mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-18 02:50:30 +00:00
rbd: extract kmsID from volumeAttributes in RegenerateJournal()
This commit adds functionality of extracting encryption kmsID, owner from volumeAttributes in RegenerateJournal() and adds utility functions ParseEncryptionOpts and FetchEncryptionKMSID. Signed-off-by: Rakshith R <rar@redhat.com>
This commit is contained in:
parent
b960e3633a
commit
f05ac2b25d
@ -20,7 +20,6 @@ import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/ceph/ceph-csi/internal/util"
|
||||
@ -242,10 +241,27 @@ func (rv *rbdVolume) openEncryptedDevice(ctx context.Context, devicePath string)
|
||||
}
|
||||
|
||||
func (ri *rbdImage) initKMS(ctx context.Context, volOptions, credentials map[string]string) error {
|
||||
kmsID, err := ri.ParseEncryptionOpts(ctx, volOptions)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if kmsID == "" {
|
||||
return nil
|
||||
}
|
||||
|
||||
err = ri.configureEncryption(kmsID, credentials)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid encryption kms configuration: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// ParseEncryptionOpts returns kmsID and sets Owner attribute.
|
||||
func (ri *rbdImage) ParseEncryptionOpts(ctx context.Context, volOptions map[string]string) (string, error) {
|
||||
var (
|
||||
err error
|
||||
ok bool
|
||||
encrypted string
|
||||
encrypted, kmsID string
|
||||
)
|
||||
|
||||
// if the KMS is of type VaultToken, additional metadata is needed
|
||||
@ -259,23 +275,14 @@ func (ri *rbdImage) initKMS(ctx context.Context, volOptions, credentials map[str
|
||||
|
||||
encrypted, ok = volOptions["encrypted"]
|
||||
if !ok {
|
||||
return nil
|
||||
return "", nil
|
||||
}
|
||||
|
||||
isEncrypted, err := strconv.ParseBool(encrypted)
|
||||
kmsID, err = util.FetchEncryptionKMSID(encrypted, volOptions["encryptionKMSID"])
|
||||
if err != nil {
|
||||
return fmt.Errorf(
|
||||
"invalid value set in 'encrypted': %s (should be \"true\" or \"false\")", encrypted)
|
||||
} else if !isEncrypted {
|
||||
return nil
|
||||
return "", err
|
||||
}
|
||||
|
||||
err = ri.configureEncryption(volOptions["encryptionKMSID"], credentials)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid encryption kms configuration: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
return kmsID, nil
|
||||
}
|
||||
|
||||
// configureEncryption sets up the VolumeEncryption for this rbdImage. Once
|
||||
|
@ -523,7 +523,7 @@ func undoVolReservation(ctx context.Context, rbdVol *rbdVolume, cr *util.Credent
|
||||
|
||||
// RegenerateJournal performs below operations
|
||||
// Extract parameters journalPool, pool from volumeAttributes
|
||||
// Extract optional parameter volumeNamePrefix from volumeAttributes
|
||||
// Extract optional parameters volumeNamePrefix, kmsID, owner from volumeAttributes
|
||||
// Extract information from volumeID
|
||||
// Get pool ID from pool name
|
||||
// Extract uuid from volumeID
|
||||
@ -540,6 +540,8 @@ func RegenerateJournal(
|
||||
options map[string]string
|
||||
vi util.CSIIdentifier
|
||||
rbdVol *rbdVolume
|
||||
kmsID string
|
||||
err error
|
||||
ok bool
|
||||
)
|
||||
|
||||
@ -547,12 +549,17 @@ func RegenerateJournal(
|
||||
rbdVol = &rbdVolume{}
|
||||
rbdVol.VolID = volumeID
|
||||
|
||||
err := vi.DecomposeCSIID(rbdVol.VolID)
|
||||
err = vi.DecomposeCSIID(rbdVol.VolID)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("%w: error decoding volume ID (%s) (%s)",
|
||||
ErrInvalidVolID, err, rbdVol.VolID)
|
||||
}
|
||||
|
||||
kmsID, err = rbdVol.ParseEncryptionOpts(ctx, volumeAttributes)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
// TODO check clusterID mapping exists
|
||||
rbdVol.ClusterID = vi.ClusterID
|
||||
options["clusterID"] = rbdVol.ClusterID
|
||||
@ -590,7 +597,6 @@ func RegenerateJournal(
|
||||
rbdVol.RequestName = requestName
|
||||
rbdVol.NamePrefix = volumeAttributes["volumeNamePrefix"]
|
||||
|
||||
kmsID := ""
|
||||
imageData, err := j.CheckReservation(
|
||||
ctx, rbdVol.JournalPool, rbdVol.RequestName, rbdVol.NamePrefix, "", kmsID)
|
||||
if err != nil {
|
||||
|
@ -23,6 +23,7 @@ import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"path"
|
||||
"strconv"
|
||||
"strings"
|
||||
)
|
||||
|
||||
@ -60,6 +61,25 @@ type VolumeEncryption struct {
|
||||
id string
|
||||
}
|
||||
|
||||
// FetchEncryptionKMSID returns non-empty kmsID if 'encrypted' parameter is evaluated as true.
|
||||
func FetchEncryptionKMSID(encrypted, kmsID string) (string, error) {
|
||||
isEncrypted, err := strconv.ParseBool(encrypted)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf(
|
||||
"invalid value set in 'encrypted': %s (should be \"true\" or \"false\"): %w",
|
||||
encrypted, err)
|
||||
}
|
||||
if !isEncrypted {
|
||||
return "", nil
|
||||
}
|
||||
|
||||
if kmsID == "" {
|
||||
kmsID = defaultKMSType
|
||||
}
|
||||
|
||||
return kmsID, nil
|
||||
}
|
||||
|
||||
// NewVolumeEncryption creates a new instance of VolumeEncryption and
|
||||
// configures the DEKStore. If the KMS does not provide a DEKStore interface,
|
||||
// the VolumeEncryption will be created *and* a ErrDEKStoreNeeded is returned.
|
||||
|
Loading…
Reference in New Issue
Block a user