feat(backingimage): backing image clone and encryption support

ref: longhorn/longhorn 7051

Signed-off-by: Jack Lin <[email protected]>

Author: ChanYiLin

api/backingimage.go

@@ -52,7 +52,7 @@ func (s *Server) BackingImageCreate(rw http.ResponseWriter, req *http.Request) e
 		return err
 	}
 
-	bi, err := s.m.CreateBackingImage(input.Name, input.ExpectedChecksum, input.SourceType, input.Parameters)
+	bi, err := s.m.CreateBackingImage(input.Name, input.ExpectedChecksum, input.SourceType, input.Parameters, input.Secret, input.SecretNamespace)
 	if err != nil {
 		return errors.Wrapf(err, "failed to create backing image %v from source type %v with parameters %+v", input.Name, input.SourceType, input.Parameters)
 	}

api/backupbackingimage.go

@@ -40,8 +40,14 @@ func (s *Server) BackupBackingImageDelete(w http.ResponseWriter, req *http.Reque
 }
 
 func (s *Server) BackupBackingImageRestore(w http.ResponseWriter, req *http.Request) error {
+	var input BackingImageRestoreInput
+	apiContext := api.GetApiContext(req)
+	if err := apiContext.Read(&input); err != nil {
+		return err
+	}
+
 	backupBackingImageName := mux.Vars(req)["name"]
-	if err := s.m.RestoreBackupBackingImage(backupBackingImageName); err != nil {
+	if err := s.m.RestoreBackupBackingImage(backupBackingImageName, input.Secret, input.SecretNamespace); err != nil {
 		return errors.Wrapf(err, "failed to restore backup backing image '%s'", backupBackingImageName)
 	}
 	return nil

api/model.go

@@ -268,13 +268,21 @@ type BackingImage struct {
 	Size              int64                                          `json:"size"`
 	CurrentChecksum   string                                         `json:"currentChecksum"`
 
+	Secret          string `json:"secret"`
+	SecretNamespace string `json:"secretNamespace"`
+
 	DeletionTimestamp string `json:"deletionTimestamp"`
 }
 
 type BackingImageCleanupInput struct {
 	Disks []string `json:"disks"`
 }
 
+type BackingImageRestoreInput struct {
+	Secret          string `json:"secret"`
+	SecretNamespace string `json:"secretNamespace"`
+}
+
 type AttachInput struct {
 	HostID          string `json:"hostId"`
 	DisableFrontend bool   `json:"disableFrontend"`
@@ -668,6 +676,7 @@ func NewSchema() *client.Schemas {
 
 	schemas.AddType("backingImageDiskFileStatus", longhorn.BackingImageDiskFileStatus{})
 	schemas.AddType("backingImageCleanupInput", BackingImageCleanupInput{})
+	schemas.AddType("backingImageRestoreInput", BackingImageRestoreInput{})
 
 	attachmentSchema(schemas.AddType("attachment", Attachment{}))
 	volumeAttachmentSchema(schemas.AddType("volumeAttachment", VolumeAttachment{}))
@@ -798,7 +807,9 @@ func backupBackingImageSchema(backupBackingImage *client.Schema) {
 	backupBackingImage.ResourceMethods = []string{"GET", "DELETE"}
 
 	backupBackingImage.ResourceActions = map[string]client.Action{
-		"backupBackingImageRestore": {},
+		"backupBackingImageRestore": {
+			Input: "backingImageRestoreInput",
+		},
 	}
 }
 
@@ -2004,6 +2015,9 @@ func toBackingImageResource(bi *longhorn.BackingImage, apiContext *api.ApiContex
 		Size:              bi.Status.Size,
 		CurrentChecksum:   bi.Status.Checksum,
 
+		Secret:          bi.Spec.Secret,
+		SecretNamespace: bi.Spec.SecretNamespace,
+
 		DeletionTimestamp: deletionTimestamp,
 	}
 	res.Actions = map[string]string{

client/generated_backing_image.go

@@ -19,6 +19,10 @@ type BackingImage struct {
 
 	Parameters map[string]string `json:"parameters,omitempty" yaml:"parameters,omitempty"`
 
+	Secret string `json:"secret,omitempty" yaml:"secret,omitempty"`
+
+	SecretNamespace string `json:"secretNamespace,omitempty" yaml:"secretNamespace,omitempty"`
+
 	Size int64 `json:"size,omitempty" yaml:"size,omitempty"`
 
 	SourceType string `json:"sourceType,omitempty" yaml:"source_type,omitempty"`

client/generated_backing_image_restore_input.go

@@ -0,0 +1,81 @@
+package client
+
+const (
+	BACKING_IMAGE_RESTORE_INPUT_TYPE = "backingImageRestoreInput"
+)
+
+type BackingImageRestoreInput struct {
+	Resource `yaml:"-"`
+
+	Secret string `json:"secret,omitempty" yaml:"secret,omitempty"`
+
+	SecretNamespace string `json:"secretNamespace,omitempty" yaml:"secret_namespace,omitempty"`
+}
+
+type BackingImageRestoreInputCollection struct {
+	Collection
+	Data   []BackingImageRestoreInput `json:"data,omitempty"`
+	client *BackingImageRestoreInputClient
+}
+
+type BackingImageRestoreInputClient struct {
+	rancherClient *RancherClient
+}
+
+type BackingImageRestoreInputOperations interface {
+	List(opts *ListOpts) (*BackingImageRestoreInputCollection, error)
+	Create(opts *BackingImageRestoreInput) (*BackingImageRestoreInput, error)
+	Update(existing *BackingImageRestoreInput, updates interface{}) (*BackingImageRestoreInput, error)
+	ById(id string) (*BackingImageRestoreInput, error)
+	Delete(container *BackingImageRestoreInput) error
+}
+
+func newBackingImageRestoreInputClient(rancherClient *RancherClient) *BackingImageRestoreInputClient {
+	return &BackingImageRestoreInputClient{
+		rancherClient: rancherClient,
+	}
+}
+
+func (c *BackingImageRestoreInputClient) Create(container *BackingImageRestoreInput) (*BackingImageRestoreInput, error) {
+	resp := &BackingImageRestoreInput{}
+	err := c.rancherClient.doCreate(BACKING_IMAGE_RESTORE_INPUT_TYPE, container, resp)
+	return resp, err
+}
+
+func (c *BackingImageRestoreInputClient) Update(existing *BackingImageRestoreInput, updates interface{}) (*BackingImageRestoreInput, error) {
+	resp := &BackingImageRestoreInput{}
+	err := c.rancherClient.doUpdate(BACKING_IMAGE_RESTORE_INPUT_TYPE, &existing.Resource, updates, resp)
+	return resp, err
+}
+
+func (c *BackingImageRestoreInputClient) List(opts *ListOpts) (*BackingImageRestoreInputCollection, error) {
+	resp := &BackingImageRestoreInputCollection{}
+	err := c.rancherClient.doList(BACKING_IMAGE_RESTORE_INPUT_TYPE, opts, resp)
+	resp.client = c
+	return resp, err
+}
+
+func (cc *BackingImageRestoreInputCollection) Next() (*BackingImageRestoreInputCollection, error) {
+	if cc != nil && cc.Pagination != nil && cc.Pagination.Next != "" {
+		resp := &BackingImageRestoreInputCollection{}
+		err := cc.client.rancherClient.doNext(cc.Pagination.Next, resp)
+		resp.client = cc.client
+		return resp, err
+	}
+	return nil, nil
+}
+
+func (c *BackingImageRestoreInputClient) ById(id string) (*BackingImageRestoreInput, error) {
+	resp := &BackingImageRestoreInput{}
+	err := c.rancherClient.doById(BACKING_IMAGE_RESTORE_INPUT_TYPE, id, resp)
+	if apiError, ok := err.(*ApiError); ok {
+		if apiError.StatusCode == 404 {
+			return nil, nil
+		}
+	}
+	return resp, err
+}
+
+func (c *BackingImageRestoreInputClient) Delete(container *BackingImageRestoreInput) error {
+	return c.rancherClient.doResourceDelete(BACKING_IMAGE_RESTORE_INPUT_TYPE, &container.Resource)
+}

