doc: Update docs for rbd-pv-key-rotation
This commit updates the key rotation docs with the following changes:

- Do not call LuksVerify
- Mention specifics of RWX volumes
- Rename the file to represent RBD backed volumes

Signed-off-by: black-dragon74 <[email protected]>
black-dragon74 committed Jul 16, 2024
1 parent cab0994 commit 999bbfc
Showing 1 changed file with 8 additions and 6 deletions.
Expand Up @@ -4,6 +4,8 @@

Subject of this proposal is to add support for rotation of encryption keys (KEKs) for encrypted volumes in Ceph-CSI.

Support for rotating keys on RWX/ROX volumes is out of scope for now and shall be added later.

## Document Terminology

- Encryption Key: The passphrase that is used to encrypt and open the device.
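
Review bot: The new sentence about RWX/ROX volumes says rotation is out of scope but does not say what happens when a rotation request targets such a volume today. State the behaviour explicitly (for example, whether the request is rejected with an error or silently skipped) so an operator does not assume the key was rotated. If there is a tracking issue for the later work, link it next to "shall be added later".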
Expand All @@ -13,7 +15,7 @@ Subject of this proposal is to add support for rotation of encryption keys (KEKs

The proposed solution in this document, is to address the periodic rotation of encryption keys for encrypted volumes.

This document outlines the rotation steps for PVCs backed by RBD and will be updated with other volume types as they are supported.
This document outlines the rotation steps for PVCs backed by RBD.

### Implementation Summary
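
Review bot: Narrowing this sentence to "PVCs backed by RBD" leaves the document's opening sentence ("rotation of encryption keys (KEKs) for encrypted volumes in Ceph-CSI") broader than what the document now covers. Consider scoping the introduction to RBD-backed volumes as well, in line with the file rename mentioned in the commit message. Minor style point while here: the unchanged line above has a stray comma in "in this document, is to address".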

Expand All @@ -29,13 +31,15 @@ The following new methods are added to `cryptsetup.go` for handling the key rota

### Implementation Details

The encryption key rotation request will contain with it the volume ID, credentials and secrets.
The encryption key rotation request will contain with it the volume ID and secrets.

The secrets are used to generate the credentials for authenticating against a ceph cluster.

These values are then used to call `GenVolFromVolID` to get the rbdVolume structure.

The `VolumeEncryption` struct is modified to make `generateNewEncryptionPassphrase` a public member function.

A metadata is set on the RBD image to indicate that the image is being processed for keyrotation. Presence of this metadata will prevent the same image being processed again.
The `EncryptionKeyRotation` service is registered and implemented on the node-plugin.

The following steps are followed to process the device for key rotation:
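
Review bot: Dropping the paragraph about the metadata set on the RBD image removes the only statement of what stops the same image from being processed for key rotation twice, and the replacement line about the `EncryptionKeyRotation` service on the node-plugin does not cover that. Document what now guards against repeated or concurrent rotation of one volume, or state that no guard is needed and why. The wording "will contain with it the volume ID and secrets" could also be tightened to "contains the volume ID and secrets".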

Expand All @@ -45,11 +49,9 @@ The following steps are followed to process the device for key rotation:
- Add the fetched key to LUKS slot 1, this will serve as a backup of the key.
- Generate a new key and store it locally. It will be updated in the KMS at later steps.
- Remove the exsitng key from slot 0 upon verifying that the key in KMS == the key in slot 0.
- Add new key to slot 0 and then call `LuksVerifyKey` to verify that the slot was successfully updated.
- Add new key to slot 0.
- Update the new key in the KMS.
- Fetch the key again and verify that the key in KMS == the new key we generated.
- We can now remove the backup key from slot 1.

These order of the above steps guarantees that we always have one key that can unlock the encrypted volume.

The set metadata is removed once the key rotation is complete.
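
Review bot: With the `LuksVerifyKey` call gone from the "Add new key to slot 0" step, nothing in the list confirms that slot 0 accepts the new key before the last step removes the backup from slot 1; the "Fetch the key again" step only compares the KMS copy with the generated key. Because the closing sentence claims that one key can always unlock the volume, either explain why the slot check is unnecessary or add a verification step before the slot 1 removal. Two typos remain in the unchanged lines: "exsitng" and "These order of the above steps".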
