etcdencryption

package
Published: Apr 16, 2021 License: Apache-2.0, BSD-2-Clause, MIT, + 1 more Imports: 15 Imported by: 0

Documentation

Constants

const ETCDEncryptionDataType = infodata.TypeVersion("etcdEncryption")

ETCDEncryptionDataType is the type used to denote an ETCDKeyData structure in the ShootState

Variables

This section is empty.

Functions

func GetSecretKeyForResources

func GetSecretKeyForResources(config *apiserverconfigv1.EncryptionConfiguration, resources string) (string, string, error)

GetSecretKeyForResources returns the name and the secret of the AES-CBC key that is used to encrypt the given resources. If no AES-CBC provider is configured for those resources, it returns empty strings.

func IsConfigurationNotFoundError

func IsConfigurationNotFoundError(err error) bool

IsConfigurationNotFoundError checks if the given error is an error when the encryption configuration is not found at the common.EtcdEncryptionSecretFileName key of the data section of a secret.

func Load

Load decodes an EncryptionConfiguration from the given data.

func NewEncryptionConfiguration

func NewEncryptionConfiguration(encryptionConfig *EncryptionConfig) *apiserverconfigv1.EncryptionConfiguration

NewEncryptionConfiguration creates an EncryptionConfiguration from the key and state

func NewEncryptionKey

func NewEncryptionKey(t time.Time, r io.Reader) (*apiserverconfigv1.Key, error)

NewEncryptionKey creates a new random encryption key with a name containing the timestamp. The reader should return random data suitable for cryptographic use, otherwise the security of encryption might be compromised.

func NewEncryptionKeyName

func NewEncryptionKeyName(t time.Time) string

NewEncryptionKeyName creates a new key name derived from the given timestamp.

func NewEncryptionKeySecret

func NewEncryptionKeySecret(r io.Reader) (string, error)

NewEncryptionKeySecret reads common.EtcdEncryptionSecretLen bytes from the given reader and base-64 encodes the data. The reader should return random data suitable for cryptographic use, otherwise the security of encryption might be compromised.

func ReadSecret

ReadSecret reads and validates the EncryptionConfiguration of the given secret.

func Unmarshal

func Unmarshal(bytes []byte) (infodata.InfoData, error)

Unmarshal unmarshals an ETCDKeyData json.

func UpdateSecret

func UpdateSecret(secret *corev1.Secret, conf *apiserverconfigv1.EncryptionConfiguration) error

UpdateSecret writes the EncryptionConfiguration to the common.EtcdEncryptionSecretFileName key in the data section of the given secret.

func Write

Write encodes an EncryptionConfiguration.

Types

type EncryptionConfig

type EncryptionConfig struct {
	EncryptionKeys          []EncryptionKey
	ForcePlainTextResources bool
	RewriteResources        bool
}

EncryptionConfig holds a list of keys and flags indicating whether resources should be forcefully persisted in plain text and whether they should be rewritten because the configuration changed.

func GetEncryptionConfig

func GetEncryptionConfig(gardenerResourceDataList gardencorev1alpha1helper.GardenerResourceDataList) (*EncryptionConfig, error)

GetEncryptionConfig retrieves the ETCDEncryptionConfig from the gardenerResourceDataList.

func NewEncryptionConfig

func NewEncryptionConfig(keys []EncryptionKey, forcePlainTextResources, rewriteResources bool) (*EncryptionConfig, error)

NewEncryptionConfig creates a new EncryptionConfig from the given keys and the forcePlainTextResources and rewriteResources flags.

func (*EncryptionConfig) AddEncryptionKeyFromSecret

func (e *EncryptionConfig) AddEncryptionKeyFromSecret(secret *corev1.Secret) error

AddEncryptionKeyFromSecret gets the active etcd encryption key from the secret object and adds it to the ETCDEncryptionConfig. TODO: this function can be removed in a future version when all the encryption configurations have been synced to the ShootState.

func (*EncryptionConfig) AddNewEncryptionKey

func (e *EncryptionConfig) AddNewEncryptionKey() error

AddNewEncryptionKey generates a new etcd encryption key and adds it to the ETCDEncryptionConfig.

func (*EncryptionConfig) Marshal

func (e *EncryptionConfig) Marshal() ([]byte, error)

Marshal serializes the EncryptionConfig as ETCDEncryption InfoData (JSON).

func (*EncryptionConfig) SetForcePlainTextResources

func (e *EncryptionConfig) SetForcePlainTextResources(forcePlainTextResources bool)

SetForcePlainTextResources sets whether resources should be persisted in plain text instead of encrypted. If the value changes, RewriteResources is set to true so that existing resources are rewritten under the new configuration.
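The functions above (NewEncryptionKeyName, NewEncryptionKeySecret, NewEncryptionConfiguration, GetSecretKeyForResources and SetForcePlainTextResources) fit together into one key-handling flow. The following is an added example, not code from the gardener package: it uses reduced stand-ins for the k8s.io/apiserver EncryptionConfiguration types so it runs with the standard library only, and it assumes a 32-byte secret length (AES-256) for common.EtcdEncryptionSecretLen, a "key" prefix for key names and "secrets" as the encrypted resource. The provider ordering (identity first when plain text is forced, AES-CBC first otherwise), the validation in GetSecretKeyForResources and the setting of RewriteResources on change are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"time"
)

// Reduced stand-ins for apiserverconfigv1 types (assumption: only the fields used here).
type Key struct{ Name, Secret string }
type AESConfiguration struct{ Keys []Key }
type IdentityConfiguration struct{}
type ProviderConfiguration struct {
	AESCBC   *AESConfiguration
	Identity *IdentityConfiguration
}
type ResourceConfiguration struct {
	Resources []string
	Providers []ProviderConfiguration
}
type EncryptionConfiguration struct{ Resources []ResourceConfiguration }

// Mirrors of the package's EncryptionKey and EncryptionConfig types.
type EncryptionKey struct{ Key, Name string }
type EncryptionConfig struct {
	EncryptionKeys          []EncryptionKey
	ForcePlainTextResources bool
	RewriteResources        bool
}

const (
	secretLen         = 32        // assumed value of common.EtcdEncryptionSecretLen
	keyPrefix         = "key"     // assumed key-name prefix
	encryptedResource = "secrets" // assumed resource that is encrypted at rest
)

// NewEncryptionKeyName derives a key name from the timestamp (assumed format).
func NewEncryptionKeyName(t time.Time) string { return fmt.Sprintf("%s%d", keyPrefix, t.Unix()) }

// NewEncryptionKeySecret reads exactly secretLen bytes and base64-encodes them.
// io.ReadFull fails on a short reader instead of silently producing a weak key.
func NewEncryptionKeySecret(r io.Reader) (string, error) {
	buf := make([]byte, secretLen)
	if _, err := io.ReadFull(r, buf); err != nil {
		return "", fmt.Errorf("reading %d random bytes: %w", secretLen, err)
	}
	return base64.StdEncoding.EncodeToString(buf), nil
}

// AddNewEncryptionKey prepends a fresh key (newest key is used for writes) and flags a rewrite.
func (e *EncryptionConfig) AddNewEncryptionKey() error {
	secret, err := NewEncryptionKeySecret(rand.Reader)
	if err != nil {
		return err
	}
	k := EncryptionKey{Key: secret, Name: NewEncryptionKeyName(time.Now())}
	e.EncryptionKeys = append([]EncryptionKey{k}, e.EncryptionKeys...)
	e.RewriteResources = true
	return nil
}

// SetForcePlainTextResources flips plain-text mode and marks resources for rewrite on change.
func (e *EncryptionConfig) SetForcePlainTextResources(force bool) {
	if e.ForcePlainTextResources != force {
		e.RewriteResources = true
	}
	e.ForcePlainTextResources = force
}

// NewEncryptionConfiguration builds the apiserver configuration. The first provider is used
// for writes, all providers are tried for reads, so identity goes first only when plain text is forced.
func NewEncryptionConfiguration(ec *EncryptionConfig) *EncryptionConfiguration {
	aes := ProviderConfiguration{AESCBC: &AESConfiguration{}}
	for _, k := range ec.EncryptionKeys {
		aes.AESCBC.Keys = append(aes.AESCBC.Keys, Key{Name: k.Name, Secret: k.Key})
	}
	identity := ProviderConfiguration{Identity: &IdentityConfiguration{}}
	providers := []ProviderConfiguration{aes, identity}
	if ec.ForcePlainTextResources {
		providers = []ProviderConfiguration{identity, aes}
	}
	return &EncryptionConfiguration{Resources: []ResourceConfiguration{
		{Resources: []string{encryptedResource}, Providers: providers},
	}}
}

// GetSecretKeyForResources returns the first AES-CBC key for the resource, validating that the
// secret is base64 of exactly secretLen bytes; empty strings mean no AES-CBC provider.
func GetSecretKeyForResources(conf *EncryptionConfiguration, resources string) (string, string, error) {
	for _, rc := range conf.Resources {
		for _, r := range rc.Resources {
			if r != resources {
				continue
			}
			for _, p := range rc.Providers {
				if p.AESCBC == nil || len(p.AESCBC.Keys) == 0 {
					continue
				}
				k := p.AESCBC.Keys[0]
				raw, err := base64.StdEncoding.DecodeString(k.Secret)
				if err != nil {
					return "", "", fmt.Errorf("key %q: secret is not base64: %w", k.Name, err)
				}
				if len(raw) != secretLen {
					return "", "", fmt.Errorf("key %q: want %d-byte secret, got %d", k.Name, secretLen, len(raw))
				}
				return k.Name, k.Secret, nil
			}
		}
	}
	return "", "", nil
}

func main() {
	ec := &EncryptionConfig{}
	if err := ec.AddNewEncryptionKey(); err != nil {
		panic(err)
	}
	name, _, err := GetSecretKeyForResources(NewEncryptionConfiguration(ec), encryptedResource)
	if err != nil {
		panic(err)
	}
	fmt.Printf("active key %s, rewrite=%v\n", name, ec.RewriteResources)
}
```

Note that a key is only removed from the AES-CBC key list once every stored object has been rewritten with the newer key; until then the old key must stay in the list so that reads of not-yet-rewritten objects still succeed.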

func (*EncryptionConfig) TypeVersion

func (e *EncryptionConfig) TypeVersion() infodata.TypeVersion

TypeVersion implements InfoData

type EncryptionConfigData

type EncryptionConfigData struct {
	EncryptionKeys          []EncryptionKeyData `json:"encryptionKeys"`
	ForcePlainTextResources bool                `json:"forcePlainTextResources"`
	RewriteResources        bool                `json:"rewriteResources"`
}

EncryptionConfigData is the JSON representation of EncryptionConfig: a list of keys and flags indicating whether resources should be forcefully persisted in plain text and whether they should be rewritten because the configuration changed.

type EncryptionKey

type EncryptionKey struct {
	Key  string
	Name string
}

EncryptionKey holds the key and its name used to encrypt resources in ETCD.

type EncryptionKeyData

type EncryptionKeyData struct {
	Key  string `json:"key"`
	Name string `json:"name"`
}

EncryptionKeyData is the JSON representation of EncryptionKey: the key and its name used to encrypt resources in ETCD.
