From abcddd74640f04289d3f64600a14ee367cce823e Mon Sep 17 00:00:00 2001
From: Liran Rotenberg
Date: Sun, 10 Dec 2023 18:48:40 +0200
Subject: [PATCH] API: validate LUKS

When importing from vSphere or OVA and using EL8 virt-v2v (warm migration), LUKS encryption is not supported. In case the plan is set with LUKS secret, fail to validate such plan.

Signed-off-by: Liran Rotenberg
---
 .../admitters/plan-admitter.go | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/pkg/forklift-api/webhooks/validating-webhook/admitters/plan-admitter.go b/pkg/forklift-api/webhooks/validating-webhook/admitters/plan-admitter.go
index eb3075d99..cd8b4dc02 100644
--- a/pkg/forklift-api/webhooks/validating-webhook/admitters/plan-admitter.go
+++ b/pkg/forklift-api/webhooks/validating-webhook/admitters/plan-admitter.go
@@ -116,6 +116,38 @@ func (admitter *PlanAdmitter) validateWarmMigrations() error {
 	return nil
 }
 
+func (admitter *PlanAdmitter) validateLUKS() error {
+	hasLUKS := false
+	for _, vm := range admitter.plan.Spec.VMs {
+		if vm.LUKS.Name != "" {
+			hasLUKS = true
+			break
+		}
+	}
+	if !hasLUKS {
+		return nil
+	}
+
+	providerType := admitter.sourceProvider.Type()
+	if providerType != api.VSphere && providerType != api.Ova {
+		err := liberr.New(fmt.Sprintf("migration of encrypted disks from source provider of type %s is not supported", providerType))
+		log.Error(err, "Provider type (non-VSphere & non-OVA) does not support LUKS")
+		return err
+	}
+
+	el9, el9Err := admitter.plan.VSphereUsesEl9VirtV2v()
+	if el9Err != nil {
+		log.Error(el9Err, "Could not analyze plan, failing")
+		return el9Err
+	}
+	if !el9 {
+		err := liberr.New("migration of encrypted disks is not supported for warm migrations or migrations to remote providers")
+		log.Error(err, "Warm migration does not support LUKS")
+		return err
+	}
+	return nil
+}
+
 func (admitter *PlanAdmitter) Admit(ar *admissionv1.AdmissionReview) *admissionv1.AdmissionResponse {
 	log.Info("Plan admitter was called")
 	raw := ar.Request.Object.Raw
@@ -167,5 +199,10 @@ func (admitter *PlanAdmitter) Admit(ar *admissionv1.AdmissionReview) *admissionv
 		return util.ToAdmissionResponseError(err)
 	}
 
+	err = admitter.validateLUKS()
+	if err != nil {
+		return util.ToAdmissionResponseError(err)
+	}
+
 	return util.ToAdmissionResponseAllow()
 }
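Review bot: The log line in the `!el9` branch of validateLUKS is narrower than the error it accompanies: the returned message says encrypted disks are unsupported "for warm migrations or migrations to remote providers", while the log says only "Warm migration does not support LUKS", so an operator reading the webhook log for a remote-provider rejection is pointed at the wrong cause; `log.Error(err, "Plan does not use EL9 virt-v2v (warm or remote migration), LUKS is not supported")` would match the error. The new function also has no doc comment; a line such as `// validateLUKS rejects a plan whose VMs reference a LUKS secret unless the source provider is vSphere or OVA and the plan is reported to use EL9 virt-v2v.` would state the contract the body enforces. Since VSphereUsesEl9VirtV2v is also reached when the provider type is api.Ova, it is worth confirming (outside this hunk) that the method's answer is meaningful for OVA plans rather than vSphere-specific. The admission-path wiring in the second hunk looks consistent with the surrounding checks.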