Move the common logic of checking for kms-plugin's version into gRPC client interceptor. #84387
/test pull-kubernetes-kubemark-e2e-gce-big
/assign @liggitt
} | ||
|
||
err := invoker(ctx, method, req, reply, cc, opts...) | ||
klog.V(5).Infof("Invoked method:%s, error:%v", method, err) |
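Review bot: The `klog.V(5).Infof("Invoked method:%s, error:%v", method, err)` line after the `invoker(...)` call runs on every intercepted call and prints `error:<nil>` on the success path. Guard it with `if err != nil`, or drop it, so that the message only appears when there is something to investigate.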
do we really want to log on every encrypt/decrypt call? this seems so verbose as to be useless
invoker grpc.UnaryInvoker, | ||
opts ...grpc.CallOption, | ||
) error { | ||
if method != "/v1beta1.KeyManagementService/Version" { |
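Review bot: The string literal in `if method != "/v1beta1.KeyManagementService/Version"` is not checked by the compiler against the method name the client actually sends, so a typo or a later rename changes which calls take this branch without any build error. Use a named constant owned by the versioned package and add a unit test that pins it to the name used for the Version call.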
this leaks details of the v1beta1 implementation in k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1, and if we switch to v1 in the future, would silently be skipped. that needs to be protected against.
@liggitt, all makes sense, PTAL.
5a293e1 to 1ae8f4e
invoker grpc.UnaryInvoker, | ||
opts ...grpc.CallOption, | ||
) error { | ||
if !strings.HasSuffix(method, ".KeyManagementService/Version") { |
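Review bot: The `strings.HasSuffix(method, ".KeyManagementService/Version")` condition accepts any package prefix, so a full method name from another API version or from an unrelated package that ends in the same suffix is classified as the version call. Compare against the exact full method name or names this client supports, so that an unrecognized name is never treated as the version check.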
I was thinking more of letting this be a check in the api package (e.g. IsVersionCheckMethod(method)) to prevent other packages from needing to know about the service/method name
@liggitt, I like the idea of IsVersionCheckMethod, though I am not sure what you mean by the "api package". Could you please clarify this for me?
The k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1 package is the one that knows the service/method name corresponding to the version check. It would make sense to contain that knowledge to that package.
@liggitt Makes sense. PTAL.
1ae8f4e to bea3b72
@@ -0,0 +1,23 @@ | |||
/* | |||
Copyright 2017 The Kubernetes Authors. |
nit: 2019
Done.
nit on copyright, lgtm otherwise /approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: immutableT, liggitt
…client interceptor.
bea3b72 to d2b4723
/lgtm
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
This PR reduces code duplication that currently exists between the Encrypt and Decrypt methods of the KMS service.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
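
A standard-library-only model of the pattern the review converges on, added here as an example and not code from this PR or from Kubernetes: the method name lives behind an exact-match `IsVersionCheckMethod`, and the interceptor gates every other call on one cached version check. The `invoker` type, the `versionGate` helper and the expected version `"v1beta1"` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sync"
)

const versionMethod = "/v1beta1.KeyManagementService/Version" // full method name quoted in the review thread

// IsVersionCheckMethod is an exact match: an unknown or re-versioned name is not the version check.
func IsVersionCheckMethod(method string) bool { return method == versionMethod }

// invoker is a simplified, hypothetical stand-in for grpc.UnaryInvoker.
type invoker func(method string) (string, error)

// versionGate (hypothetical) remembers one successful version check.
type versionGate struct {
	mu       sync.Mutex
	verified bool
	want     string // expected plugin version (assumed value)
}

// Intercept forwards the version call as-is and gates every other method.
func (g *versionGate) Intercept(method string, next invoker) (string, error) {
	if !IsVersionCheckMethod(method) {
		if err := g.ensure(next); err != nil {
			return "", err
		}
	}
	return next(method)
}

// ensure checks the version once; a failure is not cached, so later calls retry.
func (g *versionGate) ensure(next invoker) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	if !g.verified {
		got, err := next(versionMethod)
		if err != nil || got != g.want {
			return fmt.Errorf("kms-plugin version check failed: got %q, err %v", got, err)
		}
		g.verified = true
	}
	return nil
}

func main() {
	g := &versionGate{want: "v1beta1"} // constructed fake plugin below always answers "v1beta1"
	fmt.Println(g.Intercept("/v1beta1.KeyManagementService/Encrypt", func(string) (string, error) { return "v1beta1", nil }))
}
```

Because the match is exact, a future `/v1.KeyManagementService/Version` call is gated like any other method instead of being silently passed through.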