Add KMS plugin registry

[sakshamsharma]

Allows supporting KMS services as encryption providers using a plugin mechanism similar to admission plugins.

Simplifies #48574

Progresses #48522

@deads2k PTAL

[deads2k]

I'd like to see this structure follow the admission plugin configuration structure and allow either a path or a rawextension directly here.

[deads2k]

I'd like to see this structure follow the admission plugin configuration structure and allow either a path or a rawextension directly here.

This is ok as a followup

[sakshamsharma]

I am not entirely sure whether this part is relevant to this process, and I think it can be removed without introducing any immediate issues. Have copied this from admissions plugins code.

[deads2k]

I am not entirely sure whether this part is relevant to this process, and I think it can be removed without introducing any immediate issues. Have copied this from admissions plugins code.

You should probably leave it for zero config options.

[sakshamsharma]

You should probably leave it for zero config options.

Does that mean I should delete this? I'm sorry, I didn't understand zero config options
Update: So I'll leave this code here.

[deads2k]

I'd like to see this moved to be a peer of AdmissionConfiguration and gain proper validation functions.

There is code duplication that should be resolved, but as a building block, I think this keeps our types closer to where they need to be.

The actual handling of the EncryptionProviderConfigFilepath needs to move into the storage layer apply methods too.

[liggitt]

shouldn't cachesize be part of the config?

nm, misread where this struct was

[sakshamsharma]

It is not specific to the plugin's configuration. It is a property of the envelope transformer. It will also be used by cloudprovidedkms based plugins (example #48574, see configuration in description)

[liggitt]

seems like this should match the config field name, both envelope or both kms

[deads2k]

I think this moves us in the right direction in spite of the debt. Fix the prefix and I can get behind this one.

[sakshamsharma]

Fixed the prefix, and added unit tests. Accidentally closed the PR.

@lavalamp @cheftako Can you PTAL at this? The idea is to mirror the admission plugins code
So no new parameter would be passed from kube-apiserver to the generic apiserver encryption configuration parsing (thus, not affecting other apiservers).
We would register the cloud from the kube-apiserver. Other KMS providers like vault will register themselves to this plugin factory as well. A different apiserver can choose which plugins to register.

[sakshamsharma]

/release-note-none

[cheftako]

Minor tweaks

[cheftako]

Please reorder found vs err handling. Assuming that there is an actual error, reporting that should take precedence. Especially as the failure to find a plugin provider could be the result of the error.

[cheftako]

I would expect that registration is a rare event but that getting a plugin might not be. If so then this might benefit from a RWLock.

[cheftako]

This works but it feels wrong to me to access a map just prior to initializing. May be less work on later devs if you put the nil check first.

[cheftako]

Not sure it is a good idea to hold the lock for this entire method. As it stands there are multiple pieces of code for which you are holding the lock that you do not control and could even be RPC calls. Assuming that the lock is only securing access to the registry object, I would suggest you should create a smaller get method which just access registry with its lock and then call that from here.

[sakshamsharma]

@cheftako Addressed those issues, thanks! I also added support for cloudprovidedkms configuration with tests. It looks almost the same as the KMS one. Another quick pass would be greatly appreciated, since the cloudprovidedkms was something you had recommended.

Example code after this PR in kube-apiserver:

cloudKMSGetter := func (name string) (envelope.Service, error) {
    cloud, err := cloudprovider.InitCloudProvider(s.CloudProvider.CloudProvider, s.CloudProvider.CloudConfigFile)
    // handle err
    return cloud.KeyManagementService(name)
}
encryptionconfig.KMSPluginRegistry.RegisterCloudProvidedKMSPlugin(cloudKMSGetter)

transformerOverrides, err := encryptionconfig.GetTransformerOverrides(s.Etcd.EncryptionProviderConfigFilepath)

No dependency to cloudproviders introduced, no changes in function signature, other apiservers don't break.

If you want to see how #48574 looks after this PR, here's a version based on this PR: https://github.com/sakshamsharma/kubernetes/tree/gkms-with-plugin (commit of note: see latest commit)

Example of how to register vault:

vaultFactory := func (config io.Reader) (envelope.Service, error) {
     // make vault
}
encryptionconfig.KMSPluginRegistry.Register("vault", vaultFactory)

@deads2k @liggitt if this is still acceptable for you, can we merge this in? The other PR can then get in too (basically the changes on the above mentioned branch on my fork) because the controversial part is covered in this one.

[deads2k]

@deads2k @liggitt if this is still acceptable for you, can we merge this in? The other PR can then get in too (basically the changes on the above mentioned branch on my fork) because the controversial part is covered in this one.

I'll merge this bit this it is directly related to the API machinery and gives a good (if slightly debt-y) plugin mechanism. The other implementation pull seems to have slipped past sig-auth until a couple days ago. There probably ought to be more time to comment there.

/lgtm

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, sakshamsharma

Associated issue: 48574

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• staging/src/k8s.io/apiserver/OWNERS [deads2k]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[cheftako]

It feels wrong that we are trying to open/read the file here. It would seem better to just pass this location down to the factory and let it do the read. Especially as in something like a hybrid case this could be a key into a config server or be a file+coordinate into a larger config file. We should need to know or care about such things. However if we insist on opening+reading the file then we end up having to care about these things.

[sakshamsharma]

The admissions factory used this format, which is why I stuck with this. We can change this in a follow-up.
Once this PR is merged, I'll open a new one to change this and remove the reflect mentioned in your 2nd comment, along with some other cleanup.

[deads2k]

It feels wrong that we are trying to open/read the file here. It would seem better to just pass this location down to the factory and let it do the read. Especially as in something like a

To make this API congruent to the admission config, there will be a choice of separate file or embedded content depending the sensitivity (which we don't know since its pluggable) of the config in question.

[sakshamsharma]

An approach which I've proposed earlier, and I've seen used in the cloudproviders package:
Have a field config map[string]interface{} on the KMSConfig struct. Send it to the plugin factory. The plugin factory would use the mapstructure library to parse it into a struct safely. This library is used in certain cloudproviders like openstack.
So this way you can support both config: and configfile: attributes on the kms configuration.

May not be acceptable though, due to a point in the flow where the config is unstructured (it will still be read in a structured form later on). Just putting this out here.

[liggitt]

The reader interface lets you load a structured config from an external file or an inlined config. All our config files should be structured and versioned (see scheduler config, ABAC config, admission config, etc)

[cheftako]

What are we trying to protect ourselves against with this use of reflect? None of our other nil checks use it (other than the place we cut&pasted this code from). When we opened the config reader a nil check was sufficient. This object has not been copied/valueOf so I believe we are pulling in something we are better of without for no good reason.

[deads2k]

What are we trying to protect ourselves against with this use of reflect? None of our other nil checks use it (other than the place we cut&pasted this code from). When we opened the config reader a nil check was sufficient. This object has not been copied/valueOf so I believe we are pulling in something we are better of without for no good reason

Nil versus nil. Is it a nil interface or a non-nil interface with a nil value. It may drop out when these plugin paths are collapsed.

[cheftako]

Would like to see us fix config handling in a later release. Might be good to file an issue on it.

[sakshamsharma]

One of the comments was not in the proper format, and this package was removed from hack/.golint_failures by another PR recently.
@deads2k @cheftako @liggitt Sorry about that, can you please lgtm again?

Update: Something broke pull-kubernetes-bazel it appears. Will track submit queue and update this message when it is fixed.

[deads2k]

/retest

[cjwagner]

bump

[cjwagner]

/test pull-kubernetes-unit

[k8s-github-robot]

Automatic merge from submit-queue