rbd: move encryption function to encryption.go

This adds internal/rbd/encryption.go which will be used to include other
encryption functionality to support additional KMS related functions. It
will work together with the shared API from internal/util/kms.go.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
Niels de Vos 2021-02-15 08:26:35 +01:00 committed by mergify[bot]
parent dc81e001cf
commit ee79b22c97
3 changed files with 80 additions and 49 deletions


@ -1137,24 +1137,3 @@ func (cs *ControllerServer) ControllerExpandVolume(ctx context.Context, req *csi
NodeExpansionRequired: nodeExpansion, NodeExpansionRequired: nodeExpansion,
}, nil }, nil
} }
// setupEncryption configures the metadata of the RBD image for encryption:
// - the Data-Encryption-Key (DEK) will be generated stored for use by the KMS;
// - the RBD image will be marked to support encryption in its metadata.
func (rv *rbdVolume) setupEncryption(ctx context.Context) error {
err := util.StoreNewCryptoPassphrase(rv.VolID, rv.KMS)
if err != nil {
util.ErrorLog(ctx, "failed to save encryption passphrase for "+
"image %s: %s", rv.String(), err)
return err
}
err = rv.ensureEncryptionMetadataSet(rbdImageRequiresEncryption)
if err != nil {
util.ErrorLog(ctx, "failed to save encryption status, deleting "+
"image %s: %s", rv.String(), err)
return err
}
return nil
}


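--- /dev/null
+++ b/internal/rbd/encryption.go
@@ -0,0 +1,80 @@
+/*
+Copyright 2021 The Ceph-CSI Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package rbd
+import (
+"context"
+"fmt"
+"strings"
+"github.com/ceph/ceph-csi/internal/util"
+)
+type rbdEncryptionState string
+const (
+// Encryption statuses for RbdImage
+rbdImageEncryptionUnknown = rbdEncryptionState("")
+rbdImageEncrypted = rbdEncryptionState("encrypted")
+rbdImageRequiresEncryption = rbdEncryptionState("requiresEncryption")
+// image metadata key for encryption
+encryptionMetaKey = ".rbd.csi.ceph.com/encrypted"
+)
+// checkRbdImageEncrypted verifies if rbd image was encrypted when created.
+func (rv *rbdVolume) checkRbdImageEncrypted(ctx context.Context) (rbdEncryptionState, error) {
+value, err := rv.GetMetadata(encryptionMetaKey)
+if err != nil {
+util.ErrorLog(ctx, "checking image %s encrypted state metadata failed: %s", rv, err)
+return rbdImageEncryptionUnknown, err
+}
+encrypted := rbdEncryptionState(strings.TrimSpace(value))
+util.DebugLog(ctx, "image %s encrypted state metadata reports %q", rv, encrypted)
+return encrypted, nil
+}
+func (rv *rbdVolume) ensureEncryptionMetadataSet(status rbdEncryptionState) error {
+err := rv.SetMetadata(encryptionMetaKey, string(status))
+if err != nil {
+return fmt.Errorf("failed to save encryption status for %s: %w", rv, err)
+}
+return nil
+}
+// setupEncryption configures the metadata of the RBD image for encryption:
+// - the Data-Encryption-Key (DEK) will be generated stored for use by the KMS;
+// - the RBD image will be marked to support encryption in its metadata.
+func (rv *rbdVolume) setupEncryption(ctx context.Context) error {
+err := util.StoreNewCryptoPassphrase(rv.VolID, rv.KMS)
+if err != nil {
+util.ErrorLog(ctx, "failed to save encryption passphrase for "+
+"image %s: %s", rv.String(), err)
+return err
+}
+err = rv.ensureEncryptionMetadataSet(rbdImageRequiresEncryption)
+if err != nil {
+util.ErrorLog(ctx, "failed to save encryption status, deleting "+
+"image %s: %s", rv.String(), err)
+return err
+}
+return nil
+}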
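Review bot: checkRbdImageEncrypted now converts whatever string sits under encryptionMetaKey straight into the typed rbdEncryptionState, so an unexpected or tampered metadata value is returned as a value that matches none of the three declared constants and, unless every caller handles that case, will silently fall through as if the image were not marked for encryption; it seems worth rejecting it at the source, right after the TrimSpace, with `if encrypted != rbdImageEncrypted && encrypted != rbdImageRequiresEncryption && encrypted != rbdImageEncryptionUnknown {` / `return rbdImageEncryptionUnknown, fmt.Errorf("image %s reports unexpected encryption state %q", rv, value)` / `}` (callers of the previous string-returning version are outside this hunk, so whether they already guard for this is an inference). ensureEncryptionMetadataSet is the only function in the new file without a doc comment; a one-liner such as `// ensureEncryptionMetadataSet records status under encryptionMetaKey in the image metadata.` would match the rest. The setupEncryption header comment copied from the old location keeps its typo, `will be generated stored` should read `will be generated and stored`, and the "deleting image" wording in its second error log describes something this function does not do itself, so it presumably refers to cleanup by the caller and could say so. The two rbdEncryptionState constants are compared, not defined, in a way that exercises their new typedness, so also consider using `%q` consistently in ErrorLog with `rv` rather than `rv.String()`, purely for style.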


@ -53,12 +53,6 @@ const (
rbdTaskRemoveCmdInvalidString1 = "no valid command found" rbdTaskRemoveCmdInvalidString1 = "no valid command found"
rbdTaskRemoveCmdInvalidString2 = "Error EINVAL: invalid command" rbdTaskRemoveCmdInvalidString2 = "Error EINVAL: invalid command"
rbdTaskRemoveCmdAccessDeniedMessage = "Error EACCES:" rbdTaskRemoveCmdAccessDeniedMessage = "Error EACCES:"
// Encryption statuses for RbdImage
rbdImageEncrypted = "encrypted"
rbdImageRequiresEncryption = "requiresEncryption"
// image metadata key for encryption
encryptionMetaKey = ".rbd.csi.ceph.com/encrypted"
) )
// rbdVolume represents a CSI volume and its RBD image specifics. // rbdVolume represents a CSI volume and its RBD image specifics.
@ -1195,28 +1189,6 @@ func (rv *rbdVolume) SetMetadata(key, value string) error {
return image.SetMetadata(key, value) return image.SetMetadata(key, value)
} }
// checkRbdImageEncrypted verifies if rbd image was encrypted when created.
func (rv *rbdVolume) checkRbdImageEncrypted(ctx context.Context) (string, error) {
value, err := rv.GetMetadata(encryptionMetaKey)
if err != nil {
util.ErrorLog(ctx, "checking image %s encrypted state metadata failed: %s", rv, err)
return "", err
}
encrypted := strings.TrimSpace(value)
util.DebugLog(ctx, "image %s encrypted state metadata reports %q", rv, encrypted)
return encrypted, nil
}
func (rv *rbdVolume) ensureEncryptionMetadataSet(status string) error {
err := rv.SetMetadata(encryptionMetaKey, status)
if err != nil {
return fmt.Errorf("failed to save encryption status for %s: %w", rv, err)
}
return nil
}
func (rv *rbdVolume) listSnapshots() ([]librbd.SnapInfo, error) { func (rv *rbdVolume) listSnapshots() ([]librbd.SnapInfo, error) {
image, err := rv.open() image, err := rv.open()
if err != nil { if err != nil {