From 220f3334e52791d0caee99911a0c1ba03baf0c82 Mon Sep 17 00:00:00 2001
From: Niraj Yadav
Date: Mon, 4 Nov 2024 15:35:31 +0530
Subject: [PATCH] rbd: Allow user to disable key rotation
This patch allows user to disable automatic key rotation by annotating StorageCluster with `keyrotation.csiaddons.openshift.io/enable=false`
Signed-off-by: Niraj Yadav
---
 config/rbac/role.yaml | 1 +
 controllers/storagecluster/reconcile.go | 2 +-
 controllers/storagecluster/storageclasses.go | 25 ++++++++++++++++++-
 deploy/csv-templates/ocs-operator.csv.yaml.in | 1 +
 .../ocs-operator.clusterserviceversion.yaml | 1 +
 5 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 37b26d8457..08ee59544a 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -318,6 +318,7 @@ rules:
 - delete
 - get
 - list
+ - update
 - watch
 - apiGroups:
 - template.openshift.io
diff --git a/controllers/storagecluster/reconcile.go b/controllers/storagecluster/reconcile.go
index 8d89f44655..5ecd8d8350 100644
--- a/controllers/storagecluster/reconcile.go
+++ b/controllers/storagecluster/reconcile.go
@@ -116,7 +116,7 @@ var validTopologyLabelKeys = []string{
 // +kubebuilder:rbac:groups=ocs.openshift.io,resources=*,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=ceph.rook.io,resources=cephclusters;cephblockpools;cephfilesystems;cephnfses;cephobjectstores;cephobjectstoreusers;cephrbdmirrors;cephblockpoolradosnamespaces,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=noobaa.io,resources=noobaas,verbs=get;list;watch;create;update;delete
-// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch;create;delete;get;list
+// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch;create;update;delete;get;list
 // +kubebuilder:rbac:groups=core,resources=pods;services;serviceaccounts;endpoints;persistentvolumes;persistentvolumeclaims;events;configmaps;secrets;nodes,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get
 // +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs=get;list;watch;create;update;delete
diff --git a/controllers/storagecluster/storageclasses.go b/controllers/storagecluster/storageclasses.go
index c708130a25..151f3449e3 100644
--- a/controllers/storagecluster/storageclasses.go
+++ b/controllers/storagecluster/storageclasses.go
@@ -27,6 +27,7 @@ const (
 //storage class driver name prefix
 storageclassDriverNamePrefix = "openshift-storage"
+ keyRotationEnableAnnotation = "keyrotation.csiaddons.openshift.io/enable"
 )
 var (
@@ -198,6 +199,7 @@ func (r *StorageClusterReconciler) createStorageClasses(sccs []StorageClassConfi
 }
 }
+ scRecreated := false
 existing := &storagev1.StorageClass{}
 err := r.Client.Get(context.TODO(), types.NamespacedName{Name: sc.Name, Namespace: sc.Namespace}, existing)
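Review bot: The new constant `keyRotationEnableAnnotation` in the `@@ -27` hunk has no doc comment, and its contract is not obvious from the name: the callers added later in this patch honour only the exact lowercase string `"false"`, and every other value (absent, `"true"`, `"False"`, `"no"`) leaves automatic key rotation enabled. That is the safer default, but it should be stated where the key is defined so the next maintainer does not "fix" the comparison. Suggested comment above the constant: `// keyRotationEnableAnnotation is read from the StorageCluster and mirrored onto the RBD StorageClasses; only the exact value "false" disables automatic key rotation, any other value keeps it enabled.` The const block is cut at both ends of the hunk, so the comment style of its neighbours should be checked against the full file.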
@@ -232,6 +234,20 @@ func (r *StorageClusterReconciler) createStorageClasses(sccs []StorageClassConfi
 r.Log.Info("Failed to create StorageClass.", "StorageClass", klog.KRef(sc.Namespace, sc.Name))
 return err
 }
+ scRecreated = true
+ }
+ if !scRecreated {
+ // Delete existing key rotation annotation and set it on sc only when it is false
+ delete(existing.Annotations, keyRotationEnableAnnotation)
+ if krState := sc.GetAnnotations()[keyRotationEnableAnnotation]; krState == "false" {
+ util.AddAnnotation(existing, keyRotationEnableAnnotation, krState)
+ }
+
+ err = r.Client.Update(context.TODO(), existing)
+ if err != nil {
+ r.Log.Error(err, "Failed to update annotations on the StorageClass.", "StorageClass", klog.KRef(sc.Namespace, existing.Name))
+ return err
+ }
 }
 }
 }
@@ -314,6 +330,9 @@ func newCephBlockPoolStorageClassConfiguration(initData *ocsv1.StorageCluster) S
 if initData.Spec.ManagedResources.CephBlockPools.DefaultStorageClass {
 scc.storageClass.Annotations[defaultStorageClassAnnotation] = "true"
 }
+ if initData.GetAnnotations()[keyRotationEnableAnnotation] == "false" {
+ util.AddAnnotation(scc.storageClass, keyRotationEnableAnnotation, "false")
+ }
 return scc
 }
@@ -336,7 +355,7 @@ func newNonResilientCephBlockPoolStorageClassConfiguration(initData *ocsv1.Stora
 persistentVolumeReclaimDelete := corev1.PersistentVolumeReclaimDelete
 allowVolumeExpansion := true
 volumeBindingWaitForFirstConsumer := storagev1.VolumeBindingWaitForFirstConsumer
- return StorageClassConfiguration{
+ scc := StorageClassConfiguration{
 storageClass: &storagev1.StorageClass{
 ObjectMeta: metav1.ObjectMeta{
 Name: util.GenerateNameForNonResilientCephBlockPoolSC(initData),
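Review bot: In the new `if !scRecreated` branch of createStorageClasses the `r.Client.Update(context.TODO(), existing)` is issued unconditionally, so every reconcile sends one write per StorageClass that was not recreated even when the annotation is already in the desired state, and any stale `existing` turns into a conflict error that aborts the loop for no real change. Record the state before the delete/add with `before, had := existing.Annotations[keyRotationEnableAnnotation]`, then guard the write with `if after, has := existing.Annotations[keyRotationEnableAnnotation]; has != had || after != before {` so the Update (and the error handling under it) runs only when the annotation actually changed. The create branch for a missing StorageClass is outside this hunk; if it is reachable with `scRecreated` still false, `existing` is the empty object returned by the failed Get and the Update would fail there too, so that path is worth confirming. Because propagating `"false"` switches off encryption-key rotation for every volume of that class, an Info log (or event) when the annotation is added or removed would make the posture change visible in the operator logs; the log line in the error path should also use `sc.Name` like the surrounding messages rather than `existing.Name`, which is the same value only after a successful Get. The enclosing function starts and ends outside the hunk.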
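Review bot: The check `if initData.GetAnnotations()[keyRotationEnableAnnotation] == "false" { util.AddAnnotation(scc.storageClass, keyRotationEnableAnnotation, "false") }` added to newCephBlockPoolStorageClassConfiguration is repeated verbatim in newNonResilientCephBlockPoolStorageClassConfiguration (the `@@ -366` hunk), and the same string comparison appears a third time in createStorageClasses. A small helper, e.g. `func isKeyRotationDisabled(sc *ocsv1.StorageCluster) bool { return sc.GetAnnotations()[keyRotationEnableAnnotation] == "false" }`, would keep the three sites from drifting when the accepted value set changes. Both constructor functions start outside their hunks.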
@@ -366,6 +385,10 @@ func newNonResilientCephBlockPoolStorageClassConfiguration(initData *ocsv1.Stora
 },
 isClusterExternal: initData.Spec.ExternalStorage.Enable,
 }
+ if initData.GetAnnotations()[keyRotationEnableAnnotation] == "false" {
+ util.AddAnnotation(scc.storageClass, keyRotationEnableAnnotation, "false")
+ }
+ return scc
 }
 // newCephNFSStorageClassConfiguration generates configuration options for a Ceph NFS StorageClass.
diff --git a/deploy/csv-templates/ocs-operator.csv.yaml.in b/deploy/csv-templates/ocs-operator.csv.yaml.in
index 34a4148d4b..ffa68ff072 100644
--- a/deploy/csv-templates/ocs-operator.csv.yaml.in
+++ b/deploy/csv-templates/ocs-operator.csv.yaml.in
@@ -489,6 +489,7 @@ spec:
 - delete
 - get
 - list
+ - update
 - watch
 - apiGroups:
 - template.openshift.io
diff --git a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
index f2e60e68ce..30a1d7cab1 100644
--- a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
+++ b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
@@ -498,6 +498,7 @@ spec:
 - delete
 - get
 - list
+ - update
 - watch
 - apiGroups:
 - template.openshift.io