deckhouse
diff --git a/‎images/snapshot-controller/pkg/common-controller/snapshot_controller.go‎
Lines changed: 194 additions & 6 deletions b/‎images/snapshot-controller/pkg/common-controller/snapshot_controller.go‎
Lines changed: 194 additions & 6 deletions
diff --git a/‎images/snapshot-controller/pkg/common-controller/snapshot_controller_base.go‎
Lines changed: 28 additions & 0 deletions b/‎images/snapshot-controller/pkg/common-controller/snapshot_controller_base.go‎
Lines changed: 28 additions & 0 deletions
@@ -563,6 +563,33 @@ func (ctrl *csiSnapshotCommonController) syncUnreadySnapshot(snapshot *crdv1.Vol
 	}
 
 	// snapshot.Spec.Source.VolumeSnapshotContentName == nil - dynamically creating snapshot
+	// CRITICAL: Check for Deckhouse-managed BEFORE attempting to create VSC
+	// This ensures VSC is created by Deckhouse controller, not snapshot-controller
+	_, deckhouseManaged := snapshot.Annotations[utils.AnnDeckhouseManaged]
+	if deckhouseManaged {
+		klog.V(5).Infof("syncUnreadySnapshot[%s]: VolumeSnapshot is managed by Deckhouse, waiting for VSC to be created externally", uniqueSnapshotName)
+		// For Deckhouse-managed VS, we wait for VSC to be created by Deckhouse controller
+		// Check if VSC exists with matching labels/annotations
+		contentObj, err := ctrl.getDynamicallyProvisionedContentFromStore(snapshot)
+		if err != nil {
+			return err
+		}
+		if contentObj == nil {
+			// VSC not created yet, wait
+			return fmt.Errorf("Deckhouse-managed VolumeSnapshot %s waiting for VolumeSnapshotContent to be created", uniqueSnapshotName)
+		}
+		// VSC exists, bind and update status
+		// Note: For Deckhouse-managed VSC, snapshotHandle may be nil - this is OK
+		newSnapshot, err := ctrl.bindandUpdateVolumeSnapshot(contentObj, snapshot)
+		if err != nil {
+			klog.V(4).Infof("bindandUpdateVolumeSnapshot[%s]: failed to bind content [%s] to snapshot %v", uniqueSnapshotName, contentObj.Name, err)
+			return err
+		}
+		klog.V(5).Infof("bindandUpdateVolumeSnapshot %v", newSnapshot)
+		return nil
+	}
+
+	// For non-Deckhouse snapshots, proceed with normal dynamic provisioning
 	klog.V(5).Infof("getDynamicallyProvisionedContentFromStore for snapshot %s", uniqueSnapshotName)
 	contentObj, err := ctrl.getDynamicallyProvisionedContentFromStore(snapshot)
 	if err != nil {
@@ -572,10 +599,14 @@ func (ctrl *csiSnapshotCommonController) syncUnreadySnapshot(snapshot *crdv1.Vol
 
 	if contentObj != nil {
 		klog.V(5).Infof("Found VolumeSnapshotContent object %s for snapshot %s", contentObj.Name, uniqueSnapshotName)
-		if contentObj.Spec.Source.SnapshotHandle != nil {
+		// Check if VSC is Deckhouse-managed - skip snapshotHandle validation
+		_, deckhouseManagedVSC := contentObj.Annotations[utils.AnnDeckhouseManaged]
+		if !deckhouseManagedVSC && contentObj.Spec.Source.SnapshotHandle != nil {
+			// For non-Deckhouse snapshots, snapshotHandle should not be set for dynamic provisioning
 			ctrl.updateSnapshotErrorStatusWithEvent(snapshot, true, v1.EventTypeWarning, "SnapshotHandleSet", fmt.Sprintf("Snapshot handle should not be set in content %s for dynamic provisioning", uniqueSnapshotName))
 			return fmt.Errorf("snapshotHandle should not be set in the content for dynamic provisioning for snapshot %s", uniqueSnapshotName)
 		}
+		// For Deckhouse-managed VSC, snapshotHandle is nil - this is expected and OK
 		newSnapshot, err := ctrl.bindandUpdateVolumeSnapshot(contentObj, snapshot)
 		if err != nil {
 			klog.V(4).Infof("bindandUpdateVolumeSnapshot[%s]: failed to bind content [%s] to snapshot %v", uniqueSnapshotName, contentObj.Name, err)
@@ -586,6 +617,7 @@ func (ctrl *csiSnapshotCommonController) syncUnreadySnapshot(snapshot *crdv1.Vol
 	}
 
