const aesCBCTransformerPrefixV1 … const aesGCMTransformerPrefixV1 … const secretboxTransformerPrefixV1 … const kmsTransformerPrefixV1 … const kmsTransformerPrefixV2 … const kmsv2PluginHealthzPositiveInterval … const kmsv2PluginHealthzNegativeInterval … const kmsv2PluginWriteDEKSourceMaxTTL … const kmsPluginHealthzNegativeTTL … const kmsPluginHealthzPositiveTTL … const kmsAPIVersionV1 … const kmsAPIVersionV2 … const kmsReloadHealthCheckName … var codecs … var kdfEnabledPerKMS … // this function should only be called in tests to swap enablement of the KMSv2KDF feature // Caller must guarantee that all KMS providers have distinct names across all tests. func SetKDFForTests(kmsName string, b bool) func() { … } // this function should be used to determine enablement of the KMSv2KDF feature // instead of getting it from DefaultFeatureGate as the feature gate is now locked // to true starting with v1.29 // to allow integration tests to run in parallel, this "feature flag" can be set // per KMS provider as long as all providers use distinct names. func GetKDF(kmsName string) bool { … } func init() { … } type kmsPluginHealthzResponse … type kmsPluginProbe … type kmsv2PluginProbe … type kmsHealthChecker … func (k kmsHealthChecker) Name() string { … } func (k kmsHealthChecker) Check(req *http.Request) error { … } func (h *kmsPluginProbe) toHealthzCheck(idx int) healthz.HealthChecker { … } func (h *kmsv2PluginProbe) toHealthzCheck(idx int) healthz.HealthChecker { … } type EncryptionConfiguration … // LoadEncryptionConfig parses and validates the encryption config specified by filepath. // It may launch multiple go routines whose lifecycle is controlled by ctx. // In case of an error, the caller is responsible for canceling ctx to clean up any go routines that may have been launched. // If reload is true, or KMS v2 plugins are used with no KMS v1 plugins, the returned slice of health checkers will always be of length 1. func LoadEncryptionConfig(ctx context.Context, filepath string, reload bool, apiServerID string) (*EncryptionConfiguration, error) { … } // getTransformerOverridesAndKMSPluginHealthzCheckers creates the set of transformers and KMS healthz checks based on the given config. // It may launch multiple go routines whose lifecycle is controlled by ctx. // In case of an error, the caller is responsible for canceling ctx to clean up any go routines that may have been launched. func getTransformerOverridesAndKMSPluginHealthzCheckers(ctx context.Context, config *apiserver.EncryptionConfiguration, apiServerID string) (map[schema.GroupResource]storagevalue.Transformer, []healthz.HealthChecker, *kmsState, error) { … } type healthChecker … // getTransformerOverridesAndKMSPluginProbes creates the set of transformers and KMS probes based on the given config. // It may launch multiple go routines whose lifecycle is controlled by ctx. // In case of an error, the caller is responsible for canceling ctx to clean up any go routines that may have been launched. func getTransformerOverridesAndKMSPluginProbes(ctx context.Context, config *apiserver.EncryptionConfiguration, apiServerID string) (map[schema.GroupResource]storagevalue.Transformer, []healthChecker, *kmsState, error) { … } // check encrypts and decrypts test data against KMS-Plugin's gRPC endpoint. func (h *kmsPluginProbe) check() error { … } // check gets the healthz status of the KMSv2-Plugin using the Status() method. func (h *kmsv2PluginProbe) check(ctx context.Context) error { … } // rotateDEKOnKeyIDChange tries to rotate to a new DEK/seed if the key ID returned by Status does not match the // current state. If a successful rotation is performed, the new DEK/seed and keyID overwrite the existing state. // On any failure during rotation (including mismatch between status and encrypt calls), the current state is // preserved and will remain valid to use for encryption until its expiration (the system attempts to coast). // If the key ID returned by Status matches the current state, the expiration of the current state is extended // and no rotation is performed. func (h *kmsv2PluginProbe) rotateDEKOnKeyIDChange(ctx context.Context, statusKeyID, uid string) error { … } // getCurrentState returns the latest state from the last status and encrypt calls. // If the returned error is nil, the state is considered valid indefinitely for read requests. // For write requests, the caller must also check that state.ValidateEncryptCapability does not error. func (h *kmsv2PluginProbe) getCurrentState() (envelopekmsv2.State, error) { … } func (h *kmsv2PluginProbe) isKMSv2ProviderHealthyAndMaybeRotateDEK(ctx context.Context, response *kmsservice.StatusResponse) error { … } // loadConfig parses the encryption configuration file at filepath and returns the parsed config and hash of the file. func loadConfig(filepath string, reload bool) (*apiserver.EncryptionConfiguration, string, error) { … } func loadDataAndHash(filepath string) ([]byte, string, error) { … } // GetEncryptionConfigHash reads the encryption configuration file at filepath and returns the hash of the file. // It does not attempt to decode or load the config, and serves as a cheap check to determine if the file has changed. func GetEncryptionConfigHash(filepath string) (string, error) { … } // prefixTransformersAndProbes creates the set of transformers and KMS probes based on the given resource config. // It may launch multiple go routines whose lifecycle is controlled by ctx. // In case of an error, the caller is responsible for canceling ctx to clean up any go routines that may have been launched. func prefixTransformersAndProbes(ctx context.Context, config apiserver.ResourceConfiguration, apiServerID string) ([]storagevalue.PrefixTransformer, []healthChecker, *kmsState, error) { … } type blockTransformerFunc … func aesPrefixTransformer(config *apiserver.AESConfiguration, fn blockTransformerFunc, prefix string) (storagevalue.PrefixTransformer, error) { … } func secretboxPrefixTransformer(config *apiserver.SecretboxConfiguration) (storagevalue.PrefixTransformer, error) { … } var envelopeServiceFactory … var EnvelopeKMSv2ServiceFactory … type kmsState … // accumulate computes the KMS state by: // - determining which KMS plugin versions are in use // - calculating kmsTimeoutSum which is used as transformTracker.kmsCloseGracePeriod // DynamicTransformers.Set waits for this period before closing old transformers after a config reload func (s *kmsState) accumulate(other *kmsState) { … } // kmsPrefixTransformer creates a KMS transformer and probe based on the given KMS config. // It may launch multiple go routines whose lifecycle is controlled by ctx. // In case of an error, the caller is responsible for canceling ctx to clean up any go routines that may have been launched. func kmsPrefixTransformer(ctx context.Context, config *apiserver.KMSConfiguration, apiServerID string) (storagevalue.PrefixTransformer, healthChecker, *kmsState, error) { … } func primeAndProbeKMSv2(ctx context.Context, probe *kmsv2PluginProbe, kmsName string) { … } func envelopePrefixTransformer(config *apiserver.KMSConfiguration, envelopeService envelope.Service, prefix string) storagevalue.PrefixTransformer { … } type unionTransformers … func (u unionTransformers) TransformFromStorage(ctx context.Context, data []byte, dataCtx storagevalue.Context) (out []byte, stale bool, err error) { … } func (u unionTransformers) TransformToStorage(ctx context.Context, data []byte, dataCtx storagevalue.Context) (out []byte, err error) { … } // computeEncryptionConfigHash returns the expected hash for an encryption config file that has been loaded as bytes. // We use a hash instead of the raw file contents when tracking changes to avoid holding any encryption keys in memory outside of their associated transformers. // This hash must be used in-memory and not externalized to the process because it has no cross-release stability guarantees. func computeEncryptionConfigHash(data []byte) string { … } var _ … var _ … type DynamicTransformers … type transformTracker … // NewDynamicTransformers returns transformers, health checks for kms providers and an ability to close transformers. func NewDynamicTransformers( transformerOverrides map[schema.GroupResource]storagevalue.Transformer, kmsPluginHealthzCheck healthz.HealthChecker, closeTransformers context.CancelFunc, kmsCloseGracePeriod time.Duration, ) *DynamicTransformers { … } // Check implements healthz.HealthChecker func (d *DynamicTransformers) Check(req *http.Request) error { … } // Name implements healthz.HealthChecker func (d *DynamicTransformers) Name() string { … } // TransformerForResource returns the transformer for the given resource. func (d *DynamicTransformers) TransformerForResource(resource schema.GroupResource) storagevalue.Transformer { … } // Set sets the transformer overrides. This method is not go routine safe and must only be called by the same, single caller throughout the lifetime of this object. func (d *DynamicTransformers) Set( transformerOverrides map[schema.GroupResource]storagevalue.Transformer, closeTransformers context.CancelFunc, kmsPluginHealthzCheck healthz.HealthChecker, kmsCloseGracePeriod time.Duration, ) { … } var _ … type resourceTransformer … func (r *resourceTransformer) TransformFromStorage(ctx context.Context, data []byte, dataCtx storagevalue.Context) ([]byte, bool, error) { … } func (r *resourceTransformer) TransformToStorage(ctx context.Context, data []byte, dataCtx storagevalue.Context) ([]byte, error) { … } func (r *resourceTransformer) transformer() storagevalue.Transformer { … } var _ … type StaticTransformers … func (s StaticTransformers) TransformerForResource(resource schema.GroupResource) storagevalue.Transformer { … } var anyGroupAnyResource … func transformerFromOverrides(transformerOverrides map[schema.GroupResource]storagevalue.Transformer, resource schema.GroupResource) (out storagevalue.Transformer) { … } func grYAMLString(gr schema.GroupResource) string { … } var _ … type requestInfoTransformer … func newRequestInfoTransformer(resource schema.GroupResource, delegate storagevalue.Transformer) *requestInfoTransformer { … } func (l *requestInfoTransformer) TransformFromStorage(ctx context.Context, data []byte, dataCtx storagevalue.Context) ([]byte, bool, error) { … } func (l *requestInfoTransformer) TransformToStorage(ctx context.Context, data []byte, dataCtx storagevalue.Context) ([]byte, error) { … } func (l *requestInfoTransformer) withBaseValueCtx(ctx context.Context) context.Context { … } type joinValueContext … func (j *joinValueContext) Value(key any) any { … }
Codebase Browser
kubernetes