

Add option to disable KeyRotation
This commit adds the option to disable key rotation
by annotating the StorageClasses, Namespaces or PVCs
with: `keyrotation.csiaddons-openshift.io/enable: false`

Signed-off-by: Niraj Yadav <[email protected]>
black-dragon74 committed Oct 24, 2024
1 parent cf2bcce commit 726852e
Showing 1 changed file with 96 additions and 0 deletions.
96 changes: 96 additions & 0 deletions internal/controller/csiaddons/persistentvolumeclaim_controller.go
Expand Up @@ -67,6 +67,7 @@ var (
rsCronJobNameAnnotation = "reclaimspace." + csiaddonsv1alpha1.GroupVersion.Group + "/cronjob"
rsCSIAddonsDriverAnnotation = "reclaimspace." + csiaddonsv1alpha1.GroupVersion.Group + "/drivers"

krEnableAnnotation = "keyrotation." + csiaddonsv1alpha1.GroupVersion.Group + "/enable"
krcJobScheduleTimeAnnotation = "keyrotation." + csiaddonsv1alpha1.GroupVersion.Group + "/schedule"
krcJobNameAnnotation = "keyrotation." + csiaddonsv1alpha1.GroupVersion.Group + "/cronjob"
krCSIAddonsDriverAnnotation = "keyrotation." + csiaddonsv1alpha1.GroupVersion.Group + "/drivers"
Expand Down Expand Up @@ -754,6 +755,25 @@ func (r *PersistentVolumeClaimReconciler) processKeyRotation(
}
}

disabled, err := r.checkDisabledByAnnotation(ctx, logger, pvc, krEnableAnnotation)
if err != nil {
return err
}

if disabled {
if krcJob != nil {
err = r.Delete(ctx, krcJob)
if client.IgnoreNotFound(err) != nil {
errMsg := "failed to delete EncryptionKeyRotationCronJob"
logger.Error(err, errMsg)
return fmt.Errorf("%s: %w", errMsg, err)
}
}

logger.Info("EncryptionKeyRotationCronJob is disabled by annotation, exiting reconcile")
return nil
}

// Determine schedule
sched, err := r.determineScheduleAndRequeue(ctx, logger, pvc, pv.Spec.CSI.Driver, krcJobScheduleTimeAnnotation)
if errors.Is(err, ErrScheduleNotFound) {
Expand Down Expand Up @@ -976,3 +996,79 @@ func (r *PersistentVolumeClaimReconciler) getScheduleFromPVC(

return ""
}

// checkAnnotationForValue checks if the given object has the specified annotation
// with the expected value.
func checkAnnotationForValue(obj metav1.Object, key, expected string) bool {
if val, ok := obj.GetAnnotations()[key]; ok && val == expected {
return true
}
return false
}

// hasValidStorageClassName checks if the provided PersistentVolumeClaim has a non-empty StorageClassName.
func hasValidStorageClassName(pvc *corev1.PersistentVolumeClaim) bool {
return pvc.Spec.StorageClassName != nil && len(*pvc.Spec.StorageClassName) > 0
}

func (r *PersistentVolumeClaimReconciler) checkDisabledByAnnotation(
ctx context.Context,
logger *logr.Logger,
pvc *corev1.PersistentVolumeClaim,
annotationKey string) (bool, error) {

if r.SchedulePrecedence == util.ScheduleSCOnly {
if !hasValidStorageClassName(pvc) {
return false, nil
}
storageClassName := *pvc.Spec.StorageClassName

sc := &storagev1.StorageClass{}
err := r.Client.Get(ctx, client.ObjectKey{Name: storageClassName}, sc)
if err != nil {
logger.Error(err, "Failed to get StorageClass", "StorageClass", storageClassName)
return false, err
}

if checkAnnotationForValue(sc, annotationKey, "false") {
return true, nil
}

return false, nil
}

// Else, we follow the regular precedence
// Check on PVC
if checkAnnotationForValue(pvc, annotationKey, "false") {
return true, nil
}

// Check on Namespace
ns := &corev1.Namespace{}
err := r.Client.Get(ctx, types.NamespacedName{Name: pvc.Namespace}, ns)
if err != nil {
logger.Error(err, "Failed to get Namespace", "Namespace", pvc.Namespace)
return false, err
}
if checkAnnotationForValue(ns, annotationKey, "false") {
return true, nil
}

// Check on SC
if !hasValidStorageClassName(pvc) {
return false, nil
}
storageClassName := *pvc.Spec.StorageClassName

sc := &storagev1.StorageClass{}
err = r.Client.Get(ctx, client.ObjectKey{Name: storageClassName}, sc)
if err != nil {
logger.Error(err, "Failed to get StorageClass", "StorageClass", storageClassName)
return false, err
}
if checkAnnotationForValue(sc, annotationKey, "false") {
return true, nil
}

return false, nil
}
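Review bot: checkDisabledByAnnotation returns only a bool, so the `logger.Info("EncryptionKeyRotationCronJob is disabled by annotation, exiting reconcile")` line in processKeyRotation (whose body continues outside the hunk) cannot record whether the PVC, its Namespace or the StorageClass carried the disabling annotation, which is what an operator auditing why key rotation stopped on an encrypted volume needs. Consider logging at the matching branch inside the helper, e.g. `logger.Info("key rotation disabled by annotation", "kind", "Namespace", "name", ns.Name, "annotation", annotationKey)`, or returning the source object alongside the bool. Note also that in the non-SCOnly path an explicit `"true"` on the PVC does not override a `"false"` on the Namespace or StorageClass, because each level only short-circuits on the disabling value; if the intent is PVC > Namespace > StorageClass precedence, the first level that carries any value for the key should decide. The method also lacks the doc comment the two new helpers above it have; `// checkDisabledByAnnotation reports whether annotationKey is set to "false" on the PVC, its Namespace or its StorageClass, honouring r.SchedulePrecedence.` would match their style.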

