etcdencryption

package
v1.20.2
Published: Apr 12, 2021 License: Apache-2.0, BSD-2-Clause, MIT, + 1 more Imports: 15 Imported by: 0

Documentation

Index

Constants

const ETCDEncryptionDataType = infodata.TypeVersion("etcdEncryption")

ETCDEncryptionDataType is the type used to denote an ETCDKeyData structure in the ShootState.

Variables

This section is empty.

Functions

func GetSecretKeyForResources added in v1.4.0

func GetSecretKeyForResources(config *apiserverconfigv1.EncryptionConfiguration, resources string) (string, string, error)

GetSecretKeyForResources returns the name and secret of the AESCBC key used to encrypt the given resources. If no AESCBC key is found, it returns empty strings.

func IsConfigurationNotFoundError

func IsConfigurationNotFoundError(err error) bool

IsConfigurationNotFoundError checks if the given error is an error when the encryption configuration is not found at the common.EtcdEncryptionSecretFileName key of the data section of a secret.

func Load

Load decodes an EncryptionConfiguration from the given data.

func NewEncryptionConfiguration added in v1.4.0

func NewEncryptionConfiguration(encryptionConfig *EncryptionConfig) *apiserverconfigv1.EncryptionConfiguration

NewEncryptionConfiguration creates an EncryptionConfiguration from the keys and state held in the given EncryptionConfig.

func NewEncryptionKey

func NewEncryptionKey(t time.Time, r io.Reader) (*apiserverconfigv1.Key, error)

NewEncryptionKey creates a new random encryption key with a name containing the timestamp. The reader should return random data suitable for cryptographic use, otherwise the security of encryption might be compromised.

func NewEncryptionKeyName

func NewEncryptionKeyName(t time.Time) string

NewEncryptionKeyName creates a new key name containing the given timestamp.

func NewEncryptionKeySecret

func NewEncryptionKeySecret(r io.Reader) (string, error)

NewEncryptionKeySecret reads common.EtcdEncryptionSecretLen bytes from the given reader and base-64 encodes the data. The reader should return random data suitable for cryptographic use, otherwise the security of encryption might be compromised.

func ReadSecret

ReadSecret reads and validates the EncryptionConfiguration of the given secret.

func Unmarshal added in v1.4.0

func Unmarshal(bytes []byte) (infodata.InfoData, error)

Unmarshal unmarshals ETCDKeyData JSON into InfoData.

func UpdateSecret

func UpdateSecret(secret *corev1.Secret, conf *apiserverconfigv1.EncryptionConfiguration) error

UpdateSecret writes the EncryptionConfiguration to the common.EtcdEncryptionSecretFileName key in the data section of the given secret.

func Write

Write encodes an EncryptionConfiguration.

Types

type EncryptionConfig added in v1.4.0

type EncryptionConfig struct {
	EncryptionKeys          []EncryptionKey
	ForcePlainTextResources bool
	RewriteResources        bool
}

EncryptionConfig holds a list of keys and information whether resources should be forcefully persisted in plain text and rewritten if the configuration changes.

func GetEncryptionConfig added in v1.4.0

func GetEncryptionConfig(gardenerResourceDataList gardencorev1alpha1helper.GardenerResourceDataList) (*EncryptionConfig, error)

GetEncryptionConfig retrieves the ETCDEncryptionConfig from the gardenerResourceDataList.

func NewEncryptionConfig added in v1.4.0

func NewEncryptionConfig(keys []EncryptionKey, forcePlainTextResources, rewriteResources bool) (*EncryptionConfig, error)

NewEncryptionConfig creates a new EncryptionConfig from the given keys and the ForcePlainTextResources and RewriteResources flags.

func (*EncryptionConfig) AddEncryptionKeyFromSecret added in v1.4.0

func (e *EncryptionConfig) AddEncryptionKeyFromSecret(secret *corev1.Secret) error

AddEncryptionKeyFromSecret gets the active etcd encryption key from the secret object and adds it to the ETCDEncryptionConfig. TODO: this function can be removed in a future version when all the encryption configurations have been synced to the ShootState.

func (*EncryptionConfig) AddNewEncryptionKey added in v1.4.0

func (e *EncryptionConfig) AddNewEncryptionKey() error

AddNewEncryptionKey generates a new etcd encryption key and adds it to the ETCDEncryptionConfig.

func (*EncryptionConfig) Marshal added in v1.4.0

func (e *EncryptionConfig) Marshal() ([]byte, error)

Marshal serializes the EncryptionConfig as ETCDEncryption InfoData.

func (*EncryptionConfig) SetForcePlainTextResources added in v1.4.0

func (e *EncryptionConfig) SetForcePlainTextResources(forcePlainTextResources bool)

SetForcePlainTextResources sets whether resources should be persisted in plain text instead of being encrypted. If the value changes, RewriteResources is set to true.
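As an added example (not the package's own code), a self-contained Go sketch of the key-generation and plain-text-switching semantics described by NewEncryptionKeyName, NewEncryptionKeySecret, SetForcePlainTextResources and NewEncryptionConfiguration above. It assumes a 32-byte secret (the page names common.EtcdEncryptionSecretLen without its value), a `key<unix-timestamp>` name format, and plain Go types in place of apiserverconfigv1; the provider ordering reflects how kube-apiserver treats an EncryptionConfiguration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"time"
)

const secretLen = 32 // assumed: the page names common.EtcdEncryptionSecretLen without its value; 32 bytes = AES-256

// EncryptionKey and EncryptionConfig mirror the page's structs; Key holds the base64 secret.
type EncryptionKey struct{ Key, Name string }
type EncryptionConfig struct {
	EncryptionKeys          []EncryptionKey
	ForcePlainTextResources bool
	RewriteResources        bool
}

// NewEncryptionKeyName embeds the timestamp in the key name (exact format assumed).
func NewEncryptionKeyName(t time.Time) string { return fmt.Sprintf("key%d", t.Unix()) }

// NewEncryptionKeySecret reads exactly secretLen bytes from r (use crypto/rand.Reader); a short reader is an error, never padded.
func NewEncryptionKeySecret(r io.Reader) (string, error) {
	buf := make([]byte, secretLen)
	if _, err := io.ReadFull(r, buf); err != nil {
		return "", fmt.Errorf("reading key material: %w", err)
	}
	return base64.StdEncoding.EncodeToString(buf), nil
}

// SetForcePlainTextResources marks a rewrite only when the flag actually changes.
func (e *EncryptionConfig) SetForcePlainTextResources(force bool) {
	e.RewriteResources = e.RewriteResources || e.ForcePlainTextResources != force
	e.ForcePlainTextResources = force
}

// Providers is the kube-apiserver provider order: the first entry encrypts new writes, all of them decrypt.
func (e *EncryptionConfig) Providers() []string {
	if e.ForcePlainTextResources {
		return []string{"identity", "aescbc"} // identity first: new writes are stored in plain text
	}
	return []string{"aescbc", "identity"}
}

func main() {
	secret, err := NewEncryptionKeySecret(rand.Reader)
	fmt.Println(NewEncryptionKeyName(time.Now()), len(secret), err, (&EncryptionConfig{}).Providers())
}
```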

func (*EncryptionConfig) TypeVersion added in v1.4.0

func (e *EncryptionConfig) TypeVersion() infodata.TypeVersion

TypeVersion implements the InfoData interface.

type EncryptionConfigData added in v1.4.0

type EncryptionConfigData struct {
	EncryptionKeys          []EncryptionKeyData `json:"encryptionKeys"`
	ForcePlainTextResources bool                `json:"forcePlainTextResources"`
	RewriteResources        bool                `json:"rewriteResources"`
}

EncryptionConfigData holds a list of keys and information whether resources should be forcefully persisted in plain text and rewritten if the configuration changes.

type EncryptionKey added in v1.4.0

type EncryptionKey struct {
	Key  string
	Name string
}

EncryptionKey holds the key and its name used to encrypt resources in ETCD.

type EncryptionKeyData added in v1.4.0

type EncryptionKeyData struct {
	Key  string `json:"key"`
	Name string `json:"name"`
}

EncryptionKeyData holds the key and its name used to encrypt resources in ETCD.
