Handle stale LUKS mappers for NVMe

This commit enhances Trident's CSI node stage and unstage operations to handle stale mapper devices for LUKS-encrypted NVMe devices.

Author: jwebster7

frontend/csi/node_helpers/kubernetes/plugin.go

@@ -1,4 +1,4 @@
-// Copyright 2022 NetApp, Inc. All Rights Reserved.
+// Copyright 2025 NetApp, Inc. All Rights Reserved.
 
 package kubernetes
 
@@ -214,13 +214,13 @@ func (h *helper) RemovePublishedPath(ctx context.Context, volumeID, pathToRemove
 
 	volTrackingInfo, err := h.ReadTrackingInfo(ctx, volumeID)
 	if err != nil {
-		return fmt.Errorf("failed to read the tracking file; %v", err)
+		return fmt.Errorf("failed to read the tracking file; %w", err)
 	}
 
 	delete(volTrackingInfo.PublishedPaths, pathToRemove)
 
 	if err := h.WriteTrackingInfo(ctx, volumeID, volTrackingInfo); err != nil {
-		return fmt.Errorf("failed to update the tracking file; %v", err)
+		return fmt.Errorf("failed to update the tracking file; %w", err)
 	}
 
 	h.publishedPaths[volumeID] = volTrackingInfo.PublishedPaths

frontend/csi/node_server.go

@@ -638,12 +638,12 @@ func (p *Plugin) nodeExpandVolume(
 	devicePath := publishInfo.DevicePath
 	if convert.ToBool(publishInfo.LUKSEncryption) {
 		if !luks.IsLegacyDevicePath(devicePath) {
-			devicePath, err = p.devices.GetLUKSDeviceForMultipathDevice(devicePath)
+			devicePath, err = p.devices.GetLUKSDevicePathForVolume(ctx, volumeId)
 			if err != nil {
 				Logc(ctx).WithFields(LogFields{
 					"volumeId":      volumeId,
 					"publishedPath": publishInfo.DevicePath,
-				}).WithError(err).Error("Failed to get LUKS device path from device path.")
+				}).WithError(err).Error("Failed to get LUKS device path for volume.")
 				return status.Error(codes.Internal, err.Error())
 			}
 		}
@@ -1465,15 +1465,18 @@ func (p *Plugin) nodeUnstageFCPVolume(
 					publishInfo.DevicePath = dmPath
 				}
 			} else {
-				// If not using luks legacy device path we need to find the LUKS mapper device
-				luksMapperPath, err = p.devices.GetLUKSDeviceForMultipathDevice(publishInfo.DevicePath)
+				// If not using luks legacy device path we need to find the LUKS mapper device.
+				luksMapperPath, err = p.devices.GetLUKSDevicePathForVolume(ctx, req.GetVolumeId())
 				if err != nil {
-					if !errors.IsNotFoundError(err) {
-						Logc(ctx).WithFields(fields).WithError(err).Warn(
-							"Could not determine LUKS device path from multipath device. " +
-								"Continuing with device removal.")
+					// If the LUKS device is not found, the functional difference is negligible to unstage.
+					// But it may be useful to log at different levels for observability.
+					log := Logc(ctx).WithFields(fields).WithError(err)
+					if errors.IsNotFoundError(err) {
+						log.Warn("Failed to get LUKS device path for volume.")
+					} else {
+						log.Debug("Could not determine LUKS device path for volume.")
 					}
-					Logc(ctx).WithFields(fields).Info("No LUKS device path found from multipath device.")
+					log.Debug("Continuing with device removal.")
 				}
 			}
 			err = p.devices.EnsureLUKSDeviceClosedWithMaxWaitLimit(ctx, luksMapperPath)
@@ -1516,11 +1519,10 @@ func (p *Plugin) nodeUnstageFCPVolume(
 			"multipathDevice": deviceInfo.MultipathDevice,
 		}
 
-		luksMapperPath, err = p.devices.GetLUKSDeviceForMultipathDevice(deviceInfo.MultipathDevice)
+		luksMapperPath, err = p.devices.GetLUKSDevicePathForVolume(ctx, req.GetVolumeId())
 		if err != nil {
 			if !errors.IsNotFoundError(err) {
-				Logc(ctx).WithFields(fields).
-					WithError(err).Error("Failed to get LUKS device path from multipath device.")
+				Logc(ctx).WithFields(fields).WithError(err).Error("Failed to get LUKS device path from multipath device.")
 				return err
 			}
 			Logc(ctx).WithFields(fields).Info("No LUKS device path found from multipath device.")
@@ -1969,7 +1971,7 @@ func (p *Plugin) nodeUnstageISCSIVolume(
 		if convert.ToBool(publishInfo.LUKSEncryption) {
 			var err error
 			var luksMapperPath string
-			fields := LogFields{"device": publishInfo.DevicePath}
+			fields := LogFields{"device": publishInfo.DevicePath, "volume": req.GetVolumeId()}
 			// Set device path to dm device to correctly verify legacy volumes.
 			if luks.IsLegacyDevicePath(publishInfo.DevicePath) {
 				luksMapperPath = publishInfo.DevicePath
@@ -1983,17 +1985,22 @@ func (p *Plugin) nodeUnstageISCSIVolume(
 					publishInfo.DevicePath = dmPath
 				}
 			} else {
-				// If not using luks legacy device path we need to find the LUKS mapper device
-				luksMapperPath, err = p.devices.GetLUKSDeviceForMultipathDevice(publishInfo.DevicePath)
+				// Use the volume ID to get the LUKS mapper path.
+				// This should always work if the mapper is still present.
+				luksMapperPath, err = p.devices.GetLUKSDevicePathForVolume(ctx, req.GetVolumeId())
 				if err != nil {
-					if !errors.IsNotFoundError(err) {
-						Logc(ctx).WithFields(fields).WithError(err).Warn(
-							"Could not determine LUKS device path from multipath device. " +
-								"Continuing with device removal.")
+					// If the LUKS device is not found, the functional difference is negligible to unstage.
+					// But it may be useful to log at different levels for observability.
+					log := Logc(ctx).WithFields(fields).WithError(err)
+					if errors.IsNotFoundError(err) {
+						log.Warn("Failed to get LUKS device path for volume.")
+					} else {
+						log.Debug("Could not determine LUKS device path for volume.")
 					}
-					Logc(ctx).WithFields(fields).Info("No LUKS device path found from multipath device.")
+					log.Debug("Continuing with device removal.")
 				}
 			}
+
 			err = p.devices.EnsureLUKSDeviceClosedWithMaxWaitLimit(ctx, luksMapperPath)
 			if err != nil {
 				Logc(ctx).WithError(err).Debug("Unable to remove LUKS device. Continuing with tracking file removal.")
@@ -2044,7 +2051,7 @@ func (p *Plugin) nodeUnstageISCSIVolume(
 			"multipathDevice": deviceInfo.MultipathDevice,
 		}
 
-		luksMapperPath, err = p.devices.GetLUKSDeviceForMultipathDevice(deviceInfo.MultipathDevice)
+		luksMapperPath, err = p.devices.GetLUKSDevicePathForVolume(ctx, req.GetVolumeId())
 		if err != nil {
 			if !errors.IsNotFoundError(err) {
 				Logc(ctx).WithFields(fields).WithError(err).Error("Failed to get LUKS device path from multipath device.")
@@ -3043,7 +3050,7 @@ func (p *Plugin) nodeUnstageNVMeVolume(
 		return nil, fmt.Errorf("failed to get NVMe device; %v", err)
 	}
 
-	var devicePath string
+	devicePath := publishInfo.DevicePath
 	if nvmeDev != nil {
 		devicePath = nvmeDev.GetPath()
 	}
@@ -3056,10 +3063,19 @@ func (p *Plugin) nodeUnstageNVMeVolume(
 			"publishedPath": publishInfo.DevicePath,
 		}
 
