kubevirt / containerized-data-importer / #5959

        log logr.Logger) (bool, error) {

        _, pvcUsesExternalPopulator := pvc.Annotations[cc.AnnExternalPopulation]

        if pvcUsesExternalPopulator {

        waitForFirstConsumerEnabled, err := cc.IsWaitForFirstConsumerEnabled(pvc, r.featureGates)

        if err != nil {

        return (!cc.IsPVCComplete(pvc) || cc.IsMultiStageImportInProgress(pvc)) &&

                        (checkPVC(pvc, cc.AnnEndpoint, log) || checkPVC(pvc, cc.AnnSource, log)) &&

                        shouldHandlePvc(pvc, waitForFirstConsumerEnabled, log),

                nil

func (r *ImportReconciler) Reconcile(_ context.Context, req reconcile.Request) (reconcile.Result, error) {

        log := r.log.WithValues("PVC", req.NamespacedName)

        log.V(1).Info("reconciling Import PVCs")

        // Get the PVC.

        pvc := &corev1.PersistentVolumeClaim{}

        if err := r.client.Get(context.TODO(), req.NamespacedName, pvc); err != nil {

                if k8serrors.IsNotFound(err) {

                        return reconcile.Result{}, nil

                }

        if checkPVC(pvc, cc.AnnEndpoint, log) || checkPVC(pvc, cc.AnnSource, log) {

                if err := cc.UpdatePVCBoundContionFromEvents(pvc, r.client, log); err != nil {

        shouldReconcile, err := r.shouldReconcilePVC(pvc, log)

        if err != nil {

        if !shouldReconcile {

                multiStageImport := metav1.HasAnnotation(pvc.ObjectMeta, cc.AnnCurrentCheckpoint)

                multiStageAlreadyDone := metav1.HasAnnotation(pvc.ObjectMeta, cc.AnnMultiStageImportDone)

                log.V(3).Info("Should not reconcile this PVC",

                        "pvc.annotation.phase.complete", cc.IsPVCComplete(pvc),

                        "pvc.annotations.endpoint", checkPVC(pvc, cc.AnnEndpoint, log),

                        "pvc.annotations.source", checkPVC(pvc, cc.AnnSource, log),

                        "isBound", isBound(pvc, log), "isMultistage", multiStageImport, "multiStageDone", multiStageAlreadyDone)

                return reconcile.Result{}, nil

        }

        return r.reconcilePvc(pvc, log)

func (r *ImportReconciler) findImporterPod(pvc *corev1.PersistentVolumeClaim, log logr.Logger) (*corev1.Pod, error) {

        podName := getImportPodNameFromPvc(pvc)

        pod := &corev1.Pod{}

        if err := r.client.Get(context.TODO(), types.NamespacedName{Name: podName, Namespace: pvc.GetNamespace()}, pod); err != nil {

                if !k8serrors.IsNotFound(err) {

                return nil, nil

        if !metav1.IsControlledBy(pod, pvc) && !cc.IsImageStream(pvc) {

                return nil, errors.Errorf("Pod is not owned by PVC")

        }

        log.V(1).Info("Pod is owned by PVC", pod.Name, pvc.Name)

        return pod, nil

func (r *ImportReconciler) reconcilePvc(pvc *corev1.PersistentVolumeClaim, log logr.Logger) (reconcile.Result, error) {

        // See if we have a pod associated with the PVC, we know the PVC has the needed annotations.

        pod, err := r.findImporterPod(pvc, log)

        if err != nil {

                return reconcile.Result{}, err

        }

        if pod == nil {

                if cc.IsPVCComplete(pvc) {

                } else if pvc.Annotations[cc.AnnImportFatalError] == "true" {

                } else if pvc.DeletionTimestamp == nil {

                        podsUsingPVC, err := cc.GetPodsUsingPVCs(context.TODO(), r.client, pvc.Namespace, sets.New(pvc.Name), false)

                        if err != nil {

                        if len(podsUsingPVC) > 0 {

                                for _, pod := range podsUsingPVC {

                                        r.log.V(1).Info("can't create import pod, pvc in use by other pod",

                                                "namespace", pvc.Namespace, "name", pvc.Name, "pod", pod.Name)

                                        r.recorder.Eventf(pvc, corev1.EventTypeWarning, ImportTargetInUse,

                                                "pod %s/%s using PersistentVolumeClaim %s", pod.Namespace, pod.Name, pvc.Name)

                                }

                                return reconcile.Result{Requeue: true}, nil

                        if _, ok := pvc.Annotations[cc.AnnImportPod]; ok {

                                // Create importer pod, make sure the PVC owns it.

