rbd: repair encryption config in case it is missing

It is possible that when a provisioner restarts after a snapshot was cloned, but before the newly restored image had its encryption metadata set, the new image is not marked as encrypted. This will prevent attaching/mounting the image, as the encryption key will not be fetched, or is not available in the DEKStore. By actively repairing the encryption configuration when needed, this problem should be addressed. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2024-11-17 20:00:23 +00:00 · 2021-04-09 10:36:42 +02:00 · 2021-04-09 10:36:42 +02:00 · b1d05a1840
commit b1d05a1840
parent 1482105309
2 changed files with 26 additions and 0 deletions
--- a/internal/rbd/controllerserver.go
+++ b/internal/rbd/controllerserver.go
@ -266,6 +266,11 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol
 			if err != nil {
 				return nil, err
 			}
+
+			err = rbdSnap.repairEncryptionConfig(&rbdVol.rbdImage)
+			if err != nil {
+				return nil, err
+			}
 		}

 		return buildCreateVolumeResponse(req, rbdVol), nil
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@ -150,6 +150,27 @@ func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage) error {
 	return nil
 }

+// repairEncryptionConfig checks the encryption state of the current rbdImage,
+// and makes sure that the destination rbdImage has the same configuration.
+func (ri *rbdImage) repairEncryptionConfig(dest *rbdImage) error {
+	if !ri.isEncrypted() {
+		return nil
+	}
+
+	// if ri is encrypted, copy its configuration in case it is missing
+	if !dest.isEncrypted() {
+		// dest needs to be connected to the cluster, otherwise it will
+		// not be possible to write any metadata
+		if dest.conn == nil {
+			dest.conn = ri.conn.Copy()
+		}
+
+		return ri.copyEncryptionConfig(dest)
+	}
+
+	return nil
+}
+
 func (ri *rbdImage) encryptDevice(ctx context.Context, devicePath string) error {
 	passphrase, err := ri.encryption.GetCryptoPassphrase(ri.VolID)
 	if err != nil {