package state

v0.0.0-...-201d816

Warning: This package is not in the latest version of its module.

Published: Dec 16, 2024 License: Apache-2.0 Imports: 7 Imported by: 24

Documentation

Constants

const (
	KubernetesDescriptionKey        = "kubernetes.io/description"
	KubernetesDescriptionScaryValue = `` /* 156-byte string literal not displayed */

)

These annotations try to scare anyone away from editing the encryption secrets. It is trivial for an external actor to break the invariants of the state machine and render the cluster unrecoverable.

Variables

This section is empty.

Functions

func EqualKeyAndEqualID

func EqualKeyAndEqualID(s1, s2 *KeyState) bool

func MigratedFor

func MigratedFor(grs []schema.GroupResource, km KeyState) (ok bool, missing []schema.GroupResource, reason string)

MigratedFor returns whether all given resources are marked as migrated in the given key. It returns missing GRs and a reason if that's not the case.
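To make that contract concrete, the following is an added example (not the library's own code): it declares minimal stand-in types whose field shapes are assumed, implements MigratedFor as documented above, and adds a hypothetical NewestFullyMigrated helper that finds, in a recent-first key list, the newest key every given resource has been migrated to. Keys older than that one no longer protect live data, which is the invariant the surrounding annotations warn operators not to break by hand.

```go
package main

import "fmt"

// Minimal stand-ins for the page's types (field shapes assumed for this example).
type GroupResource struct{ Group, Resource string }
type MigrationState struct{ Resources []GroupResource } // GRs migrated to this key
type KeyState struct{ Migrated MigrationState }

// MigratedFor follows the documented contract: ok only if every gr appears in
// km.Migrated.Resources; otherwise it returns the missing GRs and a reason.
func MigratedFor(grs []GroupResource, km KeyState) (ok bool, missing []GroupResource, reason string) {
	done := make(map[GroupResource]bool, len(km.Migrated.Resources))
	for _, gr := range km.Migrated.Resources {
		done[gr] = true
	}
	for _, gr := range grs {
		if !done[gr] {
			missing = append(missing, gr)
		}
	}
	if len(missing) == 0 {
		return true, nil, ""
	}
	return false, missing, fmt.Sprintf("%d resource(s) not migrated to this key: %v", len(missing), missing)
}

// NewestFullyMigrated (hypothetical helper, not on the page) scans keys sorted
// recent-first and returns the index of the first one that has migrated every
// gr, or -1 if no key has; keys older than that index hold no live data.
func NewestFullyMigrated(grs []GroupResource, recentFirst []KeyState) int {
	for i, k := range recentFirst {
		if ok, _, _ := MigratedFor(grs, k); ok {
			return i
		}
	}
	return -1
}

func main() {
	secrets, cms := GroupResource{Resource: "secrets"}, GroupResource{Resource: "configmaps"}
	keys := []KeyState{ // constructed sample, newest first: keys[0] has not migrated configmaps yet
		{Migrated: MigrationState{Resources: []GroupResource{secrets}}},
		{Migrated: MigrationState{Resources: []GroupResource{secrets, cms}}},
	}
	_, _, reason := MigratedFor([]GroupResource{secrets, cms}, keys[0])
	fmt.Println(reason)
	fmt.Println(NewestFullyMigrated([]GroupResource{secrets, cms}, keys)) // 1
}
```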

func NameToKeyID

func NameToKeyID(name string) (uint64, bool)

Types

type GroupResourceState

type GroupResourceState struct {
	// the write key of the group resource.
	WriteKey KeyState
	// all read keys of the group resource. Potentially includes the write key.
	ReadKeys []KeyState
}

GroupResourceState represents, for a single group resource, the write and read keys in a format that can be directly translated to and from the on-disk EncryptionConfiguration object.

func (GroupResourceState) HasWriteKey

func (k GroupResourceState) HasWriteKey() bool

type KeyState

type KeyState struct {
	Key  apiserverconfigv1.Key
	Mode Mode

	// describes whether it is backed by a secret.
	Backed   bool
	Migrated MigrationState
	// some controller logic caused this secret to be created by the key controller.
	InternalReason string
	// the user triggered this key via unsupportConfigOverrides.encryption.reason.
	ExternalReason string
}

func KeysWithPotentiallyPersistedDataAndNextReadKey

func KeysWithPotentiallyPersistedDataAndNextReadKey(grs []schema.GroupResource, recentFirstSortedKeys []KeyState) []KeyState

KeysWithPotentiallyPersistedDataAndNextReadKey returns the minimal, recent secrets which have migrated all given GRs.

func SortRecentFirst

func SortRecentFirst(unsorted []KeyState) []KeyState

type MigrationState

type MigrationState struct {
	// the timestamp of the last migration
	Timestamp time.Time
	// the resources that were migrated at some point in time to this key.
	Resources []schema.GroupResource
}

type Mode

type Mode string

Mode is the value associated with the encryptionSecretMode annotation.

const (
	AESCBC    Mode = "aescbc" // available from the first release, see DefaultMode below
	AESGCM    Mode = "aesgcm"
	SecretBox Mode = "secretbox" // available from the first release, see DefaultMode below
	Identity  Mode = "identity"  // available from the first release, see DefaultMode below

	// Changing this value requires caution to not break downgrades.
	// Specifically, if some new Mode is released in version X, that new Mode cannot
	// be used as the DefaultMode until version X+1.  Thus on a downgrade the operator
	// from version X will still be able to honor the observed encryption state
	// (and it will do a key rotation to force the use of the old DefaultMode).
	DefaultMode = Identity // we default to encryption being disabled for now
)

The current set of modes that are supported along with the default Mode that is used. These values are encoded into the secret and thus must not be changed. Strings are used over iota because they are easier for a human to understand.
