Documentation ¶
Overview ¶
Implementation of the KMS Plugin API v2.
Index ¶
- func RegisterKeyManagementServiceServer(s *grpc.Server, srv KeyManagementServiceServer)
- type DecryptRequest
- func (*DecryptRequest) Descriptor() ([]byte, []int)
- func (m *DecryptRequest) GetAnnotations() map[string][]byte
- func (m *DecryptRequest) GetCiphertext() []byte
- func (m *DecryptRequest) GetKeyId() string
- func (m *DecryptRequest) GetUid() string
- func (*DecryptRequest) ProtoMessage()
- func (m *DecryptRequest) Reset()
- func (m *DecryptRequest) String() string
- func (m *DecryptRequest) XXX_DiscardUnknown()
- func (m *DecryptRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *DecryptRequest) XXX_Merge(src proto.Message)
- func (m *DecryptRequest) XXX_Size() int
- func (m *DecryptRequest) XXX_Unmarshal(b []byte) error
- type DecryptResponse
- func (*DecryptResponse) Descriptor() ([]byte, []int)
- func (m *DecryptResponse) GetPlaintext() []byte
- func (*DecryptResponse) ProtoMessage()
- func (m *DecryptResponse) Reset()
- func (m *DecryptResponse) String() string
- func (m *DecryptResponse) XXX_DiscardUnknown()
- func (m *DecryptResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *DecryptResponse) XXX_Merge(src proto.Message)
- func (m *DecryptResponse) XXX_Size() int
- func (m *DecryptResponse) XXX_Unmarshal(b []byte) error
- type EncryptRequest
- func (*EncryptRequest) Descriptor() ([]byte, []int)
- func (m *EncryptRequest) GetPlaintext() []byte
- func (m *EncryptRequest) GetUid() string
- func (*EncryptRequest) ProtoMessage()
- func (m *EncryptRequest) Reset()
- func (m *EncryptRequest) String() string
- func (m *EncryptRequest) XXX_DiscardUnknown()
- func (m *EncryptRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *EncryptRequest) XXX_Merge(src proto.Message)
- func (m *EncryptRequest) XXX_Size() int
- func (m *EncryptRequest) XXX_Unmarshal(b []byte) error
- type EncryptResponse
- func (*EncryptResponse) Descriptor() ([]byte, []int)
- func (m *EncryptResponse) GetAnnotations() map[string][]byte
- func (m *EncryptResponse) GetCiphertext() []byte
- func (m *EncryptResponse) GetKeyId() string
- func (*EncryptResponse) ProtoMessage()
- func (m *EncryptResponse) Reset()
- func (m *EncryptResponse) String() string
- func (m *EncryptResponse) XXX_DiscardUnknown()
- func (m *EncryptResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *EncryptResponse) XXX_Merge(src proto.Message)
- func (m *EncryptResponse) XXX_Size() int
- func (m *EncryptResponse) XXX_Unmarshal(b []byte) error
- type HealthChecker
- type KeyManagementServiceClient
- type KeyManagementServiceServer
- type Plugin
- func (g *Plugin) Decrypt(ctx context.Context, request *DecryptRequest) (*DecryptResponse, error)
- func (g *Plugin) Encrypt(ctx context.Context, request *EncryptRequest) (*EncryptResponse, error)
- func (g *Plugin) Register(s *grpc.Server)
- func (g *Plugin) Status(ctx context.Context, request *StatusRequest) (*StatusResponse, error)
- type StatusRequest
- func (*StatusRequest) Descriptor() ([]byte, []int)
- func (*StatusRequest) ProtoMessage()
- func (m *StatusRequest) Reset()
- func (m *StatusRequest) String() string
- func (m *StatusRequest) XXX_DiscardUnknown()
- func (m *StatusRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *StatusRequest) XXX_Merge(src proto.Message)
- func (m *StatusRequest) XXX_Size() int
- func (m *StatusRequest) XXX_Unmarshal(b []byte) error
- type StatusResponse
- func (*StatusResponse) Descriptor() ([]byte, []int)
- func (m *StatusResponse) GetHealthz() string
- func (m *StatusResponse) GetKeyId() string
- func (m *StatusResponse) GetVersion() string
- func (*StatusResponse) ProtoMessage()
- func (m *StatusResponse) Reset()
- func (m *StatusResponse) String() string
- func (m *StatusResponse) XXX_DiscardUnknown()
- func (m *StatusResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *StatusResponse) XXX_Merge(src proto.Message)
- func (m *StatusResponse) XXX_Size() int
- func (m *StatusResponse) XXX_Unmarshal(b []byte) error
- type UnimplementedKeyManagementServiceServer
- func (*UnimplementedKeyManagementServiceServer) Decrypt(ctx context.Context, req *DecryptRequest) (*DecryptResponse, error)
- func (*UnimplementedKeyManagementServiceServer) Encrypt(ctx context.Context, req *EncryptRequest) (*EncryptResponse, error)
- func (*UnimplementedKeyManagementServiceServer) Status(ctx context.Context, req *StatusRequest) (*StatusResponse, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func RegisterKeyManagementServiceServer ¶
func RegisterKeyManagementServiceServer(s *grpc.Server, srv KeyManagementServiceServer)
Types ¶
type DecryptRequest ¶
type DecryptRequest struct { // The data to be decrypted. Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` // UID is a unique identifier for the request. Uid string `protobuf:"bytes,2,opt,name=uid,proto3" json:"uid,omitempty"` // The keyID that was provided to the apiserver during encryption. // This represents the KMS KEK that was used to encrypt the data. KeyId string `protobuf:"bytes,3,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` // Additional metadata that was sent by the KMS plugin during encryption. Annotations map[string][]byte `` /* 163-byte string literal not displayed */ XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
func (*DecryptRequest) Descriptor ¶
func (*DecryptRequest) Descriptor() ([]byte, []int)
func (*DecryptRequest) GetAnnotations ¶
func (m *DecryptRequest) GetAnnotations() map[string][]byte
func (*DecryptRequest) GetCiphertext ¶
func (m *DecryptRequest) GetCiphertext() []byte
func (*DecryptRequest) GetKeyId ¶
func (m *DecryptRequest) GetKeyId() string
func (*DecryptRequest) GetUid ¶
func (m *DecryptRequest) GetUid() string
func (*DecryptRequest) ProtoMessage ¶
func (*DecryptRequest) ProtoMessage()
func (*DecryptRequest) Reset ¶
func (m *DecryptRequest) Reset()
func (*DecryptRequest) String ¶
func (m *DecryptRequest) String() string
func (*DecryptRequest) XXX_DiscardUnknown ¶
func (m *DecryptRequest) XXX_DiscardUnknown()
func (*DecryptRequest) XXX_Marshal ¶
func (m *DecryptRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*DecryptRequest) XXX_Merge ¶
func (m *DecryptRequest) XXX_Merge(src proto.Message)
func (*DecryptRequest) XXX_Size ¶
func (m *DecryptRequest) XXX_Size() int
func (*DecryptRequest) XXX_Unmarshal ¶
func (m *DecryptRequest) XXX_Unmarshal(b []byte) error
type DecryptResponse ¶
type DecryptResponse struct { // The decrypted data. Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
func (*DecryptResponse) Descriptor ¶
func (*DecryptResponse) Descriptor() ([]byte, []int)
func (*DecryptResponse) GetPlaintext ¶
func (m *DecryptResponse) GetPlaintext() []byte
func (*DecryptResponse) ProtoMessage ¶
func (*DecryptResponse) ProtoMessage()
func (*DecryptResponse) Reset ¶
func (m *DecryptResponse) Reset()
func (*DecryptResponse) String ¶
func (m *DecryptResponse) String() string
func (*DecryptResponse) XXX_DiscardUnknown ¶
func (m *DecryptResponse) XXX_DiscardUnknown()
func (*DecryptResponse) XXX_Marshal ¶
func (m *DecryptResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*DecryptResponse) XXX_Merge ¶
func (m *DecryptResponse) XXX_Merge(src proto.Message)
func (*DecryptResponse) XXX_Size ¶
func (m *DecryptResponse) XXX_Size() int
func (*DecryptResponse) XXX_Unmarshal ¶
func (m *DecryptResponse) XXX_Unmarshal(b []byte) error
type EncryptRequest ¶
type EncryptRequest struct { // The data to be encrypted. Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"` // UID is a unique identifier for the request. Uid string `protobuf:"bytes,2,opt,name=uid,proto3" json:"uid,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
func (*EncryptRequest) Descriptor ¶
func (*EncryptRequest) Descriptor() ([]byte, []int)
func (*EncryptRequest) GetPlaintext ¶
func (m *EncryptRequest) GetPlaintext() []byte
func (*EncryptRequest) GetUid ¶
func (m *EncryptRequest) GetUid() string
func (*EncryptRequest) ProtoMessage ¶
func (*EncryptRequest) ProtoMessage()
func (*EncryptRequest) Reset ¶
func (m *EncryptRequest) Reset()
func (*EncryptRequest) String ¶
func (m *EncryptRequest) String() string
func (*EncryptRequest) XXX_DiscardUnknown ¶
func (m *EncryptRequest) XXX_DiscardUnknown()
func (*EncryptRequest) XXX_Marshal ¶
func (m *EncryptRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*EncryptRequest) XXX_Merge ¶
func (m *EncryptRequest) XXX_Merge(src proto.Message)
func (*EncryptRequest) XXX_Size ¶
func (m *EncryptRequest) XXX_Size() int
func (*EncryptRequest) XXX_Unmarshal ¶
func (m *EncryptRequest) XXX_Unmarshal(b []byte) error
type EncryptResponse ¶
type EncryptResponse struct { // The encrypted data. // ciphertext must satisfy the following constraints: // 1. The ciphertext is not empty. // 2. The ciphertext is less than 1 kB. Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` // The KMS key ID used to encrypt the data. This must always refer to the KMS KEK and not any local KEKs that may be in use. // This can be used to inform staleness of data updated via value.Transformer.TransformFromStorage. // keyID must satisfy the following constraints: // 1. The keyID is not empty. // 2. The size of keyID is less than 1 kB. KeyId string `protobuf:"bytes,2,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` // Additional metadata to be stored with the encrypted data. // This data is stored in plaintext in etcd. KMS plugin implementations are responsible for pre-encrypting any sensitive data. // Annotations must satisfy the following constraints: // 1. Annotation key must be a fully qualified domain name that conforms to the definition in DNS (RFC 1123). // 2. The size of annotations keys + values is less than 32 kB. Annotations map[string][]byte `` /* 163-byte string literal not displayed */ XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
func (*EncryptResponse) Descriptor ¶
func (*EncryptResponse) Descriptor() ([]byte, []int)
func (*EncryptResponse) GetAnnotations ¶
func (m *EncryptResponse) GetAnnotations() map[string][]byte
func (*EncryptResponse) GetCiphertext ¶
func (m *EncryptResponse) GetCiphertext() []byte
func (*EncryptResponse) GetKeyId ¶
func (m *EncryptResponse) GetKeyId() string
func (*EncryptResponse) ProtoMessage ¶
func (*EncryptResponse) ProtoMessage()
func (*EncryptResponse) Reset ¶
func (m *EncryptResponse) Reset()
func (*EncryptResponse) String ¶
func (m *EncryptResponse) String() string
func (*EncryptResponse) XXX_DiscardUnknown ¶
func (m *EncryptResponse) XXX_DiscardUnknown()
func (*EncryptResponse) XXX_Marshal ¶
func (m *EncryptResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*EncryptResponse) XXX_Merge ¶
func (m *EncryptResponse) XXX_Merge(src proto.Message)
func (*EncryptResponse) XXX_Size ¶
func (m *EncryptResponse) XXX_Size() int
func (*EncryptResponse) XXX_Unmarshal ¶
func (m *EncryptResponse) XXX_Unmarshal(b []byte) error
type HealthChecker ¶
type HealthChecker struct{}
func NewHealthChecker ¶
func NewHealthChecker() *HealthChecker
func (*HealthChecker) PingKMS ¶
func (h *HealthChecker) PingKMS(ctx context.Context, conn *grpc.ClientConn) error
func (*HealthChecker) PingRPC ¶
func (h *HealthChecker) PingRPC(ctx context.Context, conn *grpc.ClientConn) error
type KeyManagementServiceClient ¶
type KeyManagementServiceClient interface { // this API is meant to be polled Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error) // Execute decryption operation in KMS provider. Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) // Execute encryption operation in KMS provider. Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error) }
KeyManagementServiceClient is the client API for KeyManagementService service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
func NewKeyManagementServiceClient ¶
func NewKeyManagementServiceClient(cc *grpc.ClientConn) KeyManagementServiceClient
type KeyManagementServiceServer ¶
type KeyManagementServiceServer interface { // this API is meant to be polled Status(context.Context, *StatusRequest) (*StatusResponse, error) // Execute decryption operation in KMS provider. Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error) // Execute encryption operation in KMS provider. Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error) }
KeyManagementServiceServer is the server API for KeyManagementService service.
type Plugin ¶
type Plugin struct {
// contains filtered or unexported fields
}
func NewPlugin ¶
func NewPlugin(keyService *cloudkms.ProjectsLocationsKeyRingsCryptoKeysService, keyURI, keySuffix string) *Plugin
NewPlugin constructs a Plugin.
