util: add DEKStore interface

DEKStore is a new interface that will be used for storing and fetching
DEKs. The existing KMS implementations already function as a
DEKStore and will be updated to match the interface.

By splitting KMS and DEKStore into two components, the encryption
configuration for volumes becomes more modular. This makes it possible
to implement a DEKStore where the encrypted DEK for a volume is stored
in the metadata of the volume (RBD image).

Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos 2021-02-12 14:23:17 +01:00 committed by mergify[bot]
parent d4076d6216
commit ee033da8e9


@ -20,6 +20,7 @@ import (
"context" "context"
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"errors"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"os" "os"
@ -51,6 +52,18 @@ const (
defaultConfigMapToRead = "csi-kms-connection-details" defaultConfigMapToRead = "csi-kms-connection-details"
) )
var (
// ErrDEKStoreNotFound is an error that is returned when the DEKStore
// has not been configured for the volumeID in the KMS instance.
ErrDEKStoreNotFound = errors.New("DEKStore not found")
// ErrDEKStoreNeeded is an indication that gets returned with
// NewVolumeEncryption when the KMS does not include support for the
// DEKStore interface.
ErrDEKStoreNeeded = errors.New("DEKStore required, use " +
"VolumeEncryption.SetDEKStore()")
)
type VolumeEncryption struct { type VolumeEncryption struct {
KMS EncryptionKMS KMS EncryptionKMS
} }
@ -75,6 +88,38 @@ type EncryptionKMS interface {
SavePassphrase(key, value string) error SavePassphrase(key, value string) error
DeletePassphrase(key string) error DeletePassphrase(key string) error
GetID() string GetID() string
// requiresDEKStore returns the DEKStoreType that is needed to be
// configure for the KMS. Nothing needs to be done when this function
// returns DEKStoreIntegrated, otherwise you will need to configure an
// alternative storage for the DEKs.
requiresDEKStore() DEKStoreType
}
// DEKStoreType describes what DEKStore needs to be configured when using a
// particular KMS. A KMS might support different DEKStores depending on its
// configuration.
type DEKStoreType string
const (
// DEKStoreIntegrated indicates that the KMS itself supports storing
// DEKs.
DEKStoreIntegrated = DEKStoreType("")
// DEKStoreMetadata indicates that the KMS should be configured to
// store the DEK in the metadata of the volume.
DEKStoreMetadata = DEKStoreType("metadata")
)
// DEKStore allows KMS instances to implement a modular backend for DEK
// storage. This can be used to store the DEK in a different location, in case
// the KMS can not store passphrases for volumes.
type DEKStore interface {
// StoreDEK saves the DEK in the configured store.
StoreDEK(volumeID string, dek string) error
// FetchDEK reads the DEK from the configured store and returns it.
FetchDEK(volumeID string) (string, error)
// RemoveDEK deletes the DEK from the configured store.
RemoveDEK(volumeID string) error
} }
// GetKMS returns an instance of Key Management System. // GetKMS returns an instance of Key Management System.
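Review bot: The `StoreDEK` doc on the new `DEKStore` interface does not say whether `dek` arrives as plaintext or already wrapped by the KMS, yet the `DEKStoreMetadata` variant is meant to put that value into volume metadata, which is presumably readable by anything that can read the image; the commit message says the stored DEK is encrypted, so the interface should pin that contract, e.g. `// StoreDEK saves the DEK in the configured store. Callers pass the KMS-encrypted DEK; a store must never be handed the plaintext key.` Related, `FetchDEK` and `RemoveDEK` leave the missing-DEK case unspecified: `ErrDEKStoreNotFound` is documented as "DEKStore not configured", not "no DEK for this volume", so a caller cannot tell a misconfiguration from an absent key, and whether `RemoveDEK` on an already-removed DEK is an error matters for delete paths that get retried. The `requiresDEKStore` comment reads "needed to be configure for the KMS"; `needs to be configured for the KMS` is meant. Finally, the unexported `requiresDEKStore()` method on the exported `EncryptionKMS` interface means no type outside this package can satisfy it; if that sealing is intentional, a one-line comment on the interface saying so would save the next reader the question.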