docs: Clarify that encryption should not be in reconciler pipeline

UpgradeImpact ============= Operators should verify that encryption is not enabled in their reconciler pipelines; having it enabled there may harm data durability. For more information, see https://launchpad.net/bugs/1910804 Change-Id: I1a1d78ed91d940ef0b4eba186dcafd714b4fb808 Closes-Bug: #1910804
2021-01-21 11:53:09 -08:00 · 2021-01-21 11:53:09 -08:00 · 13c0980e71
commit 13c0980e71
parent 4ee05c5ddc
2 changed files with 9 additions and 2 deletions
--- a/doc/source/overview_encryption.rst
+++ b/doc/source/overview_encryption.rst
@ -781,8 +781,9 @@ encrypted.

 Encryption has no impact on the `container-reconciler` service. The
 `container-reconciler` uses an internal client to move objects between
-different policy rings. The destination object has the same URL as the source
-object and the object is moved without re-encryption.
+different policy rings. The reconciler's pipeline *MUST NOT* have encryption
+enabled. The destination object has the same URL as the source object and the
+object is moved without re-encryption.


 Considerations for developers
--- a/etc/container-reconciler.conf-sample
+++ b/etc/container-reconciler.conf-sample
@ -58,6 +58,12 @@
 # ionice_priority =

 [pipeline:main]
+# Note that the reconciler's pipeline is intentionally very sparse -- it is
+# only responsible for moving data from one policy to another and should not
+# perform any transformations beyond (potentially) changing erasure coding.
+# It notably MUST NOT include transformative middlewares (such as encryption),
+# redirection middlewares (such as symlink), or composing middlewares (such
+# as slo and dlo).
 pipeline = catch_errors proxy-logging cache proxy-server

 [app:proxy-server]