Skip to content

Scoped secret store: migration infrastructure for existing keys #4226

Open
Open
Scoped secret store: migration infrastructure for existing keys#4226
Labels
authenticationenhancementNew feature or requestgoPull requests that update go code
@amirejaz

Description

@amirejaz
amirejaz
opened on Mar 19, 2026

Summary

Phase 3 of the scoped secret store implementation (#4192).

Existing users may have registry tokens and workload auth secrets stored under bare keys (no __thv_ prefix). This phase adds crash-safe migration infrastructure to rename them into the correct scope on first run.

Work

  • MigrateSystemKeys(ctx, provider, migrations []KeyMigration) error in migration.go
  • Uses BulkDeleteSecrets (store-before-delete ordering) so a crash mid-migration does not leave secrets unreachable
  • Guarded by a config flag so migration only runs once
  • Unit tests covering full migration, partial failure, and idempotency

Dependencies

Depends on Phase 2. Must ship together with Phase 4 (wire callers) — shipping migration without updated callers, or updated callers without migration, would break existing users.

Metadata

Metadata

Assignees

No one assigned

    Labels

    authenticationenhancementNew feature or requestgoPull requests that update go code

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions