Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rbd: correct default encryption type (backport #5087) #5089

Merged
merged 1 commit into from
Jan 17, 2025
Merged

rbd: correct default encryption type (backport #5087) #5089

merged 1 commit into from
Jan 17, 2025

Conversation

mergify[bot]
Copy link
Contributor

@mergify mergify bot commented Jan 17, 2025

Describe what this PR does

Problem: When the encryptionType is not specified in the StorageClass,
the default type (block) is used and stored in OMAP. However, during
OMAP regeneration in a secondary cluster, the default type is incorrectly
set to none. This discrepancy leads to errors during PVC cloning,
with the message: cannot create encrypted volume from unencrypted volume.

Solution: Update the default encryption type to consistently use block
instead of none.

👇 Problem logs

In Secondary cluster -

  • encrypted StorageClass with no encryptionType parameter -
$ k get pv pvc-d5c846ab-7869-42e8-b066-7f80c7b00046 -ojsonpath='{.spec.csi.volumeAttributes}' | jq
{
  "clusterID": "rook-ceph",
  "encrypted": "true",
  "encryptionKMSID": "metadata",
  "imageFeatures": "layering,fast-diff,deep-flatten,exclusive-lock,object-map",
  "imageFormat": "2",
  "imageName": "csi-vol-5dc739ef-ed47-4d42-8527-0511d7824e90",
  "journalPool": "replicapool",
  "pool": "replicapool",
  "storage.kubernetes.io/csiProvisionerIdentity": "1737009185949-7744-rook-ceph.rbd.csi.ceph.com"
}
  • OMAP value for csi.volume.encryptionType is empty
$ rados listomapvals csi.volume.5dc739ef-ed47-4d42-8527-0511d7824e90 -p replicapool
csi.imageid
value (13 bytes) :
00000000  31 63 62 64 63 65 61 30  33 39 30 39 61           |1cbdcea03909a|
0000000d

csi.imagename
value (44 bytes) :
00000000  63 73 69 2d 76 6f 6c 2d  35 64 63 37 33 39 65 66  |csi-vol-5dc739ef|
00000010  2d 65 64 34 37 2d 34 64  34 32 2d 38 35 32 37 2d  |-ed47-4d42-8527-|
00000020  30 35 31 31 64 37 38 32  34 65 39 30              |0511d7824e90|
0000002c

csi.volname
value (40 bytes) :
00000000  70 76 63 2d 64 35 63 38  34 36 61 62 2d 37 38 36  |pvc-d5c846ab-786|
00000010  39 2d 34 32 65 38 2d 62  30 36 36 2d 37 66 38 30  |9-42e8-b066-7f80|
00000020  63 37 62 30 30 30 34 36                           |c7b00046|
00000028

csi.volume.encryptKMS
value (8 bytes) :
00000000  6d 65 74 61 64 61 74 61                           |metadata|
00000008

csi.volume.encryptionType
value (0 bytes) :

csi.volume.owner
value (9 bytes) :
00000000  72 6f 6f 6b 2d 63 65 70  68                       |rook-ceph|
00000009
  • PVC clone fails with -
failed to provision volume with StorageClass "rook-ceph-block-e": rpc error: code = InvalidArgument desc = cannot clone from volume replicapool/csi-vol-5dc739ef-ed47-4d42-8527-0511d7824e90: cannot create encrypted volume from unencrypted volume "replicapool/csi-vol-5dc739ef-ed47-4d42-8527-0511d7824e90"

Future concerns

List items that are not part of the PR and do not impact it's
functionality, but are work items that can be taken up subsequently.

Checklist:

  • Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide.
  • Reviewed the developer guide on Submitting a Pull Request
  • Pending release notes updated with breaking and/or notable changes for the next major release.
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.
Show available bot commands

These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:

  • /retest ci/centos/<job-name>: retest the <job-name> after unrelated
    failure (please report the failure too!)
This is an automatic backport of pull request #5087 done by [Mergify](https://mergify.com).

@iPraveenParihar @mergify
rbd: correct default encryption type
310717f 
Problem: When the encryptionType is not specified in the StorageClass,
the default type (block) is used and stored in OMAP. However, during
OMAP regeneration in a secondary cluster, the default type is incorrectly
set to none. This discrepancy leads to errors during PVC cloning,
with the message: `cannot create encrypted volume from unencrypted volume.`

Solution: Update the default encryption type to consistently use
block instead of none.

Signed-off-by: Praveen M <[email protected]>
(cherry picked from commit 0cfb2b0)
@mergify mergify bot added ok-to-test Label to trigger E2E tests component/rbd Issues related to RBD labels Jan 17, 2025
@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/upgrade-tests-cephfs

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/k8s-e2e-external-storage/1.29

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/upgrade-tests-rbd

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/mini-e2e-helm/k8s-1.29

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/mini-e2e/k8s-1.29

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/k8s-e2e-external-storage/1.30

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/k8s-e2e-external-storage/1.31

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/mini-e2e-helm/k8s-1.30

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/mini-e2e-helm/k8s-1.31

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/mini-e2e/k8s-1.30

@ceph-csi-bot
Copy link
Collaborator

/test ci/centos/mini-e2e/k8s-1.31

@ceph-csi-bot ceph-csi-bot removed the ok-to-test Label to trigger E2E tests label Jan 17, 2025
@nixpanic nixpanic requested a review from a team January 17, 2025 11:12
@mergify mergify bot merged commit 4429a99 into release-v3.13 Jan 17, 2025
41 checks passed
@mergify mergify bot deleted the mergify/bp/release-v3.13/pr-5087 branch January 17, 2025 13:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@black-dragon74 black-dragon74 black-dragon74 approved these changes

@nixpanic nixpanic nixpanic approved these changes

Assignees
No one assigned
Labels
component/rbd Issues related to RBD
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ceph-csi-bot @nixpanic @black-dragon74 @iPraveenParihar