Disabling key rotation

Disable key rotation for a storage class or specific persistent volume claim (PVC) by updating annotations or modifying the EncryptionKeyRotationCronJob to stop scheduled rotation.

You can disable key rotation for the following:

  • All the persistent volume claims (PVCs) of storage class
  • A specific PVC

Disabling key rotation for all PVCs of a storage class

To disable key rotation for all PVCs, update the annotation of the storage class:

Command example:
oc get storageclass rbd-sc
Example output:
NAME       PROVISIONER        RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
rbd-sc     rbd.csi.ceph.com   Delete          Immediate           true                   5d2h
Command example:
oc annotate storageclass rbd-sc "keyrotation.csiaddons.openshift.io/enable: false"
Example output:
storageclass.storage.k8s.io/rbd-sc annotated

Disabling key rotation for a specific persistent volume claim

  1. Identify the EncryptionKeyRotationCronJob CR for the PVC you want to disable key rotation on:
    oc get encryptionkeyrotationcronjob -o jsonpath='{range .items[?(@.spec.jobTemplate.spec.target.persistentVolumeClaim=="<PVC_NAME>")]}{.metadata.name}{"\n"}{end}'

    Where <PVC_NAME> is the name of the PVC that you want to disable.

  2. Apply the following to the EncryptionKeyRotationCronJob CR from the previous step to disable the key rotation:
    1. Update the csiaddons.openshift.io/state annotation from managed to unmanaged:
      oc annotate encryptionkeyrotationcronjob <encryptionkeyrotationcronjob_name> "csiaddons.openshift.io/state=unmanaged" --overwrite=true

      Where <encryptionkeyrotationcronjob_name> is the name of the EncryptionKeyRotationCronJob CR.

    2. Add suspend: true under the spec field:
      oc patch encryptionkeyrotationcronjob <encryptionkeyrotationcronjob_name> -p '{"spec": {"suspend": true}}' --type=merge.
    3. Save and exit. The key rotation is disabled for the PVC.