Enabling key rotation
Enable key rotation by adding the required annotation to a Namespace,
StorageClass, or PersistentVolumeClaim.
To enable key rotation, add the annotation keyrotation.csiaddons.openshift.io/schedule: <value> to a PersistentVolumeClaim, Namespace, or StorageClass (in decreasing order of precedence).
<value> can be @hourly, @daily, @weekly, @monthly, or @yearly. If <value> is empty, the default is @weekly. The following examples use @weekly.
Important: Key rotation is only supported for RBD-backed volumes.
Annotating Namespace
Command example:
oc get namespace default
Example output:
NAME      STATUS   AGE
default   Active   5d2h
Command example:
oc annotate namespace default "keyrotation.csiaddons.openshift.io/schedule=@weekly"
Example output:
namespace/default annotated
Annotating StorageClass
Command example:
oc get storageclass rbd-sc
Example output:
NAME     PROVISIONER        RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
rbd-sc   rbd.csi.ceph.com   Delete          Immediate           true                   5d2h
Command example:
oc annotate storageclass rbd-sc "keyrotation.csiaddons.openshift.io/schedule=@weekly"
Example output:
storageclass.storage.k8s.io/rbd-sc annotated
Annotating PersistentVolumeClaim
Command example:
oc get pvc data-pvc
Example output:
NAME       STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
data-pvc   Bound    pvc-f37b8582-4b04-4676-88dd-e1b95c6abf74   1Gi        RWO            default        20h
Command example:
oc annotate pvc data-pvc "keyrotation.csiaddons.openshift.io/schedule=@weekly"
Example output:
persistentvolumeclaim/data-pvc annotated
Command example:
oc get encryptionkeyrotationcronjobs.csiaddons.openshift.io
Example output:
NAME                  SCHEDULE   SUSPEND   ACTIVE   LASTSCHEDULE   AGE
data-pvc-1642663516   @weekly                                      3s
Command example:
oc annotate pvc data-pvc "keyrotation.csiaddons.openshift.io/schedule=*/1 * * * *" --overwrite=true
Example output:
persistentvolumeclaim/data-pvc annotated
Command example:
oc get encryptionkeyrotationcronjobs.csiaddons.openshift.io
Example output:
NAME                  SCHEDULE      SUSPEND   ACTIVE   LASTSCHEDULE   AGE
data-pvc-1642664617   */1 * * * *                                     3s
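The precedence rule described at the top of this page, as an added example that is not part of the original documentation: it resolves the effective key rotation schedule for each PersistentVolumeClaim and flags claims with no schedule or with an annotation on a volume that is not RBD-backed. The input objects are constructed samples trimmed from the shape of `oc get ... -o json` items; the function names, the sample objects other than default, rbd-sc and data-pvc, the provisioner-suffix check for RBD, and resolving a present-but-empty annotation at the level where it is set are assumptions.

```python
ANNOTATION = "keyrotation.csiaddons.openshift.io/schedule"
DEFAULT_SCHEDULE = "@weekly"  # the page's default when <value> is empty

def effective_schedule(pvc, namespace, storage_class):
    """Return (schedule, source kind), or (None, None) if no object is annotated."""
    # Decreasing order of precedence, as the page states it.
    for kind, obj in (("PersistentVolumeClaim", pvc), ("Namespace", namespace),
                      ("StorageClass", storage_class)):
        ann = obj.get("metadata", {}).get("annotations") or {}
        if ANNOTATION in ann:
            # Assumption: an empty value takes the default at this level.
            return ann[ANNOTATION] or DEFAULT_SCHEDULE, kind
    return None, None

def audit(pvcs, namespaces, storage_classes):
    """Map 'namespace/name' to (schedule, source, finding) for every PVC."""
    report = {}
    for pvc in pvcs:
        meta = pvc["metadata"]
        sc = storage_classes.get(pvc["spec"].get("storageClassName"), {})
        schedule, source = effective_schedule(
            pvc, namespaces.get(meta["namespace"], {}), sc)
        # Assumption: an RBD-backed class has a provisioner ending in rbd.csi.ceph.com.
        is_rbd = sc.get("provisioner", "").endswith("rbd.csi.ceph.com")
        if schedule is None:
            finding = "no rotation schedule"
        elif not is_rbd:
            finding = "annotated but not RBD-backed"
        else:
            finding = "ok"
        report[f'{meta["namespace"]}/{meta["name"]}'] = (schedule, source, finding)
    return report

def sample(name, schedule=None, namespace=None, **fields):
    """Build a constructed sample object with only the fields used above."""
    meta = {"name": name, "namespace": namespace}
    if schedule is not None:
        meta["annotations"] = {ANNOTATION: schedule}
    return {"metadata": meta, **fields}

def pvc(ns, name, sc, schedule=None):
    return sample(name, schedule, ns, spec={"storageClassName": sc})

# Constructed sample data.
NAMESPACES = {"default": sample("default", "@monthly"), "scratch": sample("scratch")}
STORAGE_CLASSES = {"rbd-sc": sample("rbd-sc", "@weekly", provisioner="rbd.csi.ceph.com"),
                   "fs-sc": sample("fs-sc", provisioner="cephfs.csi.ceph.com")}
PVCS = [pvc("default", "data-pvc", "rbd-sc", "@daily"), pvc("default", "logs-pvc", "rbd-sc"),
        pvc("scratch", "tmp-pvc", "rbd-sc", ""), pvc("scratch", "cache-pvc", "rbd-sc"),
        pvc("default", "share-pvc", "fs-sc"), pvc("scratch", "plain-pvc", "fs-sc")]
```

Calling `audit(PVCS, NAMESPACES, STORAGE_CLASSES)` returns one entry per claim; against a live cluster the three inputs would be built from the `items` lists of `oc get pvc -A -o json`, `oc get namespace -o json` and `oc get storageclass -o json`.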