diff --git a/pkg/operator/encryption/state/types.go b/pkg/operator/encryption/state/types.go
index 9a7174e4..4ca9fdab 100644
--- a/pkg/operator/encryption/state/types.go
+++ b/pkg/operator/encryption/state/types.go
@@ -49,6 +49,18 @@ type MigrationState struct {
Resources []schema.GroupResource
}
+func (s *MigrationState) HasAll(rs []schema.GroupResource) bool {
+nextR:
+ for _, r := range rs {
+ for _, migrated := range s.Resources {
+ if migrated == r {
+ continue nextR
+ }
+ }
+ return false
+ }
+}
+
// Mode is the value associated with the encryptionSecretMode annotation
type Mode string
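Review bot: `HasAll` has no terminating statement on the path where every element of `rs` was found, so the body as written fails to compile with "missing return"; the closing brace needs `return true` before it. With that fix the method is vacuously true for an empty or nil `rs`, which matters because the caller in transition.go uses the result to decide whether a key may become the write key, so that case should be spelled out. As an exported method it also needs a doc comment, e.g. `// HasAll reports whether every resource in rs is recorded as migrated; it is true for an empty rs.`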
diff --git a/pkg/operator/encryption/statemachine/transition.go b/pkg/operator/encryption/statemachine/transition.go
index b123984d..c671602a 100644
--- a/pkg/operator/encryption/statemachine/transition.go
+++ b/pkg/operator/encryption/statemachine/transition.go
@@ -146,10 +146,27 @@ func getDesiredEncryptionState(oldEncryptionConfig *apiserverconfigv1.Encryption
allReadSecretsAsExpected := true
currentlyEncryptedGRs := oldEncryptedGRs
if oldEncryptionConfig == nil {
- // if the config is not there, we assume it was deleted. Assume worst case of all toBeEncryptedGRs were encrypted.
+ // if the config is not there, we assume it was deleted. Assume worst case when finding
+ // potentially persisted data keys.
currentlyEncryptedGRs = toBeEncryptedGRs
}
expectedReadSecrets := state.KeysWithPotentiallyPersistedData(currentlyEncryptedGRs, backedKeys)
+ if oldEncryptionConfig == nil && len(expectedReadSecrets) > 0 {
+ lastExpectedReadKey := expectedReadSecrets[len(expectedReadSecrets)-1]
+
+ // we recover from a missing config. Normally we would go through identity here as a write key.
+ // But if we have found a key that has all GRs marked as migrated, this was still set as
+ // read key before because we only prune read keys from the config if the last remaining key
+ // has this property.
+ if lastExpectedReadKey.Migrated.HasAll(toBeEncryptedGRs) {
+ // set write key to last complete migration key
+ for gr, grState := range desiredEncryptionState {
+ grState.WriteKey = lastExpectedReadKey
+ desiredEncryptionState[gr] = grState
+ }
+ // allReadSecretsAsExpected will be false later because the expected read keys are missing
+ }
+ }
for gr, grState := range desiredEncryptionState {
changed := false
for _, expected := range expectedReadSecrets {
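Review bot: Taking `expectedReadSecrets[len(expectedReadSecrets)-1]` as "the last complete migration key" relies on `state.KeysWithPotentiallyPersistedData` returning keys in a defined (presumably ascending key-ID) order, and nothing in the hunk establishes that; if the order is unspecified, a recovery from a deleted config could promote an older key to write key. The ordering assumption should be stated where it is relied on, e.g. `// relies on KeysWithPotentiallyPersistedData returning keys oldest-first; the last entry is the newest candidate`, or the selection should pick the newest key explicitly. The `HasAll` check is also vacuously satisfied when `toBeEncryptedGRs` is empty, so the branch would set a write key with nothing to encrypt; a `len(toBeEncryptedGRs) > 0` guard in the condition on the `if oldEncryptionConfig == nil` line would make that intent explicit. The comment that `allReadSecretsAsExpected` "will be false later" describes code outside the hunk and should be verified against it; getDesiredEncryptionState starts and ends outside this hunk.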