ceph · mergify · Mar 12, 2024 · Mar 4, 2024
diff --git a/internal/cephfs/controllerserver.go b/internal/cephfs/controllerserver.go
@@ -77,7 +77,7 @@ func (cs *ControllerServer) createBackingVolume(
 		&volOptions.SubVolume, volOptions.ClusterID, cs.ClusterName, cs.SetMetadata)
 
 	if sID != nil {
-		err = parentVolOpt.CopyEncryptionConfig(volOptions, sID.SnapshotID, vID.VolumeID)
+		err = parentVolOpt.CopyEncryptionConfig(ctx, volOptions, sID.SnapshotID, vID.VolumeID)
 		if err != nil {
 			return status.Error(codes.Internal, err.Error())
 		}
@@ -86,7 +86,7 @@ func (cs *ControllerServer) createBackingVolume(
 	}
 
 	if parentVolOpt != nil {
-		err = parentVolOpt.CopyEncryptionConfig(volOptions, pvID.VolumeID, vID.VolumeID)
+		err = parentVolOpt.CopyEncryptionConfig(ctx, volOptions, pvID.VolumeID, vID.VolumeID)
 		if err != nil {
 			return status.Error(codes.Internal, err.Error())
 		}
@@ -596,7 +596,7 @@ func (cs *ControllerServer) cleanUpBackingVolume(
 		// GetSecret enabled KMS the DEKs are stored by
 		// fscrypt on the volume that is going to be deleted anyway.
 		log.DebugLog(ctx, "going to remove DEK for integrated store %q (fscrypt)", volOptions.Encryption.GetID())
-		if err := volOptions.Encryption.RemoveDEK(volID.VolumeID); err != nil {
+		if err := volOptions.Encryption.RemoveDEK(ctx, volID.VolumeID); err != nil {
 			log.WarningLog(ctx, "failed to clean the passphrase for volume %q (file encryption): %s",
 				volOptions.VolID, err)
 		}
@@ -907,7 +907,7 @@ func (cs *ControllerServer) CreateSnapshot(
 	// Use same encryption KMS than source volume and copy the passphrase. The passphrase becomes
 	// available under the snapshot id for CreateVolume to use this snap as a backing volume
 	snapVolOptions := store.VolumeOptions{}
-	err = parentVolOptions.CopyEncryptionConfig(&snapVolOptions, sourceVolID, sID.SnapshotID)
+	err = parentVolOptions.CopyEncryptionConfig(ctx, &snapVolOptions, sourceVolID, sID.SnapshotID)
 	if err != nil {
 		return nil, status.Error(codes.Internal, err.Error())
 	}

diff --git a/internal/cephfs/store/volumeoptions.go b/internal/cephfs/store/volumeoptions.go
@@ -901,7 +901,7 @@ func IsEncrypted(ctx context.Context, volOptions map[string]string) (bool, error
 
 // CopyEncryptionConfig copies passphrases and initializes a fresh
 // Encryption struct if necessary from (vo, vID) to (cp, cpVID).
-func (vo *VolumeOptions) CopyEncryptionConfig(cp *VolumeOptions, vID, cpVID string) error {
+func (vo *VolumeOptions) CopyEncryptionConfig(ctx context.Context, cp *VolumeOptions, vID, cpVID string) error {
 	var err error
 
 	if !vo.IsEncrypted() {
@@ -916,21 +916,21 @@ func (vo *VolumeOptions) CopyEncryptionConfig(cp *VolumeOptions, vID, cpVID stri
 	if cp.Encryption == nil {
 		cp.Encryption, err = util.NewVolumeEncryption(vo.Encryption.GetID(), vo.Encryption.KMS)
 		if errors.Is(err, util.ErrDEKStoreNeeded) {
-			_, err := vo.Encryption.KMS.GetSecret("")
+			_, err := vo.Encryption.KMS.GetSecret(ctx, "")
 			if errors.Is(err, kmsapi.ErrGetSecretUnsupported) {
 				return err
 			}
 		}
 	}
 
 	if vo.Encryption.KMS.RequiresDEKStore() == kmsapi.DEKStoreIntegrated {
-		passphrase, err := vo.Encryption.GetCryptoPassphrase(vID)
+		passphrase, err := vo.Encryption.GetCryptoPassphrase(ctx, vID)
 		if err != nil {
 			return fmt.Errorf("failed to fetch passphrase for %q (%+v): %w",
 				vID, vo, err)
 		}
 
-		err = cp.Encryption.StoreCryptoPassphrase(cpVID, passphrase)
+		err = cp.Encryption.StoreCryptoPassphrase(ctx, cpVID, passphrase)
 		if err != nil {
 			return fmt.Errorf("failed to store passphrase for %q (%+v): %w",
 				cpVID, cp, err)
@@ -962,7 +962,7 @@ func (vo *VolumeOptions) ConfigureEncryption(
 		// store. Since not all "metadata" KMS support
 		// GetSecret, test for support here. Postpone any
 		// other error handling
-		_, err := vo.Encryption.KMS.GetSecret("")
+		_, err := vo.Encryption.KMS.GetSecret(ctx, "")
 		if errors.Is(err, kmsapi.ErrGetSecretUnsupported) {
 			return err
 		}

diff --git a/internal/kms/aws_metadata.go b/internal/kms/aws_metadata.go
@@ -183,7 +183,7 @@ func (kms *awsMetadataKMS) getService() (*awsKMS.KMS, error) {
 }
 
 // EncryptDEK uses the Amazon KMS and the configured CMK to encrypt the DEK.
-func (kms *awsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, error) {
+func (kms *awsMetadataKMS) EncryptDEK(ctx context.Context, volumeID, plainDEK string) (string, error) {
 	svc, err := kms.getService()
 	if err != nil {
 		return "", fmt.Errorf("could not get KMS service: %w", err)
@@ -205,7 +205,7 @@ func (kms *awsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, error)
 }
 
 // DecryptDEK uses the Amazon KMS and the configured CMK to decrypt the DEK.
-func (kms *awsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string, error) {
+func (kms *awsMetadataKMS) DecryptDEK(ctx context.Context, volumeID, encryptedDEK string) (string, error) {
 	svc, err := kms.getService()
 	if err != nil {
 		return "", fmt.Errorf("could not get KMS service: %w", err)
@@ -227,6 +227,6 @@ func (kms *awsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string, er
 	return string(result.Plaintext), nil
 }
 
-func (kms *awsMetadataKMS) GetSecret(volumeID string) (string, error) {
+func (kms *awsMetadataKMS) GetSecret(ctx context.Context, volumeID string) (string, error) {
 	return "", ErrGetSecretUnsupported
 }
diff --git a/internal/kms/aws_sts_metadata.go b/internal/kms/aws_sts_metadata.go
@@ -193,7 +193,7 @@ func (as *awsSTSMetadataKMS) getServiceWithSTS() (*awsKMS.KMS, error) {
 }
 
 // EncryptDEK uses the Amazon KMS and the configured CMK to encrypt the DEK.
-func (as *awsSTSMetadataKMS) EncryptDEK(_, plainDEK string) (string, error) {
+func (as *awsSTSMetadataKMS) EncryptDEK(ctx context.Context, _, plainDEK string) (string, error) {
 	svc, err := as.getServiceWithSTS()
 	if err != nil {
 		return "", fmt.Errorf("failed to get KMS service: %w", err)
@@ -213,7 +213,7 @@ func (as *awsSTSMetadataKMS) EncryptDEK(_, plainDEK string) (string, error) {
 }
 
 // DecryptDEK uses the Amazon KMS and the configured CMK to decrypt the DEK.
-func (as *awsSTSMetadataKMS) DecryptDEK(_, encryptedDEK string) (string, error) {
+func (as *awsSTSMetadataKMS) DecryptDEK(ctx context.Context, _, encryptedDEK string) (string, error) {
 	svc, err := as.getServiceWithSTS()
 	if err != nil {
 		return "", fmt.Errorf("failed to get KMS service: %w", err)

diff --git a/internal/kms/keyprotect.go b/internal/kms/keyprotect.go
@@ -204,14 +204,14 @@ func (kms *keyProtectKMS) getService() error {
 }
 
