Change sealedvolume CRD to add more fields to the partition

We use those field to identify which partition is requested. On the client side, the label is not available when the partition is encrypted. We allow the client to request the passphrase for a partition using the partition name (e.g. /dev/sdb1) or the UUID (as returned by blkid). Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
2025-05-11 09:55:21 +00:00 · 2022-11-09 12:45:02 +02:00 · 2022-11-09 12:45:02 +02:00 · 7a07d5c45b
commit 7a07d5c45b
parent a3df62df03
4 changed files with 58 additions and 26 deletions
--- a/api/v1alpha1/sealedvolume_types.go
+++ b/api/v1alpha1/sealedvolume_types.go
@ -25,9 +25,19 @@ import (

 // SealedVolumeSpec defines the desired state of SealedVolume
 type SealedVolumeSpec struct {
-	TPMHash     string                 `json:"TPMHash,omitempty"`
-	Passphrase  map[string]*SecretSpec `json:"partitionSecrets,omitempty"`
-	Quarantined bool                   `json:"quarantined,omitempty"`
+	TPMHash     string          `json:"TPMHash,omitempty"`
+	Partitions  []PartitionSpec `json:"partitions,omitempty"`
+	Quarantined bool            `json:"quarantined,omitempty"`
+}
+
+// PartitionSpec defines a Partition. A partition can be identified using
+// any of the fields: Label, DeviceName, UUID. The Secret defines the secret
+// which decrypts the partition.
+type PartitionSpec struct {
+	Label      string      `json:"label"`
+	DeviceName string      `json:"deviceName"`
+	UUID       string      `json:"uuid"`
+	Secret     *SecretSpec `json:"secret"`
 }

 type SecretSpec struct {
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@ -25,6 +25,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PartitionSpec) DeepCopyInto(out *PartitionSpec) {
+	*out = *in
+	out.Secret = in.Secret
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PartitionSpec.
+func (in *PartitionSpec) DeepCopy() *PartitionSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PartitionSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SealedVolume) DeepCopyInto(out *SealedVolume) {
 	*out = *in
@ -87,20 +103,10 @@ func (in *SealedVolumeList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SealedVolumeSpec) DeepCopyInto(out *SealedVolumeSpec) {
 	*out = *in
-	if in.Passphrase != nil {
-		in, out := &in.Passphrase, &out.Passphrase
-		*out = make(map[string]*SecretSpec, len(*in))
-		for key, val := range *in {
-			var outVal *SecretSpec
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				in, out := &val, &outVal
-				*out = new(SecretSpec)
-				**out = **in
-			}
-			(*out)[key] = outVal
-		}
+	if in.Partitions != nil {
+		in, out := &in.Partitions, &out.Partitions
+		*out = make([]PartitionSpec, len(*in))
+		copy(*out, *in)
 	}
 }

--- a/config/crd/bases/keyserver.kairos.io_sealedvolumes.yaml
+++ b/config/crd/bases/keyserver.kairos.io_sealedvolumes.yaml
@ -37,15 +37,32 @@ spec:
            properties:
              TPMHash:
                type: string
-              partitionSecrets:
-                additionalProperties:
+              partitions:
+                items:
+                  description: 'PartitionSpec defines a Partition. A partition can
+                    be identified using any of the fields: Label, DeviceName, UUID.
+                    The Secret defines the secret which decrypts the partition.'
                  properties:
-                    name:
+                    deviceName:
                      type: string
-                    path:
+                    label:
                      type: string
+                    secret:
+                      properties:
+                        name:
+                          type: string
+                        path:
+                          type: string
+                      type: object
+                    uuid:
+                      type: string
+                  required:
+                  - deviceName
+                  - label
+                  - secret
+                  - uuid
                  type: object
-                type: object
+                type: array
              quarantined:
                type: boolean
            type: object
--- a/pkg/challenger/challenger.go
+++ b/pkg/challenger/challenger.go
@ -92,12 +92,11 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
 			var passsecret *keyserverv1alpha1.SecretSpec
 			for _, v := range volumeList.Items {
 				if hashEncoded == v.Spec.TPMHash {
-					for l, secretRef := range v.Spec.Passphrase {
-						// TODO: Try the rest of the data (name, mountpoint) if label is not found
-						if l == label {
+					for _, p := range v.Spec.Partitions {
+						if p.Label == label || p.DeviceName == name || p.UUID == uuid {
 							found = true
 							volume = v
-							passsecret = secretRef
+							passsecret = p.Secret
 						}
 					}
 				}