func (*Plugin) Decrypt ¶
func (g *Plugin) Decrypt(ctx context.Context, request *DecryptRequest) (*DecryptResponse, error)
Decrypt decrypts the payload supplied by the K8S API Server.
func (*Plugin) Encrypt ¶
func (g *Plugin) Encrypt(ctx context.Context, request *EncryptRequest) (*EncryptResponse, error)
Encrypt encrypts the payload provided by the K8S API Server.
func (*Plugin) Status ¶
func (g *Plugin) Status(ctx context.Context, request *StatusRequest) (*StatusResponse, error)
Status returns the KMS API version that the plugin supports. The response also contains the status of the plugin, which is calculated as the availability of the encryption key that the plugin is configured with, and the current primary key version. kube-apiserver will provide this key version in Encrypt and Decrypt calls and will be able to tell whether the remote Cloud KMS key has been rotated or not.
type StatusRequest ¶
type StatusRequest struct { XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
func (*StatusRequest) Descriptor ¶
func (*StatusRequest) Descriptor() ([]byte, []int)
func (*StatusRequest) ProtoMessage ¶
func (*StatusRequest) ProtoMessage()
func (*StatusRequest) Reset ¶
func (m *StatusRequest) Reset()
func (*StatusRequest) String ¶
func (m *StatusRequest) String() string
func (*StatusRequest) XXX_DiscardUnknown ¶
func (m *StatusRequest) XXX_DiscardUnknown()
func (*StatusRequest) XXX_Marshal ¶
func (m *StatusRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*StatusRequest) XXX_Merge ¶
func (m *StatusRequest) XXX_Merge(src proto.Message)
func (*StatusRequest) XXX_Size ¶
func (m *StatusRequest) XXX_Size() int
func (*StatusRequest) XXX_Unmarshal ¶
func (m *StatusRequest) XXX_Unmarshal(b []byte) error
type StatusResponse ¶
type StatusResponse struct { // Version of the KMS gRPC plugin API. Must equal v2 to v2beta1 (v2 is recommended, but both are equivalent). Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` // Any value other than "ok" is failing healthz. On failure, the associated API server healthz endpoint will contain this value as part of the error message. Healthz string `protobuf:"bytes,2,opt,name=healthz,proto3" json:"healthz,omitempty"` // the current write key, used to determine staleness of data updated via value.Transformer.TransformFromStorage. // keyID must satisfy the following constraints: // 1. The keyID is not empty. // 2. The size of keyID is less than 1 kB. KeyId string `protobuf:"bytes,3,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
func (*StatusResponse) Descriptor ¶
func (*StatusResponse) Descriptor() ([]byte, []int)
func (*StatusResponse) GetHealthz ¶
func (m *StatusResponse) GetHealthz() string
func (*StatusResponse) GetKeyId ¶
func (m *StatusResponse) GetKeyId() string
func (*StatusResponse) GetVersion ¶
func (m *StatusResponse) GetVersion() string
func (*StatusResponse) ProtoMessage ¶
func (*StatusResponse) ProtoMessage()
func (*StatusResponse) Reset ¶
func (m *StatusResponse) Reset()
func (*StatusResponse) String ¶
func (m *StatusResponse) String() string
func (*StatusResponse) XXX_DiscardUnknown ¶
func (m *StatusResponse) XXX_DiscardUnknown()
func (*StatusResponse) XXX_Marshal ¶
func (m *StatusResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*StatusResponse) XXX_Merge ¶
func (m *StatusResponse) XXX_Merge(src proto.Message)
func (*StatusResponse) XXX_Size ¶
func (m *StatusResponse) XXX_Size() int
func (*StatusResponse) XXX_Unmarshal ¶
func (m *StatusResponse) XXX_Unmarshal(b []byte) error
type UnimplementedKeyManagementServiceServer ¶
type UnimplementedKeyManagementServiceServer struct { }
UnimplementedKeyManagementServiceServer can be embedded to have forward compatible implementations.
func (*UnimplementedKeyManagementServiceServer) Decrypt ¶
func (*UnimplementedKeyManagementServiceServer) Decrypt(ctx context.Context, req *DecryptRequest) (*DecryptResponse, error)
func (*UnimplementedKeyManagementServiceServer) Encrypt ¶
func (*UnimplementedKeyManagementServiceServer) Encrypt(ctx context.Context, req *EncryptRequest) (*EncryptResponse, error)
func (*UnimplementedKeyManagementServiceServer) Status ¶
func (*UnimplementedKeyManagementServiceServer) Status(ctx context.Context, req *StatusRequest) (*StatusResponse, error)