Update precedence for schedule by black-dragon74 · Pull Request #677 · csi-addons/kubernetes-csi-addons

black-dragon74 · 2024-09-18T14:15:51Z

This patch updates the schedule parsing logic in the following manner:

A new configmap key is added: schedule-precedence. Valid values are: sc-only.
Default is the current implementation we have, that considers the schedule in order of PVC > NS > SC.
sc-first is the new DS specific flag that only considers SCs as source of truth for schedule.
The default if no configmap is present the default will be the current implementation.

This change aims to put the control of managing RS/KR operations to the Storage Admins.

If an application has specific needs, the Admin can grant the necessary RBACs so that the app owner
can modify the schedule on RS/KR CronJobs. One would achive it in the following manner.

Edit the RS/KR CronJob with annotation from csiaddons.openshift.io/state=managed to csiaddons.openshift.io/state=unmanaged
Edit the RS/KR CronJob and update the schedule field.

Once a CronJob has state set to unmanaged, the application owner is in control of the operations.

black-dragon74 · 2024-09-18T14:22:23Z

Info

It was decided to have the precedence like this so that it is easier for the admin to update the schedule on all the PVCs by just updating it on NS or SC. Without it the admin would need to update it on per PVC basis.

Since we do not have a controller that watches NS changes yet, updates to NS would not trigger a reconcile, but if a schedule is present on NS, it will be read and used while reconciling SC or PVC.

Testing

Using precedence: sc-first

❯ oc get pvc
NAME      STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS      VOLUMEATTRIBUTESCLASS   AGE
rbd-pvc   Bound    pvc-9e86fef5-8882-4b0d-83ab-238633614272   1Gi        RWO            rook-ceph-block   <unset>                 3s

// Add annotation to the SC
❯ oc annotate sc/rook-ceph-block "keyrotation.csiaddons.openshift.io/schedule=*/20 * * * *" --overwrite
storageclass.storage.k8s.io/rook-ceph-block annotated

LOGS:
2024-10-08T13:02:59.979Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "4f050e1b-7907-4d66-93e9-cc764f8b2ff4", "SchedulePrecedence": "sc-first"}
2024-10-08T13:02:59.980Z        INFO    Adding annotation       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "4f050e1b-7907-4d66-93e9-cc764f8b2ff4", "KeyRotationSchedule": "*/20 * * * *", "Annotation": "{\"metadata\":{\"annotations\":{\"keyrotation.csiaddons.openshift.io/cronjob\":\"rbd-pvc-1728392579\",\"keyrotation.csiaddons.openshift.io/schedule\":\"*/20 * * * *\"}}}"}
2024-10-08T13:03:00.057Z        INFO    KubeAPIWarningLogger    unknown field "spec.jobTemplate.metadata.creationTimestamp"
2024-10-08T13:03:00.058Z        INFO    successfully created new encryptionkeyrotationcronjob   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "4f050e1b-7907-4d66-93e9-cc764f8b2ff4", "KeyRotationSchedule": "*/20 * * * *"}
2024-10-08T13:03:00.058Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "4f050e1b-7907-4d66-93e9-cc764f8b2ff4", "KeyRotationSchedule": "*/20 * * * *", "SchedulePrecedence": "sc-first"}
2024-10-08T13:03:00.058Z        INFO    Annotation not set, exiting reconcile   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "4f050e1b-7907-4d66-93e9-cc764f8b2ff4", "KeyRotationSchedule": "*/20 * * * *"}
2024-10-08T13:03:00.061Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "bcf874b2-c117-4a36-9ea5-c92dcb63214d", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "SchedulePrecedence": "sc-first"}
2024-10-08T13:03:00.098Z        INFO    no upcoming schedule, requeue with delay until next run {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1728392579","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1728392579", "reconcileID": "78e6b433-d4a4-4dcd-b577-05ff3b7593da", "now": "2024-10-08T13:03:00.098Z", "nextRun": "2024-10-08T13:20:00.000Z"}
2024-10-08T13:03:00.106Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "bcf874b2-c117-4a36-9ea5-c92dcb63214d", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *", "SchedulePrecedence": "sc-first"}
2024-10-08T13:03:00.106Z        INFO    Annotation not set, exiting reconcile   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "bcf874b2-c117-4a36-9ea5-c92dcb63214d", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *"}
2024-10-08T13:03:00.114Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "1bd0fa1e-d559-4b39-b7f1-3903085a1de6", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "SchedulePrecedence": "sc-first"}
2024-10-08T13:03:00.114Z        INFO    no upcoming schedule, requeue with delay until next run {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1728392579","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1728392579", "reconcileID": "0a91a6ea-29eb-461d-9f80-27d95ff55471", "now": "2024-10-08T13:03:00.114Z", "nextRun": "2024-10-08T13:20:00.000Z"}
2024-10-08T13:03:00.125Z        INFO    successfully updated encryptionkeyrotationcronjob       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "1bd0fa1e-d559-4b39-b7f1-3903085a1de6", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *"}
2024-10-08T13:03:00.125Z        INFO    Adding annotation       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "1bd0fa1e-d559-4b39-b7f1-3903085a1de6", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *", "Annotation": "{\"metadata\":{\"annotations\":{\"keyrotation.csiaddons.openshift.io/schedule\":\"*/20 * * * *\"}}}"}
2024-10-08T13:03:00.133Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "1bd0fa1e-d559-4b39-b7f1-3903085a1de6", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *", "SchedulePrecedence": "sc-first"}
2024-10-08T13:03:00.133Z        INFO    Annotation not set, exiting reconcile   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "1bd0fa1e-d559-4b39-b7f1-3903085a1de6", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *"}

