OCPSTRAT-2527, OCPSTRAT-2540: Enhancement: etcd data re-encryption for key rotation in HyperShift#1969
Open
muraee wants to merge 2 commits intoopenshift:masterfrom
Open
OCPSTRAT-2527, OCPSTRAT-2540: Enhancement: etcd data re-encryption for key rotation in HyperShift#1969muraee wants to merge 2 commits intoopenshift:masterfrom
muraee wants to merge 2 commits intoopenshift:masterfrom
Conversation
Contributor
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
muraee
force-pushed
the
hypershift-etcd-reencryption
branch
from
ae1dfec to
eabd02a
Compare
bryan-cox
reviewed
Apr 10, 2026
| ### Non-Goals | ||
|
|
||
| 1. Management of the creation and renewal of encryption keys -- | ||
| keys are managed externally (by the ARO RP or user). |
Member
There was a problem hiding this comment.
Maybe the ARO HCP specific language should be dropped here since this works on other platforms?
Author
There was a problem hiding this comment.
Good point. The motivation for calling out ARO-HCP specifically is that it's the primary driver for this work (the S360 compliance requirement is what makes re-encryption mandatory rather than nice-to-have). That said, the solution itself is fully generic and platform-agnostic.
I can rephrase to lead with the generic value ("any customer relying on key rotation as a security control") and mention ARO-HCP as the motivating use case rather than making it sound ARO-specific. Happy to update this if you'd like.
AI-assisted response via Claude Code
muraee
force-pushed
the
hypershift-etcd-reencryption
branch
from
eabd02a to
7b4c875
Compare
ardaguclu
reviewed
Apr 13, 2026
Member
ardaguclu
left a comment
ardaguclu
left a comment
There was a problem hiding this comment.
I specifically focused on Why KubeStorageVersionMigrator Instead of MigrationController section. It looks good to me. I dropped a comment more about agreement instead of any objection.
muraee
added a commit
to muraee/hypershift
that referenced
this pull request
Apr 13, 2026
Add a re-encryption controller in the HCCO that triggers StorageVersionMigration after an encryption key rotation, ensuring all existing etcd data is re-encrypted with the new active key. Components: - API: EtcdDataEncryptionUpToDate condition type and reasons - CPO: key fingerprint computation and rekey-needed annotation on kas-secret-encryption-config secret - HCCO: new reencryption controller using library-go's KubeStorageVersionMigrator to drive StorageVersionMigration CRs - HyperShift Operator: condition bubble-up from HCP to HostedCluster Ref: OCPSTRAT-2527, OCPSTRAT-2540 Enhancement: openshift/enhancements#1969 Co-Authored-By: Claude Opus 4.6 <[email protected]>
7 tasks
muraee
added a commit
to muraee/hypershift
that referenced
this pull request
Apr 13, 2026
Add a re-encryption controller in the HCCO that triggers StorageVersionMigration after an encryption key rotation, ensuring all existing etcd data is re-encrypted with the new active key. Components: - API: EtcdDataEncryptionUpToDate condition type and reasons - CPO: key fingerprint computation and rekey-needed annotation on kas-secret-encryption-config secret - HCCO: new reencryption controller using library-go's KubeStorageVersionMigrator to drive StorageVersionMigration CRs - HyperShift Operator: condition bubble-up from HCP to HostedCluster Ref: OCPSTRAT-2527, OCPSTRAT-2540 Enhancement: openshift/enhancements#1969 Co-Authored-By: Claude Opus 4.6 <[email protected]>
muraee
added a commit
to muraee/hypershift
that referenced
this pull request
Apr 13, 2026
Add a re-encryption controller in the HCCO that triggers StorageVersionMigration after an encryption key rotation, ensuring all existing etcd data is re-encrypted with the new active key. Components: - API: EtcdDataEncryptionUpToDate condition type and reasons - CPO: key fingerprint computation and rekey-needed annotation on kas-secret-encryption-config secret - HCCO: new reencryption controller using library-go's KubeStorageVersionMigrator to drive StorageVersionMigration CRs - HyperShift Operator: condition bubble-up from HCP to HostedCluster Ref: OCPSTRAT-2527, OCPSTRAT-2540 Enhancement: openshift/enhancements#1969 Co-Authored-By: Claude Opus 4.6 <[email protected]>
muraee
added a commit
to muraee/hypershift
that referenced
this pull request
Apr 13, 2026
Add a re-encryption controller in the HCCO that triggers StorageVersionMigration after an encryption key rotation, ensuring all existing etcd data is re-encrypted with the new active key. Components: - API: EtcdDataEncryptionUpToDate condition type and reasons - CPO: key fingerprint computation and rekey-needed annotation on kas-secret-encryption-config secret - HCCO: new reencryption controller using library-go's KubeStorageVersionMigrator to drive StorageVersionMigration CRs - HyperShift Operator: condition bubble-up from HCP to HostedCluster Ref: OCPSTRAT-2527, OCPSTRAT-2540 Enhancement: openshift/enhancements#1969 Co-Authored-By: Claude Opus 4.6 <[email protected]>
muraee
added a commit
to muraee/hypershift
that referenced
this pull request
Apr 14, 2026
Add a re-encryption controller in the HCCO that triggers StorageVersionMigration after an encryption key rotation, ensuring all existing etcd data is re-encrypted with the new active key. Components: - API: EtcdDataEncryptionUpToDate condition type and reasons - CPO: key fingerprint computation and rekey-needed annotation on kas-secret-encryption-config secret - HCCO: new reencryption controller using library-go's KubeStorageVersionMigrator to drive StorageVersionMigration CRs - HyperShift Operator: condition bubble-up from HCP to HostedCluster Ref: OCPSTRAT-2527, OCPSTRAT-2540 Enhancement: openshift/enhancements#1969 Co-Authored-By: Claude Opus 4.6 <[email protected]>
Co-Authored-By: Claude Opus 4.6 <[email protected]>
muraee
force-pushed
the
hypershift-etcd-reencryption
branch
from
7b4c875 to
82ddb23
Compare
muraee
added a commit
to muraee/hypershift
that referenced
this pull request
Apr 14, 2026
Add a re-encryption controller in the HCCO that triggers StorageVersionMigration after an encryption key rotation, ensuring all existing etcd data is re-encrypted with the new active key. Components: - API: EtcdDataEncryptionUpToDate condition type and reasons - CPO: key fingerprint computation and rekey-needed annotation on kas-secret-encryption-config secret - HCCO: new reencryption controller using library-go's KubeStorageVersionMigrator to drive StorageVersionMigration CRs - HyperShift Operator: condition bubble-up from HCP to HostedCluster Ref: OCPSTRAT-2527, OCPSTRAT-2540 Enhancement: openshift/enhancements#1969 Co-Authored-By: Claude Opus 4.6 <[email protected]>
muraee
added a commit
to muraee/hypershift
that referenced
this pull request
Apr 14, 2026
Add a re-encryption controller in the HCCO that triggers StorageVersionMigration after an encryption key rotation, ensuring all existing etcd data is re-encrypted with the new active key. Components: - API: EtcdDataEncryptionUpToDate condition type and reasons - CPO: key fingerprint computation and rekey-needed annotation on kas-secret-encryption-config secret - HCCO: new reencryption controller using library-go's KubeStorageVersionMigrator to drive StorageVersionMigration CRs - HyperShift Operator: condition bubble-up from HCP to HostedCluster Ref: OCPSTRAT-2527, OCPSTRAT-2540 Enhancement: openshift/enhancements#1969 Co-Authored-By: Claude Opus 4.6 <[email protected]>
muraee
added a commit
to muraee/hypershift
that referenced
this pull request
Apr 15, 2026
Add a re-encryption controller in the HCCO that triggers StorageVersionMigration after an encryption key rotation, ensuring all existing etcd data is re-encrypted with the new active key. Components: - API: EtcdDataEncryptionUpToDate condition type and reasons - CPO: key fingerprint computation and rekey-needed annotation on kas-secret-encryption-config secret - HCCO: new reencryption controller using library-go's KubeStorageVersionMigrator to drive StorageVersionMigration CRs - HyperShift Operator: condition bubble-up from HCP to HostedCluster Ref: OCPSTRAT-2527, OCPSTRAT-2540 Enhancement: openshift/enhancements#1969 Co-Authored-By: Claude Opus 4.6 <[email protected]>
muraee
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@muraee: This pull request references OCPSTRAT-2527 which is a valid jira issue. This pull request references OCPSTRAT-2540 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Contributor
|
Just a couple of thoughts for kms in general:
|
Contributor
|
Could we reflect in HostedCluster status which keys are actively being used and reject spec changes that could potentially result in data loss? |
enxebre
reviewed
Apr 17, 2026
| read provider. However, there is no mechanism to re-encrypt existing | ||
| etcd data with the new key after rotation. This enhancement adds a | ||
| re-encryption controller in the Hosted Cluster Config Operator (HCCO) | ||
| that leverages the existing `kube-storage-version-migrator` in every |
Member
There was a problem hiding this comment.
this would tie our ability to rotate with having data plane compute which we don't want to
Author
There was a problem hiding this comment.
addressed, the kube-storage-version-migrator will run in the ControlPlane
…ackupKey - Deploy kube-storage-version-migrator in HCP namespace (control plane) instead of data plane, enabling re-encryption with zero worker nodes - Disable data-plane operator via annotation removal in cluster-kube-storage-version-migrator-operator repo - Add status.secretEncryption.activeKey field to HC/HCP with full key spec for rotation detection and EncryptionConfiguration resilience - Deprecate backupKey spec fields in favor of status-based tracking - Update workflow, architecture, risks, and support procedures Co-Authored-By: Claude Opus 4.6 <[email protected]>
muraee
force-pushed
the
hypershift-etcd-reencryption
branch
from
5c2acd4 to
4401ea1
Compare
Contributor
|
@muraee: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
KubeStorageVersionMigratorfrom library-go to createStorageVersionMigrationCRs in the guest cluster, transparently re-encrypting all encrypted resources with the active keyEtcdDataEncryptionUpToDatecondition on HCP/HostedCluster for progress trackingTracks: OCPSTRAT-2527, OCPSTRAT-2540
Related: ARO-21568, ARO-21456
Test plan
🤖 Generated with Claude Code