<fix>[kms]: add delete secret for vm

zhijian.liu · zhijian.liu · commit f1c6817a6511 · 2026-04-09T18:33:49.000+08:00
Resolves: ZSV-11630
diff --git a/conf/springConfigXml/Kvm.xml b/conf/springConfigXml/Kvm.xml
@@ -256,6 +256,7 @@
         <zstack:plugin>
             <zstack:extension interface="org.zstack.kvm.KVMStartVmExtensionPoint" />
             <zstack:extension interface="org.zstack.header.vm.PreVmInstantiateResourceExtensionPoint" />
+            <zstack:extension interface="org.zstack.header.vm.VmAfterExpungeExtensionPoint" />
         </zstack:plugin>
     </bean>
 
diff --git a/header/src/main/java/org/zstack/header/secret/SecretHostDeleteMsg.java b/header/src/main/java/org/zstack/header/secret/SecretHostDeleteMsg.java
@@ -0,0 +1,48 @@
+package org.zstack.header.secret;
+
+import org.zstack.header.host.HostMessage;
+import org.zstack.header.message.NeedReplyMessage;
+
+/**
+ * Request to delete existing secret on KVM host by vmUuid/purpose/keyVersion.
+ * keyVersion can be null, then agent may remove all matched versions for the vm+purpose.
+ */
+public class SecretHostDeleteMsg extends NeedReplyMessage implements HostMessage {
+    private String hostUuid;
+    private String vmUuid;
+    private String purpose;
+    private Integer keyVersion;
+
+    @Override
+    public String getHostUuid() {
+        return hostUuid;
+    }
+
+    public void setHostUuid(String hostUuid) {
+        this.hostUuid = hostUuid;
+    }
+
+    public String getVmUuid() {
+        return vmUuid;
+    }
+
+    public void setVmUuid(String vmUuid) {
+        this.vmUuid = vmUuid;
+    }
+
+    public String getPurpose() {
+        return purpose;
+    }
+
+    public void setPurpose(String purpose) {
+        this.purpose = purpose;
+    }
+
+    public Integer getKeyVersion() {
+        return keyVersion;
+    }
+
+    public void setKeyVersion(Integer keyVersion) {
+        this.keyVersion = keyVersion;
+    }
+}
diff --git a/header/src/main/java/org/zstack/header/secret/SecretHostDeleteReply.java b/header/src/main/java/org/zstack/header/secret/SecretHostDeleteReply.java
@@ -0,0 +1,7 @@
+package org.zstack.header.secret;
+
+import org.zstack.header.message.MessageReply;
+
+/** Reply for SecretHostDeleteMsg. */
+public class SecretHostDeleteReply extends MessageReply {
+}
diff --git a/plugin/kvm/src/main/java/org/zstack/kvm/KVMAgentCommands.java b/plugin/kvm/src/main/java/org/zstack/kvm/KVMAgentCommands.java
@@ -508,6 +508,39 @@ public void setSecretUuid(String secretUuid) {
         }
     }
 
+    public static class SecretHostDeleteCmd extends AgentCommand {
+        private String vmUuid;
+        private String purpose;
+        private Integer keyVersion;
+
+        public String getVmUuid() {
+            return vmUuid;
+        }
+
+        public void setVmUuid(String vmUuid) {
+            this.vmUuid = vmUuid;
+        }
+
+        public String getPurpose() {
+            return purpose;
+        }
+
+        public void setPurpose(String purpose) {
+            this.purpose = purpose;
+        }
+
+        public Integer getKeyVersion() {
+            return keyVersion;
+        }
+
+        public void setKeyVersion(Integer keyVersion) {
+            this.keyVersion = keyVersion;
+        }
+    }
+
+    public static class SecretHostDeleteResponse extends AgentResponse {
+    }
+
     public static class PingCmd extends AgentCommand {
         public String hostUuid;
         public Map<String, Object> configs;
diff --git a/plugin/kvm/src/main/java/org/zstack/kvm/KVMConstant.java b/plugin/kvm/src/main/java/org/zstack/kvm/KVMConstant.java
@@ -131,6 +131,7 @@ public interface KVMConstant {
     String KVM_VERIFY_ENVELOPE_KEY_PATH = "/host/key/envelope/checkEnvelopeKey";
     String KVM_GET_SECRET_PATH = "/host/key/envelope/getSecret";
     String KVM_ENSURE_SECRET_PATH = "/host/key/envelope/ensureSecret";
+    String KVM_DELETE_SECRET_PATH = "/host/key/envelope/deleteSecret";
 
