From f08182e2fcf07cbc16dedbeaa2cb6d012f41c897 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Wed, 2 Dec 2020 15:44:16 +0100
Subject: [PATCH] rbd: pass Owner to GetKMS()

Signed-off-by: Niels de Vos
---
 internal/rbd/rbd_util.go | 4 ++--
 internal/util/crypto.go | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/internal/rbd/rbd_util.go b/internal/rbd/rbd_util.go
index 17e72eaa0..142e9a3c8 100644
--- a/internal/rbd/rbd_util.go
+++ b/internal/rbd/rbd_util.go
@@ -740,7 +740,7 @@ func genVolFromVolID(ctx context.Context, volumeID string, cr *util.Credentials,
 
 if imageAttributes.KmsID != "" {
 rbdVol.Encrypted = true
-rbdVol.KMS, err = util.GetKMS(imageAttributes.KmsID, secrets)
+rbdVol.KMS, err = util.GetKMS(rbdVol.Owner, imageAttributes.KmsID, secrets)
 if err != nil {
 return rbdVol, err
 }
@@ -838,7 +838,7 @@ func genVolFromVolumeOptions(ctx context.Context, volOptions, credentials map[st
 // deliberately ignore if parsing failed as GetKMS will return default
 // implementation of kmsID is empty
 kmsID := volOptions["encryptionKMSID"]
-rbdVol.KMS, err = util.GetKMS(kmsID, credentials)
+rbdVol.KMS, err = util.GetKMS(rbdVol.Owner, kmsID, credentials)
 if err != nil {
 return nil, fmt.Errorf("invalid encryption kms configuration: %w", err)
 }
diff --git a/internal/util/crypto.go b/internal/util/crypto.go
index 29c5553d0..04057ac74 100644
--- a/internal/util/crypto.go
+++ b/internal/util/crypto.go
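Review bot: In the genVolFromVolID hunk, `rbdVol.Owner` is handed to `util.GetKMS` as the tenant, but nothing in the hunk shows where Owner is populated; on this path it presumably comes from the image's journal attributes, and if that assignment happens after this call (or is absent for older images) the KMS receives an empty tenant. Because the tenant decides which Kubernetes namespace's Vault token is read, an empty or stale owner should fail closed rather than be passed through, e.g. `if rbdVol.Owner == "" { return rbdVol, fmt.Errorf("volume %s: owner unknown, cannot select KMS tenant", volumeID) }` ahead of the call for non-default KMS IDs — or confirm that GetKMS itself rejects an empty tenant for tenant-scoped backends. The same question applies to the genVolFromVolumeOptions hunk, where Owner is likewise not visibly set. Both enclosing functions begin before their hunks, so the ordering cannot be confirmed from here.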
@@ -97,7 +97,13 @@ func (kms SecretsKMS) GetID() string {
 }
 
 // GetKMS returns an instance of Key Management System.
-func GetKMS(kmsID string, secrets map[string]string) (EncryptionKMS, error) {
+//
+// - tenant is the owner of the Volume, used to fetch the Vault Token from the
+// Kubernetes Namespace where the PVC lives
+// - kmsID is the service name of the KMS configuration
+// - secrets contain additional details, like TLS certificates to connect to
+// the KMS
+func GetKMS(tenant, kmsID string, secrets map[string]string) (EncryptionKMS, error) {
 if kmsID == "" || kmsID == defaultKMSType {
 return initSecretsKMS(secrets)
 }
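Review bot: The new `tenant` parameter is not consulted in the visible part of GetKMS, and the doc comment added above the signature says it selects the Vault token from the PVC's namespace without stating what an empty value means; callers pass `rbdVol.Owner`, which may be empty when no owner is recorded. Since tenant decides whose Kubernetes Secret is read, the contract should be explicit — append `// An empty tenant is only valid for the default SecretsKMS and for KMS types that do not use per-tenant credentials; tenant-scoped backends must return an error for it.` to the doc comment, and have the non-default branch enforce that. The remainder of GetKMS lies outside the hunk, so whether such a check already exists cannot be confirmed here.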