Created
October 18, 2019 11:31
-
-
Save sttts/f2feda2314368c012fc9f54246591319 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
diff --git a/pkg/operator/encryption/state/types.go b/pkg/operator/encryption/state/types.go | |
index 9a7174e4..4ca9fdab 100644 | |
--- a/pkg/operator/encryption/state/types.go | |
+++ b/pkg/operator/encryption/state/types.go | |
@@ -49,6 +49,18 @@ type MigrationState struct { | |
Resources []schema.GroupResource | |
} | |
+func (s *MigrationState) HasAll(rs []schema.GroupResource) bool { | |
+nextR: | |
+ for _, r := range rs { | |
+ for _, migrated := range s.Resources { | |
+ if migrated == r { | |
+ continue nextR | |
+ } | |
+ } | |
+ return false | |
+ } | |
+} | |
+ | |
// Mode is the value associated with the encryptionSecretMode annotation | |
type Mode string | |
diff --git a/pkg/operator/encryption/statemachine/transition.go b/pkg/operator/encryption/statemachine/transition.go | |
index b123984d..c671602a 100644 | |
--- a/pkg/operator/encryption/statemachine/transition.go | |
+++ b/pkg/operator/encryption/statemachine/transition.go | |
@@ -146,10 +146,27 @@ func getDesiredEncryptionState(oldEncryptionConfig *apiserverconfigv1.Encryption | |
allReadSecretsAsExpected := true | |
currentlyEncryptedGRs := oldEncryptedGRs | |
if oldEncryptionConfig == nil { | |
- // if the config is not there, we assume it was deleted. Assume worst case of all toBeEncryptedGRs were encrypted. | |
+ // if the config is not there, we assume it was deleted. Assume worst case when finding | |
+ // potentially persisted data keys. | |
currentlyEncryptedGRs = toBeEncryptedGRs | |
} | |
expectedReadSecrets := state.KeysWithPotentiallyPersistedData(currentlyEncryptedGRs, backedKeys) | |
+ if oldEncryptionConfig == nil && len(expectedReadSecrets) > 0 { | |
+ lastExpectedReadKey := expectedReadSecrets[len(expectedReadSecrets)-1] | |
+ | |
+ // we recover from a missing config. Normally we would go through identity here as a write key. | |
+ // But if we have found a key that has all GRs marked as migrated, this was still set as | |
+ // read key before because we only prune read keys from the config if the last remaining key | |
+ // has this property. | |
+ if lastExpectedReadKey.Migrated.HasAll(toBeEncryptedGRs) { | |
+ // set write key to last complete migration key | |
+ for gr, grState := range desiredEncryptionState { | |
+ grState.WriteKey = lastExpectedReadKey | |
+ desiredEncryptionState[gr] = grState | |
+ } | |
+ // allReadSecretsAsExpected will be false later because the expected read keys are missing | |
+ } | |
+ } | |
for gr, grState := range desiredEncryptionState { | |
changed := false | |
for _, expected := range expectedReadSecrets { |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment