diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go index d13656ded..a0d1c0b83 100644 --- a/internal/rbd/encryption.go +++ b/internal/rbd/encryption.go @@ -20,7 +20,6 @@ import ( "context" "errors" "fmt" - "strconv" "strings" "github.com/ceph/ceph-csi/internal/util" @@ -242,10 +241,27 @@ func (rv *rbdVolume) openEncryptedDevice(ctx context.Context, devicePath string) } func (ri *rbdImage) initKMS(ctx context.Context, volOptions, credentials map[string]string) error { + kmsID, err := ri.ParseEncryptionOpts(ctx, volOptions) + if err != nil { + return err + } else if kmsID == "" { + return nil + } + + err = ri.configureEncryption(kmsID, credentials) + if err != nil { + return fmt.Errorf("invalid encryption kms configuration: %w", err) + } + + return nil +} + +// ParseEncryptionOpts returns kmsID and sets Owner attribute. +func (ri *rbdImage) ParseEncryptionOpts(ctx context.Context, volOptions map[string]string) (string, error) { var ( - err error - ok bool - encrypted string + err error + ok bool + encrypted, kmsID string ) // if the KMS is of type VaultToken, additional metadata is needed @@ -259,23 +275,14 @@ func (ri *rbdImage) initKMS(ctx context.Context, volOptions, credentials map[str encrypted, ok = volOptions["encrypted"] if !ok { - return nil + return "", nil } - - isEncrypted, err := strconv.ParseBool(encrypted) + kmsID, err = util.FetchEncryptionKMSID(encrypted, volOptions["encryptionKMSID"]) if err != nil { - return fmt.Errorf( - "invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted) - } else if !isEncrypted { - return nil + return "", err } - err = ri.configureEncryption(volOptions["encryptionKMSID"], credentials) - if err != nil { - return fmt.Errorf("invalid encryption kms configuration: %w", err) - } - - return nil + return kmsID, nil } // configureEncryption sets up the VolumeEncryption for this rbdImage. Once diff --git a/internal/rbd/rbd_journal.go b/internal/rbd/rbd_journal.go index d2b485443..6987723ad 100644 --- a/internal/rbd/rbd_journal.go +++ b/internal/rbd/rbd_journal.go @@ -523,7 +523,7 @@ func undoVolReservation(ctx context.Context, rbdVol *rbdVolume, cr *util.Credent // RegenerateJournal performs below operations // Extract parameters journalPool, pool from volumeAttributes -// Extract optional parameter volumeNamePrefix from volumeAttributes +// Extract optional parameters volumeNamePrefix, kmsID, owner from volumeAttributes // Extract information from volumeID // Get pool ID from pool name // Extract uuid from volumeID @@ -540,6 +540,8 @@ func RegenerateJournal( options map[string]string vi util.CSIIdentifier rbdVol *rbdVolume + kmsID string + err error ok bool ) @@ -547,12 +549,17 @@ func RegenerateJournal( rbdVol = &rbdVolume{} rbdVol.VolID = volumeID - err := vi.DecomposeCSIID(rbdVol.VolID) + err = vi.DecomposeCSIID(rbdVol.VolID) if err != nil { return "", fmt.Errorf("%w: error decoding volume ID (%s) (%s)", ErrInvalidVolID, err, rbdVol.VolID) } + kmsID, err = rbdVol.ParseEncryptionOpts(ctx, volumeAttributes) + if err != nil { + return "", err + } + // TODO check clusterID mapping exists rbdVol.ClusterID = vi.ClusterID options["clusterID"] = rbdVol.ClusterID @@ -590,7 +597,6 @@ func RegenerateJournal( rbdVol.RequestName = requestName rbdVol.NamePrefix = volumeAttributes["volumeNamePrefix"] - kmsID := "" imageData, err := j.CheckReservation( ctx, rbdVol.JournalPool, rbdVol.RequestName, rbdVol.NamePrefix, "", kmsID) if err != nil { diff --git a/internal/util/crypto.go b/internal/util/crypto.go index c9e64352b..acd0666b6 100644 --- a/internal/util/crypto.go +++ b/internal/util/crypto.go @@ -23,6 +23,7 @@ import ( "errors" "fmt" "path" + "strconv" "strings" ) @@ -60,6 +61,25 @@ type VolumeEncryption struct { id string } +// FetchEncryptionKMSID returns non-empty kmsID if 'encrypted' parameter is evaluated as true. +func FetchEncryptionKMSID(encrypted, kmsID string) (string, error) { + isEncrypted, err := strconv.ParseBool(encrypted) + if err != nil { + return "", fmt.Errorf( + "invalid value set in 'encrypted': %s (should be \"true\" or \"false\"): %w", + encrypted, err) + } + if !isEncrypted { + return "", nil + } + + if kmsID == "" { + kmsID = defaultKMSType + } + + return kmsID, nil +} + // NewVolumeEncryption creates a new instance of VolumeEncryption and // configures the DEKStore. If the KMS does not provide a DEKStore interface, // the VolumeEncryption will be created *and* a ErrDEKStoreNeeded is returned.