etcdencryption

package

v1.33.3 Latest Latest Go to latest Published: Nov 17, 2021 License: Apache-2.0, BSD-2-Clause, MIT, + 1 more Imports: 16 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/gardener/gardener

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func GetSecretKeyForResources(config *apiserverconfigv1.EncryptionConfiguration, resources string) (string, string, error)
func IsConfigurationNotFoundError(err error) bool
func Load(data []byte) (*apiserverconfigv1.EncryptionConfiguration, error)
func NewEncryptionConfiguration(encryptionConfig *EncryptionConfig) *apiserverconfigv1.EncryptionConfiguration
func NewEncryptionKey(t time.Time, r io.Reader) (*apiserverconfigv1.Key, error)
func NewEncryptionKeyName(t time.Time) string
func NewEncryptionKeySecret(r io.Reader) (string, error)
func ReadSecret(secret *corev1.Secret) (*apiserverconfigv1.EncryptionConfiguration, error)
func Unmarshal(bytes []byte) (infodata.InfoData, error)
func UpdateSecret(secret *corev1.Secret, conf *apiserverconfigv1.EncryptionConfiguration) error
func Write(ec *apiserverconfigv1.EncryptionConfiguration) ([]byte, error)
type EncryptionConfig
- func GetEncryptionConfig(gardenerResourceDataList gardencorev1alpha1helper.GardenerResourceDataList) (*EncryptionConfig, error)
- func NewEncryptionConfig(keys []EncryptionKey, forcePlainTextResources, rewriteResources bool) (*EncryptionConfig, error)
type EncryptionConfigData
type EncryptionKey
type EncryptionKeyData

Constants ¶

View Source

const ETCDEncryptionDataType = infodata.TypeVersion("etcdEncryption")

ETCDEncryptionDataType is the type used to denote an ETCDKeyData structure in the ShootState

Variables ¶

This section is empty.

Functions ¶

func GetSecretKeyForResources ¶ added in v1.4.0

func GetSecretKeyForResources(config *apiserverconfigv1.EncryptionConfiguration, resources string) (string, string, error)

GetSecretKeyForResources returns the AESCBC key name and AESCBC key secret which is used to encrypt the resource. If the AESCBC is not found then it returns empty strings.

func IsConfigurationNotFoundError ¶

func IsConfigurationNotFoundError(err error) bool

IsConfigurationNotFoundError checks if the given error is an error when the encryption configuration is not found at the common.EtcdEncryptionSecretFileName key of the data section of a secret.

func Load ¶

func Load(data []byte) (*apiserverconfigv1.EncryptionConfiguration, error)

Load decodes an EncryptionConfiguration from the given data.

func NewEncryptionConfiguration ¶ added in v1.4.0

func NewEncryptionConfiguration(encryptionConfig *EncryptionConfig) *apiserverconfigv1.EncryptionConfiguration

NewEncryptionConfiguration creates an EncryptionConfiguration from the key and state

func NewEncryptionKey ¶

func NewEncryptionKey(t time.Time, r io.Reader) (*apiserverconfigv1.Key, error)

NewEncryptionKey creates a new random encryption key with a name containing the timestamp. The reader should return random data suitable for cryptographic use, otherwise the security of encryption might be compromised.

func NewEncryptionKeyName ¶

func NewEncryptionKeyName(t time.Time) string

NewEncryptionKeyName creates a new key with the given timestamp.

func NewEncryptionKeySecret ¶

func NewEncryptionKeySecret(r io.Reader) (string, error)

NewEncryptionKeySecret reads common.EtcdEncryptionSecretLen bytes from the given reader and base-64 encodes the data. The reader should return random data suitable for cryptographic use, otherwise the security of encryption might be compromised.

func ReadSecret ¶

func ReadSecret(secret *corev1.Secret) (*apiserverconfigv1.EncryptionConfiguration, error)

ReadSecret reads and validates the EncryptionConfiguration of the given secret.

func Unmarshal ¶ added in v1.4.0

func Unmarshal(bytes []byte) (infodata.InfoData, error)

Unmarshal unmarshals an ETCDKeyData json.

func UpdateSecret ¶

func UpdateSecret(secret *corev1.Secret, conf *apiserverconfigv1.EncryptionConfiguration) error

UpdateSecret writes the EncryptionConfiguration to the common.EtcdEncryptionSecretFileName key in the data section of the given secret.

func Write ¶

func Write(ec *apiserverconfigv1.EncryptionConfiguration) ([]byte, error)

Write encodes an EncryptionConfiguration.

Types ¶

type EncryptionConfig ¶ added in v1.4.0

type EncryptionConfig struct {
	EncryptionKeys          []EncryptionKey
	ForcePlainTextResources bool
	RewriteResources        bool
}

EncryptionConfig holds a list of keys and information whether resources should be forcefully persisted in plain text and rewritten if the configuration changes.

func GetEncryptionConfig ¶ added in v1.4.0

func GetEncryptionConfig(gardenerResourceDataList gardencorev1alpha1helper.GardenerResourceDataList) (*EncryptionConfig, error)

GetEncryptionConfig retrieves the ETCDEncryptionConfig from the gardenerResourceDataList.

func NewEncryptionConfig ¶ added in v1.4.0

func NewEncryptionConfig(keys []EncryptionKey, forcePlainTextResources, rewriteResources bool) (*EncryptionConfig, error)

NewEncryptionConfig creates a new ETCDEncryptionKey from a given key and name

func (*EncryptionConfig) AddEncryptionKeyFromSecret ¶ added in v1.4.0

func (e *EncryptionConfig) AddEncryptionKeyFromSecret(secret *corev1.Secret) error

AddEncryptionKeyFromSecret gets the active etcd encryption key from the secret object and adds it to the ETCDEncryptionConfig. TODO: this function can be removed in a future version when all the encryption configurations have been synced to the ShootState.

func (*EncryptionConfig) AddNewEncryptionKey ¶ added in v1.4.0

func (e *EncryptionConfig) AddNewEncryptionKey() error

AddNewEncryptionKey generates a new etcd encryption key and adds it to the ETCDEncryptionConfig.

func (*EncryptionConfig) Marshal ¶ added in v1.4.0

func (e *EncryptionConfig) Marshal() ([]byte, error)

Marshal ETCDEncryption InfoData

func (*EncryptionConfig) SetForcePlainTextResources ¶ added in v1.4.0

func (e *EncryptionConfig) SetForcePlainTextResources(forcePlainTextResources bool)

SetForcePlainTextResources sets whether resources should be encrypted or not. If the configuration changes RewriteResource is set to true.

func (*EncryptionConfig) TypeVersion ¶ added in v1.4.0

func (e *EncryptionConfig) TypeVersion() infodata.TypeVersion

TypeVersion implements InfoData

type EncryptionConfigData ¶ added in v1.4.0

type EncryptionConfigData struct {
	EncryptionKeys          []EncryptionKeyData `json:"encryptionKeys"`
	ForcePlainTextResources bool                `json:"forcePlainTextResources"`
	RewriteResources        bool                `json:"rewriteResources"`
}

EncryptionConfigData holds a list of keys and information whether resources should be forcefully persisted in plain text and rewritten if the configuration changes.

type EncryptionKey ¶ added in v1.4.0

type EncryptionKey struct {
	Key  string
	Name string
}

EncryptionKey holds the key and its name used to encrypt resources in ETCD.

type EncryptionKeyData ¶ added in v1.4.0

type EncryptionKeyData struct {
	Key  string `json:"key"`
	Name string `json:"name"`
}

EncryptionKeyData holds the key and its name used to encrypt resources in ETCD

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL