rbd: rename encryption metadata keys to enable mirroring
RBD image metadata keys that start with '.rbd' are expected to be internal to RBD itself and are not mirrored to remote sites. Renaming the keys (dropping the '.' prefix) and using the new MigrateMetadata() function now makes the keys available on remote sites too. Closes: #2219 Signed-off-by: Niels de Vos <ndevos@redhat.com>
parent
607129171d
commit
ec6703ed58
@ -494,7 +494,7 @@ func validateThickImageMetadata(f *framework.Framework, pvc *v1.PersistentVolume
|
||||
// - Metadata of the image should be set with the encryption state;
|
||||
// - The pvc should be mounted by a pod, so the filesystem type can be fetched.
|
||||
func validateEncryptedImage(f *framework.Framework, rbdImageSpec string, app *v1.Pod) error {
|
||||
encryptedState, err := getImageMeta(rbdImageSpec, ".rbd.csi.ceph.com/encrypted", f)
|
||||
encryptedState, err := getImageMeta(rbdImageSpec, "rbd.csi.ceph.com/encrypted", f)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -53,16 +53,18 @@ const (
|
||||
rbdImageRequiresEncryption = rbdEncryptionState("requiresEncryption")
|
||||
|
||||
// image metadata key for encryption.
|
||||
encryptionMetaKey = ".rbd.csi.ceph.com/encrypted"
|
||||
encryptionMetaKey = "rbd.csi.ceph.com/encrypted"
|
||||
oldEncryptionMetaKey = ".rbd.csi.ceph.com/encrypted"
|
||||
|
||||
// metadataDEK is the key in the image metadata where the (encrypted)
|
||||
// DEK is stored.
|
||||
metadataDEK = ".rbd.csi.ceph.com/dek"
|
||||
metadataDEK = "rbd.csi.ceph.com/dek"
|
||||
oldMetadataDEK = ".rbd.csi.ceph.com/dek"
|
||||
)
|
||||
|
||||
// checkRbdImageEncrypted verifies if rbd image was encrypted when created.
|
||||
func (ri *rbdImage) checkRbdImageEncrypted(ctx context.Context) (rbdEncryptionState, error) {
|
||||
value, err := ri.GetMetadata(encryptionMetaKey)
|
||||
value, err := ri.MigrateMetadata(oldEncryptionMetaKey, encryptionMetaKey, string(rbdImageEncryptionUnknown))
|
||||
if errors.Is(err, librbd.ErrNotFound) {
|
||||
util.DebugLog(ctx, "image %s encrypted state not set", ri)
|
||||
|
||||
@ -317,7 +319,7 @@ func (ri *rbdImage) FetchDEK(volumeID string) (string, error) {
|
||||
return "", fmt.Errorf("volume %q can not fetch DEK for %q", ri, volumeID)
|
||||
}
|
||||
|
||||
return ri.GetMetadata(metadataDEK)
|
||||
return ri.MigrateMetadata(oldMetadataDEK, metadataDEK, "")
|
||||
}
|
||||
|
||||
// RemoveDEK does not need to remove the DEK from the metadata, the image is
|
||||
|
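Review bot: FetchDEK now passes `""` as the fallback to MigrateMetadata, whose body is not shown on this page; if it returns (or stores) that fallback when neither `oldMetadataDEK` nor `metadataDEK` exists, a missing DEK would come back as an empty string with a nil error instead of the not-found error that GetMetadata returned before. A guard after the call would keep that case an explicit failure: `dek, err := ri.MigrateMetadata(oldMetadataDEK, metadataDEK, "")` followed by `if err == nil && dek == "" { return "", fmt.Errorf("volume %q has no DEK in image metadata", ri) }`. The same question applies to checkRbdImageEncrypted, where the `errors.Is(err, librbd.ErrNotFound)` branch may no longer be reachable once `string(rbdImageEncryptionUnknown)` is supplied as the default. It would also help to add a comment on `oldEncryptionMetaKey` and `oldMetadataDEK` stating that they are read only for migration and that, presumably, a driver version which knows only the dotted keys will not find the encryption state or DEK on an image that has already been migrated. Both function bodies continue outside the visible hunks.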