kubernetes/test/integration/controlplane/transformation/kmsv2_transformation_test.go

// envelopekmsv2 is the test helper type whose methods below (prefix, prefixLen,
// cipherTextDEKSource, startOfPayload, cipherTextPayload, plainTextPayload) pick apart a
// KMSv2-encrypted etcd record; its definition is not shown in this listing.
type envelopekmsv2

// prefix returns the record prefix for this KMSv2 envelope variant — presumably the
// k8s:enc:kms:v2:<plugin name>: form named in TestKMSv2Provider's contract; confirm against the body.
func (r envelopekmsv2) prefix() string {}

// prefixLen returns the byte length of the record prefix; presumably len(r.prefix()) — confirm.
func (r envelopekmsv2) prefixLen() int {}

// cipherTextDEKSource returns the encrypted DEK / DEK-seed bytes carried in the record — presumably
// the KEK-wrapped value the KMS plugin hands back, per TestKMSv2Provider's contract; verify.
// NOTE(review): the error return presumably reports a malformed record — confirm.
func (r envelopekmsv2) cipherTextDEKSource() ([]byte, error) {}

// startOfPayload returns the offset at which the encrypted payload begins (per its name — confirm).
// The string argument is a blank identifier, so this variant cannot use it.
func (r envelopekmsv2) startOfPayload(_ string) int {}

// cipherTextPayload returns the encrypted payload bytes of the record — presumably the AES-GCM /
// extended-nonce GCM ciphertext of the object, per TestKMSv2Provider's contract; verify.
// NOTE(review): the error return presumably reports a malformed record — confirm.
func (r envelopekmsv2) cipherTextPayload() ([]byte, error) {}

// plainTextPayload returns the decrypted payload of the record stored at secretETCDPath.
// NOTE(review): how the DEK/seed is unwrapped here, and whether secretETCDPath is bound into the
// decryption (e.g. as additional authenticated data), is not visible in this listing — verify
// against the body before relying on this helper for new assertions.
func (r envelopekmsv2) plainTextPayload(secretETCDPath string) ([]byte, error) {}

// TestDefaultValues tests the default flag values without setting any of the feature flags or
// calling SetKDFForTests, and asserts that the data stored in etcd is using the KDF.
func TestDefaultValues(t *testing.T) {}

// TestKMSv2Provider is an integration test between KubeAPI, ETCD and the KMSv2 Plugin.
// Concretely, this test verifies the following integration contracts:
// 1. Raw records in ETCD that were processed by the KMSv2 Provider should be prefixed with k8s:enc:kms:v2:<plugin name>:
// 2. The Data Encryption Key (DEK) / DEK seed should be generated by envelopeTransformer and passed to the KMS gRPC Plugin
// 3. The KMS gRPC Plugin should encrypt the DEK/seed with a Key Encryption Key (KEK) and pass it back to envelopeTransformer
// 4. The cipherTextPayload (e.g. a Secret) should be encrypted via the AES-GCM transform / extended nonce GCM
// 5. The kmstypes.EncryptedObject structure should be serialized and deposited in ETCD
func TestKMSv2Provider(t *testing.T) {}

// testKMSv2Provider is the parameterised body presumably driven by TestKMSv2Provider. kmsName
// selects the plugin under test; useSeed presumably toggles between the per-object DEK and the
// DEK-seed modes named in TestKMSv2Provider's contract — confirm against the body.
func testKMSv2Provider(t *testing.T, kmsName string, useSeed bool) {}

// TestKMSv2ProviderKeyIDStaleness is an integration test between KubeAPI and the KMSv2 Plugin.
// Concretely, this test verifies the following contracts for no-op updates:
// 1. When the key ID is unchanged, the resource version must not change
// 2. When the key ID changes, the resource version changes (but only once)
// 3. For all subsequent updates, the resource version must not change
// 4. When kms-plugin is down, expect creation of a new pod and encryption to succeed while the DEK/seed is valid
// 5. When kms-plugin is down, a no-op update for a pod should succeed and not result in an RV change while the DEK/seed is valid
// 6. When kms-plugin is down, expect creation of a new pod and encryption to fail once the DEK/seed is invalid
// 7. When kms-plugin is down, a no-op update for a pod should succeed and not result in an RV change even once the DEK/seed is valid
//
// NOTE(review): item 7 reads "valid"; since item 5 already covers the valid case and item 6
// introduces the invalid one, it was likely meant to read "invalid" — confirm against the test body.
func TestKMSv2ProviderKeyIDStaleness(t *testing.T) {}

// testKMSv2ProviderKeyIDStaleness is the parameterised body presumably driven by
// TestKMSv2ProviderKeyIDStaleness for plugin kmsName. resetSetKDFForTests is a callback — presumably
// the reset returned by SetKDFForTests, which the test must run to restore the default KDF setting;
// confirm when it is invoked (and that it runs on every exit path).
func testKMSv2ProviderKeyIDStaleness(t *testing.T, kmsName string, resetSetKDFForTests func()) {}

// TestKMSv2ProviderDEKSourceReuse covers how DEK sources are reused across objects (per its name);
// it presumably drives testKMSv2ProviderDEKSourceReuse with a checkFunc per case — confirm.
func TestKMSv2ProviderDEKSourceReuse(t *testing.T) {}

// testKMSv2ProviderDEKSourceReuse runs the DEK-source reuse scenario for plugin kmsName. f is the
// checkFunc applied to the observed DEK sources — presumably via assertPodDEKSources; confirm.
func testKMSv2ProviderDEKSourceReuse(t *testing.T, kmsName string, f checkFunc) {}

// checkFunc is the callback type taken by testKMSv2ProviderDEKSourceReuse and assertPodDEKSources;
// its signature is not shown in this listing.
type checkFunc

// assertPodDEKSources checks pod records against the expected DEK-source layout, presumably by
// reading them straight from the storage backend described by config (bypassing the API server).
// Parameter meanings are inferred from the names — confirm against the body: podCount is the
// number of pods expected, dekSourcesCount the number of distinct DEK sources they should span,
// kmsName and kmsPrefix identify the plugin and the record prefix to expect, and f is the
// checkFunc applied to the observed sources.
func assertPodDEKSources(ctx context.Context, t *testing.T, config storagebackend.Config, podCount, dekSourcesCount int, kmsName, kmsPrefix string, f checkFunc) {}

// TestKMSv2Healthz covers the healthz behaviour of the KMSv2 provider (per its name); the exact
// cases it checks are not visible in this listing.
func TestKMSv2Healthz(t *testing.T) {}

// TestKMSv2SingleService covers the single-service KMSv2 configuration (per its name); the exact
// cases it checks are not visible in this listing.
func TestKMSv2SingleService(t *testing.T) {}

// TestKMSv2FeatureFlag is an integration test between KubeAPI and ETCD.
// Concretely, this test verifies the following:
// 1. When the feature flag is enabled, loading an encryptionConfig with KMSv2 should work
// 2. After a restart, loading an encryptionConfig with the same KMSv2 plugin as in step 1 should work,
// and decryption of data encrypted with v2 should work
func TestKMSv2FeatureFlag(t *testing.T) {}

// benchSecret is a package-level benchmark fixture; its type and value are not shown in this
// listing. Presumably the Secret fed to BenchmarkKMSv2KDF — confirm.
var benchSecret

// BenchmarkKMSv2KDF benchmarks the KMSv2 KDF (DEK-seed) path, per its name; the body is not
// shown in this listing.
func BenchmarkKMSv2KDF(b *testing.B) {}

// getRESTOptionsGetterForSecrets builds a generic.RESTOptionsGetter for the secrets resource from
// test's configuration. It takes testing.TB rather than *testing.T so both tests and benchmarks
// (BenchmarkKMSv2REST) can call it.
func getRESTOptionsGetterForSecrets(t testing.TB, test *transformTest) generic.RESTOptionsGetter {}

// noValidation is a validation callback that discards both its arguments (blank identifiers);
// per its name it presumably always returns nil — confirm. Test-only: it exists so a code path
// that requires a validator can be exercised without one.
func noValidation(_ context.Context, _ runtime.Object) error {}

// benchRESTSecret is a package-level benchmark fixture; its type and value are not shown in this
// listing. Presumably the Secret fed to BenchmarkKMSv2REST — confirm.
var benchRESTSecret

// BenchmarkKMSv2REST benchmarks the KMSv2 path through the REST storage layer, per its name
// (see getRESTOptionsGetterForSecrets); the body is not shown in this listing.
func BenchmarkKMSv2REST(b *testing.B) {}

// randomBool returns a randomly chosen bool, per its name. The source of randomness is not shown
// in this listing; as a test helper it does not need a cryptographic RNG, but confirm it is not
// used for anything that feeds key material.
func randomBool() bool {}

// TestKMSv2ProviderLegacyData confirms that legacy data recorded from the earliest released commit can still be read.
// It presumably delegates to testKMSv2ProviderLegacyData — confirm.
func TestKMSv2ProviderLegacyData(t *testing.T) {}

// testKMSv2ProviderLegacyData is presumably the body behind TestKMSv2ProviderLegacyData: it should
// decode the recorded legacy fixtures and assert they still read correctly. The fixtures it uses
// and how it feeds them through the transformer are not visible in this listing — confirm.
func testKMSv2ProviderLegacyData(t *testing.T) {}