github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
123,232 Commits 1 Branch 31 Tags
0c955f7cbb1fa40e44f99153358928ef306bceda
Commit Graph

91 Commits

Author SHA1 Message Date
Antonio Ojea
6552f2710f use default flags for apiserver on integration tests 2024-06-04 22:09:35 +00:00
Stephen Kitt
5300466a5c Use canonical json-patch v4 import 
The canonical import for json-patch v4 is
gopkg.in/evanphx/json-patch.v4 (see
https://github.com/evanphx/json-patch/blob/master/README.md#get-it for
reference).

Using the v4-specific path should also reduce the risk of unwanted v5
upgrade attempts, because they won't be offered as automated upgrades
by dependency upgrade management tools, and they won't happen through
indirect dependencies (see
https://github.com/kubernetes/kubernetes/pull/120327 for context).

Signed-off-by: Stephen Kitt <skitt@redhat.com>
 2024-05-28 10:48:22 +02:00
Patrick Ohly
b92273a760 apiserver + controllers: enhance context support 
27a68aee3a introduced context support for events. Creating an event
broadcaster with context makes tests more resilient against leaking goroutines
when that context gets canceled at the end of a test and enables per-test
output via ktesting.

The context could get passed to the constructor. A cleaner solution is to
enhance context support for the apiserver and then pass the context into the
controller's run method. This ripples up the call stack to all places which
start an apiserver.
 2024-04-29 20:59:21 +02:00
Dr. Stefan Schimanski
3b6d2a66a4 pkg/controlplane: split apart generic server part of instance.go 
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
 2024-04-29 10:15:02 +02:00
Marek Siarkowicz
3ee8178768 Cleanup defer from SetFeatureGateDuringTest function call 2024-04-24 20:25:29 +02:00
Anish Ramasekar
8d563c2cde Revert "Run controlplane/transformation integration tests in parallel" 2024-04-23 13:48:33 -07:00
Anish Ramasekar
689363be06 Run transformation integration tests in parallel 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
 2024-04-22 09:46:42 -07:00
Anish Ramasekar
1e048d5f24 generate unique UDS path for transformation integration tests 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
 2024-04-22 09:42:16 -07:00
Patrick Ohly
1d653e6185 test: use cancelation from ktesting 
The return type of ktesting.NewTestContext is now a TContext. Code
which combined it WithCancel often didn't compile anymore (cannot overwrite
ktesting.TContext with context.Context). This is a good thing because all of
that code can be simplified to let ktesting handle the cancelation.
 2024-03-01 07:51:22 +01:00
Anish Ramasekar
77241d3125 Add apiserver_encryption_config_controller_automatic_reloads_total 
metric

- Adds `apiserver_encryption_config_controller_automatic_reloads_total`
  metric with status label for encryption config reload success/failure.
- Deprecated `apiserver_encryption_config_controller_automatic_reload_failures_total` and `apiserver_encryption_config_controller_automatic_reload_success_total`

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
 2024-02-12 21:47:46 -08:00
Anish Ramasekar
75695dae10 move encryption config types to standard API server config location 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
 2023-12-18 20:54:24 +00:00
Nilekh Chaudhari
e95b7c6d8b feat: updates encryption config file watch logic to polling 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

fix (#2)

Signed-off-by: Monis Khan <mok@microsoft.com>
 2023-10-30 16:20:39 +00:00
Kubernetes Prow Robot
ebf46ce1b4 Merge pull request #121485 from ritazh/kmsv2-ga 
[KMSv2] promote KMSv2 and KMSv2KDF to GA
 2023-10-27 02:23:50 +02:00
Rita Zhang
a9b1adbafc [KMSv2] promote KMSv2 and KMSv2KDF to GA 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
 2023-10-26 15:05:31 -07:00
Nilekh Chaudhari
a92c1269e2 test: fixes hot reload flake 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
 2023-10-25 01:14:00 +00:00
Nilekh Chaudhari
71a1565d06 revert: reverts fixes for TestEncryptionConfigHotReload flake 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
 2023-10-25 01:08:04 +00:00
Nilekh Chaudhari
d9c967113f tests: fixes flake in TestEncryptionConfigHotReload 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
 2023-10-23 18:03:05 +00:00
Rita Zhang
7710128636 kms: remove livez check 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
 2023-09-12 08:48:26 -07:00
Rita Zhang
43ccf6c4e8 kmsv2: add apiserver identity to metrics 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
 2023-09-09 15:31:32 -07:00
Monis Khan
657cc2045e kmsv2: enable KMSv2KDF feature gate by default 
Signed-off-by: Monis Khan <mok@microsoft.com>
 2023-09-05 15:20:10 -04:00
Monis Khan
95121fe846 kmsv2: add legacy data integration test 
Signed-off-by: Monis Khan <mok@microsoft.com>
 2023-09-01 15:33:28 -04:00
Kubernetes Prow Robot
a99e377a54 Merge pull request #120221 from enj/enj/i/kms_cache_metrics_lock 
kmsv2: fix race in simpleCache.set when setting cache size metric
 2023-09-01 10:00:31 -07:00
Monis Khan
b10697c788 kmsv2: fix race in simpleCache.set when setting cache size metric 
Signed-off-by: Monis Khan <mok@microsoft.com>
 2023-08-31 16:26:58 -04:00
Kubernetes Prow Robot
9c25ce6f3e Merge pull request #119540 from SataQiu/clean-apiserver-20230724 
Remove the deprecated kube-apiserver identity lease garbage collector for k8s.io/component=kube-apiserver
 2023-08-28 10:49:42 -07:00
Rita Zhang
d86e72202c kmsv2 test feature enablement unit test 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
 2023-08-18 15:28:32 -07:00
Rita Zhang
67769438e1 kmsv2 test feature enablement disablement and restart 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
 2023-07-25 09:50:59 -07:00
SataQiu
213ed03c00 remove deprecated kube-apiserver identity lease garbage collector 2023-07-25 10:10:18 +08:00
Kubernetes Prow Robot
773a6b1e46 Merge pull request #118828 from enj/enj/f/kms_v2_hkdf_expand 
kmsv2: KDF based nonce extension
 2023-07-21 16:10:19 -07:00
Monis Khan
bf49c727ba kmsv2: KDF based nonce extension 
Signed-off-by: Monis Khan <mok@microsoft.com>
 2023-07-21 15:25:52 -04:00
Richa Banker
cd5f3d9f9d Add impl for uvip 2023-07-18 17:36:22 -07:00
Nilekh Chaudhari
131216fa8f chore: hashes keyID 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
 2023-07-13 20:42:09 +00:00
HirazawaUi
5289a7b029 fix fd leaks and failed file removing for test directory 2023-05-09 09:22:31 -05:00
Kubernetes Prow Robot
8a58c00c2a Merge pull request #117735 from nilekhc/fix-TestKMSv2Healthz-flake 
[KMSv2] fix: fixes flake in TestKMSv2Healthz
 2023-05-04 15:45:33 -07:00
Kante Yin
a7035f5459 Pass Context to StartTestServer 
Signed-off-by: Kante Yin <kerthcet@gmail.com>
 2023-05-04 10:25:09 +08:00
Nilekh Chaudhari
9d19c207d2 fix: fixes flake in TestKMSv2Healthz 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
 2023-05-02 21:01:48 +00:00
Rita Zhang
906f0607ef Clean up kms test 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
 2023-03-28 22:36:41 -07:00
Kubernetes Prow Robot
50070e664b Merge pull request #116626 from nilekhc/fix-kmsv2-healthz-flake 
[KMSv2] fix: increases timeout to avoid flake
 2023-03-14 20:28:34 -07:00
Kubernetes Prow Robot
15040e1c86 Merge pull request #115123 from aramase/v2beta1 
[KMSv2] Generate proto API and update feature gate for beta
 2023-03-14 19:26:25 -07:00
Nilekh Chaudhari
c09aa7dead fix: increases timeout to avoid flake 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
 2023-03-15 00:18:58 +00:00
Anish Ramasekar
ad698cc0ae [KMSv2] Generate proto API and update feature gate for beta 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
 2023-03-14 23:18:16 +00:00
Antonio Ojea
23252d70b4 add integration test 2023-03-14 22:58:11 +00:00
Monis Khan
832d6f0e19 kmsv2: re-use DEK while key ID is unchanged 
This change updates KMS v2 to not create a new DEK for every
encryption.  Instead, we re-use the DEK while the key ID is stable.

Specifically:

We no longer use a random 12 byte nonce per encryption.  Instead, we
use both a random 4 byte nonce and an 8 byte nonce set via an atomic
counter.  Since each DEK is randomly generated and never re-used,
the combination of DEK and counter are always unique.  Thus there
can never be a nonce collision.  AES GCM strongly encourages the use
of a 12 byte nonce, hence the additional 4 byte random nonce.  We
could leave those 4 bytes set to all zeros, but there is no harm in
setting them to random data (it may help in some edge cases such as
live VM migration).

If the plugin is not healthy, the last DEK will be used for
encryption for up to three minutes (there is no difference on the
behavior of reads which have always used the DEK cache).  This will
reduce the impact of a short plugin outage while making it easy to
perform storage migration after a key ID change (i.e. simply wait
ten minutes after the key ID change before starting the migration).

The DEK rotation cycle is performed in sync with the KMS v2 status
poll thus we always have the correct information to determine if a
read is stale in regards to storage migration.

Signed-off-by: Monis Khan <mok@microsoft.com>
 2023-03-14 10:23:50 -04:00
Nilekh Chaudhari
9382fab9b6 feat: implements encrypt all 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
 2023-03-08 22:18:49 +00:00
Yuan Chen
a24aef6510 Replace a function closure 
Replace more closures with pointer conversion

Replace deprecated Int32Ptr to Int32
 2023-02-27 09:13:36 -08:00
Anish Ramasekar
c9b8ad6a55 [KMSv2] restructure kms staging dir 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
 2023-02-21 22:40:25 +00:00
Anish Ramasekar
de3b2d525b [KMSv2] Add metrics for grpc service 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
 2023-02-09 18:51:37 +00:00
Nilekh Chaudhari
b3f326722d chore: improves tests 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
 2023-01-30 23:18:14 +00:00
Anish Ramasekar
4804baa011 kmsv2: implement expire cache with clock 
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
 2023-01-25 22:50:32 +00:00
Kubernetes Prow Robot
285e7969b2 Merge pull request #114544 from ritazh/kmsv2-keyid-staleness 
[KMSv2] Use status key ID to determine staleness of encrypted data
 2023-01-19 10:28:16 -08:00
Rita Zhang
510ac9b391 kmsv2: use status key ID to update staleness of encrypted data 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
 2023-01-19 08:09:24 -08:00