mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-17 20:00:23 +00:00
rbd: configure the DEKStore if the configuration suggests to use metadata
NewVolumeEncryption() will return an indication that an alternative DEKStore needs to be configured in case the KMS does not support it. setKMS() will also set the DEKStore if needed, so renaming it to configureEncryption() makes things clearer. Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
e4431edaf9
commit
cffec0b3f3
@ -192,7 +192,7 @@ func (rv *rbdVolume) initKMS(ctx context.Context, volOptions, credentials map[st
|
||||
return nil
|
||||
}
|
||||
|
||||
err = rv.setKMS(volOptions["encryptionKMSID"], credentials)
|
||||
err = rv.configureEncryption(volOptions["encryptionKMSID"], credentials)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid encryption kms configuration: %w", err)
|
||||
}
|
||||
@ -200,13 +200,21 @@ func (rv *rbdVolume) initKMS(ctx context.Context, volOptions, credentials map[st
|
||||
return nil
|
||||
}
|
||||
|
||||
func (rv *rbdVolume) setKMS(kmsID string, credentials map[string]string) error {
|
||||
// configureEncryption sets up the VolumeEncryption for this rbdVolume. Once
|
||||
// configured, use isEncrypted() to see if the volume supports encryption.
|
||||
func (rv *rbdVolume) configureEncryption(kmsID string, credentials map[string]string) error {
|
||||
kms, err := util.GetKMS(rv.Owner, kmsID, credentials)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
rv.encryption = &util.VolumeEncryption{KMS: kms}
|
||||
rv.encryption, err = util.NewVolumeEncryption(kms)
|
||||
|
||||
// if the KMS can not store the DEK itself, we'll store it in the
|
||||
// metadata of the RBD image itself
|
||||
if errors.Is(err, util.ErrDEKStoreNeeded) {
|
||||
rv.encryption.SetDEKStore(rv)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
@ -833,7 +833,7 @@ func genVolFromVolID(ctx context.Context, volumeID string, cr *util.Credentials,
|
||||
rbdVol.Owner = imageAttributes.Owner
|
||||
|
||||
if imageAttributes.KmsID != "" {
|
||||
err = rbdVol.setKMS(imageAttributes.KmsID, secrets)
|
||||
err = rbdVol.configureEncryption(imageAttributes.KmsID, secrets)
|
||||
if err != nil {
|
||||
return rbdVol, err
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user