Merge pull request #2817 from black-dragon74/kr-disable-rbd

rbd: Allow user to disable key rotation
red-hat-storage · Nov 14, 2024 · a568b2a · a568b2a
2 parents 3f01d01 + b8a742e
commit a568b2a
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 2 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -318,6 +318,7 @@ rules:
   - delete
   - get
   - list
+  - update
   - watch
 - apiGroups:
   - template.openshift.io

diff --git a/controllers/defaults/defaults.go b/controllers/defaults/defaults.go
@@ -19,6 +19,11 @@ const (
 	// KubeMinorTopologySpreadConstraints is the minimum minor kube version to support TSC
 	// used along with KubeMajorTSC for version comparison
 	KubeMinorTopologySpreadConstraints = "19"
+	// This annotation is used by both StorageCluster and StorageClass to specify whether
+	// the key rotation feature is enabled. Users can add this annotation to StorageCluster
+	// with a value of "false" to disable key rotation. When present, this annotation is then
+	// propagated to the associated StorageClasses.
+	KeyRotationEnableAnnotation = "keyrotation.csiaddons.openshift.io/enable"
 )
 
 var (

diff --git a/controllers/storagecluster/reconcile.go b/controllers/storagecluster/reconcile.go
@@ -116,7 +116,7 @@ var validTopologyLabelKeys = []string{
 // +kubebuilder:rbac:groups=ocs.openshift.io,resources=*,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=ceph.rook.io,resources=cephclusters;cephblockpools;cephfilesystems;cephnfses;cephobjectstores;cephobjectstoreusers;cephrbdmirrors;cephblockpoolradosnamespaces,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=noobaa.io,resources=noobaas,verbs=get;list;watch;create;update;delete
-// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch;create;delete;get;list
+// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch;create;update;delete;get;list
 // +kubebuilder:rbac:groups=core,resources=pods;services;serviceaccounts;endpoints;persistentvolumes;persistentvolumeclaims;events;configmaps;secrets;nodes,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get
 // +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs=get;list;watch;create;update;delete

diff --git a/controllers/storagecluster/storageclasses.go b/controllers/storagecluster/storageclasses.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	ocsv1 "github.com/red-hat-storage/ocs-operator/api/v4/v1"
+	"github.com/red-hat-storage/ocs-operator/v4/controllers/defaults"
 	"github.com/red-hat-storage/ocs-operator/v4/controllers/platform"
 	"github.com/red-hat-storage/ocs-operator/v4/controllers/util"
 	cephv1 "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
@@ -198,6 +199,7 @@ func (r *StorageClusterReconciler) createStorageClasses(sccs []StorageClassConfi
 			}
 		}
 
+		scRecreated := false
 		existing := &storagev1.StorageClass{}
 		err := r.Client.Get(context.TODO(), types.NamespacedName{Name: sc.Name, Namespace: sc.Namespace}, existing)
 
@@ -232,6 +234,20 @@ func (r *StorageClusterReconciler) createStorageClasses(sccs []StorageClassConfi
 					r.Log.Info("Failed to create StorageClass.", "StorageClass", klog.KRef(sc.Namespace, sc.Name))
 					return err
 				}
+				scRecreated = true
+			}
+			if !scRecreated {
+				// Delete existing key rotation annotation and set it on sc only when it is false
+				delete(existing.Annotations, defaults.KeyRotationEnableAnnotation)
+				if krState := sc.GetAnnotations()[defaults.KeyRotationEnableAnnotation]; krState == "false" {
+					util.AddAnnotation(existing, defaults.KeyRotationEnableAnnotation, krState)
+				}
+
+				err = r.Client.Update(context.TODO(), existing)
+				if err != nil {
+					r.Log.Error(err, "Failed to update annotations on the StorageClass.", "StorageClass", klog.KRef(sc.Namespace, existing.Name))
+					return err
+				}
 			}
 		}
 	}
@@ -314,6 +330,9 @@ func newCephBlockPoolStorageClassConfiguration(initData *ocsv1.StorageCluster) S
 	if initData.Spec.ManagedResources.CephBlockPools.DefaultStorageClass {
 		scc.storageClass.Annotations[defaultStorageClassAnnotation] = "true"
 	}
+	if initData.GetAnnotations()[defaults.KeyRotationEnableAnnotation] == "false" {
+		util.AddAnnotation(scc.storageClass, defaults.KeyRotationEnableAnnotation, "false")
+	}
 	return scc
 }
 
@@ -336,7 +355,7 @@ func newNonResilientCephBlockPoolStorageClassConfiguration(initData *ocsv1.Stora
 	persistentVolumeReclaimDelete := corev1.PersistentVolumeReclaimDelete
 	allowVolumeExpansion := true
 	volumeBindingWaitForFirstConsumer := storagev1.VolumeBindingWaitForFirstConsumer
-	return StorageClassConfiguration{
+	scc := StorageClassConfiguration{
 		storageClass: &storagev1.StorageClass{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: util.GenerateNameForNonResilientCephBlockPoolSC(initData),
@@ -366,6 +385,10 @@ func newNonResilientCephBlockPoolStorageClassConfiguration(initData *ocsv1.Stora
 		},
 		isClusterExternal: initData.Spec.ExternalStorage.Enable,
 	}
+	if initData.GetAnnotations()[defaults.KeyRotationEnableAnnotation] == "false" {
+		util.AddAnnotation(scc.storageClass, defaults.KeyRotationEnableAnnotation, "false")
+	}
+	return scc
 }
 
 // newCephNFSStorageClassConfiguration generates configuration options for a Ceph NFS StorageClass.

diff --git a/deploy/csv-templates/ocs-operator.csv.yaml.in b/deploy/csv-templates/ocs-operator.csv.yaml.in
@@ -489,6 +489,7 @@ spec:
           - delete
           - get
           - list
+          - update
           - watch
         - apiGroups:
           - template.openshift.io

diff --git a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
@@ -498,6 +498,7 @@ spec:
           - delete
           - get
           - list
+          - update
           - watch
         - apiGroups:
           - template.openshift.io