KMS vault provider #3
Conversation
Automatic merge from submit-queue fix fuzzer for hostpath type that the path can be an empty string **What this PR does / why we need it**: It seems the path of `HostPath` generated by fuzzer can be an empty string. This is causing [pull-kubernetes-unit](https://k8s-gubernator.appspot.com/builds/kubernetes-jenkins/pr-logs/directory/pull-kubernetes-unit) to fail. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes#51260 **Special notes for your reviewer**: /assign @thockin @luxas @ixdy **Release note**: ```release-note None ```
…oupling Automatic merge from submit-queue (batch tested with PRs 51148, 50816, 49741, 50858, 51223) Enable finalizers independent of GC enablement Decouple finalizer processing from garbage collection configuration. Finalizers should be effective even when garbage collection is disabled for a given store. Fixes kubernetes#50528. ```release-note NONE ``` /cc @kubernetes/sig-api-machinery-bugs /cc @caesarxuchao @liggitt @sttts @pmorie
Automatic merge from submit-queue (batch tested with PRs 51148, 50816, 49741, 50858, 51223) Remove redundant err definition **What this PR does / why we need it**: Remove redundant err definition; err is defined by using "err :=" at line 107 **Release note**: NONE ```release-note ```
Automatic merge from submit-queue (batch tested with PRs 51148, 50816, 49741, 50858, 51223) Add tests around TableConvert and server side printing Also wire in more table printers @fabianofranz
Automatic merge from submit-queue (batch tested with PRs 51148, 50816, 49741, 50858, 51223) cloudprovider.Zones should support external cloud providers **What this PR does / why we need it**: Provides methods in cloudprovider.Zones that allow external cloud providers to set the correct zone labels to nodes. Part of kubernetes#48690 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes#49308 **Special notes for your reviewer**: Should help with getting ccm/external cloud providers to beta. **Release note**: ```release-note cloudprovider.Zones should support external cloud providers ``` cc @luxas @wlan0 @thockin
…irst-class Automatic merge from submit-queue (batch tested with PRs 51148, 50816, 49741, 50858, 51223) openapi: Change references to be first-class **What this PR does / why we need it**: References in the openapi are currently completely hidden from the model, and just passed through as we walk the tree. The problem is that they can have a different description and more importantly, different extensions. Change them to be first-class citizens, and fully part of the model. It means that visitors have to implement one more function and decide if something specific should be done with references. Validation is updated to just completely ignore them and pass through (like it was done before). **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
Automatic merge from submit-queue (batch tested with PRs 51224, 51191, 51158, 50669, 51222) StatefulSet: Deflake e2e "restart" phase. This addresses another source of flakiness found while investigating kubernetes#48031. The test used to scale the StatefulSet down to 0, wait for ListPods to return 0 matching Pods, and then scale the StatefulSet back up. This was prone to a race in which StatefulSet was told to scale back up before it had observed its own deletion of the last Pod, as evidenced by logs showing the creation of Pod ss-1 prior to the creation of the replacement Pod ss-0. Instead, we now wait for the controller to observe all deletions before scaling it back up. This should fix flakes of the form: ``` Too many pods scheduled, expected 1 got 2 ```
Automatic merge from submit-queue (batch tested with PRs 51224, 51191, 51158, 50669, 51222) Fix backward compatibility for renamed OpenAPI definitions Fixes kubernetes#47372
Automatic merge from submit-queue (batch tested with PRs 51224, 51191, 51158, 50669, 51222) Enable overlay2 on cos-m60 in node e2e tests Ref: kubernetes#42926 - Restart docker with `-s overlay2` in cloud-init before running all node e2e tests. I have to copy the systemd unit file to `/etc/systemd/system` because `/usr/lib/systemd/system/` is read-only. - Updated node e2e tests to use the new cos-m60 image. - The name of the cloud init file (`cos-init-live-restore.yaml`) does not indicate overlay2 will be enabled, but I can't just change the name in this PR, since it's referenced in test-infra. **Release note**: ``` None ``` /assign @Random-Liu
Automatic merge from submit-queue (batch tested with PRs 51224, 51191, 51158, 50669, 51222) Modify the initialization of results in generic_scheduler.go Signed-off-by: zhangjie <zhangjie0619@yeah.net> **What this PR does / why we need it**: **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
Automatic merge from submit-queue (batch tested with PRs 51224, 51191, 51158, 50669, 51222) Change the FakeCloudAddressService to store Alpha objects internally The change assumes the compute Alpha object is the superset of the v1 object. By storing the Alpha objects internally in the fake, we can convert them to Beta and v1 to test different functions.
…t-cronjob-utils Automatic merge from submit-queue (batch tested with PRs 50213, 50707, 49502, 51230, 50848) Fix comment of cronjob utils.go **What this PR does / why we need it**: **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes#50951 **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
Automatic merge from submit-queue (batch tested with PRs 50213, 50707, 49502, 51230, 50848) Fix forkedjson.LookupPatchMetadata for pointers. **What this PR does / why we need it**: Fixes a bug in `forkedjson.LookupPatchMetadata`. It is triggered when called with some API objects such as the `Selector` field (a pointer) in https://godoc.org/k8s.io/api/extensions/v1beta1#DeploymentSpec. The provided test case fails without the lines added to `fields.go`. **Which issue this PR fixes** N/A **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
Automatic merge from submit-queue (batch tested with PRs 50213, 50707, 49502, 51230, 50848) Refactor CephFS PV spec **What this PR does / why we need it**: refactor CephFS Volume Persistent Volume Spec so CephFS PV's SecretRef allows referencing a secret from a persistent volume in any namespace. This allows locating credentials for persistent volumes in namespaces other than the one containing the PVC. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes-retired/external-storage#309 **Special notes for your reviewer**: @kubernetes/sig-storage-api-reviews **Release note**: ```release-note Allow CephFS PV to specify a namespace for secret ```
Automatic merge from submit-queue (batch tested with PRs 50213, 50707, 49502, 51230, 50848) StatefulSet: Deflake e2e `kubectl exec` commands. This may help with another source of flakiness found while investigating kubernetes#48031. We seem to get a lot of flakes due to "connection refused" while running `kubectl exec`. I can't find any reason this would be caused by the test flow, so I'm adding retries to see if that helps.
Automatic merge from submit-queue (batch tested with PRs 50213, 50707, 49502, 51230, 50848) Expand the test to include other flags as well **What this PR does / why we need it**: Expand the test to include other flags as well **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ```release-note ``` `NONE`
Automatic merge from submit-queue Always create vendor/BUILD in hack/update-bazel.sh **What this PR does / why we need it**: makes sure there's always a `vendor/BUILD` file. When updating `godeps`, the [instructions](https://github.com/kubernetes/community/blob/master/contributors/devel/godep.md) say to recursively remove `vendor/`, which also removes the `vendor/BUILD` file. Unless you manually recreate this file, running `update-bazel.sh` would instead update the `all-srcs` rule in the root `BUILD.bazel` file, which is not desired. `gazelle` and `kazel` won't create `vendor/BUILD` on their own, since there are no go sources directly in `vendor/`. With this PR, we'll make sure that the `vendor/BUILD` file always exists, creating it if necessary. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes#51075 **Release note**: ```release-note NONE ``` /assign @spxtr @mikedanese cc @thockin
Automatic merge from submit-queue (batch tested with PRs 51229, 50131, 51074, 51167, 51213) Fix typos in kubefed **What this PR does / why we need it**: Fix some typos in kubefed. **Which issue this PR fixes** : fixes # **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
Automatic merge from submit-queue (batch tested with PRs 51229, 50131, 51074, 51167, 51213) [proxy] Clean up LocalPort related functions and structures in proxier.go **What this PR does / why we need it**: See, https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/iptables/proxier.go#L1694 I think RevertPorts() is independent from iptables, and would be used by other proxiers which need to hold/close local ports. Perhaps we can move RevertPorts() from proxier.go to pkg/proxy/util package so that it can be consumed among different proxiers. And, reduce code in proxier.go **Which issue this PR fixes**: fixes kubernetes#51073 **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
Automatic merge from submit-queue (batch tested with PRs 51229, 50131, 51074, 51167, 51213) Allow remote runtimes to pass apparmor host validation **What this PR does / why we need it**: Allow remote runtimes to pass apparmor host validation. **Which issue this PR fixes** : fixes kubernetes#51156 **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
Automatic merge from submit-queue (batch tested with PRs 51229, 50131, 51074, 51167, 51213) Avoid explicit mention of plugin name in error strings.
…WaitForReadyNodes, respectively.
Automatic merge from submit-queue (batch tested with PRs 50919, 51410, 50099, 51300, 50296) Take mount options to GA by adding PV.spec.mountOptions **What this PR does / why we need it**: Implements kubernetes/community#771 issue: kubernetes/enhancements#168 **Special notes for your reviewer**: TODO: - ~StorageClass mountOptions~ As described in proposal, this adds PV.spec.mountOptions + mountOptions parameter to every plugin that is both provisionable & supports mount options. (personally, even having done all the work already, i don't agree w/ the proposal that mountOptions should be SC parameter but... :)) **Release note**: ```release-note Add mount options field to PersistentVolume spec ```
Automatic merge from submit-queue (batch tested with PRs 50919, 51410, 50099, 51300, 50296) GCE: Read networkProjectID param Fixes kubernetes#48515 /assign bowei The first commit is the original PR cherrypicked. The master's kubelet isn't provided a cloud config path, so the project is retrieved via instance metadata. In the GKE case, this project cannot be retrieved by the master and caused an error. **Release note**: ```release-note NONE ```
Automatic merge from submit-queue (batch tested with PRs 50919, 51410, 50099, 51300, 50296) Remove failure check from deployment controller @kubernetes/sig-apps-pr-reviews this check is useless w/o automatic rollback so I am removing it.
…policy Automatic merge from submit-queue (batch tested with PRs 50919, 51410, 50099, 51300, 50296) Remove failure policy from initializer configuration A few reasons: * Implementing fail open initializers increases complexity a lot * We haven't seen strong use cases * We can always add it back
