
[KMSv2] Generate proto API and update feature gate for beta
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
aramase committed Mar 14, 2023
1 parent 1cb3349 commit ad698cc
Showing 20 changed files with 102 additions and 102 deletions.
3 changes: 2 additions & 1 deletion staging/src/k8s.io/apiserver/pkg/features/kube_features.go
Expand Up @@ -125,6 +125,7 @@ const (
// owner: @aramase
// kep: https://kep.k8s.io/3299
// alpha: v1.25
// beta: v1.27
//
// Enables KMS v2 API for encryption at rest.
KMSv2 featuregate.Feature = "KMSv2"
Expand Down Expand Up @@ -244,7 +245,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS

EfficientWatchResumption: {Default: true, PreRelease: featuregate.GA, LockToDefault: true},

KMSv2: {Default: false, PreRelease: featuregate.Alpha},
KMSv2: {Default: true, PreRelease: featuregate.Beta},

OpenAPIEnums: {Default: true, PreRelease: featuregate.Beta},

Expand Up @@ -108,7 +108,7 @@ func (t *testKMSv2EnvelopeService) Status(ctx context.Context) (*kmsservice.Stat
if t.err != nil {
return nil, t.err
}
return &kmsservice.StatusResponse{Healthz: "ok", KeyID: t.keyID, Version: "v2alpha1"}, nil
return &kmsservice.StatusResponse{Healthz: "ok", KeyID: t.keyID, Version: "v2beta1"}, nil
}

// The factory method to create mock envelope service.
Expand Down Expand Up @@ -1565,19 +1565,19 @@ func TestIsKMSv2ProviderHealthyError(t *testing.T) {
statusResponse: &kmsservice.StatusResponse{
Healthz: "unhealthy",
},
expectedErr: "got unexpected healthz status: unhealthy, expected KMSv2 API version v2alpha1, got , got invalid KMSv2 KeyID ",
expectedErr: "got unexpected healthz status: unhealthy, expected KMSv2 API version v2beta1, got , got invalid KMSv2 KeyID ",
wantMetrics: `
# HELP apiserver_envelope_encryption_invalid_key_id_from_status_total [ALPHA] Number of times an invalid keyID is returned by the Status RPC call split by error.
# TYPE apiserver_envelope_encryption_invalid_key_id_from_status_total counter
apiserver_envelope_encryption_invalid_key_id_from_status_total{error="empty",provider_name="testplugin"} 1
`,
},
{
desc: "version is not v2alpha1",
desc: "version is not v2beta1",
statusResponse: &kmsservice.StatusResponse{
Version: "v1beta1",
},
expectedErr: "got unexpected healthz status: , expected KMSv2 API version v2alpha1, got v1beta1, got invalid KMSv2 KeyID ",
expectedErr: "got unexpected healthz status: , expected KMSv2 API version v2beta1, got v1beta1, got invalid KMSv2 KeyID ",
wantMetrics: `
# HELP apiserver_envelope_encryption_invalid_key_id_from_status_total [ALPHA] Number of times an invalid keyID is returned by the Status RPC call split by error.
# TYPE apiserver_envelope_encryption_invalid_key_id_from_status_total counter
Expand All @@ -1588,7 +1588,7 @@ func TestIsKMSv2ProviderHealthyError(t *testing.T) {
desc: "missing keyID",
statusResponse: &kmsservice.StatusResponse{
Healthz: "ok",
Version: "v2alpha1",
Version: "v2beta1",
},
expectedErr: "got invalid KMSv2 KeyID ",
wantMetrics: `
Expand All @@ -1601,7 +1601,7 @@ func TestIsKMSv2ProviderHealthyError(t *testing.T) {
desc: "invalid long keyID",
statusResponse: &kmsservice.StatusResponse{
Healthz: "ok",
Version: "v2alpha1",
Version: "v2beta1",
KeyID: sampleInvalidKeyID,
},
expectedErr: "got invalid KMSv2 KeyID ",
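Review bot: The table in TestIsKMSv2ProviderHealthyError only uses `v1beta1` as the mismatching version, so nothing pins that a plugin still reporting the previous `v2alpha1` string is now rejected. Since this commit makes `v2beta1` the expected value, a case with `Version: "v2alpha1",` and an `expectedErr` containing `expected KMSv2 API version v2beta1, got v2alpha1` would document the upgrade behaviour and catch an accidental fallback later. The test function starts and ends outside the visible hunks, so the healthz/KeyID fields and `wantMetrics` of the new case have to follow the neighbouring entries.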
Expand Up @@ -32,7 +32,7 @@ import (
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/storage/value"
aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1"
kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2"
"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
"k8s.io/klog/v2"
kmsservice "k8s.io/kms/pkg/service"
Expand All @@ -46,7 +46,7 @@ func init() {

const (
// KMSAPIVersion is the version of the KMS API.
KMSAPIVersion = "v2alpha1"
KMSAPIVersion = "v2beta1"
// annotationsMaxSize is the maximum size of the annotations.
annotationsMaxSize = 32 * 1024 // 32 kB
// KeyIDMaxSize is the maximum size of the keyID.
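Review bot: The comment on `KMSAPIVersion` does not say that the constant is an exact-match requirement. Judging from the test expectations elsewhere in this commit ("expected KMSv2 API version v2beta1, got …"), a plugin whose Status call still returns `v2alpha1` will presumably be reported unhealthy after this change. For an encryption-at-rest dependency that is an availability concern on upgrade, so it is worth stating at the definition: `// KMSAPIVersion is the only version a KMS v2 plugin may report from Status; plugins still reporting v2alpha1 fail the health check.` The const block continues past the end of the hunk.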
Expand Up @@ -35,7 +35,7 @@ import (
"k8s.io/apimachinery/pkg/util/uuid"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/storage/value"
kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1"
kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2"
"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
"k8s.io/component-base/metrics/legacyregistry"
"k8s.io/component-base/metrics/testutil"
Expand Up @@ -29,7 +29,7 @@ import (
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
"k8s.io/klog/v2"
kmsapi "k8s.io/kms/apis/v2alpha1"
kmsapi "k8s.io/kms/apis/v2"
kmsservice "k8s.io/kms/pkg/service"
"k8s.io/kms/pkg/util"
)
Expand Up @@ -25,11 +25,10 @@ import (
"testing"
"time"

"k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
mock "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2alpha1"
mock "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2"
"k8s.io/component-base/metrics/testutil"

"k8s.io/apimachinery/pkg/util/uuid"
kmsservice "k8s.io/kms/pkg/service"
)

Expand Down Expand Up @@ -441,7 +440,7 @@ func TestKMSOperationsMetric(t *testing.T) {
t.Fatalf("failed when execute encrypt, error: %v", err)
}
},
labelValues: []string{testProviderName, "/v2alpha1.KeyManagementService/Encrypt", "OK"},
labelValues: []string{testProviderName, "/v2.KeyManagementService/Encrypt", "OK"},
wantCount: 1,
},
{
Expand All @@ -451,7 +450,7 @@ func TestKMSOperationsMetric(t *testing.T) {
t.Fatalf("failed when execute decrypt, error: %v", err)
}
},
labelValues: []string{testProviderName, "/v2alpha1.KeyManagementService/Decrypt", "OK"},
labelValues: []string{testProviderName, "/v2.KeyManagementService/Decrypt", "OK"},
wantCount: 1,
},
{
Expand All @@ -461,7 +460,7 @@ func TestKMSOperationsMetric(t *testing.T) {
t.Fatalf("failed when execute status, error: %v", err)
}
},
labelValues: []string{testProviderName, "/v2alpha1.KeyManagementService/Status", "OK"},
labelValues: []string{testProviderName, "/v2.KeyManagementService/Status", "OK"},
wantCount: 1,
},
{
Expand All @@ -473,7 +472,7 @@ func TestKMSOperationsMetric(t *testing.T) {
}
}
},
labelValues: []string{testProviderName, "/v2alpha1.KeyManagementService/Status", "OK"},
labelValues: []string{testProviderName, "/v2.KeyManagementService/Status", "OK"},
wantCount: 10,
},
}
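Review bot: The four `labelValues` entries repeat the service path as a literal (`"/v2.KeyManagementService/Encrypt"` and so on), which hides that this string is the gRPC method name and so a rename at both the wire and the metrics level. A plugin that registers only the `v2alpha1` service would presumably no longer be reachable under the new path, and queries or alerts that select on the old label value stop matching without any error. I would add a short comment above the table, `// The method label is the full gRPC method name, which includes the KMS API proto package (v2).`, and consider building the four values from one prefix constant. TestKMSOperationsMetric begins and ends outside the hunks shown.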


Expand Up @@ -17,8 +17,8 @@ limitations under the License.
// To regenerate api.pb.go run `hack/update-codegen.sh protobindings`
syntax = "proto3";

package v2alpha1;
option go_package = "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1";
package v2;
option go_package = "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2";

// EncryptedObject is the representation of data stored in etcd after envelope encryption.
message EncryptedObject {
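Review bot: `EncryptedObject` is described just below the rename as the representation stored in etcd, yet the package change from `v2alpha1` to `v2` carries no comment about data already written by an alpha apiserver. Protobuf message encoding does not include the package name, so existing records should still decode provided no field number or type changed, but the message body lies outside this hunk and that cannot be confirmed here. A comment on the message such as `// Field numbers and types are persisted in etcd; they must stay compatible with objects written under the former v2alpha1 package.` would make the constraint explicit for later edits.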
Expand Up @@ -14,5 +14,5 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

// Package v2alpha1 contains definition of kms-plugin's gRPC service.
package v2alpha1
// Package v2 contains definition of kms-plugin's serialized types.
package v2
Expand Up @@ -17,7 +17,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

package v2alpha1
package v2

import (
"context"
Expand All @@ -36,15 +36,15 @@ import (

"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/klog/v2"
kmsapi "k8s.io/kms/apis/v2alpha1"
kmsapi "k8s.io/kms/apis/v2"
)

const (
// Now only supported unix domain socket.
unixProtocol = "unix"

// Current version for the protocol interface definition.
kmsapiVersion = "v2alpha1"
kmsapiVersion = "v2beta1"
)

// Base64Plugin gRPC sever for a mock KMS provider.
