-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding Data Encryption Key (DEK) Key Encryption Key (KEK) integration… #60236
Conversation
/assign @mikedanese |
|
||
// Allow users of the plugin to sense requests that were passed to KMS. | ||
encryptRequest chan *kmsapi.EncryptRequest | ||
decryptRequest chan *kmsapi.DecryptRequest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why are you using channels as opposed to a slice?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was suggested to me in the past that channels are preferred to direct memory access when it comes to communication between GO routines.
Of course, a slice or even kmsapi.EncryptRequest would work just fine here.
|
||
func (r rawDEKKEKSecret) getDEKLen() int { | ||
// DEK's length is stored in the two bytes that follow the prefix. | ||
return int(binary.BigEndian.Uint16(r[len(kmsPrefix) : len(kmsPrefix)+dekKeySizeLen])) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fyi: cryptobyte is a library for reading length prefixed data. we don't have to pull it in just for this though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you.
It would seem that envelop.go would benefit from cryptobyte as well.
decryptRequest chan *kmsapi.DecryptRequest | ||
} | ||
|
||
func NewBase64Plugin() (*base64Plugin, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this seems like it should be a private function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I plan to suggest the use of this mock in grpc_service_unix_test.go.
t.Fatalf("failed to create mock of KMS Plugin: %v", err) | ||
} | ||
defer pluginMock.cleanUp() | ||
go pluginMock.grpcServer.Serve(pluginMock.listener) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
consider wrapping this in a Fatalf()
go t.Fatalf("err serving: %v", pluginMock.grpcServer.Serve(pluginMock.listener))
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe this will block execution of the test on that line.
GO routine would need to wait for the evaluation arguments passed to t.Fatalf - waiting for Server func to exit.
defer test.cleanUp() | ||
|
||
secretETCDPath := test.getETCDPath() | ||
var rawSecretAsSeenByETCD rawDEKKEKSecret |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why are you forward declaring this as opposed to just using := on the next line?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I don't forward declare it as rawDEKKEKSecret, it will become []byte on the next line, and I would have to cast it to rawDEKKEKSecret later.
Would love to know if there is a more elegant way of doing this.
/ok-to-test |
/retest Review the full test history for this PR. Silence the bot with an |
5 similar comments
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest |
/retest Review the full test history for this PR. Silence the bot with an |
5 similar comments
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/lgtm cancel |
/retest |
/retest |
/retest |
/test pull-kubernetes-verify |
/test pull-kubernetes-unit |
… tests via KMS Plugin Mock.
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: immutableT, mikedanese The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Automatic merge from submit-queue (batch tested with PRs 60236, 60332, 57375, 60451, 57408). If you want to cherry-pick this change to another branch, please follow the instructions here. |
… tests via KMS Plugin Mock.
What this PR does / why we need it:
Adding integration tests between KubeAPI and KMS Plugin.
Concretely, this test verifies the following integration contracts:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Release note: