Merge pull request #113896 from nilekhc/kms-hot-reload-tests

chore: improves tests for hot reload of encryptionconfig

Kubernetes-commit: abf8f35356f16796347bb6821a1c366adae5b909

go.mod

@@ -44,7 +44,7 @@ require (
 	gopkg.in/square/go-jose.v2 v2.2.2
 	k8s.io/api v0.0.0-20230130210333-a26a16a095ca
 	k8s.io/apimachinery v0.0.0-20230130210107-16efa9d4d9ad
-	k8s.io/client-go v0.0.0-20230130210700-b1350830d0e9
+	k8s.io/client-go v0.0.0-20230131094649-f457a57d6d25
 	k8s.io/component-base v0.0.0-20230130211343-7f701f65558b
 	k8s.io/klog/v2 v2.80.1
 	k8s.io/kms v0.0.0-20230130211557-69cf3ad36fff
@@ -124,7 +124,7 @@ require (
 replace (
 	k8s.io/api => k8s.io/api v0.0.0-20230130210333-a26a16a095ca
 	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20230130210107-16efa9d4d9ad
-	k8s.io/client-go => k8s.io/client-go v0.0.0-20230130210700-b1350830d0e9
+	k8s.io/client-go => k8s.io/client-go v0.0.0-20230131094649-f457a57d6d25
 	k8s.io/component-base => k8s.io/component-base v0.0.0-20230130211343-7f701f65558b
 	k8s.io/kms => k8s.io/kms v0.0.0-20230130211557-69cf3ad36fff
 )

go.sum

@@ -995,8 +995,8 @@ k8s.io/api v0.0.0-20230130210333-a26a16a095ca h1:DiK/fyFP99vwPb6bD0ALCpIDGGttJRr
 k8s.io/api v0.0.0-20230130210333-a26a16a095ca/go.mod h1:/G4byrYDtfU5j3WB+BljcHzz/uTgbShQjqqd+4Nf8/k=
 k8s.io/apimachinery v0.0.0-20230130210107-16efa9d4d9ad h1:vK07BHinXbZSX/BmXD1ooCOJLOjnYj7kuQEk1gY5C2s=
 k8s.io/apimachinery v0.0.0-20230130210107-16efa9d4d9ad/go.mod h1:vHN6PbAMjAdfTmelSxvL6ArY78dheDkun5qgeM5sRXE=
-k8s.io/client-go v0.0.0-20230130210700-b1350830d0e9 h1:P35IAzk5ZfOUhSu0apMZIXSRdY+6pwXHpfGbTwaq4f0=
-k8s.io/client-go v0.0.0-20230130210700-b1350830d0e9/go.mod h1:LfqF5JRk3r8vO49GdJJcGA3vBtuzvI65sHmyjlxt4dM=
+k8s.io/client-go v0.0.0-20230131094649-f457a57d6d25 h1:5suLWNQTq4QEG8pC4JsGdQpcZ7qeYYJ4Ttmn3tyCVZI=
+k8s.io/client-go v0.0.0-20230131094649-f457a57d6d25/go.mod h1:LfqF5JRk3r8vO49GdJJcGA3vBtuzvI65sHmyjlxt4dM=
 k8s.io/component-base v0.0.0-20230130211343-7f701f65558b h1:ynzOrV9PLBIa+H/quCJmJtxExQvOpsEMYlPwWjkazQY=
 k8s.io/component-base v0.0.0-20230130211343-7f701f65558b/go.mod h1:6JXb8vRSlGdFcr3VR/z09iBhsIDwDP7Zms8bHoL7a2Q=
 k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=

pkg/server/options/encryptionconfig/config.go

@@ -161,7 +161,7 @@ func LoadEncryptionConfig(ctx context.Context, filepath string, reload bool) (*E
 		kmsHealthChecks = []healthz.HealthChecker{kmsHealthChecker(kmsHealthChecks)}
 	}
 
