engineccl: Fix data key generation for v2 encryption #121111
Conversation
bdarnell
requested review from
srosenberg,
DarrylWong and
jbowens
and removed request for
a team
|
This change is |
There was a problem hiding this comment.
Reviewable status:
complete! 1 of 0 LGTMs obtained (waiting on @bdarnell, @DarrylWong, @jbowens, and @srosenberg)
pkg/cmd/roachtest/tests/encryption.go line 38 at r1 (raw file):
httpClient := roachtestutil.DefaultHTTPClient(c, t.L()) // Starting with two copies of "plain" lets us avoid special-casing the first key in our rotation test.
I don't get this.. Looks like the first loop iteration is doing a plain to plain rotation.. do we want that?
pkg/cmd/roachtest/tests/encryption.go line 40 at r1 (raw file):
// Starting with two copies of "plain" lets us avoid special-casing the first key in our rotation test. keys := []string{"plain", "plain"} // Rotate through multiple keys with different key sizes and both implementation versions.
[nit] Comments usually wrap at 80
pkg/ccl/storageccl/engineccl/testdata/data_key_manager line 254 at r1 (raw file):
get-active-data-key ---- encryption_type:AES_128_CTR_V2 creation_time:26 source:"data key manager" parent_key_id:"v2key"
[nit] missing \n
bdarnell
force-pushed
the
encryption-roachtest
branch
2 times, most recently
from
4f6b3f1
to
2e891d9
Compare
There was a problem hiding this comment.
I had trouble getting the test to work in remote roachtests (before I sent the PR I had only tested it locally), so I snuck in an additional feature to address part of #110123: Now you can specify path=* instead of matching the exact path from the store flag.
Reviewable status:
pkg/cmd/roachtest/tests/encryption.go line 38 at r1 (raw file):
Previously, RaduBerinde wrote…
I don't get this.. Looks like the first loop iteration is doing a
plaintoplainrotation.. do we want that?
Updated comments to explain what's going on: we have to specify pairs of keys so to have the current key be "plain" we need to specify the previous key as "plain" too. Or we could make the addition of the --enterprise-encryption key conditional on the loop index (skip it on the first start) but this way felt simpler.
pkg/cmd/roachtest/tests/encryption.go line 40 at r1 (raw file):
Previously, RaduBerinde wrote…
[nit] Comments usually wrap at 80
Rewrapped everything.
pkg/ccl/storageccl/engineccl/testdata/data_key_manager line 254 at r1 (raw file):
Previously, RaduBerinde wrote…
[nit] missing
\n
Fixed.
There was a problem hiding this comment.
Just looked at the new commit to address part of #110123 and it lgtm
Reviewed 2 of 8 files at r2, 1 of 5 files at r3, 1 of 1 files at r4.
Reviewable status:
-- commits line 15 at r4:
looks like some of the template survived
Matching the path between --store and --enterprise-encryption is difficult in roachtests, and may be difficult in other orchestration frameworks as well. Customizing keys on a per-store basis is rarely necessary so a wildcard can sidestep this difficulty. Updates cockroachdb#110123 Release note (cli change): The `--enterprise-encryption` flag now accepts the special value `path=*` to apply the specified keys to all stores.
Prior tests of v2 encryption were too low-level and did not cover the data key generation. The new roachtest provides end-to-end coverage. This fixes a bug in not-yet-released functionality Epic: none Release note: none
The key format is changing so defer to "gen encryption-key" instead of details of the v1 key format. Epic: none Release note: None
bdarnell
force-pushed
the
encryption-roachtest
branch
from
094c0ab
to
6086f5f
Compare
There was a problem hiding this comment.
Reviewable status:
Previously, jbowens (Jackson Owens) wrote…
looks like some of the template survived
Derp, I wish that part of the template started with # like the rest.
|
bors r=RaduBerinde,jbowens |
Prior tests of v2 encryption were too low-level and did not cover the data key generation. The new roachtest provides end-to-end coverage.
This fixes a bug in not-yet-released functionality
Epic: none
Release note: none