New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Custom resource encryption #113015
Custom resource encryption #113015
Conversation
test/integration/controlplane/transformation/all_transformation_test.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/all_transformation_test.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/all_transformation_test.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/all_transformation_test.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/transformation_testcase.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/transformation_testcase.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/transformation_testcase.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/all_transformation_test.go
Outdated
Show resolved
Hide resolved
test/integration/controlplane/transformation/all_transformation_test.go
Outdated
Show resolved
Hide resolved
/remove-sig api-machinery |
/cc |
New integration test from 0c2357af6aa40ec0f6b5cae1fc60c748eec997a1 applied to
|
/milestone v1.26 |
staging/src/k8s.io/apiextensions-apiserver/pkg/cmd/server/options/options.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiextensions-apiserver/pkg/cmd/server/options/options.go
Show resolved
Hide resolved
@@ -161,6 +216,23 @@ func (e *transformTest) getETCDPath() string { | |||
return fmt.Sprintf("/%s/secrets/%s/%s", e.storageConfig.Prefix, e.ns.Name, e.secret.Name) | |||
} | |||
|
|||
func (e *transformTest) getETCDPathForResource(group, resource, name, namespaceName string) string { | |||
if e.secret != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's pretty hard to follow for state inside transformTest
to override params... can we make this a pure function that takes storagePrefix, group, resource, name, namespace
params?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also, what's the difference between getETCDPathForResource and getETCDPath? can we collapse to a single etcd path computation function?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also, what's the difference between getETCDPathForResource and getETCDPath? can we collapse to a single etcd path computation function?
I didn't want to touch getETCDPath to minimize changes on existing test files. If you prefer to combine them, then I will go ahead and update kms_transformation_test.go and kmsv2_transformation_test.go. LMK!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, go ahead and clean up run
and getETCDPath
... the ripples don't look too bad and I think leave the test package in a less confusing state (mostly just makes the paths that assume they are dealing with secrets explicitly say so)
I got a clean run with this diff:
diff --git a/test/integration/controlplane/transformation/kms_transformation_test.go b/test/integration/controlplane/transformation/kms_transformation_test.go
index 9773296ee29..3db46c22c3b 100644
--- a/test/integration/controlplane/transformation/kms_transformation_test.go
+++ b/test/integration/controlplane/transformation/kms_transformation_test.go
@@ -145,7 +145,7 @@ resources:
// Since Data Encryption Key (DEK) is randomly generated (per encryption operation), we need to ask KMS Mock for it.
plainTextDEK := pluginMock.LastEncryptRequest()
- secretETCDPath := test.getETCDPath()
+ secretETCDPath := test.getETCDPathForResource("", "secrets", test.secret.Name, test.secret.Namespace)
rawEnvelope, err := test.getRawSecretFromETCD()
if err != nil {
t.Fatalf("failed to read %s from etcd: %v", secretETCDPath, err)
diff --git a/test/integration/controlplane/transformation/kmsv2_transformation_test.go b/test/integration/controlplane/transformation/kmsv2_transformation_test.go
index dfb250a938f..f8b385adb24 100644
--- a/test/integration/controlplane/transformation/kmsv2_transformation_test.go
+++ b/test/integration/controlplane/transformation/kmsv2_transformation_test.go
@@ -154,7 +154,7 @@ resources:
// Since Data Encryption Key (DEK) is randomly generated (per encryption operation), we need to ask KMS Mock for it.
plainTextDEK := pluginMock.LastEncryptRequest()
- secretETCDPath := test.getETCDPath()
+ secretETCDPath := test.getETCDPathForResource("", "secrets", test.secret.Name, test.secret.Namespace)
rawEnvelope, err := test.getRawSecretFromETCD()
if err != nil {
t.Fatalf("failed to read %s from etcd: %v", secretETCDPath, err)
diff --git a/test/integration/controlplane/transformation/secrets_transformation_test.go b/test/integration/controlplane/transformation/secrets_transformation_test.go
index b899237a937..ccbd86ef0ff 100644
--- a/test/integration/controlplane/transformation/secrets_transformation_test.go
+++ b/test/integration/controlplane/transformation/secrets_transformation_test.go
@@ -95,7 +95,7 @@ func TestSecretsShouldBeTransformed(t *testing.T) {
if err != nil {
t.Fatalf("Failed to create test secret, error: %v", err)
}
- test.run(tt.unSealFunc, tt.transformerPrefix)
+ test.runResource(test.logger, tt.unSealFunc, tt.transformerPrefix, "", "v1", "secrets", test.secret.Name, test.secret.Namespace)
test.cleanUp()
}
}
diff --git a/test/integration/controlplane/transformation/transformation_testcase.go b/test/integration/controlplane/transformation/transformation_testcase.go
index d5ca2b8fcc7..cea83135866 100644
--- a/test/integration/controlplane/transformation/transformation_testcase.go
+++ b/test/integration/controlplane/transformation/transformation_testcase.go
@@ -114,10 +114,6 @@ func (e *transformTest) cleanUp() {
e.kubeAPIServer.TearDownFn()
}
-func (e *transformTest) run(unSealSecretFunc unSealSecret, expectedEnvelopePrefix string) {
- e.runResource(e.logger, unSealSecretFunc, expectedEnvelopePrefix, "", "v1", "secrets", "", "")
-}
-
func (e *transformTest) runResource(l kubeapiservertesting.Logger, unSealSecretFunc unSealSecret, expectedEnvelopePrefix,
group,
version,
@@ -212,17 +208,7 @@ func (e *transformTest) benchmark(b *testing.B) {
}
}
-func (e *transformTest) getETCDPath() string {
- return fmt.Sprintf("/%s/secrets/%s/%s", e.storageConfig.Prefix, e.ns.Name, e.secret.Name)
-}
-
func (e *transformTest) getETCDPathForResource(group, resource, name, namespaceName string) string {
- if e.secret != nil {
- group = ""
- resource = "secrets"
- name = testSecret
- namespaceName = testNamespace
- }
groupResource := resource
if group != "" {
groupResource = fmt.Sprintf("%s/%s", group, resource)
@@ -234,7 +220,7 @@ func (e *transformTest) getETCDPathForResource(group, resource, name, namespaceN
}
func (e *transformTest) getRawSecretFromETCD() ([]byte, error) {
- secretETCDPath := e.getETCDPath()
+ secretETCDPath := e.getETCDPathForResource("", "secrets", e.secret.Name, e.ns.Name)
etcdResponse, err := e.readRawRecordFromETCD(secretETCDPath)
if err != nil {
return nil, fmt.Errorf("failed to read %s from etcd: %v", secretETCDPath, err)
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
Show resolved
Hide resolved
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
Show resolved
Hide resolved
staging/src/k8s.io/apiextensions-apiserver/pkg/apiserver/customresource_handler.go
Show resolved
Hide resolved
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, liggitt, ritazh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
/lgtm |
My suggestion for the changelog text (which can be Markdown): kube-apiserver: APIs backed by CustomResourceDefinitions can now be specified in the `--encryption-provider-config` file; when specified, the data for those custom resources can now be encrypted in etcd. I like to put command line arguments inside backticks. |
Thanks for the suggestion @sftim! I've updated above. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
Enable encryption of custom resources in ETCD
Which issue(s) this PR fixes:
Fixes #104165
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: