[KMSv2] Use status key ID to determine staleness of encrypted data

[enj]

Today you need multiple encryption providers to communicate to the API server if data stored in etcd is stale (i.e. the KMS v1beta1 API has no way to communicate staleness). The KMS v2 API includes a key ID in the status API to allow for such a check to be performed. We need to wire the knowledge of the current key ID into the envelope encryption code.

xref: #111126 (comment)

/assign
/milestone v1.26
/sig auth
/triage accepted

[cailynse]

Hi @enj! Release Bug Triage Shadow here - I just wanted to see if this is still on track for the 1.26 release? It looks like you have made lots of progress!

[enj]

@cailynse yup I am hoping to have this sorted before KubeCon :)

[cailynse]

Hey! @enj - checking in again to see if there are any updates

[enj]

@cailynse I am going to push this out to next release because the associated refactors took a long time to merge and some are still in-flight for v1.26.

/milestone v1.27

[k8s-ci-robot]

@enj: The provided milestone is not valid for this repository. Milestones in this repository: [next-candidate, v1.16, v1.17, v1.18, v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26]

Use /milestone clear to clear the milestone.

In response to this:

@cailynse I am going to push this out to next release because the associated refactors took a long time to merge and some are still in-flight for v1.26.

/milestone v1.27

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[enj]

/assign @ritazh
/unassign @enj