client/generated_client.go

@@ -57,6 +57,7 @@ type RancherClient struct {
 	InstanceManager                        InstanceManagerOperations
 	BackingImageDiskFileStatus             BackingImageDiskFileStatusOperations
 	BackingImageCleanupInput               BackingImageCleanupInputOperations
+	BackingImageRestoreInput               BackingImageRestoreInputOperations
 	Attachment                             AttachmentOperations
 	VolumeAttachment                       VolumeAttachmentOperations
 	Volume                                 VolumeOperations
@@ -138,6 +139,7 @@ func constructClient(rancherBaseClient *RancherBaseClientImpl) *RancherClient {
 	client.InstanceManager = newInstanceManagerClient(client)
 	client.BackingImageDiskFileStatus = newBackingImageDiskFileStatusClient(client)
 	client.BackingImageCleanupInput = newBackingImageCleanupInputClient(client)
+	client.BackingImageRestoreInput = newBackingImageRestoreInputClient(client)
 	client.Attachment = newAttachmentClient(client)
 	client.VolumeAttachment = newVolumeAttachmentClient(client)
 	client.Volume = newVolumeClient(client)

controller/backing_image_controller.go

@@ -401,6 +401,15 @@ func (bic *BackingImageController) handleBackingImageDataSource(bi *longhorn.Bac
 			if err != nil {
 				return err
 			}
+
+			// For clone, we choose the same node and disk as the source backing image
+			if bi.Spec.SourceType == longhorn.BackingImageDataSourceTypeClone {
+				readyNode, readyDiskName, err = bic.findReadyNodeAndDiskForClone(bi)
+				if err != nil {
+					return nil
+				}
+			}
+
 			foundReadyDisk = true
 			readyNodeID = readyNode.Name
 			readyDiskUUID = readyNode.Status.DiskStatus[readyDiskName].DiskUUID
@@ -532,6 +541,15 @@ func (bic *BackingImageController) handleBackingImageDataSource(bi *longhorn.Bac
 			if err != nil {
 				return err
 			}
+
+			// For clone, we choose the same node and disk as the source backing image
+			if bi.Spec.SourceType == longhorn.BackingImageDataSourceTypeClone {
+				readyNode, readyDiskName, err = bic.findReadyNodeAndDiskForClone(bi)
+				if err != nil {
+					return nil
+				}
+			}
+
 			bids.Spec.NodeID = readyNode.Name
 			bids.Spec.DiskUUID = readyNode.Status.DiskStatus[readyDiskName].DiskUUID
 			bids.Spec.DiskPath = readyNode.Spec.Disks[readyDiskName].Path
@@ -854,3 +872,17 @@ func (bic *BackingImageController) enqueueBackingImageForReplica(obj interface{}
 func (bic *BackingImageController) isResponsibleFor(bi *longhorn.BackingImage) bool {
 	return isControllerResponsibleFor(bic.controllerID, bic.ds, bi.Name, "", bi.Status.OwnerID)
 }
+
+// For cloning, we choose the same node and disk as the source backing image
+func (bic *BackingImageController) findReadyNodeAndDiskForClone(bi *longhorn.BackingImage) (*longhorn.Node, string, error) {
+	sourceBackingImageName := bi.Spec.SourceParameters[longhorn.DataSourceTypeCloneParameterBackingImage]
+	sourceBackingImage, err := bic.ds.GetBackingImageRO(sourceBackingImageName)
+	if err != nil {
+		return nil, "", fmt.Errorf("failed to get source backing image %v during cloning", sourceBackingImageName)
+	}
+	readyNode, readyDiskName, err := bic.ds.GetOneBackingImageReadyNodeDisk(sourceBackingImage)
+	if err != nil {
+		return nil, "", fmt.Errorf("failed to find one ready source backing image %v during cloning", sourceBackingImageName)
+	}
+	return readyNode, readyDiskName, nil
+}

controller/backing_image_data_source_controller.go

@@ -405,6 +405,17 @@ func (c *BackingImageDataSourceController) syncBackingImage(bids *longhorn.Backi
 		}
 	}
 
+	// Only copy the secret to spec if it is to encrypt other backing image
+	// because we use spec secret to check if it is encrypted.
+	if isEncryptionRequire(bi) {
+		if bi.Spec.SourceParameters[longhorn.DataSourceTypeCloneParameterSecret] != "" {
+			bi.Spec.Secret = bi.Spec.SourceParameters[longhorn.DataSourceTypeCloneParameterSecret]
+		}
+		if bi.Spec.SourceParameters[longhorn.DataSourceTypeCloneParameterSecretNamespace] != "" {
+			bi.Spec.SecretNamespace = bi.Spec.SourceParameters[longhorn.DataSourceTypeCloneParameterSecretNamespace]
+		}
+	}
+
 	return nil
 }
 
@@ -669,7 +680,11 @@ func (c *BackingImageDataSourceController) generateBackingImageDataSourcePodMani
 		"--source-type", string(bids.Spec.SourceType),
 	}
 
-	if err := c.prepareRunningParameters(bids); err != nil {
+	bids.Status.RunningParameters = bids.Spec.Parameters
+	if err := c.prepareRunningParametersForClone(bids); err != nil {
+		return nil, err
+	}
+	if err := c.prepareRunningParametersForExport(bids); err != nil {
 		return nil, err
 	}
 	for key, value := range bids.Status.RunningParameters {
@@ -679,6 +694,21 @@ func (c *BackingImageDataSourceController) generateBackingImageDataSourcePodMani
 		cmd = append(cmd, "--checksum", bids.Spec.Checksum)
 	}
 
+	if bids.Spec.SourceType == longhorn.BackingImageDataSourceTypeClone && secretExists(bids) {
+
+		credential, err := c.ds.GetEncryptionSecret(
+			bids.Spec.Parameters[longhorn.DataSourceTypeCloneParameterSecretNamespace],
+			bids.Spec.Parameters[longhorn.DataSourceTypeCloneParameterSecret],
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		for key, value := range credential {
+			cmd = append(cmd, "--credential", fmt.Sprintf("%s=%s", key, value))
+		}
+	}
+
 	if bids.Spec.SourceType == longhorn.BackingImageDataSourceTypeRestore {
 		var credential map[string]string
 		backupTarget, err := c.ds.GetBackupTargetRO(types.DefaultBackupTargetName)
@@ -745,6 +775,14 @@ func (c *BackingImageDataSourceController) generateBackingImageDataSourcePodMani
 							Name:      "disk-path",
 							MountPath: bimtypes.DiskPathInContainer,
 						},
+						{
+							Name:      "host-dev",
+							MountPath: "/dev",
+						},
+						{
+							Name:      "host-proc",
+							MountPath: "/host/proc", // we use this to enter the host namespace
+						},
 					},
 					Env: []corev1.EnvVar{
 						{
@@ -770,6 +808,22 @@ func (c *BackingImageDataSourceController) generateBackingImageDataSourcePodMani
 						},
 					},
 				},
+				{
+					Name: "host-dev",
+					VolumeSource: corev1.VolumeSource{
+						HostPath: &corev1.HostPathVolumeSource{
+							Path: "/dev",
+						},
+					},
+				},
+				{
+					Name: "host-proc",
+					VolumeSource: corev1.VolumeSource{
+						HostPath: &corev1.HostPathVolumeSource{
+							Path: "/proc",
+						},
+					},
+				},
 			},
 			NodeName:      bids.Spec.NodeID,
 			RestartPolicy: corev1.RestartPolicyNever,
@@ -802,8 +856,21 @@ func (c *BackingImageDataSourceController) generateBackingImageDataSourcePodMani
 	return podSpec, nil
 }
 
