|
| 1 | +// SPDX-License-Identifier: Apache-2.0 |
| 2 | + |
| 3 | +/* |
| 4 | +Copyright 2026 Cozystack contributors. |
| 5 | +
|
| 6 | +Licensed under the Apache License, Version 2.0 (the "License"); |
| 7 | +you may not use this file except in compliance with the License. |
| 8 | +You may obtain a copy of the License at |
| 9 | +
|
| 10 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 11 | +
|
| 12 | +Unless required by applicable law or agreed to in writing, software |
| 13 | +distributed under the License is distributed on an "AS IS" BASIS, |
| 14 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 15 | +See the License for the specific language governing permissions and |
| 16 | +limitations under the License. |
| 17 | +*/ |
| 18 | + |
| 19 | +// Package passphrase centralises access to the cluster master |
| 20 | +// passphrase Secret — the value `linstor encryption |
| 21 | +// create-passphrase` stamps (POST /v1/encryption/passphrase, served |
| 22 | +// by pkg/rest/encryption.go) and the LUKS layer consumes. |
| 23 | +// |
| 24 | +// Bug 023: before this package, the Secret was written by the REST |
| 25 | +// layer but never read outside it — the LUKS RD-create gate and the |
| 26 | +// satellite-facing dispatch chain only consulted the legacy |
| 27 | +// plaintext controller property `DrbdOptions/EncryptPassphrase`, so |
| 28 | +// the upstream-standard `encryption create-passphrase` → |
| 29 | +// `rd create --layer-list ...,luks,...` flow dead-ended with a hint |
| 30 | +// telling operators to put a PLAINTEXT passphrase into a controller |
| 31 | +// prop. Both the REST gate (pkg/rest) and the satellite-side |
| 32 | +// dispatch (pkg/satellite/controllers) now resolve the passphrase |
| 33 | +// through this single implementation. |
| 34 | +package passphrase |
| 35 | + |
| 36 | +import ( |
| 37 | + "context" |
| 38 | + |
| 39 | + "github.com/cockroachdb/errors" |
| 40 | + corev1 "k8s.io/api/core/v1" |
| 41 | + apierrors "k8s.io/apimachinery/pkg/api/errors" |
| 42 | + "sigs.k8s.io/controller-runtime/pkg/client" |
| 43 | + |
| 44 | + blockstoriov1alpha1 "github.com/cozystack/blockstor/api/v1alpha1" |
| 45 | +) |
| 46 | + |
| 47 | +// DefaultSecretName is the Secret the controller falls back to when |
| 48 | +// ControllerConfig.Spec.PassphraseSecretRef is unset. Operators |
| 49 | +// override via the ControllerConfig CRD. |
| 50 | +const DefaultSecretName = "blockstor-cluster-passphrase" |
| 51 | + |
| 52 | +// SecretKey is the data key inside the Secret carrying the cluster |
| 53 | +// passphrase. Matches the upstream-LINSTOR-on-k8s convention so |
| 54 | +// existing Secret YAML manifests continue to work. |
| 55 | +const SecretKey = "passphrase" |
| 56 | + |
| 57 | +// PropKeyCanonical is upstream LINSTOR's cluster-scope master-key |
| 58 | +// property name (`linstor controller set-property |
| 59 | +// DrbdOptions/EncryptPassphrase <pass>`). Bug 023: this LEGACY path |
| 60 | +// stores the passphrase in PLAINTEXT on the ControllerConfig CRD — |
| 61 | +// kept working for backward compatibility, but the Secret written |
| 62 | +// by `encryption create-passphrase` is the primary mechanism. |
| 63 | +const PropKeyCanonical = "DrbdOptions/EncryptPassphrase" |
| 64 | + |
| 65 | +// PropKeyLegacy is the early-Phase-9 per-RD alias the dispatcher |
| 66 | +// still alias-reads (Bug 265 history, pkg/dispatcher). Deprecated. |
| 67 | +const PropKeyLegacy = "DrbdOptions/Encryption/passphrase" |
| 68 | + |
| 69 | +// SecretName resolves the passphrase Secret's name from the |
| 70 | +// singleton ControllerConfig, falling back to DefaultSecretName when |
| 71 | +// the ControllerConfig is absent or doesn't pin a reference. The |
| 72 | +// fallback lets operators get a working cluster without first |
| 73 | +// applying a ControllerConfig CRD. |
| 74 | +func SecretName(ctx context.Context, reader client.Reader) (string, error) { |
| 75 | + var ctrlConfig blockstoriov1alpha1.ControllerConfig |
| 76 | + |
| 77 | + err := reader.Get(ctx, client.ObjectKey{Name: blockstoriov1alpha1.ControllerConfigName}, &ctrlConfig) |
| 78 | + if err != nil { |
| 79 | + if apierrors.IsNotFound(err) { |
| 80 | + return DefaultSecretName, nil |
| 81 | + } |
| 82 | + |
| 83 | + return "", errors.Wrap(err, "get ControllerConfig") |
| 84 | + } |
| 85 | + |
| 86 | + if ctrlConfig.Spec.PassphraseSecretRef != nil && ctrlConfig.Spec.PassphraseSecretRef.Name != "" { |
| 87 | + return ctrlConfig.Spec.PassphraseSecretRef.Name, nil |
| 88 | + } |
| 89 | + |
| 90 | + return DefaultSecretName, nil |
| 91 | +} |
| 92 | + |
| 93 | +// Read returns the cluster master passphrase from the encryption |
| 94 | +// Secret in the given namespace. Empty string (not an error) means |
| 95 | +// "not yet set" — the Secret is missing or carries an empty value; |
| 96 | +// that's the explicit signal the create/enter handshake relies on. |
| 97 | +func Read(ctx context.Context, reader client.Reader, namespace string) (string, error) { |
| 98 | + name, err := SecretName(ctx, reader) |
| 99 | + if err != nil { |
| 100 | + return "", err |
| 101 | + } |
| 102 | + |
| 103 | + var sec corev1.Secret |
| 104 | + |
| 105 | + err = reader.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, &sec) |
| 106 | + if err != nil { |
| 107 | + if apierrors.IsNotFound(err) { |
| 108 | + return "", nil |
| 109 | + } |
| 110 | + |
| 111 | + return "", errors.Wrap(err, "get passphrase Secret") |
| 112 | + } |
| 113 | + |
| 114 | + return string(sec.Data[SecretKey]), nil |
| 115 | +} |
0 commit comments