diff --git a/internal/rbd/clone.go b/internal/rbd/clone.go
index 7788d4add..712a57c2f 100644
--- a/internal/rbd/clone.go
+++ b/internal/rbd/clone.go
@@ -144,11 +144,9 @@ func (rv *rbdVolume) createCloneFromImage(ctx context.Context, parentVol *rbdVol
 return err
 }
- if parentVol.isEncrypted() {
- err = parentVol.copyEncryptionConfig(&rv.rbdImage, false)
- if err != nil {
- return fmt.Errorf("failed to copy encryption config for %q: %w", rv, err)
- }
+ err = parentVol.copyEncryptionConfig(&rv.rbdImage, true)
+ if err != nil {
+ return fmt.Errorf("failed to copy encryption config for %q: %w", rv, err)
 }
 err = j.StoreImageID(ctx, rv.JournalPool, rv.ReservedID, rv.ImageID)
@@ -216,5 +214,10 @@ func (rv *rbdVolume) doSnapClone(ctx context.Context, parentVol *rbdVolume) erro
 return errClone
 }
+ err = parentVol.copyEncryptionConfig(&rv.rbdImage, true)
+ if err != nil {
+ return fmt.Errorf("failed to copy encryption config for %q: %w", rv, err)
+ }
+
 return nil
 }
diff --git a/internal/rbd/controllerserver.go b/internal/rbd/controllerserver.go
index 315e18710..bbfde3f64 100644
--- a/internal/rbd/controllerserver.go
+++ b/internal/rbd/controllerserver.go
@@ -19,6 +19,7 @@ package rbd
 import (
 "context"
 "errors"
+ "fmt"
 csicommon "github.com/ceph/ceph-csi/internal/csi-common"
 "github.com/ceph/ceph-csi/internal/util"
@@ -591,6 +592,11 @@ func (cs *ControllerServer) createVolumeFromSnapshot(
 log.DebugLog(ctx, "create volume %s from snapshot %s", rbdVol, rbdSnap)
+ err = parentVol.copyEncryptionConfig(&rbdVol.rbdImage, true)
+ if err != nil {
+ return fmt.Errorf("failed to copy encryption config for %q: %w", rbdVol, err)
+ }
+
 // resize the volume if the size is different
 // expand the image if the requested size is greater than the current size
 err = rbdVol.expand()
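Review bot: Passing `true` instead of `false` in createCloneFromImage makes this call depend on `rv.rbdImage` already holding an initialised VolumeEncryption, which the doc comment on copyEncryptionConfig states as a precondition but which no visible line enforces. The same `true` is passed in doSnapClone, createVolumeFromSnapshot, repairEncryptionConfig and Exists. If an encrypted parent is cloned into a request that has no encryption configured, the result depends on code outside these hunks, so it looks safer to fail closed inside copyEncryptionConfig, for example `if copyOnlyPassphrase && !cp.isEncrypted() { return fmt.Errorf("destination %q has no encryption configured", cp) }`. Whether isEncrypted() is the right test for an initialised destination should be confirmed against its definition, which is not shown.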
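Review bot: The copy added at the end of doSnapClone repeats the call that createCloneFromImage keeps in the first hunk, with the same receiver and destination. If createCloneFromImage reaches doSnapClone (not visible here), the passphrase is read and re-stored in the DEKStore twice for a single clone, which adds a second failure point for no gain; keeping the call in one of the two places would avoid that. The new block also runs after the earlier clone steps have succeeded, so a failure here returns an error with the image already created, and the cleanup for that path is outside the hunk and worth confirming.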
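Review bot: The source of the copy in createVolumeFromSnapshot is now `parentVol`, whereas the block removed from cloneRbdImageFromSnapshot called `pSnapOpts.copyEncryptionConfig` after setting `pSnapOpts.conn = rv.conn.Copy()`. Combined with the new early return in copyEncryptionConfig, a `parentVol` that does not report isEncrypted() makes this call succeed silently, and the restored volume would then have no passphrase stored for data that is encrypted on disk. How parentVol is built is outside the hunk, so a short comment above the call stating where parentVol gets the snapshot's encryption state and its connection would document the assumption, and a test restoring an encrypted snapshot would pin it.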
@@ -1104,11 +1110,9 @@ func cloneFromSnapshot(
 }
 defer vol.Destroy()
- if rbdVol.isEncrypted() {
- err = rbdVol.copyEncryptionConfig(&vol.rbdImage, false)
- if err != nil {
- return nil, status.Error(codes.Internal, err.Error())
- }
+ err = rbdVol.copyEncryptionConfig(&vol.rbdImage, false)
+ if err != nil {
+ return nil, status.Error(codes.Internal, err.Error())
 }
 err = vol.flattenRbdImage(ctx, false, rbdHardMaxCloneDepth, rbdSoftMaxCloneDepth)
@@ -1207,14 +1211,12 @@ func (cs *ControllerServer) doSnapshotClone(
 }
 }()
- if parentVol.isEncrypted() {
- cryptErr := parentVol.copyEncryptionConfig(&cloneRbd.rbdImage, false)
- if cryptErr != nil {
- log.WarningLog(ctx, "failed copy encryption "+
- "config for %q: %v", cloneRbd, cryptErr)
+ err = parentVol.copyEncryptionConfig(&cloneRbd.rbdImage, false)
+ if err != nil {
+ log.ErrorLog(ctx, "failed to copy encryption "+
+ "config for %q: %v", cloneRbd, err)
- return nil, err
- }
+ return nil, err
 }
 err = cloneRbd.createSnapshot(ctx, rbdSnap)
diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
index 2255f1020..9d22bf060 100644
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
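Review bot: doSnapshotClone now logs the failure and then returns the bare `err`, while the other call sites touched by this commit wrap it with context. Returning `fmt.Errorf("failed to copy encryption config for %q: %w", cloneRbd, err)` and dropping the log.ErrorLog call would report the failure once and match clone.go and createVolumeFromSnapshot; `fmt` is imported into this file by the same commit. The function continues outside the hunk, so whether its callers convert the error into a gRPC status is not visible here.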
@@ -120,14 +120,20 @@ func (ri *rbdImage) setupEncryption(ctx context.Context) error {
 }
 // copyEncryptionConfig copies the VolumeEncryption object from the source
-// rbdImage to the passed argument. This function re-encrypts the passphrase
-// from the original, so that both encrypted passphrases (potentially, depends
-// on the DEKStore) have different contents.
+// rbdImage to the passed argument if the source rbdImage is encrypted.
+// This function re-encrypts the passphrase from the original, so that
+// both encrypted passphrases (potentially, depends on the DEKStore) have
+// different contents.
 // When copyOnlyPassphrase is set to true, only the passphrase is copied to the
 // destination rbdImage's VolumeEncryption object which needs to be initialized
 // beforehand and is possibly different from the source VolumeEncryption
 // (Usecase: Restoring snapshot into a storageclass with different encryption config).
 func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage, copyOnlyPassphrase bool) error {
+ // nothing to do if parent image is not encrypted.
+ if !ri.isEncrypted() {
+ return nil
+ }
+
 if ri.VolID == cp.VolID {
 return fmt.Errorf("BUG: %q and %q have the same VolID (%s) "+
 "set!? Call stack: %s", ri, cp, ri.VolID, util.CallStack())
@@ -184,7 +190,7 @@ func (ri *rbdImage) repairEncryptionConfig(dest *rbdImage) error {
 dest.conn = ri.conn.Copy()
 }
- return ri.copyEncryptionConfig(dest, false)
+ return ri.copyEncryptionConfig(dest, true)
 }
 return nil
diff --git a/internal/rbd/rbd_journal.go b/internal/rbd/rbd_journal.go
index dba2ddab7..dc3c0b920 100644
--- a/internal/rbd/rbd_journal.go
+++ b/internal/rbd/rbd_journal.go
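Review bot: The new guard in copyEncryptionConfig returns nil whenever the source is not encrypted, including when `cp` has encryption configured. Callers that dropped their own isEncrypted() check can no longer tell "nothing to copy" from "the destination expects a passphrase and received none", so the doc comment should state the contract, e.g. `// If the source is not encrypted this is a no-op and cp is left untouched, even when cp has encryption configured.` The guard also sits before the same-VolID BUG check, so that check no longer fires for unencrypted images. The function body continues outside the hunk, so how the destination passphrase is provisioned in that case is not visible.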
@@ -324,8 +324,8 @@ func (rv *rbdVolume) Exists(ctx context.Context, parentVol *rbdVolume) (bool, er
 return false, err
 }
- if parentVol != nil && parentVol.isEncrypted() {
- err = parentVol.copyEncryptionConfig(&rv.rbdImage, false)
+ if parentVol != nil {
+ err = parentVol.copyEncryptionConfig(&rv.rbdImage, true)
 if err != nil {
 log.ErrorLog(ctx, err.Error())
diff --git a/internal/rbd/rbd_util.go b/internal/rbd/rbd_util.go
index a7c5804e3..e6e4e08c1 100644
--- a/internal/rbd/rbd_util.go
+++ b/internal/rbd/rbd_util.go
@@ -1366,15 +1366,6 @@ func (rv *rbdVolume) cloneRbdImageFromSnapshot(
 }
 }()
- if pSnapOpts.isEncrypted() {
- pSnapOpts.conn = rv.conn.Copy()
-
- err = pSnapOpts.copyEncryptionConfig(&rv.rbdImage, true)
- if err != nil {
- return fmt.Errorf("failed to clone encryption config: %w", err)
- }
- }
-
 // get image latest information
 err = rv.getImageInfo()
 if err != nil {