     /** HTTP timeout in seconds for envelope key sync (verify/create/rotate/get) to agent. */
     long ENVELOPE_KEY_HTTP_TIMEOUT_SEC = 5L;
diff --git a/plugin/kvm/src/main/java/org/zstack/kvm/KVMHost.java b/plugin/kvm/src/main/java/org/zstack/kvm/KVMHost.java
@@ -57,6 +57,8 @@
 import org.zstack.header.host.MigrateVmOnHypervisorMsg.StorageMigrationPolicy;
 import org.zstack.header.secret.SecretHostDefineMsg;
 import org.zstack.header.secret.SecretHostDefineReply;
+import org.zstack.header.secret.SecretHostDeleteMsg;
+import org.zstack.header.secret.SecretHostDeleteReply;
 import org.zstack.header.secret.SecretHostGetMsg;
 import org.zstack.header.secret.SecretHostGetReply;
 import org.zstack.header.message.APIMessage;
@@ -756,6 +758,8 @@ protected void handleLocalMessage(Message msg) {
             handle((SecretHostGetMsg) msg);
         } else if (msg instanceof SecretHostDefineMsg) {
             handle((SecretHostDefineMsg) msg);
+        } else if (msg instanceof SecretHostDeleteMsg) {
+            handle((SecretHostDeleteMsg) msg);
         } else {
             super.handleLocalMessage(msg);
         }
@@ -5465,6 +5469,42 @@ public Class<KVMAgentCommands.SecretHostDefineResponse> getReturnClass() {
         }, TimeUnit.SECONDS, KVMConstant.ENVELOPE_KEY_HTTP_TIMEOUT_SEC);
     }
 
+    private void handle(SecretHostDeleteMsg msg) {
+        SecretHostDeleteReply reply = new SecretHostDeleteReply();
+        if (StringUtils.isBlank(msg.getVmUuid()) || StringUtils.isBlank(msg.getPurpose())) {
+            reply.setError(operr("vmUuid and purpose are required for delete secret"));
+            bus.reply(msg, reply);
+            return;
+        }
+
+        String url = buildUrl(KVMConstant.KVM_DELETE_SECRET_PATH);
+        KVMAgentCommands.SecretHostDeleteCmd cmd = new KVMAgentCommands.SecretHostDeleteCmd();
+        cmd.setVmUuid(msg.getVmUuid());
+        cmd.setPurpose(msg.getPurpose());
+        cmd.setKeyVersion(msg.getKeyVersion());
+
+        restf.asyncJsonPost(url, cmd, new JsonAsyncRESTCallback<KVMAgentCommands.SecretHostDeleteResponse>(msg, reply) {
+            @Override
+            public void fail(ErrorCode err) {
+                reply.setError(err != null ? err : operr("delete secret on agent failed"));
+                bus.reply(msg, reply);
+            }
+
+            @Override
+            public void success(KVMAgentCommands.SecretHostDeleteResponse rsp) {
+                if (rsp == null || !rsp.isSuccess()) {
+                    reply.setError(buildSecretAgentError(rsp, "delete secret failed"));
+                }
+                bus.reply(msg, reply);
+            }
+
+            @Override
+            public Class<KVMAgentCommands.SecretHostDeleteResponse> getReturnClass() {
+                return KVMAgentCommands.SecretHostDeleteResponse.class;
+            }
+        }, TimeUnit.SECONDS, KVMConstant.ENVELOPE_KEY_HTTP_TIMEOUT_SEC);
+    }
+
     private ErrorCode buildSecretAgentError(KVMAgentCommands.AgentResponse rsp, String defaultMessage) {
         if (rsp != null && rsp.getError() != null) {
             ErrorCode err = new ErrorCode();
diff --git a/plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmExtensions.java b/plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmExtensions.java
@@ -2,7 +2,6 @@
 
 import org.apache.commons.lang.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.zstack.compute.vm.VmGlobalConfig;
 import org.zstack.compute.vm.devices.TpmEncryptedResourceKeyBackend;
 import org.zstack.compute.vm.devices.TpmEncryptedResourceKeyBackend.CloneEncryptedResourceKeyContext;
 import org.zstack.core.Platform;
@@ -21,11 +20,13 @@
 import org.zstack.header.core.workflow.FlowTrigger;
 import org.zstack.header.core.workflow.NoRollbackFlow;
 import org.zstack.header.errorcode.ErrorCode;
+import org.zstack.header.core.NoErrorCompletion;
 import org.zstack.header.host.HostConstant;
 import org.zstack.header.message.MessageReply;
 import org.zstack.header.keyprovider.EncryptedResourceKeyManager;
 import org.zstack.header.keyprovider.EncryptedResourceKeyManager.GetOrCreateResourceKeyContext;
 import org.zstack.header.keyprovider.EncryptedResourceKeyManager.ResourceKeyResult;
+import org.zstack.header.secret.SecretHostDeleteMsg;
 import org.zstack.header.secret.SecretHostDefineMsg;
 import org.zstack.header.storage.snapshot.group.VolumeSnapshotGroupVO;
 import org.zstack.header.storage.snapshot.group.VolumeSnapshotGroupVO_;
@@ -35,11 +36,17 @@
 import org.zstack.header.tpm.entity.TpmSpec;
 import org.zstack.header.tpm.entity.TpmVO;
 import org.zstack.header.tpm.entity.TpmVO_;
+import org.zstack.header.vm.HaStartVmInstanceMsg;
 import org.zstack.header.vm.PreVmInstantiateResourceExtensionPoint;
+import org.zstack.header.vm.VmAfterExpungeExtensionPoint;
+import org.zstack.header.vm.VmInstanceInventory;
+import org.zstack.header.vm.VmInstanceMigrateExtensionPoint;
 import org.zstack.header.vm.VmInstanceSpec;
 import org.zstack.header.vm.VmInstantiateResourceException;
 import org.zstack.header.vm.additions.VmHostBackupFileVO;
 import org.zstack.header.vm.additions.VmHostBackupFileVO_;
+import org.zstack.header.vm.VmInstanceVO;
+import org.zstack.header.vm.VmInstanceVO_;
 import org.zstack.header.vm.additions.VmHostFileType;
 import org.zstack.header.vm.additions.VmHostFileVO;
 import org.zstack.header.vm.additions.VmHostFileVO_;
@@ -60,7 +67,9 @@
 import static org.zstack.core.Platform.operr;
 
 public class KvmTpmExtensions implements KVMStartVmExtensionPoint,
-        PreVmInstantiateResourceExtensionPoint {
+        PreVmInstantiateResourceExtensionPoint,
+        VmInstanceMigrateExtensionPoint,
+        VmAfterExpungeExtensionPoint {
     private static final CLogger logger = Utils.getLogger(KvmTpmExtensions.class);
 
     @Autowired
@@ -122,6 +131,16 @@ public void beforeStartVmOnKvm(KVMHostInventory host, VmInstanceSpec spec, KVMAg
 
     @Override
     public void startVmOnKvmSuccess(KVMHostInventory host, VmInstanceSpec spec) {
+        if (spec.getMessage() instanceof HaStartVmInstanceMsg) {
+            String vmUuid = spec.getVmInventory() == null ? null : spec.getVmInventory().getUuid();
+            String srcHostUuid = spec.getVmInventory() == null ? null : spec.getVmInventory().getLastHostUuid();
+            Integer keyVersion = findTpmKeyVersionByVmUuid(vmUuid);
+            boolean vmIsOnDestHost = isVmCurrentlyOnExpectedHost(vmUuid, host.getUuid());
+            if (vmIsOnDestHost && StringUtils.isNotBlank(srcHostUuid) && !host.getUuid().equals(srcHostUuid)) {
+                deleteHostSecretBestEffort(srcHostUuid, vmUuid, keyVersion,
+                        "ha-start-success");
+            }
+        }
         clearRollbackInfo(spec);
     }
 
@@ -229,10 +248,11 @@ public void rollback(FlowRollback trigger, Map data) {
 
             @Override
             public boolean skip(Map data) {
-                boolean shouldSkip = VmGlobalConfig.ALLOWED_TPM_VM_WITHOUT_KMS.value(Boolean.class)
-                        && StringUtils.isBlank(context.providerUuid);
+                boolean shouldSkip = StringUtils.isBlank(context.providerUuid);
                 if (shouldSkip) {
-                    logger.info("skip create-dek: allowed.tpm.vm.without.kms is enabled and no KMS provider bound");
+                    logger.info(String.format(
+                            "skip ensure-resource-key-ref for tpm[uuid:%s] due to missing key provider binding, try host secret first",
+                            context.tpmUuid));
                 }
                 return shouldSkip;
             }
@@ -253,7 +273,6 @@ public void run(FlowTrigger trigger, Map data) {
                 keyCtx.setResourceUuid(context.tpmUuid);
                 keyCtx.setResourceType(TpmVO.class.getSimpleName());
                 keyCtx.setKeyProviderUuid(context.providerUuid);
-                keyCtx.setKeyProviderName(context.providerName);
                 keyCtx.setPurpose("vtpm");
 
