diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 37b26d8457..08ee59544a 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -318,6 +318,7 @@ rules:
 - delete
 - get
 - list
+ - update
 - watch
 - apiGroups:
 - template.openshift.io
diff --git a/controllers/defaults/defaults.go b/controllers/defaults/defaults.go
index 6a6842d03e..faa8383d5e 100644
--- a/controllers/defaults/defaults.go
+++ b/controllers/defaults/defaults.go
@@ -19,6 +19,11 @@ const (
 // KubeMinorTopologySpreadConstraints is the minimum minor kube version to support TSC
 // used along with KubeMajorTSC for version comparison
 KubeMinorTopologySpreadConstraints = "19"
+ // This annotation is used by both StorageCluster and StorageClass to specify whether
+ // the key rotation feature is enabled. Users can add this annotation to StorageCluster
+ // with a value of "false" to disable key rotation. When present, this annotation is then
+ // propagated to the associated StorageClasses.
+ KeyRotationEnableAnnotation = "keyrotation.csiaddons.openshift.io/enable"
 )
 
 var (
diff --git a/controllers/storagecluster/reconcile.go b/controllers/storagecluster/reconcile.go
index 8d89f44655..5ecd8d8350 100644
--- a/controllers/storagecluster/reconcile.go
+++ b/controllers/storagecluster/reconcile.go
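Review bot: The doc comment on `KeyRotationEnableAnnotation` overstates the propagation rule: it says the annotation is propagated to StorageClasses "when present", but the storageclasses.go hunks in this commit copy it only when its value is exactly `"false"` and strip any other value from the existing StorageClasses the operator manages. The comment should also start with the identifier so godoc attaches it. Suggested text: `// KeyRotationEnableAnnotation is read from the StorageCluster; only the literal value "false" is propagated to the operator-managed StorageClasses, and any other value on those StorageClasses is removed.` The enclosing const block opens before the hunk.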
@@ -116,7 +116,7 @@ var validTopologyLabelKeys = []string{
 // +kubebuilder:rbac:groups=ocs.openshift.io,resources=*,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=ceph.rook.io,resources=cephclusters;cephblockpools;cephfilesystems;cephnfses;cephobjectstores;cephobjectstoreusers;cephrbdmirrors;cephblockpoolradosnamespaces,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=noobaa.io,resources=noobaas,verbs=get;list;watch;create;update;delete
-// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch;create;delete;get;list
+// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch;create;update;delete;get;list
 // +kubebuilder:rbac:groups=core,resources=pods;services;serviceaccounts;endpoints;persistentvolumes;persistentvolumeclaims;events;configmaps;secrets;nodes,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get
 // +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs=get;list;watch;create;update;delete
diff --git a/controllers/storagecluster/storageclasses.go b/controllers/storagecluster/storageclasses.go
index c708130a25..c54a6634a5 100644
--- a/controllers/storagecluster/storageclasses.go
+++ b/controllers/storagecluster/storageclasses.go
@@ -8,6 +8,7 @@ import (
 "strings"
 
 ocsv1 "github.com/red-hat-storage/ocs-operator/api/v4/v1"
+ "github.com/red-hat-storage/ocs-operator/v4/controllers/defaults"
 "github.com/red-hat-storage/ocs-operator/v4/controllers/platform"
 "github.com/red-hat-storage/ocs-operator/v4/controllers/util"
 cephv1 "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
@@ -198,6 +199,7 @@ func (r *StorageClusterReconciler) createStorageClasses(sccs []StorageClassConfi
 }
 }
 
+ scRecreated := false
 existing := &storagev1.StorageClass{}
 err := r.Client.Get(context.TODO(), types.NamespacedName{Name: sc.Name, Namespace: sc.Namespace}, existing)
 
@@ -232,6 +234,20 @@ func (r *StorageClusterReconciler) createStorageClasses(sccs []StorageClassConfi
 r.Log.Info("Failed to create StorageClass.", "StorageClass", klog.KRef(sc.Namespace, sc.Name))
 return err
 }
+ scRecreated = true
+ }
+ if !scRecreated {
+ // Delete existing key rotation annotation and set it on sc only when it is false
+ delete(existing.Annotations, defaults.KeyRotationEnableAnnotation)
+ if krState := sc.GetAnnotations()[defaults.KeyRotationEnableAnnotation]; krState == "false" {
+ util.AddAnnotation(existing, defaults.KeyRotationEnableAnnotation, krState)
+ }
+
+ err = r.Client.Update(context.TODO(), existing)
+ if err != nil {
+ r.Log.Error(err, "Failed to update annotations on the StorageClass.", "StorageClass", klog.KRef(sc.Namespace, existing.Name))
+ return err
+ }
 }
 }
 }
@@ -314,6 +330,9 @@ func newCephBlockPoolStorageClassConfiguration(initData *ocsv1.StorageCluster) S
 if initData.Spec.ManagedResources.CephBlockPools.DefaultStorageClass {
 scc.storageClass.Annotations[defaultStorageClassAnnotation] = "true"
 }
+ if initData.GetAnnotations()[defaults.KeyRotationEnableAnnotation] == "false" {
+ util.AddAnnotation(scc.storageClass, defaults.KeyRotationEnableAnnotation, "false")
+ }
 return scc
 }
 
@@ -336,7 +355,7 @@ func newNonResilientCephBlockPoolStorageClassConfiguration(initData *ocsv1.Stora
 persistentVolumeReclaimDelete := corev1.PersistentVolumeReclaimDelete
 allowVolumeExpansion := true
 volumeBindingWaitForFirstConsumer := storagev1.VolumeBindingWaitForFirstConsumer
- return StorageClassConfiguration{
+ scc := StorageClassConfiguration{
 storageClass: &storagev1.StorageClass{
 ObjectMeta: metav1.ObjectMeta{
 Name: util.GenerateNameForNonResilientCephBlockPoolSC(initData),
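Review bot: `r.Client.Update(context.TODO(), existing)` in the `!scRecreated` branch is issued unconditionally, so every run of createStorageClasses performs a cluster-scoped write and emits a watch event for each StorageClass whose parameters did not change, even when the annotation is already in the desired state. Capture the value before the `delete`, e.g. `before := existing.Annotations[defaults.KeyRotationEnableAnnotation]`, and guard the update with `if existing.Annotations[defaults.KeyRotationEnableAnnotation] != before {` so only a real change is written. That guard is also the natural place for an Info log naming the StorageClass and the new state, since toggling key rotation is currently silent on success and would otherwise be hard to trace from operator logs. A reviewer would likely also prefer `client.MergeFrom(existing)` with `Patch` here, which writes only the annotation instead of the whole object fetched earlier in the loop; the enclosing function begins before this hunk and its loop body continues past it.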
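Review bot: The three-line key-rotation propagation block added to `newCephBlockPoolStorageClassConfiguration` is duplicated verbatim in `newNonResilientCephBlockPoolStorageClassConfiguration` in the `@@ -366,6 +385,10 @@` hunk, so the StorageCluster-to-StorageClass rule now lives in two places and a future change to the accepted value or the annotation key has to be made twice. A small helper keeps the rule in one spot and gives it a name that documents the "false"-only behaviour; both call sites then become a single line, `setKeyRotationAnnotation(scc.storageClass, initData)`. Both enclosing functions start before their hunks.
```go
// setKeyRotationAnnotation copies an explicit key-rotation opt-out ("false") from the
// StorageCluster onto sc; any other value on the StorageCluster leaves sc untouched.
func setKeyRotationAnnotation(sc *storagev1.StorageClass, initData *ocsv1.StorageCluster) {
	if initData.GetAnnotations()[defaults.KeyRotationEnableAnnotation] == "false" {
		util.AddAnnotation(sc, defaults.KeyRotationEnableAnnotation, "false")
	}
}
```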
@@ -366,6 +385,10 @@ func newNonResilientCephBlockPoolStorageClassConfiguration(initData *ocsv1.Stora
 },
 isClusterExternal: initData.Spec.ExternalStorage.Enable,
 }
+ if initData.GetAnnotations()[defaults.KeyRotationEnableAnnotation] == "false" {
+ util.AddAnnotation(scc.storageClass, defaults.KeyRotationEnableAnnotation, "false")
+ }
+ return scc
 }
 
 // newCephNFSStorageClassConfiguration generates configuration options for a Ceph NFS StorageClass.
diff --git a/deploy/csv-templates/ocs-operator.csv.yaml.in b/deploy/csv-templates/ocs-operator.csv.yaml.in
index 34a4148d4b..ffa68ff072 100644
--- a/deploy/csv-templates/ocs-operator.csv.yaml.in
+++ b/deploy/csv-templates/ocs-operator.csv.yaml.in
@@ -489,6 +489,7 @@ spec:
 - delete
 - get
 - list
+ - update
 - watch
 - apiGroups:
 - template.openshift.io
diff --git a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
index f2e60e68ce..30a1d7cab1 100644
--- a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
+++ b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
@@ -498,6 +498,7 @@ spec:
 - delete
 - get
 - list
+ - update
 - watch
 - apiGroups:
 - template.openshift.io