v2

package
Published: Mar 14, 2024 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package v2 implements the KMS Plugin API v2.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func RegisterKeyManagementServiceServer

func RegisterKeyManagementServiceServer(s *grpc.Server, srv KeyManagementServiceServer)

Types

type DecryptRequest

// DecryptRequest is the message kube-apiserver sends to the plugin's Decrypt
// RPC. It carries the stored ciphertext together with the key ID and the
// annotations that the plugin returned when the data was encrypted.
type DecryptRequest struct {
	// The data to be decrypted.
	Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"`
	// UID is a unique identifier for the request.
	Uid string `protobuf:"bytes,2,opt,name=uid,proto3" json:"uid,omitempty"`
	// The keyID that was provided to the apiserver during encryption.
	// This represents the KMS KEK that was used to encrypt the data.
	KeyId string `protobuf:"bytes,3,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`
	// Additional metadata that was sent by the KMS plugin during encryption.
	// NOTE(review): annotations are stored in plaintext in etcd (see
	// EncryptResponse.Annotations), so on decrypt they arrive as storage input
	// rather than as authenticated data — confirm how the plugin's Decrypt
	// validates them before relying on their contents.
	Annotations          map[string][]byte `` /* 163-byte string literal not displayed */
	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
	XXX_unrecognized     []byte            `json:"-"`
	XXX_sizecache        int32             `json:"-"`
}

func (*DecryptRequest) Descriptor

func (*DecryptRequest) Descriptor() ([]byte, []int)

func (*DecryptRequest) GetAnnotations

func (m *DecryptRequest) GetAnnotations() map[string][]byte

func (*DecryptRequest) GetCiphertext

func (m *DecryptRequest) GetCiphertext() []byte

func (*DecryptRequest) GetKeyId

func (m *DecryptRequest) GetKeyId() string

func (*DecryptRequest) GetUid

func (m *DecryptRequest) GetUid() string

func (*DecryptRequest) ProtoMessage

func (*DecryptRequest) ProtoMessage()

func (*DecryptRequest) Reset

func (m *DecryptRequest) Reset()

func (*DecryptRequest) String

func (m *DecryptRequest) String() string

func (*DecryptRequest) XXX_DiscardUnknown

func (m *DecryptRequest) XXX_DiscardUnknown()

func (*DecryptRequest) XXX_Marshal

func (m *DecryptRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*DecryptRequest) XXX_Merge

func (m *DecryptRequest) XXX_Merge(src proto.Message)

func (*DecryptRequest) XXX_Size

func (m *DecryptRequest) XXX_Size() int

func (*DecryptRequest) XXX_Unmarshal

func (m *DecryptRequest) XXX_Unmarshal(b []byte) error

type DecryptResponse

// DecryptResponse is the plugin's reply to a Decrypt RPC; it carries only the
// recovered plaintext.
type DecryptResponse struct {
	// The decrypted data.
	Plaintext            []byte   `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*DecryptResponse) Descriptor

func (*DecryptResponse) Descriptor() ([]byte, []int)

func (*DecryptResponse) GetPlaintext

func (m *DecryptResponse) GetPlaintext() []byte

func (*DecryptResponse) ProtoMessage

func (*DecryptResponse) ProtoMessage()

func (*DecryptResponse) Reset

func (m *DecryptResponse) Reset()

func (*DecryptResponse) String

func (m *DecryptResponse) String() string

func (*DecryptResponse) XXX_DiscardUnknown

func (m *DecryptResponse) XXX_DiscardUnknown()

func (*DecryptResponse) XXX_Marshal

func (m *DecryptResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*DecryptResponse) XXX_Merge

func (m *DecryptResponse) XXX_Merge(src proto.Message)

func (*DecryptResponse) XXX_Size

func (m *DecryptResponse) XXX_Size() int

func (*DecryptResponse) XXX_Unmarshal

func (m *DecryptResponse) XXX_Unmarshal(b []byte) error

type EncryptRequest

// EncryptRequest is the message kube-apiserver sends to the plugin's Encrypt
// RPC. It carries no key ID: the plugin selects the key and reports it back
// in EncryptResponse.KeyId.
type EncryptRequest struct {
	// The data to be encrypted.
	Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"`
	// UID is a unique identifier for the request.
	Uid                  string   `protobuf:"bytes,2,opt,name=uid,proto3" json:"uid,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*EncryptRequest) Descriptor

func (*EncryptRequest) Descriptor() ([]byte, []int)

func (*EncryptRequest) GetPlaintext

func (m *EncryptRequest) GetPlaintext() []byte

func (*EncryptRequest) GetUid

func (m *EncryptRequest) GetUid() string

func (*EncryptRequest) ProtoMessage

func (*EncryptRequest) ProtoMessage()

func (*EncryptRequest) Reset

func (m *EncryptRequest) Reset()

func (*EncryptRequest) String

func (m *EncryptRequest) String() string

func (*EncryptRequest) XXX_DiscardUnknown

func (m *EncryptRequest) XXX_DiscardUnknown()

func (*EncryptRequest) XXX_Marshal

func (m *EncryptRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*EncryptRequest) XXX_Merge

func (m *EncryptRequest) XXX_Merge(src proto.Message)

func (*EncryptRequest) XXX_Size

func (m *EncryptRequest) XXX_Size() int

func (*EncryptRequest) XXX_Unmarshal

func (m *EncryptRequest) XXX_Unmarshal(b []byte) error

type EncryptResponse

// EncryptResponse is the plugin's reply to an Encrypt RPC. Everything in it
// (ciphertext, key ID and annotations) is persisted by kube-apiserver and
// handed back to the plugin in a later DecryptRequest, so the size and
// content constraints on each field are part of the API contract.
type EncryptResponse struct {
	// The encrypted data.
	// ciphertext must satisfy the following constraints:
	// 1. The ciphertext is not empty.
	// 2. The ciphertext is less than 1 kB.
	Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"`
	// The KMS key ID used to encrypt the data. This must always refer to the KMS KEK and not any local KEKs that may be in use.
	// This can be used to inform staleness of data updated via value.Transformer.TransformFromStorage.
	// keyID must satisfy the following constraints:
	// 1. The keyID is not empty.
	// 2. The size of keyID is less than 1 kB.
	KeyId string `protobuf:"bytes,2,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`
	// Additional metadata to be stored with the encrypted data.
	// This data is stored in plaintext in etcd. KMS plugin implementations are responsible for pre-encrypting any sensitive data.
	// Annotations must satisfy the following constraints:
	//  1. Annotation key must be a fully qualified domain name that conforms to the definition in DNS (RFC 1123).
	//  2. The size of annotations keys + values is less than 32 kB.
	Annotations          map[string][]byte `` /* 163-byte string literal not displayed */
	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
	XXX_unrecognized     []byte            `json:"-"`
	XXX_sizecache        int32             `json:"-"`
}

func (*EncryptResponse) Descriptor

func (*EncryptResponse) Descriptor() ([]byte, []int)

func (*EncryptResponse) GetAnnotations

func (m *EncryptResponse) GetAnnotations() map[string][]byte

func (*EncryptResponse) GetCiphertext

func (m *EncryptResponse) GetCiphertext() []byte

func (*EncryptResponse) GetKeyId

func (m *EncryptResponse) GetKeyId() string

func (*EncryptResponse) ProtoMessage

func (*EncryptResponse) ProtoMessage()

func (*EncryptResponse) Reset

func (m *EncryptResponse) Reset()

func (*EncryptResponse) String

func (m *EncryptResponse) String() string

func (*EncryptResponse) XXX_DiscardUnknown

func (m *EncryptResponse) XXX_DiscardUnknown()

func (*EncryptResponse) XXX_Marshal

func (m *EncryptResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*EncryptResponse) XXX_Merge

func (m *EncryptResponse) XXX_Merge(src proto.Message)

func (*EncryptResponse) XXX_Size

func (m *EncryptResponse) XXX_Size() int

func (*EncryptResponse) XXX_Unmarshal

func (m *EncryptResponse) XXX_Unmarshal(b []byte) error

type HealthChecker

// HealthChecker probes a KMS plugin over a gRPC client connection; see
// PingKMS and PingRPC.
type HealthChecker struct{}

func NewHealthChecker

func NewHealthChecker() *HealthChecker

func (*HealthChecker) PingKMS

func (h *HealthChecker) PingKMS(ctx context.Context, conn *grpc.ClientConn) error

func (*HealthChecker) PingRPC

func (h *HealthChecker) PingRPC(ctx context.Context, conn *grpc.ClientConn) error

type KeyManagementServiceClient

// KeyManagementServiceClient is the client API for KeyManagementService service.
type KeyManagementServiceClient interface {
	// this API is meant to be polled; see StatusResponse for the version,
	// healthz and key ID it reports.
	Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error)
	// Execute decryption operation in KMS provider.
	Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error)
	// Execute encryption operation in KMS provider.
	Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error)
}

KeyManagementServiceClient is the client API for KeyManagementService service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.

func NewKeyManagementServiceClient

func NewKeyManagementServiceClient(cc *grpc.ClientConn) KeyManagementServiceClient

type KeyManagementServiceServer

// KeyManagementServiceServer is the server API for KeyManagementService service.
// Plugin implements it; UnimplementedKeyManagementServiceServer can be
// embedded for forward compatibility.
type KeyManagementServiceServer interface {
	// this API is meant to be polled; see StatusResponse for the version,
	// healthz and key ID it reports.
	Status(context.Context, *StatusRequest) (*StatusResponse, error)
	// Execute decryption operation in KMS provider.
	Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error)
	// Execute encryption operation in KMS provider.
	Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error)
}

KeyManagementServiceServer is the server API for KeyManagementService service.

type Plugin

// Plugin is a KeyManagementServiceServer implementation backed by a Cloud KMS
// crypto key (see NewPlugin); it serves Encrypt, Decrypt and Status.
type Plugin struct {
	// contains filtered or unexported fields
}

func NewPlugin

func NewPlugin(keyService *cloudkms.ProjectsLocationsKeyRingsCryptoKeysService, keyURI, keySuffix string) *Plugin

NewPlugin constructs a Plugin.

func (*Plugin) Decrypt

func (g *Plugin) Decrypt(ctx context.Context, request *DecryptRequest) (*DecryptResponse, error)

Decrypt decrypts payload supplied by K8S API Server.

func (*Plugin) Encrypt

func (g *Plugin) Encrypt(ctx context.Context, request *EncryptRequest) (*EncryptResponse, error)

Encrypt encrypts payload provided by K8S API Server.

func (*Plugin) Register

func (g *Plugin) Register(s *grpc.Server)

Register registers the plugin as a key management service on the given gRPC server.

func (*Plugin) Status

func (g *Plugin) Status(ctx context.Context, request *StatusRequest) (*StatusResponse, error)

Status returns the version of the KMS API that the plugin supports. The response also contains the status of the plugin, which is calculated as the availability of the encryption key that the plugin is configured with, and the current primary key version. kube-apiserver will provide this key version in Encrypt and Decrypt calls and will thus be able to tell whether the remote Cloud KMS key has been rotated or not.

type StatusRequest

// StatusRequest is the (field-less) message sent to the Status RPC.
type StatusRequest struct {
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*StatusRequest) Descriptor

func (*StatusRequest) Descriptor() ([]byte, []int)

func (*StatusRequest) ProtoMessage

func (*StatusRequest) ProtoMessage()

func (*StatusRequest) Reset

func (m *StatusRequest) Reset()

func (*StatusRequest) String

func (m *StatusRequest) String() string

func (*StatusRequest) XXX_DiscardUnknown

func (m *StatusRequest) XXX_DiscardUnknown()

func (*StatusRequest) XXX_Marshal

func (m *StatusRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*StatusRequest) XXX_Merge

func (m *StatusRequest) XXX_Merge(src proto.Message)

func (*StatusRequest) XXX_Size

func (m *StatusRequest) XXX_Size() int

func (*StatusRequest) XXX_Unmarshal

func (m *StatusRequest) XXX_Unmarshal(b []byte) error

type StatusResponse

// StatusResponse is the plugin's reply to the polled Status RPC. It reports
// the plugin API version, a health string and the current write key ID.
type StatusResponse struct {
	// Version of the KMS gRPC plugin API. Must equal v2 to v2beta1 (v2 is recommended, but both are equivalent).
	Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
	// Any value other than "ok" is failing healthz.  On failure, the associated API server healthz endpoint will contain this value as part of the error message.
	// Because this string is surfaced through the API server's healthz endpoint,
	// it should describe the failure without including secrets or other
	// sensitive detail.
	Healthz string `protobuf:"bytes,2,opt,name=healthz,proto3" json:"healthz,omitempty"`
	// the current write key, used to determine staleness of data updated via value.Transformer.TransformFromStorage.
	// keyID must satisfy the following constraints:
	// 1. The keyID is not empty.
	// 2. The size of keyID is less than 1 kB.
	KeyId                string   `protobuf:"bytes,3,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*StatusResponse) Descriptor

func (*StatusResponse) Descriptor() ([]byte, []int)

func (*StatusResponse) GetHealthz

func (m *StatusResponse) GetHealthz() string

func (*StatusResponse) GetKeyId

func (m *StatusResponse) GetKeyId() string

func (*StatusResponse) GetVersion

func (m *StatusResponse) GetVersion() string

func (*StatusResponse) ProtoMessage

func (*StatusResponse) ProtoMessage()

func (*StatusResponse) Reset

func (m *StatusResponse) Reset()

func (*StatusResponse) String

func (m *StatusResponse) String() string

func (*StatusResponse) XXX_DiscardUnknown

func (m *StatusResponse) XXX_DiscardUnknown()

func (*StatusResponse) XXX_Marshal

func (m *StatusResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*StatusResponse) XXX_Merge

func (m *StatusResponse) XXX_Merge(src proto.Message)

func (*StatusResponse) XXX_Size

func (m *StatusResponse) XXX_Size() int

func (*StatusResponse) XXX_Unmarshal

func (m *StatusResponse) XXX_Unmarshal(b []byte) error

type UnimplementedKeyManagementServiceServer

// UnimplementedKeyManagementServiceServer can be embedded to have forward
// compatible implementations of KeyManagementServiceServer.
type UnimplementedKeyManagementServiceServer struct {
}

UnimplementedKeyManagementServiceServer can be embedded to have forward compatible implementations.

func (*UnimplementedKeyManagementServiceServer) Decrypt

func (*UnimplementedKeyManagementServiceServer) Encrypt

func (*UnimplementedKeyManagementServiceServer) Status
