Do not encrypt deletion marker with CMK key

Signed-off-by: Alan Protasio <alanprot@gmail.com>

Author: alanprot

CHANGELOG.md

@@ -25,6 +25,7 @@
 * [CHANGE] Bucket Index: Add `series_max_size` and `chunk_max_size` to bucket index. #5489
 * [CHANGE] StoreGateway: Rename `cortex_bucket_store_chunk_pool_returned_bytes_total` and `cortex_bucket_store_chunk_pool_requested_bytes_total` to `cortex_bucket_store_chunk_pool_operation_bytes_total`. #5552
 * [CHANGE] Query Frontend/Querier: Make build info API disabled by default and add feature flag `api.build-info-enabled` to enable it. #5533
+* [CHANGE] Purger: Do no use S3 tenant kms key when uploading deletion marker. #5575 
 * [FEATURE] Store Gateway: Add `max_downloaded_bytes_per_request` to limit max bytes to download per store gateway request.
 * [FEATURE] Added 2 flags `-alertmanager.alertmanager-client.grpc-max-send-msg-size` and ` -alertmanager.alertmanager-client.grpc-max-recv-msg-size` to configure alert manager grpc client message size limits. #5338
 * [FEATURE] Query Frontend: Add `cortex_rejected_queries_total` metric for throttled queries. #5356

pkg/purger/tenant_deletion_api.go

@@ -52,7 +52,7 @@ func (api *TenantDeletionAPI) DeleteTenant(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	err = cortex_tsdb.WriteTenantDeletionMark(r.Context(), api.bucketClient, userID, api.cfgProvider, cortex_tsdb.NewTenantDeletionMark(time.Now()))
+	err = cortex_tsdb.WriteTenantDeletionMark(r.Context(), api.bucketClient, userID, cortex_tsdb.NewTenantDeletionMark(time.Now()))
 	if err != nil {
 		level.Error(api.logger).Log("msg", "failed to write tenant deletion mark", "user", userID, "err", err)
 

pkg/storage/tsdb/tenant_deletion_mark.go

@@ -11,7 +11,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/thanos-io/objstore"
 
-	"github.com/cortexproject/cortex/pkg/storage/bucket"
 	util_log "github.com/cortexproject/cortex/pkg/util/log"
 )
 
@@ -38,15 +37,15 @@ func TenantDeletionMarkExists(ctx context.Context, bkt objstore.BucketReader, us
 }
 
 // Uploads deletion mark to the tenant location in the bucket.
-func WriteTenantDeletionMark(ctx context.Context, bkt objstore.Bucket, userID string, cfgProvider bucket.TenantConfigProvider, mark *TenantDeletionMark) error {
-	bkt = bucket.NewUserBucketClient(userID, bkt, cfgProvider)
+func WriteTenantDeletionMark(ctx context.Context, bkt objstore.Bucket, userID string, mark *TenantDeletionMark) error {
+	markerFile := path.Join(userID, TenantDeletionMarkPath)
 
 	data, err := json.Marshal(mark)
 	if err != nil {
 		return errors.Wrap(err, "serialize tenant deletion mark")
 	}
 
-	return errors.Wrap(bkt.Upload(ctx, TenantDeletionMarkPath, bytes.NewReader(data)), "upload tenant deletion mark")
+	return errors.Wrap(bkt.Upload(ctx, markerFile, bytes.NewReader(data)), "upload tenant deletion mark")
 }
 
 // Returns tenant deletion mark for given user, if it exists. If it doesn't exist, returns nil mark, and no error.

pkg/storage/tsdb/tenant_deletion_mark_test.go

@@ -13,8 +13,9 @@ func TestTenantDeletionMarkExists(t *testing.T) {
 	const username = "user"
 
 	for name, tc := range map[string]struct {
-		objects map[string][]byte
-		exists  bool
+		objects      map[string][]byte
+		exists       bool
+		deletedUsers []string
 	}{
 		"empty": {
 			objects: nil,
@@ -35,6 +36,13 @@ func TestTenantDeletionMarkExists(t *testing.T) {
 			},
 			exists: true,
 		},
+		"mark exists - upload via WriteTenantDeletionMark": {
+			objects: map[string][]byte{
+				"user/01EQK4QKFHVSZYVJ908Y7HH9E0/meta.json": []byte("data"),
+			},
+			deletedUsers: []string{"user"},
+			exists:       true,
+		},
 	} {
 		t.Run(name, func(t *testing.T) {
 			bkt := objstore.NewInMemBucket()
@@ -43,6 +51,10 @@ func TestTenantDeletionMarkExists(t *testing.T) {
 				require.NoError(t, bkt.Upload(context.Background(), objName, bytes.NewReader(data)))
 			}
 
+			for _, user := range tc.deletedUsers {
+				require.NoError(t, WriteTenantDeletionMark(context.Background(), bkt, user, &TenantDeletionMark{}))
+			}
+
 			res, err := TenantDeletionMarkExists(context.Background(), bkt, username)
 			require.NoError(t, err)
 			require.Equal(t, tc.exists, res)