From d7a388b95b41fe4b00e3f533d37b0e957fb3a8ca Mon Sep 17 00:00:00 2001
From: Liran Rotenberg <lrotenbe@redhat.com>
Date: Wed, 29 May 2024 12:11:20 +0300
Subject: [PATCH] Add a check to the LUKS secret existence

Instead of the plan keep being running and the conversion pod try to
init, we can query and check the secret existence for LUKS keys before.
In the case it's doesn't exist, fail the migration properly. If it does
exist, post it on the target namespace for the conversion pod.

Signed-off-by: Liran Rotenberg <lrotenbe@redhat.com>
---
 pkg/controller/plan/kubevirt.go | 45 ++++++++++++++++++++++++++-------
 1 file changed, 36 insertions(+), 9 deletions(-)

diff --git a/pkg/controller/plan/kubevirt.go b/pkg/controller/plan/kubevirt.go
index c8266ee34..e36b4326d 100644
--- a/pkg/controller/plan/kubevirt.go
+++ b/pkg/controller/plan/kubevirt.go
@@ -75,6 +75,8 @@ const (
 	kVM = "vmID"
 	// App label
 	kApp = "forklift.app"
+	// LUKS
+	kLUKS = "isLUKS"
 )
 
 // User
@@ -521,7 +523,7 @@ func (r *KubeVirt) DeleteVM(vm *plan.VMStatus) (err error) {
 }
 
 func (r *KubeVirt) DataVolumes(vm *plan.VMStatus) (dataVolumes []cdi.DataVolume, err error) {
-	secret, err := r.ensureSecret(vm.Ref, r.secretDataSetterForCDI(vm.Ref))
+	secret, err := r.ensureSecret(vm.Ref, r.secretDataSetterForCDI(vm.Ref), false)
 	if err != nil {
 		return
 	}
@@ -538,7 +540,7 @@ func (r *KubeVirt) DataVolumes(vm *plan.VMStatus) (dataVolumes []cdi.DataVolume,
 }
 
 func (r *KubeVirt) PopulatorVolumes(vmRef ref.Ref) (pvcs []*core.PersistentVolumeClaim, err error) {
-	secret, err := r.ensureSecret(vmRef, r.copyDataFromProviderSecret)
+	secret, err := r.ensureSecret(vmRef, r.copyDataFromProviderSecret, false)
 	if err != nil {
 		err = liberr.Wrap(err)
 		return
@@ -779,7 +781,7 @@ func (r *KubeVirt) getListOptionsNamespaced() (listOptions *client.ListOptions)
 
 // Ensure the guest conversion (virt-v2v) pod exists on the destination.
 func (r *KubeVirt) EnsureGuestConversionPod(vm *plan.VMStatus, vmCr *VirtualMachine, pvcs []*core.PersistentVolumeClaim) (err error) {
-	v2vSecret, err := r.ensureSecret(vm.Ref, r.secretDataSetterForCDI(vm.Ref))
+	v2vSecret, err := r.ensureSecret(vm.Ref, r.secretDataSetterForCDI(vm.Ref), false)
 	if err != nil {
 		return
 	}
@@ -1760,11 +1762,16 @@ func (r *KubeVirt) podVolumeMounts(vmVolumes []cnv.Volume, configMap *core.Confi
 		},
 	})
 	if vm.LUKS.Name != "" {
+		secret, erro := r.ensureSecret(vm.Ref, r.secretLUKS(vm.LUKS.Name, r.Plan.Namespace), true)
+		if erro != nil {
+			err = liberr.Wrap(erro)
+			return
+		}
 		volumes = append(volumes, core.Volume{
 			Name: "luks",
 			VolumeSource: core.VolumeSource{
 				Secret: &core.SecretVolumeSource{
-					SecretName: vm.LUKS.Name,
+					SecretName: secret.Name,
 				},
 			},
 		})
@@ -1956,24 +1963,40 @@ func (r *KubeVirt) secretDataSetterForCDI(vmRef ref.Ref) func(*core.Secret) erro
 	}
 }
 
+func (r *KubeVirt) secretLUKS(name, namespace string) func(*core.Secret) error {
+	return func(secret *core.Secret) error {
+		sourceSecret := &core.Secret{}
+		err := r.Client.Get(context.TODO(), client.ObjectKey{Name: name, Namespace: namespace}, sourceSecret)
+		if err != nil {
+			return err
+		}
+		secret.Data = sourceSecret.Data
+		return nil
+	}
+}
+
 // Ensure the credential secret for the data transfer exists on the destination.
-func (r *KubeVirt) ensureSecret(vmRef ref.Ref, setSecretData func(*core.Secret) error) (secret *core.Secret, err error) {
+func (r *KubeVirt) ensureSecret(vmRef ref.Ref, setSecretData func(*core.Secret) error, isLUKS bool) (secret *core.Secret, err error) {
 	_, err = r.Source.Inventory.VM(&vmRef)
 	if err != nil {
 		return
 	}
 
-	newSecret, err := r.secret(vmRef, setSecretData)
+	newSecret, err := r.secret(vmRef, setSecretData, isLUKS)
 	if err != nil {
 		return
 	}
 
 	list := &core.SecretList{}
+	secretLabels := r.vmLabels(vmRef)
+	if isLUKS {
+		secretLabels[kLUKS] = "true"
+	}
 	err = r.Destination.Client.List(
 		context.TODO(),
 		list,
 		&client.ListOptions{
-			LabelSelector: labels.SelectorFromSet(r.vmLabels(vmRef)),
+			LabelSelector: labels.SelectorFromSet(secretLabels),
 			Namespace:     r.Plan.Spec.TargetNamespace,
 		},
 	)
@@ -2018,10 +2041,14 @@ func (r *KubeVirt) ensureSecret(vmRef ref.Ref, setSecretData func(*core.Secret)
 }
 
 // Build the credential secret for the data transfer (CDI importer / popoulator pod).
-func (r *KubeVirt) secret(vmRef ref.Ref, setSecretData func(*core.Secret) error) (secret *core.Secret, err error) {
+func (r *KubeVirt) secret(vmRef ref.Ref, setSecretData func(*core.Secret) error, isLUKS bool) (secret *core.Secret, err error) {
+	labels := r.vmLabels(vmRef)
+	if isLUKS {
+		labels[kLUKS] = "true"
+	}
 	secret = &core.Secret{
 		ObjectMeta: meta.ObjectMeta{
-			Labels:    r.vmLabels(vmRef),
+			Labels:    labels,
 			Namespace: r.Plan.Spec.TargetNamespace,
 			GenerateName: strings.Join(
 				[]string{