Unify cloudprovided and normal KMS plugins
Kubernetes-commit: 6a4afc897c2ed4fb80f1b6121a06f86bc8095cd8
This commit is contained in:
Saksham Sharma
Kubernetes Publisher
parent
c68d80e8a2
commit
b9e05868ba
|
|
@ -36,11 +36,10 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
aesCBCTransformerPrefixV1 = "k8s:enc:aescbc:v1:"
|
||||
aesGCMTransformerPrefixV1 = "k8s:enc:aesgcm:v1:"
|
||||
secretboxTransformerPrefixV1 = "k8s:enc:secretbox:v1:"
|
||||
kmsTransformerPrefixV1 = "k8s:enc:kms:v1:"
|
||||
cloudProvidedKMSTransformerPrefixV1 = "k8s:enc:cloudprovidedkms:v1:"
|
||||
aesCBCTransformerPrefixV1 = "k8s:enc:aescbc:v1:"
|
||||
aesGCMTransformerPrefixV1 = "k8s:enc:aesgcm:v1:"
|
||||
secretboxTransformerPrefixV1 = "k8s:enc:secretbox:v1:"
|
||||
kmsTransformerPrefixV1 = "k8s:enc:kms:v1:"
|
||||
)
|
||||
|
||||
// GetTransformerOverrides returns the transformer overrides by reading and parsing the encryption provider configuration file
|
||||
|
|
@ -163,19 +162,7 @@ func GetPrefixTransformers(config *ResourceConfig) ([]value.PrefixTransformer, e
|
|||
if pluginFound == false {
|
||||
return nil, fmt.Errorf("KMS plugin %q not found", provider.KMS.Name)
|
||||
}
|
||||
transformer, err = getEnvelopePrefixTransformer(provider.KMS.CoreKMSConfig, envelopeService, kmsTransformerPrefixV1)
|
||||
found = true
|
||||
}
|
||||
|
||||
if provider.CloudProvidedKMS != nil {
|
||||
if found == true {
|
||||
return nil, fmt.Errorf("more than one provider specified in a single element, should split into different list elements")
|
||||
}
|
||||
envelopeService, err := KMSPluginRegistry.getCloudProvidedPlugin(provider.CloudProvidedKMS.Name)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not configure Cloud-Provided KMS plugin %q, %v", provider.CloudProvidedKMS.Name, err)
|
||||
}
|
||||
transformer, err = getEnvelopePrefixTransformer(provider.CloudProvidedKMS.CoreKMSConfig, envelopeService, cloudProvidedKMSTransformerPrefixV1)
|
||||
transformer, err = getEnvelopePrefixTransformer(provider.KMS, envelopeService, kmsTransformerPrefixV1)
|
||||
found = true
|
||||
}
|
||||
|
||||
|
|
@ -296,7 +283,7 @@ func GetSecretboxPrefixTransformer(config *SecretboxConfig) (value.PrefixTransfo
|
|||
|
||||
// getEnvelopePrefixTransformer returns a prefix transformer from the provided config.
|
||||
// envelopeService is used as the root of trust.
|
||||
func getEnvelopePrefixTransformer(config *CoreKMSConfig, envelopeService envelope.Service, prefix string) (value.PrefixTransformer, error) {
|
||||
func getEnvelopePrefixTransformer(config *KMSConfig, envelopeService envelope.Service, prefix string) (value.PrefixTransformer, error) {
|
||||
envelopeTransformer, err := envelope.NewEnvelopeTransformer(envelopeService, config.CacheSize, aestransformer.NewCBCTransformer)
|
||||
if err != nil {
|
||||
return value.PrefixTransformer{}, err
|
||||
|
|
|
|||
|
|
@ -58,9 +58,6 @@ resources:
|
|||
name: testprovider
|
||||
configfile: testproviderconfig
|
||||
cachesize: 10
|
||||
- cloudprovidedkms:
|
||||
name: testprovider
|
||||
cachesize: 10
|
||||
- aescbc:
|
||||
keys:
|
||||
- name: key1
|
||||
|
|
@ -100,9 +97,6 @@ resources:
|
|||
secret: c2VjcmV0IGlzIHNlY3VyZQ==
|
||||
- name: key2
|
||||
secret: dGhpcyBpcyBwYXNzd29yZA==
|
||||
- cloudprovidedkms:
|
||||
name: testprovider
|
||||
cachesize: 10
|
||||
- identity: {}
|
||||
`
|
||||
|
||||
|
|
@ -124,9 +118,6 @@ resources:
|
|||
configfile: testproviderconfig
|
||||
cachesize: 10
|
||||
- identity: {}
|
||||
- cloudprovidedkms:
|
||||
name: testprovider
|
||||
cachesize: 10
|
||||
- secretbox:
|
||||
keys:
|
||||
- name: key1
|
||||
|
|
@ -150,9 +141,6 @@ resources:
|
|||
keys:
|
||||
- name: key1
|
||||
secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
|
||||
- cloudprovidedkms:
|
||||
name: testprovider
|
||||
cachesize: 10
|
||||
- aescbc:
|
||||
keys:
|
||||
- name: key1
|
||||
|
|
@ -194,45 +182,6 @@ resources:
