diff --git a/internal/rbd/clone.go b/internal/rbd/clone.go
index 68fc34b3f..3b91e47be 100644
--- a/internal/rbd/clone.go
+++ b/internal/rbd/clone.go
@@ -161,7 +161,7 @@ func (rv *rbdVolume) createCloneFromImage(ctx context.Context, parentVol *rbdVol
 }
 if parentVol.isEncrypted() {
- err = parentVol.copyEncryptionConfig(&rv.rbdImage)
+ err = parentVol.copyEncryptionConfig(&rv.rbdImage, false)
 if err != nil {
 return fmt.Errorf("failed to copy encryption config for %q: %w", rv, err)
 }
diff --git a/internal/rbd/controllerserver.go b/internal/rbd/controllerserver.go
index 0cc6c2e2e..8dd8e77d0 100644
--- a/internal/rbd/controllerserver.go
+++ b/internal/rbd/controllerserver.go
@@ -1105,7 +1105,7 @@ func cloneFromSnapshot(
 defer vol.Destroy()
 if rbdVol.isEncrypted() {
- err = rbdVol.copyEncryptionConfig(&vol.rbdImage)
+ err = rbdVol.copyEncryptionConfig(&vol.rbdImage, false)
 if err != nil {
 return nil, status.Error(codes.Internal, err.Error())
 }
@@ -1224,7 +1224,7 @@ func (cs *ControllerServer) doSnapshotClone(
 }()
 if parentVol.isEncrypted() {
- cryptErr := parentVol.copyEncryptionConfig(&cloneRbd.rbdImage)
+ cryptErr := parentVol.copyEncryptionConfig(&cloneRbd.rbdImage, false)
 if cryptErr != nil {
 log.WarningLog(ctx, "failed copy encryption "+
 "config for %q: %v", cloneRbd, cryptErr)
diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
index c28aa532c..217fe4cfd 100644
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@@ -123,7 +123,11 @@ func (ri *rbdImage) setupEncryption(ctx context.Context) error {
 // rbdImage to the passed argument. This function re-encrypts the passphrase
 // from the original, so that both encrypted passphrases (potentially, depends
 // on the DEKStore) have different contents.
-func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage) error {
+// When copyOnlyPassphrase is set to true, only the passphrase is copied to the
+// destination rbdImage's VolumeEncryption object which needs to be initialized
+// beforehand and is possibly different from the source VolumeEncryption
+// (Usecase: Restoring snapshot into a storageclass with different encryption config).
+func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage, copyOnlyPassphrase bool) error {
 if ri.VolID == cp.VolID {
 return fmt.Errorf("BUG: %q and %q have the same VolID (%s) "+
 "set!? Call stack: %s", ri, cp, ri.VolID, util.CallStack())
@@ -136,9 +140,11 @@ func (ri *rbdImage) copyEncryptionConfig(cp *rbdImage) error {
 ri, err)
 }
- cp.encryption, err = util.NewVolumeEncryption(ri.encryption.GetID(), ri.encryption.KMS)
- if errors.Is(err, util.ErrDEKStoreNeeded) {
- cp.encryption.SetDEKStore(cp)
+ if !copyOnlyPassphrase {
+ cp.encryption, err = util.NewVolumeEncryption(ri.encryption.GetID(), ri.encryption.KMS)
+ if errors.Is(err, util.ErrDEKStoreNeeded) {
+ cp.encryption.SetDEKStore(cp)
+ }
 }
 // re-encrypt the plain passphrase for the cloned volume
@@ -178,7 +184,7 @@ func (ri *rbdImage) repairEncryptionConfig(dest *rbdImage) error {
 dest.conn = ri.conn.Copy()
 }
- return ri.copyEncryptionConfig(dest)
+ return ri.copyEncryptionConfig(dest, false)
 }
 return nil
diff --git a/internal/rbd/rbd_journal.go b/internal/rbd/rbd_journal.go
index a61257d77..5e8cc1f7a 100644
--- a/internal/rbd/rbd_journal.go
+++ b/internal/rbd/rbd_journal.go
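Review bot: The doc comment added above `copyEncryptionConfig` in internal/rbd/encryption.go (first hunk) says the destination VolumeEncryption may differ from the source, but it does not say what that means for the key material. From the visible comments the function re-encrypts the parent's plain passphrase for the clone, so with `copyOnlyPassphrase` set the same passphrase appears to end up stored through two different encryption configurations. I would state that in the comment, for example `// The clone reuses the parent's passphrase; it is stored through cp.encryption and is not rotated.`, so operators know that access to either KMS entry unlocks data written under that passphrase. The function body continues outside this hunk, so confirm the wording against the store call.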
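Review bot: When `copyOnlyPassphrase` is true, the `if !copyOnlyPassphrase` branch in the second hunk of internal/rbd/encryption.go is skipped, and nothing visible checks that `cp.encryption` is non-nil before the passphrase is re-encrypted for the clone. The code after the hunk is not shown, but if it calls a method on `cp.encryption`, a destination that never had encryption set up would panic rather than return an error. A guard ahead of the branch makes the documented precondition enforceable: `if copyOnlyPassphrase && cp.encryption == nil { return fmt.Errorf("destination %q has no encryption configured", cp) }`. The only caller passing `true` is `cloneRbdImageFromSnapshot` in internal/rbd/rbd_util.go, whose visible check tests `pSnapOpts.isEncrypted()` but not the destination `rv`, so restoring an encrypted snapshot into an unencrypted storageclass looks like the case to cover.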
@@ -334,7 +334,7 @@ func (rv *rbdVolume) Exists(ctx context.Context, parentVol *rbdVolume) (bool, er
 }
 if parentVol != nil && parentVol.isEncrypted() {
- err = parentVol.copyEncryptionConfig(&rv.rbdImage)
+ err = parentVol.copyEncryptionConfig(&rv.rbdImage, false)
 if err != nil {
 log.ErrorLog(ctx, err.Error())
diff --git a/internal/rbd/rbd_util.go b/internal/rbd/rbd_util.go
index 07defa2e1..0cc663c54 100644
--- a/internal/rbd/rbd_util.go
+++ b/internal/rbd/rbd_util.go
@@ -1400,7 +1400,7 @@ func (rv *rbdVolume) cloneRbdImageFromSnapshot(
 if pSnapOpts.isEncrypted() {
 pSnapOpts.conn = rv.conn.Copy()
- err = pSnapOpts.copyEncryptionConfig(&rv.rbdImage)
+ err = pSnapOpts.copyEncryptionConfig(&rv.rbdImage, true)
 if err != nil {
 return fmt.Errorf("failed to clone encryption config: %w", err)
 }