Documentation ¶
Constants ¶
const (
	// This label is used to find secrets that build up the final encryption config. The names of the
	// secrets are in format <shared prefix>-<unique monotonically increasing uint> (the uint is the keyID).
	// For example, openshift-kube-apiserver-encryption-3. Note that other than the -3 postfix, the name of
	// the secret is irrelevant since the label is used to find the secrets. Of course the key minting
	// controller cares about the entire name since it needs to know when it has already created a secret for a given
	// keyID, meaning it cannot just use a random prefix. As such the name must include the data that is contained
	// within the label. Thus the format used is <component>-encryption-<keyID>. This keeps everything distinct
	// and fully deterministic. The keys are ordered by keyID, where a smaller ID means an earlier key.
	// This means that the latest secret (the one with the largest keyID) is the current desired write key.
	EncryptionKeySecretsLabel = "encryption.apiserver.operator.openshift.io/component"

	// The time (in RFC3339 format) at which the migrated state observation occurred. The key minting
	// controller parses this field to determine if enough time has passed and a new key should be created.
	EncryptionSecretMigratedTimestamp = "encryption.apiserver.operator.openshift.io/migrated-timestamp"

	// The list of resources that were migrated when EncryptionSecretMigratedTimestamp was set.
	// See the MigratedGroupResources struct below to understand the JSON encoding used.
	EncryptionSecretMigratedResources = "encryption.apiserver.operator.openshift.io/migrated-resources"

	// In the data field of the secret API object, this (map) key is used to hold the actual encryption key
	// (i.e. for AES-CBC mode the value associated with this map key is 32 bytes of random noise).
	EncryptionSecretKeyDataKey = "encryption.apiserver.operator.openshift.io-key"

	// EncryptionSecretFinalizer is a finalizer attached to all secrets generated
	// by the encryption controllers. Its sole purpose is to prevent the accidental
	// deletion of secrets by enforcing a two-phase delete.
	EncryptionSecretFinalizer = "encryption.apiserver.operator.openshift.io/deletion-protection"
)
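The naming, ordering and annotation conventions described in the constant comments above, worked through as an added example (not code from library-go itself): it parses `<component>-encryption-<keyID>` names strictly, picks the largest keyID as the desired write key, checks that the key material under the data key is the 32 bytes AES-CBC mode requires, and decides from the RFC3339 migrated timestamp whether a rotation interval has elapsed. The component name, the sample secret names, the `rotationInterval` parameter and the assumption that the migrated timestamp lives in the secret's annotations are all this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Values mirrored from the package constants documented above.
const (
	EncryptionSecretMigratedTimestamp = "encryption.apiserver.operator.openshift.io/migrated-timestamp"
	EncryptionSecretKeyDataKey        = "encryption.apiserver.operator.openshift.io-key"
)

// aesCBCKeyLen is the 32-byte key length the package describes for AES-CBC mode.
const aesCBCKeyLen = 32

// KeyIDFromSecretName parses <component>-encryption-<keyID>. Only the canonical
// decimal form is accepted, so "-03" or "--3" are rejected rather than silently
// colliding with keyID 3; that keeps the name-to-keyID mapping deterministic.
func KeyIDFromSecretName(component, name string) (uint64, bool) {
	prefix := component + "-encryption-"
	if !strings.HasPrefix(name, prefix) {
		return 0, false
	}
	suffix := strings.TrimPrefix(name, prefix)
	id, err := strconv.ParseUint(suffix, 10, 64) // rejects signs and non-digits
	if err != nil || strconv.FormatUint(id, 10) != suffix {
		return 0, false
	}
	return id, true
}

// LatestWriteKey returns the secret with the largest keyID, which the package
// documents as the current desired write key. Names outside the scheme are ignored.
func LatestWriteKey(component string, names []string) (string, uint64, bool) {
	var best string
	var bestID uint64
	found := false
	for _, n := range names {
		id, ok := KeyIDFromSecretName(component, n)
		if !ok {
			continue
		}
		if !found || id > bestID {
			best, bestID, found = n, id, true
		}
	}
	return best, bestID, found
}

// ValidateAESCBCKey checks the raw key material stored under EncryptionSecretKeyDataKey
// in a secret's data map (the map is the caller's; no API client is involved here).
func ValidateAESCBCKey(data map[string][]byte) error {
	key, ok := data[EncryptionSecretKeyDataKey]
	if !ok {
		return fmt.Errorf("secret data lacks %q", EncryptionSecretKeyDataKey)
	}
	if len(key) != aesCBCKeyLen {
		return fmt.Errorf("AES-CBC key must be %d bytes, got %d", aesCBCKeyLen, len(key))
	}
	return nil
}

// RotationDue reports whether the migrated timestamp (assumed here to be an annotation
// on the key secret) is at least rotationInterval old at time now. A missing or
// malformed value is an error, never "due", so a bad annotation cannot trigger minting.
func RotationDue(annotations map[string]string, now time.Time, rotationInterval time.Duration) (bool, error) {
	raw, ok := annotations[EncryptionSecretMigratedTimestamp]
	if !ok || raw == "" {
		return false, errors.New("migrated state has not been observed yet")
	}
	migrated, err := time.Parse(time.RFC3339, raw)
	if err != nil {
		return false, fmt.Errorf("bad %s: %w", EncryptionSecretMigratedTimestamp, err)
	}
	return !now.Before(migrated.Add(rotationInterval)), nil
}

func main() {
	component := "openshift-kube-apiserver"
	// Constructed sample secret names; only the three matching the scheme count.
	names := []string{
		component + "-encryption-1",
		component + "-encryption-3",
		component + "-encryption-2",
		"unrelated-secret",
	}
	name, id, _ := LatestWriteKey(component, names)
	fmt.Printf("desired write key: %s (keyID %d)\n", name, id)

	ann := map[string]string{EncryptionSecretMigratedTimestamp: "2024-01-01T00:00:00Z"}
	due, err := RotationDue(ann, time.Date(2024, 1, 8, 0, 0, 0, 0, time.UTC), 7*24*time.Hour)
	fmt.Println("rotation due:", due, "err:", err)
}
```

The strict-parse check matters because the key minting controller, as the comment notes, relies on the name to know whether it already minted a secret for a keyID; two spellings of the same number would defeat that.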
Variables ¶
This section is empty.
Functions ¶
func FromKeyState ¶
FromKeyState converts a key state to a key secret.
func ListKeySecrets ¶
func ListKeySecrets(ctx context.Context, secretClient corev1client.SecretsGetter, encryptionSecretSelector metav1.ListOptions) ([]*corev1.Secret, error)
ListKeySecrets returns the current key secrets from openshift-config-managed.
Types ¶
type MigratedGroupResources ¶
type MigratedGroupResources struct {
Resources []schema.GroupResource `json:"resources"`
}
MigratedGroupResources is the data structure stored under the encryption.apiserver.operator.openshift.io/migrated-resources key of a key secret.
func (*MigratedGroupResources) HasResource ¶
func (m *MigratedGroupResources) HasResource(resource schema.GroupResource) bool
HasResource returns whether the given group resource is contained in the migrated group resource list.
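The JSON encoding of MigratedGroupResources and the HasResource check, as an added example that is not part of the package: it encodes a migrated set into the annotation value, decodes it back, and reports which of a required set of group resources a key secret has not yet recorded as migrated. The `GroupResource` type is a standard-library stand-in for `schema.GroupResource` (assumed to carry the same `group`/`resource` JSON tags so the example runs without apimachinery), the sample resources are constructed, and storing the value in the secret's annotations is this example's assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Mirrors the package constant documented above.
const EncryptionSecretMigratedResources = "encryption.apiserver.operator.openshift.io/migrated-resources"

// GroupResource stands in for k8s.io/apimachinery's schema.GroupResource; the JSON
// tags are assumed to match so the encoding below is the one the annotation carries.
type GroupResource struct {
	Group    string `json:"group"`
	Resource string `json:"resource"`
}

// MigratedGroupResources mirrors the package type above.
type MigratedGroupResources struct {
	Resources []GroupResource `json:"resources"`
}

// HasResource mirrors the package method: exact group+resource membership.
func (m *MigratedGroupResources) HasResource(resource GroupResource) bool {
	for _, r := range m.Resources {
		if r == resource {
			return true
		}
	}
	return false
}

// EncodeMigratedResources produces the annotation value for a migrated set.
func EncodeMigratedResources(resources []GroupResource) (string, error) {
	b, err := json.Marshal(MigratedGroupResources{Resources: resources})
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// ParseMigratedResources decodes the annotation. An absent or empty annotation means
// nothing has been migrated for this key; malformed JSON is reported, not ignored.
func ParseMigratedResources(annotations map[string]string) (*MigratedGroupResources, error) {
	var m MigratedGroupResources
	raw, ok := annotations[EncryptionSecretMigratedResources]
	if !ok || raw == "" {
		return &m, nil
	}
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return nil, fmt.Errorf("bad %s annotation: %w", EncryptionSecretMigratedResources, err)
	}
	return &m, nil
}

// MissingMigrations lists the resources in want that m does not record as migrated.
// An empty result means every required resource has been migrated to this key.
func MissingMigrations(m *MigratedGroupResources, want []GroupResource) []GroupResource {
	var missing []GroupResource
	for _, gr := range want {
		if !m.HasResource(gr) {
			missing = append(missing, gr)
		}
	}
	return missing
}

func main() {
	// Constructed sample: core secrets and configmaps migrated, routes not yet.
	secrets := GroupResource{Group: "", Resource: "secrets"}
	configmaps := GroupResource{Group: "", Resource: "configmaps"}
	routes := GroupResource{Group: "route.openshift.io", Resource: "routes"}

	enc, _ := EncodeMigratedResources([]GroupResource{secrets, configmaps})
	fmt.Println("annotation value:", enc)

	m, err := ParseMigratedResources(map[string]string{EncryptionSecretMigratedResources: enc})
	if err != nil {
		panic(err)
	}
	fmt.Println("missing:", MissingMigrations(m, []GroupResource{secrets, configmaps, routes}))
}
```

Because `Group` has no `omitempty`, core-group resources are written with an explicit empty group string, so a reader that compares the parsed struct to a `schema.GroupResource` literal gets an exact match.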