||||
// dekStore that will be used, this can be the EncryptionKMS or a
|
||||
// different object implementing the DEKStore interface.
|
||||
dekStore DEKStore
|
||||
}
|
||||
|
||||
// NewVolumeEncryption creates a new instance of VolumeEncryption.
|
||||
// NewVolumeEncryption creates a new instance of VolumeEncryption and
|
||||
// configures the DEKStore. If the KMS does not provide a DEKStore interface,
|
||||
// the VolumeEncryption will be created *and* a ErrDEKStoreNeeded is returned.
|
||||
// Callers that receive a ErrDEKStoreNeeded error, should use
|
||||
// VolumeEncryption.SetDEKStore() to configure an alternative storage for the
|
||||
// DEKs.
|
||||
func NewVolumeEncryption(kms EncryptionKMS) (*VolumeEncryption, error) {
|
||||
ve := &VolumeEncryption{KMS: kms}
|
||||
|
||||
return ve, nil
|
||||
if kms.requiresDEKStore() == DEKStoreIntegrated {
|
||||
dekStore, ok := kms.(DEKStore)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("KMS %T does not implement the "+
|
||||
"DEKStore interface", kms)
|
||||
}
|
||||
|
||||
ve.dekStore = dekStore
|
||||
return ve, nil
|
||||
}
|
||||
|
||||
return ve, ErrDEKStoreNeeded
|
||||
}
|
||||
|
||||
// SetDEKStore sets the DEKStore for this VolumeEncryption instance. It will be
|
||||
// used when StoreNewCryptoPassphrase() or RemoveDEK() is called.
|
||||
func (ve *VolumeEncryption) SetDEKStore(dekStore DEKStore) {
|
||||
ve.dekStore = dekStore
|
||||
}
|
||||
|
||||
// Destroy frees any resources that the VolumeEncryption instance allocated.
|
||||
|
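Review bot: `SetDEKStore` on the new side overwrites `ve.dekStore` unconditionally, so calling it after `NewVolumeEncryption` already wired in a KMS with an integrated DEKStore silently redirects DEK storage away from the KMS, and nothing in the hunk prevents that. The doc comment makes `SetDEKStore` the remedy for the `ErrDEKStoreNeeded` case only, so either guard the overwrite, `if ve.dekStore != nil { return }` with a comment giving the reason, or state in the doc comment that it must not be called for a KMS with an integrated store. It is also worth noting in `NewVolumeEncryption`'s doc comment that a caller that ignores `ErrDEKStoreNeeded` is left with a nil `dekStore`, which this function does not validate again. The `Destroy` function whose comment ends the hunk continues outside it.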
@ -30,6 +30,8 @@ const (
|
||||
|
||||
// SecretsKMS is default KMS implementation that means no KMS is in use.
|
||||
type SecretsKMS struct {
|
||||
integratedDEK
|
||||
|
||||
passphrase string
|
||||
}
|
||||
|
||||
|
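Review bot: Embedding `integratedDEK` in `SecretsKMS` presumably makes `requiresDEKStore()` report `DEKStoreIntegrated`, but whether `SecretsKMS` also satisfies `DEKStore` is only checked at runtime by the type assertion in `NewVolumeEncryption`, which surfaces as the `%T does not implement the DEKStore interface` error rather than as a build failure. A compile-time assertion next to the type, `var _ DEKStore = (*SecretsKMS)(nil)`, turns a missing method into a build error. The same applies to the `VaultKMS` and `VaultTokensKMS` hunks below.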
@ -79,6 +79,7 @@ type vaultConnection struct {
|
||||
|
||||
type VaultKMS struct {
|
||||
vaultConnection
|
||||
integratedDEK
|
||||
|
||||
// vaultPassphrasePath (VPP) used to be added before the "key" of the
|
||||
// secret (like /v1/secret/data/<VPP>/key)
|
||||
|
@ -161,6 +161,7 @@ Example JSON structure in the KMS config is,
|
||||
*/
|
||||
type VaultTokensKMS struct {
|
||||
vaultConnection
|
||||
integratedDEK
|
||||
|
||||
// Tenant is the name of the owner of the volume
|
||||
Tenant string
|
||||
|