❯ oc get encryptionkeyrotationcronjobs
NAME                 SCHEDULE       SUSPEND   ACTIVE   LASTSCHEDULE   AGE
rbd-pvc-1728392579   */20 * * * *                                     6s

// Update shcedule on PVC, it should be overwritten by the value of SC's annotation
❯ oc annotate pvc/rbd-pvc "keyrotation.csiaddons.openshift.io/schedule=*/15 * * * *" --overwrite
persistentvolumeclaim/rbd-pvc annotated

LOGS:
2024-10-08T13:03:54.045Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "9cc22796-743d-4c26-b7ce-d00ce87837d7", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "SchedulePrecedence": "sc-first"}
2024-10-08T13:03:54.076Z        INFO    successfully updated encryptionkeyrotationcronjob       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "9cc22796-743d-4c26-b7ce-d00ce87837d7", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *"}
2024-10-08T13:03:54.076Z        INFO    Adding annotation       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "9cc22796-743d-4c26-b7ce-d00ce87837d7", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *", "Annotation": "{\"metadata\":{\"annotations\":{\"keyrotation.csiaddons.openshift.io/schedule\":\"*/20 * * * *\"}}}"}
2024-10-08T13:03:54.094Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "9cc22796-743d-4c26-b7ce-d00ce87837d7", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *", "SchedulePrecedence": "sc-first"}
2024-10-08T13:03:54.094Z        INFO    Annotation not set, exiting reconcile   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "9cc22796-743d-4c26-b7ce-d00ce87837d7", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *"}
2024-10-08T13:03:54.096Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "d80eefba-858d-4b2c-ac81-051d157b7a0f", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "SchedulePrecedence": "sc-first"}
2024-10-08T13:03:54.109Z        INFO    successfully updated encryptionkeyrotationcronjob       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "d80eefba-858d-4b2c-ac81-051d157b7a0f", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *"}
2024-10-08T13:03:54.110Z        INFO    Adding annotation       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "d80eefba-858d-4b2c-ac81-051d157b7a0f", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *", "Annotation": "{\"metadata\":{\"annotations\":{\"keyrotation.csiaddons.openshift.io/schedule\":\"*/20 * * * *\"}}}"}
2024-10-08T13:03:54.120Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "d80eefba-858d-4b2c-ac81-051d157b7a0f", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *", "SchedulePrecedence": "sc-first"}
2024-10-08T13:03:54.120Z        INFO    Annotation not set, exiting reconcile   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "d80eefba-858d-4b2c-ac81-051d157b7a0f", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579", "KeyRotationSchedule": "*/20 * * * *"}

❯ oc get encryptionkeyrotationcronjobs
NAME                 SCHEDULE       SUSPEND   ACTIVE   LASTSCHEDULE   AGE
rbd-pvc-1728392579   */20 * * * *                                     55s       // */15 was not applied

// Mark the CronJob for exclusion
❯ oc annotate encryptionkeyrotationcronjob/rbd-pvc-1728392579 "keyrotation.csiaddons.openshift.io/exclude=true" --overwrite
encryptionkeyrotationcronjob.csiaddons.openshift.io/rbd-pvc-1728392579 annotated

// Annotate the SC, the new schedule should not reflect on CronJob
❯ oc annotate sc/rook-ceph-block "keyrotation.csiaddons.openshift.io/schedule=*/21 * * * *" --overwrite
storageclass.storage.k8s.io/rook-ceph-block annotated

