github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Introduce kubeapiserver.config.k8s.io/v1 with EncryptionConfiguration and use a standard method for parsing config file.

Browse Source 
Co-authored-by: Stanislav Laznicka <slaznick@redhat.com>
This commit is contained in:
Slava Semushin
2018-05-02 18:21:38 +02:00
committed by Stanislav Laznicka
parent e0ce8478b2
commit c21cb548e6
11 changed files with 365 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
test/integration/master/secrets_transformation_test.go
View File

@@ -23,7 +23,7 @@ import (
"fmt"
"testing"
"k8s.io/apiserver/pkg/server/options/encryptionconfig"
apiserverconfigv1 "k8s.io/apiserver/pkg/apis/config/v1"
"k8s.io/apiserver/pkg/storage/value"
aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
)
@@ -33,8 +33,8 @@ const (
aesCBCPrefix = "k8s:enc:aescbc:v1:key1:"
aesGCMConfigYAML = `
kind: EncryptionConfig
apiVersion: v1
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
- resources:
- secrets
@@ -46,8 +46,8 @@ resources:
`
aesCBCConfigYAML = `
kind: EncryptionConfig
apiVersion: v1
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
- resources:
- secrets
@@ -59,8 +59,8 @@ resources:
`
identityConfigYAML = `
kind: EncryptionConfig
apiVersion: v1
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
- resources:
- secrets
@@ -72,7 +72,7 @@ resources:
// TestSecretsShouldBeEnveloped is an integration test between KubeAPI and etcd that checks:
// 1. Secrets are encrypted on write
// 2. Secrets are decrypted on read
// when EncryptionConfig is passed to KubeAPI server.
// when EncryptionConfiguration is passed to KubeAPI server.
func TestSecretsShouldBeTransformed(t *testing.T) {
var testCases = []struct {
transformerConfigContent string
@@ -128,7 +128,7 @@ func runBenchmark(b *testing.B, transformerConfig string) {
}
func unSealWithGCMTransformer(cipherText []byte, ctx value.Context,
transformerConfig encryptionconfig.ProviderConfig) ([]byte, error) {
transformerConfig apiserverconfigv1.ProviderConfiguration) ([]byte, error) {
block, err := newAESCipher(transformerConfig.AESGCM.Keys[0].Secret)
if err != nil {
@@ -146,7 +146,7 @@ func unSealWithGCMTransformer(cipherText []byte, ctx value.Context,
}
func unSealWithCBCTransformer(cipherText []byte, ctx value.Context,
transformerConfig encryptionconfig.ProviderConfig) ([]byte, error) {
transformerConfig apiserverconfigv1.ProviderConfiguration) ([]byte, error) {
block, err := newAESCipher(transformerConfig.AESCBC.Keys[0].Secret)
if err != nil {