From cffec0b3f32d73b9688530bedbcdda152d0692e7 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Thu, 25 Feb 2021 17:26:05 +0100
Subject: [PATCH] rbd: configure the DEKStore if the configuration suggests to use metadata
NewVolumeEncryption() will return an indication that an alternative DEKStore needs to be configured in case the KMS does not support it. setKMS() will also set the DEKStore if needed, so renaming it to configureEncryption() makes things clearer.
Signed-off-by: Niels de Vos
---
 internal/rbd/encryption.go | 14 +++++++++++---
 internal/rbd/rbd_util.go | 2 +-
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
index 9f2b4dbfe..183781ee8 100644
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@@ -192,7 +192,7 @@ func (rv *rbdVolume) initKMS(ctx context.Context, volOptions, credentials map[st
 return nil
 }
 
- err = rv.setKMS(volOptions["encryptionKMSID"], credentials)
+ err = rv.configureEncryption(volOptions["encryptionKMSID"], credentials)
 if err != nil {
 return fmt.Errorf("invalid encryption kms configuration: %w", err)
 }
@@ -200,13 +200,21 @@ func (rv *rbdVolume) initKMS(ctx context.Context, volOptions, credentials map[st
 return nil
 }
 
-func (rv *rbdVolume) setKMS(kmsID string, credentials map[string]string) error {
+// configureEncryption sets up the VolumeEncryption for this rbdVolume. Once
+// configured, use isEncrypted() to see if the volume supports encryption.
+func (rv *rbdVolume) configureEncryption(kmsID string, credentials map[string]string) error {
 kms, err := util.GetKMS(rv.Owner, kmsID, credentials)
 if err != nil {
 return err
 }
 
- rv.encryption = &util.VolumeEncryption{KMS: kms}
+ rv.encryption, err = util.NewVolumeEncryption(kms)
+
+ // if the KMS can not store the DEK itself, we'll store it in the
+ // metadata of the RBD image itself
+ if errors.Is(err, util.ErrDEKStoreNeeded) {
+ rv.encryption.SetDEKStore(rv)
+ }
 return nil
 }
 
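Review bot: In configureEncryption the error from `util.NewVolumeEncryption(kms)` is only inspected for `util.ErrDEKStoreNeeded`; any other error is dropped and the method still returns nil, so the caller's `invalid encryption kms configuration` wrap in initKMS never fires for a KMS that fails to initialise. If isEncrypted() is derived from rv.encryption being set, a misconfigured KMS can then be handled as an unencrypted volume, which is a fail-open rather than a fail-closed outcome. Add `} else if err != nil {` / `return err` / `}` after the errors.Is block, or guard with `if err != nil && !errors.Is(err, util.ErrDEKStoreNeeded) { return err }` before it. This also relies on NewVolumeEncryption returning a usable VolumeEncryption together with ErrDEKStoreNeeded, as the commit message implies; a nil rv.encryption on that path would panic in SetDEKStore, so a one-line comment stating that contract above the errors.Is check would help the next reader. The initKMS hunk above and the rbd_util.go call site are renames only and need no change.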
diff --git a/internal/rbd/rbd_util.go b/internal/rbd/rbd_util.go
index 88149e5b0..4cef4ccea 100644
--- a/internal/rbd/rbd_util.go
+++ b/internal/rbd/rbd_util.go
@@ -833,7 +833,7 @@ func genVolFromVolID(ctx context.Context, volumeID string, cr *util.Credentials,
 rbdVol.Owner = imageAttributes.Owner
 
 if imageAttributes.KmsID != "" {
- err = rbdVol.setKMS(imageAttributes.KmsID, secrets)
+ err = rbdVol.configureEncryption(imageAttributes.KmsID, secrets)
 if err != nil {
 return rbdVol, err
 }