Add support for PVCs in captured blueprints (kubernetes-sigs#3449)

Author: xing-yang

cmd/syncer/main.go

@@ -379,7 +379,7 @@ func initSyncerComponents(ctx context.Context, clusterFlavor cnstypes.CnsCluster
 		}()
 
 		if clusterFlavor == cnstypes.CnsClusterFlavorWorkload &&
-			commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.WCP_VMService_BYOK) {
+			commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.BYOKEncryptionCapability) {
 			// Start BYOK Operator for Supervisor clusters.
 			go func() {
 				defer func() {

manifests/supervisorcluster/1.28/cns-csi.yaml

@@ -505,7 +505,6 @@ data:
   "vdpp-on-stretched-supervisor": "true"
   "cns-unregister-volume": "false"
   "workload-domain-isolation": "false"
-  "WCP_VMService_BYOK": "true"
 kind: ConfigMap
 metadata:
   name: csi-feature-states

manifests/supervisorcluster/1.29/cns-csi.yaml

@@ -569,7 +569,6 @@ data:
   "vdpp-on-stretched-supervisor": "true"
   "cns-unregister-volume": "false"
   "workload-domain-isolation": "false"
-  "WCP_VMService_BYOK": "true"
   "sv-pvc-snapshot-protection-finalizer": "false"
   "file-volume-with-vm-service": "false"
   "csi-transaction-support": "false"

manifests/supervisorcluster/1.30/cns-csi.yaml

@@ -569,7 +569,6 @@ data:
   "vdpp-on-stretched-supervisor": "true"
   "cns-unregister-volume": "false"
   "workload-domain-isolation": "false"
-  "WCP_VMService_BYOK": "true"
   "sv-pvc-snapshot-protection-finalizer": "false"
   "file-volume-with-vm-service": "false"
   "csi-transaction-support": "false"

manifests/supervisorcluster/1.31/cns-csi.yaml

@@ -569,7 +569,6 @@ data:
   "vdpp-on-stretched-supervisor": "true"
   "cns-unregister-volume": "false"
   "workload-domain-isolation": "false"
-  "WCP_VMService_BYOK": "true"
   "sv-pvc-snapshot-protection-finalizer": "false"
   "file-volume-with-vm-service": "false"
   "csi-transaction-support": "false"

manifests/supervisorcluster/1.32/cns-csi.yaml

@@ -569,7 +569,6 @@ data:
   "vdpp-on-stretched-supervisor": "true"
   "cns-unregister-volume": "false"
   "workload-domain-isolation": "false"
-  "WCP_VMService_BYOK": "true"
   "sv-pvc-snapshot-protection-finalizer": "false"
   "file-volume-with-vm-service": "false"
   "csi-transaction-support": "false"

pkg/csi/service/common/constants.go

@@ -437,8 +437,8 @@ const (
 	MultipleClustersPerVsphereZone = "supports_multiple_clusters_per_zone"
 	// VPCCapabilitySupervisor is a supervisor capability indicating if VPC FSS is enabled
 	VPCCapabilitySupervisor = "VPC_Supported"
-	// WCP_VMService_BYOK_FSS enables Bring Your Own Key (BYOK) capabilities.
-	WCP_VMService_BYOK = "WCP_VMService_BYOK"
+	// supports_BYOK_encryption enables Bring Your Own Key (BYOK) encryption capabilities.
+	BYOKEncryptionCapability = "supports_BYOK_encryption"
 	// SVPVCSnapshotProtectionFinalizer is FSS that controls add/remove
 	// CNS finalizer on supervisor PVC/Snapshots from PVCSI
 	SVPVCSnapshotProtectionFinalizer = "sv-pvc-snapshot-protection-finalizer"

pkg/csi/service/wcp/controller.go

@@ -189,7 +189,7 @@ func (c *controller) Init(config *cnsconfig.Config, version string) error {
 
 	var cryptoClient crypto.Client
 
-	if commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.WCP_VMService_BYOK) {
+	if commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.BYOKEncryptionCapability) {
 		var err error
 		if cryptoClient, err = crypto.NewClientWithDefaultConfig(ctx); err != nil {
 			return logger.LogNewErrorf(log, "failed to create an instance of crypto client. err=%v", err)
@@ -811,7 +811,7 @@ func (c *controller) createBlockVolume(ctx context.Context, req *csi.CreateVolum
 	}
 
 	var cryptoKeyID *common.CryptoKeyID
-	isByokEnabled := commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.WCP_VMService_BYOK)
+	isByokEnabled := commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.BYOKEncryptionCapability)
 	if isByokEnabled {
 		if encClass, err := c.manager.CryptoClient.GetEncryptionClassForPVC(
 			ctx,

pkg/syncer/admissionhandler/admissionhandler.go

@@ -148,7 +148,7 @@ func StartWebhookServer(ctx context.Context, enableWebhookClientCertVerification
 	if clusterFlavor == cnstypes.CnsClusterFlavorWorkload {
 		featureGateTKGSHaEnabled = containerOrchestratorUtility.IsFSSEnabled(ctx, common.TKGsHA)
 		featureGateBlockVolumeSnapshotEnabled = containerOrchestratorUtility.IsFSSEnabled(ctx, common.BlockVolumeSnapshot)
-		featureGateByokEnabled = containerOrchestratorUtility.IsFSSEnabled(ctx, common.WCP_VMService_BYOK)
+		featureGateByokEnabled = containerOrchestratorUtility.IsFSSEnabled(ctx, common.BYOKEncryptionCapability)
 		featureIsSharedDiskEnabled = containerOrchestratorUtility.IsFSSEnabled(ctx, common.SharedDiskFss)
 		featureFileVolumesWithVmServiceEnabled = containerOrchestratorUtility.IsFSSEnabled(ctx,
 			common.FileVolumesWithVmService)

pkg/syncer/cnsoperator/controller/cnsregistervolume/cnsregistervolume_controller.go

@@ -43,6 +43,7 @@ import (
 
 	clientConfig "sigs.k8s.io/controller-runtime/pkg/client/config"
 
+	clientset "k8s.io/client-go/kubernetes"
 	apis "sigs.k8s.io/vsphere-csi-driver/v3/pkg/apis/cnsoperator"
 	cnsregistervolumev1alpha1 "sigs.k8s.io/vsphere-csi-driver/v3/pkg/apis/cnsoperator/cnsregistervolume/v1alpha1"
 	storagepolicyusagev1alpha2 "sigs.k8s.io/vsphere-csi-driver/v3/pkg/apis/cnsoperator/storagepolicy/v1alpha2"
@@ -557,53 +558,65 @@ func (r *ReconcileCnsRegisterVolume) Reconcile(ctx context.Context,
 		setInstanceError(ctx, r, instance, "Duplicate Request")
 		return reconcile.Result{RequeueAfter: timeout}, nil
 	}
-	// Create PVC mapping to above created PV.
-	log.Infof("Creating PVC: %s", instance.Spec.PvcName)
-	pvcSpec, err := getPersistentVolumeClaimSpec(ctx, instance.Spec.PvcName, instance.Namespace, capacityInMb,
-		storageClassName, accessMode, pvName, datastoreAccessibleTopology, instance)
+
+	// Check if PVC already exists and has valid DataSourceRef
+	pvc, err := checkExistingPVCDataSourceRef(ctx, k8sclient, instance.Spec.PvcName, instance.Namespace)
 	if err != nil {
-		msg := fmt.Sprintf("Failed to create spec for PVC: %q. Error: %v", instance.Spec.PvcName, err)
-		log.Errorf(msg)
-		setInstanceError(ctx, r, instance, msg)
+		log.Errorf("Failed to check existing PVC %s/%s with DataSourceRef: %+v", instance.Namespace,
+			instance.Spec.PvcName, err)
+		setInstanceError(ctx, r, instance, fmt.Sprintf("Failed to check existing PVC %s/%s with DataSourceRef: %+v",
+			instance.Namespace, instance.Spec.PvcName, err))
 		return reconcile.Result{RequeueAfter: timeout}, nil
 	}
-	log.Debugf("PVC spec is: %+v", pvcSpec)
-	pvc, err := k8sclient.CoreV1().PersistentVolumeClaims(instance.Namespace).Create(ctx,
-		pvcSpec, metav1.CreateOptions{})
-	if err != nil {
-		if apierrors.IsAlreadyExists(err) {
-			log.Infof("PVC: %s already exists", instance.Spec.PvcName)
-			pvc, err = k8sclient.CoreV1().PersistentVolumeClaims(instance.Namespace).Get(ctx,
-				instance.Spec.PvcName, metav1.GetOptions{})
+
+	if pvc != nil {
+		log.Infof("PVC: %s already exists", instance.Spec.PvcName)
+		if pvc.Status.Phase == v1.ClaimBound && pvc.Spec.VolumeName != pvName {
+			// This is handle cases where PVC with this name already exists and
+			// is bound. This happens when a new CnsRegisterVolume instance is
+			// created to import a new volume with PVC name which is already
+			// created and is bound.
+			msg := fmt.Sprintf("Another PVC: %s already exists in namespace: %s which is Bound to a different PV",
+				instance.Spec.PvcName, instance.Namespace)
+			log.Errorf(msg)
+			setInstanceError(ctx, r, instance, msg)
+			// Untag the CNS volume which was created previously.
+			_, err = common.DeleteVolumeUtil(ctx, r.volumeManager, volumeID, false)
 			if err != nil {
-				msg := fmt.Sprintf("Failed to get PVC: %s on namespace: %s", instance.Spec.PvcName, instance.Namespace)
-				log.Errorf(msg)
-				setInstanceError(ctx, r, instance, msg)
-				return reconcile.Result{RequeueAfter: timeout}, nil
-			}
-			if pvc.Status.Phase == v1.ClaimBound && pvc.Spec.VolumeName != pvName {
-				// This is handle cases where PVC with this name already exists and
-				// is bound. This happens when a new CnsRegisterVolume instance is
-				// created to import a new volume with PVC name which is already
-				// created and is bound.
-				msg := fmt.Sprintf("Another PVC: %s already exists in namespace: %s which is Bound to a different PV",
-					instance.Spec.PvcName, instance.Namespace)
-				log.Errorf(msg)
-				setInstanceError(ctx, r, instance, msg)
-				// Untag the CNS volume which was created previously.
-				_, err = common.DeleteVolumeUtil(ctx, r.volumeManager, volumeID, false)
+				log.Errorf("Failed to untag CNS volume: %s with error: %+v", volumeID, err)
+			} else {
+				// Delete PV created above.
+				err = k8sclient.CoreV1().PersistentVolumes().Delete(ctx, pvName, *metav1.NewDeleteOptions(0))
 				if err != nil {
-					log.Errorf("Failed to untag CNS volume: %s with error: %+v", volumeID, err)
-				} else {
-					// Delete PV created above.
-					err = k8sclient.CoreV1().PersistentVolumes().Delete(ctx, pvName, *metav1.NewDeleteOptions(0))
-					if err != nil {
-						log.Errorf("Failed to delete PV: %s with error: %+v", pvName, err)
-					}
+					log.Errorf("Failed to delete PV: %s with error: %+v", pvName, err)
 				}
-				return reconcile.Result{RequeueAfter: timeout}, nil
 			}
-		} else {
+			return reconcile.Result{RequeueAfter: timeout}, nil
+		}
+
+		if pvc.Spec.DataSourceRef != nil {
+			apiGroup := ""
+			if pvc.Spec.DataSourceRef.APIGroup != nil {
+				apiGroup = *pvc.Spec.DataSourceRef.APIGroup
+			}
+			log.Infof("PVC %s in namespace %s has valid DataSourceRef with apiGroup: %s, kind: %s, name: %s",
+				pvc.Name, pvc.Namespace, apiGroup, pvc.Spec.DataSourceRef.Kind, pvc.Spec.DataSourceRef.Name)
+		}
+	} else {
+		// Create PVC mapping to above created PV.
+		log.Infof("Creating PVC: %s", instance.Spec.PvcName)
+		pvcSpec, err := getPersistentVolumeClaimSpec(ctx, instance.Spec.PvcName, instance.Namespace, capacityInMb,
+			storageClassName, accessMode, pvName, datastoreAccessibleTopology, instance)
+		if err != nil {
+			msg := fmt.Sprintf("Failed to create spec for PVC: %q. Error: %v", instance.Spec.PvcName, err)
+			log.Errorf(msg)
+			setInstanceError(ctx, r, instance, msg)
+			return reconcile.Result{RequeueAfter: timeout}, nil
+		}
+		log.Debugf("PVC spec is: %+v", pvcSpec)
+		pvc, err = k8sclient.CoreV1().PersistentVolumeClaims(instance.Namespace).Create(ctx,
+			pvcSpec, metav1.CreateOptions{})
+		if err != nil {
 			log.Errorf("Failed to create PVC with spec: %+v. Error: %+v", pvcSpec, err)
 			setInstanceError(ctx, r, instance,
 				fmt.Sprintf("Failed to create PVC: %s for volume with err: %+v", instance.Spec.PvcName, err))
@@ -615,9 +628,9 @@ func (r *ReconcileCnsRegisterVolume) Reconcile(ctx context.Context,
 			setInstanceError(ctx, r, instance,
 				fmt.Sprintf("Delete PV %s failed with error: %+v", pvName, err))
 			return reconcile.Result{RequeueAfter: timeout}, nil
+		} else {
+			log.Infof("PVC: %s is created successfully", instance.Spec.PvcName)
 		}
-	} else {
-		log.Infof("PVC: %s is created successfully", instance.Spec.PvcName)
 	}
 	// Watch for PVC to be bound.
 	isBound, err := isPVCBound(ctx, k8sclient, pvc, time.Duration(1*time.Minute))
@@ -742,6 +755,59 @@ func (r *ReconcileCnsRegisterVolume) Reconcile(ctx context.Context,
 	return reconcile.Result{}, nil
 }
 
+// checkExistingPVCDataSourceRef checks if a PVC already exists and validates its DataSourceRef.
+// Returns the PVC if it exists with no DataSourceRef or it exists with a supported DataSourceRef.
+// If PVC exists but has an unsupported DataSourceRef, return (nil, error).
+// If PVC does not exist, return (nil, nil) so that it will be created later.
+func checkExistingPVCDataSourceRef(ctx context.Context, k8sclient clientset.Interface,
+	pvcName, namespace string) (*v1.PersistentVolumeClaim, error) {
+	log := logger.GetLogger(ctx)
+
+	// Try to get the existing PVC
+	existingPVC, err := k8sclient.CoreV1().PersistentVolumeClaims(namespace).Get(ctx, pvcName, metav1.GetOptions{})
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			// PVC doesn't exist, return nil (we'll create a new one)
+			return nil, nil
+		}
+		// Some other error occurred
+		return nil, fmt.Errorf("failed to check existing PVC %s in namespace %s: %+v", pvcName, namespace, err)
+	}
+
+	// PVC exists, check if it has DataSourceRef
+	if existingPVC.Spec.DataSourceRef == nil {
+		log.Infof("Existing PVC %s in namespace %s has no DataSourceRef, can reuse", pvcName, namespace)
+		return existingPVC, nil
+	}
+
+	// Check if DataSourceRef matches supported types
+	apiGroup := ""
+	if existingPVC.Spec.DataSourceRef.APIGroup != nil {
+		apiGroup = *existingPVC.Spec.DataSourceRef.APIGroup
+	}
+
+	for _, supportedType := range supportedDataSourceTypes {
+		if supportedType.apiGroup == apiGroup && supportedType.kind == existingPVC.Spec.DataSourceRef.Kind {
+			log.Infof("Existing PVC %s in namespace %s has valid DataSourceRef (apiGroup: %s, kind: %s), can reuse",
+				pvcName, namespace, apiGroup, existingPVC.Spec.DataSourceRef.Kind)
+			return existingPVC, nil
+		}
+	}
+
+	// Check if DataSourceRef is VolumeSnapshot
+	if existingPVC.Spec.DataSourceRef.Kind == "VolumeSnapshot" &&
+		existingPVC.Spec.DataSourceRef.APIGroup != nil &&
+		*existingPVC.Spec.DataSourceRef.APIGroup == "snapshot.storage.k8s.io" {
+		log.Infof("WARNING: Existing PVC %s in namespace %s has valid VolumeSnapshot DataSourceRef, "+
+			"however, it is not supported for CNSRegisterVolume", pvcName, namespace)
+	}
+
+	// DataSourceRef is not supported
+	return nil, fmt.Errorf("existing PVC %s in namespace %s has unsupported DataSourceRef for CNSRegisterVolume. "+
+		"APIGroup: %s, Kind: %s is not supported. Supported types: %+v",
+		pvcName, namespace, apiGroup, existingPVC.Spec.DataSourceRef.Kind, supportedDataSourceTypes)
+}
+
 // validateCnsRegisterVolumeSpec validates the input params of
 // CnsRegisterVolume instance.
 func validateCnsRegisterVolumeSpec(ctx context.Context, instance *cnsregistervolumev1alpha1.CnsRegisterVolume) error {