From ec6703ed583143bb0d7c654e55c3a5fcb5955526 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Fri, 23 Jul 2021 17:23:43 +0200
Subject: [PATCH] rbd: rename encryption metadata keys to enable mirroring

RBD image metadata keys that start with '.rbd' are expected to be internal to RBD itself and are not mirrored to remote sites. Renaming the keys (dropping the '.' prefix) and using the new MigrateMetadata() function now makes the keys available on remote sites too.

Closes: #2219
Signed-off-by: Niels de Vos
---
 e2e/rbd_helper.go | 2 +-
 internal/rbd/encryption.go | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/e2e/rbd_helper.go b/e2e/rbd_helper.go
index 097ed127f..11b1a6c3c 100644
--- a/e2e/rbd_helper.go
+++ b/e2e/rbd_helper.go
@@ -494,7 +494,7 @@ func validateThickImageMetadata(f *framework.Framework, pvc *v1.PersistentVolume
 // - Metadata of the image should be set with the encryption state;
 // - The pvc should be mounted by a pod, so the filesystem type can be fetched.
 func validateEncryptedImage(f *framework.Framework, rbdImageSpec string, app *v1.Pod) error {
- encryptedState, err := getImageMeta(rbdImageSpec, ".rbd.csi.ceph.com/encrypted", f)
+ encryptedState, err := getImageMeta(rbdImageSpec, "rbd.csi.ceph.com/encrypted", f)
 if err != nil {
 return err
 }
diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
index 47ebbd342..d13656ded 100644
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@@ -53,16 +53,18 @@ const (
 rbdImageRequiresEncryption = rbdEncryptionState("requiresEncryption")
 // image metadata key for encryption.
- encryptionMetaKey = ".rbd.csi.ceph.com/encrypted"
+ encryptionMetaKey = "rbd.csi.ceph.com/encrypted"
+ oldEncryptionMetaKey = ".rbd.csi.ceph.com/encrypted"
 // metadataDEK is the key in the image metadata where the (encrypted)
 // DEK is stored.
- metadataDEK = ".rbd.csi.ceph.com/dek"
+ metadataDEK = "rbd.csi.ceph.com/dek"
+ oldMetadataDEK = ".rbd.csi.ceph.com/dek"
 )
 // checkRbdImageEncrypted verifies if rbd image was encrypted when created.
 func (ri *rbdImage) checkRbdImageEncrypted(ctx context.Context) (rbdEncryptionState, error) {
- value, err := ri.GetMetadata(encryptionMetaKey)
+ value, err := ri.MigrateMetadata(oldEncryptionMetaKey, encryptionMetaKey, string(rbdImageEncryptionUnknown))
 if errors.Is(err, librbd.ErrNotFound) {
 util.DebugLog(ctx, "image %s encrypted state not set", ri)
@@ -317,7 +319,7 @@ func (ri *rbdImage) FetchDEK(volumeID string) (string, error) {
 return "", fmt.Errorf("volume %q can not fetch DEK for %q", ri, volumeID)
 }
- return ri.GetMetadata(metadataDEK)
+ return ri.MigrateMetadata(oldMetadataDEK, metadataDEK, "")
 }
 // RemoveDEK does not need to remove the DEK from the metadata, the image is
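Review bot: The `errors.Is(err, librbd.ErrNotFound)` check kept right after the new call in checkRbdImageEncrypted may no longer fire, because the call now passes `string(rbdImageEncryptionUnknown)` as what looks like a fallback value. MigrateMetadata is not part of this patch, so this is inferred from its arguments: if it returns the fallback instead of the not-found error, the "encrypted state not set" debug path is dead, and a function that used to only read metadata may now write to the image. Either drop the branch or state the contract at the call, e.g. `// MigrateMetadata returns the default, not ErrNotFound, when neither key is set`. The two `old*` constants also deserve a comment such as `// oldEncryptionMetaKey is the pre-rename key, kept only so existing images can be migrated`. The function body continues past the end of the hunk.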
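Review bot: The `""` passed as the last argument in FetchDEK risks turning a missing DEK into a successful empty result. MigrateMetadata is not shown in this patch, but if it falls back to that argument when neither `oldMetadataDEK` nor `metadataDEK` is set, callers receive `"", nil` where `GetMetadata` could return a not-found error, and an empty key could reach whatever code unwraps or uses it. An encrypted image without a stored DEK should fail closed: `dek, err := ri.MigrateMetadata(oldMetadataDEK, metadataDEK, "")` followed by `if err == nil && dek == "" { return "", librbd.ErrNotFound }`. FetchDEK starts above the hunk.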