red-hat-storage · openshift-merge-bot · Nov 15, 2024 · Nov 7, 2024 · Nov 11, 2024 · Nov 12, 2024
diff --git a/api/v1alpha1/storageconsumer_types.go b/api/v1alpha1/storageconsumer_types.go
@@ -94,6 +94,10 @@ type ClientStatus struct {
 	// StorageQuotaUtilizationRatio is the ratio of utilized quota of connected client
 	// +optional
 	StorageQuotaUtilizationRatio float64 `json:"storageQuotaUtilizationRatio,omitempty"`
+
+	// ID is the k8s UID of connected storageclient
+	// +optional
+	ID string `json:"clientId,omitempty"`
 }
 
 //+kubebuilder:object:root=true

diff --git a/catalog/index.yaml b/catalog/index.yaml
@@ -18,7 +18,7 @@ schema: olm.channel
 package: rook-ceph-operator
 name: alpha
 entries:
-  - name: rook-ceph-operator.v4.17.0
+  - name: rook-ceph-operator.v4.18.0
 
 ---
 defaultChannel: alpha
@@ -29,4 +29,4 @@ schema: olm.channel
 package: noobaa-operator
 name: alpha
 entries:
-  - name: noobaa-operator.v5.17.0
+  - name: noobaa-operator.v5.18.0
diff --git a/config/crd/bases/ocs.openshift.io_storageconsumers.yaml b/config/crd/bases/ocs.openshift.io_storageconsumers.yaml
@@ -76,6 +76,9 @@ spec:
               client:
                 description: Information of storage client received from consumer
                 properties:
+                  clientId:
+                    description: ID is the k8s UID of connected storageclient
+                    type: string
                   clusterId:
                     description: ClusterID is the id of the openshift cluster
                     type: string

diff --git a/config/rbac/oauth_proxy_role.yaml b/config/rbac/oauth_proxy_role.yaml
@@ -11,3 +11,9 @@ rules:
   resources:
   - subjectaccessreviews
   verbs: ["create"]
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - create
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -318,6 +318,7 @@ rules:
   - delete
   - get
   - list
+  - update
   - watch
 - apiGroups:
   - template.openshift.io

diff --git a/controllers/defaults/defaults.go b/controllers/defaults/defaults.go
@@ -19,6 +19,11 @@ const (
 	// KubeMinorTopologySpreadConstraints is the minimum minor kube version to support TSC
 	// used along with KubeMajorTSC for version comparison
 	KubeMinorTopologySpreadConstraints = "19"
+	// This annotation is used by both StorageCluster and StorageClass to specify whether
+	// the key rotation feature is enabled. Users can add this annotation to StorageCluster
+	// with a value of "false" to disable key rotation. When present, this annotation is then
+	// propagated to the associated StorageClasses.
+	KeyRotationEnableAnnotation = "keyrotation.csiaddons.openshift.io/enable"
 )
 
 var (

diff --git a/controllers/storagecluster/odfinfoconfig.go b/controllers/storagecluster/odfinfoconfig.go
@@ -177,7 +177,7 @@ func getConnectedClients(r *StorageClusterReconciler, storageCluster *ocsv1.Stor
 		newConnectedClient := ocsv1a1.ConnectedClient{
 			Name:      name,
 			ClusterID: clusterID,
-			ClientID:  string(storageConsumer.UID),
+			ClientID:  storageConsumer.Status.Client.ID,
 		}
 		connectedClients = append(connectedClients, newConnectedClient)
 	}

diff --git a/controllers/storagecluster/reconcile.go b/controllers/storagecluster/reconcile.go
@@ -116,7 +116,7 @@ var validTopologyLabelKeys = []string{
 // +kubebuilder:rbac:groups=ocs.openshift.io,resources=*,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=ceph.rook.io,resources=cephclusters;cephblockpools;cephfilesystems;cephnfses;cephobjectstores;cephobjectstoreusers;cephrbdmirrors;cephblockpoolradosnamespaces,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=noobaa.io,resources=noobaas,verbs=get;list;watch;create;update;delete
-// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch;create;delete;get;list
+// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch;create;update;delete;get;list
 // +kubebuilder:rbac:groups=core,resources=pods;services;serviceaccounts;endpoints;persistentvolumes;persistentvolumeclaims;events;configmaps;secrets;nodes,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get
 // +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs=get;list;watch;create;update;delete

