Skip to content

[KMS] Strategy for storage migration #111925

New issue
New issue
Open
Open
[KMS] Strategy for storage migration#111925
Assignees
enj
Labels
sig/authCategorizes an issue or PR as relevant to SIG Auth.triage/acceptedIndicates an issue or PR is ready to be actively worked on.
Milestone
 
v1.34
@aramase

Description

@aramase
aramase
opened on Aug 18, 2022

Creating this umbrella issue to track how we handle storage migration for kms:

  • How to interact with kms v2 design of using currentKeyID
  • How will it work for v1beta1to enable migration from AES-CBC to AES-GCM

    kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go

    Lines 490 to 492 in d581cc9

    // TODO(aramase): Post v1.25: We cannot drop CBC read support until we automate storage migration.
    // We could have a release note that hard requires users to perform storage migration.
    return unionTransformers{aestransformer.NewGCMTransformer(block), aestransformer.NewCBCTransformer(block)}

/sig auth
/cc @enj
/triage accepted

Metadata

Metadata

Assignees

Labels

sig/authCategorizes an issue or PR as relevant to SIG Auth.triage/acceptedIndicates an issue or PR is ready to be actively worked on.

Type

No type

Projects

[sig-release] Bug Triage

Status

Tracked
SIG Auth: KMS v2

Status

New KEP
SIG Auth

Status

Backlog

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions