github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
3003ab7ad2b71b047f0dddd09397c67fef3e4b08
kubernetes/staging
History
Kubernetes Submit Queue 0d17e9deb7 Merge pull request #48574 from sakshamsharma/kms-transformer 
Automatic merge from submit-queue

Add Google cloud KMS service for envelope encryption transformer

This adds the required pieces which will allow addition of KMS based encryption providers (envelope transformer).

For now, we will be implementing it using Google Cloud KMS, but the code should make it easy to add support for any other such provider which can expose Decrypt and Encrypt calls.

Writing tests for Google Cloud KMS Service may cause a significant overhead to the testing framework. It has been tested locally and on GKE though.

Upcoming after this PR:
* Complete implementation of the envelope transformer, which uses LRU cache to maintain decrypted DEKs in memory.
* Track key version to assist in data re-encryption after a KEK rotation.

Development branch containing the changes described above: https://github.com/sakshamsharma/kubernetes/pull/4

Envelope transformer used by this PR was merged in #49350 

Concerns #48522 

Planned configuration:
```
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
    - secrets
    providers:
    - kms:
        cachesize: 100
        configfile: gcp-cloudkms.conf
        name: gcp-cloudkms
    - identity: {}
```

gcp-cloudkms.conf:
```
[GoogleCloudKMS]
    kms-location: global
    kms-keyring: google-container-engine
    kms-cryptokey: example-key
```
2017-08-29 11:11:10 -07:00
..
src/k8s.io
Merge pull request #48574 from sakshamsharma/kms-transformer
2017-08-29 11:11:10 -07:00
BUILD
Fixup after k8s.io/{kube-gen -> code-generator} rename
2017-08-17 17:55:12 +02:00
godeps-json-updater.go
Clean up staging/godeps-json-updater.go
2017-04-06 09:32:57 +02:00
OWNERS
Add OWNERS for staging and api
2017-04-19 15:58:09 -04:00
prime-apimachinery.sh
Fixup after k8s.io/{kube-gen -> code-generator} rename
2017-08-17 17:55:12 +02:00
README.md
Fixup after k8s.io/{kube-gen -> code-generator} rename
2017-08-17 17:55:12 +02:00

README.md

External Repository Staging Area

This directory is the staging area for packages that have been split to their own repository. The content here will be periodically published to respective top-level k8s.io repositories.

Repositories currently staged here:

The code in the staging/ directory is authoritative, i.e. the only copy of the code. You can directly modify such code.

Using staged repositories from Kubernetes code

Kubernetes code uses the repositories in this directory via symlinks in the vendor/k8s.io directory into this staging area. For example, when Kubernetes code imports a package from the k8s.io/client-go repository, that import is resolved to staging/src/k8s.io/client-go relative to the project root:

// pkg/example/some_code.go
package example

import (
  "k8s.io/client-go/dynamic" // resolves to staging/src/k8s.io/client-go/dynamic
)

Once the change-over to external repositories is complete, these repositories will actually be vendored from k8s.io/<package-name>.

Reference in New Issue View Git Blame Copy Permalink