rbd: Allow user to disable key rotation
This patch allows the user to disable automatic
key rotation by annotating StorageCluster
with `keyrotation.csiaddons.openshift.io/enable=false`

Signed-off-by: Niraj Yadav <[email protected]>
black-dragon74 committed Nov 14, 2024
1 parent 201c936 commit 220f333
Showing 5 changed files with 28 additions and 2 deletions.
1 change: 1 addition & 0 deletions config/rbac/role.yaml
Expand Up @@ -318,6 +318,7 @@ rules:
- delete
- get
- list
- update
- watch
- apiGroups:
- template.openshift.io
2 changes: 1 addition & 1 deletion controllers/storagecluster/reconcile.go
Expand Up @@ -116,7 +116,7 @@ var validTopologyLabelKeys = []string{
// +kubebuilder:rbac:groups=ocs.openshift.io,resources=*,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=ceph.rook.io,resources=cephclusters;cephblockpools;cephfilesystems;cephnfses;cephobjectstores;cephobjectstoreusers;cephrbdmirrors;cephblockpoolradosnamespaces,verbs=get;list;watch;create;update;delete
// +kubebuilder:rbac:groups=noobaa.io,resources=noobaas,verbs=get;list;watch;create;update;delete
// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch;create;delete;get;list
// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch;create;update;delete;get;list
// +kubebuilder:rbac:groups=core,resources=pods;services;serviceaccounts;endpoints;persistentvolumes;persistentvolumeclaims;events;configmaps;secrets;nodes,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get
// +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs=get;list;watch;create;update;delete
25 changes: 24 additions & 1 deletion controllers/storagecluster/storageclasses.go
Expand Up @@ -27,6 +27,7 @@ const (

//storage class driver name prefix
storageclassDriverNamePrefix = "openshift-storage"
keyRotationEnableAnnotation = "keyrotation.csiaddons.openshift.io/enable"
)

var (
Expand Down Expand Up @@ -198,6 +199,7 @@ func (r *StorageClusterReconciler) createStorageClasses(sccs []StorageClassConfi
}
}

scRecreated := false
existing := &storagev1.StorageClass{}
err := r.Client.Get(context.TODO(), types.NamespacedName{Name: sc.Name, Namespace: sc.Namespace}, existing)

Expand Down Expand Up @@ -232,6 +234,20 @@ func (r *StorageClusterReconciler) createStorageClasses(sccs []StorageClassConfi
r.Log.Info("Failed to create StorageClass.", "StorageClass", klog.KRef(sc.Namespace, sc.Name))
return err
}
scRecreated = true
}
if !scRecreated {
// Delete existing key rotation annotation and set it on sc only when it is false
delete(existing.Annotations, keyRotationEnableAnnotation)
if krState := sc.GetAnnotations()[keyRotationEnableAnnotation]; krState == "false" {
util.AddAnnotation(existing, keyRotationEnableAnnotation, krState)
}

err = r.Client.Update(context.TODO(), existing)
if err != nil {
r.Log.Error(err, "Failed to update annotations on the StorageClass.", "StorageClass", klog.KRef(sc.Namespace, existing.Name))
return err
}
}
}
}
Expand Down Expand Up @@ -314,6 +330,9 @@ func newCephBlockPoolStorageClassConfiguration(initData *ocsv1.StorageCluster) S
if initData.Spec.ManagedResources.CephBlockPools.DefaultStorageClass {
scc.storageClass.Annotations[defaultStorageClassAnnotation] = "true"
}
if initData.GetAnnotations()[keyRotationEnableAnnotation] == "false" {
util.AddAnnotation(scc.storageClass, keyRotationEnableAnnotation, "false")
}
return scc
}

Expand All @@ -336,7 +355,7 @@ func newNonResilientCephBlockPoolStorageClassConfiguration(initData *ocsv1.Stora
persistentVolumeReclaimDelete := corev1.PersistentVolumeReclaimDelete
allowVolumeExpansion := true
volumeBindingWaitForFirstConsumer := storagev1.VolumeBindingWaitForFirstConsumer
return StorageClassConfiguration{
scc := StorageClassConfiguration{
storageClass: &storagev1.StorageClass{
ObjectMeta: metav1.ObjectMeta{
Name: util.GenerateNameForNonResilientCephBlockPoolSC(initData),
Expand Down Expand Up @@ -366,6 +385,10 @@ func newNonResilientCephBlockPoolStorageClassConfiguration(initData *ocsv1.Stora
},
isClusterExternal: initData.Spec.ExternalStorage.Enable,
}
if initData.GetAnnotations()[keyRotationEnableAnnotation] == "false" {
util.AddAnnotation(scc.storageClass, keyRotationEnableAnnotation, "false")
}
return scc
}

// newCephNFSStorageClassConfiguration generates configuration options for a Ceph NFS StorageClass.
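Review bot: The `if !scRecreated` branch issues `r.Client.Update` for every StorageClass on every reconcile, even when the key-rotation annotation is already in the desired state, so each reconcile becomes one write per StorageClass and churns resourceVersion and watch events for no change. Compare the current and desired annotation first and call Update only on a difference; createStorageClasses starts and ends outside the hunk, and the not-found/create path between the Get and this branch is not visible, so also confirm that path cannot reach the branch with an empty `existing`. Disabling key rotation is a security-relevant downgrade, so the write that applies it deserves an audit line such as `r.Log.Info("Key rotation disabled by StorageCluster annotation", "StorageClass", klog.KRef(sc.Namespace, existing.Name))`. The identical `initData.GetAnnotations()[keyRotationEnableAnnotation] == "false"` block in the CephBlockPool and non-resilient constructors later in the file could be one small helper.
```go
// … unchanged: Get, compare and recreate logic …
if !scRecreated {
	// Write only when the annotation actually changes; avoids an Update per reconcile.
	desired := sc.GetAnnotations()[keyRotationEnableAnnotation]
	current, hasCurrent := existing.GetAnnotations()[keyRotationEnableAnnotation]
	changed := false
	switch {
	case desired == "false" && current != "false":
		util.AddAnnotation(existing, keyRotationEnableAnnotation, "false")
		r.Log.Info("Key rotation disabled by StorageCluster annotation", "StorageClass", klog.KRef(sc.Namespace, existing.Name))
		changed = true
	case desired != "false" && hasCurrent:
		delete(existing.Annotations, keyRotationEnableAnnotation)
		changed = true
	}
	if changed {
		err = r.Client.Update(context.TODO(), existing)
		if err != nil {
			r.Log.Error(err, "Failed to update annotations on the StorageClass.", "StorageClass", klog.KRef(sc.Namespace, existing.Name))
			return err
		}
	}
}
```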
1 change: 1 addition & 0 deletions deploy/csv-templates/ocs-operator.csv.yaml.in
Expand Up @@ -489,6 +489,7 @@ spec:
- delete
- get
- list
- update
- watch
- apiGroups:
- template.openshift.io
Expand Up @@ -498,6 +498,7 @@ spec:
- delete
- get
- list
- update
- watch
- apiGroups:
- template.openshift.io