// dekKeySizeLen — value elided in this listing. By name, presumably the byte
// length of the DEK key-size field at the front of an enveloped record
// (NOTE(review): confirm against the full definition).
const dekKeySizeLen …

// kmsAPIVersion — value elided in this listing. Presumably the KMS plugin API
// version the tests expect in the record prefix (NOTE(review): confirm).
const kmsAPIVersion …

// envelope is a view over one raw, KMS-enveloped ETCD record. Its fields are
// elided here; the accessor methods below are the only contract visible.
type envelope …

// prefix returns the provider prefix of the record. Body elided; the expected
// shape is described by contract 1 of TestKMSProvider — confirm against the body.
func (r envelope) prefix() string { … }

// prefixLen returns the length of the record prefix. Body elided; presumably
// len(r.prefix()) — confirm.
func (r envelope) prefixLen() int { … }

// dekLen returns the length of the encrypted DEK section. Body elided;
// presumably decoded from the dekKeySizeLen-wide size field — confirm.
func (r envelope) dekLen() int { … }

// cipherTextDEK returns the KEK-encrypted DEK bytes that follow the prefix
// (contract 3 of TestKMSProvider). Body elided.
func (r envelope) cipherTextDEK() []byte { … }

// startOfPayload returns the byte offset at which the encrypted payload begins
// for a record written by providerName. Body elided; presumably the prefix
// length for that provider plus the DEK size field plus dekLen() — confirm.
func (r envelope) startOfPayload(providerName string) int { … }

// cipherTextPayload returns the encrypted payload bytes (the enveloped Secret).
// Body elided.
func (r envelope) cipherTextPayload() []byte { … }

// plainTextPayload decrypts the payload of the record stored at secretETCDPath
// and returns the plaintext, or an error if decryption fails. Body elided; which
// transform is used (contracts 4 and 6 of TestKMSProvider) is not visible here.
func (r envelope) plainTextPayload(secretETCDPath string) ([]byte, error) { … }

// TestKMSProvider is an integration test between KubeAPI, ETCD and KMS Plugin
// Concretely, this test verifies the following integration contracts:
// 1. Raw records in ETCD that were processed by KMS Provider should be prefixed with k8s:enc:kms:v1:grpc-kms-provider-name:
// 2. Data Encryption Key (DEK) should be generated by envelopeTransformer and passed to KMS gRPC Plugin
// 3. KMS gRPC Plugin should encrypt the DEK with a Key Encryption Key (KEK) and pass it back to envelopeTransformer
// 4. The cipherTextPayload (ex. Secret) should be encrypted via AES CBC transform
// 5. Prefix-EncryptedDEK-EncryptedPayload structure should be deposited to ETCD
// 6. Direct AES GCM decryption of the cipherTextPayload written with AES CBC transform does not work
// 7. Existing AES CBC secrets should be un-enveloped on direct reads from Kube API Server
// 8. No-op updates to the secret should cause new AES GCM key to be used
// 9. Direct AES GCM decryption works after the new AES GCM key is used
func TestKMSProvider(t *testing.T) { … }

// TestEncryptionConfigHotReload is an integration test that verifies hot reload of KMS encryption config works.
// This test asserts following scenarios:
// 1. start at 'kms-provider'
// 2. create some secrets
// 3. add 'new-kms-provider' as write KMS (this is okay because we only have 1 API server)
// 4. wait for config to be observed
// 5. run storage migration on secrets
// 6. confirm that secrets have the new prefix
// 7. remove 'kms-provider'
// 8. wait for config to be observed
// 9. confirm that reads still work
// 10. confirm that cluster wide secret read still works
// 11. confirm that api server can restart with last applied encryption config
func TestEncryptionConfigHotReload(t *testing.T) { … }

// TestEncryptAll — body elided; by name, exercises an encryption config that
// covers all resources (NOTE(review): confirm which resources are checked).
func TestEncryptAll(t *testing.T) { … }

// TestEncryptAllWithWildcard — body elided; by name, the TestEncryptAll scenario
// expressed with a wildcard resource entry (confirm).
func TestEncryptAllWithWildcard(t *testing.T) { … }

// TestEncryptionConfigHotReloadFilePolling — body elided; by name, the hot-reload
// scenario driven by file polling rather than file-watch events (confirm).
func TestEncryptionConfigHotReloadFilePolling(t *testing.T) { … }

// verifyPrefixOfSecretResource asserts that the stored secret record(s) for test
// carry wantPrefix, failing t otherwise. Body elided; how records are fetched
// from ETCD is not visible here.
func verifyPrefixOfSecretResource(t *testing.T, wantPrefix string, test *transformTest) { … }

// verifyIfKMSTransformersSwapped asserts that, after a config change, secrets
// are written with wantPrefix and the encrypt-all path with
// wantPrefixForEncryptAll. Body elided; the exact checks are not visible here.
func verifyIfKMSTransformersSwapped(t *testing.T, wantPrefix, wantPrefixForEncryptAll string, test *transformTest) { … }

// updateFile replaces the contents of filename under configDir with newContent,
// presumably failing t on any I/O error. Body elided; whether the write is
// atomic (temp file + rename) is not visible and matters for reload tests — confirm.
func updateFile(t *testing.T, configDir, filename string, newContent []byte) { … }

// TestKMSHealthz — body elided; by name, checks the KMS provider healthz
// endpoint(s) exposed by the API server (confirm).
func TestKMSHealthz(t *testing.T) { … }

// TestKMSHealthzWithReload — body elided; by name, checks that healthz reflects
// KMS providers added or removed through encryption config reload (confirm).
func TestKMSHealthzWithReload(t *testing.T) { … }