…cekeys Automatic merge from submit-queue (batch tested with PRs 50919, 51410, 50099, 51300, 50296) Add `retainKeys` to patchStrategy for v1 Volumes and extensions/v1beta1 DeploymentStrategy Add `retainKeys` to patchStrategy for v1 Volumes and extensions/v1beta1 DeploymentStrategy. With the new value in `patchStrategy`, the patch will include an optional directive that will tell the apiserver to clear defaulted fields and update. This will resolve issues like kubernetes#34292 (comment) and similar issues caused by defaulting in volume. The change is [backward compatible](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/add-new-patchStrategy-to-clear-fields-not-present-in-patch.md#version-skew). The proposal for this new patch strategy is in https://github.com/kubernetes/community/blob/master/contributors/design-proposals/add-new-patchStrategy-to-clear-fields-not-present-in-patch.md The implementation to support the new patch strategy's logic is in kubernetes#44597 and has been merged in 1.7. ```release-note Add `retainKeys` to patchStrategy for v1 Volumes and extensions/v1beta1 DeploymentStrategy. ``` /assign @apelisse /assign @janetkuo for deployment change /assign @saad-ali for volume change
…erlay Automatic merge from submit-queue (batch tested with PRs 51425, 51404, 51459, 51504, 51488) Remove previous local storage resource name "scratch" and "overlay" Remove previous local storage resource name "scratch" and "overlay" **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: part of kubernetes#50818 **Special notes for your reviewer**: Now local ephemeral storage resource name is "ResourceEphemeralStorage", remove previous names as @vishh suggested in PR kubernetes#51070 **Release note**: ```release-note Remove previous local ephemeral storage resource names: "ResourceStorageOverlay" and "ResourceStorageScratch" ```
Automatic merge from submit-queue (batch tested with PRs 51425, 51404, 51459, 51504, 51488) Admit NoNewPrivs for remote and rkt runtimes **What this PR does / why we need it**: kubernetes#51347 is aiming to admit NoNewPrivs for remote container runtime, but it didn't actually solve the problem. See @miaoyq 's comments [here](kubernetes#51347 (comment)). This PR always admits NoNewPrivs for runtimes except docker, which should fix the problem. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: Fixes kubernetes#51319. **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
Automatic merge from submit-queue (batch tested with PRs 51425, 51404, 51459, 51504, 51488) Use glog instead of fmt.Printf Signed-off-by: sakeven <jc5930@sina.cn> **What this PR does / why we need it**: The log `fmt.Printf` produces is inconsistent with `glog`. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ``` NONE ```
Automatic merge from submit-queue (batch tested with PRs 51425, 51404, 51459, 51504, 51488) fixing package comment of v1 **What this PR does / why we need it**: fixing package comment of v1 in `staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go`. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: `NONE`
Automatic merge from submit-queue (batch tested with PRs 51425, 51404, 51459, 51504, 51488) simplify Run in controllermanager.go **What this PR does / why we need it**: move part of the code in controllermanager.go into createclient, createRecorder and startHTTP functions **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ```release-note None ```
Automatic merge from submit-queue Added an end-to-end test ensuring that Cluster Autoscaler does not scale up when all pending pods are unschedulable **What this PR does / why we need it**: **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
Automatic merge from submit-queue (batch tested with PRs 44719, 48454) Fix handling of APIserver errors when saving provisioned PVs. When API server crashes *after* saving a provisioned PV and before sending 200 OK, the controller tries to save the PV again. In this case, it gets AlreadyExists error, which should be interpreted as success and not as error. Especially, a volume that corresponds to the PV should not be deleted in the underlying storage. Fixes kubernetes#44372 ```release-note NONE ``` @kubernetes/sig-storage-pr-reviews
…dlineSeconds Automatic merge from submit-queue (batch tested with PRs 44719, 48454) check job ActiveDeadlineSeconds **What this PR does / why we need it**: enqueue a sync task after ActiveDeadlineSeconds **Which issue this PR fixes**: fixes kubernetes#32149 **Special notes for your reviewer**: **Release note**: ```release-note enqueue a sync task to wake up jobcontroller to check job ActiveDeadlineSeconds in time ```
Automatic merge from submit-queue (batch tested with PRs 51298, 51510, 51511) GCE: Add a fake forwarding rule service Also add more methods to the address service. These will be used for testing soon.
Automatic merge from submit-queue (batch tested with PRs 51298, 51510, 51511) Add some periods in cloud controller manager's options Add some periods in cloud controller manager's options
Automatic merge from submit-queue (batch tested with PRs 51298, 51510, 51511) modifying the comment of BeforeDelete function to improve readability **What this PR does / why we need it**: modifying the comment of `BeforeDelete` function in `staging/src/k8s.io/apiserver/pkg/registry/rest/delete.go` to improve readability. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: `NONE`
Automatic merge from submit-queue Add Google cloud KMS service for envelope encryption transformer

