mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2025-06-14 02:43:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

rbd: extract kmsID from volumeAttributes in RegenerateJournal()

Browse Source 
This commit adds functionality of extracting encryption kmsID,
owner from volumeAttributes in RegenerateJournal() and adds utility
functions ParseEncryptionOpts and FetchEncryptionKMSID.

Signed-off-by: Rakshith R <rar@redhat.com>
This commit is contained in:
Rakshith R
2021-07-16 15:37:56 +05:30
committed by mergify[bot]
parent b960e3633a
commit f05ac2b25d
3 changed files with 53 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
internal/rbd/encryption.go
View File

@ -20,7 +20,6 @@ import (
"context"
"errors"
"fmt"
"strconv"
"strings"
"github.com/ceph/ceph-csi/internal/util"
@ -242,10 +241,27 @@ func (rv *rbdVolume) openEncryptedDevice(ctx context.Context, devicePath string)
}
func (ri *rbdImage) initKMS(ctx context.Context, volOptions, credentials map[string]string) error {
kmsID, err := ri.ParseEncryptionOpts(ctx, volOptions)
if err != nil {
return err
} else if kmsID == "" {
return nil
}
err = ri.configureEncryption(kmsID, credentials)
if err != nil {
return fmt.Errorf("invalid encryption kms configuration: %w", err)
}
return nil
}
// ParseEncryptionOpts returns kmsID and sets Owner attribute.
func (ri *rbdImage) ParseEncryptionOpts(ctx context.Context, volOptions map[string]string) (string, error) {
var (
err error
ok bool
encrypted string
err error
ok bool
encrypted, kmsID string
)
// if the KMS is of type VaultToken, additional metadata is needed
@ -259,23 +275,14 @@ func (ri *rbdImage) initKMS(ctx context.Context, volOptions, credentials map[str
encrypted, ok = volOptions["encrypted"]
if !ok {
return nil
return "", nil
}
isEncrypted, err := strconv.ParseBool(encrypted)
kmsID, err = util.FetchEncryptionKMSID(encrypted, volOptions["encryptionKMSID"])
if err != nil {
return fmt.Errorf(
"invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
} else if !isEncrypted {
return nil
return "", err
}
err = ri.configureEncryption(volOptions["encryptionKMSID"], credentials)
if err != nil {
return fmt.Errorf("invalid encryption kms configuration: %w", err)
}
return nil
return kmsID, nil
}
// configureEncryption sets up the VolumeEncryption for this rbdImage. Once