[KMSv2] Mark KMS v1beta1 as deprecated with no further fixes (#119007)

* add feature gate Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> * add validation and warning in load config Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> * mark v1beta1 proto message deprecated Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> --------- Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com> Kubernetes-commit: 1acdb4ae86e0e43475c31f108a6106b1f5ea5027
2023-07-06 13:39:03 -07:00 · 2023-07-06 13:39:03 -07:00 · 5d08b1abe9
parent 24d5ac4b98
commit 5d08b1abe9
5 changed files with 56 additions and 8 deletions
--- a/go.mod
+++ b/go.mod
@ -43,10 +43,10 @@ require (
 	gopkg.in/square/go-jose.v2 v2.6.0
 	k8s.io/api v0.0.0-20230706062605-a69cc64b8aea
 	k8s.io/apimachinery v0.0.0-20230628220152-83d6d372b1a4
-	k8s.io/client-go v0.0.0-20230706063706-5d8fd6bf0a71
+	k8s.io/client-go v0.0.0-20230706193217-d31edad7e26d
 	k8s.io/component-base v0.0.0-20230706070231-63369697f0ec
 	k8s.io/klog/v2 v2.100.1
-	k8s.io/kms v0.0.0-20230619011758-484bb0d20287
+	k8s.io/kms v0.0.0-20230706235007-2273d4f89020
 	k8s.io/kube-openapi v0.0.0-20230601164746-7562a1006961
 	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2
@ -127,7 +127,7 @@ require (
 replace (
 	k8s.io/api => k8s.io/api v0.0.0-20230706062605-a69cc64b8aea
 	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20230628220152-83d6d372b1a4
-	k8s.io/client-go => k8s.io/client-go v0.0.0-20230706063706-5d8fd6bf0a71
+	k8s.io/client-go => k8s.io/client-go v0.0.0-20230706193217-d31edad7e26d
 	k8s.io/component-base => k8s.io/component-base v0.0.0-20230706070231-63369697f0ec
-	k8s.io/kms => k8s.io/kms v0.0.0-20230619011758-484bb0d20287
+	k8s.io/kms => k8s.io/kms v0.0.0-20230706235007-2273d4f89020
 )
--- a/go.sum
+++ b/go.sum
@ -672,14 +672,14 @@ k8s.io/api v0.0.0-20230706062605-a69cc64b8aea h1:Wmw+hwQKZdnoXQWQKf+yzCoPY8/rDBm
 k8s.io/api v0.0.0-20230706062605-a69cc64b8aea/go.mod h1:ghFHmaoujTvUqKl24+WADIX4gEvgTA8BEpgFe3ZPylQ=
 k8s.io/apimachinery v0.0.0-20230628220152-83d6d372b1a4 h1:ntS2ZHGzNY/ISRKPPU937LFSwjYZ7poMcwAeu1xCnKM=
 k8s.io/apimachinery v0.0.0-20230628220152-83d6d372b1a4/go.mod h1:tAiIbF8KB8+Ri2DfUWwZGwNOThIwM0fhXLnOymriu+4=
-k8s.io/client-go v0.0.0-20230706063706-5d8fd6bf0a71 h1:g8LfyE9Rv2qb4Oen12UgefQtqtR6UzN4fXGnhGNJjow=
-k8s.io/client-go v0.0.0-20230706063706-5d8fd6bf0a71/go.mod h1:ZpAEvaNK1G5zw2NdLfh0nDbdNijaDGbP6OO9ftDqPpk=
+k8s.io/client-go v0.0.0-20230706193217-d31edad7e26d h1:dV/RK6/9qiCbyWrVhPaiFojP/1/YOjnw6i1Z3JyeuEE=
+k8s.io/client-go v0.0.0-20230706193217-d31edad7e26d/go.mod h1:ZpAEvaNK1G5zw2NdLfh0nDbdNijaDGbP6OO9ftDqPpk=
 k8s.io/component-base v0.0.0-20230706070231-63369697f0ec h1:Jp8V9IROgsd7hlRayWEwme9biJBB2cibC0CpP2HGveU=
 k8s.io/component-base v0.0.0-20230706070231-63369697f0ec/go.mod h1:aiE+qizM73R49NuVbaxClSQu2Yj+zIDCEN6OY8Zcp3w=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
 k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/kms v0.0.0-20230619011758-484bb0d20287 h1:Vg6e1YgSgGMHIh3drUHYjKG3ppnI7w4dVC7zxJQ8oB4=
-k8s.io/kms v0.0.0-20230619011758-484bb0d20287/go.mod h1:46HwEqmLkogFRJ79eD+bppt1S+9P0Yl4gWolyHIyl88=
+k8s.io/kms v0.0.0-20230706235007-2273d4f89020 h1:6zftrcpbnLRCHE75wwmtawDwEcA2HkPZZUVfB+iO8FA=
+k8s.io/kms v0.0.0-20230706235007-2273d4f89020/go.mod h1:Zewij0m0jbnhS/uea+IDMMW0DQkw659tQfp/+9rVb+U=
 k8s.io/kube-openapi v0.0.0-20230601164746-7562a1006961 h1:pqRVJGQJz6oeZby8qmPKXYIBjyrcv7EHCe/33UkZMYA=
 k8s.io/kube-openapi v0.0.0-20230601164746-7562a1006961/go.mod h1:l8HTwL5fqnlns4jOveW1L75eo7R9KFHxiE0bsPGy428=
 k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@ -109,6 +109,13 @@ const (
 	// Allows for updating watchcache resource version with progress notify events.
 	EfficientWatchResumption featuregate.Feature = "EfficientWatchResumption"

