rbd: modify copyEncryptionConfig to accept copyOnlyPassphrase arg

During PVC snapshot/clone both the kms config and the passphrase need to be copied,
while for PVC restore only the passphrase needs to be copied to the dest rbdvol,
since the destination storageclass may have another kms config.

Signed-off-by: Rakshith R <rar@redhat.com>
(cherry picked from commit 59b7a26175)
Rakshith R 2021-09-28 10:36:20 +05:30 committed by mergify[bot]
parent 8938ee81aa
commit 9ae00de979
5 changed files with 16 additions and 10 deletions


@ -161,7 +161,7 @@ func (rv *rbdVolume) createCloneFromImage(ctx context.Context, parentVol *rbdVol
} }
if parentVol.isEncrypted() { if parentVol.isEncrypted() {
err = parentVol.copyEncryptionConfig(&rv.rbdImage) err = parentVol.copyEncryptionConfig(&rv.rbdImage, false)
if err != nil { if err != nil {
return fmt.Errorf("failed to copy encryption config for %q: %w", rv, err) return fmt.Errorf("failed to copy encryption config for %q: %w", rv, err)
} }


@ -1081,7 +1081,7 @@ func cloneFromSnapshot(
defer vol.Destroy() defer vol.Destroy()
if rbdVol.isEncrypted() { if rbdVol.isEncrypted() {
err = rbdVol.copyEncryptionConfig(&vol.rbdImage) err = rbdVol.copyEncryptionConfig(&vol.rbdImage, false)
if err != nil { if err != nil {
return nil, status.Error(codes.Internal, err.Error()) return nil, status.Error(codes.Internal, err.Error())
} }
@ -1200,7 +1200,7 @@ func (cs *ControllerServer) doSnapshotClone(
}() }()
if parentVol.isEncrypted() { if parentVol.isEncrypted() {
cryptErr := parentVol.copyEncryptionConfig(&cloneRbd.rbdImage) cryptErr := parentVol.copyEncryptionConfig(&cloneRbd.rbdImage, false)
if cryptErr != nil { if cryptErr != nil {
util.WarningLog(ctx, "failed copy encryption "+ util.WarningLog(ctx, "failed copy encryption "+
"config for %q: %v", cloneRbd, cryptErr) "config for %q: %v", cloneRbd, cryptErr)


@ -121,7 +121,11 @@ func (ri *rbdImage) setupEncryption(ctx context.Context) error {
// rbdImage to the passed argument. This function re-encrypts the passphrase // rbdImage to the passed argument. This function re-encrypts the passphrase
// from the original, so that both encrypted passphrases (potentially, depends // from the original, so that both encrypted passphrases (potentially, depends
// on the DEKStore) have different contents. // on the DEKStore) have different contents.
func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage) error { // When copyOnlyPassphrase is set to true, only the passphrase is copied to the
// destination rbdImage's VolumeEncryption object which needs to be initialized
// beforehand and is possibly different from the source VolumeEncryption
// (Usecase: Restoring snapshot into a storageclass with different encryption config).
func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage, copyOnlyPassphrase bool) error {
if ri.VolID == cp.VolID { if ri.VolID == cp.VolID {
return fmt.Errorf("BUG: %q and %q have the same VolID (%s) "+ return fmt.Errorf("BUG: %q and %q have the same VolID (%s) "+
"set!? Call stack: %s", ri, cp, ri.VolID, util.CallStack()) "set!? Call stack: %s", ri, cp, ri.VolID, util.CallStack())
@ -134,10 +138,12 @@ func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage) error {
ri, err) ri, err)
} }
if !copyOnlyPassphrase {
cp.encryption, err = util.NewVolumeEncryption(ri.encryption.GetID(), ri.encryption.KMS) cp.encryption, err = util.NewVolumeEncryption(ri.encryption.GetID(), ri.encryption.KMS)
if errors.Is(err, util.ErrDEKStoreNeeded) { if errors.Is(err, util.ErrDEKStoreNeeded) {
cp.encryption.SetDEKStore(cp) cp.encryption.SetDEKStore(cp)
} }
}
// re-encrypt the plain passphrase for the cloned volume // re-encrypt the plain passphrase for the cloned volume
err = cp.encryption.StoreCryptoPassphrase(cp.VolID, passphrase) err = cp.encryption.StoreCryptoPassphrase(cp.VolID, passphrase)
@ -176,7 +182,7 @@ func (ri *rbdImage) repairEncryptionConfig(dest *rbdImage) error {
dest.conn = ri.conn.Copy() dest.conn = ri.conn.Copy()
} }
return ri.copyEncryptionConfig(dest) return ri.copyEncryptionConfig(dest, false)
} }
return nil return nil
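Review bot: With `copyOnlyPassphrase` true, `cp.encryption.StoreCryptoPassphrase(cp.VolID, passphrase)` is called on a `cp.encryption` that nothing in the visible lines checks, although the new doc comment requires it to be initialized beforehand. If it is nil (presumably a pointer, given the `util.NewVolumeEncryption` assignment) a restore would panic rather than fail cleanly; a guard such as `if cp.encryption == nil { return fmt.Errorf("no encryption configured on destination %q", cp) }` before the store would make the precondition explicit. The `true` call in `cloneRbdImageFromSnapshot` relies on this, since it tests only `pSnapOpts.isEncrypted()` on the source. Inside the `if !copyOnlyPassphrase` block, an error from `util.NewVolumeEncryption` other than `util.ErrDEKStoreNeeded` is overwritten by the following `err = cp.encryption.StoreCryptoPassphrase(...)`, so it should be returned there instead of being masked. The function's body extends beyond both hunks, so an earlier check may already exist.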


@ -333,7 +333,7 @@ func (rv *rbdVolume) Exists(ctx context.Context, parentVol *rbdVolume) (bool, er
} }
if parentVol != nil && parentVol.isEncrypted() { if parentVol != nil && parentVol.isEncrypted() {
err = parentVol.copyEncryptionConfig(&rv.rbdImage) err = parentVol.copyEncryptionConfig(&rv.rbdImage, false)
if err != nil { if err != nil {
util.ErrorLog(ctx, err.Error()) util.ErrorLog(ctx, err.Error())


@ -1368,7 +1368,7 @@ func (rv *rbdVolume) cloneRbdImageFromSnapshot(
if pSnapOpts.isEncrypted() { if pSnapOpts.isEncrypted() {
pSnapOpts.conn = rv.conn.Copy() pSnapOpts.conn = rv.conn.Copy()
err = pSnapOpts.copyEncryptionConfig(&rv.rbdImage) err = pSnapOpts.copyEncryptionConfig(&rv.rbdImage, true)
if err != nil { if err != nil {
return fmt.Errorf("failed to clone encryption config: %w", err) return fmt.Errorf("failed to clone encryption config: %w", err)
} }
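Review bot: The bare `true` at this call gives no hint which behaviour is selected or why restore differs from the clone paths that pass `false`. A comment above the call would carry the reasoning from the commit message into the code, e.g. `// restore: keep rv's own KMS config (from the destination storageclass) and copy only the passphrase`. The enclosing function starts and ends outside the hunk.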