diff --git a/controllers/storagecluster/storageclasses.go b/controllers/storagecluster/storageclasses.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	ocsv1 "github.com/red-hat-storage/ocs-operator/api/v4/v1"
+	"github.com/red-hat-storage/ocs-operator/v4/controllers/defaults"
 	"github.com/red-hat-storage/ocs-operator/v4/controllers/platform"
 	"github.com/red-hat-storage/ocs-operator/v4/controllers/util"
 	cephv1 "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
@@ -30,8 +31,8 @@ const (
 )
 
 var (
-	rbdDriverName    = storageclassDriverNamePrefix + ".rbd.csi.ceph.com"
-	cephFSDriverName = storageclassDriverNamePrefix + ".cephfs.csi.ceph.com"
+	RbdDriverName    = storageclassDriverNamePrefix + ".rbd.csi.ceph.com"
+	CephFSDriverName = storageclassDriverNamePrefix + ".cephfs.csi.ceph.com"
 	nfsDriverName    = storageclassDriverNamePrefix + ".nfs.csi.ceph.com"
 	obcDriverName    = storageclassDriverNamePrefix + ".ceph.rook.io/bucket"
 )
@@ -108,7 +109,7 @@ func (r *StorageClusterReconciler) createStorageClasses(sccs []StorageClassConfi
 		sc := scc.storageClass
 
 		switch {
-		case (strings.Contains(sc.Name, "-ceph-rbd") || (strings.Contains(sc.Provisioner, rbdDriverName)) && !strings.Contains(sc.Name, "-ceph-non-resilient-rbd")) && !scc.isClusterExternal:
+		case (strings.Contains(sc.Name, "-ceph-rbd") || (strings.Contains(sc.Provisioner, RbdDriverName)) && !strings.Contains(sc.Name, "-ceph-non-resilient-rbd")) && !scc.isClusterExternal:
 			// wait for CephBlockPool to be ready
 			cephBlockPool := cephv1.CephBlockPool{}
 			key := types.NamespacedName{Name: sc.Parameters["pool"], Namespace: namespace}
@@ -170,7 +171,7 @@ func (r *StorageClusterReconciler) createStorageClasses(sccs []StorageClassConfi
 				skippedSC = append(skippedSC, sc.Name)
 				continue
 			}
-		case (strings.Contains(sc.Name, "-cephfs") || strings.Contains(sc.Provisioner, cephFSDriverName)) && !scc.isClusterExternal:
+		case (strings.Contains(sc.Name, "-cephfs") || strings.Contains(sc.Provisioner, CephFSDriverName)) && !scc.isClusterExternal:
 			// wait for CephFilesystem to be ready
 			cephFilesystem := cephv1.CephFilesystem{}
 			key := types.NamespacedName{Name: sc.Parameters["fsName"], Namespace: namespace}
@@ -198,6 +199,7 @@ func (r *StorageClusterReconciler) createStorageClasses(sccs []StorageClassConfi
 			}
 		}
 
+		scRecreated := false
 		existing := &storagev1.StorageClass{}
 		err := r.Client.Get(context.TODO(), types.NamespacedName{Name: sc.Name, Namespace: sc.Namespace}, existing)
 
@@ -232,6 +234,20 @@ func (r *StorageClusterReconciler) createStorageClasses(sccs []StorageClassConfi
 					r.Log.Info("Failed to create StorageClass.", "StorageClass", klog.KRef(sc.Namespace, sc.Name))
 					return err
 				}
+				scRecreated = true
+			}
+			if !scRecreated {
+				// Delete existing key rotation annotation and set it on sc only when it is false
+				delete(existing.Annotations, defaults.KeyRotationEnableAnnotation)
+				if krState := sc.GetAnnotations()[defaults.KeyRotationEnableAnnotation]; krState == "false" {
+					util.AddAnnotation(existing, defaults.KeyRotationEnableAnnotation, krState)
+				}
+
+				err = r.Client.Update(context.TODO(), existing)
+				if err != nil {
+					r.Log.Error(err, "Failed to update annotations on the StorageClass.", "StorageClass", klog.KRef(sc.Namespace, existing.Name))
+					return err
+				}
 			}
 		}
 	}
@@ -254,7 +270,7 @@ func newCephFilesystemStorageClassConfiguration(initData *ocsv1.StorageCluster)
 					"description": "Provides RWO and RWX Filesystem volumes",
 				},
 			},
-			Provisioner:   cephFSDriverName,
+			Provisioner:   CephFSDriverName,
 			ReclaimPolicy: &persistentVolumeReclaimDelete,
 			// AllowVolumeExpansion is set to true to enable expansion of OCS backed Volumes
 			AllowVolumeExpansion: &allowVolumeExpansion,
@@ -289,7 +305,7 @@ func newCephBlockPoolStorageClassConfiguration(initData *ocsv1.StorageCluster) S
 					"reclaimspace.csiaddons.openshift.io/schedule": "@weekly",
 				},
 			},
-			Provisioner:   rbdDriverName,
+			Provisioner:   RbdDriverName,
 			ReclaimPolicy: &persistentVolumeReclaimDelete,
 			// AllowVolumeExpansion is set to true to enable expansion of OCS backed Volumes
 			AllowVolumeExpansion: &allowVolumeExpansion,
@@ -314,6 +330,9 @@ func newCephBlockPoolStorageClassConfiguration(initData *ocsv1.StorageCluster) S
 	if initData.Spec.ManagedResources.CephBlockPools.DefaultStorageClass {
 		scc.storageClass.Annotations[defaultStorageClassAnnotation] = "true"
 	}
+	if initData.GetAnnotations()[defaults.KeyRotationEnableAnnotation] == "false" {
+		util.AddAnnotation(scc.storageClass, defaults.KeyRotationEnableAnnotation, "false")
+	}
 	return scc
 }
 
@@ -336,7 +355,7 @@ func newNonResilientCephBlockPoolStorageClassConfiguration(initData *ocsv1.Stora
 	persistentVolumeReclaimDelete := corev1.PersistentVolumeReclaimDelete
 	allowVolumeExpansion := true
 	volumeBindingWaitForFirstConsumer := storagev1.VolumeBindingWaitForFirstConsumer
-	return StorageClassConfiguration{
+	scc := StorageClassConfiguration{
 		storageClass: &storagev1.StorageClass{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: util.GenerateNameForNonResilientCephBlockPoolSC(initData),
@@ -345,7 +364,7 @@ func newNonResilientCephBlockPoolStorageClassConfiguration(initData *ocsv1.Stora
 					"reclaimspace.csiaddons.openshift.io/schedule": "@weekly",
 				},
 			},
-			Provisioner:       rbdDriverName,
+			Provisioner:       RbdDriverName,
 			ReclaimPolicy:     &persistentVolumeReclaimDelete,
 			VolumeBindingMode: &volumeBindingWaitForFirstConsumer,
 			// AllowVolumeExpansion is set to true to enable expansion of OCS backed Volumes
@@ -366,6 +385,10 @@ func newNonResilientCephBlockPoolStorageClassConfiguration(initData *ocsv1.Stora
 		},
 		isClusterExternal: initData.Spec.ExternalStorage.Enable,
 	}
+	if initData.GetAnnotations()[defaults.KeyRotationEnableAnnotation] == "false" {
+		util.AddAnnotation(scc.storageClass, defaults.KeyRotationEnableAnnotation, "false")
+	}
+	return scc
 }
 
 // newCephNFSStorageClassConfiguration generates configuration options for a Ceph NFS StorageClass.

diff --git a/controllers/storageclusterpeer/storageclusterpeer_controller.go b/controllers/storageclusterpeer/storageclusterpeer_controller.go
@@ -117,19 +117,19 @@ func (r *StorageClusterPeerReconciler) reconcileStates(storageClusterPeer *ocsv1
 	owner := util.FindOwnerRefByKind(storageClusterPeer, "StorageCluster")
 
 	if owner == nil {
-		storageClusterPeer.Status.State = ocsv1.ReconcileFailed
+		storageClusterPeer.Status.State = ocsv1.StorageClusterPeerStateFailed
 		return ctrl.Result{}, fmt.Errorf("failed to find StorgeCluster owning the StorageClusterPeer")
 	}
 
 	storageCluster.Name = owner.Name
 
 	if err := r.get(storageCluster); client.IgnoreNotFound(err) != nil {
+		storageClusterPeer.Status.State = ocsv1.StorageClusterPeerStateFailed
 		r.log.Error(err, "Error fetching StorageCluster for StorageClusterPeer found in the same namespace.")
-		storageClusterPeer.Status.State = ocsv1.ReconcileFailed
 		return ctrl.Result{}, err
 	} else if k8serrors.IsNotFound(err) {
+		storageClusterPeer.Status.State = ocsv1.StorageClusterPeerStateFailed
 		r.log.Error(err, "Cannot find a StorageCluster for StorageClusterPeer in the same namespace.")
-		storageClusterPeer.Status.State = ocsv1.ReconcileFailed
 		return ctrl.Result{}, nil
 	}
 
@@ -138,20 +138,20 @@ func (r *StorageClusterPeerReconciler) reconcileStates(storageClusterPeer *ocsv1
 	// Read StorageClusterUID from ticket
 	ticketArr := strings.Split(string(storageClusterPeer.Spec.OnboardingToken), ".")
 	if len(ticketArr) != 2 {
-		storageClusterPeer.Status.State = ocsv1.ReconcileFailed
+		storageClusterPeer.Status.State = ocsv1.StorageClusterPeerStateFailed
 		r.log.Error(fmt.Errorf("invalid ticket"), "Invalid onboarding ticket. Does not conform to expected ticket structure")
 		return ctrl.Result{}, nil
 	}
 	message, err := base64.StdEncoding.DecodeString(ticketArr[0])
 	if err != nil {
-		storageClusterPeer.Status.State = ocsv1.ReconcileFailed
+		storageClusterPeer.Status.State = ocsv1.StorageClusterPeerStateFailed
 		r.log.Error(err, "failed to decode onboarding ticket")
 		return ctrl.Result{}, nil
 	}
 	var ticketData services.OnboardingTicket
 	err = json.Unmarshal(message, &ticketData)
 	if err != nil {
-		storageClusterPeer.Status.State = ocsv1.ReconcileFailed
+		storageClusterPeer.Status.State = ocsv1.StorageClusterPeerStateFailed
 		r.log.Error(err, "onboarding ticket message is not a valid JSON.")
 		return ctrl.Result{}, nil
 	}
@@ -162,7 +162,7 @@ func (r *StorageClusterPeerReconciler) reconcileStates(storageClusterPeer *ocsv1
 
 	ocsClient, err := providerClient.NewProviderClient(r.ctx, storageClusterPeer.Spec.ApiEndpoint, time.Second*10)
 	if err != nil {
-		storageClusterPeer.Status.State = ocsv1.ReconcileFailed
+		storageClusterPeer.Status.State = ocsv1.StorageClusterPeerStateFailed
 		return ctrl.Result{}, fmt.Errorf("failed to create a new provider client: %v", err)
 	}
 	defer ocsClient.Close()
@@ -174,18 +174,17 @@ func (r *StorageClusterPeerReconciler) reconcileStates(storageClusterPeer *ocsv1
 		r.log.Error(err, fmt.Sprintf("failed to Peer Storage Cluster, reason: %v.", err))
 		st, ok := status.FromError(err)
 		if !ok {
-			storageClusterPeer.Status.State = ocsv1.ReconcileFailed
 			r.log.Error(fmt.Errorf("invalid code"), "failed to extract an HTTP status code from error")
 			return ctrl.Result{}, fmt.Errorf("failed to extract an HTTP status code from error")
 		}
-		if st.Code() == codes.InvalidArgument {
-			storageClusterPeer.Status.State = ocsv1.ReconcileFailed
-			return ctrl.Result{}, nil
+		if st.Code() != codes.InvalidArgument {
+			return ctrl.Result{}, err
 		}
-		storageClusterPeer.Status.State = ocsv1.ReconcileFailed
-	} else {
-		storageClusterPeer.Status.State = ocsv1.StorageClusterPeerStatePeered
+		storageClusterPeer.Status.State = ocsv1.StorageClusterPeerStateFailed
+		return ctrl.Result{}, nil
 	}
+
+	storageClusterPeer.Status.State = ocsv1.StorageClusterPeerStatePeered
 	return ctrl.Result{}, nil
 }
 

diff --git a/deploy/csv-templates/crds/ocs/ocs.openshift.io_storageconsumers.yaml b/deploy/csv-templates/crds/ocs/ocs.openshift.io_storageconsumers.yaml
@@ -76,6 +76,9 @@ spec:
               client:
                 description: Information of storage client received from consumer
                 properties:
+                  clientId:
+                    description: ID is the k8s UID of connected storageclient
+                    type: string
                   clusterId:
                     description: ClusterID is the id of the openshift cluster
                     type: string

diff --git a/deploy/csv-templates/ocs-operator.csv.yaml.in b/deploy/csv-templates/ocs-operator.csv.yaml.in
@@ -489,6 +489,7 @@ spec:
           - delete
           - get
           - list
+          - update
           - watch
         - apiGroups:
           - template.openshift.io
@@ -515,6 +516,12 @@ spec:
           - subjectaccessreviews
           verbs:
           - create
+        - apiGroups:
+          - storage.k8s.io
+          resources:
+          - storageclasses
+          verbs:
+          - create
         serviceAccountName: ux-backend-server
       deployments:
       - name: ocs-operator

diff --git a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
@@ -498,6 +498,7 @@ spec:
           - delete
           - get
           - list
+          - update
           - watch
         - apiGroups:
           - template.openshift.io
@@ -524,6 +525,12 @@ spec:
           - subjectaccessreviews
           verbs:
           - create
+        - apiGroups:
+          - storage.k8s.io
+          resources:
+          - storageclasses
+          verbs:
+          - create
         serviceAccountName: ux-backend-server
       deployments:
       - name: ocs-operator
@@ -555,11 +562,11 @@ spec:
                 - name: OCS_METRICS_EXPORTER_IMAGE
                   value: quay.io/ocs-dev/ocs-metrics-exporter:latest
                 - name: ROOK_CEPH_IMAGE
-                  value: quay.io/ocs-dev/rook-ceph:vmaster-c455c6812
+                  value: quay.io/ocs-dev/rook-ceph:vmaster-793bbb006
                 - name: CEPH_IMAGE
                   value: quay.io/ceph/ceph:v18.2.0
                 - name: NOOBAA_CORE_IMAGE
-                  value: quay.io/noobaa/noobaa-core:master-20240901
+                  value: quay.io/noobaa/noobaa-core:master-20241111
                 - name: NOOBAA_DB_IMAGE
                   value: quay.io/sclorg/postgresql-15-c9s
                 - name: PROVIDER_API_SERVER_IMAGE
@@ -716,7 +723,7 @@ spec:
   provider:
     name: Red Hat
   relatedImages:
-  - image: quay.io/ocs-dev/rook-ceph:vmaster-c455c6812
+  - image: quay.io/ocs-dev/rook-ceph:vmaster-793bbb006
     name: rook-container
   - image: quay.io/ceph/ceph:v18.2.0
     name: ceph-container

diff --git a/deploy/ocs-operator/manifests/storageconsumer.crd.yaml b/deploy/ocs-operator/manifests/storageconsumer.crd.yaml
@@ -76,6 +76,9 @@ spec:
               client:
                 description: Information of storage client received from consumer
                 properties:
+                  clientId:
+                    description: ID is the k8s UID of connected storageclient
+                    type: string
                   clusterId:
                     description: ClusterID is the id of the openshift cluster
                     type: string

diff --git a/deploy/ocs-operator/manifests/ux_backend_role.yaml b/deploy/ocs-operator/manifests/ux_backend_role.yaml
@@ -21,3 +21,10 @@ rules:
   verbs:
   - get
   - list
+  - update
+- apiGroups:
+  - ceph.rook.io
+  resources:
+  - cephblockpools
+  verbs:
+  - create