Update to newest imgcrypt, aufs and zfs
Older versions transitively dragged in k8s.io/kubernetes, the newer versions do not. Signed-off-by: Davanum Srinivas <davanum@gmail.com>
This commit is contained in:
Davanum Srinivas
111
vendor/github.com/containers/ocicrypt/config/constructors.go
generated
vendored
111
vendor/github.com/containers/ocicrypt/config/constructors.go
generated
vendored
@@ -17,7 +17,11 @@
|
||||
package config
|
||||
|
||||
import (
|
||||
"github.com/containers/ocicrypt/crypto/pkcs11"
|
||||
"strings"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"gopkg.in/yaml.v2"
|
||||
)
|
||||
|
||||
// EncryptWithJwe returns a CryptoConfig to encrypt with jwe public keys
|
||||
@@ -70,6 +74,88 @@ func EncryptWithGpg(gpgRecipients [][]byte, gpgPubRingFile []byte) (CryptoConfig
|
||||
}, nil
|
||||
}
|
||||
|
||||
// EncryptWithPkcs11 returns a CryptoConfig to encrypt with configured pkcs11 parameters
|
||||
func EncryptWithPkcs11(pkcs11Config *pkcs11.Pkcs11Config, pkcs11Pubkeys, pkcs11Yamls [][]byte) (CryptoConfig, error) {
|
||||
dc := DecryptConfig{}
|
||||
ep := map[string][][]byte{}
|
||||
|
||||
if len(pkcs11Yamls) > 0 {
|
||||
if pkcs11Config == nil {
|
||||
return CryptoConfig{}, errors.New("pkcs11Config must not be nil")
|
||||
}
|
||||
p11confYaml, err := yaml.Marshal(pkcs11Config)
|
||||
if err != nil {
|
||||
return CryptoConfig{}, errors.Wrapf(err, "Could not marshal Pkcs11Config to Yaml")
|
||||
}
|
||||
|
||||
dc = DecryptConfig{
|
||||
Parameters: map[string][][]byte{
|
||||
"pkcs11-config": {p11confYaml},
|
||||
},
|
||||
}
|
||||
ep["pkcs11-yamls"] = pkcs11Yamls
|
||||
}
|
||||
if len(pkcs11Pubkeys) > 0 {
|
||||
ep["pkcs11-pubkeys"] = pkcs11Pubkeys
|
||||
}
|
||||
|
||||
return CryptoConfig{
|
||||
EncryptConfig: &EncryptConfig{
|
||||
Parameters: ep,
|
||||
DecryptConfig: dc,
|
||||
},
|
||||
DecryptConfig: &dc,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// EncryptWithKeyProvider returns a CryptoConfig to encrypt with configured keyprovider parameters
|
||||
func EncryptWithKeyProvider(keyProviders [][]byte) (CryptoConfig, error) {
|
||||
dc := DecryptConfig{}
|
||||
ep := make(map[string][][]byte)
|
||||
for _, keyProvider := range keyProviders {
|
||||
keyProvidersStr := string(keyProvider)
|
||||
idx := strings.Index(keyProvidersStr, ":")
|
||||
if idx > 0 {
|
||||
ep[keyProvidersStr[:idx]] = append(ep[keyProvidersStr[:idx]], []byte(keyProvidersStr[idx+1:]))
|
||||
} else {
|
||||
ep[keyProvidersStr] = append(ep[keyProvidersStr], []byte("Enabled"))
|
||||
}
|
||||
}
|
||||
|
||||
return CryptoConfig{
|
||||
EncryptConfig: &EncryptConfig{
|
||||
Parameters: ep,
|
||||
DecryptConfig: dc,
|
||||
},
|
||||
DecryptConfig: &dc,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// DecryptWithKeyProvider returns a CryptoConfig to decrypt with configured keyprovider parameters
|
||||
func DecryptWithKeyProvider(keyProviders [][]byte) (CryptoConfig, error) {
|
||||
dp := make(map[string][][]byte)
|
||||
ep := map[string][][]byte{}
|
||||
for _, keyProvider := range keyProviders {
|
||||
keyProvidersStr := string(keyProvider)
|
||||
idx := strings.Index(keyProvidersStr, ":")
|
||||
if idx > 0 {
|
||||
dp[keyProvidersStr[:idx]] = append(dp[keyProvidersStr[:idx]], []byte(keyProvidersStr[idx+1:]))
|
||||
} else {
|
||||
dp[keyProvidersStr] = append(dp[keyProvidersStr], []byte("Enabled"))
|
||||
}
|
||||
}
|
||||
dc := DecryptConfig{
|
||||
Parameters: dp,
|
||||
}
|
||||
return CryptoConfig{
|
||||
EncryptConfig: &EncryptConfig{
|
||||
Parameters: ep,
|
||||
DecryptConfig: dc,
|
||||
},
|
||||
DecryptConfig: &dc,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// DecryptWithPrivKeys returns a CryptoConfig to decrypt with configured private keys
|
||||
