Skip to content

fix: persist local kms keys and fence pod deletes#172

Merged
GatewayJ merged 2 commits into
rustfs:mainfrom
GatewayJ:feat/local-kms-pod-fencing
Jul 10, 2026
Merged

fix: persist local kms keys and fence pod deletes#172
GatewayJ merged 2 commits into
rustfs:mainfrom
GatewayJ:feat/local-kms-pod-fencing

Conversation

@GatewayJ

Copy link
Copy Markdown
Member

Type of Change

  • New Feature
  • Bug Fix
  • Documentation
  • Performance Improvement
  • Test/CI
  • Refactor
  • Other:

Related Issues

  • rustfs/backlog#1072
  • rustfs/backlog#1075

Summary of Changes

  • Persist Local KMS key files under the RustFS data PVC by default (/data/rustfs0/.kms-keys) and block unsafe legacy /data/kms-keys migration until key files and .master-key.salt are copied.
  • Add typed Local KMS master key configuration via spec.encryption.local.masterKeySecretRef, plus explicit development-only allowInsecureDevDefaults, matching the RustFS server RUSTFS_KMS_* startup contract.
  • Reject raw RUSTFS_KMS_* tenant env overrides so KMS is validated and rendered by the operator.
  • Require fencing before all force-delete pod cleanup policies and require a verified Tenant owner chain for every pod deletion.
  • Update CRDs, docs, and Console encryption UI/API for the Local KMS and pod cleanup contracts.

Checklist

  • I have read and followed the CONTRIBUTING.md guidelines
  • Passed make pre-commit (fmt-check + clippy + test + console-lint + console-fmt-check)
  • Added/updated necessary tests
  • Documentation updated (if needed)
  • CHANGELOG.md updated under [Unreleased] (if user-visible change)
  • CI/CD passed (if applicable)

Impact

  • Breaking change (CRD/API compatibility)
  • Requires doc/config/deployment update
  • Other impact:

Local KMS users must configure spec.encryption.local.masterKeySecretRef unless they explicitly opt into development-only insecure defaults. Existing tenants using the legacy implicit /data/kms-keys path must copy key files and .master-key.salt to the PVC-backed key directory and keep the same local master key before rollout.

Verification

make pre-commit

Additional Notes

rustfs/backlog#1075 is currently tracked as Medium severity. This PR treats Ready=Unknown as down but unfenced. Force deletion only proceeds after node deletion or an effective out-of-service taint that the target Pod does not tolerate, and only for Pods with a verified Tenant owner chain.

@GatewayJ GatewayJ force-pushed the feat/local-kms-pod-fencing branch from e50fc57 to de9af2f Compare July 10, 2026 15:14
@GatewayJ GatewayJ marked this pull request as ready for review July 10, 2026 15:16
@GatewayJ

Copy link
Copy Markdown
Member Author

@codex

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: de9af2f925

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/reconcile.rs
Comment on lines +461 to +464
let replicasets_api: kube::Api<appsv1::ReplicaSet> =
kube::Api::namespaced(ctx.client.clone(), namespace);
let deployments_api: kube::Api<appsv1::Deployment> =
kube::Api::namespaced(ctx.client.clone(), namespace);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Grant RBAC for Deployment owner lookups

When the cleanup path sees a ReplicaSet-owned pod (for DeleteDeploymentPod/DeleteBothStatefulSetAndDeploymentPod, or legacy delete policies on a labeled Deployment pod), these new replicasets_api/deployments_api lookups require apps/replicasets and apps/deployments get permission. I checked deploy/rustfs-operator/templates/clusterrole.yaml and deploy/k8s-dev/operator-rbac.yaml; both still grant only apps/statefulsets, so installed operators will get a 403 here and abort reconciliation before deleting the stuck pod. Add the matching RBAC resources alongside the new lookups.

Useful? React with 👍 / 👎.

@GatewayJ GatewayJ added this pull request to the merge queue Jul 10, 2026
Merged via the queue into rustfs:main with commit ca7d367 Jul 10, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant