util: use the KMS as DEKStore if it supports it

Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos 2021-03-01 16:35:35 +01:00 committed by mergify[bot]
parent ee033da8e9
commit b60dd286c6
4 changed files with 32 additions and 2 deletions


@ -66,15 +66,41 @@ var (
type VolumeEncryption struct { type VolumeEncryption struct {
KMS EncryptionKMS KMS EncryptionKMS
// dekStore that will be used, this can be the EncryptionKMS or a
// different object implementing the DEKStore interface.
dekStore DEKStore
} }
// NewVolumeEncryption creates a new instance of VolumeEncryption. // NewVolumeEncryption creates a new instance of VolumeEncryption and
// configures the DEKStore. If the KMS does not provide a DEKStore interface,
// the VolumeEncryption will be created *and* a ErrDEKStoreNeeded is returned.
// Callers that receive a ErrDEKStoreNeeded error, should use
// VolumeEncryption.SetDEKStore() to configure an alternative storage for the
// DEKs.
func NewVolumeEncryption(kms EncryptionKMS) (*VolumeEncryption, error) { func NewVolumeEncryption(kms EncryptionKMS) (*VolumeEncryption, error) {
ve := &VolumeEncryption{KMS: kms} ve := &VolumeEncryption{KMS: kms}
if kms.requiresDEKStore() == DEKStoreIntegrated {
dekStore, ok := kms.(DEKStore)
if !ok {
return nil, fmt.Errorf("KMS %T does not implement the "+
"DEKStore interface", kms)
}
ve.dekStore = dekStore
return ve, nil return ve, nil
} }
return ve, ErrDEKStoreNeeded
}
// SetDEKStore sets the DEKStore for this VolumeEncryption instance. It will be
// used when StoreNewCryptoPassphrase() or RemoveDEK() is called.
func (ve *VolumeEncryption) SetDEKStore(dekStore DEKStore) {
ve.dekStore = dekStore
}
// Destroy frees any resources that the VolumeEncryption instance allocated. // Destroy frees any resources that the VolumeEncryption instance allocated.
func (ve *VolumeEncryption) Destroy() { func (ve *VolumeEncryption) Destroy() {
ve.KMS.Destroy() ve.KMS.Destroy()
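Review bot: NewVolumeEncryption returns a populated `*VolumeEncryption` together with `ErrDEKStoreNeeded` (the `return ve, ErrDEKStoreNeeded` line), so a caller that treats any non-nil error as failure discards the instance, while one that ignores the error holds an instance whose dekStore stays nil until SetDEKStore() runs. Callers therefore have to single out that sentinel, e.g. `if err != nil && !errors.Is(err, ErrDEKStoreNeeded) { return err }`, and the methods that dereference ve.dekStore (StoreNewCryptoPassphrase and RemoveDEK are named in the SetDEKStore comment but lie outside this hunk) should return a clear error instead of a nil-pointer panic when no store was configured. SetDEKStore also silently replaces a DEKStore that NewVolumeEncryption obtained from an integrated KMS, which the doc comment does not say; adding `// SetDEKStore replaces any DEKStore set earlier, including one provided by an integrated KMS.` would make that explicit. The Destroy method continues past the end of the hunk.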


@ -30,6 +30,8 @@ const (
// SecretsKMS is default KMS implementation that means no KMS is in use. // SecretsKMS is default KMS implementation that means no KMS is in use.
type SecretsKMS struct { type SecretsKMS struct {
integratedDEK
passphrase string passphrase string
} }
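Review bot: Embedding `integratedDEK` in SecretsKMS presumably makes requiresDEKStore() report DEKStoreIntegrated (the helper is not shown in this commit), after which NewVolumeEncryption type-asserts the KMS to DEKStore and returns an error when the assertion fails; nothing on this page shows SecretsKMS, VaultKMS or VaultTokensKMS implementing the DEKStore methods, so a mismatch would only surface at runtime when a volume is first encrypted. A compile-time check next to the type, `var _ DEKStore = (*SecretsKMS)(nil)`, with the same line for VaultKMS and VaultTokensKMS in the two following sections, turns that into a build failure. Use the value form `var _ DEKStore = SecretsKMS{}` instead if the DEKStore methods use value receivers.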


@ -79,6 +79,7 @@ type vaultConnection struct {
type VaultKMS struct { type VaultKMS struct {
vaultConnection vaultConnection
integratedDEK
// vaultPassphrasePath (VPP) used to be added before the "key" of the // vaultPassphrasePath (VPP) used to be added before the "key" of the
// secret (like /v1/secret/data/<VPP>/key) // secret (like /v1/secret/data/<VPP>/key)


@ -161,6 +161,7 @@ Example JSON structure in the KMS config is,
*/ */
type VaultTokensKMS struct { type VaultTokensKMS struct {
vaultConnection vaultConnection
integratedDEK
// Tenant is the name of the owner of the volume // Tenant is the name of the owner of the volume
Tenant string Tenant string