- func FromKeyState(component string, ks state.KeyState) (*corev1.Secret, error)
- func ListKeySecrets(secretClient corev1client.SecretsGetter, ...) (*corev1.Secret, error)
- func ToKeyState(s *corev1.Secret) (state.KeyState, error)
- type MigratedGroupResources
const ( // This label is used to find secrets that build up the final encryption config. The names of the // secrets are in format <shared prefix>-<unique monotonically increasing uint> (the uint is the keyID). // For example, openshift-kube-apiserver-encryption-3. Note that other than the -3 postfix, the name of // the secret is irrelevant since the label is used to find the secrets. Of course the key minting // controller cares about the entire name since it needs to know when it has already created a secret for a given // keyID meaning it cannot just use a random prefix. As such the name must include the data that is contained // within the label. Thus the format used is <component>-encryption-<keyID>. This keeps everything distinct // and fully deterministic. The keys are ordered by keyID where a smaller ID means an earlier key. // This means that the latest secret (the one with the largest keyID) is the current desired write key. EncryptionKeySecretsLabel = "encryption.apiserver.operator.openshift.io/component" // The time (in RFC3339 format) at which the migrated state observation occurred. The key minting // controller parses this field to determine if enough time has passed and a new key should be created. EncryptionSecretMigratedTimestamp = "encryption.apiserver.operator.openshift.io/migrated-timestamp" // The list of resources that were migrated when encryptionSecretMigratedTimestamp was set. // See the MigratedGroupResources struct below to understand the JSON encoding used. EncryptionSecretMigratedResources = "encryption.apiserver.operator.openshift.io/migrated-resources" // In the data field of the secret API object, this (map) key is used to hold the actual encryption key // (i.e. for AES-CBC mode the value associated with this map key is 32 bytes of random noise). EncryptionSecretKeyDataKey = "encryption.apiserver.operator.openshift.io-key" // encryptionSecretFinalizer is a finalizer attached to all secrets generated // by the encryption controllers. Its sole purpose is to prevent the accidental // deletion of secrets by enforcing a two phase delete. EncryptionSecretFinalizer = "encryption.apiserver.operator.openshift.io/deletion-protection" )
func FromKeyState ¶
ToKeyState converts a key state to a key secret.
func ListKeySecrets ¶
func ListKeySecrets(secretClient corev1client.SecretsGetter, encryptionSecretSelector metav1.ListOptions) (*corev1.Secret, error)
ListKeySecrets returns the current key secrets from openshift-config-managed.
type MigratedGroupResources ¶
MigratedGroupResources is the data structured stored in the encryption.apiserver.operator.openshift.io/migrated-resources of a key secret.