-func (c *BackingImageDataSourceController) prepareRunningParameters(bids *longhorn.BackingImageDataSource) error {
-	bids.Status.RunningParameters = bids.Spec.Parameters
+func (c *BackingImageDataSourceController) prepareRunningParametersForClone(bids *longhorn.BackingImageDataSource) error {
+	if bids.Spec.SourceType != longhorn.BackingImageDataSourceTypeClone {
+		return nil
+	}
+
+	sourceBackingImageName := bids.Spec.Parameters[longhorn.DataSourceTypeCloneParameterBackingImage]
+	sourceBackingImage, err := c.ds.GetBackingImageRO(sourceBackingImageName)
+	if err != nil {
+		return err
+	}
+	bids.Status.RunningParameters[longhorn.DataSourceTypeCloneParameterBackingImageUUID] = sourceBackingImage.Status.UUID
+	return nil
+}
+
+func (c *BackingImageDataSourceController) prepareRunningParametersForExport(bids *longhorn.BackingImageDataSource) error {
 	if bids.Spec.SourceType != longhorn.BackingImageDataSourceTypeExportFromVolume {
 		return nil
 	}
@@ -1173,3 +1240,13 @@ func (m *BackingImageDataSourceMonitor) sync() {
 func (c *BackingImageDataSourceController) isResponsibleFor(bids *longhorn.BackingImageDataSource) bool {
 	return isControllerResponsibleFor(c.controllerID, c.ds, bids.Name, bids.Spec.NodeID, bids.Status.OwnerID)
 }
+
+func isEncryptionRequire(bi *longhorn.BackingImage) bool {
+	encryptionType := bimtypes.EncryptionType(bi.Spec.SourceParameters[longhorn.DataSourceTypeCloneParameterEncryption])
+	return bi.Spec.SourceType == longhorn.BackingImageDataSourceTypeClone && encryptionType == bimtypes.EncryptionTypeEncrypt
+}
+
+func secretExists(bids *longhorn.BackingImageDataSource) bool {
+	return bids.Spec.Parameters[longhorn.DataSourceTypeCloneParameterSecretNamespace] != "" &&
+		bids.Spec.Parameters[longhorn.DataSourceTypeCloneParameterSecret] != ""
+}

controller/share_manager_controller.go

@@ -25,7 +25,6 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
 
-	"github.com/longhorn/longhorn-manager/csi"
 	"github.com/longhorn/longhorn-manager/csi/crypto"
 	"github.com/longhorn/longhorn-manager/datastore"
 	"github.com/longhorn/longhorn-manager/engineapi"
@@ -906,16 +905,16 @@ func (c *ShareManagerController) createShareManagerPod(sm *longhorn.ShareManager
 			return nil, err
 		}
 
-		cryptoKey = string(secret.Data[csi.CryptoKeyValue])
+		cryptoKey = string(secret.Data[types.CryptoKeyValue])
 		if len(cryptoKey) == 0 {
-			return nil, fmt.Errorf("missing %v in secret for encrypted RWX volume %v", csi.CryptoKeyValue, volume.Name)
+			return nil, fmt.Errorf("missing %v in secret for encrypted RWX volume %v", types.CryptoKeyValue, volume.Name)
 		}
 		cryptoParams = crypto.NewEncryptParams(
-			string(secret.Data[csi.CryptoKeyProvider]),
-			string(secret.Data[csi.CryptoKeyCipher]),
-			string(secret.Data[csi.CryptoKeyHash]),
-			string(secret.Data[csi.CryptoKeySize]),
-			string(secret.Data[csi.CryptoPBKDF]))
+			string(secret.Data[types.CryptoKeyProvider]),
+			string(secret.Data[types.CryptoKeyCipher]),
+			string(secret.Data[types.CryptoKeyHash]),
+			string(secret.Data[types.CryptoKeySize]),
+			string(secret.Data[types.CryptoPBKDF]))
 	}
 
 	manifest := c.createPodManifest(sm, annotations, tolerations, affinity, imagePullPolicy, nil, registrySecret,