Remove GetLatestKeyVersion()

Signed-off-by: Zhecheng Li <zhechengli@microsoft.com>

pkg/plugin/keyvault.go

@@ -39,7 +39,6 @@ const (
 	versionAnnotationKey          = "version.azure.akv.io"
 	algorithmAnnotationKey        = "algorithm.azure.akv.io"
 	keyVersionAnnotationKey       = "keyversion.azure.akv.io"
-	keyIDHashAnnotationKey        = "keyidhash.azure.akv.io"
 	dateAnnotationValue           = "Date"
 	requestIDAnnotationValue      = "X-Ms-Request-Id"
 	keyvaultRegionAnnotationValue = "X-Ms-Keyvault-Region"
@@ -155,22 +154,6 @@ func NewKeyVaultClient(
 	return client, nil
 }
 
-func (kvc *KeyVaultClient) GetLatestKeyVersion(ctx context.Context) (string, error) {
-	keyBundle, err := kvc.baseClient.GetKey(ctx, kvc.vaultURL, kvc.keyName, "")
-	if err != nil {
-		return "", fmt.Errorf("failed to get key, error: %+v", err)
-	}
-	if keyBundle.Key == nil || keyBundle.Key.Kid == nil {
-		return "", fmt.Errorf("failed to get latest key version, key bundle is empty for keyvault %q, key %q", kvc.vaultName, kvc.keyName)
-	}
-	kidSplitted := strings.Split(*keyBundle.Key.Kid, "/")
-	if len(kidSplitted) == 0 {
-		return "", fmt.Errorf("failed to get latest key version, key id is invalid %q", *keyBundle.Key.Kid)
-	}
-	latestKeyVersion := kidSplitted[len(kidSplitted)-1]
-	return latestKeyVersion, nil
-}
-
 // Encrypt encrypts the given plain text using the keyvault key.
 func (kvc *KeyVaultClient) Encrypt(
 	ctx context.Context,
@@ -185,29 +168,31 @@ func (kvc *KeyVaultClient) Encrypt(
 	}
 
 	keyVersion := kvc.keyVersion
-	keyIDHash := kvc.keyIDHash
 	if kvc.keyVersionlessEnabled {
-		var err error
-		if keyVersion, err = kvc.GetLatestKeyVersion(ctx); err != nil {
-			return nil, fmt.Errorf("failed to get latest key version, error: %+v", err)
-		}
-
-		if keyIDHash, err = getKeyIDHash(kvc.vaultURL, kvc.keyName, keyVersion); err != nil {
-			return nil, fmt.Errorf("failed to get key id hash, error: %w", err)
-		}
+		keyVersion = ""
 	}
 
 	result, err := kvc.baseClient.Encrypt(ctx, kvc.vaultURL, kvc.keyName, keyVersion, params)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt, error: %+v", err)
 	}
 
-	if keyIDHash != fmt.Sprintf("%x", sha256.Sum256([]byte(*result.Kid))) {
-		return nil, fmt.Errorf(
-			"key id initialized does not match with the key id from encryption result, expected: %s, got: %s",
-			keyIDHash,
-			*result.Kid,
-		)
+	keyIDHash := ""
+	if kvc.keyVersionlessEnabled {
+		if result.Kid == nil {
+			return nil, fmt.Errorf("key id is nil in encryption result")
+		}
+		kidSplitted := strings.Split(*result.Kid, "/")
+		keyVersion = kidSplitted[len(kidSplitted)-1]
+	} else {
+		keyIDHash = kvc.keyIDHash
+		if keyIDHash != fmt.Sprintf("%x", sha256.Sum256([]byte(*result.Kid))) {
+			return nil, fmt.Errorf(
+				"key id initialized does not match with the key id from encryption result, expected: %s, got: %s",
+				keyIDHash,
+				*result.Kid,
+			)
+		}
 	}
 
 	annotations := map[string][]byte{
@@ -217,7 +202,6 @@ func (kvc *KeyVaultClient) Encrypt(
 		versionAnnotationKey:        []byte(encryptionResponseVersion),
 		algorithmAnnotationKey:      []byte(encryptionAlgorithm),
 		keyVersionAnnotationKey:     []byte(keyVersion),
-		keyIDHashAnnotationKey:      []byte(keyIDHash),
 	}
 
 	mlog.Info("Encryption succeeded", "vaultName", kvc.vaultName, "keyName", kvc.keyName, "keyVersion", keyVersion)
@@ -289,16 +273,14 @@ func (kvc *KeyVaultClient) validateAnnotations(
 		return fmt.Errorf("invalid annotations, annotations cannot be empty")
 	}
 
-	expectedKeyIDHash := kvc.keyIDHash
-	if len(annotations[keyIDHashAnnotationKey]) != 0 {
-		expectedKeyIDHash = string(annotations[keyIDHashAnnotationKey])
-	}
-	if keyID != expectedKeyIDHash {
-		return fmt.Errorf(
-			"key id %s does not match expected key id %s used for encryption",
-			keyID,
-			expectedKeyIDHash,
-		)
+	if len(annotations[keyVersionAnnotationKey]) == 0 {
+		if keyID != kvc.keyIDHash {
+			return fmt.Errorf(
+				"key id %s does not match expected key id %s used for encryption",
+				keyID,
+				kvc.keyIDHash,
+			)
+		}
 	}
 
 	algorithm := string(annotations[algorithmAnnotationKey])