Disabling key rotation for Kubernetes authentication

You can disable key rotation for the following:
  • All the persistent volume claims (PVCs) of a storage class
  • A specific PVC

Disabling key rotation for all PVCs of a storage class

To disable key rotation for all PVCs, update the annotation of the storage class:
oc get storageclass rbd-sc
NAME       PROVISIONER        RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
rbd-sc     rbd.csi.ceph.com   Delete          Immediate           true                   5d2h
oc annotate storageclass rbd-sc "keyrotation.csiaddons.openshift.io/enable=false"
storageclass.storage.k8s.io/rbd-sc annotated

Disabling key rotation for a specific persistent volume claim

  1. Identify the EncryptionKeyRotationCronJob CR for the PVC you want to disable key rotation on:
    oc get encryptionkeyrotationcronjob -o jsonpath='{range .items[?(@.spec.jobTemplate.spec.target.persistentVolumeClaim=="<PVC_NAME>")]}{.metadata.name}{"\n"}{end}'
    Where <PVC_NAME> is the name of the PVC that you want to disable.
  2. Apply the following to the EncryptionKeyRotationCronJob CR from the previous step to disable the key rotation:
    1. Update the csiaddons.openshift.io/state annotation from managed to unmanaged:
      oc annotate encryptionkeyrotationcronjob <encryptionkeyrotationcronjob_name> "csiaddons.openshift.io/state=unmanaged" --overwrite=true
      Where <encryptionkeyrotationcronjob_name> is the name of the EncryptionKeyRotationCronJob CR.
    2. Add suspend: true under the spec field:
      oc patch encryptionkeyrotationcronjob <encryptionkeyrotationcronjob_name> -p '{"spec": {"suspend": true}}' --type=merge
  3. Save and exit. The key rotation will be disabled for the PVC.
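
To review which PVCs have had key rotation switched off by the procedure above, the following added example (not part of the product documentation) classifies EncryptionKeyRotationCronJob CRs from the JSON that `oc get encryptionkeyrotationcronjob -o json` returns. The sample objects are constructed, and the verdict names "disabled", "partial" and "active" are this example's own labels.

```python
import json
import sys

STATE_ANNOTATION = "csiaddons.openshift.io/state"


def _cr(name, pvc, state, suspend=None):
    """Build a constructed sample CR with only the fields the audit reads."""
    spec = {"jobTemplate": {"spec": {"target": {"persistentVolumeClaim": pvc}}}}
    if suspend is not None:
        spec["suspend"] = suspend
    return {"metadata": {"name": name, "annotations": {STATE_ANNOTATION: state}},
            "spec": spec}


# Constructed sample data, not output from a real cluster.
SAMPLE = {"items": [
    _cr("pvc-a-rotation", "pvc-a", "unmanaged", True),   # both steps applied
    _cr("pvc-b-rotation", "pvc-b", "managed"),           # untouched
    _cr("pvc-c-rotation", "pvc-c", "managed", True),     # only suspend applied
]}


def rotation_status(cr):
    """Classify one CR by the two settings the procedure changes."""
    meta, spec = cr.get("metadata", {}), cr.get("spec", {})
    state = (meta.get("annotations") or {}).get(STATE_ANNOTATION, "")
    suspended = spec.get("suspend") is True
    pvc = (spec.get("jobTemplate", {}).get("spec", {})
               .get("target", {}).get("persistentVolumeClaim", ""))
    if state == "unmanaged" and suspended:
        verdict = "disabled"   # annotation and suspend both set
    elif state == "unmanaged" or suspended:
        verdict = "partial"    # only one of the two steps was applied
    else:
        verdict = "active"
    return {"name": meta.get("name", ""), "pvc": pvc, "state": state,
            "suspend": suspended, "verdict": verdict}


def audit(cr_list):
    """Return one status row per CR in an `oc get ... -o json` list."""
    return [rotation_status(cr) for cr in cr_list.get("items", [])]


if __name__ == "__main__":
    # Pass a file holding the saved `oc get ... -o json` output, or run
    # without arguments to use the constructed sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for row in audit(data):
        print("{verdict:9} {pvc:12} {name} state={state!r} suspend={suspend}".format(**row))
```

A "partial" row marks a CR where only one of the two changes from step 2 is present.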