OCPSTRAT-2527, OCPSTRAT-2540: Enhancement: etcd data re-encryption for key rotation in HyperShift

[muraee]

Summary

• Add enhancement proposal for etcd data re-encryption after encryption key rotation in HyperShift
• Introduces a new HCCO controller that leverages KubeStorageVersionMigrator from library-go to create StorageVersionMigration CRs in the guest cluster, transparently re-encrypting all encrypted resources with the active key
• Adds EtcdDataEncryptionUpToDate condition on HCP/HostedCluster for progress tracking
• Guards against premature backup key removal
• Supports all encryption types (Azure KMS, AWS KMS, IBM Cloud KMS, AESCBC)

Tracks: OCPSTRAT-2527, OCPSTRAT-2540
Related: ARO-21568, ARO-21456

Test plan

• Unit tests for key fingerprint computation and controller reconciliation logic
• Integration tests for StorageVersionMigration CR lifecycle
• E2E tests for Azure KMS and AESCBC key rotation with re-encryption

🤖 Generated with Claude Code

[ardaguclu]

I specifically focused on Why KubeStorageVersionMigrator Instead of MigrationController section. It looks good to me. I dropped a comment more about agreement instead of any objection.

[openshift-ci-robot]

@muraee: This pull request references OCPSTRAT-2527 which is a valid jira issue.

This pull request references OCPSTRAT-2540 which is a valid jira issue.

Details

In response to this:

Summary

• Add enhancement proposal for etcd data re-encryption after encryption key rotation in HyperShift
• Introduces a new HCCO controller that leverages KubeStorageVersionMigrator from library-go to create StorageVersionMigration CRs in the guest cluster, transparently re-encrypting all encrypted resources with the active key
• Adds EtcdDataEncryptionUpToDate condition on HCP/HostedCluster for progress tracking
• Guards against premature backup key removal
• Supports all encryption types (Azure KMS, AWS KMS, IBM Cloud KMS, AESCBC)

Tracks: OCPSTRAT-2527, OCPSTRAT-2540
Related: ARO-21568, ARO-21456

Test plan

• Unit tests for key fingerprint computation and controller reconciliation logic
• Integration tests for StorageVersionMigration CR lifecycle
• E2E tests for Azure KMS and AESCBC key rotation with re-encryption

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[csrwng]

Just a couple of thoughts for kms in general:

• we currently run the kube-storage-version-migrator in the data plane. I really see no good reason to do so, since we don't need workers to migrate storage, but having no workers would block migration if we leave it where it is.
• (orthogonal but relevant) we're not consistently encrypting resources. Latest code seems to enable encryption for secrets if doing aescbc encryption, but secrets,configmaps,routes,oauthaccesstokens,oauthauthorizetokens when doing kms encryption. Furthermore, routes,oauthaccesstokens, and oauthauthorizetokens are not getting encrypted in any case because we would need the kms sidecar on the openshift apiservers that serve those resources.
• we should fix the API. Currently, we only allow main/backup key of the same type (all aescbc, or all kms, etc). It should be possible to have multiple keys of different types given that it's what upstream kubernetes allows.
• we're not doing key rotation properly. When we introduce a new main key, that key should first be added as a backup/read key to all instances of kube-apiserver. Once that has rolled out, then we can start making the new key the write key. Otherwise, when we introduce the new write key to the first instance of kube-apiserver, it could start encrypting with the new key, the other instances that have not been updated, will potentially start crashlooping because they cannot decode the secrets encoded with the new key.

[csrwng]

Could we reflect in HostedCluster status which keys are actively being used and reject spec changes that could potentially result in data loss?

[csrwng]

Thank you for the latest changes @muraee !

Some general comments:

• We shouldn't rely on VAP for enforcing the behavior we want. I think we should build the feature assuming that there is no VAP and only add the VAP as a nice API UX improvement. To this end, we should have a way of ignoring a change to the spec while we're in the process of migrating storage. Or immediately accept the new spec, but keep the previously incomplete provider config so we can decrypt it and safely migrate to the new one.
• We're not yet addressing the issue of breaking existing instances of kube apiserver while adding a new encryption provider. If we immediately start encrypting with whatever the user put in the spec, and roll that change out to the kube apiserver, only the first instance where the change is applied will be available, while the other 2 instances will potentially crash loop until their config changes. Rolling out a new key/provider should be done in 2 stages.
• While we're deprecating the back up key configuration, we cannot ignore it completely. If you have a back up key in your spec, we need to include it in the KAS's configuration so we can decrypt with it.
• For the status, it seems that what we need is a list of encryption configurations instead of just one active one. That would allow us to keep track of back up keys, incomplete migrations, etc. and also keep track of the state when rolling out a new write configuration.

[muraee]

Thanks for the thorough review @csrwng! I've updated the enhancement to address all four points. Here's a summary of the changes:

Point 1 (VAP-independent safety): The system is now designed to be safe without the VAP. When a rotation is in progress (rolloutPhase is not empty), the HCCO controller continues with the snapshotted targetKey and ignores subsequent spec changes. Once the current rotation completes, the controller detects the new spec key mismatch and starts a fresh rotation. The VAP is reframed as a UX improvement — it gives users a clear admission-time error ("wait for re-encryption to complete") rather than silently queuing the change.

Point 2 (Two-stage KAS rollout): The workflow now uses a three-phase state machine driven by status.secretEncryption.rolloutPhase:

• Stage 1 (ReadOnlyDeploy): The new key is added as a read-only provider. The old key remains the write provider. During this rolling update, no pod writes with the new key, so all reads succeed across all replicas.
• Stage 2 (WritePromote): The new key is promoted to write provider, old key becomes read-only. Pods still on the previous config already have the new key as a read-only provider (from Stage 1), so they can decrypt data written by new-config pods.
• Stage 3 (Migrating): All KAS replicas have converged — StorageVersionMigration CRs are created to re-encrypt existing data.

The HCCO waits for full KAS convergence (updatedReplicas == replicas == readyReplicas) between each phase transition.

Point 3 (backupKey honored): spec.backupKey is used as a fallback when status.secretEncryption.activeKey is not yet set (upgrade transition — status not yet populated). However, once the status is initialized, backupKey cannot be honored alongside the status-driven keys because during a rotation both KMS sidecar slots are occupied by status.activeKey and status.targetKey — there is no third sidecar to service a spec.backupKey. For AESCBC (keys are inline, no sidecar needed) this constraint doesn't strictly apply, but for consistency and since backupKey is deprecated, we treat it uniformly as a transition-period fallback.

Point 4 (list vs single key status): Instead of a full list, the status now uses two named fields — activeKey (confirmed encrypted) and targetKey (being rolled out) — plus a rolloutPhase enum. This maps directly to the two-sidecar hardware constraint for KMS providers while providing the state tracking needed for the rollout and mid-rotation safety. The rolloutPhase field drives the CPO's EncryptionConfiguration generation via a simple lookup table.

[csrwng]

Review of the etcd data re-encryption enhancement. Please see inline comments for detailed feedback.

[enxebre]

did you mean storagemigration.k8s.io/v1beta1? https://kubernetes.io/docs/tasks/manage-kubernetes-objects/storage-version-migration/
we wouldn't want to rely on an alpha API for this

[muraee]

@enxebre These are actually two different API groups:

• migration.k8s.io/v1alpha1 — out-of-tree CRD from kube-storage-version-migrator, deployed by OpenShift's cluster-kube-storage-version-migrator-operator. This is what library-go's KubeStorageVersionMigrator uses (still current — no PRs to migrate it).
• storagemigration.k8s.io/v1beta1 — built-in in-tree API (KEP-4192), promoted to beta in K8s 1.35 = OCP 4.22. Requires the StorageVersionMigrator feature gate.

We're using migration.k8s.io/v1alpha1 because we vendor library-go's KubeStorageVersionMigrator, which handles CR creation, stale detection, annotation tracking, status monitoring, and pruning (~130 lines of production-tested code).

Switching to storagemigration.k8s.io/v1beta1 would mean either waiting for library-go to migrate (no signs of that happening) or reimplementing KubeStorageVersionMigrator from scratch against the new API. Is that something we want to take on, or is using the existing library-go implementation with migration.k8s.io/v1alpha1 acceptable for now?

[csrwng]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csrwng

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• enhancements/hypershift/OWNERS [csrwng]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@muraee: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.