Disables LUKS passphrase tracking to avoid controller lock

reederc42 · web-flow · commit 3ccc6c8638b6 · 2026-04-09T14:02:29.000-07:00
diff --git a/frontend/csi/utils.go b/frontend/csi/utils.go
@@ -258,8 +258,8 @@ func performProtocolSpecificReconciliation(ctx context.Context, trackingInfo *mo
 // of any possibly in use passphrases. If forceUpdate is true, the Trident controller will be notified of the current
 // passphrase name, regardless of a rotation.
 func ensureLUKSVolumePassphrase(
-	ctx context.Context, restClient controllerAPI.TridentController, luksDevice luks.Device,
-	volumeId string, secrets map[string]string, forceUpdate bool,
+	ctx context.Context, _ controllerAPI.TridentController, luksDevice luks.Device,
+	volumeId string, secrets map[string]string, _ bool,
 ) error {
 	luksPassphraseName, luksPassphrase, previousLUKSPassphraseName,
 		previousLUKSPassphrase := luks.GetLUKSPassphrasesFromSecretMap(secrets)
@@ -279,13 +279,14 @@ func ensureLUKSVolumePassphrase(
 		Logc(ctx).WithFields(LogFields{
 			"volume": volumeId,
 		}).Debugf("Current LUKS passphrase name '%s'.", luksPassphraseName)
-		if forceUpdate {
-			luksPassphraseNames := []string{luksPassphraseName}
-			err = restClient.UpdateVolumeLUKSPassphraseNames(ctx, volumeId, luksPassphraseNames)
-			if err != nil {
-				return fmt.Errorf("could not update current passphrase name for LUKS volume; %v", err)
-			}
-		}
+		// Disabled in all supported versions until 26.06.0. Users must track LUKS passphrases for volumes.
+		// if forceUpdate {
+		// 	luksPassphraseNames := []string{luksPassphraseName}
+		// 	err = restClient.UpdateVolumeLUKSPassphraseNames(ctx, volumeId, luksPassphraseNames)
+		// 	if err != nil {
+		// 		return fmt.Errorf("could not update current passphrase name for LUKS volume; %v", err)
+		// 	}
+		// }
 		return nil
 	}
 
@@ -307,12 +308,13 @@ func ensureLUKSVolumePassphrase(
 		"volume": volumeId,
 	}).Debugf("Current LUKS passphrase name '%s'.", previousLUKSPassphraseName)
 
+	// Disabled in all supported versions until 26.06.0. Users must track LUKS passphrases for volumes.
 	// Send up current and previous passphrase names, if rotation fails
-	luksPassphraseNames := []string{luksPassphraseName, previousLUKSPassphraseName}
-	err = restClient.UpdateVolumeLUKSPassphraseNames(ctx, volumeId, luksPassphraseNames)
-	if err != nil {
-		return fmt.Errorf("could not update passphrase names for LUKS volume, skipping passphrase rotation; %v", err)
-	}
+	// luksPassphraseNames := []string{luksPassphraseName, previousLUKSPassphraseName}
+	// err = restClient.UpdateVolumeLUKSPassphraseNames(ctx, volumeId, luksPassphraseNames)
+	// if err != nil {
+	// 	return fmt.Errorf("could not update passphrase names for LUKS volume, skipping passphrase rotation; %v", err)
+	// }
 
 	// Rotate
 	Logc(ctx).WithFields(LogFields{
@@ -331,16 +333,18 @@ func ensureLUKSVolumePassphrase(
 	}
 	Logc(ctx).Infof("Rotated LUKS passphrase")
 
-	isCurrent, err := luksDevice.CheckPassphrase(ctx, luksPassphrase)
-	if err != nil {
-		return fmt.Errorf("could not check current passphrase for LUKS volume; %v", err)
-	} else if isCurrent {
-		// Send only current passphrase up
-		luksPassphraseNames = []string{luksPassphraseName}
-		err = restClient.UpdateVolumeLUKSPassphraseNames(ctx, volumeId, luksPassphraseNames)
-		if err != nil {
-			return fmt.Errorf("could not update passphrase names for LUKS volume after rotation; %v", err)
-		}
-	}
+	// isCurrent, err := luksDevice.CheckPassphrase(ctx, luksPassphrase)
+	// if err != nil {
+	// 	return fmt.Errorf("could not check current passphrase for LUKS volume; %v", err)
+	// Disabled in all supported versions until 26.06.0. Users must track LUKS passphrases for volumes.
+	// } else if isCurrent {
+	// 	// Send only current passphrase up
+	// 	luksPassphraseNames = []string{luksPassphraseName}
+	// 	err = restClient.UpdateVolumeLUKSPassphraseNames(ctx, volumeId, luksPassphraseNames)
+	// 	if err != nil {
+	// 		return fmt.Errorf("could not update passphrase names for LUKS volume after rotation; %v", err)
+	// 	}
+	// }
+	// }
 	return nil
 }
diff --git a/frontend/csi/utils_test.go b/frontend/csi/utils_test.go
@@ -135,7 +135,6 @@ func TestEnsureLUKSVolumePassphrase(t *testing.T) {
 		"luks-passphrase":      "passphraseA",
 	}
 	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseA").Return(true, nil)
-	mockClient.EXPECT().UpdateVolumeLUKSPassphraseNames(gomock.Any(), "test-vol", []string{"A"}).Return(nil)
 	err = ensureLUKSVolumePassphrase(context.TODO(), mockClient, mockLUKSDevice, "test-vol", secrets, true)
 	assert.NoError(t, err)
 	mockCtrl.Finish()
@@ -153,10 +152,7 @@ func TestEnsureLUKSVolumePassphrase(t *testing.T) {
 	}
 	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseB").Return(false, nil)
 	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseA").Return(true, nil)
-	mockClient.EXPECT().UpdateVolumeLUKSPassphraseNames(gomock.Any(), "test-vol", []string{"B", "A"}).Return(nil)
 	mockLUKSDevice.EXPECT().RotatePassphrase(gomock.Any(), "test-vol", "passphraseA", "passphraseB").Return(nil)
-	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseB").Return(true, nil)
-	mockClient.EXPECT().UpdateVolumeLUKSPassphraseNames(gomock.Any(), "test-vol", []string{"B"}).Return(nil)
 	err = ensureLUKSVolumePassphrase(context.TODO(), mockClient, mockLUKSDevice, "test-vol", secrets, false)
 	assert.NoError(t, err)
 	mockCtrl.Finish()
@@ -196,24 +192,6 @@ func TestEnsureLUKSVolumePassphrase_Error(t *testing.T) {
 	assert.Error(t, err)
 	mockCtrl.Finish()
 
-	// ////////////////////////////////////////////////////////////////////////////////////////////////////////////
-	// Negative case: Sending pre-rotation passphrases to trident controller fails
-	mockCtrl = gomock.NewController(t)
-	mockClient = mockControllerAPI.NewMockTridentController(mockCtrl)
-	mockLUKSDevice = mock_luks.NewMockDevice(mockCtrl)
-	secrets = map[string]string{
-		"luks-passphrase-name":          "B",
-		"luks-passphrase":               "passphraseB",
-		"previous-luks-passphrase-name": "A",
-		"previous-luks-passphrase":      "passphraseA",
-	}
-	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseB").Return(false, nil)
-	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseA").Return(true, nil)
-	mockClient.EXPECT().UpdateVolumeLUKSPassphraseNames(gomock.Any(), "test-vol", []string{"B", "A"}).Return(fmt.Errorf("test error"))
-	err = ensureLUKSVolumePassphrase(context.TODO(), mockClient, mockLUKSDevice, "test-vol", secrets, false)
-	assert.Error(t, err)
-	mockCtrl.Finish()
-
 	// ////////////////////////////////////////////////////////////////////////////////////////////////////////////
 	// Negative case: Passphrase rotation fails
 	mockCtrl = gomock.NewController(t)
@@ -227,52 +205,10 @@ func TestEnsureLUKSVolumePassphrase_Error(t *testing.T) {
 	}
 	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseB").Return(false, nil)
 	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseA").Return(true, nil)
-	mockClient.EXPECT().UpdateVolumeLUKSPassphraseNames(gomock.Any(), "test-vol", []string{"B", "A"}).Return(nil)
 	mockLUKSDevice.EXPECT().RotatePassphrase(gomock.Any(), "test-vol", "passphraseA", "passphraseB").Return(fmt.Errorf("test error"))
 	err = ensureLUKSVolumePassphrase(context.TODO(), mockClient, mockLUKSDevice, "test-vol", secrets, false)
 	assert.Error(t, err)
 	mockCtrl.Finish()
-
-	// ////////////////////////////////////////////////////////////////////////////////////////////////////////////
-	// Negative case: Verifying passphrase rotation fails
-	mockCtrl = gomock.NewController(t)
-	mockClient = mockControllerAPI.NewMockTridentController(mockCtrl)
-	mockLUKSDevice = mock_luks.NewMockDevice(mockCtrl)
-	secrets = map[string]string{
-		"luks-passphrase-name":          "B",
-		"luks-passphrase":               "passphraseB",
-		"previous-luks-passphrase-name": "A",
-		"previous-luks-passphrase":      "passphraseA",
-	}
-	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseB").Return(false, nil)
-	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseA").Return(true, nil)
-	mockClient.EXPECT().UpdateVolumeLUKSPassphraseNames(gomock.Any(), "test-vol", []string{"B", "A"}).Return(nil)
-	mockLUKSDevice.EXPECT().RotatePassphrase(gomock.Any(), "test-vol", "passphraseA", "passphraseB").Return(nil)
-	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseB").Return(true, fmt.Errorf("test error"))
-	err = ensureLUKSVolumePassphrase(context.TODO(), mockClient, mockLUKSDevice, "test-vol", secrets, false)
-	assert.Error(t, err)
-	mockCtrl.Finish()
-
-	// ////////////////////////////////////////////////////////////////////////////////////////////////////////////
-	// Negative case: Sending post-rotation passphrases to trident controller fails
-	mockCtrl = gomock.NewController(t)
-	mockClient = mockControllerAPI.NewMockTridentController(mockCtrl)
-	mockLUKSDevice = mock_luks.NewMockDevice(mockCtrl)
-	secrets = map[string]string{
-		"luks-passphrase-name":          "B",
-		"luks-passphrase":               "passphraseB",
-		"previous-luks-passphrase-name": "A",
-		"previous-luks-passphrase":      "passphraseA",
-	}
-	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseB").Return(false, nil)
-	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseA").Return(true, nil)
-	mockClient.EXPECT().UpdateVolumeLUKSPassphraseNames(gomock.Any(), "test-vol", []string{"B", "A"}).Return(nil)
-	mockLUKSDevice.EXPECT().RotatePassphrase(gomock.Any(), "test-vol", "passphraseA", "passphraseB").Return(nil)
-	mockLUKSDevice.EXPECT().CheckPassphrase(gomock.Any(), "passphraseB").Return(true, nil)
-	mockClient.EXPECT().UpdateVolumeLUKSPassphraseNames(gomock.Any(), "test-vol", []string{"B"}).Return(fmt.Errorf("test error"))
-	err = ensureLUKSVolumePassphrase(context.TODO(), mockClient, mockLUKSDevice, "test-vol", secrets, false)
-	assert.Error(t, err)
-	mockCtrl.Finish()
 }
 
 func TestEnsureLUKSVolumePassphrase_InvalidSecret(t *testing.T) {
