Documentation
Index
- func IsConfigurationNotFoundError(err error) bool
- func Load(data []byte) (*apiserverconfigv1.EncryptionConfiguration, error)
- func NewEncryptionKey(t time.Time, r io.Reader) (*apiserverconfigv1.Key, error)
- func NewEncryptionKeyName(t time.Time) string
- func NewEncryptionKeySecret(r io.Reader) (string, error)
- func NewPassiveConfiguration(t time.Time, r io.Reader) (*apiserverconfigv1.EncryptionConfiguration, error)
- func ParseEncryptionKeyName(keyName string) (time.Time, error)
- func ReadSecret(secret *corev1.Secret) (*apiserverconfigv1.EncryptionConfiguration, error)
- func SetResourceEncryption(c *apiserverconfigv1.EncryptionConfiguration, resource string, encrypted bool) error
- func UpdateSecret(secret *corev1.Secret, conf *apiserverconfigv1.EncryptionConfiguration) error
- func Write(ec *apiserverconfigv1.EncryptionConfiguration) ([]byte, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func IsConfigurationNotFoundError
IsConfigurationNotFoundError reports whether the given error signals that no encryption configuration was found under the common.EtcdEncryptionSecretFileName key in the data section of a secret.
func Load
func Load(data []byte) (*apiserverconfigv1.EncryptionConfiguration, error)
Load decodes an EncryptionConfiguration from the given data.
func NewEncryptionKey
NewEncryptionKey creates a new random encryption key whose name contains the given timestamp. The reader must return random data suitable for cryptographic use; otherwise the security of the encryption may be compromised.
func NewEncryptionKeyName
NewEncryptionKeyName creates a new key name containing the given timestamp.
func NewEncryptionKeySecret
NewEncryptionKeySecret reads common.EtcdEncryptionSecretLen bytes from the given reader and base64-encodes them. The reader must return random data suitable for cryptographic use; otherwise the security of the encryption may be compromised.
func NewPassiveConfiguration
func NewPassiveConfiguration(t time.Time, r io.Reader) (*apiserverconfigv1.EncryptionConfiguration, error)
NewPassiveConfiguration creates an initial configuration for etcd encryption. The list of encryption providers contains identity as the first provider, which means that this configuration does not yet encrypt written secrets; the configuration has to be activated to actually encrypt them. Nevertheless, the aescbc encryption provider is already contained in the configuration at the second position in the list of providers, and a key is created for aescbc whose name contains the given time.
    apiVersion: apiserver.config.k8s.io/v1
    kind: EncryptionConfiguration
    resources:
    - providers:
      - identity: {}
      - aescbc:
          keys:
          - name: key1559747207815249000
            secret: Y8LEzbtK/2mdXrw6W/faAxNLu+mTCmcQeWojShAJGEg=
      resources:
      - secrets
    metadata:
func ParseEncryptionKeyName
ParseEncryptionKeyName parses the timestamp out of the given key name.
func ReadSecret
func ReadSecret(secret *corev1.Secret) (*apiserverconfigv1.EncryptionConfiguration, error)
ReadSecret reads and validates the EncryptionConfiguration of the given secret.
func SetResourceEncryption
func SetResourceEncryption(c *apiserverconfigv1.EncryptionConfiguration, resource string, encrypted bool) error
SetResourceEncryption sets the EncryptionConfiguration for the given resource to the active or the non-active (passive) state. Active means that the aescbc provider is first in the list of providers; non-active (passive) means that the identity provider is first in the list of providers.
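Worked example covering the key helpers, NewPassiveConfiguration and SetResourceEncryption together. This is added illustration, not the package's own code: the types are minimal stand-ins for the apiserverconfigv1 types, secretLen is an assumption (the value of common.EtcdEncryptionSecretLen is not on this page, so the AES-256 key size is used), the name scheme "key" followed by Unix nanoseconds is inferred from the sample name key1559747207815249000 shown above, and findResource is a hypothetical helper. The point it makes concrete is the one the doc comments stress: a short or non-random reader must fail loudly, and activation is purely a reordering of providers, so the aescbc key is already in place before any write is encrypted.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io"
	"strconv"
	"strings"
	"time"
)

// Stand-ins for the apiserverconfigv1 types, constructed for this example;
// the real ones live in k8s.io/apiserver/pkg/apis/config/v1.
type Key struct{ Name, Secret string }
type AESConfiguration struct{ Keys []Key }
type IdentityConfiguration struct{}
type ProviderConfiguration struct {
	Identity *IdentityConfiguration
	AESCBC   *AESConfiguration
}
type ResourceConfiguration struct {
	Resources []string
	Providers []ProviderConfiguration
}
type EncryptionConfiguration struct{ Resources []ResourceConfiguration }

// Assumptions: common.EtcdEncryptionSecretLen's value is not on the page, so the
// AES-256 key size is used; key1559747207815249000 is read as "key" + UnixNano.
const (
	secretLen = 32
	keyPrefix = "key"
)

// NewEncryptionKeySecret reads secretLen bytes from r and base64-encodes them.
// io.ReadFull turns a short read into an error rather than a silently weak key.
func NewEncryptionKeySecret(r io.Reader) (string, error) {
	buf := make([]byte, secretLen)
	if _, err := io.ReadFull(r, buf); err != nil {
		return "", fmt.Errorf("reading %d key bytes: %w", secretLen, err)
	}
	return base64.StdEncoding.EncodeToString(buf), nil
}

// NewEncryptionKeyName embeds the creation time; ParseEncryptionKeyName recovers it.
func NewEncryptionKeyName(t time.Time) string {
	return keyPrefix + strconv.FormatInt(t.UnixNano(), 10)
}

func ParseEncryptionKeyName(name string) (time.Time, error) {
	if !strings.HasPrefix(name, keyPrefix) {
		return time.Time{}, fmt.Errorf("key name %q lacks prefix %q", name, keyPrefix)
	}
	ns, err := strconv.ParseInt(strings.TrimPrefix(name, keyPrefix), 10, 64)
	if err != nil {
		return time.Time{}, fmt.Errorf("key name %q: %w", name, err)
	}
	return time.Unix(0, ns).UTC(), nil
}

// NewPassiveConfiguration lists identity first (writes stay plaintext) and aescbc
// with a fresh key second. Outside of tests, pass crypto/rand.Reader as r.
func NewPassiveConfiguration(t time.Time, r io.Reader) (*EncryptionConfiguration, error) {
	secret, err := NewEncryptionKeySecret(r)
	if err != nil {
		return nil, err
	}
	return &EncryptionConfiguration{Resources: []ResourceConfiguration{{
		Resources: []string{"secrets"},
		Providers: []ProviderConfiguration{
			{Identity: &IdentityConfiguration{}},
			{AESCBC: &AESConfiguration{Keys: []Key{{NewEncryptionKeyName(t), secret}}}},
		},
	}}}, nil
}

// findResource (hypothetical helper) returns the entry covering resource, or nil.
func findResource(c *EncryptionConfiguration, resource string) *ResourceConfiguration {
	for i := range c.Resources {
		for _, name := range c.Resources[i].Resources {
			if name == resource {
				return &c.Resources[i]
			}
		}
	}
	return nil
}

// SetResourceEncryption moves aescbc (encrypted) or identity (passive) to the
// front of the provider list; the others keep their order and can still read.
func SetResourceEncryption(c *EncryptionConfiguration, resource string, encrypted bool) error {
	rc := findResource(c, resource)
	if rc == nil {
		return fmt.Errorf("resource %q not in configuration", resource)
	}
	for j, p := range rc.Providers {
		if (encrypted && p.AESCBC != nil) || (!encrypted && p.Identity != nil) {
			rest := append([]ProviderConfiguration{}, rc.Providers[:j]...)
			rc.Providers = append([]ProviderConfiguration{p}, append(rest, rc.Providers[j+1:]...)...)
			return nil
		}
	}
	return fmt.Errorf("resource %q: required provider not configured", resource)
}
```

With a deterministic reader (32 bytes of 0x01) the generated secret is a fixed base64 string, which is how such code can be unit-tested; in production the reader is crypto/rand.Reader, and a reader that delivers fewer than secretLen bytes is rejected instead of yielding a padded key.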
func UpdateSecret
func UpdateSecret(secret *corev1.Secret, conf *apiserverconfigv1.EncryptionConfiguration) error
UpdateSecret writes the EncryptionConfiguration to the common.EtcdEncryptionSecretFileName key in the data section of the given secret.
func Write
func Write(ec *apiserverconfigv1.EncryptionConfiguration) ([]byte, error)
Write encodes an EncryptionConfiguration.
Types
This section is empty.