API: validate LUKS

When importing from vSphere or OVA and using EL8 virt-v2v (warm migration), LUKS encryption is not supported. In case the plan is set with LUKS secret, fail to validate such plan. Signed-off-by: Liran Rotenberg <[email protected]>
kubev2v · May 23, 2024 · 8c3b642 · 8c3b642
1 parent 96b9f0c
commit 8c3b642
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/pkg/forklift-api/webhooks/validating-webhook/admitters/BUILD.bazel b/pkg/forklift-api/webhooks/validating-webhook/admitters/BUILD.bazel
@@ -19,6 +19,7 @@ go_library(
         "//pkg/lib/error",
         "//pkg/lib/inventory/container",
         "//pkg/lib/logging",
+        "//pkg/lib/ref",
         "//pkg/settings",
         "//vendor/k8s.io/api/admission/v1beta1",
         "//vendor/k8s.io/api/core/v1:core",

diff --git a/pkg/forklift-api/webhooks/validating-webhook/admitters/plan-admitter.go b/pkg/forklift-api/webhooks/validating-webhook/admitters/plan-admitter.go
@@ -116,6 +116,38 @@ func (admitter *PlanAdmitter) validateWarmMigrations() error {
 	return nil
 }
 
+func (admitter *PlanAdmitter) validateLUKS() error {
+	hasLUKS := false
+	for _, vm := range admitter.plan.Spec.VMs {
+		if vm.LUKS.Name != "" {
+			hasLUKS = true
+			break
+		}
+	}
+	if !hasLUKS {
+		return nil
+	}
+
+	providerType := admitter.sourceProvider.Type()
+	if providerType != api.VSphere && providerType != api.Ova {
+		err := liberr.New(fmt.Sprintf("migration of encrypted disks from source provider of type %s is not supported", providerType))
+		log.Error(err, "Provider type (non-VSphere & non-OVA) does not support LUKS")
+		return err
+	}
+
+	el9, el9Err := admitter.plan.VSphereUsesEl9VirtV2v()
+	if el9Err != nil {
+		log.Error(el9Err, "Could not analyze plan, failing")
+		return el9Err
+	}
+	if !el9 {
+		err := liberr.New("migration of encrypted disks is not supported for warm migrations or migrations to remote providers")
+		log.Error(err, "Warm migration does not support LUKS")
+		return err
+	}
+	return nil
+}
+
 func (admitter *PlanAdmitter) Admit(ar *admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
 	log.Info("Plan admitter was called")
 	raw := ar.Request.Object.Raw
@@ -167,5 +199,10 @@ func (admitter *PlanAdmitter) Admit(ar *admissionv1.AdmissionReview) *admissionv
 		return util.ToAdmissionResponseError(err)
 	}
 
+	err = admitter.validateLUKS()
+	if err != nil {
+		return util.ToAdmissionResponseError(err)
+	}
+
 	return util.ToAdmissionResponseAllow()
 }