package kmsv2
import "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2"
Package kmsv2 transforms values for storage at rest using an Envelope v2 provider.
Index
- Constants
- Variables
- func GenerateTransformer(ctx context.Context, uid string, envelopeService kmsservice.Service, useSeed bool) (value.Transformer, *kmstypes.EncryptedObject, []byte, error)
- func GetHashIfNotEmpty(data string) string
- func NewEnvelopeTransformer(envelopeService kmsservice.Service, providerName string, stateFunc StateFunc, apiServerID string) value.Transformer
- func NewGRPCService(ctx context.Context, endpoint, providerName string, callTimeout time.Duration) (kmsservice.Service, error)
- func ValidateEncryptedObject(o *kmstypes.EncryptedObject) error
- type ErrCodeKeyID
- type State
- type StateFunc
Constants
const (
	// KMSAPIVersionv2 is a version of the KMS API.
	KMSAPIVersionv2 = "v2"
	// KMSAPIVersionv2beta1 is a version of the KMS API.
	KMSAPIVersionv2beta1 = "v2beta1"
	// KeyIDMaxSize is the maximum size of the keyID.
	KeyIDMaxSize = 1 * 1024 // 1 kB
)
Variables
NowFunc is exported so tests can override it.
Functions
func GenerateTransformer
func GenerateTransformer(ctx context.Context, uid string, envelopeService kmsservice.Service, useSeed bool) (value.Transformer, *kmstypes.EncryptedObject, []byte, error)
GenerateTransformer generates a new transformer and encrypts the DEK/seed using the envelope service. It returns the transformer, the encrypted DEK/seed, the cache key and an error.
func GetHashIfNotEmpty
func GetHashIfNotEmpty(data string) string
GetHashIfNotEmpty returns the sha256 hash of the data if it is not empty.
func NewEnvelopeTransformer
func NewEnvelopeTransformer(envelopeService kmsservice.Service, providerName string, stateFunc StateFunc, apiServerID string) value.Transformer
NewEnvelopeTransformer returns a transformer which implements a KEK-DEK based envelope encryption scheme. It uses envelopeService to encrypt and decrypt DEKs. Respective DEKs (in encrypted form) are prepended to the data items they encrypt.
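The KEK-DEK scheme described above, as an added example that is not the package's own code: a fresh 32-byte DEK is drawn per item, the item is sealed under the DEK with AES-GCM, the DEK is wrapped under a KEK (a local key here; in kmsv2 that wrap is the call the transformer makes to the remote KMS plugin) and the wrapped DEK is prepended to the sealed item. The fixed 60-byte wrapped-DEK prefix and the helper names are assumptions of this example, not the package's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const wrappedDEKLen = 12 + 32 + 16 // GCM nonce + 32-byte DEK + GCM tag
// mustGCM builds AES-256-GCM; every key in this example is 32 bytes, so failure is a bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}
// seal returns nonce||ciphertext with a fresh random nonce; open reverses it (callers pass >= 12 bytes).
func seal(key, plaintext []byte) []byte {
	aead := mustGCM(key)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail as of Go 1.24
	return aead.Seal(nonce, nonce, plaintext, nil)
}
func open(key, data []byte) ([]byte, error) {
	aead := mustGCM(key)
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// envelopeEncrypt: fresh DEK per item, item sealed under the DEK, DEK wrapped under the KEK
// (the only step the real transformer sends to the KMS) and prepended to the sealed item.
func envelopeEncrypt(kek, plaintext []byte) []byte {
	dek := make([]byte, 32)
	rand.Read(dek)
	return append(seal(kek, dek), seal(dek, plaintext)...)
}

// envelopeDecrypt unwraps the prepended DEK under the KEK, then opens the item; tampering fails GCM auth.
func envelopeDecrypt(kek, data []byte) ([]byte, error) {
	if len(data) < wrappedDEKLen+12+16 { // wrapped DEK plus at least the item's nonce and tag
		return nil, errors.New("envelope truncated")
	}
	dek, err := open(kek, data[:wrappedDEKLen])
	if err != nil {
		return nil, err
	}
	return open(dek, data[wrappedDEKLen:])
}
```

Drive it from a main or a test: envelopeDecrypt(kek, envelopeEncrypt(kek, item)) returns item, while flipping any byte of the envelope, using a different KEK, or truncating it makes envelopeDecrypt return an error.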
func NewGRPCService
func NewGRPCService(ctx context.Context, endpoint, providerName string, callTimeout time.Duration) (kmsservice.Service, error)
NewGRPCService returns an envelope.Service which uses gRPC to communicate with the remote KMS provider.
func ValidateEncryptedObject
func ValidateEncryptedObject(o *kmstypes.EncryptedObject) error
Types
type ErrCodeKeyID
type ErrCodeKeyID string
func ValidateKeyID
func ValidateKeyID(keyID string) (ErrCodeKeyID, error)
ValidateKeyID tests the following:
1. The keyID is not empty.
2. The size of keyID is less than 1 kB.
type State
type State struct {
	Transformer         value.Transformer
	EncryptedObject     kmstypes.EncryptedObject
	UID                 string
	ExpirationTimestamp time.Time
	// CacheKey is the key used to cache the DEK/seed in envelopeTransformer.cache.
	CacheKey []byte
}
func (*State) ValidateEncryptCapability
type StateFunc
Source Files
cache.go envelope.go grpc_service.go
Directories
Path | Synopsis
---|---
pkg/storage/value/encrypt/envelope/kmsv2/v2 | Package v2 contains definition of kms-plugin's serialized types.
- Version: v0.33.0 (latest)
- Published: Apr 23, 2025
- Platform: linux/amd64
- Imports: 33 packages