-		luksMapperPath, err = p.devices.GetLUKSDeviceForMultipathDevice(devicePath)
+		// Use the volume ID to get the LUKS mapper path.
+		// This should always work if the mapper is still present.
+		luksMapperPath, err = p.devices.GetLUKSDevicePathForVolume(ctx, req.GetVolumeId())
 		if err != nil {
-			Logc(ctx).WithFields(fields).WithError(err).Debug("Failed to get LUKS device path from device path. " +
-				"Device may already be removed.")
+			// If the LUKS device is not found, the functional difference is negligible to unstage.
+			// But it may be useful to log at different levels for observability.
+			log := Logc(ctx).WithFields(fields).WithError(err)
+			if errors.IsNotFoundError(err) {
+				log.Warn("Failed to get LUKS device path for volume.")
+			} else {
+				log.Debug("Could not determine LUKS device path for volume.")
+			}
+			log.Debug("Continuing with device removal.")
 		}
 
 		if luksMapperPath != "" {

frontend/csi/node_server_test.go

@@ -2114,7 +2114,8 @@ func TestNodeUnstageISCSIVolume(t *testing.T) {
 			},
 			getDeviceClient: func() devices.Devices {
 				mockDeviceClient := mock_devices.NewMockDevices(gomock.NewController(t))
-				mockDeviceClient.EXPECT().GetLUKSDeviceForMultipathDevice(gomock.Any()).Return(mockDevicePath, nil)
+
+				mockDeviceClient.EXPECT().GetLUKSDevicePathForVolume(gomock.Any(), gomock.Any()).Return(mockDevicePath, nil)
 				mockDeviceClient.EXPECT().EnsureLUKSDeviceClosedWithMaxWaitLimit(gomock.Any(), mockDevicePath).Return(nil)
 				mockDeviceClient.EXPECT().EnsureLUKSDeviceClosed(gomock.Any(), mockDevicePath).Return(nil)
 				mockDeviceClient.EXPECT().RemoveMultipathDeviceMappingWithRetries(gomock.Any(), gomock.Any(),
@@ -2148,7 +2149,6 @@ func TestNodeUnstageISCSIVolume(t *testing.T) {
 
 				mockISCSIClient.EXPECT().TargetHasMountedDevice(gomock.Any(), gomock.Any()).Return(false, nil)
 				mockISCSIClient.EXPECT().SafeToLogOut(gomock.Any(), gomock.Any(), gomock.Any()).Return(true)
-
 				mockISCSIClient.EXPECT().RemovePortalsFromSession(gomock.Any(), gomock.Any(), gomock.Any())
 				mockISCSIClient.EXPECT().Logout(gomock.Any(), gomock.Any(), gomock.Any())
 				mockISCSIClient.EXPECT().PrepareDeviceForRemoval(gomock.Any(), gomock.Any(), gomock.Any(),
@@ -2160,7 +2160,7 @@ func TestNodeUnstageISCSIVolume(t *testing.T) {
 			},
 			getDeviceClient: func() devices.Devices {
 				mockDeviceClient := mock_devices.NewMockDevices(gomock.NewController(t))
-				mockDeviceClient.EXPECT().GetLUKSDeviceForMultipathDevice(gomock.Any()).Return(mockDevicePath, nil)
+				mockDeviceClient.EXPECT().GetLUKSDevicePathForVolume(gomock.Any(), gomock.Any()).Return(mockDevicePath, nil)
 				mockDeviceClient.EXPECT().EnsureLUKSDeviceClosedWithMaxWaitLimit(gomock.Any(), mockDevicePath).
 					Return(nil)
 				mockDeviceClient.EXPECT().EnsureLUKSDeviceClosed(gomock.Any(), mockDevicePath).Return(nil)
@@ -2204,8 +2204,7 @@ func TestNodeUnstageISCSIVolume(t *testing.T) {
 			},
 			getDeviceClient: func() devices.Devices {
 				mockDeviceClient := mock_devices.NewMockDevices(gomock.NewController(t))
-
-				mockDeviceClient.EXPECT().GetLUKSDeviceForMultipathDevice(gomock.Any()).Return(mockDevicePath, nil)
+				mockDeviceClient.EXPECT().GetLUKSDevicePathForVolume(gomock.Any(), gomock.Any()).Return(mockDevicePath, nil)
 				mockDeviceClient.EXPECT().EnsureLUKSDeviceClosedWithMaxWaitLimit(gomock.Any(), mockDevicePath).
 					Return(fmt.Errorf("mock error"))
 				return mockDeviceClient
@@ -2223,7 +2222,7 @@ func TestNodeUnstageISCSIVolume(t *testing.T) {
 			},
 			getDeviceClient: func() devices.Devices {
 				mockDeviceClient := mock_devices.NewMockDevices(gomock.NewController(t))
-				mockDeviceClient.EXPECT().GetLUKSDeviceForMultipathDevice(gomock.Any()).Return(mockDevicePath, nil)
+				mockDeviceClient.EXPECT().GetLUKSDevicePathForVolume(gomock.Any(), gomock.Any()).Return(mockDevicePath, nil)
 				mockDeviceClient.EXPECT().EnsureLUKSDeviceClosedWithMaxWaitLimit(gomock.Any(), mockDevicePath).
 					Return(nil)
 				mockDeviceClient.EXPECT().RemoveMultipathDeviceMappingWithRetries(gomock.Any(), gomock.Any(),
@@ -2296,7 +2295,8 @@ func TestNodeUnstageISCSIVolume(t *testing.T) {
 				return mockDeviceClient
 			},
 		},
-		"SAN: iSCSI unstage: GetLUKSDeviceForMultipathDevice error": {
+		// mockDeviceClient.EXPECT().GetLUKSDevicePathForVolume(gomock.Any(), gomock.Any()).Return(mockDevicePath, nil)
+		"SAN: iSCSI unstage: GetLUKSDevicePathForVolume error": {
 			assertError: assert.Error,
 			request:     NewNodeUnstageVolumeRequestBuilder().Build(),
 			publishInfo: NewVolumePublishInfoBuilder(TypeiSCSIVolumePublishInfo).WithLUKSEncryption("true").Build(),
@@ -2315,8 +2315,8 @@ func TestNodeUnstageISCSIVolume(t *testing.T) {
 			},
 			getDeviceClient: func() devices.Devices {
 				mockDeviceClient := mock_devices.NewMockDevices(gomock.NewController(t))
-				mockDeviceClient.EXPECT().GetLUKSDeviceForMultipathDevice(gomock.Any()).Return("", fmt.Errorf(
-					"mock error"))
+				mockDeviceClient.EXPECT().GetLUKSDevicePathForVolume(gomock.Any(),
+					gomock.Any()).Return(mockDevicePath, errors.New("mock error"))
 				return mockDeviceClient
 			},
 		},
@@ -2335,7 +2335,7 @@ func TestNodeUnstageISCSIVolume(t *testing.T) {
 			},
 			getDeviceClient: func() devices.Devices {
 				mockDeviceClient := mock_devices.NewMockDevices(gomock.NewController(t))
-				mockDeviceClient.EXPECT().GetLUKSDeviceForMultipathDevice(gomock.Any()).Return(mockDevicePath, nil)
+				mockDeviceClient.EXPECT().GetLUKSDevicePathForVolume(gomock.Any(), gomock.Any()).Return(mockDevicePath, nil)
 				mockDeviceClient.EXPECT().EnsureLUKSDeviceClosedWithMaxWaitLimit(gomock.Any(), mockDevicePath).
 					Return(nil)
 				return mockDeviceClient
@@ -2368,7 +2368,7 @@ func TestNodeUnstageISCSIVolume(t *testing.T) {
 			},
 			getDeviceClient: func() devices.Devices {
 				mockDeviceClient := mock_devices.NewMockDevices(gomock.NewController(t))
-				mockDeviceClient.EXPECT().GetLUKSDeviceForMultipathDevice(gomock.Any()).Return(mockDevicePath, nil)
+				mockDeviceClient.EXPECT().GetLUKSDevicePathForVolume(gomock.Any(), gomock.Any()).Return(mockDevicePath, nil)
 				mockDeviceClient.EXPECT().EnsureLUKSDeviceClosedWithMaxWaitLimit(gomock.Any(), mockDevicePath).
 					Return(nil)
 				mockDeviceClient.EXPECT().EnsureLUKSDeviceClosed(gomock.Any(), mockDevicePath).Return(nil)

frontend/csi/volume_publish_manager.go

@@ -151,7 +151,7 @@ func (v *VolumePublishManager) readTrackingInfo(
 	err := jsonRW.ReadJSONFile(ctx, &volumeTrackingInfo, path.Join(v.volumeTrackingInfoPath, filename),
 		"volume tracking info")
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to read tracking info for volume %s: %w", volumeID, err)
 	}
 
 	Logc(ctx).WithField("volumeTrackingInfo", volumeTrackingInfo).Debug("Volume tracking info found.")

frontend/csi/volume_publish_manager_test.go

@@ -1,4 +1,4 @@
-// Copyright 2024 NetApp, Inc. All Rights Reserved.
+// Copyright 2025 NetApp, Inc. All Rights Reserved.
 
 package csi
 
@@ -79,10 +79,10 @@ func TestWriteTrackingInfo(t *testing.T) {
 	assert.NoError(t, err, "no error expected when write succeeds")
 
 	mockJSONUtils.EXPECT().WriteJSONFile(gomock.Any(), trackInfo, "tmp-"+fName, "volume tracking info").
-		Return(errors.New("foo"))
+		Return(errors.InvalidJSONError("foo"))
 	err = v.WriteTrackingInfo(ctx, volId, trackInfo)
 	assert.Error(t, err, "error expected when write tracking info fails")
-	assert.Equal(t, "foo", err.Error(), "expected actual error we threw")
+	assert.True(t, errors.IsInvalidJSONError(err), "expected actual error we threw")
 }
 
 func TestReadTrackingInfo(t *testing.T) {
@@ -111,15 +111,17 @@ func TestReadTrackingInfo(t *testing.T) {
 	mockJSONUtils.EXPECT().ReadJSONFile(gomock.Any(), emptyTrackInfo, fName, "volume tracking info").
 		SetArg(1, *trackInfo).Return(nil)
 	trackInfo, err := v.ReadTrackingInfo(context.Background(), volId)
+	assert.NoError(t, err, "no error expected when write succeed")
+	assert.NotNil(t, trackInfo, "expected a valid tracking info")
 	assert.Equal(t, fsType, trackInfo.FilesystemType, "tracking file did not have expected value in it")
-	assert.NoError(t, err, "tracking file should have been written")
 
 	emptyTrackInfo = &models.VolumeTrackingInfo{}
 	mockJSONUtils.EXPECT().ReadJSONFile(gomock.Any(), emptyTrackInfo, fName,
-		"volume tracking info").Return(errors.New("foo"))
-	_, err = v.ReadTrackingInfo(context.Background(), volId)
+		"volume tracking info").Return(errors.NotFoundError("not found"))
+	trackInfo, err = v.ReadTrackingInfo(context.Background(), volId)
 	assert.Error(t, err, "expected error when reading the file results in an error")
-	assert.Equal(t, "foo", err.Error(), "expected the error we threw in the mock")
+	assert.Nil(t, trackInfo, "expected nil tracking info")
+	assert.True(t, errors.IsNotFoundError(err), "expected not found error")
 }
 
 func TestListVolumeTrackingInfo_FailsToGetVolumeTrackingFiles(t *testing.T) {
@@ -255,10 +257,10 @@ func TestDeleteTrackingInfo(t *testing.T) {
 	err := v.DeleteTrackingInfo(context.Background(), volName)
 	assert.NoError(t, err, "expected no error deleting the tracking info")
 
-	mockFilesytesm.EXPECT().DeleteFile(gomock.Any(), gomock.Any(), gomock.Any()).Return("", errors.New("foo"))
+	mockFilesytesm.EXPECT().DeleteFile(gomock.Any(), gomock.Any(), gomock.Any()).Return("", errors.InvalidJSONError("foo"))
 	err = v.DeleteTrackingInfo(context.Background(), volName)
 	assert.Error(t, err, "expected error if delete tracking info fails")
-	assert.Equal(t, "foo", err.Error(), "expected the error we threw")
+	assert.True(t, errors.IsInvalidJSONError(err), "expected the error we threw")
 }
 
 func TestUpgradeVolumeTrackingFile(t *testing.T) {