Change sealedvolume CRD to add more fields to the partition

We use those fields to identify which partition is requested. On the
client side, the label is not available when the partition is encrypted.
We allow the client to request the passphrase for a partition using the
partition name (e.g. /dev/sdb1) or the UUID (as returned by blkid).

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
This commit is contained in:
Dimitris Karakasilis 2022-11-09 12:45:02 +02:00
parent a3df62df03
commit 7a07d5c45b
No known key found for this signature in database
GPG Key ID: 286DCAFD2C97DDE3
4 changed files with 58 additions and 26 deletions


@ -26,10 +26,20 @@ import (
// SealedVolumeSpec defines the desired state of SealedVolume // SealedVolumeSpec defines the desired state of SealedVolume
type SealedVolumeSpec struct { type SealedVolumeSpec struct {
TPMHash string `json:"TPMHash,omitempty"` TPMHash string `json:"TPMHash,omitempty"`
Passphrase map[string]*SecretSpec `json:"partitionSecrets,omitempty"` Partitions []PartitionSpec `json:"partitions,omitempty"`
Quarantined bool `json:"quarantined,omitempty"` Quarantined bool `json:"quarantined,omitempty"`
} }
// PartitionSpec defines a Partition. A partition can be identified using
// any of the fields: Label, DeviceName, UUID. The Secret defines the secret
// which decrypts the partition.
type PartitionSpec struct {
Label string `json:"label"`
DeviceName string `json:"deviceName"`
UUID string `json:"uuid"`
Secret *SecretSpec `json:"secret"`
}
type SecretSpec struct { type SecretSpec struct {
Name string `json:"name,omitempty"` Name string `json:"name,omitempty"`
Path string `json:"path,omitempty"` Path string `json:"path,omitempty"`
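Review bot: The json tags on the new PartitionSpec fields (`json:"label"`, `json:"deviceName"`, `json:"uuid"`) carry no `omitempty`, so the generated CRD marks all three identifiers required, which contradicts the comment that a partition "can be identified using any of the fields" and the commit message's use case of a client that only has a device name or UUID. Tagging them `json:"label,omitempty"` (and likewise for deviceName and uuid), or adding `// +optional`, lets a SealedVolume carry a single identifier, and a `// +kubebuilder:validation:MinLength=1` marker on each keeps an identifier that is present from being the empty string, which a plain `==` comparison on the server would otherwise match; Secret should stay required. The accompanying generated DeepCopyInto for PartitionSpec only assigns the pointer (`out.Secret = in.Secret`) and SealedVolumeSpec falls back to `copy(*out, *in)`, so a DeepCopy of a SealedVolume shares its SecretSpec values with the original, contrary to what callers of DeepCopy expect; re-running controller-gen after the tag change should produce the nil-check-and-allocate form, and if it does not, that file needs a closer look. This hunk shows only part of the api types file, so any validation markers on SealedVolumeSpec itself are outside view.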


@ -25,6 +25,22 @@ import (
runtime "k8s.io/apimachinery/pkg/runtime" runtime "k8s.io/apimachinery/pkg/runtime"
) )
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PartitionSpec) DeepCopyInto(out *PartitionSpec) {
*out = *in
out.Secret = in.Secret
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PartitionSpec.
func (in *PartitionSpec) DeepCopy() *PartitionSpec {
if in == nil {
return nil
}
out := new(PartitionSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SealedVolume) DeepCopyInto(out *SealedVolume) { func (in *SealedVolume) DeepCopyInto(out *SealedVolume) {
*out = *in *out = *in
@ -87,20 +103,10 @@ func (in *SealedVolumeList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SealedVolumeSpec) DeepCopyInto(out *SealedVolumeSpec) { func (in *SealedVolumeSpec) DeepCopyInto(out *SealedVolumeSpec) {
*out = *in *out = *in
if in.Passphrase != nil { if in.Partitions != nil {
in, out := &in.Passphrase, &out.Passphrase in, out := &in.Partitions, &out.Partitions
*out = make(map[string]*SecretSpec, len(*in)) *out = make([]PartitionSpec, len(*in))
for key, val := range *in { copy(*out, *in)
var outVal *SecretSpec
if val == nil {
(*out)[key] = nil
} else {
in, out := &val, &outVal
*out = new(SecretSpec)
**out = **in
}
(*out)[key] = outVal
}
} }
} }


@ -37,15 +37,32 @@ spec:
properties: properties:
TPMHash: TPMHash:
type: string type: string
partitionSecrets: partitions:
additionalProperties: items:
description: 'PartitionSpec defines a Partition. A partition can
be identified using any of the fields: Label, DeviceName, UUID.
The Secret defines the secret which decrypts the partition.'
properties:
deviceName:
type: string
label:
type: string
secret:
properties: properties:
name: name:
type: string type: string
path: path:
type: string type: string
type: object type: object
uuid:
type: string
required:
- deviceName
- label
- secret
- uuid
type: object type: object
type: array
quarantined: quarantined:
type: boolean type: boolean
type: object type: object


@ -92,12 +92,11 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
var passsecret *keyserverv1alpha1.SecretSpec var passsecret *keyserverv1alpha1.SecretSpec
for _, v := range volumeList.Items { for _, v := range volumeList.Items {
if hashEncoded == v.Spec.TPMHash { if hashEncoded == v.Spec.TPMHash {
for l, secretRef := range v.Spec.Passphrase { for _, p := range v.Spec.Partitions {
// TODO: Try the rest of the data (name, mountpoint) if label is not found if p.Label == label || p.DeviceName == name || p.UUID == uuid {
if l == label {
found = true found = true
volume = v volume = v
passsecret = secretRef passsecret = p.Secret
} }
} }
} }
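Review bot: The new match `if p.Label == label || p.DeviceName == name || p.UUID == uuid {` compares client-supplied selectors (presumably parsed from the request earlier in Start) against stored fields without requiring either side to be non-empty, so a request that omits a selector — the commit message says the label is unavailable for an encrypted partition — matches any PartitionSpec whose corresponding field is also empty, and the passphrase for a different partition under the same TPMHash can be released. Each comparison should require a value, e.g. `(label != "" && p.Label == label) || (name != "" && p.DeviceName == name) || (uuid != "" && p.UUID == uuid)`. The loop also keeps iterating after a hit, so when two entries match the last one silently wins; breaking on the first match, or treating more than one match as an error, would make the selection deterministic and auditable. A device name such as /dev/sdb1 is not stable across boots or hardware changes, so when both are present the UUID should take precedence over the name. The enclosing Start function begins before the hunk and continues after it.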