Add option to disable KeyRotation

This patch adds the feature to disable key rotation by annotating either of NS, SC or PVC. The annotation to be used is: `keyrotation.csiaddons.openshift.io/disable=true` Signed-off-by: Niraj Yadav <[email protected]>
csi-addons · Sep 3, 2024 · f0e7c46 · f0e7c46
1 parent 32e811c
commit f0e7c46
Showing 1 changed file with 96 additions and 2 deletions.
diff --git a/internal/controller/csiaddons/persistentvolumeclaim_controller.go b/internal/controller/csiaddons/persistentvolumeclaim_controller.go
@@ -61,6 +61,7 @@ var (
 	rsCSIAddonsDriverAnnotation     = "reclaimspace." + csiaddonsv1alpha1.GroupVersion.Group + "/drivers"
 
 	krcJobScheduleTimeAnnotation = "keyrotation." + csiaddonsv1alpha1.GroupVersion.Group + "/schedule"
+	krcJobDisableAnnotation      = "keyrotation." + csiaddonsv1alpha1.GroupVersion.Group + "/disable"
 	krcJobNameAnnotation         = "keyrotation." + csiaddonsv1alpha1.GroupVersion.Group + "/cronjob"
 	krCSIAddonsDriverAnnotation  = "keyrotation." + csiaddonsv1alpha1.GroupVersion.Group + "/drivers"
 
@@ -299,6 +300,8 @@ func (r *PersistentVolumeClaimReconciler) determineScheduleAndRequeue(
 //     PVCs without ReclaimSpace annotations will be enqueued.
 //   - If the StorageClass has KeyRotation annotation,
 //     PVCs without the KeyRotation annotation will be enqueued.
+//   - If the StorageClass has KeyRotation disable annotation,
+//     PVCs without the KeyRotation disable annotation will be enqueued.
 func (r *PersistentVolumeClaimReconciler) storageClassEventHandler() handler.EventHandler {
 	return handler.EnqueueRequestsFromMapFunc(
 		func(ctx context.Context, obj client.Object) []reconcile.Request {
@@ -320,12 +323,16 @@ func (r *PersistentVolumeClaimReconciler) storageClassEventHandler() handler.Eve
 			_, scHasReclaimSpaceAnnotation := obj.GetAnnotations()[rsCronJobScheduleTimeAnnotation]
 			_, scHasKeyRotationAnnotation := obj.GetAnnotations()[krcJobScheduleTimeAnnotation]
 
+			_, scHasKeyRotationDisableAnnotation := obj.GetAnnotations()[krcJobDisableAnnotation]
+
 			var requests []reconcile.Request
 			for _, pvc := range pvcList.Items {
 
 				_, pvcHasReclaimSpaceAnnotation := pvc.GetAnnotations()[rsCronJobScheduleTimeAnnotation]
 				_, pvcHasKeyRotationAnnotation := pvc.GetAnnotations()[krcJobScheduleTimeAnnotation]
 
+				_, pvcHasKeyRotationDisableAnnotation := pvc.GetAnnotations()[krcJobDisableAnnotation]
+
 				needToEnqueue := false
 
 				if scHasReclaimSpaceAnnotation && !pvcHasReclaimSpaceAnnotation {
@@ -334,6 +341,9 @@ func (r *PersistentVolumeClaimReconciler) storageClassEventHandler() handler.Eve
 				if scHasKeyRotationAnnotation && !pvcHasKeyRotationAnnotation {
 					needToEnqueue = true
 				}
+				if scHasKeyRotationDisableAnnotation && !pvcHasKeyRotationDisableAnnotation {
+					needToEnqueue = true
+				}
 
 				if needToEnqueue {
 					requests = append(requests, reconcile.Request{
@@ -411,7 +421,12 @@ func (r *PersistentVolumeClaimReconciler) SetupWithManager(mgr ctrl.Manager, ctr
 			krcOldSchdeule, krcOldOk := e.ObjectOld.GetAnnotations()[krcJobScheduleTimeAnnotation]
 			krcNewSchdeule, krcNewOk := e.ObjectNew.GetAnnotations()[krcJobScheduleTimeAnnotation]
 
-			return (oldOk != newOk || oldSchdeule != newSchdeule) || (krcOldOk != krcNewOk || krcOldSchdeule != krcNewSchdeule)
+			krcOldDisable, krcOldDisableOk := e.ObjectOld.GetAnnotations()[krcJobDisableAnnotation]
+			krcNewDisable, krcNewDisableOk := e.ObjectNew.GetAnnotations()[krcJobDisableAnnotation]
+
+			return (oldOk != newOk || oldSchdeule != newSchdeule) ||
+				(krcOldOk != krcNewOk || krcOldSchdeule != krcNewSchdeule) ||
+				(krcOldDisableOk != krcNewDisableOk || krcOldDisable != krcNewDisable)
 		},
 	}
 
