mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-09 16:00:22 +00:00
rbd: rename encryption metadata keys to enable mirroring
RBD image metadata keys that start with '.rbd' are expected to be internal to RBD itself and are not mirrored to remote sites. Renaming the keys (dropping the '.' prefix) and using the new MigrateMetadata() function now makes the keys available on remote sites too. Closes: #2219 Signed-off-by: Niels de Vos <ndevos@redhat.com>
parent
607129171d
commit
ec6703ed58
@ -494,7 +494,7 @@ func validateThickImageMetadata(f *framework.Framework, pvc *v1.PersistentVolume
|
|||||||
// - Metadata of the image should be set with the encryption state;
|
// - Metadata of the image should be set with the encryption state;
|
||||||
// - The pvc should be mounted by a pod, so the filesystem type can be fetched.
|
// - The pvc should be mounted by a pod, so the filesystem type can be fetched.
|
||||||
func validateEncryptedImage(f *framework.Framework, rbdImageSpec string, app *v1.Pod) error {
|
func validateEncryptedImage(f *framework.Framework, rbdImageSpec string, app *v1.Pod) error {
|
||||||
encryptedState, err := getImageMeta(rbdImageSpec, ".rbd.csi.ceph.com/encrypted", f)
|
encryptedState, err := getImageMeta(rbdImageSpec, "rbd.csi.ceph.com/encrypted", f)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -53,16 +53,18 @@ const (
|
|||||||
rbdImageRequiresEncryption = rbdEncryptionState("requiresEncryption")
|
rbdImageRequiresEncryption = rbdEncryptionState("requiresEncryption")
|
||||||
|
|
||||||
// image metadata key for encryption.
|
// image metadata key for encryption.
|
||||||
encryptionMetaKey = ".rbd.csi.ceph.com/encrypted"
|
encryptionMetaKey = "rbd.csi.ceph.com/encrypted"
|
||||||
|
oldEncryptionMetaKey = ".rbd.csi.ceph.com/encrypted"
|
||||||
|
|
||||||
// metadataDEK is the key in the image metadata where the (encrypted)
|
// metadataDEK is the key in the image metadata where the (encrypted)
|
||||||
// DEK is stored.
|
// DEK is stored.
|
||||||
metadataDEK = ".rbd.csi.ceph.com/dek"
|
metadataDEK = "rbd.csi.ceph.com/dek"
|
||||||
|
oldMetadataDEK = ".rbd.csi.ceph.com/dek"
|
||||||
)
|
)
|
||||||
|
|
||||||
// checkRbdImageEncrypted verifies if rbd image was encrypted when created.
|
// checkRbdImageEncrypted verifies if rbd image was encrypted when created.
|
||||||
func (ri *rbdImage) checkRbdImageEncrypted(ctx context.Context) (rbdEncryptionState, error) {
|
func (ri *rbdImage) checkRbdImageEncrypted(ctx context.Context) (rbdEncryptionState, error) {
|
||||||
value, err := ri.GetMetadata(encryptionMetaKey)
|
value, err := ri.MigrateMetadata(oldEncryptionMetaKey, encryptionMetaKey, string(rbdImageEncryptionUnknown))
|
||||||
if errors.Is(err, librbd.ErrNotFound) {
|
if errors.Is(err, librbd.ErrNotFound) {
|
||||||
util.DebugLog(ctx, "image %s encrypted state not set", ri)
|
util.DebugLog(ctx, "image %s encrypted state not set", ri)
|
||||||
|
|
||||||
@ -317,7 +319,7 @@ func (ri *rbdImage) FetchDEK(volumeID string) (string, error) {
|
|||||||
return "", fmt.Errorf("volume %q can not fetch DEK for %q", ri, volumeID)
|
return "", fmt.Errorf("volume %q can not fetch DEK for %q", ri, volumeID)
|
||||||
}
|
}
|
||||||
|
|
||||||
return ri.GetMetadata(metadataDEK)
|
return ri.MigrateMetadata(oldMetadataDEK, metadataDEK, "")
|
||||||
}
|
}
|
||||||
|
|
||||||
// RemoveDEK does not need to remove the DEK from the metadata, the image is
|
// RemoveDEK does not need to remove the DEK from the metadata, the image is
|
||||||
|
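Review bot: FetchDEK now passes `""` as the default to MigrateMetadata, so an image that has neither `oldMetadataDEK` nor `metadataDEK` set may return an empty DEK with a nil error instead of the not-found error that GetMetadata produced before; MigrateMetadata is not shown on this page, so this depends on how it treats the default value. If it does fall back to the default, reject the empty result explicitly, for example `dek, err := ri.MigrateMetadata(oldMetadataDEK, metadataDEK, "")` followed by `if err == nil && dek == "" { return "", librbd.ErrNotFound }`, so that callers never treat an empty string as key material. The same question applies to checkRbdImageEncrypted, where the `errors.Is(err, librbd.ErrNotFound)` branch may no longer be reached once `string(rbdImageEncryptionUnknown)` is supplied as the default. The comment on `metadataDEK` should also say that, without the '.' prefix, the (encrypted) DEK is now mirrored to remote sites, since that changes where this value is stored. Both function bodies start or end outside the hunks shown.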