encryptionconfiguration

package
v0.33.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 20, 2019 License: Apache-2.0, BSD-2-Clause, MIT, + 1 more Imports: 13 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsConfigurationNotFoundError

func IsConfigurationNotFoundError(err error) bool

IsConfigurationNotFoundError checks if the given error is an error when the encryption configuration is not found at the common.EtcdEncryptionSecretFileName key of the data section of a secret.

func Load

Load decodes an EncryptionConfiguration from the given data.

func NewEncryptionKey

func NewEncryptionKey(t time.Time, r io.Reader) (*apiserverconfigv1.Key, error)

NewEncryptionKey creates a new random encryption key with a name containing the timestamp. The reader should return random data suitable for cryptographic use, otherwise the security of encryption might be compromised.

func NewEncryptionKeyName

func NewEncryptionKeyName(t time.Time) string

NewEncryptionKeyName creates a new key with the given timestamp.

func NewEncryptionKeySecret

func NewEncryptionKeySecret(r io.Reader) (string, error)

NewEncryptionKeySecret reads common.EtcdEncryptionSecretLen bytes from the given reader and base-64 encodes the data. The reader should return random data suitable for cryptographic use, otherwise the security of encryption might be compromised.

func NewPassiveConfiguration

func NewPassiveConfiguration(t time.Time, r io.Reader) (*apiserverconfigv1.EncryptionConfiguration, error)

NewPassiveConfiguration creates an initial configuration for etcd encryption The list of encryption providers contains identity as first provider, which has the effect, that this configuration does not yet encrypt written secrets. The configuration has to be activated to actually encrypt written secrets. Nevertheless, an encryption provider aescbc is already contained in the configuration at the second position in the list of providers. A key is created for aescbc with the key's name containing the given time.

apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfiguration resources: - providers:

  • identity: {}
  • aescbc: keys:
  • name: key1559747207815249000 secret: Y8LEzbtK/2mdXrw6W/faAxNLu+mTCmcQeWojShAJGEg= resources: metadata:
  • secrets

func ParseEncryptionKeyName

func ParseEncryptionKeyName(keyName string) (time.Time, error)

ParseEncryptionKeyName parses the key name.

func ReadSecret

ReadSecret reads and validates the EncryptionConfiguration of the given secret.

func SetResourceEncryption

func SetResourceEncryption(c *apiserverconfigv1.EncryptionConfiguration, resource string, encrypted bool) error

SetResourceEncryption sets the EncryptionConfiguration to active or non-active (passive) state. State active means that provider aescbc is the first in the list of providers. State non-active (passive) means that provider identity is the first in the list of providers.

func UpdateSecret

func UpdateSecret(secret *corev1.Secret, conf *apiserverconfigv1.EncryptionConfiguration) error

UpdateSecret writes the EncryptionConfiguration to the common.EtcdEncryptionSecretFileName key in the data section of the given secret.

func Write

Write encodes an EncryptionConfiguration.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL