Merge pull request #121311 from nilekhc/validation-doc

chore: updates api doc Kubernetes-commit: 07515c0021436b2550bf5a826f818fda677f62e0
2023-10-30 22:41:59 +01:00 · 2023-10-30 22:41:59 +01:00 · 2253cd2628
parent 17d270f3cf f0fe5d558c
commit 2253cd2628
4 changed files with 22 additions and 4 deletions
--- a/go.mod
+++ b/go.mod
@ -47,7 +47,7 @@ require (
 	k8s.io/client-go v0.0.0-20231027173027-30eba26adb82
 	k8s.io/component-base v0.0.0-20231027174419-7eefecff8918
 	k8s.io/klog/v2 v2.100.1
-	k8s.io/kms v0.0.0-20231027175145-cd9f8a2ccd2b
+	k8s.io/kms v0.0.0-20231031012129-523a5e8e70a1
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0
@ -130,5 +130,5 @@ replace (
 	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20231027171410-92fa50ee03b2
 	k8s.io/client-go => k8s.io/client-go v0.0.0-20231027173027-30eba26adb82
 	k8s.io/component-base => k8s.io/component-base v0.0.0-20231027174419-7eefecff8918
-	k8s.io/kms => k8s.io/kms v0.0.0-20231027175145-cd9f8a2ccd2b
+	k8s.io/kms => k8s.io/kms v0.0.0-20231031012129-523a5e8e70a1
 )
--- a/go.sum
+++ b/go.sum
@ -408,8 +408,8 @@ k8s.io/component-base v0.0.0-20231027174419-7eefecff8918 h1:REROa5iZinlgOCnq1UxC
 k8s.io/component-base v0.0.0-20231027174419-7eefecff8918/go.mod h1:pWKBYrw3h6RE9E/iVyrVjoUpYforObgVsPP7aCVGeic=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
 k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/kms v0.0.0-20231027175145-cd9f8a2ccd2b h1:XGIsWWlSvvssK73WE4OvgFiUeeQsCQdHXzwe1TxTlrc=
-k8s.io/kms v0.0.0-20231027175145-cd9f8a2ccd2b/go.mod h1:WeoYp2pADIIcbDSHEiBOrxrzwMeo+GqfvPed2sFDMkU=
+k8s.io/kms v0.0.0-20231031012129-523a5e8e70a1 h1:NjJWKqxAfC+bj/B0XSfbl7QSKHGgDturoUCMoRpDOwA=
+k8s.io/kms v0.0.0-20231031012129-523a5e8e70a1/go.mod h1:WeoYp2pADIIcbDSHEiBOrxrzwMeo+GqfvPed2sFDMkU=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
--- a/pkg/storage/value/encrypt/envelope/kmsv2/v2/api.pb.go
+++ b/pkg/storage/value/encrypt/envelope/kmsv2/v2/api.pb.go
@ -71,11 +71,20 @@ type EncryptedObject struct {
 	// EncryptedData is the encrypted data.
 	EncryptedData []byte `protobuf:"bytes,1,opt,name=encryptedData,proto3" json:"encryptedData,omitempty"`
 	// KeyID is the KMS key ID used for encryption operations.
+	// keyID must satisfy the following constraints:
+	// 1. The keyID is not empty.
+	// 2. The size of keyID is less than 1 kB.
 	KeyID string `protobuf:"bytes,2,opt,name=keyID,proto3" json:"keyID,omitempty"`
 	// EncryptedDEKSource is the ciphertext of the source of the DEK used to encrypt the data stored in encryptedData.
 	// encryptedDEKSourceType defines the process of using the plaintext of this field to determine the aforementioned DEK.
+	// encryptedDEKSource must satisfy the following constraints:
+	// 1. The encrypted DEK source is not empty.
+	// 2. The size of encrypted DEK source is less than 1 kB.
 	EncryptedDEKSource []byte `protobuf:"bytes,3,opt,name=encryptedDEKSource,proto3" json:"encryptedDEKSource,omitempty"`
 	// Annotations is additional metadata that was provided by the KMS plugin.
+	// Annotations must satisfy the following constraints:
+	//  1. Annotation key must be a fully qualified domain name that conforms to the definition in DNS (RFC 1123).
+	//  2. The size of annotations keys + values is less than 32 kB.
 	Annotations map[string][]byte `protobuf:"bytes,4,rep,name=annotations,proto3" json:"annotations,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 	// encryptedDEKSourceType defines the process of using the plaintext of encryptedDEKSource to determine the DEK.
 	EncryptedDEKSourceType EncryptedDEKSourceType `protobuf:"varint,5,opt,name=encryptedDEKSourceType,proto3,enum=v2.EncryptedDEKSourceType" json:"encryptedDEKSourceType,omitempty"`
--- a/pkg/storage/value/encrypt/envelope/kmsv2/v2/api.proto
+++ b/pkg/storage/value/encrypt/envelope/kmsv2/v2/api.proto
@ -26,13 +26,22 @@ message EncryptedObject {
  bytes encryptedData = 1;

  // KeyID is the KMS key ID used for encryption operations.
+  // keyID must satisfy the following constraints:
+  // 1. The keyID is not empty.
+  // 2. The size of keyID is less than 1 kB.
  string keyID = 2;

  // EncryptedDEKSource is the ciphertext of the source of the DEK used to encrypt the data stored in encryptedData.
  // encryptedDEKSourceType defines the process of using the plaintext of this field to determine the aforementioned DEK.
+  // encryptedDEKSource must satisfy the following constraints:
+  // 1. The encrypted DEK source is not empty.
+  // 2. The size of encrypted DEK source is less than 1 kB.
  bytes encryptedDEKSource = 3;

  // Annotations is additional metadata that was provided by the KMS plugin.
+  // Annotations must satisfy the following constraints:
+  //  1. Annotation key must be a fully qualified domain name that conforms to the definition in DNS (RFC 1123).
+  //  2. The size of annotations keys + values is less than 32 kB.
  map<string, bytes> annotations = 4;

  // encryptedDEKSourceType defines the process of using the plaintext of encryptedDEKSource to determine the DEK.