-
Notifications
You must be signed in to change notification settings - Fork 39.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Encryption config: correctly handle overlapping providers #82434
Encryption config: correctly handle overlapping providers #82434
Conversation
/priority important-soon |
/retest |
// but a failure in the first one should not prevent a later match from being attempted. | ||
// Thus we never short-circuit on a prefix match that results in an error. | ||
if err != nil { | ||
lastErr = err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we use the last err or the first err?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do not know if there a good way to say which error is the most useful. They are all equal in my mind because they match the required prefix.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also they are likely to all be the same, some variation on:
no matching key was found for the provided AES transformer
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also they are likely to all be the same, some variation on:
no matching key was found for the provided AES transformer
Hmm that may be too broad in the case of you accidentally changing the key but not its name. I can aggregate them all?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or summarize? If we have to live debug this it’s has gotten really real and we’re likely to be panicking
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
This change updates NewPrefixTransformers to not short-circuit on the first transformer that has a matching prefix. If the same type of encryption ProviderConfiguration is used more than once, they will share the same prefix. A failure in the first one should not prevent a later match from being attempted. Added TestCBCKeyRotationWithOverlappingProviders unit test to prevent regressions. Note that this test explicitly exercises this flow using an EncryptionConfiguration object as the structure of the resulting transformer is an important part of the check. Signed-off-by: Monis Khan <mkhan@redhat.com>
3bf06e7
to
4dc16f2
Compare
/lgtm For 1.17 and backport to 1.16/1.15 |
/cherrypick release-1.16 |
/cherrypick release-1.15 |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, smarterclayton The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
/cherrypick release-1.16 |
…stream-release-1.16 Automated cherry pick of #82434: Encryption config: correctly handle overlapping providers
This change updates NewPrefixTransformers to not short-circuit on
the first transformer that has a matching prefix. If the same type
of encryption ProviderConfiguration is used more than once, they
will share the same prefix. A failure in the first one should not
prevent a later match from being attempted.
Added TestCBCKeyRotationWithOverlappingProviders unit test to
prevent regressions. Note that this test explicitly exercises this
flow using an EncryptionConfiguration object as the structure of the
resulting transformer is an important part of the check.
Signed-off-by: Monis Khan mkhan@redhat.com
/kind bug