Implement KMS v2alpha1 #111126
/cc @deads2k
Review threads (outdated, resolved) on:
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/identity/identity.go
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1/types.go
Hello 👋, 1.25 Release Lead here. The exception request is approved and your updated deadline to make any changes to your PR is 9:00 AM PST Tuesday 9th August 2022. Thank you! /milestone v1.25

Review threads (outdated, resolved) on:
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1/api.proto
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
- add feature gate
- add encrypted object and run generated_files
- generate protobuf for encrypted object and add unit tests
- move parse endpoint to util and refactor
- refactor interface and remove unused interceptor
- add protobuf generate to update-generated-kms.sh
- add integration tests
- add defaulting for apiVersion in kmsConfiguration
- handle v1/v2 and default in encryption config parsing
- move metrics to own pkg and reuse for v2
- use Marshal and Unmarshal instead of serializer
- add context for all service methods
- check version and keyid for healthz

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
    const (
    	// KMSAPIVersion is the version of the KMS API.
    	KMSAPIVersion = "v2alpha1"
    )
so we require grpc implementors to return this value in v2 responses currently? and we'll bump this to beta and then to just v2 at GA?
that's right! This is the same behavior as v1beta1 today. In case of v1 we perform this check before every RPC call to the plugin. In v2 this is only part of the health check.
huh. since v1beta1 never got to v1, I'm having a bit of a hard time picturing how we'll simultaneously support v2beta1 and v2, but can resolve that before the beta point where we have to have some cross-release compatibility story
/approve for API bits and vendor.txt change

[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: aramase, enj, liggitt.
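The thread above settles that a v2 plugin's API version is checked only during the health check (together with the key ID), not before every RPC as in v1. The following is an added illustration of those healthz-time checks, not code from this PR or from Kubernetes; the StatusResponse field names and the "ok" healthz convention are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// KMSAPIVersion is the version string the apiserver expects a v2 plugin to report.
const KMSAPIVersion = "v2alpha1"

// StatusResponse stands in for the result of the v2 Status RPC. The field
// names are an assumption of this example, not copied from api.proto.
type StatusResponse struct {
	Version string
	Healthz string
	KeyID   string
}

var (
	ErrVersionMismatch = errors.New("kms v2: unexpected api version")
	ErrUnhealthy       = errors.New("kms v2: plugin reported unhealthy")
	ErrEmptyKeyID      = errors.New("kms v2: empty key id")
)

// ValidateStatus applies the three checks that, in v2, run only at health
// check time: the plugin must report the expected API version, a healthy
// status, and a non-empty key id. Because no per-RPC version check exists in
// v2, a failure here is the only signal that the plugin speaks the wrong
// version, so callers must treat any error as an unhealthy KMS provider.
func ValidateStatus(resp StatusResponse) error {
	if resp.Version != KMSAPIVersion {
		return fmt.Errorf("%w: got %q, want %q", ErrVersionMismatch, resp.Version, KMSAPIVersion)
	}
	if resp.Healthz != "ok" {
		return fmt.Errorf("%w: %q", ErrUnhealthy, resp.Healthz)
	}
	if resp.KeyID == "" {
		return ErrEmptyKeyID
	}
	return nil
}

func main() {
	// Constructed sample responses: one healthy, one from a plugin built
	// against a different API version.
	good := StatusResponse{Version: "v2alpha1", Healthz: "ok", KeyID: "key-1"}
	stale := StatusResponse{Version: "v1beta1", Healthz: "ok", KeyID: "key-1"}
	fmt.Println("good:", ValidateStatus(good))
	fmt.Println("stale:", ValidateStatus(stale))
}
```

Wrapping the sentinel errors with %w lets a healthz handler distinguish a version mismatch (a deployment error that will not clear on its own) from a transient unhealthy report.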
What type of PR is this?
/kind feature
What this PR does / why we need it:
Implements kubernetes/enhancements#3302
- ... TransformFromStorage and TransformToStorage)
- EncryptedObject type for new storage format using protobuf
- KMSConfiguration to configure the API version for kms provider (Allowed values: v2, empty or anything else will default fallback to v1)
- KMSv2 feature gate
- Status RPC

Which issue(s) this PR fixes:
Fixes #