rbd: modify copyEncryptionConfig to accept copyOnlyPassphrase arg
During PVC snapshot/clone both the kms config and the passphrase need to be copied, while for PVC restore only the passphrase needs to be copied to the dest rbdvol, since the destination storageclass may have another kms config. Signed-off-by: Rakshith R <rar@redhat.com>
parent
3c9d7e3cd5
commit
59b7a26175
@ -161,7 +161,7 @@ func (rv *rbdVolume) createCloneFromImage(ctx context.Context, parentVol *rbdVol
|
|||||||
}
|
}
|
||||||
|
|
||||||
if parentVol.isEncrypted() {
|
if parentVol.isEncrypted() {
|
||||||
err = parentVol.copyEncryptionConfig(&rv.rbdImage)
|
err = parentVol.copyEncryptionConfig(&rv.rbdImage, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to copy encryption config for %q: %w", rv, err)
|
return fmt.Errorf("failed to copy encryption config for %q: %w", rv, err)
|
||||||
}
|
}
|
||||||
|
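Review bot: The bare `false` at this call site does not tell a reader whether the KMS config or only the passphrase is being copied. An inline argument comment keeps that choice visible where it is made: `err = parentVol.copyEncryptionConfig(&rv.rbdImage, false /* copyOnlyPassphrase */)`. The same applies to the calls in cloneFromSnapshot, doSnapshotClone, repairEncryptionConfig and Exists, and to the one call passing `true` in cloneRbdImageFromSnapshot. createCloneFromImage begins and ends outside this hunk.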
@ -1105,7 +1105,7 @@ func cloneFromSnapshot(
|
|||||||
defer vol.Destroy()
|
defer vol.Destroy()
|
||||||
|
|
||||||
if rbdVol.isEncrypted() {
|
if rbdVol.isEncrypted() {
|
||||||
err = rbdVol.copyEncryptionConfig(&vol.rbdImage)
|
err = rbdVol.copyEncryptionConfig(&vol.rbdImage, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, status.Error(codes.Internal, err.Error())
|
return nil, status.Error(codes.Internal, err.Error())
|
||||||
}
|
}
|
||||||
@ -1224,7 +1224,7 @@ func (cs *ControllerServer) doSnapshotClone(
|
|||||||
}()
|
}()
|
||||||
|
|
||||||
if parentVol.isEncrypted() {
|
if parentVol.isEncrypted() {
|
||||||
cryptErr := parentVol.copyEncryptionConfig(&cloneRbd.rbdImage)
|
cryptErr := parentVol.copyEncryptionConfig(&cloneRbd.rbdImage, false)
|
||||||
if cryptErr != nil {
|
if cryptErr != nil {
|
||||||
log.WarningLog(ctx, "failed copy encryption "+
|
log.WarningLog(ctx, "failed copy encryption "+
|
||||||
"config for %q: %v", cloneRbd, cryptErr)
|
"config for %q: %v", cloneRbd, cryptErr)
|
||||||
|
@ -123,7 +123,11 @@ func (ri *rbdImage) setupEncryption(ctx context.Context) error {
|
|||||||
// rbdImage to the passed argument. This function re-encrypts the passphrase
|
// rbdImage to the passed argument. This function re-encrypts the passphrase
|
||||||
// from the original, so that both encrypted passphrases (potentially, depends
|
// from the original, so that both encrypted passphrases (potentially, depends
|
||||||
// on the DEKStore) have different contents.
|
// on the DEKStore) have different contents.
|
||||||
func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage) error {
|
// When copyOnlyPassphrase is set to true, only the passphrase is copied to the
|
||||||
|
// destination rbdImage's VolumeEncryption object which needs to be initialized
|
||||||
|
// beforehand and is possibly different from the source VolumeEncryption
|
||||||
|
// (Usecase: Restoring snapshot into a storageclass with different encryption config).
|
||||||
|
func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage, copyOnlyPassphrase bool) error {
|
||||||
if ri.VolID == cp.VolID {
|
if ri.VolID == cp.VolID {
|
||||||
return fmt.Errorf("BUG: %q and %q have the same VolID (%s) "+
|
return fmt.Errorf("BUG: %q and %q have the same VolID (%s) "+
|
||||||
"set!? Call stack: %s", ri, cp, ri.VolID, util.CallStack())
|
"set!? Call stack: %s", ri, cp, ri.VolID, util.CallStack())
|
||||||
@ -136,10 +140,12 @@ func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage) error {
|
|||||||
ri, err)
|
ri, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !copyOnlyPassphrase {
|
||||||
cp.encryption, err = util.NewVolumeEncryption(ri.encryption.GetID(), ri.encryption.KMS)
|
cp.encryption, err = util.NewVolumeEncryption(ri.encryption.GetID(), ri.encryption.KMS)
|
||||||
if errors.Is(err, util.ErrDEKStoreNeeded) {
|
if errors.Is(err, util.ErrDEKStoreNeeded) {
|
||||||
cp.encryption.SetDEKStore(cp)
|
cp.encryption.SetDEKStore(cp)
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// re-encrypt the plain passphrase for the cloned volume
|
// re-encrypt the plain passphrase for the cloned volume
|
||||||
err = cp.encryption.StoreCryptoPassphrase(cp.VolID, passphrase)
|
err = cp.encryption.StoreCryptoPassphrase(cp.VolID, passphrase)
|
||||||
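Review bot: With `copyOnlyPassphrase` set, nothing in this hunk checks that `cp.encryption` is non-nil before `cp.encryption.StoreCryptoPassphrase(cp.VolID, passphrase)`, so a destination whose encryption was not set up beforehand would panic rather than return an error. A guard placed before the `if !copyOnlyPassphrase` block would enforce the documented precondition: `if copyOnlyPassphrase && cp.encryption == nil { return fmt.Errorf("BUG: encryption of %q is not initialized", cp) }`. The only caller passing `true`, in cloneRbdImageFromSnapshot, checks just `pSnapOpts.isEncrypted()` in its visible lines, so whether the destination is always encrypted there cannot be confirmed from this page. Separately, inside the new block any error from `util.NewVolumeEncryption` other than `util.ErrDEKStoreNeeded` is overwritten by the next assignment to `err`; returning it would avoid storing the passphrase through an object that failed to initialize. copyEncryptionConfig starts and ends outside this hunk.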
@ -178,7 +184,7 @@ func (ri *rbdImage) repairEncryptionConfig(dest *rbdImage) error {
|
|||||||
dest.conn = ri.conn.Copy()
|
dest.conn = ri.conn.Copy()
|
||||||
}
|
}
|
||||||
|
|
||||||
return ri.copyEncryptionConfig(dest)
|
return ri.copyEncryptionConfig(dest, false)
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
@ -334,7 +334,7 @@ func (rv *rbdVolume) Exists(ctx context.Context, parentVol *rbdVolume) (bool, er
|
|||||||
}
|
}
|
||||||
|
|
||||||
if parentVol != nil && parentVol.isEncrypted() {
|
if parentVol != nil && parentVol.isEncrypted() {
|
||||||
err = parentVol.copyEncryptionConfig(&rv.rbdImage)
|
err = parentVol.copyEncryptionConfig(&rv.rbdImage, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.ErrorLog(ctx, err.Error())
|
log.ErrorLog(ctx, err.Error())
|
||||||
|
|
||||||
|
@ -1400,7 +1400,7 @@ func (rv *rbdVolume) cloneRbdImageFromSnapshot(
|
|||||||
if pSnapOpts.isEncrypted() {
|
if pSnapOpts.isEncrypted() {
|
||||||
pSnapOpts.conn = rv.conn.Copy()
|
pSnapOpts.conn = rv.conn.Copy()
|
||||||
|
|
||||||
err = pSnapOpts.copyEncryptionConfig(&rv.rbdImage)
|
err = pSnapOpts.copyEncryptionConfig(&rv.rbdImage, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to clone encryption config: %w", err)
|
return fmt.Errorf("failed to clone encryption config: %w", err)
|
||||||
}
|
}
|
||||||
|