                                if err := r.createImporterPod(pvc); err != nil {

                        } else {

                                // Create importer pod Name and store in PVC?

                                if err := r.initPvcPodName(pvc, log); err != nil {

        } else {

                if pvc.DeletionTimestamp != nil {

                } else {

                        // Copy import proxy ConfigMap (if exists) from cdi namespace to the import namespace

                        if err := r.copyImportProxyConfigMap(pvc, pod); err != nil {

                        if err := r.updatePvcFromPod(pvc, pod, log); err != nil {

        if !cc.IsPVCComplete(pvc) {

                // We are not done yet, force a re-reconcile in 2 seconds to get an update.

                log.V(1).Info("Force Reconcile pvc import not finished", "pvc.Name", pvc.Name)

                return reconcile.Result{RequeueAfter: 2 * time.Second}, nil

        }

        return reconcile.Result{}, nil

func (r *ImportReconciler) copyImportProxyConfigMap(pvc *corev1.PersistentVolumeClaim, pod *corev1.Pod) error {

        cdiConfig := &cdiv1.CDIConfig{}

        if err := r.client.Get(context.TODO(), types.NamespacedName{Name: common.ConfigName}, cdiConfig); err != nil {

        cmName, err := GetImportProxyConfig(cdiConfig, common.ImportProxyConfigMapName)

        if err != nil || cmName == "" {

                return nil

        }

func (r *ImportReconciler) initPvcPodName(pvc *corev1.PersistentVolumeClaim, log logr.Logger) error {

        currentPvcCopy := pvc.DeepCopyObject()

        log.V(1).Info("Init pod name on PVC")

        anno := pvc.GetAnnotations()

        anno[cc.AnnImportPod] = createImportPodNameFromPvc(pvc)

        requiresScratch := r.requiresScratchSpace(pvc)

        if requiresScratch {

        if !reflect.DeepEqual(currentPvcCopy, pvc) {

                if err := r.updatePVC(pvc, log); err != nil {

                log.V(1).Info("Updated PVC", "pvc.anno.AnnImportPod", anno[cc.AnnImportPod])

        return nil

func (r *ImportReconciler) updatePvcFromPod(pvc *corev1.PersistentVolumeClaim, pod *corev1.Pod, log logr.Logger) error {

        // Keep a copy of the original for comparison later.

        currentPvcCopy := pvc.DeepCopyObject()

        log.V(1).Info("Updating PVC from pod")

        anno := pvc.GetAnnotations()

        termMsg, err := parseTerminationMessage(pod)

        if err != nil {

                log.V(3).Info("Ignoring failure to parse termination message", "error", err.Error())

        }

        setAnnotationsFromPodWithPrefix(anno, pod, termMsg, cc.AnnRunningCondition)

        // Handle fatal errors reported via termination message even when the container exited with code 0.

        // In this branch we intentionally override the actual Pod phase (Succeeded) and mark the PVC as Failed + fatal

        // to stop retries; this keeps DV status aligned with the fatal outcome rather than the Pod phase.

