From 7d024f0a860e67f2f561bd0019060f7cb5b0da1d Mon Sep 17 00:00:00 2001
From: Liran Rotenberg
Date: Wed, 29 May 2024 12:11:20 +0300
Subject: [PATCH] Add a check to the LUKS secret existence

Instead of the plan keep being running and the conversion pod try to init, we can query and check the secret existence for LUKS keys before. In the case it's doesn't exist, fail the migration properly. If it does exist, post it on the target namespace for the conversion pod.

Signed-off-by: Liran Rotenberg
---
 pkg/controller/plan/kubevirt.go | 45 ++++++++++++++++++++++++++-------
 1 file changed, 36 insertions(+), 9 deletions(-)

diff --git a/pkg/controller/plan/kubevirt.go b/pkg/controller/plan/kubevirt.go
index 846c3c74d..905ba0a76 100644
--- a/pkg/controller/plan/kubevirt.go
+++ b/pkg/controller/plan/kubevirt.go
@@ -75,6 +75,8 @@ const (
 	kVM = "vmID"
 	// App label
 	kApp = "forklift.app"
+	// LUKS
+	kLUKS = "isLUKS"
 )
 
 // User
@@ -521,7 +523,7 @@ func (r *KubeVirt) DeleteVM(vm *plan.VMStatus) (err error) {
 }
 
 func (r *KubeVirt) DataVolumes(vm *plan.VMStatus) (dataVolumes []cdi.DataVolume, err error) {
-	secret, err := r.ensureSecret(vm.Ref, r.secretDataSetterForCDI(vm.Ref))
+	secret, err := r.ensureSecret(vm.Ref, r.secretDataSetterForCDI(vm.Ref), false)
 	if err != nil {
 		return
 	}
@@ -538,7 +540,7 @@ func (r *KubeVirt) DataVolumes(vm *plan.VMStatus) (dataVolumes []cdi.DataVolume,
 }
 
 func (r *KubeVirt) PopulatorVolumes(vmRef ref.Ref) (pvcs []*core.PersistentVolumeClaim, err error) {
-	secret, err := r.ensureSecret(vmRef, r.copyDataFromProviderSecret)
+	secret, err := r.ensureSecret(vmRef, r.copyDataFromProviderSecret, false)
 	if err != nil {
 		err = liberr.Wrap(err)
 		return
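Review bot: The comment on the new constant, `// LUKS`, does not say what `kLUKS` is: a label key whose value is written as `"true"` in the @@ -1958 and @@ -2020 hunks so that the copied LUKS key secret can be told apart from the credential secrets that share the same VM labels. Suggest `// Label marking the secret that carries the LUKS keys copied to the target namespace for the conversion pod`, in the style of the `// App label` comment above it.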
@@ -779,7 +781,7 @@ func (r *KubeVirt) getListOptionsNamespaced() (listOptions *client.ListOptions)
 
 // Ensure the guest conversion (virt-v2v) pod exists on the destination.
 func (r *KubeVirt) EnsureGuestConversionPod(vm *plan.VMStatus, vmCr *VirtualMachine, pvcs []*core.PersistentVolumeClaim) (err error) {
-	v2vSecret, err := r.ensureSecret(vm.Ref, r.secretDataSetterForCDI(vm.Ref))
+	v2vSecret, err := r.ensureSecret(vm.Ref, r.secretDataSetterForCDI(vm.Ref), false)
 	if err != nil {
 		return
 	}
@@ -1762,11 +1764,16 @@ func (r *KubeVirt) podVolumeMounts(vmVolumes []cnv.Volume, configMap *core.Confi
 		},
 	})
 	if vm.LUKS.Name != "" {
+		secret, erro := r.ensureSecret(vm.Ref, r.secretLUKS(vm.LUKS.Name, r.Plan.Namespace), true)
+		if erro != nil {
+			err = liberr.Wrap(erro)
+			return
+		}
 		volumes = append(volumes, core.Volume{
 			Name: "luks",
 			VolumeSource: core.VolumeSource{
 				Secret: &core.SecretVolumeSource{
-					SecretName: vm.LUKS.Name,
+					SecretName: secret.Name,
 				},
 			},
 		})
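Review bot: `secret, erro := r.ensureSecret(...)` in the @@ -1762 hunk introduces a second error variable only because `:=` would shadow the named result `err`; declaring `var secret *core.Secret` before the call and assigning with `secret, err = r.ensureSecret(vm.Ref, r.secretLUKS(vm.LUKS.Name, r.Plan.Namespace), true)` followed by the file's usual `if err != nil { err = liberr.Wrap(err); return }` keeps a single error path. The bigger point is placement: ensureSecret reads the source secret through r.Client and creates or updates a copy in the target namespace, and that API write now happens inside podVolumeMounts, whose name and signature suggest it only assembles the pod spec; if EnsureGuestConversionPod is the caller, it already ensures the v2v secret in the @@ -779 hunk, and the LUKS copy could be made there and its name passed down. podVolumeMounts starts and ends outside the hunk, so the call site of the returned volumes is not visible.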
@@ -1958,24 +1965,40 @@ func (r *KubeVirt) secretDataSetterForCDI(vmRef ref.Ref) func(*core.Secret) erro } } +func (r *KubeVirt) secretLUKS(name, namespace string) func(*core.Secret) error { + return func(secret *core.Secret) error { + sourceSecret := &core.Secret{} + err := r.Client.Get(context.TODO(), client.ObjectKey{Name: name, Namespace: namespace}, sourceSecret) + if err != nil { + return err + } + secret.Data = sourceSecret.Data + return nil + } +} + // Ensure the credential secret for the data transfer exists on the destination. -func (r *KubeVirt) ensureSecret(vmRef ref.Ref, setSecretData func(*core.Secret) error) (secret *core.Secret, err error) { +func (r *KubeVirt) ensureSecret(vmRef ref.Ref, setSecretData func(*core.Secret) error, isLUKS bool) (secret *core.Secret, err error) { _, err = r.Source.Inventory.VM(&vmRef) if err != nil { return } - newSecret, err := r.secret(vmRef, setSecretData) + newSecret, err := r.secret(vmRef, setSecretData, isLUKS) if err != nil { return } list := &core.SecretList{} + secretLabels := r.vmLabels(vmRef) + if isLUKS { + secretLabels[kLUKS] = "true" + } err = r.Destination.Client.List( context.TODO(), list, &client.ListOptions{ - LabelSelector: labels.SelectorFromSet(r.vmLabels(vmRef)), + LabelSelector: labels.SelectorFromSet(secretLabels), Namespace: r.Plan.Spec.TargetNamespace, }, ) 
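Review bot: The non-LUKS lookup in ensureSecret still matches the LUKS secret: `labels.SelectorFromSet(secretLabels)` selects every secret carrying at least those labels, and the LUKS secret built by `secret` carries the same VM labels plus `isLUKS=true`, so DataVolumes, PopulatorVolumes and EnsureGuestConversionPod (which pass `false`) can get the LUKS secret back as their credential secret; what the code past the hunk does with `list.Items` is not visible, but reusing or updating that item would mix CDI credentials with LUKS key material in one secret. Writing the label in both branches, `secretLabels[kLUKS] = strconv.FormatBool(isLUKS)` here and on the matching line in `secret` (strconv is stdlib), makes the selector an exact discriminator; credential secrets created before this change carry no `isLUKS` label and would then be replaced rather than reused, which a `DoesNotExist` requirement on the non-LUKS side would avoid. `secretLUKS` also lacks the header comment its neighbours have; suggest `// secretLUKS returns a setter that copies the Data of the LUKS key secret name/namespace, read through r.Client, into the destination secret.`, and since failing the migration on a missing key secret is the point of this change, the raw error from `r.Client.Get` would be easier to act on with the secret name and namespace attached. ensureSecret continues past the hunk.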
@@ -2020,10 +2043,14 @@ func (r *KubeVirt) ensureSecret(vmRef ref.Ref, setSecretData func(*core.Secret)
 }
 
 // Build the credential secret for the data transfer (CDI importer / popoulator pod).
-func (r *KubeVirt) secret(vmRef ref.Ref, setSecretData func(*core.Secret) error) (secret *core.Secret, err error) {
+func (r *KubeVirt) secret(vmRef ref.Ref, setSecretData func(*core.Secret) error, isLUKS bool) (secret *core.Secret, err error) {
+	labels := r.vmLabels(vmRef)
+	if isLUKS {
+		labels[kLUKS] = "true"
+	}
 	secret = &core.Secret{
 		ObjectMeta: meta.ObjectMeta{
-			Labels: r.vmLabels(vmRef),
+			Labels: labels,
 			Namespace: r.Plan.Spec.TargetNamespace,
 			GenerateName: strings.Join(
 				[]string{
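Review bot: `labels := r.vmLabels(vmRef)` shadows the `labels` package that ensureSecret uses a few lines earlier (`labels.SelectorFromSet`); it compiles because the package is not referenced inside `secret`, but it reads as a trap, and the same four lines are duplicated in ensureSecret in the @@ -1958 hunk. A small helper that returns the VM labels with `kLUKS` set, called from both places, removes the shadowing and the duplication; its return type should match whatever `vmLabels` returns (`labels.Set` or `map[string]string`, not visible here). `secret`'s body continues past the hunk.

```go
// secretLabels returns the VM labels for vmRef, marked with kLUKS when the
// secret carries LUKS keys, so the two kinds of secret can be told apart.
func (r *KubeVirt) secretLabels(vmRef ref.Ref, isLUKS bool) map[string]string {
	secretLabels := r.vmLabels(vmRef)
	if isLUKS {
		secretLabels[kLUKS] = "true"
	}
	return secretLabels
}

func (r *KubeVirt) secret(vmRef ref.Ref, setSecretData func(*core.Secret) error, isLUKS bool) (secret *core.Secret, err error) {
	secret = &core.Secret{
		ObjectMeta: meta.ObjectMeta{
			Labels: r.secretLabels(vmRef, isLUKS),
			// … unchanged: Namespace, GenerateName …
```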