Merge pull request #2477 from SanjalKatiyar/fix_key_rotation

allow disabling key rotation

api/v1/storagecluster_types.go

@@ -459,8 +459,7 @@ type EncryptionSpec struct {
 type KeyRotationSpec struct {
 	// Enable represents whether the key rotation is enabled.
 	// +optional
-	// +kubebuilder:default=false
-	Enable bool `json:"enable,omitempty"`
+	Enable *bool `json:"enable,omitempty"`
 	// Schedule represents the cron schedule for key rotation.
 	// +optional
 	// +kubebuilder:default="@weekly"

config/crd/bases/ocs.openshift.io_storageclusters.yaml

@@ -546,7 +546,6 @@ spec:
                     description: KeyRotation defines options for Key Rotation.
                     properties:
                       enable:
-                        default: false
                         description: Enable represents whether the key rotation is
                           enabled.
                         type: boolean

controllers/storagecluster/cephcluster.go

@@ -202,10 +202,6 @@ func (obj *ocsCephCluster) ensureCreated(r *StorageClusterReconciler, sc *ocsv1.
 				return reconcile.Result{}, err
 			}
 		}
-
-		isEnabled, rotationSchedule := util.GetKeyRotationSpec(sc)
-		cephCluster.Spec.Security.KeyRotation.Enabled = isEnabled
-		cephCluster.Spec.Security.KeyRotation.Schedule = rotationSchedule
 	}
 
 	// Set StorageCluster instance as the owner and controller
@@ -558,6 +554,11 @@ func newCephCluster(sc *ocsv1.StorageCluster, cephImage string, serverVersion *v
 		}
 		cephCluster.Spec.Security.KeyManagementService.ConnectionDetails = kmsConfigMap.Data
 	}
+
+	isEnabled, rotationSchedule := util.GetKeyRotationSpec(sc)
+	cephCluster.Spec.Security.KeyRotation.Enabled = isEnabled
+	cephCluster.Spec.Security.KeyRotation.Schedule = rotationSchedule
+
 	return cephCluster, nil
 }
 

controllers/util/util.go

@@ -29,13 +29,17 @@ func DetectDuplicateInStringSlice(slice []string) bool {
 
 func GetKeyRotationSpec(sc *ocsv1.StorageCluster) (bool, string) {
 	schedule := sc.Spec.Encryption.KeyRotation.Schedule
-	if (sc.Spec.Encryption.Enable || sc.Spec.Encryption.ClusterWide) && !sc.Spec.Encryption.KeyManagementService.Enable {
-		if schedule == "" {
-			// default schedule
-			schedule = "@weekly"
+	if schedule == "" {
+		// default schedule
+		schedule = "@weekly"
+	}
+
+	if sc.Spec.Encryption.KeyRotation.Enable == nil {
+		if (sc.Spec.Encryption.Enable || sc.Spec.Encryption.ClusterWide) && !sc.Spec.Encryption.KeyManagementService.Enable {
+			// use key-rotation by default if cluster-wide encryption is opted without KMS & "enable" spec is missing
+			return true, schedule
 		}
-		// use key-rotation by default if cluster-wide encryption is opted without KMS
-		return true, schedule
+		return false, schedule
 	}
-	return sc.Spec.Encryption.KeyRotation.Enable, schedule
+	return *sc.Spec.Encryption.KeyRotation.Enable, schedule
 }

deploy/csv-templates/crds/ocs/ocs.openshift.io_storageclusters.yaml

@@ -546,7 +546,6 @@ spec:
                     description: KeyRotation defines options for Key Rotation.
                     properties:
                       enable:
-                        default: false
                         description: Enable represents whether the key rotation is
                           enabled.
                         type: boolean

deploy/ocs-operator/manifests/storagecluster.crd.yaml

@@ -545,7 +545,6 @@ spec:
                     description: KeyRotation defines options for Key Rotation.
                     properties:
                       enable:
-                        default: false
                         description: Enable represents whether the key rotation is
                           enabled.
                         type: boolean