mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2025-06-14 02:43:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

util: introduce VolumeEncryption type

Browse Source 
Prepare for grouping encryption related functions together. The main
rbdVolume object should not be cluttered with KMS or DEK procedures.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
Niels de Vos
2021-02-22 16:25:35 +01:00
committed by mergify[bot]
parent aa52afff09
commit d4076d6216
8 changed files with 61 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
internal/rbd/encryption.go
View File

@ -81,11 +81,16 @@ func (rv *rbdVolume) ensureEncryptionMetadataSet(status rbdEncryptionState) erro
return nil
}
// isEncrypted returns `true` if the rbdVolume is (or needs to be) encrypted.
func (rv *rbdVolume) isEncrypted() bool {
return rv.encryption != nil
}
// setupEncryption configures the metadata of the RBD image for encryption:
// - the Data-Encryption-Key (DEK) will be generated stored for use by the KMS;
// - the RBD image will be marked to support encryption in its metadata.
func (rv *rbdVolume) setupEncryption(ctx context.Context) error {
err := util.StoreNewCryptoPassphrase(rv.VolID, rv.KMS)
err := util.StoreNewCryptoPassphrase(rv.VolID, rv.encryption.KMS)
if err != nil {
util.ErrorLog(ctx, "failed to save encryption passphrase for "+
"image %s: %s", rv.String(), err)
@ -103,7 +108,7 @@ func (rv *rbdVolume) setupEncryption(ctx context.Context) error {
}
func (rv *rbdVolume) encryptDevice(ctx context.Context, devicePath string) error {
passphrase, err := util.GetCryptoPassphrase(rv.VolID, rv.KMS)
passphrase, err := util.GetCryptoPassphrase(rv.VolID, rv.encryption.KMS)
if err != nil {
util.ErrorLog(ctx, "failed to get crypto passphrase for %s: %v",
rv.String(), err)
@ -126,7 +131,7 @@ func (rv *rbdVolume) encryptDevice(ctx context.Context, devicePath string) error
}
func (rv *rbdVolume) openEncryptedDevice(ctx context.Context, devicePath string) (string, error) {
passphrase, err := util.GetCryptoPassphrase(rv.VolID, rv.KMS)
passphrase, err := util.GetCryptoPassphrase(rv.VolID, rv.encryption.KMS)
if err != nil {
util.ErrorLog(ctx, "failed to get passphrase for encrypted device %s: %v",
rv.String(), err)
@ -175,21 +180,29 @@ func (rv *rbdVolume) initKMS(ctx context.Context, volOptions, credentials map[st
return nil
}
rv.Encrypted, err = strconv.ParseBool(encrypted)
isEncrypted, err := strconv.ParseBool(encrypted)
if err != nil {
return fmt.Errorf(
"invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
} else if !rv.Encrypted {
} else if !isEncrypted {
return nil
}
// deliberately ignore if parsing failed as GetKMS will return default
// implementation of kmsID is empty
kmsID := volOptions["encryptionKMSID"]
rv.KMS, err = util.GetKMS(rv.Owner, kmsID, credentials)
err = rv.setKMS(volOptions["encryptionKMSID"], credentials)
if err != nil {
return fmt.Errorf("invalid encryption kms configuration: %w", err)
}
return nil
}
func (rv *rbdVolume) setKMS(kmsID string, credentials map[string]string) error {
kms, err := util.GetKMS(rv.Owner, kmsID, credentials)
if err != nil {
return err
}
rv.encryption = &util.VolumeEncryption{KMS: kms}
return nil
}