|
|||
- name: key2
|
||||
secret: dGhpcyBpcyBwYXNzd29yZA==
|
||||
- identity: {}
|
||||
- cloudprovidedkms:
|
||||
name: testprovider
|
||||
cachesize: 10
|
||||
- aesgcm:
|
||||
keys:
|
||||
- name: key1
|
||||
secret: c2VjcmV0IGlzIHNlY3VyZQ==
|
||||
- name: key2
|
||||
secret: dGhpcyBpcyBwYXNzd29yZA==
|
||||
`
|
||||
|
||||
correctConfigWithCloudProvidedKMSFirst = `
|
||||
kind: EncryptionConfig
|
||||
apiVersion: v1
|
||||
resources:
|
||||
- resources:
|
||||
- secrets
|
||||
providers:
|
||||
- cloudprovidedkms:
|
||||
name: testprovider
|
||||
cachesize: 10
|
||||
- kms:
|
||||
name: testprovider
|
||||
configfile: testproviderconfig
|
||||
cachesize: 10
|
||||
- secretbox:
|
||||
keys:
|
||||
- name: key1
|
||||
secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
|
||||
- aescbc:
|
||||
keys:
|
||||
- name: key1
|
||||
secret: c2VjcmV0IGlzIHNlY3VyZQ==
|
||||
- name: key2
|
||||
secret: dGhpcyBpcyBwYXNzd29yZA==
|
||||
- identity: {}
|
||||
- cloudprovidedkms:
|
||||
name: testprovider
|
||||
cachesize: 10
|
||||
- aesgcm:
|
||||
keys:
|
||||
- name: key1
|
||||
|
|
@ -300,15 +249,9 @@ var _ envelope.Service = &testEnvelopeService{}
|
|||
func TestEncryptionProviderConfigCorrect(t *testing.T) {
|
||||
os.OpenFile(testEnvelopeServiceConfigPath, os.O_CREATE, 0666)
|
||||
defer os.Remove(testEnvelopeServiceConfigPath)
|
||||
KMSPluginRegistry.Register(testEnvelopeServiceProviderName, func(config io.Reader) (envelope.Service, error) {
|
||||
KMSPluginRegistry.Register(testEnvelopeServiceProviderName, func(_ io.Reader) (envelope.Service, error) {
|
||||
return &testEnvelopeService{}, nil
|
||||
})
|
||||
KMSPluginRegistry.RegisterCloudProvidedKMSPlugin(func(name string) (envelope.Service, error) {
|
||||
if name == testEnvelopeServiceProviderName {
|
||||
return &testEnvelopeService{}, nil
|
||||
}
|
||||
return nil, fmt.Errorf("no such cloud provided KMS plugin registered: %q", name)
|
||||
})
|
||||
|
||||
// Creates compound/prefix transformers with different ordering of available transformers.
|
||||
// Transforms data using one of them, and tries to untransform using the others.
|
||||
|
|
@ -338,18 +281,12 @@ func TestEncryptionProviderConfigCorrect(t *testing.T) {
|
|||
t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithKMSFirst)
|
||||
}
|
||||
|
||||
cloudProvidedKMSFirstTransformerOverrides, err := ParseEncryptionConfiguration(strings.NewReader(correctConfigWithCloudProvidedKMSFirst))
|
||||
if err != nil {
|
||||
t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithCloudProvidedKMSFirst)
|
||||
}
|
||||
|
||||
// Pick the transformer for any of the returned resources.
|
||||
identityFirstTransformer := identityFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
|
||||
aesGcmFirstTransformer := aesGcmFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
|
||||
aesCbcFirstTransformer := aesCbcFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
|
||||
secretboxFirstTransformer := secretboxFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
|
||||
kmsFirstTransformer := kmsFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
|
||||
cloudProvidedKMSFirstTransformer := cloudProvidedKMSFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
|
||||
|
||||
context := value.DefaultContext([]byte(sampleContextText))
|
||||
originalText := []byte(sampleText)
|
||||
|
|
@ -363,7 +300,6 @@ func TestEncryptionProviderConfigCorrect(t *testing.T) {
|
|||
{secretboxFirstTransformer, "secretboxFirst"},
|
||||
{identityFirstTransformer, "identityFirst"},
|
||||
{kmsFirstTransformer, "kmsFirst"},
|
||||
{cloudProvidedKMSFirstTransformer, "cloudProvidedKMSFirst"},
|
||||
}
|
||||
|
||||
for _, testCase := range transformers {
|
||||
|
|
|
|||
|
|
@ -18,7 +18,6 @@ package encryptionconfig
|
|||
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"reflect"
|
||||
|
|
@ -35,13 +34,10 @@ import (
|
|||
// the parameter is nil.
|
||||
type Factory func(config io.Reader) (envelope.Service, error)
|
||||
|
||||
type cloudKMSFactory func(name string) (envelope.Service, error)
|
||||
|
||||
// KMSPlugins contains all registered KMS options.
|
||||
type KMSPlugins struct {
|
||||
lock sync.RWMutex
|
||||
registry map[string]Factory
|
||||
cloudKMS cloudKMSFactory
|
||||
}
|
||||
|
||||
var (
|
||||
|
|
@ -59,7 +55,8 @@ var (
|
|||
type PluginEnabledFunc func(name string, config io.Reader) bool
|
||||
|
||||
// Register registers a plugin Factory by name. This
|
||||
// is expected to happen during app startup.
|
||||
// is expected to happen during app startup. It does not allow
|
||||
// registering a plugin by the same name twice.
|
||||
func (ps *KMSPlugins) Register(name string, plugin Factory) {
|
||||
ps.lock.Lock()
|
||||
defer ps.lock.Unlock()
|
||||
|
|
@ -69,15 +66,10 @@ func (ps *KMSPlugins) Register(name string, plugin Factory) {
|
|||
}
|
||||
if found {
|
||||
glog.Fatalf("KMS plugin %q was registered twice", name)
|
||||
} else {
|
||||
ps.registry[name] = plugin
|
||||
glog.V(1).Infof("Registered KMS plugin %q", name)
|
||||
}
|
||||
glog.V(1).Infof("Registered KMS plugin %q", name)
|
||||
ps.registry[name] = plugin
|
||||
}
|
||||
|
||||
// RegisterCloudProvidedKMSPlugin registers the cloud's KMS provider as
|
||||
// an envelope.Service. This service is provided by the cloudprovider interface.
|
||||
func (ps *KMSPlugins) RegisterCloudProvidedKMSPlugin(cloudKMSGetter cloudKMSFactory) {
|
||||
ps.cloudKMS = cloudKMSGetter
|
||||
}
|
||||
|
||||
// getPlugin creates an instance of the named plugin. It returns `false` if the
|
||||
|
|
@ -111,14 +103,6 @@ func (ps *KMSPlugins) fetchPluginFromRegistry(name string) (Factory, bool) {
|
|||
return f, found
|
||||
}
|
||||
|
||||
// getCloudProvidedPlugin creates an instance of the named cloud provided KMS plugin.
|
||||
func (ps *KMSPlugins) getCloudProvidedPlugin(name string) (envelope.Service, error) {
|
||||
if ps.cloudKMS == nil {
|
||||
return nil, fmt.Errorf("no cloud registered for KMS plugins")
|
||||
}
|
||||
return ps.cloudKMS(name)
|
||||
}
|
||||
|
||||
// splitStream reads the stream bytes and constructs two copies of it.
|
||||
func splitStream(config io.Reader) (io.Reader, io.Reader, error) {
|
||||
if config == nil || reflect.ValueOf(config).IsNil() {
|
||||
|
|
|
|||
|
|
@ -47,9 +47,6 @@ type ProviderConfig struct {
|
|||
Identity *IdentityConfig `json:"identity,omitempty"`
|
||||
// kms contains the name, cache size and path to configuration file for a KMS based envelope transformer.
|
||||
KMS *KMSConfig `json:"kms,omitempty"`
|
||||
// cloudProvidedKMSConfig contains the name and cache size for a KMS based envelope transformer which uses
|
||||
// the KMS provided by the cloud.
|
||||
CloudProvidedKMS *CloudProvidedKMSConfig `json:"cloudprovidedkms,omitempty"`
|
||||
}
|
||||
|
||||
// AESConfig contains the API configuration for an AES transformer.
|
||||
|
|
@ -77,24 +74,13 @@ type Key struct {
|
|||
// IdentityConfig is an empty struct to allow identity transformer in provider configuration.
|
||||
type IdentityConfig struct{}
|
||||
|
||||
// CoreKMSConfig contains the name and cache sized for a KMS based envelope transformer.
|
||||
type CoreKMSConfig struct {
|
||||
// KMSConfig contains the name, cache size and path to configuration file for a KMS based envelope transformer.
|
||||
type KMSConfig struct {
|
||||
// name is the name of the KMS plugin to be used.
|
||||
Name string `json:"name"`
|
||||
// cacheSize is the maximum number of secrets which are cached in memory. The default value is 1000.
|
||||
// +optional
|
||||
CacheSize int `json:"cachesize,omitempty"`
|
||||
}
|
||||
|
||||
// KMSConfig contains the name, cache size and path to configuration file for a KMS based envelope transformer.
|
||||
type KMSConfig struct {
|
||||
*CoreKMSConfig
|
||||
// configfile is the path to the configuration file for the named KMS provider.
|
||||
ConfigFile string `json:"configfile"`
|
||||
}
|
||||
|
||||
// CloudProvidedKMSConfig contains the name and cache size for a KMS based envelope transformer which uses
|
||||
// the KMS provided by the cloud.
|
||||
type CloudProvidedKMSConfig struct {
|
||||
*CoreKMSConfig
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue