Skip to content

Add option to disable KeyRotation#659

Merged
mergify[bot] merged 2 commits into
csi-addons:mainfrom
black-dragon74:add-disable-keyrotation
Nov 4, 2024
Merged

Add option to disable KeyRotation#659
mergify[bot] merged 2 commits into
csi-addons:mainfrom
black-dragon74:add-disable-keyrotation

Conversation

@black-dragon74

@black-dragon74 black-dragon74 commented Sep 3, 2024
edited
Loading

Copy link
Copy Markdown
Member

This patch adds the option to disable the keyrotation
by annotating the storageclasses, namespaces or PVCs
with: keyrotation.csiaddons-opneshift.io/enable: false

@black-dragon74

black-dragon74 commented Sep 3, 2024
edited
Loading

Copy link
Copy Markdown
Member Author

Testing

Using RBACs

// Logs: Set suspend to true
2024-10-29T10:27:02.132Z        INFO    encryptionkeyrotationcronjob is suspended, skipping scheduling  {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1730197551","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1730197551", "reconcileID": "08e25193-6666-4c6c-bd51-322bdc89fd2b"}

// Logs: Set suspend back to false
2024-10-29T10:27:17.789Z        INFO    no upcoming schedule, requeue with delay until next run {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1730197551","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1730197551", "reconcileID": "711f0dd6-a245-48f6-a9d8-21bc5c5be4b8", "now": "2024-10-29T10:27:17.789Z", "nextRun": "2024-10-29T10:30:00.000Z"}

Using annotations

Disable key rotation

❯ oc get encryptionkeyrotationcronjobs
NAME                 SCHEDULE       SUSPEND   ACTIVE   LASTSCHEDULE   AGE
rbd-pvc-1730200402   */22 * * * *                                     6s

❯ oc annotate sc/rook-ceph-block "keyrotation.csiaddons.openshift.io/enable=false" --overwrite
storageclass.storage.k8s.io/rook-ceph-block annotated

❯ oc get encryptionkeyrotationcronjobs
No resources found in rook-ceph namespace.
Logs:
2024-10-29T11:13:35.066Z        INFO    EncryptionKeyRotationCronJob is disabled by annotation, exiting reconcile       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a31369ac-84f7-4d04-b4fa-9b2ef5aa9666", "EncryptionKeyrotationCronJobName": "rbd-pvc-1730200402"}
2024-10-29T11:13:35.067Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a31369ac-84f7-4d04-b4fa-9b2ef5aa9666", "EncryptionKeyrotationCronJobName": "rbd-pvc-1730200402", "SchedulePrecedence": "sc-only"}
2024-10-29T11:13:35.067Z        INFO    Annotation not set, exiting reconcile   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a31369ac-84f7-4d04-b4fa-9b2ef5aa9666", "EncryptionKeyrotationCronJobName": "rbd-pvc-1730200402"}
2024-10-29T11:13:35.067Z        INFO    encryptionkeyrotationcronjob resource not found {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1730200402","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1730200402", "reconcileID": "b301917b-02fd-477b-b3dc-2b82a921cb3b"}

Enable key rotation

❯ oc annotate sc/rook-ceph-block "keyrotation.csiaddons.openshift.io/enable=true" --overwrite
storageclass.storage.k8s.io/rook-ceph-block annotated

❯ oc get encryptionkeyrotationcronjobs
NAME                 SCHEDULE       SUSPEND   ACTIVE   LASTSCHEDULE   AGE
rbd-pvc-1730200430   */22 * * * *                                     3
Logs:
2024-10-29T11:13:50.058Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a2609602-7e78-4225-9abc-e900c7a3ec8c", "SchedulePrecedence": "sc-only"}
2024-10-29T11:13:50.058Z        INFO    Adding annotation       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a2609602-7e78-4225-9abc-e900c7a3ec8c", "KeyRotationSchedule": "*/22 * * * *", "Annotation": "{\"metadata\":{\"annotations\":{\"keyrotation.csiaddons.openshift.io/cronjob\":\"rbd-pvc-1730200430\",\"keyrotation.csiaddons.openshift.io/schedule\":\"*/22 * * * *\"}}}"}
2024-10-29T11:13:50.077Z        INFO    successfully created new encryptionkeyrotationcronjob   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a2609602-7e78-4225-9abc-e900c7a3ec8c", "KeyRotationSchedule": "*/22 * * * *"}

Madhu-1
Madhu-1 reviewed Sep 3, 2024
View reviewed changes
Comment thread internal/controller/csiaddons/persistentvolumeclaim_controller.go
Madhu-1
Madhu-1 reviewed Sep 16, 2024
View reviewed changes
Comment thread internal/controller/csiaddons/persistentvolumeclaim_controller.go Outdated
Comment thread internal/controller/csiaddons/persistentvolumeclaim_controller.go Outdated
Comment thread internal/controller/csiaddons/persistentvolumeclaim_controller.go Outdated
@black-dragon74 black-dragon74 force-pushed the add-disable-keyrotation branch 2 times, most recently from 03c777a to b457994 Compare September 17, 2024 11:56
nixpanic
nixpanic requested changes Oct 15, 2024
View reviewed changes
Comment thread internal/controller/csiaddons/persistentvolumeclaim_controller.go Outdated
Comment thread internal/controller/csiaddons/persistentvolumeclaim_controller.go Outdated
Comment thread internal/controller/csiaddons/persistentvolumeclaim_controller.go Outdated
@nixpanic

nixpanic commented Oct 15, 2024

Copy link
Copy Markdown
Member

Also don't forget to add the new annotation to the documentation!

@black-dragon74 black-dragon74 force-pushed the add-disable-keyrotation branch 2 times, most recently from 726852e to cd47c4e Compare October 24, 2024 09:41
iPraveenParihar
iPraveenParihar reviewed Oct 29, 2024
View reviewed changes
Comment thread internal/controller/csiaddons/persistentvolumeclaim_controller.go
iPraveenParihar
iPraveenParihar reviewed Oct 29, 2024
View reviewed changes
Comment thread internal/controller/csiaddons/persistentvolumeclaim_controller.go Outdated
@black-dragon74 black-dragon74 force-pushed the add-disable-keyrotation branch 2 times, most recently from af0d57d to 8323b96 Compare October 29, 2024 09:35
@black-dragon74 black-dragon74 force-pushed the add-disable-keyrotation branch from 8323b96 to b450029 Compare October 29, 2024 11:25
@iPraveenParihar

iPraveenParihar commented Oct 29, 2024

Copy link
Copy Markdown
Member

LGTM, @black-dragon74 please add doc for disable option.

@black-dragon74 black-dragon74 force-pushed the add-disable-keyrotation branch 2 times, most recently from 99e723c to 27be7bc Compare October 30, 2024 05:45
Madhu-1
Madhu-1 reviewed Oct 30, 2024
View reviewed changes

@Madhu-1 Madhu-1 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Madhu-1

Madhu-1 commented Oct 30, 2024

Copy link
Copy Markdown
Member

@nixpanic PTAL

nixpanic
nixpanic approved these changes Nov 1, 2024
View reviewed changes

@nixpanic nixpanic left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@Madhu-1

Madhu-1 commented Nov 4, 2024

Copy link
Copy Markdown
Member

@Mergifyio rebase

@black-dragon74 @Madhu-1
Add option to disable KeyRotation
36db15b 
This commit adds the option to disable the keyrotation
by annotating the storageclasses, namespaces or PVCs
with:`keyrotation.csiaddons-opneshift.io/enable: false`

Signed-off-by: Niraj Yadav <niryadav@redhat.com>
@black-dragon74 @Madhu-1
update docs for disabling key rotation
54fb0a8 
Signed-off-by: Niraj Yadav <niryadav@redhat.com>
@mergify

mergify Bot commented Nov 4, 2024

Copy link
Copy Markdown

rebase

✅ Branch has been successfully rebased

@Madhu-1 Madhu-1 force-pushed the add-disable-keyrotation branch from 27be7bc to 54fb0a8 Compare November 4, 2024 06:54
@mergify mergify Bot merged commit 8762dfa into csi-addons:main Nov 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nixpanic nixpanic nixpanic approved these changes

@Madhu-1 Madhu-1 Madhu-1 approved these changes

@Rakshith-R Rakshith-R Awaiting requested review from Rakshith-R

@yati1998 yati1998 Awaiting requested review from yati1998

@iPraveenParihar iPraveenParihar Awaiting requested review from iPraveenParihar

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@black-dragon74 @nixpanic @iPraveenParihar @Madhu-1