F4 Convert `k8s.io/kms/apis` from gogo to protoc by saschagrunert · Pull Request #132833 · kubernetes/kubernetes · GitHub
Convert k8s.io/kms/apis from gogo to protoc #132833

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 16, 2025
1 change: 0 additions & 1 deletion hack/unwanted-dependencies.json
Expand Up @@ -152,7 +152,6 @@
"k8s.io/apiserver",
"k8s.io/client-go",
"k8s.io/code-generator",
"k8s.io/kms",
"k8s.io/kube-aggregator",
"k8s.io/kubelet",
"k8s.io/kubernetes",
4 changes: 2 additions & 2 deletions hack/update-codegen.sh
Expand Up @@ -1025,8 +1025,6 @@ function codegen::protobindings() {

"staging/src/k8s.io/kubelet/pkg/apis/deviceplugin"

"staging/src/k8s.io/kms/apis"
"staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2"

"staging/src/k8s.io/kubelet/pkg/apis/dra"

Expand All @@ -1035,6 +1033,8 @@ function codegen::protobindings() {

)
local apis_using_protoc=(
"staging/src/k8s.io/kms/apis"
"staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2"
"staging/src/k8s.io/cri-api/pkg/apis/runtime"
"staging/src/k8s.io/externaljwt/apis"
)
Expand Up @@ -402,12 +402,12 @@ func (h *kmsv2PluginProbe) rotateDEKOnKeyIDChange(ctx context.Context, statusKey
// this allows us to easily exercise both modes without restarting the API server
// TODO integration test that this dynamically takes effect
useSeed := GetKDF(h.name)
stateUseSeed := state.EncryptedObject.EncryptedDEKSourceType == kmstypes.EncryptedDEKSourceType_HKDF_SHA256_XNONCE_AES_GCM_SEED
stateUseSeed := state.EncryptedObjectEncryptedDEKSourceType == kmstypes.EncryptedDEKSourceType_HKDF_SHA256_XNONCE_AES_GCM_SEED

// state is valid and status keyID is unchanged from when we generated this DEK/seed so there is no need to rotate it
// just move the expiration of the current state forward by the reuse interval
// useSeed can only change at runtime during tests, so we check it here to allow us to easily exercise both modes
if errState == nil && state.EncryptedObject.KeyID == statusKeyID && stateUseSeed == useSeed {
if errState == nil && state.EncryptedObjectKeyID == statusKeyID && stateUseSeed == useSeed {
state.ExpirationTimestamp = expirationTimestamp
h.state.Store(&state)
return nil
Expand All @@ -423,11 +423,14 @@ func (h *kmsv2PluginProbe) rotateDEKOnKeyIDChange(ctx context.Context, statusKey
// TODO maybe add success metrics?
if errGen == nil && encObject.KeyID == statusKeyID {
h.state.Store(&envelopekmsv2.State{
Transformer: transformer,
EncryptedObject: *encObject,
UID: uid,
ExpirationTimestamp: expirationTimestamp,
CacheKey: cacheKey,
Transformer: transformer,
EncryptedObjectKeyID: encObject.KeyID,
EncryptedObjectEncryptedDEKSource: encObject.EncryptedDEKSource,
EncryptedObjectAnnotations: encObject.Annotations,
EncryptedObjectEncryptedDEKSourceType: encObject.EncryptedDEKSourceType,
UID: uid,
ExpirationTimestamp: expirationTimestamp,
CacheKey: cacheKey,
})

// it should be logically impossible for the new state to be invalid but check just in case
Expand All @@ -439,16 +442,17 @@ func (h *kmsv2PluginProbe) rotateDEKOnKeyIDChange(ctx context.Context, statusKey
"uid", uid,
"useSeed", useSeed,
"newKeyIDHash", envelopekmsv2.GetHashIfNotEmpty(encObject.KeyID),
"oldKeyIDHash", envelopekmsv2.GetHashIfNotEmpty(state.EncryptedObject.KeyID),
"oldKeyIDHash", envelopekmsv2.GetHashIfNotEmpty(state.EncryptedObjectKeyID),
"expirationTimestamp", expirationTimestamp.Format(time.RFC3339),
)
}
return nil
}
}

//nolint:errorlint // printing the <nil> error is intentional
return fmt.Errorf("failed to rotate DEK uid=%q, useSeed=%v, errState=%v, errGen=%v, statusKeyIDHash=%q, encryptKeyIDHash=%q, stateKeyIDHash=%q, expirationTimestamp=%s",
uid, useSeed, errState, errGen, envelopekmsv2.GetHashIfNotEmpty(statusKeyID), envelopekmsv2.GetHashIfNotEmpty(encObject.KeyID), envelopekmsv2.GetHashIfNotEmpty(state.EncryptedObject.KeyID), state.ExpirationTimestamp.Format(time.RFC3339))
uid, useSeed, errState, errGen, envelopekmsv2.GetHashIfNotEmpty(statusKeyID), envelopekmsv2.GetHashIfNotEmpty(encObject.KeyID), envelopekmsv2.GetHashIfNotEmpty(state.EncryptedObjectKeyID), state.ExpirationTimestamp.Format(time.RFC3339))
}

// getCurrentState returns the latest state from the last status and encrypt calls.
Expand All @@ -461,11 +465,13 @@ func (h *kmsv2PluginProbe) getCurrentState() (envelopekmsv2.State, error) {
return envelopekmsv2.State{}, fmt.Errorf("got unexpected nil transformer")
}

encryptedObjectCopy := state.EncryptedObject
if len(encryptedObjectCopy.EncryptedData) != 0 {
return envelopekmsv2.State{}, fmt.Errorf("got unexpected non-empty EncryptedData")
encryptedObjectCopy := kmstypes.EncryptedObject{
KeyID: state.EncryptedObjectKeyID,
EncryptedDEKSource: state.EncryptedObjectEncryptedDEKSource,
Annotations: state.EncryptedObjectAnnotations,
EncryptedDEKSourceType: state.EncryptedObjectEncryptedDEKSourceType,
EncryptedData: []byte{0}, // any non-empty value to pass validation
}
encryptedObjectCopy.EncryptedData = []byte{0} // any non-empty value to pass validation
if err := envelopekmsv2.ValidateEncryptedObject(&encryptedObjectCopy); err != nil {
return envelopekmsv2.State{}, fmt.Errorf("got invalid EncryptedObject: %w", err)
}
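Review bot: The struct literal in rotateDEKOnKeyIDChange (L97-L104) and the rebuild in getCurrentState (L135-L141) now hand-copy the four non-ciphertext fields of `kmstypes.EncryptedObject` into `envelopekmsv2.State` and back, and TransformToStorage in the envelope package performs the same projection a third time, so a field added to the message later would be silently dropped at whichever site is missed. A single constructor in envelopekmsv2 that takes the `*kmstypes.EncryptedObject` and fills the `EncryptedObject*` fields (and a matching method that rebuilds the message from a State) would keep that mapping in one place; failing that, a comment at each site naming the others would at least make the coupling visible. The old `got unexpected non-empty EncryptedData` guard in getCurrentState is gone, which is sound because State can no longer carry ciphertext, but a one-line comment above `EncryptedData: []byte{0}` such as `// State never stores ciphertext; the placeholder exists only because ValidateEncryptedObject rejects empty EncryptedData` would stop a future reader from re-adding the check. getCurrentState continues past the end of the visible hunk.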
Expand Up @@ -713,7 +713,7 @@ func TestKMSPluginHealthz(t *testing.T) {
apiServerID: "",
}
keyID := "1"
kmsv2Probe.state.Store(&envelopekmsv2.State{EncryptedObject: kmstypes.EncryptedObject{KeyID: keyID}})
kmsv2Probe.state.Store(&envelopekmsv2.State{EncryptedObjectKeyID: keyID})

testCases := []struct {
desc string
Expand Down Expand Up @@ -1888,8 +1888,8 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
state: envelopekmsv2.State{},
statusKeyID: "1",
wantState: envelopekmsv2.State{
EncryptedObject: kmstypes.EncryptedObject{KeyID: "1"},
ExpirationTimestamp: now.Add(3 * time.Minute),
EncryptedObjectKeyID: "1",
ExpirationTimestamp: now.Add(3 * time.Minute),
},
wantEncryptCalls: 1,
wantLogs: []string{
Expand All @@ -1905,8 +1905,8 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
state: validState(t, "2", now, false),
statusKeyID: "2",
wantState: envelopekmsv2.State{
EncryptedObject: kmstypes.EncryptedObject{KeyID: "2"},
ExpirationTimestamp: now.Add(3 * time.Minute),
EncryptedObjectKeyID: "2",
ExpirationTimestamp: now.Add(3 * time.Minute),
},
wantEncryptCalls: 0,
wantLogs: nil,
Expand All @@ -1919,8 +1919,9 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
useSeed: true,
statusKeyID: "2",
wantState: envelopekmsv2.State{
EncryptedObject: kmstypes.EncryptedObject{KeyID: "2", EncryptedDEKSourceType: kmstypes.EncryptedDEKSourceType_HKDF_SHA256_XNONCE_AES_GCM_SEED},
ExpirationTimestamp: now.Add(3 * time.Minute),
EncryptedObjectKeyID: "2",
EncryptedObjectEncryptedDEKSourceType: kmstypes.EncryptedDEKSourceType_HKDF_SHA256_XNONCE_AES_GCM_SEED,
ExpirationTimestamp: now.Add(3 * time.Minute),
},
wantEncryptCalls: 1,
wantLogs: []string{
Expand All @@ -1936,8 +1937,8 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
state: validState(t, "2", now, true),
statusKeyID: "2",
wantState: envelopekmsv2.State{
EncryptedObject: kmstypes.EncryptedObject{KeyID: "2"},
ExpirationTimestamp: now.Add(3 * time.Minute),
EncryptedObjectKeyID: "2",
ExpirationTimestamp: now.Add(3 * time.Minute),
},
wantEncryptCalls: 1,
wantLogs: []string{
Expand All @@ -1954,8 +1955,9 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
useSeed: true,
statusKeyID: "2",
wantState: envelopekmsv2.State{
EncryptedObject: kmstypes.EncryptedObject{KeyID: "2", EncryptedDEKSourceType: kmstypes.EncryptedDEKSourceType_HKDF_SHA256_XNONCE_AES_GCM_SEED},
ExpirationTimestamp: now.Add(3 * time.Minute),
EncryptedObjectKeyID: "2",
EncryptedObjectEncryptedDEKSourceType: kmstypes.EncryptedDEKSourceType_HKDF_SHA256_XNONCE_AES_GCM_SEED,
ExpirationTimestamp: now.Add(3 * time.Minute),
},
wantEncryptCalls: 0,
wantLogs: nil,
Expand All @@ -1968,8 +1970,9 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
useSeed: defaultUseSeed,
statusKeyID: "2",
wantState: envelopekmsv2.State{
EncryptedObject: kmstypes.EncryptedObject{KeyID: "2", EncryptedDEKSourceType: kmstypes.EncryptedDEKSourceType_HKDF_SHA256_XNONCE_AES_GCM_SEED},
ExpirationTimestamp: now.Add(3 * time.Minute),
EncryptedObjectKeyID: "2",
EncryptedObjectEncryptedDEKSourceType: kmstypes.EncryptedDEKSourceType_HKDF_SHA256_XNONCE_AES_GCM_SEED,
ExpirationTimestamp: now.Add(3 * time.Minute),
},
wantEncryptCalls: 1,
wantLogs: []string{
Expand All @@ -1986,8 +1989,9 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
useSeed: defaultUseSeed,
statusKeyID: "2",
wantState: envelopekmsv2.State{
EncryptedObject: kmstypes.EncryptedObject{KeyID: "2", EncryptedDEKSourceType: kmstypes.EncryptedDEKSourceType_HKDF_SHA256_XNONCE_AES_GCM_SEED},
ExpirationTimestamp: now.Add(3 * time.Minute),
EncryptedObjectKeyID: "2",
EncryptedObjectEncryptedDEKSourceType: kmstypes.EncryptedDEKSourceType_HKDF_SHA256_XNONCE_AES_GCM_SEED,
ExpirationTimestamp: now.Add(3 * time.Minute),
},
wantEncryptCalls: 0,
wantLogs: nil,
Expand All @@ -1999,8 +2003,8 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
state: validState(t, "3", now.Add(-time.Hour), false),
statusKeyID: "3",
wantState: envelopekmsv2.State{
EncryptedObject: kmstypes.EncryptedObject{KeyID: "3"},
ExpirationTimestamp: now.Add(3 * time.Minute),
EncryptedObjectKeyID: "3",
ExpirationTimestamp: now.Add(3 * time.Minute),
},
wantEncryptCalls: 0,
wantLogs: nil,
Expand All @@ -2012,8 +2016,8 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
state: validState(t, "3", now.Add(-time.Hour), false),
statusKeyID: "4",
wantState: envelopekmsv2.State{
EncryptedObject: kmstypes.EncryptedObject{KeyID: "4"},
ExpirationTimestamp: now.Add(3 * time.Minute),
EncryptedObjectKeyID: "4",
ExpirationTimestamp: now.Add(3 * time.Minute),
},
wantEncryptCalls: 1,
wantLogs: []string{
Expand All @@ -2029,8 +2033,8 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
state: validState(t, "4", now.Add(7*time.Minute), false),
statusKeyID: "5",
wantState: envelopekmsv2.State{
EncryptedObject: kmstypes.EncryptedObject{KeyID: "4"},
ExpirationTimestamp: now.Add(7 * time.Minute),
EncryptedObjectKeyID: "4",
ExpirationTimestamp: now.Add(7 * time.Minute),
},
wantEncryptCalls: 1,
wantLogs: []string{
Expand Down Expand Up @@ -2061,8 +2065,8 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
state: validState(t, "2", now, false),
statusKeyID: "3",
wantState: envelopekmsv2.State{
EncryptedObject: kmstypes.EncryptedObject{KeyID: "2"},
ExpirationTimestamp: now,
EncryptedObjectKeyID: "2",
ExpirationTimestamp: now,
},
wantEncryptCalls: 1,
wantLogs: []string{
Expand Down Expand Up @@ -2099,7 +2103,7 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
t.Errorf("log mismatch (-want +got):\n%s", diff)
}

ignoredFields := sets.NewString("Transformer", "EncryptedObject.EncryptedDEKSource", "UID", "CacheKey")
ignoredFields := sets.NewString("Transformer", "EncryptedObjectEncryptedDEKSource", "UID", "CacheKey")

gotState := *h.state.Load()

Expand All @@ -2110,15 +2114,15 @@ func Test_kmsv2PluginProbe_rotateDEKOnKeyIDChange(t *testing.T) {
}

if len(cmp.Diff(tt.wantState, gotState)) > 0 { // we only need to run this check when the state changes
validCiphertext := len(gotState.EncryptedObject.EncryptedDEKSource) > 0
validCiphertext := len(gotState.EncryptedObjectEncryptedDEKSource) > 0
if tt.useSeed {
validCiphertext = validCiphertext && gotState.EncryptedObject.EncryptedDEKSourceType == kmstypes.EncryptedDEKSourceType_HKDF_SHA256_XNONCE_AES_GCM_SEED
validCiphertext = validCiphertext && gotState.EncryptedObjectEncryptedDEKSourceType == kmstypes.EncryptedDEKSourceType_HKDF_SHA256_XNONCE_AES_GCM_SEED
} else {
validCiphertext = validCiphertext && gotState.EncryptedObject.EncryptedDEKSourceType == kmstypes.EncryptedDEKSourceType_AES_GCM_KEY
validCiphertext = validCiphertext && gotState.EncryptedObjectEncryptedDEKSourceType == kmstypes.EncryptedDEKSourceType_AES_GCM_KEY
}
if !validCiphertext {
t.Errorf("invalid ciphertext with useSeed=%v, encryptedDEKSourceLen=%d, encryptedDEKSourceType=%d", tt.useSeed,
len(gotState.EncryptedObject.EncryptedDEKSource), gotState.EncryptedObject.EncryptedDEKSourceType)
len(gotState.EncryptedObjectEncryptedDEKSource), gotState.EncryptedObjectEncryptedDEKSourceType)
}
}

Expand Down Expand Up @@ -2170,10 +2174,13 @@ func validState(t *testing.T, keyID string, exp time.Time, useSeed bool) envelop
t.Fatal(err)
}
return envelopekmsv2.State{
Transformer: transformer,
EncryptedObject: *encObject,
ExpirationTimestamp: exp,
CacheKey: cacheKey,
Transformer: transformer,
EncryptedObjectKeyID: encObject.KeyID,
EncryptedObjectEncryptedDEKSource: encObject.EncryptedDEKSource,
EncryptedObjectAnnotations: encObject.Annotations,
EncryptedObjectEncryptedDEKSourceType: encObject.EncryptedDEKSourceType,
ExpirationTimestamp: exp,
CacheKey: cacheKey,
}
}

Expand Up @@ -27,9 +27,9 @@ import (
"time"
"unsafe"

"github.com/gogo/protobuf/proto"
"go.opentelemetry.io/otel/attribute"
"golang.org/x/crypto/cryptobyte"
"google.golang.org/protobuf/proto"

utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apimachinery/pkg/util/uuid"
Expand Down Expand Up @@ -90,7 +90,10 @@ type ErrCodeKeyID string
type State struct {
Transformer value.Transformer

EncryptedObject kmstypes.EncryptedObject
EncryptedObjectKeyID string
EncryptedObjectEncryptedDEKSource []byte
EncryptedObjectAnnotations map[string][]byte
EncryptedObjectEncryptedDEKSourceType kmstypes.EncryptedDEKSourceType

UID string

Expand All @@ -103,7 +106,7 @@ type State struct {
func (s *State) ValidateEncryptCapability() error {
if now := NowFunc(); now.After(s.ExpirationTimestamp) {
return fmt.Errorf("encryptedDEKSource with keyID hash %q expired at %s (current time is %s)",
GetHashIfNotEmpty(s.EncryptedObject.KeyID), s.ExpirationTimestamp.Format(time.RFC3339), now.Format(time.RFC3339))
GetHashIfNotEmpty(s.EncryptedObjectKeyID), s.ExpirationTimestamp.Format(time.RFC3339), now.Format(time.RFC3339))
}
return nil
}
Expand Down Expand Up @@ -219,8 +222,8 @@ func (t *envelopeTransformer) TransformFromStorage(ctx context.Context, data []b
// data is considered stale if the key ID does not match our current write transformer
return out,
stale ||
encryptedObject.KeyID != state.EncryptedObject.KeyID ||
encryptedObject.EncryptedDEKSourceType != state.EncryptedObject.EncryptedDEKSourceType,
encryptedObject.KeyID != state.EncryptedObjectKeyID ||
encryptedObject.EncryptedDEKSourceType != state.EncryptedObjectEncryptedDEKSourceType,
nil
}

Expand Down Expand Up @@ -266,14 +269,19 @@ func (t *envelopeTransformer) TransformToStorage(ctx context.Context, data []byt
}
span.AddEvent("Data encryption succeeded")

metrics.RecordKeyID(metrics.ToStorageLabel, t.providerName, state.EncryptedObject.KeyID, t.apiServerID)
metrics.RecordKeyID(metrics.ToStorageLabel, t.providerName, state.EncryptedObjectKeyID, t.apiServerID)

encObjectCopy := state.EncryptedObject
encObjectCopy.EncryptedData = result
encObjectCopy := &kmstypes.EncryptedObject{
KeyID: state.EncryptedObjectKeyID,
EncryptedDEKSource: state.EncryptedObjectEncryptedDEKSource,
Annotations: state.EncryptedObjectAnnotations,
EncryptedDEKSourceType: state.EncryptedObjectEncryptedDEKSourceType,
EncryptedData: result,
}

span.AddEvent("About to encode encrypted object")
// Serialize the EncryptedObject to a byte array.
out, err := t.doEncode(&encObjectCopy)
out, err := t.doEncode(encObjectCopy)
if err != nil {
span.AddEvent("Encoding encrypted object failed")
span.RecordError(err)
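Review bot: Replacing `github.com/gogo/protobuf/proto` with `google.golang.org/protobuf/proto` at L335/L338 changes the decoder behind `doDecode` and TransformFromStorage (both outside the visible hunks) for data already at rest, and protobuf-go rejects invalid UTF-8 in proto3 `string` fields such as `KeyID` where gogo did not, so an `EncryptedObject` persisted earlier with a non-UTF-8 key ID from a plugin — unlikely, but not prevented before this change — would become undecodable after upgrade rather than merely stale. A round-trip test that decodes a fixture produced by the old gogo-based encoder would pin storage compatibility across the library swap. Separately, the four new `EncryptedObject*` fields at L347-L350 carry no comment saying why the message was flattened; presumably the protoc-generated type carries internal state that must not be copied by value (`go vet` copylocks), so confirm that and record it, e.g. `// These fields mirror kmstypes.EncryptedObject minus EncryptedData (State never holds ciphertext); they are stored individually rather than as an embedded message so State stays safely copyable — keep in sync with that message.` Note that `EncryptedObjectAnnotations` is a map shared by reference with every message built at L383-L389, which is pre-existing behavior but now more visible and worth a sentence in that comment.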