rbd: extract kmsID from volumeAttributes in RegenerateJournal()
This commit extracts the encryption kmsID and owner from volumeAttributes in RegenerateJournal(), and adds the utility functions ParseEncryptionOpts and FetchEncryptionKMSID. Signed-off-by: Rakshith R <rar@redhat.com>
This commit is contained in:
parent
b960e3633a
commit
f05ac2b25d
@ -20,7 +20,6 @@ import (
|
|||||||
"context"
|
"context"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"strconv"
|
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/ceph/ceph-csi/internal/util"
|
"github.com/ceph/ceph-csi/internal/util"
|
||||||
@ -242,10 +241,27 @@ func (rv *rbdVolume) openEncryptedDevice(ctx context.Context, devicePath string)
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (ri *rbdImage) initKMS(ctx context.Context, volOptions, credentials map[string]string) error {
|
func (ri *rbdImage) initKMS(ctx context.Context, volOptions, credentials map[string]string) error {
|
||||||
|
kmsID, err := ri.ParseEncryptionOpts(ctx, volOptions)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
} else if kmsID == "" {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
err = ri.configureEncryption(kmsID, credentials)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("invalid encryption kms configuration: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// ParseEncryptionOpts returns kmsID and sets Owner attribute.
|
||||||
|
func (ri *rbdImage) ParseEncryptionOpts(ctx context.Context, volOptions map[string]string) (string, error) {
|
||||||
var (
|
var (
|
||||||
err error
|
err error
|
||||||
ok bool
|
ok bool
|
||||||
encrypted string
|
encrypted, kmsID string
|
||||||
)
|
)
|
||||||
|
|
||||||
// if the KMS is of type VaultToken, additional metadata is needed
|
// if the KMS is of type VaultToken, additional metadata is needed
|
||||||
@ -259,23 +275,14 @@ func (ri *rbdImage) initKMS(ctx context.Context, volOptions, credentials map[str
|
|||||||
|
|
||||||
encrypted, ok = volOptions["encrypted"]
|
encrypted, ok = volOptions["encrypted"]
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil
|
return "", nil
|
||||||
}
|
}
|
||||||
|
kmsID, err = util.FetchEncryptionKMSID(encrypted, volOptions["encryptionKMSID"])
|
||||||
isEncrypted, err := strconv.ParseBool(encrypted)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf(
|
return "", err
|
||||||
"invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
|
|
||||||
} else if !isEncrypted {
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
err = ri.configureEncryption(volOptions["encryptionKMSID"], credentials)
|
return kmsID, nil
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("invalid encryption kms configuration: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// configureEncryption sets up the VolumeEncryption for this rbdImage. Once
|
// configureEncryption sets up the VolumeEncryption for this rbdImage. Once
|
||||||
|
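Review bot: The doc comment on the newly exported ParseEncryptionOpts (`// ParseEncryptionOpts returns kmsID and sets Owner attribute.`) is too thin for a function that RegenerateJournal now feeds with PV volumeAttributes: it does not say that an empty kmsID with a nil error means the volume is not encrypted, that a malformed 'encrypted' value is an error, or that the Owner side effect lands on the receiver. Suggest `// ParseEncryptionOpts reads the encryption settings from volOptions. It returns the kmsID to use ("" with a nil error when 'encrypted' is absent or false), an error when 'encrypted' is not a valid boolean, and as a side effect stores the volume owner on ri when the KMS needs it.` Because FetchEncryptionKMSID substitutes defaultKMSType for an empty encryptionKMSID, initKMS now hands configureEncryption a non-empty id where it previously passed ""; if configureEncryption did not already apply that default this is a behaviour change the commit message does not mention. In initKMS the `} else if kmsID == "" {` following `return err` can be a plain `if kmsID == "" {`. The middle of ParseEncryptionOpts (the VaultToken/Owner handling) lies between the two hunks and is not visible here.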
@ -523,7 +523,7 @@ func undoVolReservation(ctx context.Context, rbdVol *rbdVolume, cr *util.Credent
|
|||||||
|
|
||||||
// RegenerateJournal performs below operations
|
// RegenerateJournal performs below operations
|
||||||
// Extract parameters journalPool, pool from volumeAttributes
|
// Extract parameters journalPool, pool from volumeAttributes
|
||||||
// Extract optional parameter volumeNamePrefix from volumeAttributes
|
// Extract optional parameters volumeNamePrefix, kmsID, owner from volumeAttributes
|
||||||
// Extract information from volumeID
|
// Extract information from volumeID
|
||||||
// Get pool ID from pool name
|
// Get pool ID from pool name
|
||||||
// Extract uuid from volumeID
|
// Extract uuid from volumeID
|
||||||
@ -540,6 +540,8 @@ func RegenerateJournal(
|
|||||||
options map[string]string
|
options map[string]string
|
||||||
vi util.CSIIdentifier
|
vi util.CSIIdentifier
|
||||||
rbdVol *rbdVolume
|
rbdVol *rbdVolume
|
||||||
|
kmsID string
|
||||||
|
err error
|
||||||
ok bool
|
ok bool
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -547,12 +549,17 @@ func RegenerateJournal(
|
|||||||
rbdVol = &rbdVolume{}
|
rbdVol = &rbdVolume{}
|
||||||
rbdVol.VolID = volumeID
|
rbdVol.VolID = volumeID
|
||||||
|
|
||||||
err := vi.DecomposeCSIID(rbdVol.VolID)
|
err = vi.DecomposeCSIID(rbdVol.VolID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", fmt.Errorf("%w: error decoding volume ID (%s) (%s)",
|
return "", fmt.Errorf("%w: error decoding volume ID (%s) (%s)",
|
||||||
ErrInvalidVolID, err, rbdVol.VolID)
|
ErrInvalidVolID, err, rbdVol.VolID)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
kmsID, err = rbdVol.ParseEncryptionOpts(ctx, volumeAttributes)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
// TODO check clusterID mapping exists
|
// TODO check clusterID mapping exists
|
||||||
rbdVol.ClusterID = vi.ClusterID
|
rbdVol.ClusterID = vi.ClusterID
|
||||||
options["clusterID"] = rbdVol.ClusterID
|
options["clusterID"] = rbdVol.ClusterID
|
||||||
@ -590,7 +597,6 @@ func RegenerateJournal(
|
|||||||
rbdVol.RequestName = requestName
|
rbdVol.RequestName = requestName
|
||||||
rbdVol.NamePrefix = volumeAttributes["volumeNamePrefix"]
|
rbdVol.NamePrefix = volumeAttributes["volumeNamePrefix"]
|
||||||
|
|
||||||
kmsID := ""
|
|
||||||
imageData, err := j.CheckReservation(
|
imageData, err := j.CheckReservation(
|
||||||
ctx, rbdVol.JournalPool, rbdVol.RequestName, rbdVol.NamePrefix, "", kmsID)
|
ctx, rbdVol.JournalPool, rbdVol.RequestName, rbdVol.NamePrefix, "", kmsID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
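Review bot: The error from `rbdVol.ParseEncryptionOpts(ctx, volumeAttributes)` in RegenerateJournal is returned bare, unlike the DecomposeCSIID failure directly above it which names the volume ID, so a malformed 'encrypted' attribute on a PV surfaces with no indication of which volume it came from. Suggest `return "", fmt.Errorf("invalid encryption options for volume ID (%s): %w", rbdVol.VolID, err)`. The kmsID now reaches CheckReservation, but the Owner that ParseEncryptionOpts stores on rbdVol (per its doc comment) is not visibly consumed in these hunks; the ReserveName call later in RegenerateJournal is outside the hunk, so confirm rbdVol.Owner is forwarded there, otherwise the regenerated journal entry may lack the owner the original reservation carried. RegenerateJournal continues past the hunk.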
@ -23,6 +23,7 @@ import (
|
|||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"path"
|
"path"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -60,6 +61,25 @@ type VolumeEncryption struct {
|
|||||||
id string
|
id string
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// FetchEncryptionKMSID returns non-empty kmsID if 'encrypted' parameter is evaluated as true.
|
||||||
|
func FetchEncryptionKMSID(encrypted, kmsID string) (string, error) {
|
||||||
|
isEncrypted, err := strconv.ParseBool(encrypted)
|
||||||
|
if err != nil {
|
||||||
|
return "", fmt.Errorf(
|
||||||
|
"invalid value set in 'encrypted': %s (should be \"true\" or \"false\"): %w",
|
||||||
|
encrypted, err)
|
||||||
|
}
|
||||||
|
if !isEncrypted {
|
||||||
|
return "", nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if kmsID == "" {
|
||||||
|
kmsID = defaultKMSType
|
||||||
|
}
|
||||||
|
|
||||||
|
return kmsID, nil
|
||||||
|
}
|
||||||
|
|
||||||
// NewVolumeEncryption creates a new instance of VolumeEncryption and
|
// NewVolumeEncryption creates a new instance of VolumeEncryption and
|
||||||
// configures the DEKStore. If the KMS does not provide a DEKStore interface,
|
// configures the DEKStore. If the KMS does not provide a DEKStore interface,
|
||||||
// the VolumeEncryption will be created *and* a ErrDEKStoreNeeded is returned.
|
// the VolumeEncryption will be created *and* a ErrDEKStoreNeeded is returned.
|
||||||
|
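Review bot: FetchEncryptionKMSID silently substitutes defaultKMSType when 'encrypted' parses as true but kmsID is empty, and neither the doc comment nor the commit message records that; since RegenerateJournal feeds this result into CheckReservation, a PV whose attributes omit encryptionKMSID will now be matched against the default KMS rather than an empty id. Suggest expanding the comment to `// FetchEncryptionKMSID returns the kmsID to use when the 'encrypted' parameter parses as true, falling back to defaultKMSType if kmsID is empty. It returns "" when 'encrypted' is false and an error when it is not a valid boolean.` The error text says the value should be "true" or "false", but strconv.ParseBool also accepts 1/0, t/f and T/F forms; consider `(should be a boolean such as \"true\" or \"false\")` so the message does not misstate the accepted set.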