util: introduce VolumeEncryption type

Prepare for grouping encryption-related functions together. The main
rbdVolume object should not be cluttered with KMS or DEK procedures.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos
2021-02-22 16:25:35 +01:00
committed by mergify[bot]
parent aa52afff09
commit d4076d6216
8 changed files with 61 additions and 39 deletions


@ -51,6 +51,22 @@ const (
defaultConfigMapToRead = "csi-kms-connection-details"
)
type VolumeEncryption struct {
KMS EncryptionKMS
}
// NewVolumeEncryption creates a new instance of VolumeEncryption.
func NewVolumeEncryption(kms EncryptionKMS) (*VolumeEncryption, error) {
ve := &VolumeEncryption{KMS: kms}
return ve, nil
}
// Destroy frees any resources that the VolumeEncryption instance allocated.
func (ve *VolumeEncryption) Destroy() {
ve.KMS.Destroy()
}
// EncryptionKMS provides external Key Management System for encryption
// passphrases storage.
type EncryptionKMS interface {
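Review bot: NewVolumeEncryption accepts a nil kms without complaint, and Destroy then calls ve.KMS.Destroy() through a nil interface value, which panics; since the constructor already returns an error, reject the argument there with `if kms == nil { return nil, errors.New("kms must not be nil") }` (errors is stdlib; confirm it is imported in this file). The exported type VolumeEncryption also has no doc comment, which go vet/lint will flag; suggest `// VolumeEncryption holds the KMS used for a volume's encryption passphrase.` above the struct. The EncryptionKMS interface declaration on the hunk's last line continues outside the hunk.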


@ -18,7 +18,6 @@ package util
import (
"errors"
"fmt"
)
const (
@ -27,10 +26,6 @@ const (
// Default KMS type
defaultKMSType = "default"
// kmsTypeSecretsMetadata is the SecretsKMS with per-volume encryption,
// where the DEK is stored in the metadata of the volume itself.
kmsTypeSecretsMetadata = "metadata"
)
// SecretsKMS is default KMS implementation that means no KMS is in use.
@ -59,19 +54,19 @@ func (kms SecretsKMS) Destroy() {
// nothing to do
}
// FetchDEK returns passphrase from Kubernetes secrets.
func (kms SecretsKMS) FetchDEK(key string) (string, error) {
// GetPassphrase returns passphrase from Kubernetes secrets.
func (kms SecretsKMS) GetPassphrase(key string) (string, error) {
return kms.passphrase, nil
}
// StoreDEK does nothing, as there is no passphrase per key (volume), so
// SavePassphrase does nothing, as there is no passphrase per key (volume), so
// no need to store is anywhere.
func (kms SecretsKMS) StoreDEK(key, value string) error {
func (kms SecretsKMS) SavePassphrase(key, value string) error {
return nil
}
// RemoveDEK is doing nothing as no new passphrases are saved with
// DeletePassphrase is doing nothing as no new passphrases are saved with
// SecretsKMS.
func (kms SecretsKMS) RemoveDEK(key string) error {
func (kms SecretsKMS) DeletePassphrase(key string) error {
return nil
}
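Review bot: In the -59,19 +54,19 hunk the passphrase getter (the FetchDEK/GetPassphrase pair) ignores its key argument and returns kms.passphrase for every key, so with SecretsKMS every volume shares one passphrase; whichever of the two names is the new side, its comment should say so, e.g. `// ... returns the single passphrase read from the Kubernetes secret; key is ignored, so all volumes using this KMS share the same passphrase.` The rendered page has lost the +/- markers, so which member of each renamed pair is the new side cannot be confirmed from the page itself. The store and remove methods likewise take key and value but never use them; a one-line note that this KMS never persists a per-volume DEK would stop callers from assuming per-volume key isolation.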