diff --git a/pkg/forklift-api/webhooks/validating-webhook/admitters/BUILD.bazel b/pkg/forklift-api/webhooks/validating-webhook/admitters/BUILD.bazel
index 61d3de84a..65eff3513 100644
--- a/pkg/forklift-api/webhooks/validating-webhook/admitters/BUILD.bazel
+++ b/pkg/forklift-api/webhooks/validating-webhook/admitters/BUILD.bazel
@@ -19,6 +19,7 @@ go_library(
 "//pkg/lib/error",
 "//pkg/lib/inventory/container",
 "//pkg/lib/logging",
+ "//pkg/lib/ref",
 "//pkg/settings",
 "//vendor/k8s.io/api/admission/v1beta1",
 "//vendor/k8s.io/api/core/v1:core",
diff --git a/pkg/forklift-api/webhooks/validating-webhook/admitters/plan-admitter.go b/pkg/forklift-api/webhooks/validating-webhook/admitters/plan-admitter.go
index eb3075d99..cd8b4dc02 100644
--- a/pkg/forklift-api/webhooks/validating-webhook/admitters/plan-admitter.go
+++ b/pkg/forklift-api/webhooks/validating-webhook/admitters/plan-admitter.go
@@ -116,6 +116,38 @@ func (admitter *PlanAdmitter) validateWarmMigrations() error {
 return nil
 }
 
+func (admitter *PlanAdmitter) validateLUKS() error {
+ hasLUKS := false
+ for _, vm := range admitter.plan.Spec.VMs {
+ if vm.LUKS.Name != "" {
+ hasLUKS = true
+ break
+ }
+ }
+ if !hasLUKS {
+ return nil
+ }
+
+ providerType := admitter.sourceProvider.Type()
+ if providerType != api.VSphere && providerType != api.Ova {
+ err := liberr.New(fmt.Sprintf("migration of encrypted disks from source provider of type %s is not supported", providerType))
+ log.Error(err, "Provider type (non-VSphere & non-OVA) does not support LUKS")
+ return err
+ }
+
+ el9, el9Err := admitter.plan.VSphereUsesEl9VirtV2v()
+ if el9Err != nil {
+ log.Error(el9Err, "Could not analyze plan, failing")
+ return el9Err
+ }
+ if !el9 {
+ err := liberr.New("migration of encrypted disks is not supported for warm migrations or migrations to remote providers")
+ log.Error(err, "Warm migration does not support LUKS")
+ return err
+ }
+ return nil
+}
+
 func (admitter *PlanAdmitter) Admit(ar *admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
 log.Info("Plan admitter was called")
 raw := ar.Request.Object.Raw
@@ -167,5 +199,10 @@ func (admitter *PlanAdmitter) Admit(ar *admissionv1.AdmissionReview) *admissionv
 return util.ToAdmissionResponseError(err)
 }
 
+ err = admitter.validateLUKS()
+ if err != nil {
+ return util.ToAdmissionResponseError(err)
+ }
+
 return util.ToAdmissionResponseAllow()
 }
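Review bot: validateLUKS decides a VM is encrypted purely from `vm.LUKS.Name != ""` and never checks where that reference points. The type of `LUKS` is not visible in this hunk, but if it is an object reference that also carries a namespace, a plan could name a key secret outside the plan's own namespace, and whatever later resolves the reference would read it with its own privileges rather than the plan author's. Since this webhook is the admission gate, consider rejecting such references inside the loop, e.g. `if vm.LUKS.Namespace != "" && vm.LUKS.Namespace != admitter.plan.Namespace { return liberr.New("LUKS secret must be in the plan namespace") }`, which means the loop can no longer `break` on the first match. Separately, the `!el9` branch logs `"Warm migration does not support LUKS"` although the returned error also covers migrations to remote providers and OVA sources take the same `VSphereUsesEl9VirtV2v()` path. A log line such as `log.Error(err, "Plan does not use el9 virt-v2v, LUKS is not supported")` would match the condition actually tested.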