This adds the required pieces which will allow addition of KMS based encryption providers (envelope transformer). For now, we will be implementing it using Google Cloud KMS, but the code should make it easy to add support for any other such provider which can expose Decrypt and Encrypt calls. Writing tests for Google Cloud KMS Service may cause a significant overhead to the testing framework. It has been tested locally and on GKE though.

Upcoming after this PR:
* Complete implementation of the envelope transformer, which uses LRU cache to maintain decrypted DEKs in memory.
* Track key version to assist in data re-encryption after a KEK rotation.

Development branch containing the changes described above: sakshamsharma#4
Envelope transformer used by this PR was merged in kubernetes#49350
Concerns kubernetes#48522

Planned configuration:

```yaml
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - kms:
          cachesize: 100
          configfile: gcp-cloudkms.conf
          name: gcp-cloudkms
      - identity: {}
```

gcp-cloudkms.conf:

```ini
[GoogleCloudKMS]
kms-location: global
kms-keyring: google-container-engine
kms-cryptokey: example-key
```
@vineet-garg can you rebase

@vineet-garg rebased

@kksriram we are good to merge. vineet-garg/kms-vault-provider is exactly two commits ahead of oracle:for/upstream/master/vault_provider oracle/for/upstream/master/vault_provider...vineet-garg:kms-vault-provider

Something seems off with the current PR. If you rebased the target branch with upstream master, then that means all these changes will also show up in the upstream PR. Most of the commits I see in this PR are from upstream k8s itself.

@jhorwit2 both the source branch vineet-garg:kms-vault-provider and the target branch oracle:for/upstream/master/vault_provider are rebased with kubernetes:master. The diff between the branches is also good as seen here. I don't know why the PR shows all the commits. Note: target branch was rebased AFTER pull request was raised. But overall, is it anything more than a GitHub UI issue?

The branch seems to show up extra commits. Closing this pull request and opening a new one
**What this PR does / why we need it**: Implements encryption provider based on Vault based KMS as described in proposal: PR:888

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #49817

**Special notes for your reviewer**:

**Release note**: encryption provider based on Vault based KMS