-	// KMSTimeout is the duration we will wait before closing old transformers.
+	// KMSCloseGracePeriod is the duration we will wait before closing old transformers.
 	// The way we calculate is as follows:
 	// 1. Sum all timeouts across all KMS plugins. (check kmsPrefixTransformer for differences between v1 and v2)
 	// 2. Multiply that by 2 (to allow for some buffer)

pkg/server/options/encryptionconfig/config_test.go

@@ -177,41 +177,71 @@ func TestEncryptionProviderConfigCorrect(t *testing.T) {
 	// Creates compound/prefix transformers with different ordering of available transformers.
 	// Transforms data using one of them, and tries to untransform using the others.
 	// Repeats this for all possible combinations.
+	// Math for GracePeriod is explained at - https://github.com/kubernetes/kubernetes/blob/c9ed04762f94a319d7b1fb718dc345491a32bea6/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go#L159-L163
+	expectedKMSCloseGracePeriod := 46 * time.Second
 	correctConfigWithIdentityFirst := "testdata/valid-configs/identity-first.yaml"
 	identityFirstEncryptionConfiguration, err := LoadEncryptionConfig(ctx, correctConfigWithIdentityFirst, false)
 	if err != nil {
 		t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithIdentityFirst)
 	}
+	if identityFirstEncryptionConfiguration.KMSCloseGracePeriod != expectedKMSCloseGracePeriod {
+		t.Fatalf("KMSCloseGracePeriod mismatch (-want +got):\n%s", cmp.Diff(expectedKMSCloseGracePeriod, identityFirstEncryptionConfiguration.KMSCloseGracePeriod))
+	}
 
+	// Math for GracePeriod is explained at - https://github.com/kubernetes/kubernetes/blob/c9ed04762f94a319d7b1fb718dc345491a32bea6/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go#L159-L163
+	expectedKMSCloseGracePeriod = 32 * time.Second
 	correctConfigWithAesGcmFirst := "testdata/valid-configs/aes-gcm-first.yaml"
 	aesGcmFirstEncryptionConfiguration, err := LoadEncryptionConfig(ctx, correctConfigWithAesGcmFirst, false)
 	if err != nil {
 		t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithAesGcmFirst)
 	}
+	if aesGcmFirstEncryptionConfiguration.KMSCloseGracePeriod != expectedKMSCloseGracePeriod {
+		t.Fatalf("KMSCloseGracePeriod mismatch (-want +got):\n%s", cmp.Diff(expectedKMSCloseGracePeriod, aesGcmFirstEncryptionConfiguration.KMSCloseGracePeriod))
+	}
 
+	// Math for GracePeriod is explained at - https://github.com/kubernetes/kubernetes/blob/c9ed04762f94a319d7b1fb718dc345491a32bea6/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go#L159-L163
+	expectedKMSCloseGracePeriod = 26 * time.Second
 	correctConfigWithAesCbcFirst := "testdata/valid-configs/aes-cbc-first.yaml"
 	aesCbcFirstEncryptionConfiguration, err := LoadEncryptionConfig(ctx, correctConfigWithAesCbcFirst, false)
 	if err != nil {
 		t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithAesCbcFirst)
 	}
+	if aesCbcFirstEncryptionConfiguration.KMSCloseGracePeriod != expectedKMSCloseGracePeriod {
+		t.Fatalf("KMSCloseGracePeriod mismatch (-want +got):\n%s", cmp.Diff(expectedKMSCloseGracePeriod, aesCbcFirstEncryptionConfiguration.KMSCloseGracePeriod))
+	}
 
+	// Math for GracePeriod is explained at - https://github.com/kubernetes/kubernetes/blob/c9ed04762f94a319d7b1fb718dc345491a32bea6/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go#L159-L163
+	expectedKMSCloseGracePeriod = 14 * time.Second
 	correctConfigWithSecretboxFirst := "testdata/valid-configs/secret-box-first.yaml"
 	secretboxFirstEncryptionConfiguration, err := LoadEncryptionConfig(ctx, correctConfigWithSecretboxFirst, false)
 	if err != nil {
 		t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithSecretboxFirst)
 	}
+	if secretboxFirstEncryptionConfiguration.KMSCloseGracePeriod != expectedKMSCloseGracePeriod {
+		t.Fatalf("KMSCloseGracePeriod mismatch (-want +got):\n%s", cmp.Diff(expectedKMSCloseGracePeriod, secretboxFirstEncryptionConfiguration.KMSCloseGracePeriod))
+	}
 
+	// Math for GracePeriod is explained at - https://github.com/kubernetes/kubernetes/blob/c9ed04762f94a319d7b1fb718dc345491a32bea6/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go#L159-L163
+	expectedKMSCloseGracePeriod = 34 * time.Second
 	correctConfigWithKMSFirst := "testdata/valid-configs/kms-first.yaml"
 	kmsFirstEncryptionConfiguration, err := LoadEncryptionConfig(ctx, correctConfigWithKMSFirst, false)
 	if err != nil {
 		t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithKMSFirst)
 	}
+	if kmsFirstEncryptionConfiguration.KMSCloseGracePeriod != expectedKMSCloseGracePeriod {
+		t.Fatalf("KMSCloseGracePeriod mismatch (-want +got):\n%s", cmp.Diff(expectedKMSCloseGracePeriod, kmsFirstEncryptionConfiguration.KMSCloseGracePeriod))
+	}
 
+	// Math for GracePeriod is explained at - https://github.com/kubernetes/kubernetes/blob/c9ed04762f94a319d7b1fb718dc345491a32bea6/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go#L159-L163
+	expectedKMSCloseGracePeriod = 42 * time.Second
 	correctConfigWithKMSv2First := "testdata/valid-configs/kmsv2-first.yaml"
 	kmsv2FirstEncryptionConfiguration, err := LoadEncryptionConfig(ctx, correctConfigWithKMSv2First, false)
 	if err != nil {
 		t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithKMSv2First)
 	}
+	if kmsv2FirstEncryptionConfiguration.KMSCloseGracePeriod != expectedKMSCloseGracePeriod {
+		t.Fatalf("KMSCloseGracePeriod mismatch (-want +got):\n%s", cmp.Diff(expectedKMSCloseGracePeriod, kmsv2FirstEncryptionConfiguration.KMSCloseGracePeriod))
+	}
 
 	// Pick the transformer for any of the returned resources.
 	identityFirstTransformer := identityFirstEncryptionConfiguration.Transformers[schema.ParseGroupResource("secrets")]

pkg/server/options/encryptionconfig/testdata/valid-configs/aes-cbc-first.yaml

@@ -14,6 +14,7 @@ resources:
           name: testprovider
           endpoint: unix:///tmp/testprovider.sock
           cachesize: 10
+          timeout: 5s
       - kms:
           apiVersion: v2
           name: testproviderv2

pkg/server/options/encryptionconfig/testdata/valid-configs/aes-gcm-first.yaml

@@ -22,6 +22,7 @@ resources:
           apiVersion: v2
           name: testproviderv2
           endpoint: unix:///tmp/testprovider.sock
+          timeout: 10s
       - aescbc:
           keys:
             - name: key1

pkg/server/options/encryptionconfig/testdata/valid-configs/identity-first.yaml

@@ -16,6 +16,7 @@ resources:
           name: testprovider
           endpoint: unix:///tmp/testprovider.sock
           cachesize: 10
+          timeout: 10s
       - kms:
           apiVersion: v2
           name: testproviderv2

pkg/server/options/encryptionconfig/testdata/valid-configs/kms-first.yaml

@@ -8,6 +8,7 @@ resources:
           name: testprovider
           endpoint: unix:///tmp/testprovider.sock
           cachesize: 10
+          timeout: 7s
       - kms:
           apiVersion: v2
           name: testproviderv2

pkg/server/options/encryptionconfig/testdata/valid-configs/kmsv2-first.yaml

@@ -8,6 +8,7 @@ resources:
           apiVersion: v2
           name: testproviderv2
           endpoint: unix:///tmp/testprovider.sock
+          timeout: 15s
       - kms:
           name: testprovider
           endpoint: unix:///tmp/testprovider.sock

pkg/server/options/encryptionconfig/testdata/valid-configs/secret-box-first.yaml

@@ -22,6 +22,7 @@ resources:
           apiVersion: v2
           name: testproviderv2
           endpoint: unix:///tmp/testprovider.sock
+          timeout: 1s
       - identity: {}
       - aesgcm:
           keys: