rbd: extract kmsID from volumeAttributes in RegenerateJournal()

This commit adds functionality of extracting encryption kmsID, owner from volumeAttributes in RegenerateJournal() and adds utility functions ParseEncryptionOpts and FetchEncryptionKMSID. Signed-off-by: Rakshith R <rar@redhat.com>
2024-09-19 15:09:56 +00:00 · 2021-07-16 15:37:56 +05:30 · 2021-07-16 15:37:56 +05:30 · f05ac2b25d
commit f05ac2b25d
parent b960e3633a
3 changed files with 53 additions and 20 deletions
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@ -20,7 +20,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"strconv"
 	"strings"

 	"github.com/ceph/ceph-csi/internal/util"
@ -242,10 +241,27 @@ func (rv *rbdVolume) openEncryptedDevice(ctx context.Context, devicePath string)
 }

 func (ri *rbdImage) initKMS(ctx context.Context, volOptions, credentials map[string]string) error {
+	kmsID, err := ri.ParseEncryptionOpts(ctx, volOptions)
+	if err != nil {
+		return err
+	} else if kmsID == "" {
+		return nil
+	}
+
+	err = ri.configureEncryption(kmsID, credentials)
+	if err != nil {
+		return fmt.Errorf("invalid encryption kms configuration: %w", err)
+	}
+
+	return nil
+}
+
+// ParseEncryptionOpts returns kmsID and sets Owner attribute.
+func (ri *rbdImage) ParseEncryptionOpts(ctx context.Context, volOptions map[string]string) (string, error) {
 	var (
 		err              error
 		ok               bool
-		encrypted string
+		encrypted, kmsID string
 	)

 	// if the KMS is of type VaultToken, additional metadata is needed
@ -259,23 +275,14 @@ func (ri *rbdImage) initKMS(ctx context.Context, volOptions, credentials map[str

 	encrypted, ok = volOptions["encrypted"]
 	if !ok {
-		return nil
+		return "", nil
 	}
-
-	isEncrypted, err := strconv.ParseBool(encrypted)
+	kmsID, err = util.FetchEncryptionKMSID(encrypted, volOptions["encryptionKMSID"])
 	if err != nil {
-		return fmt.Errorf(
-			"invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
-	} else if !isEncrypted {
-		return nil
+		return "", err
 	}

-	err = ri.configureEncryption(volOptions["encryptionKMSID"], credentials)
-	if err != nil {
-		return fmt.Errorf("invalid encryption kms configuration: %w", err)
-	}
-
-	return nil
+	return kmsID, nil
 }

 // configureEncryption sets up the VolumeEncryption for this rbdImage. Once
--- a/internal/rbd/rbd_journal.go
+++ b/internal/rbd/rbd_journal.go
@ -523,7 +523,7 @@ func undoVolReservation(ctx context.Context, rbdVol *rbdVolume, cr *util.Credent

 // RegenerateJournal performs below operations
 // Extract parameters journalPool, pool from volumeAttributes
-// Extract optional parameter volumeNamePrefix from volumeAttributes
+// Extract optional parameters volumeNamePrefix, kmsID, owner from volumeAttributes
 // Extract information from volumeID
 // Get pool ID from pool name
 // Extract uuid from volumeID
@ -540,6 +540,8 @@ func RegenerateJournal(
 		options map[string]string
 		vi      util.CSIIdentifier
 		rbdVol  *rbdVolume
+		kmsID   string
+		err     error
 		ok      bool
 	)

@ -547,12 +549,17 @@ func RegenerateJournal(
 	rbdVol = &rbdVolume{}
 	rbdVol.VolID = volumeID

-	err := vi.DecomposeCSIID(rbdVol.VolID)
+	err = vi.DecomposeCSIID(rbdVol.VolID)
 	if err != nil {
 		return "", fmt.Errorf("%w: error decoding volume ID (%s) (%s)",
 			ErrInvalidVolID, err, rbdVol.VolID)
 	}

+	kmsID, err = rbdVol.ParseEncryptionOpts(ctx, volumeAttributes)
+	if err != nil {
+		return "", err
+	}
+
 	// TODO check clusterID mapping exists
 	rbdVol.ClusterID = vi.ClusterID
 	options["clusterID"] = rbdVol.ClusterID
@ -590,7 +597,6 @@ func RegenerateJournal(
 	rbdVol.RequestName = requestName
 	rbdVol.NamePrefix = volumeAttributes["volumeNamePrefix"]

-	kmsID := ""
 	imageData, err := j.CheckReservation(
 		ctx, rbdVol.JournalPool, rbdVol.RequestName, rbdVol.NamePrefix, "", kmsID)
 	if err != nil {
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
@ -23,6 +23,7 @@ import (
 	"errors"
 	"fmt"
 	"path"
+	"strconv"
 	"strings"
 )

@ -60,6 +61,25 @@ type VolumeEncryption struct {
 	id string
 }

+// FetchEncryptionKMSID returns non-empty kmsID if 'encrypted' parameter is evaluated as true.
+func FetchEncryptionKMSID(encrypted, kmsID string) (string, error) {
+	isEncrypted, err := strconv.ParseBool(encrypted)
+	if err != nil {
+		return "", fmt.Errorf(
+			"invalid value set in 'encrypted': %s (should be \"true\" or \"false\"): %w",
+			encrypted, err)
+	}
+	if !isEncrypted {
+		return "", nil
+	}
+
+	if kmsID == "" {
+		kmsID = defaultKMSType
+	}
+
+	return kmsID, nil
+}
+
 // NewVolumeEncryption creates a new instance of VolumeEncryption and
 // configures the DEKStore. If the KMS does not provide a DEKStore interface,
 // the VolumeEncryption will be created *and* a ErrDEKStoreNeeded is returned.