@@ -71,6 +71,9 @@ const (
7171 AnnotationAuthTokenSecretName = "ydb.tech/auth-token-secret-name"
7272 AnnotationAuthTokenSecretKey = "ydb.tech/auth-token-secret-key"
7373
74+ // Preserve original key id when `.spec.StorageClusterRef` name changes
75+ EncryptionKeyStorageNameAnnotation = "ydb.tech/encryption-key-storage-name"
76+
7477 AnnotationValueTrue = "true"
7578
7679 legacyTenantNameFormat = "/%s/%s"
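Review bot: The new constant at new line 75 is named `EncryptionKeyStorageNameAnnotation`, while the neighbouring annotation constants in this block use the `Annotation…` prefix (`AnnotationAuthTokenSecretName`, `AnnotationAuthTokenSecretKey`); `AnnotationEncryptionKeyStorageName` would keep the block consistent. The comment above it should also state what the annotation value is used for, e.g. `// AnnotationEncryptionKeyStorageName overrides the storage name that is hashed into the database encryption key ID, so the ID stays stable when .spec.storageClusterRef.name changes.` The const block starts and ends outside this hunk.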
@@ -138,6 +138,14 @@ func (b *DatabaseBuilder) GetResourceBuilders(restConfig *rest.Config) []Resourc
138138 )
139139 }
140140
141+ // This allows to specify old Storage value when changing StorageClusterRef.
142+ // therefore, encryption key ID will stay the same and no re-encryption needed
143+ // for databases.
144+ storageNameForKeyID := b .Spec .StorageClusterRef .Name
145+ if override , ok := b .Annotations [api .EncryptionKeyStorageNameAnnotation ]; ok {
146+ storageNameForKeyID = override
147+ }
148+
141149 keyConfig := schema.KeyConfig {
142150 Keys : []schema.Key {
143151 {
@@ -146,7 +154,7 @@ func (b *DatabaseBuilder) GetResourceBuilders(restConfig *rest.Config) []Resourc
146154 api .DatabaseEncryptionKeySecretDir ,
147155 api .DatabaseEncryptionKeySecretFile ,
148156 ),
149- ID : SHAChecksum (b . Spec . StorageClusterRef . Name ),
157+ ID : SHAChecksum (storageNameForKeyID ),
150158 Pin : b .Spec .Encryption .Pin ,
151159 Version : 1 ,
152160 },
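Review bot: The override at new lines 145–147 is applied whenever the annotation key is present, so an empty `ydb.tech/encryption-key-storage-name` value is passed to `SHAChecksum` and silently changes the key ID instead of falling back to `b.Spec.StorageClusterRef.Name`. Guard on the value as well: `if override, ok := b.Annotations[api.EncryptionKeyStorageNameAnnotation]; ok && override != "" {`. Because the annotation now feeds the encryption key ID at new line 157, a metadata edit alone can change that ID. It would help to log or emit an event when the override is in effect, and to reject malformed values at admission if the operator has a validating webhook (not visible here). `GetResourceBuilders` starts and ends outside these hunks.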