Enhancement: etcd data re-encryption for key rotation in HyperShift #1969
muraee wants to merge 1 commit into openshift:master from
[APPROVALNOTIFIER] This PR is NOT APPROVED.
Force-pushed from ae1dfec to eabd02a
> ### Non-Goals
>
> 1. Management of the creation and renewal of encryption keys --
>    keys are managed externally (by the ARO RP or user).
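Review bot: "keys are managed externally" should be qualified here, because the PR description has the CPO computing a key fingerprint from the kas-secret-encryption-config secret. State in this non-goal what the design does read from the key material (a fingerprint for change detection only, with the key bytes never copied out of the secret), so that "managed externally" is not read as "never touched by HyperShift components".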
Maybe the ARO HCP specific language should be dropped here since this works on other platforms?
Good point. The motivation for calling out ARO-HCP specifically is that it's the primary driver for this work (the S360 compliance requirement is what makes re-encryption mandatory rather than nice-to-have). That said, the solution itself is fully generic and platform-agnostic.
I can rephrase to lead with the generic value ("any customer relying on key rotation as a security control") and mention ARO-HCP as the motivating use case rather than making it sound ARO-specific. Happy to update this if you'd like.
AI-assisted response via Claude Code
enhancements/hypershift/etcd-data-reencryption-on-key-rotation.md (comment outdated, resolved)
Force-pushed from eabd02a to 7b4c875
ardaguclu left a comment:
I specifically focused on Why KubeStorageVersionMigrator Instead of MigrationController section. It looks good to me. I dropped a comment more about agreement instead of any objection.
> ### Implementation Details/Notes/Constraints
>
> #### Why KubeStorageVersionMigrator Instead of MigrationController
Not using MigrationController is a better idea because it is tightly coupled with other encryption controllers and I'm not sure that it works properly without them.
Add a re-encryption controller in the HCCO that triggers StorageVersionMigration after an encryption key rotation, ensuring all existing etcd data is re-encrypted with the new active key.

Components:
- API: EtcdDataEncryptionUpToDate condition type and reasons
- CPO: key fingerprint computation and rekey-needed annotation on kas-secret-encryption-config secret
- HCCO: new reencryption controller using library-go's KubeStorageVersionMigrator to drive StorageVersionMigration CRs
- HyperShift Operator: condition bubble-up from HCP to HostedCluster

Ref: OCPSTRAT-2527, OCPSTRAT-2540
Enhancement: openshift/enhancements#1969
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
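The CPO step the commit message describes (fingerprint the active key, then set a rekey-needed annotation on the kas-secret-encryption-config secret when the fingerprint changes), as an added Go example that is not the PR's own code. It assumes a minimal mirror of the apiserver EncryptionConfiguration shape, placeholder annotation keys (the page does not give the real ones), and a constructed sample config.

```go
package main
import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Minimal mirror of the apiserver EncryptionConfiguration (assumption: the real
// type is in k8s.io/apiserver; encoding/json matches field names case-insensitively).
type keyConf struct{ Name, Secret string }
type provider struct{ AESCBC *struct{ Keys []keyConf } }
type encryptionConfig struct{ Resources []struct{ Providers []provider } }
// Placeholder annotation keys: the enhancement names a "rekey-needed" annotation
// on kas-secret-encryption-config, but the exact key is not on the page.
const AnnoFingerprint = "placeholder.example/active-key-fingerprint"
const AnnoRekeyNeeded = "placeholder.example/rekey-needed"
// Constructed sample in the JSON form of the apiserver file: key2 is the active
// write key, key1 is kept only so data written before rotation can still be read.
const SampleConfig = `{"resources":[{"resources":["secrets"],"providers":[{"aescbc":{"keys":[
{"name":"key2","secret":"bmV3LWtleQ=="},{"name":"key1","secret":"b2xkLWtleQ=="}]}},{"identity":{}}]}]}`

// ActiveKeyFingerprint hashes the write key (first key of the first provider, the one
// kube-apiserver uses for new writes); only the digest is recorded, never the key bytes.
func ActiveKeyFingerprint(raw []byte) (string, error) {
	var cfg encryptionConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", err
	}
	var keys []keyConf
	if len(cfg.Resources) > 0 && len(cfg.Resources[0].Providers) > 0 && cfg.Resources[0].Providers[0].AESCBC != nil {
		keys = cfg.Resources[0].Providers[0].AESCBC.Keys
	}
	if len(keys) == 0 { // no providers, or identity first: encryption is off, nothing to fingerprint
		return "", errors.New("no aescbc write key in first provider")
	}
	sum := sha256.Sum256([]byte(keys[0].Name + ":" + keys[0].Secret))
	return hex.EncodeToString(sum[:]), nil
}

// Reconcile mirrors the CPO step: it returns the annotations to patch onto the secret,
// recording the current fingerprint and flagging rekey-needed only when a previously
// recorded fingerprint differs (a first reconcile has no old data to re-encrypt).
func Reconcile(annotations map[string]string, fp string) map[string]string {
	out := map[string]string{AnnoFingerprint: fp}
	if prev, ok := annotations[AnnoFingerprint]; ok && prev != fp {
		out[AnnoRekeyNeeded] = "true"
	}
	return out
}
```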
Force-pushed from 7b4c875 to 82ddb23
@muraee: all tests passed!
Summary
- `KubeStorageVersionMigrator` from library-go to create `StorageVersionMigration` CRs in the guest cluster, transparently re-encrypting all encrypted resources with the active key
- `EtcdDataEncryptionUpToDate` condition on HCP/HostedCluster for progress tracking

Tracks: OCPSTRAT-2527, OCPSTRAT-2540
Related: ARO-21568, ARO-21456
Test plan
🤖 Generated with Claude Code