kubernetes/test/integration/controlplane/transformation/kms_transformation_test.go

// dekKeySizeLen is a package-level constant whose value is not shown in this listing.
// NOTE(review): from the name and from envelope.dekLen, it presumably is the width in
// bytes of the field that encodes the encrypted-DEK length inside a stored record —
// confirm against the full file before relying on it.
const dekKeySizeLen

// kmsAPIVersion is a package-level constant whose value is not shown in this listing.
// NOTE(review): presumably the KMS plugin API version that appears in the record prefix
// (TestKMSProvider's comment names the k8s:enc:kms:v1: form) — confirm against the full file.
const kmsAPIVersion

// envelope appears to represent one raw record as read back from etcd, so the test can
// split it into the parts TestKMSProvider's comment describes (prefix, encrypted DEK,
// encrypted payload) via the accessor methods below. Its fields are not shown in this
// listing; confirm the underlying representation against the full file.
type envelope

// prefix returns the prefix portion of the record as a string.
// NOTE(review): presumably the k8s:enc:kms:v1:<provider-name>: header that
// TestKMSProvider contract 1 checks for — confirm against the method body.
func (r envelope) prefix() string {}

// prefixLen returns the length of the record prefix.
// NOTE(review): presumably len(r.prefix()) — confirm against the method body.
func (r envelope) prefixLen() int {}

// dekLen returns the length of the encrypted DEK carried in the record.
// NOTE(review): likely decoded from a dekKeySizeLen-wide length field that follows
// the prefix — confirm against the method body.
func (r envelope) dekLen() int {}

// cipherTextDEK returns the encrypted DEK bytes from the record, i.e. the DEK that the
// KMS plugin wrapped with its KEK (TestKMSProvider contract 3). The slice is presumably a
// view into the record rather than a copy — confirm against the method body.
func (r envelope) cipherTextDEK() []byte {}

// startOfPayload returns the byte offset at which the encrypted payload begins for a
// record written by the KMS provider named providerName.
// NOTE(review): the provider name is part of the prefix, which is presumably why it
// influences the offset (prefix + DEK-length field + DEK) — confirm against the body.
func (r envelope) startOfPayload(providerName string) int {}

// cipherTextPayload returns the encrypted payload bytes of the record (the encrypted
// resource, e.g. a Secret, per TestKMSProvider contract 4). Body not shown in this listing.
func (r envelope) cipherTextPayload() []byte {}

// plainTextPayload decrypts the record's payload and returns the plaintext, or an error
// if decryption fails.
// NOTE(review): secretETCDPath is presumably the etcd key of the secret, passed through
// as context for the payload transform; which AES mode (CBC vs GCM) this uses matters for
// TestKMSProvider contracts 6 and 9 — confirm both against the method body.
func (r envelope) plainTextPayload(secretETCDPath string) ([]byte, error) {}

// TestKMSProvider is an integration test between the kube-apiserver, etcd and the KMS plugin.
// Concretely, it verifies the following integration contracts:
//  1. Raw records in etcd that were processed by the KMS provider are prefixed with k8s:enc:kms:v1:grpc-kms-provider-name:
//  2. The Data Encryption Key (DEK) is generated by the envelopeTransformer and passed to the KMS gRPC plugin.
//  3. The KMS gRPC plugin encrypts the DEK with a Key Encryption Key (KEK) and passes it back to the envelopeTransformer.
//  4. The cipherTextPayload (e.g. a Secret) is encrypted via the AES-CBC transform.
//  5. The Prefix-EncryptedDEK-EncryptedPayload structure is deposited in etcd.
//  6. Direct AES-GCM decryption of a cipherTextPayload written with the AES-CBC transform does not work.
//  7. Existing AES-CBC secrets are un-enveloped on direct reads from the kube-apiserver.
//  8. No-op updates to the secret cause a new AES-GCM key to be used.
//  9. Direct AES-GCM decryption works once the new AES-GCM key is in use.
func TestKMSProvider(t *testing.T) {}

// TestEncryptionConfigHotReload is an integration test that verifies hot reload of the KMS
// encryption config works. It asserts the following scenario, in order:
//  1. start at 'kms-provider'
//  2. create some secrets
//  3. add 'new-kms-provider' as the write KMS (this is okay because we only have 1 API server)
//  4. wait for the config to be observed
//  5. run storage migration on the secrets
//  6. confirm that the secrets have the new prefix
//  7. remove 'kms-provider'
//  8. wait for the config to be observed
//  9. confirm that reads still work
//  10. confirm that a cluster-wide secret read still works
//  11. confirm that the API server can restart with the last applied encryption config
func TestEncryptionConfigHotReload(t *testing.T) {}

// TestEncryptAll is an integration test whose body is not shown in this listing.
// NOTE(review): from its name and the wantPrefixForEncryptAll parameter of
// verifyIfKMSTransformersSwapped, it presumably exercises an encryption config that
// covers all resources and checks the resulting record prefixes — confirm against the body.
func TestEncryptAll(t *testing.T) {}

// TestEncryptAllWithWildcard is an integration test whose body is not shown in this listing.
// NOTE(review): presumably the variant of TestEncryptAll that selects all resources through
// a wildcard entry in the encryption config — confirm against the body.
func TestEncryptAllWithWildcard(t *testing.T) {}

// TestEncryptionConfigHotReloadFilePolling is an integration test whose body is not shown in
// this listing.
// NOTE(review): presumably the variant of TestEncryptionConfigHotReload in which config
// changes are picked up by polling the config file — confirm against the body.
func TestEncryptionConfigHotReloadFilePolling(t *testing.T) {}

// verifyPrefixOfSecretResource checks, via t, that the stored secret resource carries
// wantPrefix. test supplies the harness (a *transformTest, declared elsewhere in the
// package) through which the raw record is presumably read back from etcd — confirm
// against the body.
func verifyPrefixOfSecretResource(t *testing.T, wantPrefix string, test *transformTest) {}

// verifyIfKMSTransformersSwapped checks, via t, that records are now written with the
// expected prefixes after a KMS transformer change: wantPrefix for the ordinary case and
// wantPrefixForEncryptAll for the encrypt-all configuration. test supplies the harness
// (a *transformTest, declared elsewhere in the package). Body not shown in this listing.
func verifyIfKMSTransformersSwapped(t *testing.T, wantPrefix, wantPrefixForEncryptAll string, test *transformTest) {}

// updateFile replaces the contents of filename under configDir with newContent, failing
// the test via t on error. It is the helper the hot-reload tests presumably use to change
// the encryption config on disk; whether the write is atomic (temp file + rename) or
// in place matters for what a file watcher observes — confirm against the body.
func updateFile(t *testing.T, configDir, filename string, newContent []byte) {}

// TestKMSHealthz is an integration test whose body is not shown in this listing.
// NOTE(review): from its name, it presumably checks that the API server's healthz reflects
// the KMS plugin's availability — confirm against the body.
func TestKMSHealthz(t *testing.T) {}

// TestKMSHealthzWithReload is an integration test whose body is not shown in this listing.
// NOTE(review): presumably the TestKMSHealthz scenario combined with an encryption config
// reload, checking that health reporting tracks the reloaded provider set — confirm
// against the body.
func TestKMSHealthzWithReload(t *testing.T) {}