Documentation
Index
- Variables
- func GetEncryptionConfigHash(filepath string) (string, error)
- func GetKDF(kmsName string) bool
- func SetKDFForTests(kmsName string, b bool) func()
- type DynamicTransformers
- func (d *DynamicTransformers) Check(req *http.Request) error
- func (d *DynamicTransformers) Name() string
- func (d *DynamicTransformers) Set(transformerOverrides map[schema.GroupResource]storagevalue.Transformer, ...)
- func (d *DynamicTransformers) TransformerForResource(resource schema.GroupResource) storagevalue.Transformer
- type EncryptionConfiguration
- type StaticTransformers
Constants
This section is empty.
Variables
var (
	// The factory to create kmsv2 service. Exported for integration tests.
	EnvelopeKMSv2ServiceFactory = envelopekmsv2.NewGRPCService
)
Functions
func GetEncryptionConfigHash (added in v0.29.0)
GetEncryptionConfigHash reads the encryption configuration file at filepath and returns the hash of the file. It does not attempt to decode or load the config, and serves as a cheap check to determine if the file has changed.
func GetKDF (added in v0.29.0)
This function should be used to determine enablement of the KMSv2KDF feature instead of reading it from DefaultFeatureGate, because the feature gate is locked to true starting with v1.29. To allow integration tests to run in parallel, this "feature flag" can be set per KMS provider, as long as all providers use distinct names.
func SetKDFForTests (added in v0.29.0)
This function should only be called in tests to swap enablement of the KMSv2KDF feature. The caller must guarantee that all KMS providers have distinct names across all tests.
Types
type DynamicTransformers (added in v0.26.0)
type DynamicTransformers struct {
// contains filtered or unexported fields
}
DynamicTransformers holds transformers that may be dynamically updated via a single external actor, likely a controller. This struct must avoid locks (even read write locks) as it is inline to all calls to storage.
func NewDynamicTransformers (added in v0.26.0)
func NewDynamicTransformers(
	transformerOverrides map[schema.GroupResource]storagevalue.Transformer,
	kmsPluginHealthzCheck healthz.HealthChecker,
	closeTransformers context.CancelFunc,
	kmsCloseGracePeriod time.Duration,
) *DynamicTransformers
NewDynamicTransformers returns transformers, health checks for kms providers and an ability to close transformers.
func (*DynamicTransformers) Check (added in v0.26.0)
func (d *DynamicTransformers) Check(req *http.Request) error
Check implements healthz.HealthChecker
func (*DynamicTransformers) Name (added in v0.26.0)
func (d *DynamicTransformers) Name() string
Name implements healthz.HealthChecker
func (*DynamicTransformers) Set (added in v0.26.0)
func (d *DynamicTransformers) Set(
	transformerOverrides map[schema.GroupResource]storagevalue.Transformer,
	closeTransformers context.CancelFunc,
	kmsPluginHealthzCheck healthz.HealthChecker,
	kmsCloseGracePeriod time.Duration,
)
Set sets the transformer overrides. This method is not goroutine safe and must only be called by the same, single caller throughout the lifetime of this object.
func (*DynamicTransformers) TransformerForResource (added in v0.26.0)
func (d *DynamicTransformers) TransformerForResource(resource schema.GroupResource) storagevalue.Transformer
TransformerForResource returns the transformer for the given resource.
type EncryptionConfiguration (added in v0.26.0)
type EncryptionConfiguration struct {
	// Transformers is a list of value.Transformer that will be used to encrypt and decrypt data.
	Transformers map[schema.GroupResource]storagevalue.Transformer
	// HealthChecks is a list of healthz.HealthChecker that will be used to check the health of the encryption providers.
	HealthChecks []healthz.HealthChecker
	// EncryptionFileContentHash is the hash of the encryption config file.
	EncryptionFileContentHash string
	// KMSCloseGracePeriod is the duration we will wait before closing old transformers.
	// We wait for any in-flight requests to finish by using the duration which is longer than their timeout.
	KMSCloseGracePeriod time.Duration
}
EncryptionConfiguration represents the parsed and normalized encryption configuration for the apiserver.
func LoadEncryptionConfig (added in v0.26.0)
func LoadEncryptionConfig(ctx context.Context, filepath string, reload bool, apiServerID string) (*EncryptionConfiguration, error)
LoadEncryptionConfig parses and validates the encryption config specified by filepath. It may launch multiple goroutines whose lifecycle is controlled by ctx. In case of an error, the caller is responsible for canceling ctx to clean up any goroutines that may have been launched. If reload is true, or KMS v2 plugins are used with no KMS v1 plugins, the returned slice of health checkers will always be of length 1.
type StaticTransformers (added in v0.26.0)
type StaticTransformers map[schema.GroupResource]storagevalue.Transformer
func (StaticTransformers) TransformerForResource (added in v0.26.0)
func (s StaticTransformers) TransformerForResource(resource schema.GroupResource) storagevalue.Transformer