util: use the KMS as DEKStore if it supports it
Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
ee033da8e9
commit
b60dd286c6
@ -66,13 +66,39 @@ var (
|
|||||||
|
|
||||||
type VolumeEncryption struct {
|
type VolumeEncryption struct {
|
||||||
KMS EncryptionKMS
|
KMS EncryptionKMS
|
||||||
|
|
||||||
|
// dekStore that will be used, this can be the EncryptionKMS or a
|
||||||
|
// different object implementing the DEKStore interface.
|
||||||
|
dekStore DEKStore
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewVolumeEncryption creates a new instance of VolumeEncryption.
|
// NewVolumeEncryption creates a new instance of VolumeEncryption and
|
||||||
|
// configures the DEKStore. If the KMS does not provide a DEKStore interface,
|
||||||
|
// the VolumeEncryption will be created *and* a ErrDEKStoreNeeded is returned.
|
||||||
|
// Callers that receive a ErrDEKStoreNeeded error, should use
|
||||||
|
// VolumeEncryption.SetDEKStore() to configure an alternative storage for the
|
||||||
|
// DEKs.
|
||||||
func NewVolumeEncryption(kms EncryptionKMS) (*VolumeEncryption, error) {
|
func NewVolumeEncryption(kms EncryptionKMS) (*VolumeEncryption, error) {
|
||||||
ve := &VolumeEncryption{KMS: kms}
|
ve := &VolumeEncryption{KMS: kms}
|
||||||
|
|
||||||
|
if kms.requiresDEKStore() == DEKStoreIntegrated {
|
||||||
|
dekStore, ok := kms.(DEKStore)
|
||||||
|
if !ok {
|
||||||
|
return nil, fmt.Errorf("KMS %T does not implement the "+
|
||||||
|
"DEKStore interface", kms)
|
||||||
|
}
|
||||||
|
|
||||||
|
ve.dekStore = dekStore
|
||||||
return ve, nil
|
return ve, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return ve, ErrDEKStoreNeeded
|
||||||
|
}
|
||||||
|
|
||||||
|
// SetDEKStore sets the DEKStore for this VolumeEncryption instance. It will be
|
||||||
|
// used when StoreNewCryptoPassphrase() or RemoveDEK() is called.
|
||||||
|
func (ve *VolumeEncryption) SetDEKStore(dekStore DEKStore) {
|
||||||
|
ve.dekStore = dekStore
|
||||||
}
|
}
|
||||||
|
|
||||||
// Destroy frees any resources that the VolumeEncryption instance allocated.
|
// Destroy frees any resources that the VolumeEncryption instance allocated.
|
||||||
|
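Review bot: The non-integrated path of NewVolumeEncryption hands back a live *VolumeEncryption together with ErrDEKStoreNeeded while ve.dekStore is still nil, so a caller that checks `err != nil` generically and keeps the value, or that never follows up with SetDEKStore(), ends up with a nil interface in dekStore; the SetDEKStore comment says StoreNewCryptoPassphrase() and RemoveDEK() (outside this hunk) use it, and they would panic on that nil. I would state the invariant on the field, `// dekStore is nil when NewVolumeEncryption() returned ErrDEKStoreNeeded and SetDEKStore() has not been called yet.`, and have those two methods return an error when dekStore is nil rather than dereference it. The new unconditional `kms.requiresDEKStore()` call also makes a nil kms panic where the previous constructor tolerated it; if nil is a possible input, a guard before the call is cheap. Minor wording on the two doc lines: "a ErrDEKStoreNeeded" should read "an ErrDEKStoreNeeded".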
@ -30,6 +30,8 @@ const (
|
|||||||
|
|
||||||
// SecretsKMS is default KMS implementation that means no KMS is in use.
|
// SecretsKMS is default KMS implementation that means no KMS is in use.
|
||||||
type SecretsKMS struct {
|
type SecretsKMS struct {
|
||||||
|
integratedDEK
|
||||||
|
|
||||||
passphrase string
|
passphrase string
|
||||||
}
|
}
|
||||||
|
|
||||||
|
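Review bot: Nothing in this hunk, or in the two that embed integratedDEK into VaultKMS and VaultTokensKMS below, shows that these types satisfy DEKStore, yet presumably the embedding makes requiresDEKStore() report DEKStoreIntegrated, in which case NewVolumeEncryption type-asserts the KMS to DEKStore and otherwise fails only at runtime with the %T error. That mismatch would surface at volume creation rather than at build time. A compile-time satisfaction check next to each type, `var _ DEKStore = (*SecretsKMS)(nil)` (and likewise for `*VaultKMS` and `*VaultTokensKMS`), turns it into a build error.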
@ -79,6 +79,7 @@ type vaultConnection struct {
|
|||||||
|
|
||||||
type VaultKMS struct {
|
type VaultKMS struct {
|
||||||
vaultConnection
|
vaultConnection
|
||||||
|
integratedDEK
|
||||||
|
|
||||||
// vaultPassphrasePath (VPP) used to be added before the "key" of the
|
// vaultPassphrasePath (VPP) used to be added before the "key" of the
|
||||||
// secret (like /v1/secret/data/<VPP>/key)
|
// secret (like /v1/secret/data/<VPP>/key)
|
||||||
|
@ -161,6 +161,7 @@ Example JSON structure in the KMS config is,
|
|||||||
*/
|
*/
|
||||||
type VaultTokensKMS struct {
|
type VaultTokensKMS struct {
|
||||||
vaultConnection
|
vaultConnection
|
||||||
|
integratedDEK
|
||||||
|
|
||||||
// Tenant is the name of the owner of the volume
|
// Tenant is the name of the owner of the volume
|
||||||
Tenant string
|
Tenant string
|
||||||
|