@@ -427,7 +442,12 @@ func (r *PersistentVolumeClaimReconciler) SetupWithManager(mgr ctrl.Manager, ctr
 			krcOldSchdeule, krcOldOk := e.ObjectOld.GetAnnotations()[krcJobScheduleTimeAnnotation]
 			krcNewSchdeule, krcNewOk := e.ObjectNew.GetAnnotations()[krcJobScheduleTimeAnnotation]
 
-			return (oldOk != newOk || oldSchdeule != newSchdeule) || (krcOldOk != krcNewOk || krcOldSchdeule != krcNewSchdeule)
+			krcOldDisable, krcOldDisableOk := e.ObjectOld.GetAnnotations()[krcJobDisableAnnotation]
+			krcNewDisable, krcNewDisableOk := e.ObjectNew.GetAnnotations()[krcJobDisableAnnotation]
+
+			return (oldOk != newOk || oldSchdeule != newSchdeule) ||
+				(krcOldOk != krcNewOk || krcOldSchdeule != krcNewSchdeule) ||
+				(krcOldDisableOk != krcNewDisableOk || krcOldDisable != krcNewDisable)
 		},
 	}
 
@@ -767,6 +787,60 @@ func constructKRCronJob(name, namespace, schedule, pvcName string) *csiaddonsv1a
 	}
 }
 
+// checkDisabledAnnotation checks if the annotation is set in the
+// PVC, namespace or the storage class. It returns true if the
+// annotation is set to `true`.
+func (r *PersistentVolumeClaimReconciler) checkDisabledAnnotation(
+	ctx context.Context,
+	logger *logr.Logger,
+	pvc *corev1.PersistentVolumeClaim,
+	annotation string,
+) (bool, error) {
+	// Check PVC for the annotation
+	annotations := pvc.GetAnnotations()
+	val, ok := annotations[annotation]
+	if ok {
+		return strings.ToLower(val) == "true", nil
+	}
+
+	// Check Namespace
+	ns := &corev1.Namespace{}
+	err := r.Client.Get(ctx, types.NamespacedName{Name: pvc.Namespace}, ns)
+	if err != nil {
+		logger.Error(err, "Failed to get Namespace", "Namespace", pvc.Namespace)
+		return false, err
+	}
+	val, ok = ns.GetAnnotations()[annotation]
+	if ok {
+		return strings.ToLower(val) == "true", nil
+	}
+
+	// Static PVs
+	if len(*pvc.Spec.StorageClassName) == 0 {
+		return false, nil
+	}
+
+	// Check StorageClass
+	sc := &storagev1.StorageClass{}
+	err = r.Client.Get(ctx, types.NamespacedName{Name: *pvc.Spec.StorageClassName}, sc)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			logger.Error(err, "StorageClass not found", "StorageClass", *pvc.Spec.StorageClassName)
+			return false, err
+		}
+
+		logger.Error(err, "Failed to get StorageClass", "StorageClass", *pvc.Spec.StorageClassName)
+		return false, err
+	}
+	val, ok = sc.GetAnnotations()[annotation]
+	if ok {
+		return strings.ToLower(val) == "true", nil
+	}
+
+	// Not disabled, not an error
+	return false, nil
+}
+
 // processKeyRotation reconciles EncryptionKeyRotation based on annotations
 func (r *PersistentVolumeClaimReconciler) processKeyRotation(
 	ctx context.Context,
@@ -783,6 +857,26 @@ func (r *PersistentVolumeClaimReconciler) processKeyRotation(
 		*logger = logger.WithValues("EncryptionKeyrotationCronJobName", krcJob.Name)
 	}
 
+	// Check if key rotation disable annotation is present
+	disabled, err := r.checkDisabledAnnotation(ctx, logger, pvc, krcJobDisableAnnotation)
+	if err != nil {
+		return err
+	}
+
+	if disabled {
+		if krcJob != nil {
+			err = r.Delete(ctx, krcJob)
+			if client.IgnoreNotFound(err) != nil {
+				logger.Error(err, "failed to delete child encryptionkeyrotationcronjob")
+
+				return fmt.Errorf("failed to delete child encryptionkeyrotationcronjob: %w", err)
+			}
+		}
+
+		logger.Info("key rotation is disabled, exiting reconcile")
+		return nil
+	}
+
 	// Determine schedule
 	sched, err := r.determineScheduleAndRequeue(ctx, logger, pvc, pv.Spec.CSI.Driver, krcJobScheduleTimeAnnotation)
 	if errors.Is(err, ErrScheduleNotFound) {