New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an AEAD encrypting transformer for storing secrets encrypted at rest #41939
Changes from all commits
f418468
a73990a
4f27d8f
7827899
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -17,13 +17,14 @@ limitations under the License. | |
package factory | ||
|
||
import ( | ||
"k8s.io/apiserver/pkg/storage" | ||
"k8s.io/apiserver/pkg/storage/etcd3" | ||
"k8s.io/apiserver/pkg/storage/storagebackend" | ||
|
||
"github.com/coreos/etcd/clientv3" | ||
"github.com/coreos/etcd/pkg/transport" | ||
"golang.org/x/net/context" | ||
|
||
"k8s.io/apiserver/pkg/storage" | ||
"k8s.io/apiserver/pkg/storage/etcd3" | ||
"k8s.io/apiserver/pkg/storage/storagebackend" | ||
"k8s.io/apiserver/pkg/storage/value" | ||
) | ||
|
||
func newETCD3Storage(c storagebackend.Config) (storage.Interface, DestroyFunc, error) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't see the similar change for the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same question here, any plan to support etcd2? |
||
|
@@ -55,8 +56,12 @@ func newETCD3Storage(c storagebackend.Config) (storage.Interface, DestroyFunc, e | |
cancel() | ||
client.Close() | ||
} | ||
transformer := c.Transformer | ||
if transformer == nil { | ||
transformer = value.IdentityTransformer | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Are there plans to ever make something other than There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Maaaybe gzip/otherzips? |
||
} | ||
if c.Quorum { | ||
return etcd3.New(client, c.Codec, c.Prefix, etcd3.IdentityTransformer), destroyFunc, nil | ||
return etcd3.New(client, c.Codec, c.Prefix, transformer), destroyFunc, nil | ||
} | ||
return etcd3.NewWithNoQuorumRead(client, c.Codec, c.Prefix, etcd3.IdentityTransformer), destroyFunc, nil | ||
return etcd3.NewWithNoQuorumRead(client, c.Codec, c.Prefix, transformer), destroyFunc, nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How do use the new transformers? Will additional flags be added to https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/server/options/etcd.go#L65 in a follow up PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, working with others to do that (proposal is still being discussed for that part). The transformer interface should be opaque to config and vice versa.