Add opt-in decryption fallback #42

Merged
louisgls merged 1 commit into main from fix/decryption-fallback
Apr 23, 2026

@louisgls
Collaborator

Summary

  • add an opt-in S3PROXY_DECRYPTION_FALLBACK path for GET object decryption
  • retry only DEK unwrap/decryption metadata path after the primary KEK fails; payload decryption still happens once on the successful path
  • expose generic Helm extraEnv instead of a dedicated fallback chart value
  • add configurable Deployment strategy (RollingUpdate by default, supports Recreate)
  • document the new Helm values and add regression coverage

Usage

extraEnv:
  - name: S3PROXY_DECRYPTION_FALLBACK
    value: "true"

deploymentStrategy:
  type: Recreate

Validation

  • go test ./...
  • golangci-lint run
  • CGO_ENABLED=0 GOOS=linux go build -o /tmp/s3proxy-decryption-fallback ./s3proxy/cmd
  • helm template test charts/s3proxy
  • helm template test charts/s3proxy --set deploymentStrategy.type=Recreate --set-string extraEnv[0].name=S3PROXY_DECRYPTION_FALLBACK --set-string extraEnv[0].value=true

@louisgls louisgls merged commit e017346 into main Apr 23, 2026
2 checks passed
@louisgls louisgls deleted the fix/decryption-fallback branch April 23, 2026 09:09
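
An added Go example of the behaviour the summary describes (not code from this pull request): the DEK unwrap is retried against fallback keys only when the primary KEK fails and the opt-in flag is set, and the payload is decrypted once. Assumptions: AES-256-GCM for both the DEK wrap and the payload, the fallback modelled as a list of alternate KEKs (the summary does not say what the fallback consults), and the hypothetical names `seal`, `open` and `decryptObject`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const nonceLen = 12 // standard AES-GCM nonce size
// seal builds sample ciphertexts: nonce || AES-GCM(key, pt). Hypothetical helper.
func seal(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	nonce := make([]byte, nonceLen)
	if _, rerr := rand.Read(nonce); err != nil || rerr != nil {
		panic("seal: bad key length or no entropy")
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm.Seal(nonce, nonce, pt, nil)
}

// open authenticates and decrypts a nonce-prefixed blob. Hypothetical helper.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(blob) < nonceLen {
		return nil, fmt.Errorf("open: key length %d or blob length %d invalid", len(key), len(blob))
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// decryptObject unwraps the DEK with the primary KEK, retries only the unwrap
// against fallbacks when enabled, and reports whether a fallback key was used.
func decryptObject(wrapped, payload, primary []byte, fallbacks [][]byte, enabled bool) (pt []byte, used bool, err error) {
	dek, err := open(primary, wrapped)
	for i := 0; err != nil && enabled && i < len(fallbacks); i++ {
		dek, err = open(fallbacks[i], wrapped) // still authenticated by GCM
		used = err == nil
	}
	if err != nil {
		return nil, false, fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err = open(dek, payload) // payload is decrypted exactly once
	return pt, used, err
}

func main() {
	old, cur, dek := []byte("constructed-32-byte-retired-kek!"), []byte("constructed-32-byte-primary-kek!"), []byte("constructed-32-byte-object-dek!!")
	pt, used, err := decryptObject(seal(old, dek), seal(dek, []byte("hello")), cur, [][]byte{old}, true)
	fmt.Println(string(pt), used, err) // constructed keys and object, built offline
}
```

Under these assumptions, the `used` result is the value to log or count: each fallback hit identifies an object whose DEK is still wrapped under a non-primary key.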