Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encryption config: correctly handle overlapping providers #82434

Merged
merged 1 commit into from
Sep 12, 2019
Merged

Encryption config: correctly handle overlapping providers #82434

merged 1 commit into from
Sep 12, 2019

Conversation

enj
Copy link
Member

@enj enj commented Sep 6, 2019

This change updates NewPrefixTransformers to not short-circuit on
the first transformer that has a matching prefix. If the same type
of encryption ProviderConfiguration is used more than once, they
will share the same prefix. A failure in the first one should not
prevent a later match from being attempted.

Added TestCBCKeyRotationWithOverlappingProviders unit test to
prevent regressions. Note that this test explicitly exercises this
flow using an EncryptionConfiguration object as the structure of the
resulting transformer is an important part of the check.

Signed-off-by: Monis Khan mkhan@redhat.com

/kind bug

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Sep 6, 2019
@enj
Copy link
Member Author

enj commented Sep 6, 2019

/priority important-soon

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Sep 6, 2019
@enj
Copy link
Member Author

enj commented Sep 6, 2019

/retest

smarterclayton
smarterclayton reviewed Sep 6, 2019
View reviewed changes
staging/src/k8s.io/apiserver/pkg/storage/value/transformer.go Outdated
// but a failure in the first one should not prevent a later match from being attempted.
// Thus we never short-circuit on a prefix match that results in an error.
if err != nil {
lastErr = err
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use the last err or the first err?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not know if there a good way to say which error is the most useful. They are all equal in my mind because they match the required prefix.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also they are likely to all be the same, some variation on:

no matching key was found for the provided AES transformer

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also they are likely to all be the same, some variation on:

no matching key was found for the provided AES transformer

Hmm that may be too broad in the case of you accidentally changing the key but not its name. I can aggregate them all?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or summarize? If we have to live debug this it’s has gotten really real and we’re likely to be panicking

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@enj
Encryption config: correctly handle overlapping providers
4dc16f2 
This change updates NewPrefixTransformers to not short-circuit on
the first transformer that has a matching prefix.  If the same type
of encryption ProviderConfiguration is used more than once, they
will share the same prefix.  A failure in the first one should not
prevent a later match from being attempted.

Added TestCBCKeyRotationWithOverlappingProviders unit test to
prevent regressions.  Note that this test explicitly exercises this
flow using an EncryptionConfiguration object as the structure of the
resulting transformer is an important part of the check.

Signed-off-by: Monis Khan <mkhan@redhat.com>
@enj enj force-pushed the enj/i/enc_overlapping_prefix branch from 3bf06e7 to 4dc16f2 Compare September 6, 2019 19:14
@smarterclayton
Copy link
Contributor

/lgtm
/approve

For 1.17 and backport to 1.16/1.15

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 6, 2019
@enj
Copy link
Member Author

enj commented Sep 6, 2019

/cherrypick release-1.16

@enj
Copy link
Member Author

enj commented Sep 6, 2019

/cherrypick release-1.15

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, smarterclayton

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 6, 2019
@enj
Copy link
Member Author

enj commented Sep 6, 2019

/retest

@k8s-ci-robot k8s-ci-robot merged commit 0328625 into kubernetes:master Sep 12, 2019
@k8s-ci-robot k8s-ci-robot added this to the v1.17 milestone Sep 12, 2019
@enj
Copy link
Member Author

enj commented Sep 12, 2019

/cherrypick release-1.16

@enj enj mentioned this pull request Sep 12, 2019
Merged
k8s-ci-robot added a commit that referenced this pull request Sep 29, 2019
@k8s-ci-robot
Merge pull request #82637 from enj/automated-cherry-pick-of-#82434-up…
80bd714 
…stream-release-1.16

Automated cherry pick of #82434: Encryption config: correctly handle overlapping providers
@enj enj mentioned this pull request Nov 2, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smarterclayton smarterclayton smarterclayton left review comments

@liggitt liggitt Awaiting requested review from liggitt

@mikedanese mikedanese Awaiting requested review from mikedanese

Assignees

@smarterclayton smarterclayton

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.17
Development

Successfully merging this pull request may close these issues.
3 participants
@enj @smarterclayton @k8s-ci-robot