 // EncryptDEK uses the KeyProtect KMS and the configured CRK to encrypt the DEK.
-func (kms *keyProtectKMS) EncryptDEK(volumeID, plainDEK string) (string, error) {
+func (kms *keyProtectKMS) EncryptDEK(ctx context.Context, volumeID, plainDEK string) (string, error) {
 	if err := kms.getService(); err != nil {
 		return "", fmt.Errorf("could not get KMS service: %w", err)
 	}
 
 	dekByteSlice := []byte(plainDEK)
 	aadVolID := []string{volumeID}
-	result, err := kms.client.Wrap(context.TODO(), kms.customerRootKey, dekByteSlice, &aadVolID)
+	result, err := kms.client.Wrap(ctx, kms.customerRootKey, dekByteSlice, &aadVolID)
 	if err != nil {
 		return "", fmt.Errorf("failed to wrap the DEK: %w", err)
 	}
@@ -223,7 +223,7 @@ func (kms *keyProtectKMS) EncryptDEK(volumeID, plainDEK string) (string, error)
 }
 
 // DecryptDEK uses the Key protect KMS and the configured CRK to decrypt the DEK.
-func (kms *keyProtectKMS) DecryptDEK(volumeID, encryptedDEK string) (string, error) {
+func (kms *keyProtectKMS) DecryptDEK(ctx context.Context, volumeID, encryptedDEK string) (string, error) {
 	if err := kms.getService(); err != nil {
 		return "", fmt.Errorf("could not get KMS service: %w", err)
 	}
@@ -235,14 +235,14 @@ func (kms *keyProtectKMS) DecryptDEK(volumeID, encryptedDEK string) (string, err
 	}
 
 	aadVolID := []string{volumeID}
-	result, err := kms.client.Unwrap(context.TODO(), kms.customerRootKey, ciphertextBlob, &aadVolID)
+	result, err := kms.client.Unwrap(ctx, kms.customerRootKey, ciphertextBlob, &aadVolID)
 	if err != nil {
 		return "", fmt.Errorf("failed to unwrap the DEK: %w", err)
 	}
 
 	return string(result), nil
 }
 
-func (kms *keyProtectKMS) GetSecret(volumeID string) (string, error) {
+func (kms *keyProtectKMS) GetSecret(ctx context.Context, volumeID string) (string, error) {
 	return "", ErrGetSecretUnsupported
 }
diff --git a/internal/kms/kmip.go b/internal/kms/kmip.go
@@ -180,7 +180,7 @@ func initKMIPKMS(args ProviderInitArgs) (EncryptionKMS, error) {
 }
 
 // EncryptDEK uses the KMIP encrypt operation to encrypt the DEK.
-func (kms *kmipKMS) EncryptDEK(_, plainDEK string) (string, error) {
+func (kms *kmipKMS) EncryptDEK(ctx context.Context, _, plainDEK string) (string, error) {
 	conn, err := kms.connect()
 	if err != nil {
 		return "", err
@@ -236,7 +236,7 @@ func (kms *kmipKMS) EncryptDEK(_, plainDEK string) (string, error) {
 }
 
 // DecryptDEK uses the KMIP decrypt operation  to decrypt the DEK.
-func (kms *kmipKMS) DecryptDEK(_, encryptedDEK string) (string, error) {
+func (kms *kmipKMS) DecryptDEK(ctx context.Context, _, encryptedDEK string) (string, error) {
 	conn, err := kms.connect()
 	if err != nil {
 		return "", err
@@ -500,7 +500,7 @@ func (kms *kmipKMS) verifyResponse(
 	return &batchItem, nil
 }
 
-func (kms *kmipKMS) GetSecret(volumeID string) (string, error) {
+func (kms *kmipKMS) GetSecret(ctx context.Context, volumeID string) (string, error) {
 	return "", ErrGetSecretUnsupported
 }
 

diff --git a/internal/kms/kms.go b/internal/kms/kms.go
@@ -331,18 +331,18 @@ type EncryptionKMS interface {
 	// EncryptDEK provides a way for a KMS to encrypt a DEK. In case the
 	// encryption is done transparently inside the KMS service, the
 	// function can return an unencrypted value.
-	EncryptDEK(volumeID, plainDEK string) (string, error)
+	EncryptDEK(ctx context.Context, volumeID, plainDEK string) (string, error)
 
 	// DecryptDEK provides a way for a KMS to decrypt a DEK. In case the
 	// encryption is done transparently inside the KMS service, the
 	// function does not need to do anything except return the encyptedDEK
 	// as it was received.
-	DecryptDEK(volumeID, encyptedDEK string) (string, error)
+	DecryptDEK(ctx context.Context, volumeID, encyptedDEK string) (string, error)
 
 	// GetSecret allows external key management systems to
 	// retrieve keys used in EncryptDEK / DecryptDEK to use them
 	// directly. Example: fscrypt uses this to unlock raw protectors
-	GetSecret(volumeID string) (string, error)
+	GetSecret(ctx context.Context, volumeID string) (string, error)
 }
 
 // DEKStoreType describes what DEKStore needs to be configured when using a
@@ -364,11 +364,11 @@ const (
 // the KMS can not store passphrases for volumes.
 type DEKStore interface {
 	// StoreDEK saves the DEK in the configured store.
-	StoreDEK(volumeID string, dek string) error
+	StoreDEK(ctx context.Context, volumeID string, dek string) error
 	// FetchDEK reads the DEK from the configured store and returns it.
-	FetchDEK(volumeID string) (string, error)
+	FetchDEK(ctx context.Context, volumeID string) (string, error)
 	// RemoveDEK deletes the DEK from the configured store.
-	RemoveDEK(volumeID string) error
+	RemoveDEK(ctx context.Context, volumeID string) error
 }
 
 // integratedDEK is a DEKStore that can not be configured. Either the KMS does
@@ -380,15 +380,15 @@ func (i integratedDEK) RequiresDEKStore() DEKStoreType {
 	return DEKStoreIntegrated
 }
 
-func (i integratedDEK) EncryptDEK(volumeID, plainDEK string) (string, error) {
+func (i integratedDEK) EncryptDEK(ctx context.Context, volumeID, plainDEK string) (string, error) {
 	return plainDEK, nil
 }
 
-func (i integratedDEK) DecryptDEK(volumeID, encyptedDEK string) (string, error) {
+func (i integratedDEK) DecryptDEK(ctx context.Context, volumeID, encyptedDEK string) (string, error) {
 	return encyptedDEK, nil
 }
 
-func (i integratedDEK) GetSecret(volumeID string) (string, error) {
+func (i integratedDEK) GetSecret(ctx context.Context, volumeID string) (string, error) {
 	return "", ErrGetSecretIntegrated
 }
 

diff --git a/internal/kms/secretskms.go b/internal/kms/secretskms.go
@@ -78,19 +78,19 @@ func (kms secretsKMS) Destroy() {
 }
 
 // FetchDEK returns passphrase from Kubernetes secrets.
-func (kms secretsKMS) FetchDEK(key string) (string, error) {
+func (kms secretsKMS) FetchDEK(ctx context.Context, key string) (string, error) {
 	return kms.passphrase, nil
 }
 
 // StoreDEK does nothing, as there is no passphrase per key (volume), so
 // no need to store is anywhere.
-func (kms secretsKMS) StoreDEK(key, value string) error {
+func (kms secretsKMS) StoreDEK(ctx context.Context, key, value string) error {
 	return nil
 }
 
 // RemoveDEK is doing nothing as no new passphrases are saved with
 // secretsKMS.
-func (kms secretsKMS) RemoveDEK(key string) error {
+func (kms secretsKMS) RemoveDEK(ctx context.Context, key string) error {
 	return nil
 }
 
@@ -206,9 +206,9 @@ type encryptedMetedataDEK struct {
 // the secretsKMS and the volumeID.
 // The resulting encryptedDEK contains a JSON with the encrypted DEK and the
 // nonce that was used for encrypting.
-func (kms secretsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, error) {
+func (kms secretsMetadataKMS) EncryptDEK(ctx context.Context, volumeID, plainDEK string) (string, error) {
 	// use the passphrase from the secretKMS
-	passphrase, err := kms.secretsKMS.FetchDEK(volumeID)
+	passphrase, err := kms.secretsKMS.FetchDEK(ctx, volumeID)
 	if err != nil {
 		return "", fmt.Errorf("failed to get passphrase: %w", err)
 	}
@@ -236,9 +236,9 @@ func (kms secretsMetadataKMS) EncryptDEK(volumeID, plainDEK string) (string, err
 
 // DecryptDEK takes the JSON formatted `encryptedMetadataDEK` contents, and it
 // fetches secretKMS passphrase to decrypt the DEK.
-func (kms secretsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string, error) {
+func (kms secretsMetadataKMS) DecryptDEK(ctx context.Context, volumeID, encryptedDEK string) (string, error) {
 	// use the passphrase from the secretKMS
-	passphrase, err := kms.secretsKMS.FetchDEK(volumeID)
+	passphrase, err := kms.secretsKMS.FetchDEK(ctx, volumeID)
 	if err != nil {
 		return "", fmt.Errorf("failed to get passphrase: %w", err)
 	}
@@ -263,9 +263,9 @@ func (kms secretsMetadataKMS) DecryptDEK(volumeID, encryptedDEK string) (string,
 	return string(dek), nil
 }
 
-func (kms secretsMetadataKMS) GetSecret(volumeID string) (string, error) {
+func (kms secretsMetadataKMS) GetSecret(ctx context.Context, volumeID string) (string, error) {
 	// use the passphrase from the secretKMS
-	return kms.secretsKMS.FetchDEK(volumeID)
+	return kms.secretsKMS.FetchDEK(ctx, volumeID)
 }
 
 // generateCipher returns a AEAD cipher based on a passphrase and salt

diff --git a/internal/kms/secretskms_test.go b/internal/kms/secretskms_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package kms
 
 import (
+	"context"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -103,19 +104,21 @@ func TestWorkflowSecretsMetadataKMS(t *testing.T) {
 	// plainDEK is the (LUKS) passphrase for the volume
 	plainDEK := "usually created with generateNewEncryptionPassphrase()"
 
-	encryptedDEK, err := kms.EncryptDEK(volumeID, plainDEK)
+	ctx := context.TODO()
+
+	encryptedDEK, err := kms.EncryptDEK(ctx, volumeID, plainDEK)
 	assert.NoError(t, err)
 	assert.NotEqual(t, "", encryptedDEK)
 	assert.NotEqual(t, plainDEK, encryptedDEK)
 
 	// with an incorrect volumeID, decrypting should fail
-	decryptedDEK, err := kms.DecryptDEK("incorrect-volumeID", encryptedDEK)
+	decryptedDEK, err := kms.DecryptDEK(ctx, "incorrect-volumeID", encryptedDEK)
 	assert.Error(t, err)
 	assert.Equal(t, "", decryptedDEK)
 	assert.NotEqual(t, plainDEK, decryptedDEK)
 
 	// with the right volumeID, decrypting should return the plainDEK
-	decryptedDEK, err = kms.DecryptDEK(volumeID, encryptedDEK)
+	decryptedDEK, err = kms.DecryptDEK(ctx, volumeID, encryptedDEK)
 	assert.NoError(t, err)
 	assert.NotEqual(t, "", decryptedDEK)
 	assert.Equal(t, plainDEK, decryptedDEK)

diff --git a/internal/kms/vault.go b/internal/kms/vault.go
@@ -17,6 +17,7 @@ limitations under the License.
 package kms
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"os"
@@ -395,7 +396,7 @@ func initVaultKMS(args ProviderInitArgs) (EncryptionKMS, error) {
 
 // FetchDEK returns passphrase from Vault. The passphrase is stored in a
 // data.data.passphrase structure.
-func (kms *vaultKMS) FetchDEK(key string) (string, error) {
+func (kms *vaultKMS) FetchDEK(ctx context.Context, key string) (string, error) {
 	// Since the second return variable loss.Version is not used, there it is ignored.
 	s, _, err := kms.secrets.GetSecret(filepath.Join(kms.vaultPassphrasePath, key), kms.keyContext)
 	if err != nil {
@@ -415,7 +416,7 @@ func (kms *vaultKMS) FetchDEK(key string) (string, error) {
 }
 
 // StoreDEK saves new passphrase in Vault.
-func (kms *vaultKMS) StoreDEK(key, value string) error {
+func (kms *vaultKMS) StoreDEK(ctx context.Context, key, value string) error {
 	data := map[string]interface{}{
 		"data": map[string]string{
 			"passphrase": value,
@@ -433,7 +434,7 @@ func (kms *vaultKMS) StoreDEK(key, value string) error {
 }
 
 // RemoveDEK deletes passphrase from Vault.
-func (kms *vaultKMS) RemoveDEK(key string) error {
+func (kms *vaultKMS) RemoveDEK(ctx context.Context, key string) error {
 	pathKey := filepath.Join(kms.vaultPassphrasePath, key)
 	err := kms.secrets.DeleteSecret(pathKey, kms.getDeleteKeyContext())
 	if err != nil {