Documentation ¶
Index ¶
Constants ¶
const (
	KubernetesDescriptionKey        = "kubernetes.io/description"
	KubernetesDescriptionScaryValue = `` /* 156-byte string literal not displayed */
)
These annotations carry a warning intended to deter anyone from editing the encryption secrets by hand; they do not prevent such edits. It is trivial for an external actor who edits these secrets to break the invariants of the state machine and render the cluster unrecoverable.
Variables ¶
This section is empty.
Functions ¶
func EqualKeyAndEqualID ¶
func MigratedFor ¶
func MigratedFor(grs []schema.GroupResource, km KeyState) (ok bool, missing []schema.GroupResource, reason string)
MigratedFor returns whether all given resources are marked as migrated in the given key. It returns missing GRs and a reason if that's not the case.
func NameToKeyID ¶
Types ¶
type GroupResourceState ¶
type GroupResourceState struct {
	// the write key of the group resource.
	WriteKey KeyState
	// all read keys of the group resource. Potentially includes the write key.
	ReadKeys []KeyState
}
GroupResourceState represents, for a single group resource, the write and read keys in a format that can be directly translated to and from the on disk EncryptionConfiguration object.
func (GroupResourceState) HasWriteKey ¶
func (k GroupResourceState) HasWriteKey() bool
type KeyState ¶
type KeyState struct {
	Key  apiserverconfigv1.Key
	Mode Mode

	// describes whether it is backed by a secret.
	Backed bool

	Migrated MigrationState

	// some controller logic caused this secret to be created by the key controller.
	InternalReason string
	// the user via unsupportConfigOverrides.encryption.reason triggered this key.
	ExternalReason string
}
func KeysWithPotentiallyPersistedDataAndNextReadKey ¶
func KeysWithPotentiallyPersistedDataAndNextReadKey(grs []schema.GroupResource, recentFirstSortedKeys []KeyState) []KeyState
KeysWithPotentiallyPersistedDataAndNextReadKey returns the minimal, recent secrets which have migrated all given GRs.
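The two doc comments above (MigratedFor and KeysWithPotentiallyPersistedDataAndNextReadKey) describe the check that decides which keys may still guard data at rest. The program below is an added example, not code from the package documented here: it re-implements both functions from the doc comments and the MigrationState/KeyState definitions on this page. It assumes a local GroupResource stand-in for schema.GroupResource, a KeyState reduced to a Name plus its MigrationState (no apiserverconfigv1.Key, since no key material is touched), and it interprets "and next read key" as keeping one key older than the first fully migrated key as a read key. The sample key set is constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// GroupResource stands in for k8s.io/apimachinery/pkg/runtime/schema.GroupResource
// so the example runs without the Kubernetes module (assumption for this example).
type GroupResource struct {
	Group    string
	Resource string
}

func (gr GroupResource) String() string {
	if gr.Group == "" {
		return gr.Resource
	}
	return gr.Resource + "." + gr.Group
}

// MigrationState mirrors the page's MigrationState.
type MigrationState struct {
	Timestamp time.Time
	Resources []GroupResource
}

// KeyState is a reduced copy of the page's KeyState: the apiserverconfigv1.Key
// is replaced by a plain Name because this example never touches key material.
type KeyState struct {
	Name     string
	Migrated MigrationState
}

// MigratedFor reports whether every GR appears in the key's migration record.
// When it does not, the missing GRs and a human-readable reason are returned.
func MigratedFor(grs []GroupResource, km KeyState) (ok bool, missing []GroupResource, reason string) {
	migrated := make(map[GroupResource]struct{}, len(km.Migrated.Resources))
	for _, gr := range km.Migrated.Resources {
		migrated[gr] = struct{}{}
	}
	for _, gr := range grs {
		if _, found := migrated[gr]; !found {
			missing = append(missing, gr)
		}
	}
	if len(missing) == 0 {
		return true, nil, ""
	}
	names := make([]string, 0, len(missing))
	for _, gr := range missing {
		names = append(names, gr.String())
	}
	return false, missing, fmt.Sprintf("key %q has not migrated %s", km.Name, strings.Join(names, ", "))
}

// KeysWithPotentiallyPersistedDataAndNextReadKey keeps the recent-first keys up to and
// including the first key that has migrated all GRs, plus the next older key as a read key.
// Once a key has migrated everything, no stored object should still be encrypted with an
// older key, so the rest can be retired. (This prefix rule and the one-extra-read-key
// margin are my reading of the doc comment, not the package's source.)
func KeysWithPotentiallyPersistedDataAndNextReadKey(grs []GroupResource, recentFirstSortedKeys []KeyState) []KeyState {
	for i, k := range recentFirstSortedKeys {
		if ok, _, _ := MigratedFor(grs, k); ok {
			end := i + 2 // one past the fully migrated key: the "next read key"
			if end > len(recentFirstSortedKeys) {
				end = len(recentFirstSortedKeys)
			}
			return recentFirstSortedKeys[:end]
		}
	}
	// No key covers everything, so every key may still guard persisted data.
	return recentFirstSortedKeys
}

// Constructed sample state: secrets and configmaps in the core group, four keys newest first.
var coreGRs = []GroupResource{{Resource: "secrets"}, {Resource: "configmaps"}}

func sampleKeys() []KeyState {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	all := []GroupResource{{Resource: "secrets"}, {Resource: "configmaps"}}
	return []KeyState{
		{Name: "key-4", Migrated: MigrationState{Timestamp: t0.Add(72 * time.Hour), Resources: []GroupResource{{Resource: "secrets"}}}}, // rotation in progress
		{Name: "key-3", Migrated: MigrationState{Timestamp: t0.Add(48 * time.Hour), Resources: all}},
		{Name: "key-2", Migrated: MigrationState{Timestamp: t0.Add(24 * time.Hour), Resources: all}},
		{Name: "key-1", Migrated: MigrationState{Timestamp: t0}}, // never finished a migration
	}
}

// keyNames lets callers compare results by key name.
func keyNames(keys []KeyState) []string {
	out := make([]string, 0, len(keys))
	for _, k := range keys {
		out = append(out, k.Name)
	}
	return out
}

func main() {
	keys := sampleKeys()
	ok, _, reason := MigratedFor(coreGRs, keys[0])
	fmt.Println(ok, reason)
	fmt.Println(keyNames(KeysWithPotentiallyPersistedDataAndNextReadKey(coreGRs, keys)))
}
```

With the sample state, key-4 is still mid-rotation (only secrets migrated), so MigratedFor rejects it with the reason naming configmaps; key-3 is the first key that covers both GRs, so the retained set is key-4, key-3 and key-2, while key-1 is retired. The reason string is what an operator would surface in a condition, which is why it names the key and the missing resources rather than just returning false.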
func SortRecentFirst ¶
type MigrationState ¶
type MigrationState struct {
	// the timestamp of the last migration
	Timestamp time.Time
	// the resources that were migrated at some point in time to this key.
	Resources []schema.GroupResource
}
type Mode ¶
type Mode string
Mode is the value associated with the encryptionSecretMode annotation.
const (
	AESCBC    Mode = "aescbc"    // available from the first release, see defaultMode below
	SecretBox Mode = "secretbox" // available from the first release, see defaultMode below
	Identity  Mode = "identity"  // available from the first release, see defaultMode below

	// Changing this value requires caution to not break downgrades.
	// Specifically, if some new Mode is released in version X, that new Mode cannot
	// be used as the defaultMode until version X+1. Thus on a downgrade the operator
	// from version X will still be able to honor the observed encryption state
	// (and it will do a key rotation to force the use of the old defaultMode).
	DefaultMode = Identity // we default to encryption being disabled for now
)
The current set of modes that are supported along with the default Mode that is used. These values are encoded into the secret and thus must not be changed. Strings are used over iota because they are easier for a human to understand.