type envelopekmsv2 … func (r envelopekmsv2) prefix() string { … } func (r envelopekmsv2) prefixLen() int { … } func (r envelopekmsv2) cipherTextDEKSource() ([]byte, error) { … } func (r envelopekmsv2) startOfPayload(_ string) int { … } func (r envelopekmsv2) cipherTextPayload() ([]byte, error) { … } func (r envelopekmsv2) plainTextPayload(secretETCDPath string) ([]byte, error) { … } // TestDefaultValues tests default flag values without setting any of the feature flags or // calling SetKDFForTests, and asserts that the data stored in etcd is using the KDF func TestDefaultValues(t *testing.T) { … } // TestKMSv2Provider is an integration test between KubeAPI, ETCD and KMSv2 Plugin // Concretely, this test verifies the following integration contracts: // 1. Raw records in ETCD that were processed by KMSv2 Provider should be prefixed with k8s:enc:kms:v2:<plugin name>: // 2. Data Encryption Key (DEK) / DEK seed should be generated by envelopeTransformer and passed to KMS gRPC Plugin // 3. KMS gRPC Plugin should encrypt the DEK/seed with a Key Encryption Key (KEK) and pass it back to envelopeTransformer // 4. The cipherTextPayload (e.g. Secret) should be encrypted via AES GCM transform / extended nonce GCM // 5. kmstypes.EncryptedObject structure should be serialized and deposited in ETCD func TestKMSv2Provider(t *testing.T) { … } func testKMSv2Provider(t *testing.T, kmsName string, useSeed bool) { … } // TestKMSv2ProviderKeyIDStaleness is an integration test between KubeAPI and KMSv2 Plugin // Concretely, this test verifies the following contracts for no-op updates: // 1. When the key ID is unchanged, the resource version must not change // 2. When the key ID changes, the resource version changes (but only once) // 3. For all subsequent updates, the resource version must not change // 4. When kms-plugin is down, expect creation of a new pod and encryption to succeed while the DEK/seed is valid // 5. 
When kms-plugin is down, a no-op update for a pod should succeed and not result in an RV change while the DEK/seed is valid // 6. When kms-plugin is down, expect creation of a new pod and encryption to fail once the DEK/seed is invalid // 7. When kms-plugin is down, a no-op update for a pod should succeed and not result in an RV change even once the DEK/seed is valid func TestKMSv2ProviderKeyIDStaleness(t *testing.T) { … } func testKMSv2ProviderKeyIDStaleness(t *testing.T, kmsName string, resetSetKDFForTests func()) { … } func TestKMSv2ProviderDEKSourceReuse(t *testing.T) { … } func testKMSv2ProviderDEKSourceReuse(t *testing.T, kmsName string, f checkFunc) { … } type checkFunc … func assertPodDEKSources(ctx context.Context, t *testing.T, config storagebackend.Config, podCount, dekSourcesCount int, kmsName, kmsPrefix string, f checkFunc) { … } func TestKMSv2Healthz(t *testing.T) { … } func TestKMSv2SingleService(t *testing.T) { … } // TestKMSv2FeatureFlag is an integration test between KubeAPI and ETCD // Concretely, this test verifies the following: // 1. When the feature flag is enabled, loading an encryptionConfig with KMSv2 should work // 2. After a restart, loading an encryptionConfig with the same KMSv2 plugin from 1 should work, // and decryption of data encrypted with v2 should work func TestKMSv2FeatureFlag(t *testing.T) { … } var benchSecret … func BenchmarkKMSv2KDF(b *testing.B) { … } func getRESTOptionsGetterForSecrets(t testing.TB, test *transformTest) generic.RESTOptionsGetter { … } func noValidation(_ context.Context, _ runtime.Object) error { … } var benchRESTSecret … func BenchmarkKMSv2REST(b *testing.B) { … } func randomBool() bool { … } // TestKMSv2ProviderLegacyData confirms that legacy data recorded from the earliest released commit can still be read. func TestKMSv2ProviderLegacyData(t *testing.T) { … } func testKMSv2ProviderLegacyData(t *testing.T) { … }