kubernetes-csi-addons
Add option to disable KeyRotation
This patch adds the feature to disable key rotation by annotating any of NS, SC or PVC.
The annotation to be used is: keyrotation.csiaddons.openshift.io/disable=true
Testing
Using RBACs
// Logs: Set suspend to true
2024-10-29T10:27:02.132Z INFO encryptionkeyrotationcronjob is suspended, skipping scheduling {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1730197551","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1730197551", "reconcileID": "08e25193-6666-4c6c-bd51-322bdc89fd2b"}
// Logs: Set suspend back to false
2024-10-29T10:27:17.789Z INFO no upcoming schedule, requeue with delay until next run {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1730197551","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1730197551", "reconcileID": "711f0dd6-a245-48f6-a9d8-21bc5c5be4b8", "now": "2024-10-29T10:27:17.789Z", "nextRun": "2024-10-29T10:30:00.000Z"}
Using annotations
Disable key rotation
❯ oc get encryptionkeyrotationcronjobs
NAME SCHEDULE SUSPEND ACTIVE LASTSCHEDULE AGE
rbd-pvc-1730200402 */22 * * * * 6s
❯ oc annotate sc/rook-ceph-block "keyrotation.csiaddons.openshift.io/enable=false" --overwrite
storageclass.storage.k8s.io/rook-ceph-block annotated
❯ oc get encryptionkeyrotationcronjobs
No resources found in rook-ceph namespace.
Logs:
2024-10-29T11:13:35.066Z INFO EncryptionKeyRotationCronJob is disabled by annotation, exiting reconcile {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a31369ac-84f7-4d04-b4fa-9b2ef5aa9666", "EncryptionKeyrotationCronJobName": "rbd-pvc-1730200402"}
2024-10-29T11:13:35.067Z INFO Determining schedule using precedence {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a31369ac-84f7-4d04-b4fa-9b2ef5aa9666", "EncryptionKeyrotationCronJobName": "rbd-pvc-1730200402", "SchedulePrecedence": "sc-only"}
2024-10-29T11:13:35.067Z INFO Annotation not set, exiting reconcile {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a31369ac-84f7-4d04-b4fa-9b2ef5aa9666", "EncryptionKeyrotationCronJobName": "rbd-pvc-1730200402"}
2024-10-29T11:13:35.067Z INFO encryptionkeyrotationcronjob resource not found {"controller": "encryptionkeyrotationcronjob", "controllerGroup": "csiaddons.openshift.io", "controllerKind": "EncryptionKeyRotationCronJob", "EncryptionKeyRotationCronJob": {"name":"rbd-pvc-1730200402","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc-1730200402", "reconcileID": "b301917b-02fd-477b-b3dc-2b82a921cb3b"}
Enable key rotation
❯ oc annotate sc/rook-ceph-block "keyrotation.csiaddons.openshift.io/enable=true" --overwrite
storageclass.storage.k8s.io/rook-ceph-block annotated
❯ oc get encryptionkeyrotationcronjobs
NAME SCHEDULE SUSPEND ACTIVE LASTSCHEDULE AGE
rbd-pvc-1730200430 */22 * * * * 3
Logs:
2024-10-29T11:13:50.058Z INFO Determining schedule using precedence {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a2609602-7e78-4225-9abc-e900c7a3ec8c", "SchedulePrecedence": "sc-only"}
2024-10-29T11:13:50.058Z INFO Adding annotation {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a2609602-7e78-4225-9abc-e900c7a3ec8c", "KeyRotationSchedule": "*/22 * * * *", "Annotation": "{\"metadata\":{\"annotations\":{\"keyrotation.csiaddons.openshift.io/cronjob\":\"rbd-pvc-1730200430\",\"keyrotation.csiaddons.openshift.io/schedule\":\"*/22 * * * *\"}}}"}
2024-10-29T11:13:50.077Z INFO successfully created new encryptionkeyrotationcronjob {"controller": "persistentvolumeclaim", "controllerGroup": "", "controllerKind": "PersistentVolumeClaim", "PersistentVolumeClaim": {"name":"rbd-pvc","namespace":"rook-ceph"}, "namespace": "rook-ceph", "name": "rbd-pvc", "reconcileID": "a2609602-7e78-4225-9abc-e900c7a3ec8c", "KeyRotationSchedule": "*/22 * * * *"}
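To make the behaviour shown in the test session concrete, here is a small added example (not code from the kubernetes-csi-addons PR itself) of a decision helper that reads the keyrotation.csiaddons.openshift.io/enable annotation from the PVC, StorageClass and Namespace and derives what the reconciler should do with the EncryptionKeyRotationCronJob. The function names, the PVC-then-SC-then-NS check order and the handling of unparsable values are assumptions; the PR only states that annotating any of the three objects disables rotation.

```go
package main

import (
	"fmt"
	"strconv"
)

// Annotation key introduced by this PR for switching key rotation on or off.
const enableKey = "keyrotation.csiaddons.openshift.io/enable"

// rotationDisabled reports whether the PVC, StorageClass or Namespace
// carries enable=false, and which one did. Assumed here (not stated in
// the PR): objects are checked in PVC, SC, NS order, and an unparsable
// value is ignored so rotation stays enabled, which is the safe default.
func rotationDisabled(pvc, sc, ns map[string]string) (bool, string) {
	names := []string{"pvc", "sc", "ns"}
	for i, ann := range []map[string]string{pvc, sc, ns} {
		raw, ok := ann[enableKey]
		if !ok {
			continue
		}
		if enabled, err := strconv.ParseBool(raw); err == nil && !enabled {
			return true, names[i]
		}
	}
	return false, ""
}

// reconcileAction mirrors what the test logs show: a disabling annotation
// removes an existing EncryptionKeyRotationCronJob, and re-enabling creates
// one when none exists. It returns "delete", "create" or "none".
func reconcileAction(pvc, sc, ns map[string]string, cronJobExists bool) string {
	disabled, _ := rotationDisabled(pvc, sc, ns)
	switch {
	case disabled && cronJobExists:
		return "delete"
	case !disabled && !cronJobExists:
		return "create"
	}
	return "none"
}

func main() {
	// Constructed input: the SC annotated as in the PR's test session.
	sc := map[string]string{enableKey: "false"}
	fmt.Println(reconcileAction(nil, sc, nil, true)) // delete
}
```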
Also don't forget to add the new annotation to the documentation!
LGTM, @black-dragon74 please add doc for disable option.
@nixpanic PTAL
@mergifyio rebase