 	// If we reach here, it is a dynamically provisioned snapshot, and the volumeSnapshotContent object is not yet created.
+	// Create VSC for non-Deckhouse snapshots only
 	if snapshot.Spec.Source.PersistentVolumeClaimName == nil {
 		ctrl.updateSnapshotErrorStatusWithEvent(snapshot, true, v1.EventTypeWarning, "SnapshotPVCSourceMissing", fmt.Sprintf("PVC source for snapshot %s is missing", uniqueSnapshotName))
 		return fmt.Errorf("expected PVC source for snapshot %s but got nil", uniqueSnapshotName)
@@ -666,6 +698,12 @@ func (ctrl *csiSnapshotCommonController) getPreprovisionedContentFromStore(snaps
 // A content is considered to be a pre-provisioned one if its Spec.Source.SnapshotHandle
 // is not nil, or a dynamically provisioned one if its Spec.Source.VolumeHandle is not nil.
 func (ctrl *csiSnapshotCommonController) getDynamicallyProvisionedContentFromStore(snapshot *crdv1.VolumeSnapshot) (*crdv1.VolumeSnapshotContent, error) {
+	// For Deckhouse-managed snapshots, search by annotations/labels instead of fixed name
+	_, deckhouseManaged := snapshot.Annotations[utils.AnnDeckhouseManaged]
+	if deckhouseManaged {
+		return ctrl.findDeckhouseContentForSnapshot(snapshot)
+	}
+	
 	contentName := utils.GetDynamicSnapshotContentNameForSnapshot(snapshot)
 	content, err := ctrl.getContentFromStore(contentName)
 	if err != nil {
@@ -735,6 +773,13 @@ func (ctrl *csiSnapshotCommonController) createSnapshotContent(snapshot *crdv1.V
 		return nil, fmt.Errorf("failed to get input parameters to create snapshot %s: %q", snapshot.Name, err)
 	}
 
+	// CRITICAL: Double-check that this is not Deckhouse-managed
+	// Even though getCreateSnapshotInput should return nil class, ensure we don't create VSC
+	_, deckhouseManaged := snapshot.Annotations[utils.AnnDeckhouseManaged]
+	if deckhouseManaged {
+		return nil, fmt.Errorf("createSnapshotContent called for Deckhouse-managed snapshot %s - this should not happen", utils.SnapshotKey(snapshot))
+	}
+
 	// Create VolumeSnapshotContent in the database
 	if volume.Spec.CSI == nil {
 		return nil, fmt.Errorf("cannot find CSI PersistentVolumeSource for volume %s", volume.Name)
@@ -753,11 +798,20 @@ func (ctrl *csiSnapshotCommonController) createSnapshotContent(snapshot *crdv1.V
 			Source: crdv1.VolumeSnapshotContentSource{
 				VolumeHandle: &volume.Spec.CSI.VolumeHandle,
 			},
-			VolumeSnapshotClassName: &(class.Name),
-			DeletionPolicy:          class.DeletionPolicy,
-			Driver:                  class.Driver,
 		},
 	}
+	
+	// Set SnapshotClass fields only if class is not nil (not Deckhouse-managed)
+	// CRITICAL: If class is nil, do NOT set default - this prevents fallback
+	if class != nil {
+		snapshotContent.Spec.VolumeSnapshotClassName = &(class.Name)
+		snapshotContent.Spec.DeletionPolicy = class.DeletionPolicy
+		snapshotContent.Spec.Driver = class.Driver
+	} else {
+		// class is nil - this should not happen for non-Deckhouse snapshots
+		// but if it does, fail explicitly rather than using default
+		return nil, fmt.Errorf("createSnapshotContent: no SnapshotClass available for snapshot %s", utils.SnapshotKey(snapshot))
+	}
 
 	if ctrl.enableDistributedSnapshotting {
 		nodeName, err := ctrl.getManagedByNode(volume)
@@ -824,6 +878,26 @@ func (ctrl *csiSnapshotCommonController) createSnapshotContent(snapshot *crdv1.V
 func (ctrl *csiSnapshotCommonController) getCreateSnapshotInput(snapshot *crdv1.VolumeSnapshot) (*crdv1.VolumeSnapshotClass, *v1.PersistentVolume, string, *v1.SecretReference, error) {
 	className := snapshot.Spec.VolumeSnapshotClassName
 	klog.V(5).Infof("getCreateSnapshotInput [%s]", snapshot.Name)
+	
+	// NOTE: This Deckhouse-managed check is defensive programming.
+	// In practice, Deckhouse-managed snapshots are handled earlier in syncUnreadySnapshot(),
+	// so createSnapshotContent() should never be called for them. This check serves as
+	// a safety net in case createSnapshotContent() is called from elsewhere.
+	_, deckhouseManaged := snapshot.Annotations[utils.AnnDeckhouseManaged]
+	if deckhouseManaged {
+		klog.V(5).Infof("getCreateSnapshotInput [%s]: Deckhouse-managed, skipping SnapshotClass", snapshot.Name)
+		// For Deckhouse-managed snapshots, we don't need SnapshotClass
+		// Return nil class, but we still need volume for content creation
+		volume, err := ctrl.getVolumeFromVolumeSnapshot(snapshot)
+		if err != nil {
+			klog.Errorf("getCreateSnapshotInput failed to get PersistentVolume object [%s]: Error: [%#v]", snapshot.Name, err)
+			return nil, nil, "", nil, err
+		}
+		contentName := utils.GetDynamicSnapshotContentNameForSnapshot(snapshot)
+		// Return nil class for Deckhouse-managed snapshots
+		return nil, volume, contentName, nil, nil
+	}
+	
 	var class *crdv1.VolumeSnapshotClass
 	var err error
 	if className != nil {
@@ -1141,6 +1215,19 @@ func (ctrl *csiSnapshotCommonController) checkandBindSnapshotContent(snapshot *c
 // This routine sets snapshot.Spec.Source.VolumeSnapshotContentName
 func (ctrl *csiSnapshotCommonController) bindandUpdateVolumeSnapshot(snapshotContent *crdv1.VolumeSnapshotContent, snapshot *crdv1.VolumeSnapshot) (*crdv1.VolumeSnapshot, error) {
 	klog.V(5).Infof("bindandUpdateVolumeSnapshot for snapshot [%s]: snapshotContent [%s]", snapshot.Name, snapshotContent.Name)
+	
+	// CRITICAL: For Deckhouse-managed VSC, snapshotHandle is nil - this is expected
+	// Never treat missing snapshotHandle as error for Deckhouse-managed objects
+	_, deckhouseManagedVSC := snapshotContent.Annotations[utils.AnnDeckhouseManaged]
+	if deckhouseManagedVSC {
+		// Ensure snapshotHandle is nil (it should be already, but make it explicit)
+		if snapshotContent.Status != nil && snapshotContent.Status.SnapshotHandle != nil {
+			// This shouldn't happen, but if it does, clear it
+			klog.V(4).Infof("bindandUpdateVolumeSnapshot[%s]: Deckhouse-managed VSC has snapshotHandle, clearing it", snapshot.Name)
+			snapshotContent.Status.SnapshotHandle = nil
+		}
+	}
+	
 	snapshotObj, err := ctrl.clientset.SnapshotV1().VolumeSnapshots(snapshot.Namespace).Get(context.TODO(), snapshot.Name, metav1.GetOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("error get snapshot %s from api server: %v", utils.SnapshotKey(snapshot), err)
@@ -1222,6 +1309,12 @@ func (ctrl *csiSnapshotCommonController) updateSnapshotStatus(snapshot *crdv1.Vo
 	if content.Status != nil && content.Status.ReadyToUse != nil {
 		readyToUse = *content.Status.ReadyToUse
 	}
+	// For Deckhouse-managed VSC, ReadyToUse should be true even without snapshotHandle
+	// This ensures proper mirroring from VSC to VS
+	_, deckhouseManagedVSC := content.Annotations[utils.AnnDeckhouseManaged]
+	if deckhouseManagedVSC && content.Status != nil && content.Status.ReadyToUse != nil && *content.Status.ReadyToUse {
+		readyToUse = true
+	}
 	var volumeSnapshotErr *crdv1.VolumeSnapshotError
 	if content.Status != nil && content.Status.Error != nil {
 		volumeSnapshotErr = content.Status.Error.DeepCopy()
@@ -1254,6 +1347,20 @@ func (ctrl *csiSnapshotCommonController) updateSnapshotStatus(snapshot *crdv1.Vo
 	if err != nil {
 		return nil, fmt.Errorf("error get snapshot %s from api server: %v", utils.SnapshotKey(snapshot), err)
 	}
+	
+	// Add Deckhouse proxy label if VSC is Deckhouse-managed
+	// deckhouseManagedVSC already declared above, reuse it
+	labelsUpdated := false
+	if deckhouseManagedVSC {
+		if snapshotObj.Labels == nil {
+			snapshotObj.Labels = make(map[string]string)
+			labelsUpdated = true
+		}
+		if snapshotObj.Labels[utils.LabelDeckhouseProxy] != "true" {
+			snapshotObj.Labels[utils.LabelDeckhouseProxy] = "true"
+			labelsUpdated = true
+		}
+	}
 
 	var newStatus *crdv1.VolumeSnapshotStatus
 	updated := false
@@ -1306,9 +1413,13 @@ func (ctrl *csiSnapshotCommonController) updateSnapshotStatus(snapshot *crdv1.Vo
 		}
 	}
 
-	if updated {
+	if updated || labelsUpdated {
 		snapshotClone := snapshotObj.DeepCopy()
 		snapshotClone.Status = newStatus
+		// Update labels if needed
+		if labelsUpdated {
+			snapshotClone.Labels = snapshotObj.Labels
+		}
 
 		// We need to record metrics before updating the status due to a bug causing cache entries after a failed UpdateStatus call.
 		// Must meet the following criteria to emit a successful CreateSnapshot status
@@ -1332,7 +1443,13 @@ func (ctrl *csiSnapshotCommonController) updateSnapshotStatus(snapshot *crdv1.Vo
 			ctrl.eventRecorder.Event(snapshot, v1.EventTypeNormal, "SnapshotReady", msg)
 		}
 
-		newSnapshotObj, err := ctrl.clientset.SnapshotV1().VolumeSnapshots(snapshotClone.Namespace).UpdateStatus(context.TODO(), snapshotClone, metav1.UpdateOptions{})
+		// If labels need to be updated, use Update instead of UpdateStatus
+		var newSnapshotObj *crdv1.VolumeSnapshot
+		if labelsUpdated {
+			newSnapshotObj, err = ctrl.clientset.SnapshotV1().VolumeSnapshots(snapshotClone.Namespace).Update(context.TODO(), snapshotClone, metav1.UpdateOptions{})
+		} else {
+			newSnapshotObj, err = ctrl.clientset.SnapshotV1().VolumeSnapshots(snapshotClone.Namespace).UpdateStatus(context.TODO(), snapshotClone, metav1.UpdateOptions{})
+		}
 		if err != nil {
 			return nil, newControllerUpdateError(utils.SnapshotKey(snapshot), err.Error())
 		}
@@ -1343,6 +1460,77 @@ func (ctrl *csiSnapshotCommonController) updateSnapshotStatus(snapshot *crdv1.Vo
 	return snapshotObj, nil
 }
 
+// findDeckhouseContentForSnapshot finds VolumeSnapshotContent for Deckhouse-managed VolumeSnapshot
+// by searching through annotations, labels, or owner references
+func (ctrl *csiSnapshotCommonController) findDeckhouseContentForSnapshot(snapshot *crdv1.VolumeSnapshot) (*crdv1.VolumeSnapshotContent, error) {
+	klog.V(5).Infof("findDeckhouseContentForSnapshot[%s]: searching for Deckhouse-managed VSC", utils.SnapshotKey(snapshot))
+	
+	// Get all VolumeSnapshotContents
+	allContents, err := ctrl.contentLister.List(labels.Everything())
+	if err != nil {
+		return nil, fmt.Errorf("failed to list VolumeSnapshotContents: %v", err)
+	}
+	
+	// Search by annotation AnnDeckhouseSourceSnapshotContent (if set on VS)
+	if sfcName, ok := snapshot.Annotations[utils.AnnDeckhouseSourceSnapshotContent]; ok {
+		for _, content := range allContents {
+			if content.Annotations != nil {
+				if contentSFCName, ok := content.Annotations[utils.AnnDeckhouseSourceSnapshotContent]; ok && contentSFCName == sfcName {
+					// Check if content is Deckhouse-managed
+					if _, managed := content.Annotations[utils.AnnDeckhouseManaged]; managed {
+						// Verify it points to this snapshot
+						ref := content.Spec.VolumeSnapshotRef
+						if ref.Name == snapshot.Name && ref.Namespace == snapshot.Namespace {
+							klog.V(5).Infof("findDeckhouseContentForSnapshot[%s]: found VSC %s by SFC annotation", utils.SnapshotKey(snapshot), content.Name)
+							return content, nil
+						}
+					}
+				}
+			}
+		}
+	}
+	
+	// Search by PVC annotation/label
+	if snapshot.Spec.Source.PersistentVolumeClaimName != nil {
+		pvcName := *snapshot.Spec.Source.PersistentVolumeClaimName
+		for _, content := range allContents {
+			if content.Annotations != nil {
+				if contentPVCName, ok := content.Annotations[utils.AnnDeckhouseSourcePVC]; ok && contentPVCName == pvcName {
+					// Check if content is Deckhouse-managed
+					if _, managed := content.Annotations[utils.AnnDeckhouseManaged]; managed {
+						// Verify it points to this snapshot
+						ref := content.Spec.VolumeSnapshotRef
+						if ref.Name == snapshot.Name && ref.Namespace == snapshot.Namespace {
+							klog.V(5).Infof("findDeckhouseContentForSnapshot[%s]: found VSC %s by PVC annotation", utils.SnapshotKey(snapshot), content.Name)
+							return content, nil
+						}
+					}
+				}
+			}
+		}
+	}
+	
+	// Search by owner reference (if VS has ownerRef to VSC)
+	for _, ownerRef := range snapshot.OwnerReferences {
+		if ownerRef.Kind == "VolumeSnapshotContent" {
+			content, err := ctrl.getContentFromStore(ownerRef.Name)
+			if err == nil && content != nil {
+				// Verify it's Deckhouse-managed and points to this snapshot
+				if _, managed := content.Annotations[utils.AnnDeckhouseManaged]; managed {
+					ref := content.Spec.VolumeSnapshotRef
+					if ref.Name == snapshot.Name && ref.Namespace == snapshot.Namespace {
+						klog.V(5).Infof("findDeckhouseContentForSnapshot[%s]: found VSC %s by owner reference", utils.SnapshotKey(snapshot), content.Name)
+						return content, nil
+					}
+				}
+			}
+		}
+	}
+	
+	klog.V(5).Infof("findDeckhouseContentForSnapshot[%s]: no matching Deckhouse-managed VSC found", utils.SnapshotKey(snapshot))
+	return nil, nil
+}
+
 func (ctrl *csiSnapshotCommonController) getVolumeFromVolumeSnapshot(snapshot *crdv1.VolumeSnapshot) (*v1.PersistentVolume, error) {
 	pvc, err := ctrl.getClaimFromVolumeSnapshot(snapshot)
 	if err != nil {
 
@@ -497,6 +497,34 @@ func (ctrl *csiSnapshotCommonController) syncContentByKey(key string) error {
 // On error, it must return the original snapshot, not nil, because the caller syncContentByKey
 // needs to check snapshot's timestamp.
 func (ctrl *csiSnapshotCommonController) checkAndUpdateSnapshotClass(snapshot *crdv1.VolumeSnapshot) (*crdv1.VolumeSnapshot, error) {
+	// CRITICAL: Skip SnapshotClass resolution for Deckhouse-managed snapshots
+	// Deckhouse creates VSC directly, no SnapshotClass needed
+	// This prevents fallback to default SnapshotClass
+	_, deckhouseManaged := snapshot.Annotations[utils.AnnDeckhouseManaged]
+	if deckhouseManaged {
+		klog.V(5).Infof("checkAndUpdateSnapshotClass [%s]: Deckhouse-managed, skipping SnapshotClass resolution", snapshot.Name)
+		// Ensure VolumeSnapshotClassName is nil to prevent any fallback
+		if snapshot.Spec.VolumeSnapshotClassName != nil {
+			snapshotClone := snapshot.DeepCopy()
+			snapshotClone.Spec.VolumeSnapshotClassName = nil
+			patches := []utils.PatchOp{
+				{
+					Op:    "replace",
+					Path:  "/spec/volumeSnapshotClassName",
+					Value: nil,
+				},
+			}
+			newSnapshot, err := utils.PatchVolumeSnapshot(snapshotClone, patches, ctrl.clientset)
+			if err != nil {
+				klog.V(4).Infof("checkAndUpdateSnapshotClass [%s]: failed to clear VolumeSnapshotClassName: %v", snapshot.Name, err)
+				// Don't fail, just return original snapshot
+				return snapshot, nil
+			}
+			return newSnapshot, nil
+		}
+		return snapshot, nil
+	}
+	
 	className := snapshot.Spec.VolumeSnapshotClassName
 	var class *crdv1.VolumeSnapshotClass
 	var err error