        // Check for "checksum mismatch" which is the error message from ErrChecksumMismatch.

        if termMsg != nil && termMsg.Message != nil && strings.Contains(*termMsg.Message, "checksum mismatch") {

        scratchSpaceRequired := termMsg != nil && termMsg.ScratchSpaceRequired != nil && *termMsg.ScratchSpaceRequired

        if scratchSpaceRequired {

                log.V(1).Info("Pod requires scratch space, terminating pod, and restarting with scratch space", "pod.Name", pod.Name)

        }

        podModificationsNeeded := scratchSpaceRequired

        if statuses := pod.Status.ContainerStatuses; len(statuses) > 0 {

                if isOOMKilled(statuses[0]) {

                        log.V(1).Info("Pod died of an OOM, deleting pod, and restarting with qemu cache mode=none if storage supports it", "pod.Name", pod.Name)

                        podModificationsNeeded = true

                        anno[cc.AnnRequiresDirectIO] = "true"

                }

                if terminated := statuses[0].State.Terminated; terminated != nil && terminated.ExitCode > 0 {

                        log.Info("Pod termination code", "pod.Name", pod.Name, "ExitCode", terminated.ExitCode)

                        r.recorder.Event(pvc, corev1.EventTypeWarning, ErrImportFailedPVC, terminated.Message)

                }

        if anno[cc.AnnCurrentCheckpoint] != "" {

        anno[cc.AnnImportPod] = pod.Name

        if !podModificationsNeeded && anno[cc.AnnImportFatalError] != "true" {

                // No scratch space required, update the phase based on the pod. If we require scratch space we don't want to update the

                // phase, because the pod might terminate cleanly and mistakenly mark the import complete.

                anno[cc.AnnPodPhase] = string(pod.Status.Phase)

        }

        anno[cc.AnnPodSchedulable] = "true"

        if phase, ok := anno[cc.AnnPodPhase]; ok && phase == string(corev1.PodPending) {

                for _, cond := range pod.Status.Conditions {

        for _, ev := range pod.Spec.Containers[0].Env {

                if ev.Name == common.CacheMode && ev.Value == common.CacheModeTryNone {

        if pod.Status.Phase == corev1.PodPending && r.requiresScratchSpace(pvc) {

                if err := r.createScratchPvcForPod(pvc, pod); err != nil {

        } else {

                // No scratch space, or scratch space is bound, remove annotation

                delete(anno, cc.AnnBoundCondition)

                delete(anno, cc.AnnBoundConditionMessage)

                delete(anno, cc.AnnBoundConditionReason)

        }

        if pvc.GetLabels() == nil {

                pvc.SetLabels(make(map[string]string, 0))

        }

        if !checkIfLabelExists(pvc, common.CDILabelKey, common.CDILabelValue) {

                pvc.GetLabels()[common.CDILabelKey] = common.CDILabelValue

        }

        if cc.IsPVCComplete(pvc) {

                pvc.SetLabels(addLabelsFromTerminationMessage(pvc.GetLabels(), termMsg))

        }

        if !reflect.DeepEqual(currentPvcCopy, pvc) {

                if err := r.updatePVC(pvc, log); err != nil {

                log.V(1).Info("Updated PVC", "pvc.anno.Phase", anno[cc.AnnPodPhase], "pvc.anno.Restarts", anno[cc.AnnPodRestarts])

        if anno[cc.AnnImportFatalError] == "true" {

        if cc.IsPVCComplete(pvc) || podModificationsNeeded {

                if !podModificationsNeeded {

                        r.recorder.Event(pvc, corev1.EventTypeNormal, ImportSucceededPVC, "Import Successful")

                        log.V(1).Info("Import completed successfully")

                }

                if cc.ShouldDeletePod(pvc) {

                        log.V(1).Info("Deleting pod", "pod.Name", pod.Name)

                        if err := r.cleanup(pvc, pod, log); err != nil {

        return nil

func (r *ImportReconciler) cleanup(pvc *corev1.PersistentVolumeClaim, pod *corev1.Pod, log logr.Logger) error {

        if err := r.client.Delete(context.TODO(), pod); cc.IgnoreNotFound(err) != nil {

        if cc.HasFinalizer(pvc, importPodImageStreamFinalizer) {

        return nil

func (r *ImportReconciler) updatePVC(pvc *corev1.PersistentVolumeClaim, log logr.Logger) error {

        if err := r.client.Update(context.TODO(), pvc); err != nil {

        return nil

func (r *ImportReconciler) createImporterPod(pvc *corev1.PersistentVolumeClaim) error {

        r.log.V(1).Info("Creating importer POD for PVC", "pvc.Name", pvc.Name)

        var scratchPvcName *string

        var vddkImageName *string

        var vddkExtraArgs *string

        var vddkNodeSelector map[string]string

        var err error

        requiresScratch := r.requiresScratchSpace(pvc)

        if requiresScratch {

        if cc.GetSource(pvc) == cc.SourceVDDK {

                r.log.V(1).Info("Pod requires VDDK sidecar for VMware transfer")

                anno := pvc.GetAnnotations()

                if imageName, ok := anno[cc.AnnVddkInitImageURL]; ok {

                        vddkImageName = &imageName

                } else {

                        if vddkImageName, err = r.getVddkImageName(); err != nil {

                                r.log.V(1).Error(err, "failed to get VDDK image name from configmap")

                        }

                if vddkImageName == nil {

                        message := fmt.Sprintf("waiting for %s configmap or %s annotation for VDDK image", common.VddkConfigMap, cc.AnnVddkInitImageURL)

                        anno[cc.AnnBoundCondition] = "false"

                        anno[cc.AnnBoundConditionMessage] = message

                        anno[cc.AnnBoundConditionReason] = common.AwaitingVDDK

                        if err := r.updatePVC(pvc, r.log); err != nil {

                        return errors.New(message)

                if extraArgs, ok := anno[cc.AnnVddkExtraArgs]; ok && extraArgs != "" {

                        r.log.V(1).Info("Mounting extra VDDK args ConfigMap to importer pod", "ConfigMap", extraArgs)

                        vddkExtraArgs = &extraArgs

                        vddkNodeSelector, err = r.getVddkNodeSelector(pvc.Namespace, extraArgs)

                        if err != nil {

                                return err

                        }

        podEnvVar, err := r.createImportEnvVar(pvc)

        if err != nil {

        podArgs := &importerPodArgs{

                image:              r.image,

                verbose:            r.verbose,

                pullPolicy:         r.pullPolicy,

                podEnvVar:          podEnvVar,

                pvc:                pvc,

                scratchPvcName:     scratchPvcName,

                vddkImageName:      vddkImageName,

                vddkExtraArgs:      vddkExtraArgs,

                vddkNodeSelector:   vddkNodeSelector,

                priorityClassName:  cc.GetPriorityClass(pvc),

                serviceAccountName: cc.GetPodServiceAccount(pvc),

        }

        pod, err := createImporterPod(context.TODO(), r.log, r.client, podArgs, r.installerLabels)

        // Check if pod has failed and, in that case, record an event with the error

        if podErr := cc.HandleFailedPod(err, pvc.Annotations[cc.AnnImportPod], pvc, r.recorder, r.client); podErr != nil {

        r.log.V(1).Info("Created POD", "pod.Name", pod.Name)

        // If importing from image stream, add finalizer. Note we don't watch the importer pod in this case,

        // so to prevent a deadlock we add finalizer only if the pod is not retained after completion.

        if cc.IsImageStream(pvc) && pvc.GetAnnotations()[cc.AnnPodRetainAfterCompletion] != "true" {

        if requiresScratch {

        return nil

func (r *ImportReconciler) createImportEnvVar(pvc *corev1.PersistentVolumeClaim) (*importPodEnvVar, error) {

        podEnvVar := &importPodEnvVar{}

        podEnvVar.source = cc.GetSource(pvc)

        podEnvVar.contentType = string(cc.GetPVCContentType(pvc))

        var err error

        if podEnvVar.source != cc.SourceNone {

                podEnvVar.ep, err = cc.GetEndpoint(pvc)

                if err != nil {

                podEnvVar.secretName = r.getSecretName(pvc)

                if podEnvVar.secretName == "" {

                        r.log.V(2).Info("no secret will be supplied to endpoint", "endPoint", podEnvVar.ep)

                }

                cdiConfig := &cdiv1.CDIConfig{}

                err = r.client.Get(context.TODO(), types.NamespacedName{Name: common.ConfigName}, cdiConfig)

                if err != nil {

                podEnvVar.certConfigMap, err = r.getCertConfigMap(pvc)

                if err != nil {

                podEnvVar.insecureTLS, err = r.isInsecureTLS(pvc, cdiConfig)

                if err != nil {

                podEnvVar.diskID = getValueFromAnnotation(pvc, cc.AnnDiskID)

                podEnvVar.backingFile = getValueFromAnnotation(pvc, cc.AnnBackingFile)

                podEnvVar.uuid = getValueFromAnnotation(pvc, cc.AnnUUID)

                podEnvVar.thumbprint = getValueFromAnnotation(pvc, cc.AnnThumbprint)

                podEnvVar.previousCheckpoint = getValueFromAnnotation(pvc, cc.AnnPreviousCheckpoint)

                podEnvVar.currentCheckpoint = getValueFromAnnotation(pvc, cc.AnnCurrentCheckpoint)

                podEnvVar.finalCheckpoint = getValueFromAnnotation(pvc, cc.AnnFinalCheckpoint)

                podEnvVar.registryImageArchitecture = getValueFromAnnotation(pvc, cc.AnnRegistryImageArchitecture)

                podEnvVar.checksum = getValueFromAnnotation(pvc, cc.AnnChecksum)

                for annotation, value := range pvc.Annotations {

                        if strings.HasPrefix(annotation, cc.AnnExtraHeaders) {

                        if strings.HasPrefix(annotation, cc.AnnSecretExtraHeaders) {

                var field string

                if field, err = GetImportProxyConfig(cdiConfig, common.ImportProxyHTTP); err != nil {

                        r.log.V(3).Info("no proxy http url will be supplied:", "error", err.Error())

                }

                podEnvVar.httpProxy = field

                if field, err = GetImportProxyConfig(cdiConfig, common.ImportProxyHTTPS); err != nil {

                        r.log.V(3).Info("no proxy https url will be supplied:", "error", err.Error())

                }

                podEnvVar.httpsProxy = field

                if field, err = GetImportProxyConfig(cdiConfig, common.ImportProxyNoProxy); err != nil {

                        r.log.V(3).Info("the noProxy field will not be supplied:", "error", err.Error())

                }

                podEnvVar.noProxy = field

                if field, err = GetImportProxyConfig(cdiConfig, common.ImportProxyConfigMapName); err != nil {

                        r.log.V(3).Info("no proxy CA certiticate will be supplied:", "error", err.Error())

                }

                podEnvVar.certConfigMapProxy = field

        fsOverhead, err := GetFilesystemOverhead(context.TODO(), r.client, pvc)

        if err != nil {

        podEnvVar.filesystemOverhead = string(fsOverhead)

        if preallocation, err := strconv.ParseBool(getValueFromAnnotation(pvc, cc.AnnPreallocationRequested)); err == nil {

        podEnvVar.imageSize, err = cc.GetRequestedImageSize(pvc)

        if err != nil {

        if v, ok := pvc.Annotations[cc.AnnRequiresDirectIO]; ok && v == "true" {

                podEnvVar.cacheMode = common.CacheModeTryNone

        }

        return podEnvVar, nil

func (r *ImportReconciler) isInsecureTLS(pvc *corev1.PersistentVolumeClaim, cdiConfig *cdiv1.CDIConfig) (bool, error) {

        // Check if insecureSkipVerify annotation is set (only applicable for ImageIO sources)

        source, sourceOk := pvc.Annotations[cc.AnnSource]

        if sourceOk && source == cc.SourceImageio {

        ep, ok := pvc.Annotations[cc.AnnEndpoint]

        if !ok || ep == "" {

                return false, nil

        }

        return IsInsecureTLS(ep, cdiConfig, r.log)

func IsInsecureTLS(ep string, cdiConfig *cdiv1.CDIConfig, log logr.Logger) (bool, error) {

        url, err := url.Parse(ep)

        if err != nil {

        if url.Scheme != "docker" {

                return false, nil

        }

        for _, value := range cdiConfig.Spec.InsecureRegistries {

                log.V(1).Info("Checking host against value", "host", url.Host, "value", value)

                if value == url.Host {

                        return true, nil

                }

        return false, nil

func (r *ImportReconciler) getCertConfigMap(pvc *corev1.PersistentVolumeClaim) (string, error) {

        value, ok := pvc.Annotations[cc.AnnCertConfigMap]

        if !ok || value == "" {

                return "", nil

        }

        configMap := &corev1.ConfigMap{}

        if err := r.uncachedClient.Get(context.TODO(), types.NamespacedName{Name: value, Namespace: pvc.Namespace}, configMap); err != nil {

                if k8serrors.IsNotFound(err) {

                        r.log.V(1).Info("Configmap does not exist, pod will not start until it does", "configMapName", value)

                        return value, nil

                }

        return value, nil

func (r *ImportReconciler) getSecretName(pvc *corev1.PersistentVolumeClaim) string {

        ns := pvc.Namespace

        name, found := pvc.Annotations[cc.AnnSecret]

        if !found || name == "" {

                msg := "getEndpointSecret: "

                if !found {

                        msg += fmt.Sprintf("annotation %q is missing in pvc \"%s/%s\"", cc.AnnSecret, ns, pvc.Name)

                } else {

                r.log.V(2).Info(msg)

                return "" // importer pod will not contain secret credentials

        return name

func (r *ImportReconciler) requiresScratchSpace(pvc *corev1.PersistentVolumeClaim) bool {

        scratchRequired := false

        contentType := cc.GetPVCContentType(pvc)

        // All archive requires scratch space.

        if contentType == cdiv1.DataVolumeArchive {

        } else {

                switch cc.GetSource(pvc) {

                case cc.SourceRegistry:

                        scratchRequired = pvc.Annotations[cc.AnnRegistryImportMethod] != string(cdiv1.RegistryPullNode)

        value, ok := pvc.Annotations[cc.AnnRequiresScratch]

        if ok {

                boolVal, _ := strconv.ParseBool(value)

                scratchRequired = scratchRequired || boolVal

        }

        return scratchRequired

func (r *ImportReconciler) createScratchPvcForPod(pvc *corev1.PersistentVolumeClaim, pod *corev1.Pod) error {

        scratchPvc := &corev1.PersistentVolumeClaim{}

        scratchPVCName, exists := getScratchNameFromPod(pod)

        if !exists {

        anno := pvc.GetAnnotations()

        err := r.client.Get(context.TODO(), types.NamespacedName{Namespace: pvc.GetNamespace(), Name: scratchPVCName}, scratchPvc)

        if cc.IgnoreNotFound(err) != nil {

        if k8serrors.IsNotFound(err) {

                r.log.V(1).Info("Creating scratch space for POD and PVC", "pod.Name", pod.Name, "pvc.Name", pvc.Name)

                storageClassName := GetScratchPvcStorageClass(r.client, pvc)

                // Scratch PVC doesn't exist yet, create it. Determine which storage class to use.

                _, err = createScratchPersistentVolumeClaim(r.client, pvc, pod, scratchPVCName, storageClassName, r.installerLabels, r.recorder)

                if err != nil {

                anno[cc.AnnBoundCondition] = "false"

                anno[cc.AnnBoundConditionMessage] = "Creating scratch space"

                anno[cc.AnnBoundConditionReason] = creatingScratch

        anno[cc.AnnRequiresScratch] = "false"

        return nil

func (r *ImportReconciler) getVddkImageName() (*string, error) {

        namespace := util.GetNamespace()

        cm := &corev1.ConfigMap{}

        err := r.uncachedClient.Get(context.TODO(), types.NamespacedName{Name: common.VddkConfigMap, Namespace: namespace}, cm)

        if k8serrors.IsNotFound(err) {

                return nil, errors.Errorf("No %s ConfigMap present in namespace %s", common.VddkConfigMap, namespace)

        }

        image, found := cm.Data[common.VddkConfigDataKey]

        if found {

                msg := fmt.Sprintf("Found %s ConfigMap in namespace %s, VDDK image path is: ", common.VddkConfigMap, namespace)

                r.log.V(1).Info(msg, common.VddkConfigDataKey, image)

                return &image, nil

        }