package server
import (
"fmt"
"net"
"os"
"golang.org/x/net/context"
"golang.org/x/sys/unix"
"google.golang.org/grpc"
gcfg "gopkg.in/gcfg.v1"
pb "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1"
"k8s.io/cloud-provider-openstack/pkg/kms/barbican"
"k8s.io/cloud-provider-openstack/pkg/kms/encryption/aescbc"
"k8s.io/klog"
)
const (
	netProtocol    = "unix"     // KMS plugins are reached only over a local unix-domain socket
	version        = "v1beta1"  // KMS gRPC API version reported back by Version()
	runtimename    = "barbican" // runtime identity reported by Version()
	runtimeversion = "0.0.1"    // plugin release reported by Version() and in the startup log
)
// KMSserver implements the v1beta1 KeyManagementService gRPC API, using an
// AES key fetched from OpenStack Barbican to wrap and unwrap the apiserver's
// data-encryption keys.
type KMSserver struct {
	cfg      barbican.Config          // loaded from the config file by initConfig
	barbican barbican.BarbicanService // fetches the AES key via GetSecret(cfg)
}
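// initConfig reads the gcfg-formatted file at configFilePath into cfg.
//
// gcfg.FatalOnly drops non-fatal gcfg warnings (such as unknown variables),
// so only errors that prevent the file from being parsed are returned.
// NOTE(review): this file presumably carries the Barbican endpoint and
// credentials; it should be readable only by the plugin's user — permissions
// are not checked here.
func initConfig(configFilePath string, cfg *barbican.Config) error {
	f, err := os.Open(configFilePath)
	if err != nil {
		// Check before deferring Close: on failure f is nil and the original
		// ordering deferred Close on a nil *os.File.
		return fmt.Errorf("opening config file %q: %v", configFilePath, err)
	}
	defer f.Close()

	if err := gcfg.FatalOnly(gcfg.ReadInto(cfg, f)); err != nil {
		return fmt.Errorf("parsing config file %q: %v", configFilePath, err)
	}
	return nil
}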
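// Run starts the Barbican KMS gRPC server on the unix socket at socketpath and
// blocks until SIGINT or SIGTERM arrives on sigchan (or sigchan is closed),
// then stops the server gracefully and returns nil. It returns a non-nil error
// if the config cannot be loaded, the socket cannot be bound, or the gRPC
// server stops on its own with an error.
//
// Security note: the socket is created with the process umask and nothing
// here restricts who may connect; any local process able to reach the socket
// can request DEK decryption, so the socket directory must be reachable only
// by the kube-apiserver and this plugin.
func Run(configFilePath string, socketpath string, sigchan <-chan os.Signal) (err error) {
	klog.Infof("Barbican KMS Plugin Starting Version: %s, RunTimeVersion: %s", version, runtimeversion)

	s := &KMSserver{barbican: &barbican.Barbican{}}
	if err = initConfig(configFilePath, &s.cfg); err != nil {
		klog.V(4).Infof("Error in Getting Config File: %v", err)
		return err
	}

	// Remove a stale socket left by a previous run. A missing file is the
	// normal case and not worth logging.
	if err = unix.Unlink(socketpath); err != nil && !os.IsNotExist(err) {
		klog.V(4).Infof("Error to unlink unix socket: %v", err)
	}

	listener, err := net.Listen(netProtocol, socketpath)
	if err != nil {
		// Return to the caller instead of klog.Fatalf: the function already
		// reports config errors by return, and the original `return err`
		// after Fatalf was unreachable.
		return fmt.Errorf("listening on %s socket %q: %v", netProtocol, socketpath, err)
	}

	gServer := grpc.NewServer()
	pb.RegisterKeyManagementServiceServer(gServer, s)

	// Capture Serve's result rather than dropping it with a bare `go`; Serve
	// returns nil only after Stop/GracefulStop, any other return is a failure
	// that would otherwise leave Run blocked waiting for a signal.
	serveErr := make(chan error, 1)
	go func() { serveErr <- gServer.Serve(listener) }()

	for {
		select {
		case err = <-serveErr:
			if err != nil {
				return fmt.Errorf("grpc server stopped: %v", err)
			}
			return nil
		case sig, ok := <-sigchan:
			// A closed sigchan is treated as a shutdown request instead of
			// spinning forever on the zero value.
			if !ok || sig == unix.SIGINT || sig == unix.SIGTERM {
				klog.Infof("force stop, shutting down grpc server")
				gServer.GracefulStop()
				return nil
			}
		}
	}
}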
// Version reports the KMS API version and the plugin's runtime name and
// version to the apiserver. The reply is built purely from the package
// constants; ctx and req are not consulted.
func (s *KMSserver) Version(ctx context.Context, req *pb.VersionRequest) (*pb.VersionResponse, error) {
	klog.V(4).Infof("Version Information Requested by Kubernetes api server")
	return &pb.VersionResponse{
		Version:        version,
		RuntimeName:    runtimename,
		RuntimeVersion: runtimeversion,
	}, nil
}
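// Decrypt unwraps req.Cipher — a DEK previously wrapped by Encrypt — and
// returns the plaintext. The AES key is fetched from Barbican on every call
// (no caching), so Barbican availability directly gates decryption. ctx is
// accepted for the gRPC interface but not forwarded: GetSecret takes no
// context, so a cancelled request still completes the Barbican round trip.
//
// Neither the key nor the plaintext is logged; only the error is, at
// verbosity 4, and the unwrapped error is returned to the apiserver.
//
// NOTE(review): aescbc appears to provide confidentiality only — CBC without
// a MAC does not detect tampering with the stored ciphertext. Confirm that
// integrity is assured elsewhere (e.g. etcd access control) for this
// deployment's threat model.
func (s *KMSserver) Decrypt(ctx context.Context, req *pb.DecryptRequest) (*pb.DecryptResponse, error) {
	klog.V(4).Infof("Decrypt Request by Kubernetes api server")

	key, err := s.barbican.GetSecret(s.cfg)
	if err != nil {
		// Format fixed: the verb belongs after the colon.
		klog.V(4).Infof("Failed to get key: %v", err)
		return nil, err
	}

	plain, err := aescbc.Decrypt(req.Cipher, key)
	if err != nil {
		klog.V(4).Infof("Failed to decrypt data: %v", err)
		return nil, err
	}
	return &pb.DecryptResponse{Plain: plain}, nil
}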
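// Encrypt wraps the apiserver's DEK in req.Plain with the AES key fetched
// from Barbican and returns the ciphertext. The key is fetched on every call
// (no caching). ctx is accepted for the gRPC interface but not forwarded:
// GetSecret takes no context, so cancellation does not abort the Barbican
// round trip.
//
// Neither the key nor the plaintext DEK is logged; only the error is, at
// verbosity 4, and the unwrapped error is returned to the apiserver.
//
// NOTE(review): aescbc appears to be unauthenticated encryption; see the
// matching note on Decrypt about ciphertext integrity.
func (s *KMSserver) Encrypt(ctx context.Context, req *pb.EncryptRequest) (*pb.EncryptResponse, error) {
	klog.V(4).Infof("Encrypt Request by Kubernetes api server")

	key, err := s.barbican.GetSecret(s.cfg)
	if err != nil {
		// Format fixed: the verb belongs after the colon.
		klog.V(4).Infof("Failed to get key: %v", err)
		return nil, err
	}

	cipher, err := aescbc.Encrypt(req.Plain, key)
	if err != nil {
		klog.V(4).Infof("Failed to encrypt data: %v", err)
		return nil, err
	}
	return &pb.EncryptResponse{Cipher: cipher}, nil
}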