                 resourceKeyManager.getOrCreateKey(keyCtx, new ReturnValueCompletion<ResourceKeyResult>(trigger) {
@@ -488,4 +507,91 @@ private String findSourceTpmUuidFromSnapshotTpmBackupFile(String tpmBackupFileUu
                 .select(TpmVO_.uuid)
                 .findValue();
     }
+
+    @Override
+    public void afterMigrateVm(VmInstanceInventory inv, String srcHostUuid, NoErrorCompletion completion) {
+        String vmUuid = inv == null ? null : inv.getUuid();
+        String destHostUuid = inv == null ? null : inv.getHostUuid();
+        if (StringUtils.isBlank(vmUuid) || StringUtils.isBlank(srcHostUuid) || srcHostUuid.equals(destHostUuid)) {
+            completion.done();
+            return;
+        }
+
+        if (!isVmCurrentlyOnExpectedHost(vmUuid, destHostUuid)) {
+            completion.done();
+            return;
+        }
+
+        Integer keyVersion = findTpmKeyVersionByVmUuid(vmUuid);
+        deleteHostSecretBestEffort(srcHostUuid, vmUuid, keyVersion, "after-migrate");
+        completion.done();
+    }
+
+    @Override
+    public void vmAfterExpunge(VmInstanceInventory vm) {
+        String vmUuid = vm.getUuid();
+        Integer keyVersion = findTpmKeyVersionByVmUuid(vmUuid);
+
+        java.util.Set<String> hostUuids = new java.util.HashSet<>();
+        if (StringUtils.isNotBlank(vm.getHostUuid())) {
+            hostUuids.add(vm.getHostUuid());
+        }
+        if (StringUtils.isNotBlank(vm.getLastHostUuid())) {
+            hostUuids.add(vm.getLastHostUuid());
+        }
+
+        if (hostUuids.isEmpty()) {
+            return;
+        }
+
+        for (String hostUuid : hostUuids) {
+            deleteHostSecretBestEffort(hostUuid, vmUuid, keyVersion, "expunge");
+        }
+    }
+
+    private Integer findTpmKeyVersionByVmUuid(String vmUuid) {
+        if (StringUtils.isBlank(vmUuid)) {
+            return null;
+        }
+        String tpmUuid = Q.New(TpmVO.class)
+                .eq(TpmVO_.vmInstanceUuid, vmUuid)
+                .select(TpmVO_.uuid)
+                .findValue();
+        return tpmUuid == null ? null : resourceKeyBackend.findKeyVersionByTpm(tpmUuid);
+    }
+
+    private boolean isVmCurrentlyOnExpectedHost(String vmUuid, String expectedHostUuid) {
+        if (StringUtils.isBlank(vmUuid) || StringUtils.isBlank(expectedHostUuid)) {
+            return false;
+        }
+
+        String currentHostUuid = Q.New(VmInstanceVO.class)
+                .select(VmInstanceVO_.hostUuid)
+                .eq(VmInstanceVO_.uuid, vmUuid)
+                .findValue();
+        return expectedHostUuid.equals(currentHostUuid);
+    }
+
+    private void deleteHostSecretBestEffort(String hostUuid, String vmUuid, Integer keyVersion, String reason) {
+        if (StringUtils.isBlank(hostUuid) || StringUtils.isBlank(vmUuid)) {
+            return;
+        }
+
+        SecretHostDeleteMsg dmsg = new SecretHostDeleteMsg();
+        dmsg.setHostUuid(hostUuid);
+        dmsg.setVmUuid(vmUuid);
+        dmsg.setPurpose("vtpm");
+        dmsg.setKeyVersion(keyVersion);
+        bus.makeTargetServiceIdByResourceUuid(dmsg, HostConstant.SERVICE_ID, hostUuid);
+        bus.send(dmsg, new CloudBusCallBack(null) {
+            @Override
+            public void run(MessageReply reply) {
+                if (!reply.isSuccess()) {
+                    logger.warn(String.format(
+                            "best-effort delete host secret failed on %s for vm[uuid:%s], host[uuid:%s]: %s",
+                            reason, vmUuid, hostUuid, reply.getError().getDetails()));
+                }
+            }
+        });
+    }
 }
diff --git a/plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmManager.java b/plugin/kvm/src/main/java/org/zstack/kvm/tpm/KvmTpmManager.java
