CNTRLPLANE-3661: add etcd data re-encryption after encryption key rotation (#8219) #8790
|
Pipeline controller notification For optional jobs, comment This repository is configured in: LGTM mode |
|
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## release-4.22 #8790 +/- ##
================================================
+ Coverage 35.45% 35.71% +0.26%
================================================
Files 767 774 +7
Lines 93724 94614 +890
================================================
+ Hits 33226 33795 +569
- Misses 57785 58050 +265
- Partials 2713 2769 +56
|
- Add a re-encryption controller in the HCCO that detects encryption key rotations and triggers StorageVersionMigration CRs to re-encrypt all existing etcd data with the new active key
- Track progress through a new EtcdDataEncryptionUpToDate condition on HCP/HostedCluster
- Vendor library-go's KubeStorageVersionMigrator and kube-storage-version-migrator informer/lister packages
47cda15 to
fafc784
|
@muraee: This pull request references CNTRLPLANE-3661 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set. |
|
/approve for API |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JoelSpeed, muraee |
|
/verified by ahitacat Then I have rotated the key and updated the cluster. I could see the EtcdDataEncryptionUpToDate And the status.secretEncryption.activeKey is equal to the expected one: It seems OK enough to me to merge it. |
|
@ahitacat: This PR has been marked as verified by |
|
Scheduling tests matching the |
AI Test Failure Analysis Job: Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6 |
|
/retest-required |
|
/hold Revision fafc784 was retested 3 times: holding |
|
/override ci/prow/e2e-aws |
|
/hold cancel |
|
@celebdor: Overrode contexts on behalf of celebdor: ci/prow/e2e-aws |
|
@muraee: The following test failed, say
|
4b28599
into
openshift:release-4.22
….0-4.22.3

Add azure CPO image overrides for 4.22 to backport API-driven Azure topology and private connectivity (CNTRLPLANE-3619, PR openshift#8721) and etcd data re-encryption after encryption key rotation (CNTRLPLANE-3656, PR openshift#8790).

4.22.4 does not need an override: both PRs merged 2026-06-26, before the 4.22.4 development cutoff (2026-07-01).

- 4.22.0-4.22.3: CNTRLPLANE-3619 (PR openshift#8721), CNTRLPLANE-3656 (PR openshift#8790)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
manual backport of #8219