Use --keyfile option to pass keys to all Ceph CLIs
Every Ceph CLI that is invoked at present passes the key via the --key option, and hence the key is exposed to being displayed on the host using a ps command or similar means. This commit addresses this issue by stashing the key in a tmp file, which in turn is created on a tmpfs (or an empty dir backed by memory), and then passing such tmp files via the --keyfile option to every CLI that is invoked. This prevents the key from being visible as part of the argument list of the invoked program on the system. Fixes: #318 Signed-off-by: ShyamsundarR <srangana@redhat.com>
parent
c2835183e5
commit
bd204d7d45
@ -106,6 +106,8 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
mountPath: /etc/ceph-csi-config/
|
mountPath: /etc/ceph-csi-config/
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
mountPath: /tmp/csi/keys
|
||||||
resources:
|
resources:
|
||||||
{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
|
{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
@ -142,6 +144,10 @@ spec:
|
|||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
configMap:
|
configMap:
|
||||||
name: {{ .Values.configMapName | quote }}
|
name: {{ .Values.configMapName | quote }}
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
emptyDir: {
|
||||||
|
medium: "Memory"
|
||||||
|
}
|
||||||
{{- if .Values.nodeplugin.affinity -}}
|
{{- if .Values.nodeplugin.affinity -}}
|
||||||
affinity:
|
affinity:
|
||||||
{{ toYaml .Values.nodeplugin.affinity . | indent 8 }}
|
{{ toYaml .Values.nodeplugin.affinity . | indent 8 }}
|
||||||
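Review bot: The memory-backed `keys-tmp-dir` emptyDir added in the second hunk carries no `sizeLimit`, so the tmpfs holding the key files is bounded only by the container's memory limit; a small explicit bound, `emptyDir: { medium: "Memory", sizeLimit: "1Mi" }`, keeps any key files left behind by an interrupted request from growing into pod memory. The `/tmp/csi/keys` mount presumably has to match a directory hard-coded in the credentials helper (not visible in this commit), so a template comment on the mount, `# must match the key-file directory the plugin writes to`, records the coupling. The same two points apply to the remaining seven manifest sections of this commit, which add the identical volume and mount.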
|
@ -90,6 +90,8 @@ spec:
|
|||||||
mountPath: "/rootfs"
|
mountPath: "/rootfs"
|
||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
mountPath: /etc/ceph-csi-config/
|
mountPath: /etc/ceph-csi-config/
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
mountPath: /tmp/csi/keys
|
||||||
resources:
|
resources:
|
||||||
{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
|
{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
@ -102,6 +104,10 @@ spec:
|
|||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
configMap:
|
configMap:
|
||||||
name: {{ .Values.configMapName | quote }}
|
name: {{ .Values.configMapName | quote }}
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
emptyDir: {
|
||||||
|
medium: "Memory"
|
||||||
|
}
|
||||||
{{- if .Values.provisioner.affinity -}}
|
{{- if .Values.provisioner.affinity -}}
|
||||||
affinity:
|
affinity:
|
||||||
{{ toYaml .Values.provisioner.affinity . | indent 8 }}
|
{{ toYaml .Values.provisioner.affinity . | indent 8 }}
|
||||||
|
@ -94,6 +94,8 @@ spec:
|
|||||||
mountPath: /dev
|
mountPath: /dev
|
||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
mountPath: /etc/ceph-csi-config/
|
mountPath: /etc/ceph-csi-config/
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
mountPath: /tmp/csi/keys
|
||||||
volumes:
|
volumes:
|
||||||
- name: socket-dir
|
- name: socket-dir
|
||||||
hostPath:
|
hostPath:
|
||||||
@ -111,3 +113,7 @@ spec:
|
|||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
configMap:
|
configMap:
|
||||||
name: ceph-csi-config
|
name: ceph-csi-config
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
emptyDir: {
|
||||||
|
medium: "Memory"
|
||||||
|
}
|
||||||
|
@ -90,6 +90,8 @@ spec:
|
|||||||
mountPath: /dev
|
mountPath: /dev
|
||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
mountPath: /etc/ceph-csi-config/
|
mountPath: /etc/ceph-csi-config/
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
mountPath: /tmp/csi/keys
|
||||||
volumes:
|
volumes:
|
||||||
- name: mount-cache-dir
|
- name: mount-cache-dir
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
@ -121,3 +123,7 @@ spec:
|
|||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
configMap:
|
configMap:
|
||||||
name: ceph-csi-config
|
name: ceph-csi-config
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
emptyDir: {
|
||||||
|
medium: "Memory"
|
||||||
|
}
|
||||||
|
@ -105,6 +105,8 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
mountPath: /etc/ceph-csi-config/
|
mountPath: /etc/ceph-csi-config/
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
mountPath: /tmp/csi/keys
|
||||||
resources:
|
resources:
|
||||||
{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
|
{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
@ -139,6 +141,10 @@ spec:
|
|||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
configMap:
|
configMap:
|
||||||
name: {{ .Values.configMapName | quote }}
|
name: {{ .Values.configMapName | quote }}
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
emptyDir: {
|
||||||
|
medium: "Memory"
|
||||||
|
}
|
||||||
{{- if .Values.nodeplugin.affinity -}}
|
{{- if .Values.nodeplugin.affinity -}}
|
||||||
affinity:
|
affinity:
|
||||||
{{ toYaml .Values.nodeplugin.affinity . | indent 8 }}
|
{{ toYaml .Values.nodeplugin.affinity . | indent 8 }}
|
||||||
|
@ -107,6 +107,8 @@ spec:
|
|||||||
mountPath: "/rootfs"
|
mountPath: "/rootfs"
|
||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
mountPath: /etc/ceph-csi-config/
|
mountPath: /etc/ceph-csi-config/
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
mountPath: /tmp/csi/keys
|
||||||
resources:
|
resources:
|
||||||
{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
|
{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
@ -119,6 +121,10 @@ spec:
|
|||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
configMap:
|
configMap:
|
||||||
name: {{ .Values.configMapName | quote }}
|
name: {{ .Values.configMapName | quote }}
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
emptyDir: {
|
||||||
|
medium: "Memory"
|
||||||
|
}
|
||||||
{{- if .Values.provisioner.affinity -}}
|
{{- if .Values.provisioner.affinity -}}
|
||||||
affinity:
|
affinity:
|
||||||
{{ toYaml .Values.provisioner.affinity . | indent 8 }}
|
{{ toYaml .Values.provisioner.affinity . | indent 8 }}
|
||||||
|
@ -109,6 +109,8 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
mountPath: /etc/ceph-csi-config/
|
mountPath: /etc/ceph-csi-config/
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
mountPath: /tmp/csi/keys
|
||||||
volumes:
|
volumes:
|
||||||
- name: host-dev
|
- name: host-dev
|
||||||
hostPath:
|
hostPath:
|
||||||
@ -129,3 +131,7 @@ spec:
|
|||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
configMap:
|
configMap:
|
||||||
name: ceph-csi-config
|
name: ceph-csi-config
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
emptyDir: {
|
||||||
|
medium: "Memory"
|
||||||
|
}
|
||||||
|
@ -90,6 +90,8 @@ spec:
|
|||||||
- name: mountpoint-dir
|
- name: mountpoint-dir
|
||||||
mountPath: /var/lib/kubelet/pods
|
mountPath: /var/lib/kubelet/pods
|
||||||
mountPropagation: "Bidirectional"
|
mountPropagation: "Bidirectional"
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
mountPath: /tmp/csi/keys
|
||||||
volumes:
|
volumes:
|
||||||
- name: socket-dir
|
- name: socket-dir
|
||||||
hostPath:
|
hostPath:
|
||||||
@ -122,3 +124,7 @@ spec:
|
|||||||
- name: ceph-csi-config
|
- name: ceph-csi-config
|
||||||
configMap:
|
configMap:
|
||||||
name: ceph-csi-config
|
name: ceph-csi-config
|
||||||
|
- name: keys-tmp-dir
|
||||||
|
emptyDir: {
|
||||||
|
medium: "Memory"
|
||||||
|
}
|
||||||
|
@ -41,7 +41,7 @@ func getFscID(monitors string, cr *util.Credentials, fsName string) (int64, erro
|
|||||||
"ceph",
|
"ceph",
|
||||||
"-m", monitors,
|
"-m", monitors,
|
||||||
"--id", cr.ID,
|
"--id", cr.ID,
|
||||||
"--key="+cr.Key,
|
"--keyfile="+cr.KeyFile,
|
||||||
"-c", util.CephConfigPath,
|
"-c", util.CephConfigPath,
|
||||||
"fs", "get", fsName, "--format=json",
|
"fs", "get", fsName, "--format=json",
|
||||||
)
|
)
|
||||||
@ -69,7 +69,7 @@ func getMetadataPool(monitors string, cr *util.Credentials, fsName string) (stri
|
|||||||
"ceph",
|
"ceph",
|
||||||
"-m", monitors,
|
"-m", monitors,
|
||||||
"--id", cr.ID,
|
"--id", cr.ID,
|
||||||
"--key="+cr.Key,
|
"--keyfile="+cr.KeyFile,
|
||||||
"-c", util.CephConfigPath,
|
"-c", util.CephConfigPath,
|
||||||
"fs", "ls", "--format=json",
|
"fs", "ls", "--format=json",
|
||||||
)
|
)
|
||||||
@ -99,7 +99,7 @@ func getFsName(monitors string, cr *util.Credentials, fscID int64) (string, erro
|
|||||||
"ceph",
|
"ceph",
|
||||||
"-m", monitors,
|
"-m", monitors,
|
||||||
"--id", cr.ID,
|
"--id", cr.ID,
|
||||||
"--key="+cr.Key,
|
"--keyfile="+cr.KeyFile,
|
||||||
"-c", util.CephConfigPath,
|
"-c", util.CephConfigPath,
|
||||||
"fs", "dump", "--format=json",
|
"fs", "dump", "--format=json",
|
||||||
)
|
)
|
||||||
|
@ -40,7 +40,7 @@ func deleteCephUserDeprecated(volOptions *volumeOptions, adminCr *util.Credentia
|
|||||||
return execCommandErr("ceph",
|
return execCommandErr("ceph",
|
||||||
"-m", volOptions.Monitors,
|
"-m", volOptions.Monitors,
|
||||||
"-n", adminID,
|
"-n", adminID,
|
||||||
"--key="+adminCr.Key,
|
"--keyfile="+adminCr.KeyFile,
|
||||||
"-c", util.CephConfigPath,
|
"-c", util.CephConfigPath,
|
||||||
"auth", "rm", userID,
|
"auth", "rm", userID,
|
||||||
)
|
)
|
||||||
|
@ -46,10 +46,11 @@ var (
|
|||||||
|
|
||||||
// createBackingVolume creates the backing subvolume and on any error cleans up any created entities
|
// createBackingVolume creates the backing subvolume and on any error cleans up any created entities
|
||||||
func (cs *ControllerServer) createBackingVolume(volOptions *volumeOptions, vID *volumeIdentifier, secret map[string]string) error {
|
func (cs *ControllerServer) createBackingVolume(volOptions *volumeOptions, vID *volumeIdentifier, secret map[string]string) error {
|
||||||
cr, err := util.GetAdminCredentials(secret)
|
cr, err := util.NewAdminCredentials(secret)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return status.Error(codes.InvalidArgument, err.Error())
|
return status.Error(codes.InvalidArgument, err.Error())
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
if err = createVolume(volOptions, cr, volumeID(vID.FsSubvolName), volOptions.Size); err != nil {
|
if err = createVolume(volOptions, cr, volumeID(vID.FsSubvolName), volOptions.Size); err != nil {
|
||||||
klog.Errorf("failed to create volume %s: %v", volOptions.RequestName, err)
|
klog.Errorf("failed to create volume %s: %v", volOptions.RequestName, err)
|
||||||
@ -168,11 +169,12 @@ func (cs *ControllerServer) deleteVolumeDeprecated(req *csi.DeleteVolumeRequest)
|
|||||||
|
|
||||||
// Deleting a volume requires admin credentials
|
// Deleting a volume requires admin credentials
|
||||||
|
|
||||||
cr, err := util.GetAdminCredentials(secrets)
|
cr, err := util.NewAdminCredentials(secrets)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Errorf("failed to retrieve admin credentials: %v", err)
|
klog.Errorf("failed to retrieve admin credentials: %v", err)
|
||||||
return nil, status.Error(codes.InvalidArgument, err.Error())
|
return nil, status.Error(codes.InvalidArgument, err.Error())
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
idLk := volumeIDLocker.Lock(string(volID))
|
idLk := volumeIDLocker.Lock(string(volID))
|
||||||
defer volumeIDLocker.Unlock(idLk, string(volID))
|
defer volumeIDLocker.Unlock(idLk, string(volID))
|
||||||
@ -225,11 +227,12 @@ func (cs *ControllerServer) DeleteVolume(ctx context.Context, req *csi.DeleteVol
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Deleting a volume requires admin credentials
|
// Deleting a volume requires admin credentials
|
||||||
cr, err := util.GetAdminCredentials(secrets)
|
cr, err := util.NewAdminCredentials(secrets)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Errorf("failed to retrieve admin credentials: %v", err)
|
klog.Errorf("failed to retrieve admin credentials: %v", err)
|
||||||
return nil, status.Error(codes.InvalidArgument, err.Error())
|
return nil, status.Error(codes.InvalidArgument, err.Error())
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
// lock out parallel delete and create requests against the same volume name as we
|
// lock out parallel delete and create requests against the same volume name as we
|
||||||
// cleanup the subvolume and associated omaps for the same
|
// cleanup the subvolume and associated omaps for the same
|
||||||
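Review bot: `defer cr.DeleteCredentials()` at the three new call sites discards whatever DeleteCredentials reports, so if removing the key file fails the key silently outlives the request on the tmpfs; if the method returns an error, `defer func() { if err := cr.DeleteCredentials(); err != nil { klog.Errorf("failed to delete credentials: %v", err) } }()` at least leaves a trace. The same bare defer is added in the hunks for checkVolExists, undoVolReservation, reserveVol, mountOneCacheEntry, NodeServer.mount, newVolumeOptions, newVolumeOptionsFromVolID, the rbd controller methods and NodeStageVolume, so one small helper would keep the handling uniform. On the error path nothing is deleted, which is only safe if NewAdminCredentials never leaves a partially written key file behind; that constructor is outside this page and worth confirming.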
|
@ -49,10 +49,11 @@ func checkVolExists(volOptions *volumeOptions, secret map[string]string) (*volum
|
|||||||
vid volumeIdentifier
|
vid volumeIdentifier
|
||||||
)
|
)
|
||||||
|
|
||||||
cr, err := util.GetAdminCredentials(secret)
|
cr, err := util.NewAdminCredentials(secret)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
imageUUID, err := volJournal.CheckReservation(volOptions.Monitors, cr,
|
imageUUID, err := volJournal.CheckReservation(volOptions.Monitors, cr,
|
||||||
volOptions.MetadataPool, volOptions.RequestName, "")
|
volOptions.MetadataPool, volOptions.RequestName, "")
|
||||||
@ -86,10 +87,11 @@ func checkVolExists(volOptions *volumeOptions, secret map[string]string) (*volum
|
|||||||
|
|
||||||
// undoVolReservation is a helper routine to undo a name reservation for a CSI VolumeName
|
// undoVolReservation is a helper routine to undo a name reservation for a CSI VolumeName
|
||||||
func undoVolReservation(volOptions *volumeOptions, vid volumeIdentifier, secret map[string]string) error {
|
func undoVolReservation(volOptions *volumeOptions, vid volumeIdentifier, secret map[string]string) error {
|
||||||
cr, err := util.GetAdminCredentials(secret)
|
cr, err := util.NewAdminCredentials(secret)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
err = volJournal.UndoReservation(volOptions.Monitors, cr, volOptions.MetadataPool,
|
err = volJournal.UndoReservation(volOptions.Monitors, cr, volOptions.MetadataPool,
|
||||||
vid.FsSubvolName, volOptions.RequestName)
|
vid.FsSubvolName, volOptions.RequestName)
|
||||||
@ -105,10 +107,11 @@ func reserveVol(volOptions *volumeOptions, secret map[string]string) (*volumeIde
|
|||||||
vid volumeIdentifier
|
vid volumeIdentifier
|
||||||
)
|
)
|
||||||
|
|
||||||
cr, err := util.GetAdminCredentials(secret)
|
cr, err := util.NewAdminCredentials(secret)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
imageUUID, err := volJournal.ReserveName(volOptions.Monitors, cr,
|
imageUUID, err := volJournal.ReserveName(volOptions.Monitors, cr,
|
||||||
volOptions.MetadataPool, volOptions.RequestName, "")
|
volOptions.MetadataPool, volOptions.RequestName, "")
|
||||||
|
@ -95,20 +95,22 @@ func mountOneCacheEntry(volOptions *volumeOptions, vid *volumeIdentifier, me *vo
|
|||||||
volID := vid.VolumeID
|
volID := vid.VolumeID
|
||||||
|
|
||||||
if volOptions.ProvisionVolume {
|
if volOptions.ProvisionVolume {
|
||||||
cr, err = util.GetAdminCredentials(decodeCredentials(me.Secrets))
|
cr, err = util.NewAdminCredentials(decodeCredentials(me.Secrets))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
volOptions.RootPath, err = getVolumeRootPathCeph(volOptions, cr, volumeID(vid.FsSubvolName))
|
volOptions.RootPath, err = getVolumeRootPathCeph(volOptions, cr, volumeID(vid.FsSubvolName))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
cr, err = util.GetUserCredentials(decodeCredentials(me.Secrets))
|
cr, err = util.NewUserCredentials(decodeCredentials(me.Secrets))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
}
|
}
|
||||||
|
|
||||||
err = cleanupMountPoint(me.StagingPath)
|
err = cleanupMountPoint(me.StagingPath)
|
||||||
|
@ -44,30 +44,25 @@ var (
|
|||||||
|
|
||||||
func getCredentialsForVolume(volOptions *volumeOptions, req *csi.NodeStageVolumeRequest) (*util.Credentials, error) {
|
func getCredentialsForVolume(volOptions *volumeOptions, req *csi.NodeStageVolumeRequest) (*util.Credentials, error) {
|
||||||
var (
|
var (
|
||||||
|
err error
|
||||||
cr *util.Credentials
|
cr *util.Credentials
|
||||||
secrets = req.GetSecrets()
|
secrets = req.GetSecrets()
|
||||||
)
|
)
|
||||||
|
|
||||||
if volOptions.ProvisionVolume {
|
if volOptions.ProvisionVolume {
|
||||||
// The volume is provisioned dynamically, get the credentials directly from Ceph
|
// The volume is provisioned dynamically, use passed in admin credentials
|
||||||
|
|
||||||
// First, get admin credentials - those are needed for retrieving the user credentials
|
cr, err = util.NewAdminCredentials(secrets)
|
||||||
|
|
||||||
adminCr, err := util.GetAdminCredentials(secrets)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to get admin credentials from node stage secrets: %v", err)
|
return nil, fmt.Errorf("failed to get admin credentials from node stage secrets: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
cr = adminCr
|
|
||||||
} else {
|
} else {
|
||||||
// The volume is pre-made, credentials are in node stage secrets
|
// The volume is pre-made, credentials are in node stage secrets
|
||||||
|
|
||||||
userCr, err := util.GetUserCredentials(req.GetSecrets())
|
cr, err = util.NewUserCredentials(req.GetSecrets())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to get user credentials from node stage secrets: %v", err)
|
return nil, fmt.Errorf("failed to get user credentials from node stage secrets: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
cr = userCr
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return cr, nil
|
return cr, nil
|
||||||
@ -150,6 +145,7 @@ func (*NodeServer) mount(volOptions *volumeOptions, req *csi.NodeStageVolumeRequ
|
|||||||
klog.Errorf("failed to get ceph credentials for volume %s: %v", volID, err)
|
klog.Errorf("failed to get ceph credentials for volume %s: %v", volID, err)
|
||||||
return status.Error(codes.Internal, err.Error())
|
return status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
m, err := newMounter(volOptions)
|
m, err := newMounter(volOptions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
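Review bot: getCredentialsForVolume now returns a Credentials whose key file the caller must remove, but nothing in the function's documentation says so; the `mount` hunk does defer `cr.DeleteCredentials()`, so a doc comment above the function, `// getCredentialsForVolume returns Credentials backed by a key file; the caller owns them and must call DeleteCredentials when done.`, pins that contract for any future caller. The `err error` entry added to the var block is what lets both branches assign the outer `err` with `=` so the shared `if err != nil` checks see the result; a stray `:=` in either branch would silently reintroduce the shadowing the old `adminCr, err :=` had. mount's body starts before its hunk.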
|
@ -64,7 +64,7 @@ func getVolumeRootPathCeph(volOptions *volumeOptions, cr *util.Credentials, volI
|
|||||||
"-m", volOptions.Monitors,
|
"-m", volOptions.Monitors,
|
||||||
"-c", util.CephConfigPath,
|
"-c", util.CephConfigPath,
|
||||||
"-n", cephEntityClientPrefix+cr.ID,
|
"-n", cephEntityClientPrefix+cr.ID,
|
||||||
"--key="+cr.Key)
|
"--keyfile="+cr.KeyFile)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Errorf("failed to get the rootpath for the vol %s(%s)", string(volID), err)
|
klog.Errorf("failed to get the rootpath for the vol %s(%s)", string(volID), err)
|
||||||
@ -90,7 +90,7 @@ func createVolume(volOptions *volumeOptions, cr *util.Credentials, volID volumeI
|
|||||||
"-m", volOptions.Monitors,
|
"-m", volOptions.Monitors,
|
||||||
"-c", util.CephConfigPath,
|
"-c", util.CephConfigPath,
|
||||||
"-n", cephEntityClientPrefix+cr.ID,
|
"-n", cephEntityClientPrefix+cr.ID,
|
||||||
"--key="+cr.Key)
|
"--keyfile="+cr.KeyFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Errorf("failed to create subvolume group csi, for the vol %s(%s)", string(volID), err)
|
klog.Errorf("failed to create subvolume group csi, for the vol %s(%s)", string(volID), err)
|
||||||
return err
|
return err
|
||||||
@ -111,7 +111,7 @@ func createVolume(volOptions *volumeOptions, cr *util.Credentials, volID volumeI
|
|||||||
"-m", volOptions.Monitors,
|
"-m", volOptions.Monitors,
|
||||||
"-c", util.CephConfigPath,
|
"-c", util.CephConfigPath,
|
||||||
"-n", cephEntityClientPrefix+cr.ID,
|
"-n", cephEntityClientPrefix+cr.ID,
|
||||||
"--key="+cr.Key)
|
"--keyfile="+cr.KeyFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Errorf("failed to create subvolume %s(%s) in fs %s", string(volID), err, volOptions.FsName)
|
klog.Errorf("failed to create subvolume %s(%s) in fs %s", string(volID), err, volOptions.FsName)
|
||||||
return err
|
return err
|
||||||
@ -198,7 +198,7 @@ func purgeVolume(volID volumeID, cr *util.Credentials, volOptions *volumeOptions
|
|||||||
"-m", volOptions.Monitors,
|
"-m", volOptions.Monitors,
|
||||||
"-c", util.CephConfigPath,
|
"-c", util.CephConfigPath,
|
||||||
"-n", cephEntityClientPrefix+cr.ID,
|
"-n", cephEntityClientPrefix+cr.ID,
|
||||||
"--key="+cr.Key)
|
"--keyfile="+cr.KeyFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Errorf("failed to purge subvolume %s(%s) in fs %s", string(volID), err, volOptions.FsName)
|
klog.Errorf("failed to purge subvolume %s(%s) in fs %s", string(volID), err, volOptions.FsName)
|
||||||
return err
|
return err
|
||||||
|
@ -119,7 +119,7 @@ func mountFuse(mountPoint string, cr *util.Credentials, volOptions *volumeOption
|
|||||||
mountPoint,
|
mountPoint,
|
||||||
"-m", volOptions.Monitors,
|
"-m", volOptions.Monitors,
|
||||||
"-c", util.CephConfigPath,
|
"-c", util.CephConfigPath,
|
||||||
"-n", cephEntityClientPrefix + cr.ID, "--key=" + cr.Key,
|
"-n", cephEntityClientPrefix + cr.ID, "--keyfile=" + cr.KeyFile,
|
||||||
"-r", volOptions.RootPath,
|
"-r", volOptions.RootPath,
|
||||||
"-o", "nonempty",
|
"-o", "nonempty",
|
||||||
}
|
}
|
||||||
@ -176,7 +176,7 @@ func mountKernel(mountPoint string, cr *util.Credentials, volOptions *volumeOpti
|
|||||||
fmt.Sprintf("%s:%s", volOptions.Monitors, volOptions.RootPath),
|
fmt.Sprintf("%s:%s", volOptions.Monitors, volOptions.RootPath),
|
||||||
mountPoint,
|
mountPoint,
|
||||||
}
|
}
|
||||||
optionsStr := fmt.Sprintf("name=%s,secret=%s", cr.ID, cr.Key)
|
optionsStr := fmt.Sprintf("name=%s,secretfile=%s", cr.ID, cr.KeyFile)
|
||||||
if volOptions.FsName != "" {
|
if volOptions.FsName != "" {
|
||||||
optionsStr += fmt.Sprintf(",mds_namespace=%s", volOptions.FsName)
|
optionsStr += fmt.Sprintf(",mds_namespace=%s", volOptions.FsName)
|
||||||
}
|
}
|
||||||
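Review bot: mountKernel now hands `secretfile=` to `mount` in the options string, which keeps the key out of mount's argv only if the mount.ceph helper consumes the file itself and passes the key to the kernel outside the options string; current helpers do, but this hunk cannot show it, so it is worth verifying on the supported ceph-common versions. Both mountFuse and mountKernel also rely on the key file existing while the command runs, and it is removed when the caller (`NodeServer.mount` in this commit) returns; for ceph-fuse, which daemonizes, that assumes the foreground process does not exit before authentication has read the file. A comment on the optionsStr line, `// secretfile= is read by the mount helper; the file is owned by the caller and removed after mount returns`, would record both assumptions.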
|
@ -149,10 +149,11 @@ func newVolumeOptions(requestName string, size int64, volOptions, secret map[str
|
|||||||
opts.RequestName = requestName
|
opts.RequestName = requestName
|
||||||
opts.Size = size
|
opts.Size = size
|
||||||
|
|
||||||
cr, err := util.GetAdminCredentials(secret)
|
cr, err := util.NewAdminCredentials(secret)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
opts.FscID, err = getFscID(opts.Monitors, cr, opts.FsName)
|
opts.FscID, err = getFscID(opts.Monitors, cr, opts.FsName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -194,10 +195,11 @@ func newVolumeOptionsFromVolID(volID string, volOpt, secrets map[string]string)
|
|||||||
return nil, nil, errors.Wrapf(err, "failed to fetch monitor list using clusterID (%s)", vi.ClusterID)
|
return nil, nil, errors.Wrapf(err, "failed to fetch monitor list using clusterID (%s)", vi.ClusterID)
|
||||||
}
|
}
|
||||||
|
|
||||||
cr, err := util.GetAdminCredentials(secrets)
|
cr, err := util.NewAdminCredentials(secrets)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
volOptions.FsName, err = getFsName(volOptions.Monitors, cr, volOptions.FscID)
|
volOptions.FsName, err = getFsName(volOptions.Monitors, cr, volOptions.FscID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -112,10 +112,11 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
cr, err := util.GetUserCredentials(req.GetSecrets())
|
cr, err := util.NewUserCredentials(req.GetSecrets())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, status.Error(codes.Internal, err.Error())
|
return nil, status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
rbdVol, err := cs.parseVolCreateRequest(req)
|
rbdVol, err := cs.parseVolCreateRequest(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -179,10 +180,11 @@ func (cs *ControllerServer) createBackingImage(rbdVol *rbdVolume, req *csi.Creat
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
cr, err := util.GetUserCredentials(req.GetSecrets())
|
cr, err := util.NewUserCredentials(req.GetSecrets())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return status.Error(codes.Internal, err.Error())
|
return status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
err = createImage(rbdVol, volSizeMiB, cr)
|
err = createImage(rbdVol, volSizeMiB, cr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -206,10 +208,11 @@ func (cs *ControllerServer) checkSnapshot(req *csi.CreateVolumeRequest, rbdVol *
|
|||||||
return status.Error(codes.InvalidArgument, "volume Snapshot ID cannot be empty")
|
return status.Error(codes.InvalidArgument, "volume Snapshot ID cannot be empty")
|
||||||
}
|
}
|
||||||
|
|
||||||
cr, err := util.GetUserCredentials(req.GetSecrets())
|
cr, err := util.NewUserCredentials(req.GetSecrets())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return status.Error(codes.Internal, err.Error())
|
return status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
rbdSnap := &rbdSnapshot{}
|
rbdSnap := &rbdSnapshot{}
|
||||||
if err = genSnapFromSnapID(rbdSnap, snapshotID, cr); err != nil {
|
if err = genSnapFromSnapID(rbdSnap, snapshotID, cr); err != nil {
|
||||||
@ -279,10 +282,11 @@ func (cs *ControllerServer) DeleteVolume(ctx context.Context, req *csi.DeleteVol
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
cr, err := util.GetUserCredentials(req.GetSecrets())
|
cr, err := util.NewUserCredentials(req.GetSecrets())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, status.Error(codes.Internal, err.Error())
|
return nil, status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
// For now the image get unconditionally deleted, but here retention policy can be checked
|
// For now the image get unconditionally deleted, but here retention policy can be checked
|
||||||
volumeID := req.GetVolumeId()
|
volumeID := req.GetVolumeId()
|
||||||
@ -381,10 +385,11 @@ func (cs *ControllerServer) CreateSnapshot(ctx context.Context, req *csi.CreateS
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
cr, err := util.GetUserCredentials(req.GetSecrets())
|
cr, err := util.NewUserCredentials(req.GetSecrets())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, status.Error(codes.Internal, err.Error())
|
return nil, status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
// Fetch source volume information
|
// Fetch source volume information
|
||||||
rbdVol := new(rbdVolume)
|
rbdVol := new(rbdVolume)
|
||||||
@ -533,10 +538,11 @@ func (cs *ControllerServer) DeleteSnapshot(ctx context.Context, req *csi.DeleteS
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
cr, err := util.GetUserCredentials(req.GetSecrets())
|
cr, err := util.NewUserCredentials(req.GetSecrets())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, status.Error(codes.Internal, err.Error())
|
return nil, status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
snapshotID := req.GetSnapshotId()
|
snapshotID := req.GetSnapshotId()
|
||||||
if snapshotID == "" {
|
if snapshotID == "" {
|
||||||
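Review bot: A single CreateVolume request now writes the key file up to three times: once in CreateVolume itself, again in createBackingImage's else branch, and again in checkSnapshot, each from the same `req.GetSecrets()` and each deferred-deleted separately. If those helpers are reached only from CreateVolume (inferred from their names and signatures, not visible here), passing the already-built `cr` down instead of rebuilding it from `req` removes two extra copies of the key on the tmpfs and two extra windows in which it exists. The same reasoning applies to newVolumeOptions in the cephfs hunks, which builds admin credentials only to call getFscID and getMetadataPool.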
|
@ -62,10 +62,11 @@ func (ns *NodeServer) NodeStageVolume(ctx context.Context, req *csi.NodeStageVol
|
|||||||
|
|
||||||
volID := req.GetVolumeId()
|
volID := req.GetVolumeId()
|
||||||
|
|
||||||
cr, err := util.GetUserCredentials(req.GetSecrets())
|
cr, err := util.NewUserCredentials(req.GetSecrets())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, status.Error(codes.Internal, err.Error())
|
return nil, status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
|
defer cr.DeleteCredentials()
|
||||||
|
|
||||||
isLegacyVolume := false
|
isLegacyVolume := false
|
||||||
volName, err := getVolumeName(req.GetVolumeId())
|
volName, err := getVolumeName(req.GetVolumeId())
|
||||||
|
@ -277,7 +277,7 @@ func createPath(volOpt *rbdVolume, cr *util.Credentials) (string, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
output, err := execCommand(cmdName, []string{
|
output, err := execCommand(cmdName, []string{
|
||||||
"map", imagePath, "--id", cr.ID, "-m", volOpt.Monitors, "--key=" + cr.Key})
|
"map", imagePath, "--id", cr.ID, "-m", volOpt.Monitors, "--keyfile=" + cr.KeyFile})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Warningf("rbd: map error %v, rbd output: %s", err, string(output))
|
klog.Warningf("rbd: map error %v, rbd output: %s", err, string(output))
|
||||||
return "", fmt.Errorf("rbd: map failed %v, rbd output: %s", err, string(output))
|
return "", fmt.Errorf("rbd: map failed %v, rbd output: %s", err, string(output))
|
||||||
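Review bot: createPath passes `--keyfile=` to whatever binary `cmdName` resolves to (chosen above the hunk, not visible here); if that can be rbd-nbd as well as rbd, the nbd path deserves an explicit test, since `--keyfile` is a librados-level option both should honour but a rejected option here surfaces only as the generic map error logged on the following lines. A short comment on the argument list, `// key passed via --keyfile so it never appears in the process argument list`, records why the option changed.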
|
@ -116,7 +116,7 @@ func createImage(pOpts *rbdVolume, volSz int64, cr *util.Credentials) error {
|
|||||||
} else {
|
} else {
|
||||||
klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s", image, volSzMiB, pOpts.ImageFormat, pOpts.Monitors, pOpts.Pool)
|
klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s", image, volSzMiB, pOpts.ImageFormat, pOpts.Monitors, pOpts.Pool)
|
||||||
}
|
}
|
||||||
args := []string{"create", image, "--size", volSzMiB, "--pool", pOpts.Pool, "--id", cr.ID, "-m", pOpts.Monitors, "--key=" + cr.Key, "--image-format", pOpts.ImageFormat}
|
args := []string{"create", image, "--size", volSzMiB, "--pool", pOpts.Pool, "--id", cr.ID, "-m", pOpts.Monitors, "--keyfile=" + cr.KeyFile, "--image-format", pOpts.ImageFormat}
|
||||||
if pOpts.ImageFormat == rbdImageFormat2 {
|
if pOpts.ImageFormat == rbdImageFormat2 {
|
||||||
args = append(args, "--image-feature", pOpts.ImageFeatures)
|
args = append(args, "--image-feature", pOpts.ImageFeatures)
|
||||||
}
|
}
|
||||||
@ -138,7 +138,7 @@ func rbdStatus(pOpts *rbdVolume, cr *util.Credentials) (bool, string, error) {
|
|||||||
image := pOpts.RbdImageName
|
image := pOpts.RbdImageName
|
||||||
|
|
||||||
klog.V(4).Infof("rbd: status %s using mon %s, pool %s", image, pOpts.Monitors, pOpts.Pool)
|
klog.V(4).Infof("rbd: status %s using mon %s, pool %s", image, pOpts.Monitors, pOpts.Pool)
|
||||||
args := []string{"status", image, "--pool", pOpts.Pool, "-m", pOpts.Monitors, "--id", cr.ID, "--key=" + cr.Key}
|
args := []string{"status", image, "--pool", pOpts.Pool, "-m", pOpts.Monitors, "--id", cr.ID, "--keyfile=" + cr.KeyFile}
|
||||||
cmd, err := execCommand("rbd", args)
|
cmd, err := execCommand("rbd", args)
|
||||||
output = string(cmd)
|
output = string(cmd)
|
||||||
|
|
||||||
@ -179,7 +179,7 @@ func deleteImage(pOpts *rbdVolume, cr *util.Credentials) error {
|
|||||||
|
|
||||||
klog.V(4).Infof("rbd: rm %s using mon %s, pool %s", image, pOpts.Monitors, pOpts.Pool)
|
klog.V(4).Infof("rbd: rm %s using mon %s, pool %s", image, pOpts.Monitors, pOpts.Pool)
|
||||||
args := []string{"rm", image, "--pool", pOpts.Pool, "--id", cr.ID, "-m", pOpts.Monitors,
|
args := []string{"rm", image, "--pool", pOpts.Pool, "--id", cr.ID, "-m", pOpts.Monitors,
|
||||||
"--key=" + cr.Key}
|
"--keyfile=" + cr.KeyFile}
|
||||||
output, err = execCommand("rbd", args)
|
output, err = execCommand("rbd", args)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Errorf("failed to delete rbd image: %v, command output: %s", err, string(output))
|
klog.Errorf("failed to delete rbd image: %v, command output: %s", err, string(output))
|
||||||
@ -486,7 +486,7 @@ func protectSnapshot(pOpts *rbdSnapshot, cr *util.Credentials) error {
|
|||||||
|
|
||||||
klog.V(4).Infof("rbd: snap protect %s using mon %s, pool %s ", image, pOpts.Monitors, pOpts.Pool)
|
klog.V(4).Infof("rbd: snap protect %s using mon %s, pool %s ", image, pOpts.Monitors, pOpts.Pool)
|
||||||
args := []string{"snap", "protect", "--pool", pOpts.Pool, "--snap", snapName, image, "--id",
|
args := []string{"snap", "protect", "--pool", pOpts.Pool, "--snap", snapName, image, "--id",
|
||||||
cr.ID, "-m", pOpts.Monitors, "--key=" + cr.Key}
|
cr.ID, "-m", pOpts.Monitors, "--keyfile=" + cr.KeyFile}
|
||||||
|
|
||||||
output, err := execCommand("rbd", args)
|
output, err := execCommand("rbd", args)
|
||||||
|
|
||||||
@ -505,7 +505,7 @@ func createSnapshot(pOpts *rbdSnapshot, cr *util.Credentials) error {
|
|||||||
|
|
||||||
klog.V(4).Infof("rbd: snap create %s using mon %s, pool %s", image, pOpts.Monitors, pOpts.Pool)
|
klog.V(4).Infof("rbd: snap create %s using mon %s, pool %s", image, pOpts.Monitors, pOpts.Pool)
|
||||||
args := []string{"snap", "create", "--pool", pOpts.Pool, "--snap", snapName, image,
|
args := []string{"snap", "create", "--pool", pOpts.Pool, "--snap", snapName, image,
|
||||||
"--id", cr.ID, "-m", pOpts.Monitors, "--key=" + cr.Key}
|
"--id", cr.ID, "-m", pOpts.Monitors, "--keyfile=" + cr.KeyFile}
|
||||||
|
|
||||||
output, err := execCommand("rbd", args)
|
output, err := execCommand("rbd", args)
|
||||||
|
|
||||||
@ -524,7 +524,7 @@ func unprotectSnapshot(pOpts *rbdSnapshot, cr *util.Credentials) error {
|
|||||||
|
|
||||||
klog.V(4).Infof("rbd: snap unprotect %s using mon %s, pool %s", image, pOpts.Monitors, pOpts.Pool)
|
klog.V(4).Infof("rbd: snap unprotect %s using mon %s, pool %s", image, pOpts.Monitors, pOpts.Pool)
|
||||||
args := []string{"snap", "unprotect", "--pool", pOpts.Pool, "--snap", snapName, image, "--id",
|
args := []string{"snap", "unprotect", "--pool", pOpts.Pool, "--snap", snapName, image, "--id",
|
||||||
cr.ID, "-m", pOpts.Monitors, "--key=" + cr.Key}
|
cr.ID, "-m", pOpts.Monitors, "--keyfile=" + cr.KeyFile}
|
||||||
|
|
||||||
output, err := execCommand("rbd", args)
|
output, err := execCommand("rbd", args)
|
||||||
|
|
||||||
@ -543,7 +543,7 @@ func deleteSnapshot(pOpts *rbdSnapshot, cr *util.Credentials) error {
|
|||||||
|
|
||||||
klog.V(4).Infof("rbd: snap rm %s using mon %s, pool %s", image, pOpts.Monitors, pOpts.Pool)
|
klog.V(4).Infof("rbd: snap rm %s using mon %s, pool %s", image, pOpts.Monitors, pOpts.Pool)
|
||||||
args := []string{"snap", "rm", "--pool", pOpts.Pool, "--snap", snapName, image, "--id",
|
args := []string{"snap", "rm", "--pool", pOpts.Pool, "--snap", snapName, image, "--id",
|
||||||
cr.ID, "-m", pOpts.Monitors, "--key=" + cr.Key}
|
cr.ID, "-m", pOpts.Monitors, "--keyfile=" + cr.KeyFile}
|
||||||
|
|
||||||
output, err := execCommand("rbd", args)
|
output, err := execCommand("rbd", args)
|
||||||
|
|
||||||
@ -567,7 +567,7 @@ func restoreSnapshot(pVolOpts *rbdVolume, pSnapOpts *rbdSnapshot, cr *util.Crede
|
|||||||
|
|
||||||
klog.V(4).Infof("rbd: clone %s using mon %s, pool %s", image, pVolOpts.Monitors, pVolOpts.Pool)
|
klog.V(4).Infof("rbd: clone %s using mon %s, pool %s", image, pVolOpts.Monitors, pVolOpts.Pool)
|
||||||
args := []string{"clone", pSnapOpts.Pool + "/" + pSnapOpts.RbdImageName + "@" + snapName,
|
args := []string{"clone", pSnapOpts.Pool + "/" + pSnapOpts.RbdImageName + "@" + snapName,
|
||||||
pVolOpts.Pool + "/" + image, "--id", cr.ID, "-m", pVolOpts.Monitors, "--key=" + cr.Key}
|
pVolOpts.Pool + "/" + image, "--id", cr.ID, "-m", pVolOpts.Monitors, "--keyfile=" + cr.KeyFile}
|
||||||
|
|
||||||
output, err := execCommand("rbd", args)
|
output, err := execCommand("rbd", args)
|
||||||
|
|
||||||
@ -624,7 +624,7 @@ func getImageInfo(monitors string, cr *util.Credentials, poolName, imageName str
|
|||||||
"rbd",
|
"rbd",
|
||||||
"-m", monitors,
|
"-m", monitors,
|
||||||
"--id", cr.ID,
|
"--id", cr.ID,
|
||||||
"--key="+cr.Key,
|
"--keyfile="+cr.KeyFile,
|
||||||
"-c", util.CephConfigPath,
|
"-c", util.CephConfigPath,
|
||||||
"--format="+"json",
|
"--format="+"json",
|
||||||
"info", poolName+"/"+imageName)
|
"info", poolName+"/"+imageName)
|
||||||
@ -673,7 +673,7 @@ func getSnapInfo(monitors string, cr *util.Credentials, poolName, imageName, sna
|
|||||||
"rbd",
|
"rbd",
|
||||||
"-m", monitors,
|
"-m", monitors,
|
||||||
"--id", cr.ID,
|
"--id", cr.ID,
|
||||||
"--key="+cr.Key,
|
"--keyfile="+cr.KeyFile,
|
||||||
"-c", util.CephConfigPath,
|
"-c", util.CephConfigPath,
|
||||||
"--format="+"json",
|
"--format="+"json",
|
||||||
"snap", "ls", poolName+"/"+imageName)
|
"snap", "ls", poolName+"/"+imageName)
|
||||||
|
@ -63,7 +63,7 @@ func getPools(monitors string, cr *Credentials) ([]cephStoragePoolSummary, error
|
|||||||
"ceph",
|
"ceph",
|
||||||
"-m", monitors,
|
"-m", monitors,
|
||||||
"--id", cr.ID,
|
"--id", cr.ID,
|
||||||
"--key="+cr.Key,
|
"--keyfile="+cr.KeyFile,
|
||||||
"-c", CephConfigPath,
|
"-c", CephConfigPath,
|
||||||
"-f", "json",
|
"-f", "json",
|
||||||
"osd", "lspools")
|
"osd", "lspools")
|
||||||
@ -122,7 +122,7 @@ func SetOMapKeyValue(monitors string, cr *Credentials, poolName, namespace, oMap
|
|||||||
args := []string{
|
args := []string{
|
||||||
"-m", monitors,
|
"-m", monitors,
|
||||||
"--id", cr.ID,
|
"--id", cr.ID,
|
||||||
"--key=" + cr.Key,
|
"--keyfile=" + cr.KeyFile,
|
||||||
"-c", CephConfigPath,
|
"-c", CephConfigPath,
|
||||||
"-p", poolName,
|
"-p", poolName,
|
||||||
"setomapval", oMapName, oMapKey, keyValue,
|
"setomapval", oMapName, oMapKey, keyValue,
|
||||||
@ -157,7 +157,7 @@ func GetOMapValue(monitors string, cr *Credentials, poolName, namespace, oMapNam
|
|||||||
args := []string{
|
args := []string{
|
||||||
"-m", monitors,
|
"-m", monitors,
|
||||||
"--id", cr.ID,
|
"--id", cr.ID,
|
||||||
"--key=" + cr.Key,
|
"--keyfile=" + cr.KeyFile,
|
||||||
"-c", CephConfigPath,
|
"-c", CephConfigPath,
|
||||||
"-p", poolName,
|
"-p", poolName,
|
||||||
"getomapval", oMapName, oMapKey, tmpFile.Name(),
|
"getomapval", oMapName, oMapKey, tmpFile.Name(),
|
||||||
@ -199,7 +199,7 @@ func RemoveOMapKey(monitors string, cr *Credentials, poolName, namespace, oMapNa
|
|||||||
args := []string{
|
args := []string{
|
||||||
"-m", monitors,
|
"-m", monitors,
|
||||||
"--id", cr.ID,
|
"--id", cr.ID,
|
||||||
"--key=" + cr.Key,
|
"--keyfile=" + cr.KeyFile,
|
||||||
"-c", CephConfigPath,
|
"-c", CephConfigPath,
|
||||||
"-p", poolName,
|
"-p", poolName,
|
||||||
"rmomapkey", oMapName, oMapKey,
|
"rmomapkey", oMapName, oMapKey,
|
||||||
@ -227,7 +227,7 @@ func CreateObject(monitors string, cr *Credentials, poolName, namespace, objectN
|
|||||||
args := []string{
|
args := []string{
|
||||||
"-m", monitors,
|
"-m", monitors,
|
||||||
"--id", cr.ID,
|
"--id", cr.ID,
|
||||||
"--key=" + cr.Key,
|
"--keyfile=" + cr.KeyFile,
|
||||||
"-c", CephConfigPath,
|
"-c", CephConfigPath,
|
||||||
"-p", poolName,
|
"-p", poolName,
|
||||||
"create", objectName,
|
"create", objectName,
|
||||||
@ -257,7 +257,7 @@ func RemoveObject(monitors string, cr *Credentials, poolName, namespace, oMapNam
|
|||||||
args := []string{
|
args := []string{
|
||||||
"-m", monitors,
|
"-m", monitors,
|
||||||
"--id", cr.ID,
|
"--id", cr.ID,
|
||||||
"--key=" + cr.Key,
|
"--keyfile=" + cr.KeyFile,
|
||||||
"-c", CephConfigPath,
|
"-c", CephConfigPath,
|
||||||
"-p", poolName,
|
"-p", poolName,
|
||||||
"rm", oMapName,
|
"rm", oMapName,
|
||||||
|
@ -18,22 +18,54 @@ package util
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io/ioutil"
|
||||||
|
"os"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
credUserID = "userID"
|
credUserID = "userID"
|
||||||
credUserKey = "userKey"
|
credUserKey = "userKey"
|
||||||
credAdminID = "adminID"
|
credAdminID = "adminID"
|
||||||
credAdminKey = "adminKey"
|
credAdminKey = "adminKey"
|
||||||
credMonitors = "monitors"
|
credMonitors = "monitors"
|
||||||
|
tmpKeyFileLocation = "/tmp/csi/keys"
|
||||||
|
tmpKeyFileNamePrefix = "keyfile-"
|
||||||
)
|
)
|
||||||
|
|
||||||
type Credentials struct {
|
type Credentials struct {
|
||||||
ID string
|
ID string
|
||||||
Key string
|
KeyFile string
|
||||||
}
|
}
|
||||||
|
|
||||||
func getCredentials(idField, keyField string, secrets map[string]string) (*Credentials, error) {
|
func storeKey(key string) (string, error) {
|
||||||
|
tmpfile, err := ioutil.TempFile(tmpKeyFileLocation, tmpKeyFileNamePrefix)
|
||||||
|
if err != nil {
|
||||||
|
return "", fmt.Errorf("error creating a temporary keyfile (%s)", err)
|
||||||
|
}
|
||||||
|
defer func() {
|
||||||
|
if err != nil {
|
||||||
|
os.Remove(tmpfile.Name())
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
|
||||||
|
if _, err = tmpfile.Write([]byte(key)); err != nil {
|
||||||
|
return "", fmt.Errorf("error writing key to temporary keyfile (%s)", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
keyFile := tmpfile.Name()
|
||||||
|
if keyFile == "" {
|
||||||
|
err = fmt.Errorf("error reading temporary filename for key (%s)", err)
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = tmpfile.Close(); err != nil {
|
||||||
|
return "", fmt.Errorf("error closing temporary filename (%s)", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return keyFile, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func newCredentialsFromSecret(idField, keyField string, secrets map[string]string) (*Credentials, error) {
|
||||||
var (
|
var (
|
||||||
c = &Credentials{}
|
c = &Credentials{}
|
||||||
ok bool
|
ok bool
|
||||||
@ -43,19 +75,41 @@ func getCredentials(idField, keyField string, secrets map[string]string) (*Crede
|
|||||||
return nil, fmt.Errorf("missing ID field '%s' in secrets", idField)
|
return nil, fmt.Errorf("missing ID field '%s' in secrets", idField)
|
||||||
}
|
}
|
||||||
|
|
||||||
if c.Key, ok = secrets[keyField]; !ok {
|
key := secrets[keyField]
|
||||||
|
if key == "" {
|
||||||
return nil, fmt.Errorf("missing key field '%s' in secrets", keyField)
|
return nil, fmt.Errorf("missing key field '%s' in secrets", keyField)
|
||||||
}
|
}
|
||||||
|
|
||||||
return c, nil
|
keyFile, err := storeKey(key)
|
||||||
|
if err == nil {
|
||||||
|
c.KeyFile = keyFile
|
||||||
|
}
|
||||||
|
|
||||||
|
return c, err
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetUserCredentials(secrets map[string]string) (*Credentials, error) {
|
func (cr *Credentials) DeleteCredentials() {
|
||||||
return getCredentials(credUserID, credUserKey, secrets)
|
os.Remove(cr.KeyFile)
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetAdminCredentials(secrets map[string]string) (*Credentials, error) {
|
func NewUserCredentials(secrets map[string]string) (*Credentials, error) {
|
||||||
return getCredentials(credAdminID, credAdminKey, secrets)
|
return newCredentialsFromSecret(credUserID, credUserKey, secrets)
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewAdminCredentials(secrets map[string]string) (*Credentials, error) {
|
||||||
|
return newCredentialsFromSecret(credAdminID, credAdminKey, secrets)
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewCredentials(id, key string) (*Credentials, error) {
|
||||||
|
var c = &Credentials{}
|
||||||
|
|
||||||
|
c.ID = id
|
||||||
|
keyFile, err := storeKey(key)
|
||||||
|
if err == nil {
|
||||||
|
c.KeyFile = keyFile
|
||||||
|
}
|
||||||
|
|
||||||
|
return c, err
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetMonValFromSecret(secrets map[string]string) (string, error) {
|
func GetMonValFromSecret(secrets map[string]string) (string, error) {
|
||||||
|
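Review bot: The `if keyFile == ""` guard in `storeKey` is unreachable once `ioutil.TempFile` has succeeded, and because `err` is nil at that point its message would render as `error reading temporary filename for key (%!s(<nil>))`; the block can simply be dropped. In both `newCredentialsFromSecret` and `NewCredentials` the `storeKey` failure path still returns the partially built `c` together with the error, whereas every other error path in the file returns `nil, err`; returning `nil` there keeps callers from ever holding a `Credentials` whose `KeyFile` is empty. `DeleteCredentials` discards the `os.Remove` result, so a key file left behind on the memory-backed mount is never reported, and the `defer` in `storeKey` removes the file on the `Write` error path without closing the descriptor first; checking that result (or at least logging it) and closing in the defer would make leaks visible. A doc comment on `storeKey` should also state that the key is written in plaintext to `tmpKeyFileLocation` (mode 0600 via `TempFile`) and that every caller is expected to `defer cr.DeleteCredentials()`, since nothing else removes the file, and a one-liner such as `// must match the memory-backed emptyDir mountPath in the deploy manifests` on `tmpKeyFileLocation` would tie the constant to the mount it depends on.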
@ -22,15 +22,17 @@ import (
|
|||||||
|
|
||||||
const (
|
const (
|
||||||
keyArg = "--key="
|
keyArg = "--key="
|
||||||
|
keyFileArg = "--keyfile="
|
||||||
secretArg = "secret="
|
secretArg = "secret="
|
||||||
optionsArgSeparator = ','
|
optionsArgSeparator = ','
|
||||||
strippedKey = "--key=***stripped***"
|
strippedKey = "--key=***stripped***"
|
||||||
|
strippedKeyFile = "--keyfile=***stripped***"
|
||||||
strippedSecret = "secret=***stripped***"
|
strippedSecret = "secret=***stripped***"
|
||||||
)
|
)
|
||||||
|
|
||||||
// StripSecretInArgs strips values of either "--key" or "secret=".
|
// StripSecretInArgs strips values of either "--key"/"--keyfile" or "secret=".
|
||||||
// `args` is left unchanged.
|
// `args` is left unchanged.
|
||||||
// Expects only one occurrence of either "--key" or "secret=".
|
// Expects only one occurrence of either "--key"/"--keyfile" or "secret=".
|
||||||
func StripSecretInArgs(args []string) []string {
|
func StripSecretInArgs(args []string) []string {
|
||||||
out := make([]string, len(args))
|
out := make([]string, len(args))
|
||||||
copy(out, args)
|
copy(out, args)
|
||||||
@ -48,6 +50,11 @@ func stripKey(out []string) bool {
|
|||||||
out[i] = strippedKey
|
out[i] = strippedKey
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if strings.HasPrefix(out[i], keyFileArg) {
|
||||||
|
out[i] = strippedKeyFile
|
||||||
|
return true
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return false
|
return false
|
||||||
|
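Review bot: The new `keyFileArg` branch in `stripKey` masks a value that is not itself a secret — the argument is only the path of the temporary key file — so logged command lines lose the one detail useful for diagnosing a missing or stale key file, while the key itself is already out of the argument list. If the masking is intentional (for example to keep log output uniform across the `--key=` and `--keyfile=` forms), the doc comment on `StripSecretInArgs` should say so, e.g. `// "--keyfile" values are masked too, although they are only paths, to keep log output uniform.`; otherwise the branch can be dropped. The `keyArg`/`strippedKey` constants appear to remain only for call sites that still pass `--key=`, which is worth a one-line comment so they are not mistaken for dead code. `stripKey` begins outside the hunk.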