rbd: Unexport SecretsMetadataKMS struct

This commit unexports the SecretsMetadataKMS struct from the KMS
implementation.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
Humble Chirammal 2022-01-24 18:30:25 +05:30 committed by mergify[bot]
parent 3f18d6e4b4
commit c8a3b9352e


@ -36,7 +36,7 @@ const (
// Encryption passphrase location in K8s secrets. // Encryption passphrase location in K8s secrets.
encryptionPassphraseKey = "encryptionPassphrase" encryptionPassphraseKey = "encryptionPassphrase"
// kmsTypeSecretsMetadata is the SecretsKMS with per-volume encryption, // kmsTypeSecretsMetadata is the secretKMS with per-volume encryption,
// where the DEK is stored in the metadata of the volume itself. // where the DEK is stored in the metadata of the volume itself.
kmsTypeSecretsMetadata = "metadata" kmsTypeSecretsMetadata = "metadata"
@ -94,10 +94,10 @@ func (kms SecretsKMS) RemoveDEK(key string) error {
return nil return nil
} }
// SecretsMetadataKMS is a KMS based on the SecretsKMS, but stores the // secretsMetadataKMS is a KMS based on the secretKMS, but stores the
// Data-Encryption-Key (DEK) in the metadata of the volume. // Data-Encryption-Key (DEK) in the metadata of the volume.
type SecretsMetadataKMS struct { type secretsMetadataKMS struct {
SecretsKMS secretKMS
} }
var _ = RegisterProvider(Provider{ var _ = RegisterProvider(Provider{
@ -105,12 +105,12 @@ var _ = RegisterProvider(Provider{
Initializer: initSecretsMetadataKMS, Initializer: initSecretsMetadataKMS,
}) })
// initSecretsMetadataKMS initializes a SecretsMetadataKMS that wraps a SecretsKMS, // initSecretsMetadataKMS initializes a secretsMetadataKMS that wraps a secretKMS,
// so that the passphrase from the user provided or StorageClass secrets can be used // so that the passphrase from the user provided or StorageClass secrets can be used
// for encrypting/decrypting DEKs that are stored in a detached DEKStore. // for encrypting/decrypting DEKs that are stored in a detached DEKStore.
func initSecretsMetadataKMS(args ProviderInitArgs) (EncryptionKMS, error) { func initSecretsMetadataKMS(args ProviderInitArgs) (EncryptionKMS, error) {
var ( var (
smKMS SecretsMetadataKMS smKMS secretsMetadataKMS
encryptionPassphrase string encryptionPassphrase string
ok bool ok bool
err error err error
@ -136,7 +136,7 @@ func initSecretsMetadataKMS(args ProviderInitArgs) (EncryptionKMS, error) {
} }
// fetchEncryptionPassphrase fetches encryptionPassphrase from user provided secret. // fetchEncryptionPassphrase fetches encryptionPassphrase from user provided secret.
func (kms SecretsMetadataKMS) fetchEncryptionPassphrase( func (kms secretsMetadataKMS) fetchEncryptionPassphrase(
config map[string]interface{}, config map[string]interface{},
defaultNamespace string) (string, error) { defaultNamespace string) (string, error) {
var ( var (
@ -182,11 +182,11 @@ func (kms SecretsMetadataKMS) fetchEncryptionPassphrase(
} }
// Destroy frees all used resources. // Destroy frees all used resources.
func (kms SecretsMetadataKMS) Destroy() { func (kms secretsMetadataKMS) Destroy() {
kms.SecretsKMS.Destroy() kms.secretKMS.Destroy()
} }
func (kms SecretsMetadataKMS) RequiresDEKStore() DEKStoreType { func (kms secretsMetadataKMS) RequiresDEKStore() dekStoreType {
return DEKStoreMetadata return DEKStoreMetadata
} }
@ -205,9 +205,9 @@ type encryptedMetedataDEK struct {
// the SecretsKMS and the volumeID. // the SecretsKMS and the volumeID.
// The resulting encryptedDEK contains a JSON with the encrypted DEK and the // The resulting encryptedDEK contains a JSON with the encrypted DEK and the
// nonce that was used for encrypting. // nonce that was used for encrypting.
func (kms SecretsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, error) { func (kms secretsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, error) {
// use the passphrase from the SecretsKMS // use the passphrase from the secretKMS
passphrase, err := kms.SecretsKMS.FetchDEK(volumeID) passphrase, err := kms.secretKMS.FetchDEK(volumeID)
if err != nil { if err != nil {
return "", fmt.Errorf("failed to get passphrase: %w", err) return "", fmt.Errorf("failed to get passphrase: %w", err)
} }
@ -234,10 +234,10 @@ func (kms SecretsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, err
} }
// DecryptDEK takes the JSON formatted `encryptedMetadataDEK` contents, and it // DecryptDEK takes the JSON formatted `encryptedMetadataDEK` contents, and it
// fetches SecretsKMS passphrase to decrypt the DEK. // fetches secretKMS passphrase to decrypt the DEK.
func (kms SecretsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string, error) { func (kms secretsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string, error) {
// use the passphrase from the SecretsKMS // use the passphrase from the secretKMS
passphrase, err := kms.SecretsKMS.FetchDEK(volumeID) passphrase, err := kms.secretKMS.FetchDEK(volumeID)
if err != nil { if err != nil {
return "", fmt.Errorf("failed to get passphrase: %w", err) return "", fmt.Errorf("failed to get passphrase: %w", err)
} }
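Review bot: The doc comment above EncryptDEK (hunk at -205) still reads `// the SecretsKMS and the volumeID.` on the new side, although every other comment in this section was switched to the unexported name. Since the embedded type is now referenced as `secretKMS`, that line should become `// the secretKMS and the volumeID.` so the description of where the DEK-wrapping passphrase comes from matches the code. The comment begins above the hunk, so its earlier lines are not visible here and may need the same update.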