LOGS:
2024-10-08T13:05:59.654Z        INFO    EncryptionKeyRotationCronJob is managed by the application owner, exiting reconcile     {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "39943113-5966-4cfc-a9ca-b24fa1e6b1d7", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728392579"}

// Edit the schedule manually, it should stay
❯ oc edit encryptionkeyrotationcronjob/rbd-pvc-1728392579
encryptionkeyrotationcronjob.csiaddons.openshift.io/rbd-pvc-1728392579 edited

❯ oc get encryptionkeyrotationcronjobs
NAME                 SCHEDULE       SUSPEND   ACTIVE   LASTSCHEDULE   AGE
rbd-pvc-1728392579   */22 * * * *                                     4m16s     // The schedule is not overwritten

// Remove the exclusion annotation
❯ oc annotate encryptionkeyrotationcronjob/rbd-pvc-1728392579 "keyrotation.csiaddons.openshift.io/exclude-" --overwrite
encryptionkeyrotationcronjob.csiaddons.openshift.io/rbd-pvc-1728392579 annotated

// Annotate the SC, the schedule should now reflect on the CronJob
❯ oc annotate sc/rook-ceph-block "keyrotation.csiaddons.openshift.io/schedule=*/25 * * * *" --overwrite
storageclass.storage.k8s.io/rook-ceph-block annotated

❯ oc get encryptionkeyrotationcronjobs
NAME                 SCHEDULE       SUSPEND   ACTIVE   LASTSCHEDULE   AGE
rbd-pvc-1728392579   */25 * * * *                                     5m58s

Using Precedence: pvc-first

// Annotate the SC
❯ oc annotate sc/rook-ceph-block "keyrotation.csiaddons.openshift.io/schedule=*/25 * * * *" --overwrite
storageclass.storage.k8s.io/rook-ceph-block annotated

❯ oc get encryptionkeyrotationcronjobs
NAME                 SCHEDULE       SUSPEND   ACTIVE   LASTSCHEDULE   AGE
rbd-pvc-1728394208   */25 * * * *                                     14s

// Logs
2024-10-08T13:30:08.778Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "fcde44ec-6b2e-48e9-be9c-2ff31236c9b5", "SchedulePrecedence": "pvc-first"}
2024-10-08T13:30:08.778Z        INFO    Adding annotation       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "fcde44ec-6b2e-48e9-be9c-2ff31236c9b5", "KeyRotationSchedule": "*/25 * * * *", "Annotation": "{\"metadata\":{\"annotations\":{\"keyrotation.csiaddons.openshift.io/cronjob\":\"rbd-pvc-1728394208\",\"keyrotation.csiaddons.openshift.io/schedule\":\"*/25 * * * *\"}}}"}
2024-10-08T13:30:08.806Z        INFO    successfully created new encryptionkeyrotationcronjob   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "fcde44ec-6b2e-48e9-be9c-2ff31236c9b5", "KeyRotationSchedule": "*/25 * * * *"}
2024-10-08T13:30:08.806Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "fcde44ec-6b2e-48e9-be9c-2ff31236c9b5", "KeyRotationSchedule": "*/25 * * * *", "SchedulePrecedence": "pvc-first"}
2024-10-08T13:30:08.806Z        INFO    Annotation not set, exiting reconcile   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "fcde44ec-6b2e-48e9-be9c-2ff31236c9b5", "KeyRotationSchedule": "*/25 * * * *"}
2024-10-08T13:30:08.809Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "809eb196-0033-40ad-aa43-fa79cb2ff176", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "SchedulePrecedence": "pvc-first"}
2024-10-08T13:30:08.829Z        INFO    no upcoming schedule, requeue with delay until next run {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1728394208","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1728394208", "reconcileID": "5748b8bf-61e3-4d45-bce8-ecbcc92303af", "now": "2024-10-08T13:30:08.829Z", "nextRun": "2024-10-08T13:50:00.000Z"}
2024-10-08T13:30:08.830Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "809eb196-0033-40ad-aa43-fa79cb2ff176", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/25 * * * *", "SchedulePrecedence": "pvc-first"}
2024-10-08T13:30:08.830Z        INFO    Annotation not set, exiting reconcile   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "809eb196-0033-40ad-aa43-fa79cb2ff176", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/25 * * * *"}
2024-10-08T13:30:08.830Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "b44fd3a0-7127-42ea-9915-332ae0e81e24", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "SchedulePrecedence": "pvc-first"}
2024-10-08T13:30:08.843Z        INFO    no upcoming schedule, requeue with delay until next run {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1728394208","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1728394208", "reconcileID": "56c72f8f-9241-4609-8416-b14a700fe527", "now": "2024-10-08T13:30:08.843Z", "nextRun": "2024-10-08T13:50:00.000Z"}
2024-10-08T13:30:08.848Z        INFO    successfully updated encryptionkeyrotationcronjob       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "b44fd3a0-7127-42ea-9915-332ae0e81e24", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/25 * * * *"}
2024-10-08T13:30:08.848Z        INFO    Adding annotation       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "b44fd3a0-7127-42ea-9915-332ae0e81e24", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/25 * * * *", "Annotation": "{\"metadata\":{\"annotations\":{\"keyrotation.csiaddons.openshift.io/schedule\":\"*/25 * * * *\"}}}"}
2024-10-08T13:30:08.855Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "b44fd3a0-7127-42ea-9915-332ae0e81e24", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/25 * * * *", "SchedulePrecedence": "pvc-first"}
2024-10-08T13:30:08.855Z        INFO    Annotation not set, exiting reconcile   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "b44fd3a0-7127-42ea-9915-332ae0e81e24", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/25 * * * *"}
2024-10-08T13:30:08.856Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "9cc3d55d-79af-4fc9-8f07-833a354dc805", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "SchedulePrecedence": "pvc-first"}
2024-10-08T13:30:08.863Z        INFO    successfully updated encryptionkeyrotationcronjob       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "9cc3d55d-79af-4fc9-8f07-833a354dc805", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/25 * * * *"}
2024-10-08T13:30:08.863Z        INFO    Adding annotation       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "9cc3d55d-79af-4fc9-8f07-833a354dc805", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/25 * * * *", "Annotation": "{\"metadata\":{\"annotations\":{\"keyrotation.csiaddons.openshift.io/schedule\":\"*/25 * * * *\"}}}"}
2024-10-08T13:30:08.871Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "9cc3d55d-79af-4fc9-8f07-833a354dc805", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/25 * * * *", "SchedulePrecedence": "pvc-first"}
2024-10-08T13:30:08.871Z        INFO    Annotation not set, exiting reconcile   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "9cc3d55d-79af-4fc9-8f07-833a354dc805", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/25 * * * *"}

// Annotate the PVC
❯ oc annotate pvc/rbd-pvc "keyrotation.csiaddons.openshift.io/schedule=*/26 * * * *" --overwrite
persistentvolumeclaim/rbd-pvc annotated

❯ oc get encryptionkeyrotationcronjobs
NAME                 SCHEDULE       SUSPEND   ACTIVE   LASTSCHEDULE   AGE
rbd-pvc-1728394208   */26 * * * *                                     44s

// Logs
2024-10-08T13:30:45.953Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "69f4b3cb-87bf-428c-9f63-4f2062996568", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "SchedulePrecedence": "pvc-first"}
2024-10-08T13:30:45.970Z        INFO    successfully updated encryptionkeyrotationcronjob       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "69f4b3cb-87bf-428c-9f63-4f2062996568", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/26 * * * *"}
2024-10-08T13:30:45.970Z        INFO    Adding annotation       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "69f4b3cb-87bf-428c-9f63-4f2062996568", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/26 * * * *", "Annotation": "{\"metadata\":{\"annotations\":{\"keyrotation.csiaddons.openshift.io/schedule\":\"*/26 * * * *\"}}}"}
2024-10-08T13:30:45.981Z        INFO    no upcoming schedule, requeue with delay until next run {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1728394208","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1728394208", "reconcileID": "a73844b1-25e1-4896-8467-c53a4427f2c2", "now": "2024-10-08T13:30:45.981Z", "nextRun": "2024-10-08T13:52:00.000Z"}


// Update schedule on SC, should have no effect on the PVC schedule
❯ oc annotate sc/rook-ceph-block "keyrotation.csiaddons.openshift.io/schedule=*/22 * * * *" --overwrite
storageclass.storage.k8s.io/rook-ceph-block annotated

❯ oc get encryptionkeyrotationcronjobs
NAME                 SCHEDULE       SUSPEND   ACTIVE   LASTSCHEDULE   AGE
rbd-pvc-1728394208   */26 * * * *                                     80s

// Logs
2024-10-08T13:31:26.773Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a1e0d4c8-670b-413e-a145-d28f3528f0d2", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "SchedulePrecedence": "pvc-first"}
2024-10-08T13:31:26.786Z        INFO    successfully updated encryptionkeyrotationcronjob       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a1e0d4c8-670b-413e-a145-d28f3528f0d2", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/26 * * * *"}
2024-10-08T13:31:26.786Z        INFO    Adding annotation       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a1e0d4c8-670b-413e-a145-d28f3528f0d2", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/26 * * * *", "Annotation": "{\"metadata\":{\"annotations\":{\"keyrotation.csiaddons.openshift.io/schedule\":\"*/26 * * * *\"}}}"}


// Add the exclude annotation
❯ oc annotate encryptionkeyrotationcronjob/rbd-pvc-1728394208 "keyrotation.csiaddons.openshift.io/exclude=true" --overwrite
encryptionkeyrotationcronjob.csiaddons.openshift.io/rbd-pvc-1728394208 annotated

❯ oc get encryptionkeyrotationcronjobs
NAME                 SCHEDULE       SUSPEND   ACTIVE   LASTSCHEDULE   AGE
rbd-pvc-1728394208   */26 * * * *                                     2m7s

// Logs
2024-10-08T13:31:52.823Z        INFO    no upcoming schedule, requeue with delay until next run {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1728394208","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1728394208", "reconcileID": "33d9c552-fc61-4229-9f50-6c1f808869d5", "now": "2024-10-08T13:31:52.823Z", "nextRun": "2024-10-08T13:52:00.000Z"}


// Update the schedule manually on the CronJOb now
❯ oc edit encryptionkeyrotationcronjob/rbd-pvc-1728394208
encryptionkeyrotationcronjob.csiaddons.openshift.io/rbd-pvc-1728394208 edited

❯ oc get encryptionkeyrotationcronjobs
NAME                 SCHEDULE       SUSPEND   ACTIVE   LASTSCHEDULE   AGE
rbd-pvc-1728394208   */19 * * * *                                     2m33s

// Logs
2024-10-08T13:32:39.362Z        INFO    no upcoming schedule, requeue with delay until next run {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1728394208","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1728394208", "reconcileID": "8835ccfe-c7d3-4667-be51-bb34c79c37bb", "now": "2024-10-08T13:32:39.362Z", "nextRun": "2024-10-08T13:38:00.000Z"}


// Update the PVC schedule, should have no effect on cronjob schedule
❯ oc annotate pvc/rbd-pvc "keyrotation.csiaddons.openshift.io/schedule=*/18 * * * *" --overwrite
persistentvolumeclaim/rbd-pvc annotated

❯ oc get encryptionkeyrotationcronjobs
NAME                 SCHEDULE       SUSPEND   ACTIVE   LASTSCHEDULE   AGE
rbd-pvc-1728394208   */19 * * * *                                     3m18s

// Logs
2024-10-08T13:33:24.640Z        INFO    EncryptionKeyRotationCronJob is managed by the application owner, exiting reconcile     {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "7b154e75-04af-409e-8fdd-191d84faca83", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208"}

// Remove the exclude annotation
❯ oc annotate encryptionkeyrotationcronjob/rbd-pvc-1728394208 "keyrotation.csiaddons.openshift.io/exclude-" --overwrite
encryptionkeyrotationcronjob.csiaddons.openshift.io/rbd-pvc-1728394208 annotated

// Logs
2024-10-08T13:33:52.335Z        INFO    no upcoming schedule, requeue with delay until next run {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1728394208","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1728394208", "reconcileID": "83d6fecf-2c6d-4dd0-ad92-b22cb6d4fb78", "now": "2024-10-08T13:33:52.335Z", "nextRun": "2024-10-08T13:38:00.000Z"}


// Update the pvc scheudle now, it should update on cronjob as well
❯ oc annotate pvc/rbd-pvc "keyrotation.csiaddons.openshift.io/schedule=*/17 * * * *" --overwrite
persistentvolumeclaim/rbd-pvc annotated

❯ oc get encryptionkeyrotationcronjobs
NAME                 SCHEDULE       SUSPEND   ACTIVE   LASTSCHEDULE   AGE
rbd-pvc-1728394208   */17 * * * *                      19s            4m11s

// Logs
2024-10-08T13:34:17.378Z        INFO    Determining schedule using precedence   {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "860ed599-e5d7-40e0-9a54-6639edcec020", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "SchedulePrecedence": "pvc-first"}
2024-10-08T13:34:17.395Z        INFO    successfully updated encryptionkeyrotationcronjob       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "860ed599-e5d7-40e0-9a54-6639edcec020", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/17 * * * *"}
2024-10-08T13:34:17.395Z        INFO    Adding annotation       {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "860ed599-e5d7-40e0-9a54-6639edcec020", "EncryptionKeyrotationCronJobName": "rbd-pvc-1728394208", "KeyRotationSchedule": "*/17 * * * *", "Annotation": "{\"metadata\":{\"annotations\":{\"keyrotation.csiaddons.openshift.io/schedule\":\"*/17 * * * *\"}}}"}
2024-10-08T13:34:17.431Z        INFO    no upcoming schedule, requeue with delay until next run {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1728394208","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1728394208", "reconcileID": "32764d25-3673-4e05-8c77-be29e0da6b13", "now": "2024-10-08T13:34:17.431Z", "nextRun": "2024-10-08T13:51:00.000Z"}

Regards

Rakshith-R

This patch enhances the parsing logic of the schedule within annotations to establish the following precedence: NS > SC > PVC.

This adjustment applies to both key rotation and reclaim space processes.

The schedule indicated in the PVC annotations will consistently reflect the value of the highest precedence.

Any manual modifications to this schedule will be overwritten.

Where was this decided ?

nixpanic · 2024-10-02T16:39:07Z

As we had a meeting about this, it would be good to include a summary of the discussion in this PR.

From what I remember, we want to prevent users (non admins) from interfering with space reclaim, which needs:

an option to disable using annotations on PVCs and Namespaces
an option for admins to allow users to create (or modify) the ReclaimSpaceJob/ReclaimSpaceCronJob in their namespace
backwards compatible, so an optional setting in the ConfigMap for the operator, default to current behavior

... did I forget something?

Rakshith-R · 2024-10-10T09:27:27Z

+		// DS flag, read only from the SC
+		if schedule = r.getScheduleFromSC(ctx, pvc, logger, annotationKey); schedule != "" {
+			return schedule, nil
+		}


The option should be SC-only instead pvc-first/sc-first?

This would make is a lot simpler.

@black-dragon74 @Madhu-1 ?

I agree. Having one mode of operation is always better... But it was the general consensus to preserve the existing (current) functionality.

I agree. Having one mode of operation is always better... But it was the general consensus to preserve the existing (current) functionality.

I meant SC-only option which toggles between pvc>ns>sc and only sc annotation.

Ah, right. Makes sense :)

// DS flag, read only from the SC

This comment should be present. The option can be used by all users.

IG you meant shouldn't be present? Removed it.

Rakshith-R · 2024-10-10T09:30:03Z

+		if _, ok := krcJob.GetAnnotations()[krcJobExcludeAnnotation]; ok {
+			logger.Info("EncryptionKeyRotationCronJob has exclude annotation set, exiting reconcile")
+			return nil
+		}


Have you considered using suspend functionality https://github.com/csi-addons/kubernetes-csi-addons/blob/main/api/csiaddons/v1alpha1/reclaimspacecronjob_types.go#L59-L62 instead of exclude annotation ?

Yes. The /exclude annotation serves the purpose of not overwriting the user modifications in a next reconcile. It is a way for the user to tell the reconciler that he/she wants to have control over the CR. Without it the suspend value would be reset (to false) in a subsequent reconcile.

@black-dragon74, instead of /exclude annotation can we just update suspend field from existing CronJob when updating the CronJob?

kubernetes-csi-addons/internal/controller/csiaddons/persistentvolumeclaim_controller.go

Lines 629 to 647 in 598d50f

if rsCronJob != nil {

newRSCronJob := constructRSCronJob(rsCronJob.Name, req.Namespace, schedule, pvc.Name)

if reflect.DeepEqual(newRSCronJob.Spec, rsCronJob.Spec) {

logger.Info("No change in reclaimSpaceCronJob.Spec, exiting reconcile")

return ctrl.Result{}, nil

}

// update rsCronJob spec

rsCronJob.Spec = newRSCronJob.Spec

err = r.Client.Update(ctx, rsCronJob)

if err != nil {

logger.Error(err, "Failed to update reclaimSpaceCronJob")

return ctrl.Result{}, err

}

logger.Info("Successfully updated reclaimSpaceCronJob")

return ctrl.Result{}, nil

}

If a user edits a CronJob and adds the suspend field to its spec, it will stop the CronJob controller from executing related operations (like creating new Jobs). However, this won’t prevent the PersistentVolume (PV) controller from updating or recreating the CronJob resource if it notices a difference between the current spec and the expected one.

This is where the /exclude option comes in. If this option is present, the PV controller will ignore the CronJob spec assertion, allowing the user's changes to persist. The CronJob controller can then reconcile the resource based on the updated spec. This is particularly useful in cases where user wants to have a different schedule.

TLDR; We need a way to tell the controller that the user wants to have control of the existing CR and I would prefer it to be explicit. /exclude ticks both the boxes. If you have anything else to suggest, I'd love that.

@black-dragon74 So its a 3 step process.
user finds the cronjob, adds exclude annotation on it and then sets suspend field to true ?

Yes. We can do without the exclude annotation for suspend but modifications to schedule depend on it. So we decided to have it present in both the cases.

nixpanic · 2024-10-16T08:49:59Z

@black-dragon74 the annotations should be mentioned in the documentation too. Please add a paragraph about those.

black-dragon74 · 2024-10-16T08:52:15Z

@black-dragon74 the annotations should be mentioned in the documentation too. Please add a paragraph about those.

May I follow the documentation updates in a separate PR?

P.S: The upcoming disable operations are related to this PR and documentation would be similar as well.

Rakshith-R · 2024-10-16T11:09:27Z

+	if schedule, err = r.getScheduleFromNS(ctx, pvc, logger, driverName, annotationKey); schedule != "" {
+		return schedule, nil
+	}
+	if errors.Is(err, ErrConnNotFoundRequeueNeeded) {


you should proceed to check schedule on SC only when you get ErrScheduleNotFound here right ?

you need to error out for ConnNotFound + errors other than ErrScheduleNotFound ?

Right, in cases where the schedule in present only on the NS and we are unable to fetch the NS.

Madhu-1 · 2024-10-16T11:51:22Z

 	krcJobScheduleTimeAnnotation = "keyrotation." + csiaddonsv1alpha1.GroupVersion.Group + "/schedule"
 	krcJobNameAnnotation         = "keyrotation." + csiaddonsv1alpha1.GroupVersion.Group + "/cronjob"
 	krCSIAddonsDriverAnnotation  = "keyrotation." + csiaddonsv1alpha1.GroupVersion.Group + "/drivers"
+	krcJobExcludeAnnotation      = "keyrotation." + csiaddonsv1alpha1.GroupVersion.Group + "/exclude"


instead of exclude, can we have a state that represents state i.e. managed/unmanaged. by default the controller sets it to managed state, and if the user/admin wants they can change the state to unmanaged and modify the CR. if they want to revert back the changes, just set the state back to managed?

As an annotation or a spec field?

For now annotation only.

nixpanic · 2024-10-17T15:15:15Z

May I follow the documentation updates in a separate PR?

My preference is to include a commit about it in this PR. There is a large chance it is forgotten otherwise.

Madhu-1 · 2024-10-23T07:33:21Z

-func annotationValueMissing(scAnnotations, pvcAnnotations map[string]string, keys []string) bool {
+// AnnotationValueMissingOrDiff checks if any of the specified keys are missing
+// or differ from the PVC annotations when they are present in the StorageClass annotations.
+func annotationValueMissingOrDiff(scAnnotations, pvcAnnotations map[string]string, keys []string) bool {


AnnotationValueMissingOrDiff to annotationValueMissingOrDiff

Madhu-1 · 2024-10-23T07:44:23Z

+			}
+
+			logger.Error(err, "Failed to get StorageClass", "StorageClass", storageClassName)
+			return ""


why we are returning empty in case of actual error, IMO this should be retried if there any problem in getting the SC

determineScheduleAndRequeue will return the ErrScheduleNotFound upon getting an empty schedule from getScheduleFromSC

what about the case where we failed to get the SC (apart from not found error)? we should retry in that case

Madhu-1 · 2024-10-23T07:47:10Z

 	flag.StringVar(&cfg.Namespace, "namespace", cfg.Namespace, "Namespace where the CSIAddons pod is deployed")
 	flag.BoolVar(&enableAdmissionWebhooks, "enable-admission-webhooks", false, "[DEPRECATED] Enable the admission webhooks")
 	flag.BoolVar(&showVersion, "version", false, "Print Version details")
+	flag.StringVar(&cfg.SchedulePrecedence, "schedule-precedence", "", "The order of precedence in which schedule of reclaimspace and keyrotation is considered. Possible values are sc-only")


can we have a validation for this one to ensure that only user is passing expected values?

In case of invalid values, we fall back to the default precedence (ignoring it). The new precedence is used only when the value is sc-only. You want to exit in case of invalid value (we do that in case of configmap)?

we need to validate and exit in the main.go or from where ever we are reading the value from the configmap, if we don't have the logs we will not get to know why it got skipped

Pull request has been modified.

Madhu-1

LGTM, please update the PR description to match the code changes

This patch modifies the parsing logic of schedule found in annotation so that the precedence is in form: SC > NS > PVC This applies for both keyrotation and reclaimspace The schedule present on the PVC annotations will always be equal to that of the highest precedence. Modifying it manually will lead to it being overwritten. Signed-off-by: Niraj Yadav <niryadav@redhat.com>

This commit introduces a new annotation that tracks the managed state for the CRs created by PersistentVolumeClaim controller. If the value of this annotation is `unmanaged` the pvc controller will not make any modifications to the CR. Signed-off-by: Niraj Yadav <niryadav@redhat.com>

This commit updates the docs for ReclaimSpace and EncryptionKeyRotation for the new state annotation: `csiaddons.openshift.io/state` Signed-off-by: Niraj Yadav <niryadav@redhat.com> fixme Signed-off-by: Niraj Yadav <niryadav@redhat.com> fixme Signed-off-by: Niraj Yadav <niryadav@redhat.com>

mergify Bot requested review from Madhu-1, Rakshith-R, iPraveenParihar, nixpanic and yati1998 September 18, 2024 14:16

Rakshith-R requested changes Sep 19, 2024

View reviewed changes

black-dragon74 force-pushed the mod-sched-precedence branch from b283354 to cd3dab1 Compare October 1, 2024 09:48

black-dragon74 force-pushed the mod-sched-precedence branch 3 times, most recently from 7a80ff8 to 1b1247c Compare October 8, 2024 13:51

black-dragon74 requested a review from Rakshith-R October 10, 2024 07:24

Rakshith-R reviewed Oct 10, 2024

View reviewed changes

black-dragon74 force-pushed the mod-sched-precedence branch 3 times, most recently from c8e62f9 to 69abd2c Compare October 15, 2024 07:09

nixpanic requested a review from Rakshith-R October 15, 2024 12:22

black-dragon74 force-pushed the mod-sched-precedence branch from 69abd2c to 950696b Compare October 16, 2024 07:57

Rakshith-R reviewed Oct 16, 2024

View reviewed changes

black-dragon74 force-pushed the mod-sched-precedence branch from 950696b to 75c600a Compare October 16, 2024 11:21

black-dragon74 requested a review from Rakshith-R October 16, 2024 11:27

Madhu-1 reviewed Oct 16, 2024

View reviewed changes

black-dragon74 force-pushed the mod-sched-precedence branch from 75c600a to 059a581 Compare October 16, 2024 15:17

black-dragon74 requested a review from Madhu-1 October 23, 2024 06:42

Madhu-1 previously approved these changes Oct 23, 2024

View reviewed changes

black-dragon74 force-pushed the mod-sched-precedence branch from 519fb8e to ba60945 Compare October 23, 2024 08:51

black-dragon74 force-pushed the mod-sched-precedence branch 4 times, most recently from da1b1e9 to e5241db Compare October 23, 2024 10:08

Madhu-1 approved these changes Oct 23, 2024

View reviewed changes

Rakshith-R approved these changes Oct 24, 2024

View reviewed changes

black-dragon74 added 3 commits October 24, 2024 08:52

black-dragon74 force-pushed the mod-sched-precedence branch from e5241db to 4cb36d7 Compare October 24, 2024 08:52

mergify Bot merged commit cf2bcce into csi-addons:main Oct 24, 2024

black-dragon74 mentioned this pull request Nov 14, 2024

Updating the schedule on SC has no effect #665

Closed

	if rsCronJob != nil {
	newRSCronJob := constructRSCronJob(rsCronJob.Name, req.Namespace, schedule, pvc.Name)
	if reflect.DeepEqual(newRSCronJob.Spec, rsCronJob.Spec) {
	logger.Info("No change in reclaimSpaceCronJob.Spec, exiting reconcile")

	return ctrl.Result{}, nil
	}
	// update rsCronJob spec
	rsCronJob.Spec = newRSCronJob.Spec
	err = r.Client.Update(ctx, rsCronJob)
	if err != nil {
	logger.Error(err, "Failed to update reclaimSpaceCronJob")

	return ctrl.Result{}, err
	}
	logger.Info("Successfully updated reclaimSpaceCronJob")

	return ctrl.Result{}, nil
	}

Conversation

black-dragon74 commented Sep 18, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

black-dragon74 commented Sep 18, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Info

Testing

Using precedence: sc-first

Using Precedence: pvc-first

Uh oh!

Rakshith-R left a comment

Choose a reason for hiding this comment

Uh oh!

nixpanic commented Oct 2, 2024

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

black-dragon74 Oct 14, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

nixpanic commented Oct 16, 2024

Uh oh!

black-dragon74 commented Oct 16, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

nixpanic commented Oct 17, 2024

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Madhu-1 left a comment

black-dragon74 commented Sep 18, 2024 •

edited

Loading

black-dragon74 commented Sep 18, 2024 •

edited

Loading

black-dragon74 Oct 14, 2024 •

edited

Loading

black-dragon74 commented Oct 16, 2024 •

edited

Loading