DGS-21595 Allow alternate KMS key IDs on a KEK #2018
Merged: 1 commit merged from multiple-kek into master on Aug 19, 2025

Conversation

@rayokota (Member) commented Aug 8, 2025

What

Checklist

  • Contains customer facing changes? Including API/behavior changes
  • Did you add sufficient unit test and/or integration test coverage for this PR?
    • If not, please explain why it is not required

References

JIRA:

Test & Review

Open questions / Follow-ups

@Copilot Copilot AI review requested due to automatic review settings August 8, 2025 23:19
@rayokota rayokota requested review from MSeal and a team as code owners August 8, 2025 23:19
@confluent-cla-assistant commented

🎉 All Contributor License Agreements have been signed. Ready to merge.
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.

@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds support for alternate KMS key IDs on Key Encryption Keys (KEK) to provide fallback encryption/decryption capabilities. The implementation allows specifying multiple KMS key IDs that will be tried in sequence during encryption and decryption operations.

  • Introduces a new AeadWrapper class that handles multiple KMS key IDs with fallback logic
  • Adds configuration support for alternate KMS key IDs via encrypt.alternate.kms.key.ids
  • Implements retry logic that attempts encryption/decryption with each available key ID

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

  • src/confluent_kafka/schema_registry/rules/encryption/encrypt_executor.py: Implements the core functionality with AeadWrapper class and alternate KMS key ID support
  • tests/schema_registry/_sync/test_avro_serdes.py: Adds synchronous test case for alternate KEK functionality
  • tests/schema_registry/_async/test_avro_serdes.py: Adds asynchronous test case for alternate KEK functionality
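The fallback behaviour the review summary describes, as an added example that is not code from confluent-kafka-python: FakeKmsKey, KmsUnavailable and KekFallback are constructed stand-ins for the real KMS client and AeadWrapper, and the XOR "wrap" is a toy, not a cipher. It also shows the point worth checking in such a wrapper: unwrap must try every configured key, because a DEK wrapped under an alternate key during a primary outage still has to decrypt once the primary is back.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Callable

class KmsUnavailable(Exception):
    """Stand-in KMS error: key disabled, unreachable, or wrong key for this blob."""

@dataclass
class FakeKmsKey:
    """Constructed stand-in for one KMS key; the XOR 'wrap' is a toy, not a cipher."""
    key_id: str
    secret: bytes
    available: bool = True  # set False to simulate an outage or a disabled key

    def _xor(self, data: bytes) -> bytes:
        return bytes(b ^ s for b, s in zip(data, cycle(self.secret)))

    def wrap(self, dek: bytes) -> bytes:
        if not self.available:
            raise KmsUnavailable(f"{self.key_id}: unavailable")
        # Tag the blob with its key ID so unwrap under the wrong key fails, as a real KMS would.
        return self.key_id.encode() + b"|" + self._xor(dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        tag, _, body = wrapped.partition(b"|")
        if not self.available or tag != self.key_id.encode():
            raise KmsUnavailable(f"{self.key_id}: cannot unwrap this blob")
        return self._xor(body)

class KekFallback:
    """Try each KMS key ID in order (primary, then alternates); first success wins."""

    def __init__(self, keys: list[FakeKmsKey]):
        self.keys = keys

    def _first_success(self, op: Callable[[FakeKmsKey, bytes], bytes], data: bytes):
        errors = []
        for key in self.keys:
            try:
                return key.key_id, op(key, data)
            except KmsUnavailable as exc:
                errors.append(str(exc))  # keep every failure so the final error is diagnosable
        raise KmsUnavailable("all KMS key IDs failed: " + "; ".join(errors))

    def wrap(self, dek: bytes) -> tuple[str, bytes]:
        return self._first_success(FakeKmsKey.wrap, dek)

    def unwrap(self, wrapped: bytes) -> tuple[str, bytes]:
        return self._first_success(FakeKmsKey.unwrap, wrapped)
```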

@sonarqube-confluent commented

Failed

  • 65.50% Coverage on New Code (is less than 80.00%)

Analysis Details

14 Issues

  • Bug 0 Bugs
  • Vulnerability 0 Vulnerabilities
  • Code Smell 14 Code Smells

Coverage and Duplications

  • Coverage 65.50% Coverage (66.10% Estimated after merge)
  • Duplications No duplication information (5.40% Estimated after merge)

Project ID: confluent-kafka-python

@rayokota rayokota merged commit c15fdf8 into master Aug 19, 2025
2 of 3 checks passed
@rayokota rayokota deleted the multiple-kek branch August 19, 2025 18:20