mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-09 16:00:22 +00:00
rbd: modify copyEncryptionConfig to accept copyOnlyPassphrase arg
During PVC snapshot/clone both the KMS config and the passphrase need to be copied,
while for PVC restore only the passphrase needs to be copied to the destination rbdvol,
since the destination storageclass may have a different KMS config.
Signed-off-by: Rakshith R <rar@redhat.com>
(cherry picked from commit 59b7a26175
)
parent
8938ee81aa
commit
9ae00de979
@ -161,7 +161,7 @@ func (rv *rbdVolume) createCloneFromImage(ctx context.Context, parentVol *rbdVol
|
||||
}
|
||||
|
||||
if parentVol.isEncrypted() {
|
||||
err = parentVol.copyEncryptionConfig(&rv.rbdImage)
|
||||
err = parentVol.copyEncryptionConfig(&rv.rbdImage, false)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to copy encryption config for %q: %w", rv, err)
|
||||
}
|
||||
|
@ -1081,7 +1081,7 @@ func cloneFromSnapshot(
|
||||
defer vol.Destroy()
|
||||
|
||||
if rbdVol.isEncrypted() {
|
||||
err = rbdVol.copyEncryptionConfig(&vol.rbdImage)
|
||||
err = rbdVol.copyEncryptionConfig(&vol.rbdImage, false)
|
||||
if err != nil {
|
||||
return nil, status.Error(codes.Internal, err.Error())
|
||||
}
|
||||
@ -1200,7 +1200,7 @@ func (cs *ControllerServer) doSnapshotClone(
|
||||
}()
|
||||
|
||||
if parentVol.isEncrypted() {
|
||||
cryptErr := parentVol.copyEncryptionConfig(&cloneRbd.rbdImage)
|
||||
cryptErr := parentVol.copyEncryptionConfig(&cloneRbd.rbdImage, false)
|
||||
if cryptErr != nil {
|
||||
util.WarningLog(ctx, "failed copy encryption "+
|
||||
"config for %q: %v", cloneRbd, cryptErr)
|
||||
|
@ -121,7 +121,11 @@ func (ri *rbdImage) setupEncryption(ctx context.Context) error {
|
||||
// rbdImage to the passed argument. This function re-encrypts the passphrase
|
||||
// from the original, so that both encrypted passphrases (potentially, depends
|
||||
// on the DEKStore) have different contents.
|
||||
func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage) error {
|
||||
// When copyOnlyPassphrase is set to true, only the passphrase is copied to the
|
||||
// destination rbdImage's VolumeEncryption object which needs to be initialized
|
||||
// beforehand and is possibly different from the source VolumeEncryption
|
||||
// (Usecase: Restoring snapshot into a storageclass with different encryption config).
|
||||
func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage, copyOnlyPassphrase bool) error {
|
||||
if ri.VolID == cp.VolID {
|
||||
return fmt.Errorf("BUG: %q and %q have the same VolID (%s) "+
|
||||
"set!? Call stack: %s", ri, cp, ri.VolID, util.CallStack())
|
||||
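Review bot: The new doc paragraph on copyEncryptionConfig describes only the `copyOnlyPassphrase == true` case and leaves the `false` behaviour implicit. From the next hunk, `false` replaces `cp.encryption` with a new VolumeEncryption built from the source's ID and KMS, which is worth stating as `// When copyOnlyPassphrase is false, cp.encryption is replaced by a new VolumeEncryption created from the source's ID and KMS.` The call sites now pass a bare `false` or `true`, and the wrong value either overwrites the destination's KMS config or skips setting it. A short comment at the one `true` call in cloneRbdImageFromSnapshot, such as `// restore: keep rv's own KMS config, copy only the passphrase`, would make that choice auditable. The function body continues outside this hunk.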
@ -134,9 +138,11 @@ func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage) error {
|
||||
ri, err)
|
||||
}
|
||||
|
||||
cp.encryption, err = util.NewVolumeEncryption(ri.encryption.GetID(), ri.encryption.KMS)
|
||||
if errors.Is(err, util.ErrDEKStoreNeeded) {
|
||||
cp.encryption.SetDEKStore(cp)
|
||||
if !copyOnlyPassphrase {
|
||||
cp.encryption, err = util.NewVolumeEncryption(ri.encryption.GetID(), ri.encryption.KMS)
|
||||
if errors.Is(err, util.ErrDEKStoreNeeded) {
|
||||
cp.encryption.SetDEKStore(cp)
|
||||
}
|
||||
}
|
||||
|
||||
// re-encrypt the plain passphrase for the cloned volume
|
||||
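Review bot: With `copyOnlyPassphrase` set, the `if !copyOnlyPassphrase` block leaves `cp.encryption` as the caller supplied it, and nothing visible here checks that it is non-nil before the "re-encrypt the plain passphrase" step. That step lies outside the hunk, but it presumably stores the passphrase through `cp.encryption`. The doc comment makes initialization a caller precondition, so restoring an encrypted snapshot into a destination with no encryption set up would likely panic rather than return an error. I would enforce it at the top of the function with `if copyOnlyPassphrase && cp.encryption == nil { return fmt.Errorf("BUG: %q has no VolumeEncryption to receive the passphrase", cp) }`. The same precondition applies to the `copyEncryptionConfig(&rv.rbdImage, true)` call in cloneRbdImageFromSnapshot, where only `pSnapOpts.isEncrypted()` is checked in the visible lines.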
@ -176,7 +182,7 @@ func (ri *rbdImage) repairEncryptionConfig(dest *rbdImage) error {
|
||||
dest.conn = ri.conn.Copy()
|
||||
}
|
||||
|
||||
return ri.copyEncryptionConfig(dest)
|
||||
return ri.copyEncryptionConfig(dest, false)
|
||||
}
|
||||
|
||||
return nil
|
||||
|
@ -333,7 +333,7 @@ func (rv *rbdVolume) Exists(ctx context.Context, parentVol *rbdVolume) (bool, er
|
||||
}
|
||||
|
||||
if parentVol != nil && parentVol.isEncrypted() {
|
||||
err = parentVol.copyEncryptionConfig(&rv.rbdImage)
|
||||
err = parentVol.copyEncryptionConfig(&rv.rbdImage, false)
|
||||
if err != nil {
|
||||
util.ErrorLog(ctx, err.Error())
|
||||
|
||||
|
@ -1368,7 +1368,7 @@ func (rv *rbdVolume) cloneRbdImageFromSnapshot(
|
||||
if pSnapOpts.isEncrypted() {
|
||||
pSnapOpts.conn = rv.conn.Copy()
|
||||
|
||||
err = pSnapOpts.copyEncryptionConfig(&rv.rbdImage)
|
||||
err = pSnapOpts.copyEncryptionConfig(&rv.rbdImage, true)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to clone encryption config: %w", err)
|
||||
}
|
||||
|