Load encryption config once #112685
/cc
04637d4 to 986f4c9
986f4c9 to 412a923
I feel like this needs an integration test, but I am unsure how to write one for it.
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project.
412a923 to 743d4e8
/triage accepted
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: enj
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
I took a stab at this in 76a24ece25de418756dad9258eb187f4a169aa7c
de77113 to 76a24ec
This change updates the API server code to load the encryption config once at start up instead of multiple times. Previously the code would set up the storage transformers and the etcd healthz checks in separate parse steps. This is problematic for KMS v2 key ID based staleness checks which need to be able to assert that the API server has a single view into the KMS plugin's current key ID.
Signed-off-by: Monis Khan <mok@microsoft.com>
76a24ec to cf58cb1
@liggitt I came up with a different approach that might be preferred, see #112789 diff from this PR.
Closing this in favor of #112789
This change updates the API server code to load the encryption
config once at start up instead of multiple times. Previously the
code would set up the storage transformers and the etcd healthz
checks in separate parse steps. This is problematic for KMS v2 key
ID based staleness checks which need to be able to assert that the
API server has a single view into the KMS plugin's current key ID.
Signed-off-by: Monis Khan <mok@microsoft.com>
/kind feature
xref #111922 #112486
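The problem the description names, as an added example that is not code from this PR or from Kubernetes: a simplified model in which each load of the encryption config yields its own cached view of the KMS plugin's key ID. All names (`plugin`, `view`, `loadOnce`, `loadTwice`, `staleAfterRotation`) are hypothetical, and the model assumes the health check is what refreshes the cached key ID.

```go
package main

import "fmt"

// plugin stands in for a KMS v2 plugin that reports its current key ID.
type plugin struct{ keyID string }

// view is the state produced by one load of the encryption config:
// a handle to the plugin plus the key ID last observed from it.
type view struct {
	p     *plugin
	keyID string
}

func load(p *plugin) *view { return &view{p: p, keyID: p.keyID} }

// probe models the health check polling the plugin (assumption: this is
// where the cached key ID gets refreshed).
func (v *view) probe() { v.keyID = v.p.keyID }

// stale models the staleness check: data written under a key ID other
// than the one this view believes is current needs re-encryption.
func (v *view) stale(writtenWith string) bool { return writtenWith != v.keyID }

// server holds the view used by the storage transformers and the view
// used by the etcd healthz checks.
type server struct{ transformer, healthz *view }

// loadTwice parses the config in separate steps: two independent views.
func loadTwice(p *plugin) server { return server{load(p), load(p)} }

// loadOnce parses the config a single time and shares the result.
func loadOnce(p *plugin) server { v := load(p); return server{v, v} }

// staleAfterRotation rotates the plugin key, runs one health probe, then
// asks the transformer side whether data written under the old key is stale.
func staleAfterRotation(build func(*plugin) server) bool {
	p := &plugin{keyID: "key-1"} // constructed sample key IDs
	s := build(p)
	p.keyID = "key-2"
	s.healthz.probe()
	return s.transformer.stale("key-1")
}

func main() {
	fmt.Println("separate parse steps:", staleAfterRotation(loadTwice))
	fmt.Println("single load:", staleAfterRotation(loadOnce))
}
```

With two loads the transformer side never sees the rotation and reports old data as current; with one shared load the same probe updates the view the staleness check reads.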