When adding a new CKM key/role, Atlas should validate that it can safely change the existing CKM key
When we create a new CKM key with a new role and update credentials at the project level, Atlas validates that the new role can read the new key. But it does not validate whether the new role can read the existing CKM key.
When Atlas starts re-encrypting an existing cluster, the first node goes down but can't be started because the new role can't read the old key. There is no way to restore/roll back this change other than raising a ticket with MongoDB support.
Suggestion: when we upgrade the credentials/role/KMS key in the UI, Atlas should validate that it can finish this change BEFORE applying changes to nodes.
2 votes
Sergey shared this idea
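A sketch of the pre-flight check this idea asks for, as an added example that is not part of the original post and not Atlas's own code: before any node is restarted, confirm that the new role can use both the existing key and the new key. It assumes AWS KMS and evaluates only the role's identity policy (no conditions, key policies or `NotAction`); the ARNs, the policies, the required-action list and the function names are all constructed for illustration.

```python
from fnmatch import fnmatchcase

# Assumed set of KMS actions the role needs on a key (constructed for this sketch).
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:Encrypt", "kms:DescribeKey")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise one Allow is needed."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # IAM action names are case-insensitive; resource ARNs are matched as written.
        action_hit = any(fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, p)
                           for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def preflight(new_role_policy, old_key_arn, new_key_arn):
    """Return the (key, action) pairs the new role lacks; an empty list means safe to roll."""
    return [(key, action)
            for key in (old_key_arn, new_key_arn)
            for action in REQUIRED_ACTIONS
            if not is_allowed(new_role_policy, action, key)]

# Constructed sample data: placeholder account ID and key IDs.
OLD_KEY = "arn:aws:kms:us-east-1:111122223333:key/OLD-KEY-PLACEHOLDER"
NEW_KEY = "arn:aws:kms:us-east-1:111122223333:key/NEW-KEY-PLACEHOLDER"

# The situation from the post: the new role is scoped to the new key only.
NEW_ONLY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": NEW_KEY},
]}
# A role that can still read the old key while data is re-encrypted.
BOTH_KEYS_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": [OLD_KEY, NEW_KEY]},
]}

if __name__ == "__main__":
    for name, policy in (("new-only", NEW_ONLY_POLICY), ("both-keys", BOTH_KEYS_POLICY)):
        gaps = preflight(policy, OLD_KEY, NEW_KEY)
        print(name, "BLOCK rotation" if gaps else "OK to proceed", gaps)
```

Until the platform performs such a check itself, the same gate can be run by the operator before submitting the credential change, using the real role policy and key identifiers.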