
Add defaulting logic for EncryptionConfiguration.

immutableT committed Nov 15, 2019
1 parent 65aefd3 commit 8d5f4911d0c2960fd9c0446fec4351616c5ae601
Showing with 891 additions and 198 deletions.
  1. +1 −0 hack/.golint_failures
  2. +1 −0 staging/src/k8s.io/apiserver/pkg/apis/config/BUILD
  3. +8 −1 staging/src/k8s.io/apiserver/pkg/apis/config/types.go
  4. +12 −1 staging/src/k8s.io/apiserver/pkg/apis/config/v1/BUILD
  5. +54 −0 staging/src/k8s.io/apiserver/pkg/apis/config/v1/defaults.go
  6. +92 −0 staging/src/k8s.io/apiserver/pkg/apis/config/v1/defaults_test.go
  7. +1 −0 staging/src/k8s.io/apiserver/pkg/apis/config/v1/register.go
  8. +1 −1 staging/src/k8s.io/apiserver/pkg/apis/config/v1/types.go
  9. +2 −2 staging/src/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.conversion.go
  10. +5 −0 staging/src/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.deepcopy.go
  11. +5 −0 staging/src/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.defaults.go
  12. +39 −0 staging/src/k8s.io/apiserver/pkg/apis/config/validation/BUILD
  13. +219 −0 staging/src/k8s.io/apiserver/pkg/apis/config/validation/validation.go
  14. +345 −0 staging/src/k8s.io/apiserver/pkg/apis/config/validation/validation_test.go
  15. +5 −0 staging/src/k8s.io/apiserver/pkg/apis/config/zz_generated.deepcopy.go
  16. +2 −1 staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/BUILD
  17. +22 −73 staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
  18. +7 −80 staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
  19. +19 −11 staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope.go
  20. +46 −26 staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope_test.go
  21. +4 −2 staging/src/k8s.io/apiserver/pkg/storage/value/metrics.go
  22. +1 −0 vendor/modules.txt
@@ -358,6 +358,7 @@ staging/src/k8s.io/apiserver/pkg/apis/audit
staging/src/k8s.io/apiserver/pkg/apis/audit/v1
staging/src/k8s.io/apiserver/pkg/apis/audit/v1alpha1
staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1
staging/src/k8s.io/apiserver/pkg/apis/config/v1
staging/src/k8s.io/apiserver/pkg/apis/example
staging/src/k8s.io/apiserver/pkg/apis/example/v1
staging/src/k8s.io/apiserver/pkg/apis/example2
@@ -30,6 +30,7 @@ filegroup(
srcs = [
":package-srcs",
"//staging/src/k8s.io/apiserver/pkg/apis/config/v1:all-srcs",
"//staging/src/k8s.io/apiserver/pkg/apis/config/validation:all-srcs",
],
tags = ["automanaged"],
visibility = ["//visibility:public"],
@@ -17,6 +17,8 @@ limitations under the License.
package config

import (
"fmt"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

@@ -74,6 +76,11 @@ type Key struct {
Secret string
}

// String implements Stringer interface in a log safe way.
func (k Key) String() string {
return fmt.Sprintf("Name: %s, Secret: [REDACTED]", k.Name)
}

// IdentityConfiguration is an empty struct to allow identity transformer in provider configuration.
type IdentityConfiguration struct{}

@@ -83,7 +90,7 @@ type KMSConfiguration struct {
Name string
// cacheSize is the maximum number of secrets which are cached in memory. The default value is 1000.
// +optional
CacheSize int32
CacheSize *int32
// endpoint is the gRPC server listening address, for example "unix:///var/run/kms-provider.sock".
Endpoint string
// Timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.
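Review bot: `Key.String()` only redacts Secret for callers that go through fmt.Stringer (`%v`, `%s`, most loggers); `%#v`, JSON/YAML encoding of the internal struct, and other reflection-based dumpers read the exported fields directly and will still emit the key material. A one-line sibling, `func (k Key) GoString() string { return k.String() }`, closes the `%#v` hole, and the doc comment should spell out the remaining limit: `// String implements Stringer in a log safe way: Secret is never included. Reflection-based dumps (encoding/json, %#v without GoString) bypass this and must not be applied to Key.` The `Key` struct itself begins above this hunk. Separately, `CacheSize` becoming `*int32` on the internal type means consumers (config.go / envelope.go, changed in this commit but not shown here) must nil-check unless every config they receive has passed through the v1 defaulter — a short comment on the field saying which guarantee holds would prevent a nil dereference from creeping in later.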
@@ -1,8 +1,9 @@
load("@io_bazel_rules_go//go:def.bzl", "go_library")
load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")

go_library(
name = "go_default_library",
srcs = [
"defaults.go",
"doc.go",
"register.go",
"types.go",
@@ -35,3 +36,13 @@ filegroup(
tags = ["automanaged"],
visibility = ["//visibility:public"],
)

go_test(
name = "go_default_test",
srcs = ["defaults_test.go"],
embed = [":go_default_library"],
deps = [
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/github.com/google/go-cmp/cmp:go_default_library",
],
)
@@ -0,0 +1,54 @@
/*
Copyright 2019 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1

import (
"time"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)

var (
defaultTimeout = &metav1.Duration{Duration: 3 * time.Second}
defaultCacheSize int32 = 1000
)

func addDefaultingFuncs(scheme *runtime.Scheme) error {
return RegisterDefaults(scheme)
}

// SetDefaults_EncryptionConfiguration applies defaults to EncryptionConfiguration.
func SetDefaults_EncryptionConfiguration(obj *EncryptionConfiguration) {
for _, r := range obj.Resources {
for _, p := range r.Providers {
if p.KMS != nil {
setKMSProviderDefaults(p.KMS)
}
}
}
}

func setKMSProviderDefaults(obj *KMSConfiguration) {
if obj.Timeout == nil {
obj.Timeout = defaultTimeout
}

if obj.CacheSize == nil {
obj.CacheSize = &defaultCacheSize
}
}
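Review bot: `setKMSProviderDefaults` stores the package-level pointers themselves — `obj.Timeout = defaultTimeout` and `obj.CacheSize = &defaultCacheSize` — so every KMS provider that omitted a value shares one `metav1.Duration` and one `int32`, and any later in-place write through `Timeout.Duration` or `*CacheSize` (nothing on this page does so, but the config is handed on to envelope.go, changed in this commit and not shown) would silently change the default for every other provider and for all subsequent decodes. Copying is cheap and removes the hazard: `obj.Timeout = &metav1.Duration{Duration: defaultTimeout.Duration}` and `size := defaultCacheSize; obj.CacheSize = &size`. The cmp.Diff-based tests in defaults_test.go compare pointees, so they keep passing. `SetDefaults_EncryptionConfiguration` also deserves a comment noting that it is wired in through RegisterDefaults (register.go) and that Resources and Providers are ranged over by value, which only works because `KMS` is a pointer.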
@@ -0,0 +1,92 @@
/*
Copyright 2019 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1

import (
"testing"
"time"

v1 "k8s.io/apimachinery/pkg/apis/meta/v1"

"github.com/google/go-cmp/cmp"
)

func TestKMSProviderTimeoutDefaults(t *testing.T) {
testCases := []struct {
desc string
in *KMSConfiguration
want *KMSConfiguration
}{
{
desc: "timeout not supplied",
in: &KMSConfiguration{},
want: &KMSConfiguration{Timeout: defaultTimeout, CacheSize: &defaultCacheSize},
},
{
desc: "timeout supplied",
in: &KMSConfiguration{Timeout: &v1.Duration{Duration: 1 * time.Minute}},
want: &KMSConfiguration{Timeout: &v1.Duration{Duration: 1 * time.Minute}, CacheSize: &defaultCacheSize},
},
}

for _, tt := range testCases {
t.Run(tt.desc, func(t *testing.T) {
setKMSProviderDefaults(tt.in)
if d := cmp.Diff(tt.want, tt.in); d != "" {
t.Fatalf("KMS Provider mismatch (-want +got):\n%s", d)
}
})
}
}

func TestKMSProviderCacheDefaults(t *testing.T) {
var (
zero int32 = 0
ten int32 = 10
)

testCases := []struct {
desc string
in *KMSConfiguration
want *KMSConfiguration
}{
{
desc: "cache size not supplied",
in: &KMSConfiguration{},
want: &KMSConfiguration{Timeout: defaultTimeout, CacheSize: &defaultCacheSize},
},
{
desc: "cache of zero size supplied",
in: &KMSConfiguration{CacheSize: &zero},
want: &KMSConfiguration{Timeout: defaultTimeout, CacheSize: &zero},
},
{
desc: "positive cache size supplied",
in: &KMSConfiguration{CacheSize: &ten},
want: &KMSConfiguration{Timeout: defaultTimeout, CacheSize: &ten},
},
}

for _, tt := range testCases {
t.Run(tt.desc, func(t *testing.T) {
setKMSProviderDefaults(tt.in)
if d := cmp.Diff(tt.want, tt.in); d != "" {
t.Fatalf("KMS Provider mismatch (-want +got):\n%s", d)
}
})
}
}
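Review bot: Neither test calls `SetDefaults_EncryptionConfiguration`, the function actually registered with the scheme; only the private `setKMSProviderDefaults` is exercised, so the Resources→Providers walk and the `p.KMS != nil` guard in defaults.go have no coverage. Add a case that builds an EncryptionConfiguration with one KMS provider (Timeout and CacheSize nil) and one provider whose KMS is nil, runs the exported function, and asserts the KMS provider now carries `defaultTimeout`/`defaultCacheSize` while the other provider is unchanged from what went in. The two existing tests also share an identical loop body; folding them into one table with a `desc` per case would keep them in step when another field gains a default.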
@@ -40,6 +40,7 @@ func init() {
// generated functions takes place in the generated files. The separation
// makes the code compile even when the generated files are missing.
localSchemeBuilder.Register(addKnownTypes)
localSchemeBuilder.Register(addDefaultingFuncs)
}

func addKnownTypes(scheme *runtime.Scheme) error {
@@ -83,7 +83,7 @@ type KMSConfiguration struct {
Name string `json:"name"`
// cacheSize is the maximum number of secrets which are cached in memory. The default value is 1000.
// +optional
CacheSize int32 `json:"cachesize,omitempty"`
CacheSize *int32 `json:"cachesize,omitempty"`
// endpoint is the gRPC server listening address, for example "unix:///var/run/kms-provider.sock".
Endpoint string `json:"endpoint"`
// Timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.
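Review bot: With `CacheSize` now `*int32`, an explicit `cachesize: 0` is distinguishable from an unset field — the defaulter in this commit leaves 0 alone (defaults_test.go, "cache of zero size supplied") — but the doc comment still only says the default is 1000 and gives operators no hint what 0 means or whether validation accepts it (validation.go is part of this commit but not shown here). Suggest extending the comment to `// cacheSize is the maximum number of secrets which are cached in memory. The default value is 1000. An omitted value is replaced by the default; an explicit 0 is preserved by defaulting — see validation for whether it is accepted.`, and replacing the trailing clause with the concrete behaviour once validation settles it. The `KMSConfiguration` struct begins above this hunk and its remaining fields continue below it.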


@@ -0,0 +1,39 @@
load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")

go_library(
name = "go_default_library",
srcs = ["validation.go"],
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/apis/config/validation",
importpath = "k8s.io/apiserver/pkg/apis/config/validation",
visibility = ["//visibility:public"],
deps = [
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/apis/config:go_default_library",
],
)

go_test(
name = "go_default_test",
srcs = ["validation_test.go"],
embed = [":go_default_library"],
deps = [
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/apis/config:go_default_library",
"//vendor/github.com/google/go-cmp/cmp:go_default_library",
],
)

filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)

filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
visibility = ["//visibility:public"],
)
