Documentation

Index

Constants

View Source
const (
	// This label is used to find secrets that build up the final encryption config.  The names of the
	// secrets are in format <shared prefix>-<unique monotonically increasing uint> (the uint is the keyID).
	// For example, openshift-kube-apiserver-encryption-3.  Note that other than the -3 postfix, the name of
	// the secret is irrelevant since the label is used to find the secrets.  Of course the key minting
	// controller cares about the entire name since it needs to know when it has already created a secret for a given
	// keyID meaning it cannot just use a random prefix.  As such the name must include the data that is contained
	// within the label.  Thus the format used is <component>-encryption-<keyID>.  This keeps everything distinct
	// and fully deterministic.  The keys are ordered by keyID where a smaller ID means an earlier key.
	// This means that the latest secret (the one with the largest keyID) is the current desired write key.
	EncryptionKeySecretsLabel = "encryption.apiserver.operator.openshift.io/component"

	// The time (in RFC3339 format) at which the migrated state observation occurred.  The key minting
	// controller parses this field to determine if enough time has passed and a new key should be created.
	EncryptionSecretMigratedTimestamp = "encryption.apiserver.operator.openshift.io/migrated-timestamp"
	// The list of resources that were migrated when encryptionSecretMigratedTimestamp was set.
	// See the MigratedGroupResources struct below to understand the JSON encoding used.
	EncryptionSecretMigratedResources = "encryption.apiserver.operator.openshift.io/migrated-resources"

	// In the data field of the secret API object, this (map) key is used to hold the actual encryption key
	// (i.e. for AES-CBC mode the value associated with this map key is 32 bytes of random noise).
	EncryptionSecretKeyDataKey = "encryption.apiserver.operator.openshift.io-key"

	// encryptionSecretFinalizer is a finalizer attached to all secrets generated
	// by the encryption controllers.  Its sole purpose is to prevent the accidental
	// deletion of secrets by enforcing a two phase delete.
	EncryptionSecretFinalizer = "encryption.apiserver.operator.openshift.io/deletion-protection"
)

Variables

This section is empty.

Functions

func FromKeyState

func FromKeyState(component string, ks state.KeyState) (*corev1.Secret, error)

    ToKeyState converts a key state to a key secret.

    func ListKeySecrets

    func ListKeySecrets(secretClient corev1client.SecretsGetter, encryptionSecretSelector metav1.ListOptions) ([]*corev1.Secret, error)

      ListKeySecrets returns the current key secrets from openshift-config-managed.

      func ToKeyState

      func ToKeyState(s *corev1.Secret) (state.KeyState, error)

        ToKeyState converts a key secret to a key state.

        Types

        type MigratedGroupResources

        type MigratedGroupResources struct {
        	Resources []schema.GroupResource `json:"resources"`
        }

          MigratedGroupResources is the data structured stored in the encryption.apiserver.operator.openshift.io/migrated-resources of a key secret.

          func (*MigratedGroupResources) HasResource

          func (m *MigratedGroupResources) HasResource(resource schema.GroupResource) bool

            HasResource returns whether the given group resource is contained in the migrated group resource list.