+	// owner: @aramase
+	// kep: https://kep.k8s.io/3299
+	// deprecated: v1.28
+	//
+	// Enables KMS v1 API for encryption at rest.
+	KMSv1 featuregate.Feature = "KMSv1"
+
 	// owner: @aramase
 	// kep: https://kep.k8s.io/3299
 	// alpha: v1.25
@ -232,6 +239,8 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS

 	EfficientWatchResumption: {Default: true, PreRelease: featuregate.GA, LockToDefault: true},

+	KMSv1: {Default: true, PreRelease: featuregate.Deprecated},
+
 	KMSv2: {Default: true, PreRelease: featuregate.Beta},

 	OpenAPIEnums: {Default: true, PreRelease: featuregate.Beta},
--- a/pkg/server/options/encryptionconfig/config.go
+++ b/pkg/server/options/encryptionconfig/config.go
@ -674,6 +674,11 @@ func kmsPrefixTransformer(ctx context.Context, config *apiserverconfig.KMSConfig
 	kmsName := config.Name
 	switch config.APIVersion {
 	case kmsAPIVersionV1:
+		if !utilfeature.DefaultFeatureGate.Enabled(features.KMSv1) {
+			return storagevalue.PrefixTransformer{}, nil, nil, fmt.Errorf("KMSv1 is deprecated and will only receive security updates going forward. Use KMSv2 instead.  Set --feature-gates=KMSv1=true to use the deprecated KMSv1 feature.")
+		}
+		klog.InfoS("KMSv1 is deprecated and will only receive security updates going forward. Use KMSv2 instead.")
+
 		envelopeService, err := envelopeServiceFactory(ctx, config.Endpoint, config.Timeout.Duration)
 		if err != nil {
 			return storagevalue.PrefixTransformer{}, nil, nil, fmt.Errorf("could not configure KMSv1-Plugin's probe %q, error: %w", kmsName, err)
--- a/pkg/server/options/encryptionconfig/config_test.go
+++ b/pkg/server/options/encryptionconfig/config_test.go
@ -187,6 +187,7 @@ func TestLegacyConfig(t *testing.T) {

 func TestEncryptionProviderConfigCorrect(t *testing.T) {
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv2, true)()
+
 	// Set factory for mock envelope service
 	factory := envelopeServiceFactory
 	factoryKMSv2 := EnvelopeKMSv2ServiceFactory
@ -318,6 +319,37 @@ func TestEncryptionProviderConfigCorrect(t *testing.T) {
 	}
 }

+func TestKMSv1Deprecation(t *testing.T) {
+	testCases := []struct {
+		name         string
+		kmsv1Enabled bool
+		expectedErr  string
+	}{
+		{
+			name:         "config with kmsv1, KMSv1=false",
+			kmsv1Enabled: false,
+			expectedErr:  "KMSv1 is deprecated and will only receive security updates going forward. Use KMSv2 instead.  Set --feature-gates=KMSv1=true to use the deprecated KMSv1 feature.",
+		},
+		{
+			name:         "config with kmsv1, KMSv1=true",
+			kmsv1Enabled: true,
+			expectedErr:  "",
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, testCase.kmsv1Enabled)()
+
+			kmsv1Config := "testdata/valid-configs/kms/multiple-providers.yaml"
+			_, err := LoadEncryptionConfig(testContext(t), kmsv1Config, false)
+			if !strings.Contains(errString(err), testCase.expectedErr) {
+				t.Fatalf("expected error %q, got %q", testCase.expectedErr, errString(err))
+			}
+		})
+	}
+}
+
 func TestKMSMaxTimeout(t *testing.T) {
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv2, true)()

@ -717,6 +749,7 @@ func TestKMSPluginHealthz(t *testing.T) {

 // tests for masking rules
 func TestWildcardMasking(t *testing.T) {
+
 	testCases := []struct {
 		desc          string
 		config        *apiserverconfig.EncryptionConfiguration
@ -1124,6 +1157,7 @@ func TestWildcardMasking(t *testing.T) {
 }

 func TestWildcardStructure(t *testing.T) {
+
 	testCases := []struct {
 		desc                         string
 		expectedResourceTransformers map[string]string