<fix>[kvm]: define secret on migrate destination

Resolves: ZSV-11729

Change-Id: I616a776e78666179637976616c776162626c6533

Author: zhong.zhou

compute/src/main/java/org/zstack/compute/vm/devices/DummyEncryptedResourceKeyManager.java

@@ -19,6 +19,14 @@ public void getOrCreateKey(GetOrCreateResourceKeyContext ctx,
         completion.fail(operr("crypto module is not installed, cannot manage resource encryption keys"));
     }
 
+    @Override
+    public void getKey(GetOrCreateResourceKeyContext ctx,
+                       ReturnValueCompletion<ResourceKeyResult> completion) {
+        logger.warn(String.format("crypto module not installed, cannot get resource key for %s[uuid:%s]",
+                ctx.getResourceType(), ctx.getResourceUuid()));
+        completion.fail(operr("crypto module is not installed, cannot manage resource encryption keys"));
+    }
+
     @Override
     public void rollbackCreatedKey(ResourceKeyResult result, Completion completion) {
         completion.success();

header/src/main/java/org/zstack/header/keyprovider/EncryptedResourceKeyManager.java

@@ -26,11 +26,30 @@ public interface EncryptedResourceKeyManager {
     void getOrCreateKey(GetOrCreateResourceKeyContext ctx,
                         ReturnValueCompletion<ResourceKeyResult> completion);
 
+    /**
+     * Load the existing resource encryption key material only.
+     * <p>
+     * Requires an {@code EncryptedResourceKeyRef} row and a usable secret reference already stored
+     * for the resource. Does <strong>not</strong> insert a ref row and does <strong>not</strong> call
+     * key-tool/KMS <em>create</em> APIs.
+     * <p>
+     * The implementation may still call key-tool/KMS <em>get/unwrap</em> for the <strong>existing</strong>
+     * secret ref in order to return the plaintext DEK (for example defining the secret on the destination
+     * host during hot migration). That RPC is read-side materialization, not secret creation.
+     *
+     * @param ctx        same fields as {@link #getOrCreateKey}; identifies resource and provider
+     * @param completion returns {@link ResourceKeyResult} with {@code createdNewKey == false} on success
+     */
+    void getKey(GetOrCreateResourceKeyContext ctx,
+                ReturnValueCompletion<ResourceKeyResult> completion);
+
     /**
      * Roll back a newly created resource key during upper-layer workflow rollback.
      * <p>
-     * If the key record already existed before creation, implementation should restore it
-     * to its previous empty-placeholder state instead of deleting the relationship.
+     * When {@link ResourceKeyResult#isCreatedNewKey()} is true, the implementation deletes the
+     * key-tool secret if one was materialized, then removes the {@code EncryptedResourceKeyRef} row
+     * for the resource (same storage effect as detaching the key provider from the resource).
+     * When {@code createdNewKey} is false (existing secret was reused), this is a no-op.
      */
     void rollbackCreatedKey(ResourceKeyResult result, Completion completion);
 
@@ -91,7 +110,6 @@ class ResourceKeyResult {
         private String dekBase64;
         private String secretRef;
         private boolean createdNewKey;
-        private boolean refExistedBeforeCreate;
 
         public String getResourceUuid() {
             return resourceUuid;
@@ -156,13 +174,5 @@ public boolean isCreatedNewKey() {
         public void setCreatedNewKey(boolean createdNewKey) {
             this.createdNewKey = createdNewKey;
         }
-
-        public boolean isRefExistedBeforeCreate() {
-            return refExistedBeforeCreate;
-        }
-
-        public void setRefExistedBeforeCreate(boolean refExistedBeforeCreate) {
-            this.refExistedBeforeCreate = refExistedBeforeCreate;
-        }
     }
 }

header/src/main/java/org/zstack/header/secret/SecretHostDefineMsg.java

@@ -16,6 +16,8 @@ public class SecretHostDefineMsg extends NeedReplyMessage implements HostMessage
     private String vmUuid;
     private String purpose;
     private Integer keyVersion;
+    private String usageInstance;
+    private String secretUuid;
     private String description;
 
     @Override
@@ -59,6 +61,22 @@ public void setKeyVersion(Integer keyVersion) {
         this.keyVersion = keyVersion;
     }
 
+    public String getUsageInstance() {
+        return usageInstance;
+    }
+
+    public void setUsageInstance(String usageInstance) {
+        this.usageInstance = usageInstance;
+    }
+
+    public String getSecretUuid() {
+        return secretUuid;
+    }
+
+    public void setSecretUuid(String secretUuid) {
+        this.secretUuid = secretUuid;
+    }
+
     public String getDescription() {
         return description;
     }

header/src/main/java/org/zstack/header/secret/SecretHostDeleteMsg.java

@@ -8,6 +8,7 @@ public class SecretHostDeleteMsg extends NeedReplyMessage implements HostMessage
     private String vmUuid;
     private String purpose;
     private Integer keyVersion;
+    private String usageInstance;
 
     @Override
     public String getHostUuid() {
@@ -41,4 +42,12 @@ public Integer getKeyVersion() {
     public void setKeyVersion(Integer keyVersion) {
         this.keyVersion = keyVersion;
     }
+
+    public String getUsageInstance() {
+        return usageInstance;
+    }
+
+    public void setUsageInstance(String usageInstance) {
+        this.usageInstance = usageInstance;
+    }
 }

header/src/main/java/org/zstack/header/secret/SecretHostGetMsg.java

@@ -11,6 +11,7 @@ public class SecretHostGetMsg extends NeedReplyMessage implements HostMessage {
     private String vmUuid;
     private String purpose;
     private Integer keyVersion;
+    private String usageInstance;
 
     @Override
     public String getHostUuid() {
@@ -44,4 +45,12 @@ public Integer getKeyVersion() {
     public void setKeyVersion(Integer keyVersion) {
         this.keyVersion = keyVersion;
     }
+
+    public String getUsageInstance() {
+        return usageInstance;
+    }
+
+    public void setUsageInstance(String usageInstance) {
+        this.usageInstance = usageInstance;
+    }
 }

plugin/kvm/src/main/java/org/zstack/kvm/KVMAgentCommands.java

@@ -411,8 +411,9 @@ public static class SecretHostDefineCmd extends AgentCommand {
         private String vmUuid;
         private String purpose;
         private Integer keyVersion;
-        private String description;
         private String usageInstance;
+        private String secretUuid;
+        private String description;
 
         public String getEncryptedDek() {
             return encryptedDek;
@@ -446,21 +447,29 @@ public void setKeyVersion(Integer keyVersion) {
             this.keyVersion = keyVersion;
         }
 
-        public String getDescription() {
-            return description;
-        }
-
-        public void setDescription(String description) {
-            this.description = description;
-        }
-
         public String getUsageInstance() {
             return usageInstance;
         }
 
         public void setUsageInstance(String usageInstance) {
             this.usageInstance = usageInstance;
         }
+
+        public String getSecretUuid() {
+            return secretUuid;
+        }
+
+        public void setSecretUuid(String secretUuid) {
+            this.secretUuid = secretUuid;
+        }
+
+        public String getDescription() {
+            return description;
+        }
+
+        public void setDescription(String description) {
+            this.description = description;
+        }
     }
 
     public static class SecretHostDefineResponse extends AgentResponse {