Documentation ¶
Index ¶
- Constants
- func NewClient(conn *grpc.ClientConn) pb.KeyManagementServiceClient
- func WaitForReady(client pb.KeyManagementServiceClient, duration time.Duration) error
- type SharedHealthCheck
- type V1Plugin
- func (p *V1Plugin) Decrypt(ctx context.Context, request *pb.DecryptRequest) (*pb.DecryptResponse, error)
- func (p *V1Plugin) Encrypt(ctx context.Context, request *pb.EncryptRequest) (*pb.EncryptResponse, error)
- func (p *V1Plugin) Health() error
- func (p *V1Plugin) Live() error
- func (p *V1Plugin) Register(s *grpc.Server)
- func (p *V1Plugin) Version(ctx context.Context, request *pb.VersionRequest) (*pb.VersionResponse, error)
- type V2Plugin
- func (p *V2Plugin) Decrypt(ctx context.Context, request *pb.DecryptRequest) (*pb.DecryptResponse, error)
- func (p *V2Plugin) Encrypt(ctx context.Context, request *pb.EncryptRequest) (*pb.EncryptResponse, error)
- func (p *V2Plugin) Health() error
- func (p *V2Plugin) Live() error
- func (p *V2Plugin) Register(s *grpc.Server)
- func (p *V2Plugin) Status(ctx context.Context, request *pb.StatusRequest) (*pb.StatusResponse, error)
Constants ¶
const (
	DefaultHealthCheckPeriod = 30 * time.Second
	DefaultErrcBufSize       = 100
)
TODO: make configurable
const (
GRPC_V1 = "v1"
)
const (
GRPC_V2 = "v2"
)
Variables ¶
This section is empty.
Functions ¶
func NewClient ¶
func NewClient(conn *grpc.ClientConn) pb.KeyManagementServiceClient
NewClient returns a KeyManagementServiceClient for a given grpc connection
func WaitForReady ¶
func WaitForReady(client pb.KeyManagementServiceClient, duration time.Duration) error
WaitForReady uses a given client to wait until the given duration for the server to become ready
Types ¶
type SharedHealthCheck ¶
type SharedHealthCheck struct {
// contains filtered or unexported fields
}
func NewSharedHealthCheck ¶
func NewSharedHealthCheck(checkPeriod time.Duration, errcBuf int) *SharedHealthCheck
func (*SharedHealthCheck) Start ¶
func (p *SharedHealthCheck) Start()
func (*SharedHealthCheck) Stop ¶
func (p *SharedHealthCheck) Stop()
type V1Plugin ¶
type V1Plugin struct {
// contains filtered or unexported fields
}
V1Plugin implements the KeyManagementServiceServer
func New ¶
func New(key string, svc kmsiface.KMSAPI, encryptionCtx map[string]string, healthCheck *SharedHealthCheck) *V1Plugin
New returns a new *V1Plugin
func (*V1Plugin) Decrypt ¶
func (p *V1Plugin) Decrypt(ctx context.Context, request *pb.DecryptRequest) (*pb.DecryptResponse, error)
Decrypt executes the decrypt operation using AWS KMS
func (*V1Plugin) Encrypt ¶
func (p *V1Plugin) Encrypt(ctx context.Context, request *pb.EncryptRequest) (*pb.EncryptResponse, error)
Encrypt executes the encryption operation using AWS KMS
func (*V1Plugin) Health ¶
func (p *V1Plugin) Health() error
Health checks KMS API availability.
The goal is to:
- not incur an extra KMS API call if the V1Plugin "Encrypt" method has already
- return the latest health status (the cached KMS status must reflect the current one)
The error is sent via a channel and consumed by a goroutine. The error channel may be full and block when there are too many failures, or empty and block when there is no failure. To handle both cases, the plugin keeps track of the timestamp of the latest health check.
Call the KMS "Encrypt" API iff either:
- a health check has never been done
- no health check has been done within the last "healthCheckPeriod" (only use the cached error if it comes from a recent API call)
func (*V1Plugin) Live ¶
func (p *V1Plugin) Live() error
Live checks the liveness of the KMS API. If the error is user-induced (e.g., a revoked CMK), the function returns NO error. If the error is due to KMS availability, the function returns the error.
func (*V1Plugin) Version ¶
func (p *V1Plugin) Version(ctx context.Context, request *pb.VersionRequest) (*pb.VersionResponse, error)
Version returns the V1Plugin server version
type V2Plugin ¶
type V2Plugin struct {
// contains filtered or unexported fields
}
V2Plugin implements the KeyManagementServiceServer
func NewV2 ¶
func NewV2(key string, svc kmsiface.KMSAPI, encryptionCtx map[string]string, healthCheck *SharedHealthCheck) *V2Plugin
NewV2 returns a new *V2Plugin
func (*V2Plugin) Decrypt ¶
func (p *V2Plugin) Decrypt(ctx context.Context, request *pb.DecryptRequest) (*pb.DecryptResponse, error)
Decrypt executes the decrypt operation using AWS KMS
func (*V2Plugin) Encrypt ¶
func (p *V2Plugin) Encrypt(ctx context.Context, request *pb.EncryptRequest) (*pb.EncryptResponse, error)
Encrypt executes the encryption operation using AWS KMS
func (*V2Plugin) Health ¶
func (p *V2Plugin) Health() error
Health checks KMS API availability.
The goal is to:
- not incur an extra KMS API call if the V2Plugin "Encrypt" method has already
- return the latest health status (the cached KMS status must reflect the current one)
The error is sent via a channel and consumed by a goroutine. The error channel may be full and block when there are too many failures, or empty and block when there is no failure. To handle both cases, the plugin keeps track of the timestamp of the latest health check.
Call the KMS "Encrypt" API iff either:
- a health check has never been done
- no health check has been done within the last "healthCheckPeriod" (only use the cached error if it comes from a recent API call)
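The following is an added, self-contained model of the Health and Live behaviour described above for V1Plugin and V2Plugin; it is not the project's code. The type and function names (healthCache, kmsError, report, probe) are hypothetical, the probe stands in for the real KMS "Encrypt" call, and which KMS exception codes count as user-induced is an assumption made for the example, not a statement about the plugin's own classification.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// kmsError is a constructed stand-in for an AWS SDK error carrying a KMS
// exception code (the real plugin inspects the SDK's error types instead).
type kmsError struct {
	Code string
	Msg  string
}

func (e *kmsError) Error() string { return e.Code + ": " + e.Msg }

// userInduced lists failures caused by key state rather than by KMS being
// unreachable. This classification is an assumption for the example.
var userInduced = map[string]bool{
	"DisabledException":        true,
	"NotFoundException":        true,
	"KMSInvalidStateException": true,
}

// healthCache mirrors the strategy in the doc comment: the data path reports
// its results through a bounded channel, and Health only spends a real KMS
// call when nothing recent is available.
type healthCache struct {
	mu        sync.Mutex
	period    time.Duration
	errc      chan error       // results reported by Encrypt/Decrypt
	lastCheck time.Time        // time of the most recent real KMS call
	lastErr   error            // newest result seen so far
	probe     func() error     // hypothetical KMS Encrypt used as the probe
	now       func() time.Time // injectable clock, replaced in tests
	probes    int              // how many probe calls were actually made
}

func newHealthCache(period time.Duration, buf int, probe func() error) *healthCache {
	return &healthCache{period: period, errc: make(chan error, buf), probe: probe, now: time.Now}
}

// report is called by the data path with the outcome of a KMS call. It never
// blocks: if the buffer is full, the oldest entry is discarded so the newest
// status is the one Health eventually observes.
func (h *healthCache) report(err error) {
	h.mu.Lock()
	h.lastCheck = h.now()
	h.mu.Unlock()
	select {
	case h.errc <- err:
		return
	default:
	}
	select { // buffer full: make room by dropping the oldest result
	case <-h.errc:
	default:
	}
	select {
	case h.errc <- err:
	default: // still full under contention; a newer status will arrive later
	}
}

// drainLocked consumes every queued result, keeping only the newest one.
func (h *healthCache) drainLocked() {
	for {
		select {
		case err := <-h.errc:
			h.lastErr = err
		default:
			return
		}
	}
}

// Health answers from reported results when a real KMS call happened within
// the period; otherwise it probes. The probe runs under the lock so that
// concurrent Health calls never issue duplicate KMS requests.
func (h *healthCache) Health() error {
	h.mu.Lock()
	defer h.mu.Unlock()
	h.drainLocked()
	if h.lastCheck.IsZero() || h.now().Sub(h.lastCheck) >= h.period {
		h.lastErr = h.probe()
		h.probes++
		h.lastCheck = h.now()
	}
	return h.lastErr
}

// Live reports only availability problems: a user-induced key error still
// means the plugin process itself is alive.
func (h *healthCache) Live() error {
	err := h.Health()
	var ke *kmsError
	if errors.As(err, &ke) && userInduced[ke.Code] {
		return nil
	}
	return err
}

func main() {
	h := newHealthCache(30*time.Second, 100, func() error { return nil })
	fmt.Println("health:", h.Health(), "probes:", h.probes)
	h.report(&kmsError{Code: "DisabledException", Msg: "key disabled"})
	fmt.Println("health:", h.Health(), "live:", h.Live(), "probes:", h.probes)
}
```

Note the dependence on the reported timestamp: a busy Encrypt path keeps the cache fresh and Health costs nothing, while an idle plugin pays one probe per period. The cached result is still only as current as the last real call, which is why the timestamp, not just the channel, decides whether to probe.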
func (*V2Plugin) Status ¶
func (p *V2Plugin) Status(ctx context.Context, request *pb.StatusRequest) (*pb.StatusResponse, error)
Status returns the V2Plugin server status