func DecryptWithPrivKeys(privKeys [][]byte, privKeysPasswords [][]byte) (CryptoConfig, error) {
|
||||
if len(privKeys) != len(privKeysPasswords) {
|
||||
@@ -132,3 +218,28 @@ func DecryptWithGpgPrivKeys(gpgPrivKeys, gpgPrivKeysPwds [][]byte) (CryptoConfig
|
||||
DecryptConfig: &dc,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// DecryptWithPkcs11Yaml returns a CryptoConfig to decrypt with pkcs11 YAML formatted key files
|
||||
func DecryptWithPkcs11Yaml(pkcs11Config *pkcs11.Pkcs11Config, pkcs11Yamls [][]byte) (CryptoConfig, error) {
|
||||
p11confYaml, err := yaml.Marshal(pkcs11Config)
|
||||
if err != nil {
|
||||
return CryptoConfig{}, errors.Wrapf(err, "Could not marshal Pkcs11Config to Yaml")
|
||||
}
|
||||
|
||||
dc := DecryptConfig{
|
||||
Parameters: map[string][][]byte{
|
||||
"pkcs11-yamls": pkcs11Yamls,
|
||||
"pkcs11-config": {p11confYaml},
|
||||
},
|
||||
}
|
||||
|
||||
ep := map[string][][]byte{}
|
||||
|
||||
return CryptoConfig{
|
||||
EncryptConfig: &EncryptConfig{
|
||||
Parameters: ep,
|
||||
DecryptConfig: dc,
|
||||
},
|
||||
DecryptConfig: &dc,
|
||||
}, nil
|
||||
}
|
||||
|
||||
81
vendor/github.com/containers/ocicrypt/config/keyprovider-config/config.go
generated
vendored
Normal file
81
vendor/github.com/containers/ocicrypt/config/keyprovider-config/config.go
generated
vendored
Normal file
@@ -0,0 +1,81 @@
|
||||
/*
|
||||
Copyright The ocicrypt Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package config
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"github.com/pkg/errors"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
)
|
||||
|
||||
// Command describes the structure of command, it consist of path and args, where path defines the location of
|
||||
// binary executable and args are passed on to the binary executable
|
||||
type Command struct {
|
||||
Path string `json:"path,omitempty"`
|
||||
Args []string `json:"args,omitempty"`
|
||||
}
|
||||
|
||||
// KeyProviderAttrs describes the structure of key provider, it defines the way of invocation to key provider
|
||||
type KeyProviderAttrs struct {
|
||||
Command *Command `json:"cmd,omitempty"`
|
||||
Grpc string `json:"grpc,omitempty"`
|
||||
}
|
||||
|
||||
// OcicryptConfig represents the format of an ocicrypt_provider.conf config file
|
||||
type OcicryptConfig struct {
|
||||
KeyProviderConfig map[string]KeyProviderAttrs `json:"key-providers"`
|
||||
}
|
||||
|
||||
const ENVVARNAME = "OCICRYPT_KEYPROVIDER_CONFIG"
|
||||
|
||||
// parseConfigFile parses a configuration file; it is not an error if the configuration file does
|
||||
// not exist, so no error is returned.
|
||||
func parseConfigFile(filename string) (*OcicryptConfig, error) {
|
||||
// a non-existent config file is not an error
|
||||
_, err := os.Stat(filename)
|
||||
if os.IsNotExist(err) {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
data, err := ioutil.ReadFile(filename)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
ic := &OcicryptConfig{}
|
||||
err = json.Unmarshal(data, ic)
|
||||
return ic, err
|
||||
}
|
||||
|
||||
// getConfiguration tries to read the configuration file at the following locations
|
||||
// ${OCICRYPT_KEYPROVIDER_CONFIG} == "/etc/ocicrypt_keyprovider.yaml"
|
||||
// If no configuration file could be found or read a null pointer is returned
|
||||
func GetConfiguration() (*OcicryptConfig, error) {
|
||||
var ic *OcicryptConfig
|
||||
var err error
|
||||
filename := os.Getenv(ENVVARNAME)
|
||||
if len(filename) > 0 {
|
||||
ic, err = parseConfigFile(filename)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "Error while parsing keyprovider config file")
|
||||
}
|
||||
} else {
|
||||
return nil, nil
|
||||
}
|
||||
return ic, nil
|
||||
}
|
||||
Reference in New Issue
Block a user