Skip to content

Convert k8s.io/kms/apis from gogo to protoc #132833

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 16, 2025
Merged

Convert k8s.io/kms/apis from gogo to protoc #132833

merged 1 commit into from
Jul 16, 2025
+1,534 −1,001

Conversation

saschagrunert
Copy link
Member

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

Use standard protoc for the kms APIs instead of gogo.

Which issue(s) this PR is related to:

Part of #96564

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Removed deprecated gogo protocol definitions from `k8s.io/kms/apis` in favor of `google.golang.org/protobuf`.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

None

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jul 9, 2025
@saschagrunert saschagrunert changed the title Convert k8s.io/kms/apis from gogo to protoc WIP: Convert k8s.io/kms/apis from gogo to protoc Jul 9, 2025
@k8s-ci-robot k8s-ci-robot added the do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jul 9, 2025
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jul 9, 2025
@k8s-ci-robot k8s-ci-robot requested review from BenTheElder, enj and a team July 9, 2025 05:48
@k8s-ci-robot k8s-ci-robot added area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Jul 9, 2025
@saschagrunert saschagrunert changed the title WIP: Convert k8s.io/kms/apis from gogo to protoc Convert k8s.io/kms/apis from gogo to protoc Jul 9, 2025
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 9, 2025
@saschagrunert saschagrunert force-pushed the kms-gogo branch 6 times, most recently from ba15451 to eb3f591 Compare July 9, 2025 10:47
@k8s-ci-robot k8s-ci-robot added area/test sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Jul 9, 2025
@saschagrunert saschagrunert changed the title WIP: Convert k8s.io/kms/apis from gogo to protoc Convert k8s.io/kms/apis from gogo to protoc Jul 10, 2025
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 10, 2025
liggitt
liggitt reviewed Jul 14, 2025
View reviewed changes
@saschagrunert saschagrunert force-pushed the kms-gogo branch 7 times, most recently from 8c76a5f to e403217 Compare July 16, 2025 11:15
liggitt
liggitt reviewed Jul 16, 2025
View reviewed changes
liggitt
liggitt reviewed Jul 16, 2025
View reviewed changes
test/integration/controlplane/transformation/kmsv2_transformation_test.go Outdated
@@ -464,6 +464,7 @@ resources:
var firstEncryptedDEKSource []byte
var f checkFunc
if useSeed {
//nolint:govet // copying the lock is nonrelevant for this test
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we change all these signatures to take a pointer so we don't have to add nolint:govet anywhere?

diff --git a/test/integration/controlplane/transformation/kmsv2_transformation_test.go b/test/integration/controlplane/transformation/kmsv2_transformation_test.go
index c4a716f870a..a0ecbbc1c95 100644
--- a/test/integration/controlplane/transformation/kmsv2_transformation_test.go
+++ b/test/integration/controlplane/transformation/kmsv2_transformation_test.go
@@ -464,8 +464,7 @@ resources:
 	var firstEncryptedDEKSource []byte
 	var f checkFunc
 	if useSeed {
-		//nolint:govet // copying the lock is nonrelevant for this test
-		f = func(_ int, _ uint64, etcdKey string, obj kmstypes.EncryptedObject) {
+		f = func(_ int, _ uint64, etcdKey string, obj *kmstypes.EncryptedObject) {
 			firstEncryptedDEKSource = obj.EncryptedDEKSource
 
 			if obj.KeyID != "1" {
@@ -473,8 +472,7 @@ resources:
 			}
 		}
 	} else {
-		//nolint:govet // copying the lock is nonrelevant for this test
-		f = func(_ int, counter uint64, etcdKey string, obj kmstypes.EncryptedObject) {
+		f = func(_ int, counter uint64, etcdKey string, obj *kmstypes.EncryptedObject) {
 			firstEncryptedDEKSource = obj.EncryptedDEKSource
 
 			if obj.KeyID != "1" {
@@ -534,8 +532,7 @@ resources:
 	// - create
 	var checkDEK checkFunc
 	if useSeed {
-		//nolint:govet // copying the lock is nonrelevant for this test
-		checkDEK = func(_ int, _ uint64, etcdKey string, obj kmstypes.EncryptedObject) {
+		checkDEK = func(_ int, _ uint64, etcdKey string, obj *kmstypes.EncryptedObject) {
 			if len(obj.EncryptedDEKSource) == 0 {
 				t.Error("unexpected empty DEK source")
 			}
@@ -549,8 +546,7 @@ resources:
 			}
 		}
 	} else {
-		//nolint:govet // copying the lock is nonrelevant for this test
-		checkDEK = func(_ int, counter uint64, etcdKey string, obj kmstypes.EncryptedObject) {
+		checkDEK = func(_ int, counter uint64, etcdKey string, obj *kmstypes.EncryptedObject) {
 			if len(obj.EncryptedDEKSource) == 0 {
 				t.Error("unexpected empty DEK source")
 			}
@@ -689,8 +685,7 @@ func TestKMSv2ProviderDEKSourceReuse(t *testing.T) {
 		kmsName := "kms-provider-dek-reuse-false"
 		defer encryptionconfig.SetKDFForTests(kmsName, false)()
 		testKMSv2ProviderDEKSourceReuse(t, kmsName,
-			//nolint:govet // copying the lock is nonrelevant for this test
-			func(i int, counter uint64, etcdKey string, obj kmstypes.EncryptedObject) {
+			func(i int, counter uint64, etcdKey string, obj *kmstypes.EncryptedObject) {
 				if obj.KeyID != "1" {
 					t.Errorf("key %s: want key ID %s, got %s", etcdKey, "1", obj.KeyID)
 				}
@@ -708,8 +703,7 @@ func TestKMSv2ProviderDEKSourceReuse(t *testing.T) {
 		kmsName := "kms-provider-dek-reuse-true"
 		defer encryptionconfig.SetKDFForTests(kmsName, true)()
 		testKMSv2ProviderDEKSourceReuse(t, kmsName,
-			//nolint:govet // copying the lock is nonrelevant for this test
-			func(_ int, _ uint64, etcdKey string, obj kmstypes.EncryptedObject) {
+			func(_ int, _ uint64, etcdKey string, obj *kmstypes.EncryptedObject) {
 				if obj.KeyID != "1" {
 					t.Errorf("key %s: want key ID %s, got %s", etcdKey, "1", obj.KeyID)
 				}
@@ -770,7 +764,7 @@ resources:
 	)
 }
 
-type checkFunc func(i int, counter uint64, etcdKey string, obj kmstypes.EncryptedObject)
+type checkFunc func(i int, counter uint64, etcdKey string, obj *kmstypes.EncryptedObject)
 
 func assertPodDEKSources(ctx context.Context, t *testing.T, config storagebackend.Config, podCount, dekSourcesCount int, kmsName, kmsPrefix string, f checkFunc) {
 	t.Helper()
@@ -824,14 +818,12 @@ func assertPodDEKSources(ctx context.Context, t *testing.T, config storagebacken
 		}
 
 		counter := binary.LittleEndian.Uint64(count)
-		//nolint:govet // copying the lock is nonrelevant for this test
-		f(i, counter, string(kv.Key), out[i])
+		f(i, counter, string(kv.Key), &out[i])
 	}
 
 	uniqueDEKSources := sets.NewString()
-	//nolint:govet // copying the lock is nonrelevant for this test
-	for _, object := range out {
-		object := object
+	for i := range out {
+		object := &out[i]
 		uniqueDEKSources.Insert(string(object.EncryptedDEKSource))
 		if useSeed {
 			if object.EncryptedDEKSourceType != kmstypes.EncryptedDEKSourceType_HKDF_SHA256_XNONCE_AES_GCM_SEED {

@saschagrunert
Convert k8s.io/kms/apis from gogo to protoc
8e66515 
Use standard protoc for the kms APIs instead of gogo.

Part of kubernetes#96564

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@saschagrunert
Copy link
Member Author

/test pull-kubernetes-unit

@liggitt
Copy link
Member

liggitt commented Jul 16, 2025

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 16, 2025
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 40b7d261f2bcfa323d781e092464932315852ec3

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 16, 2025
@saschagrunert
Copy link
Member Author

/test pull-kubernetes-unit

@k8s-ci-robot k8s-ci-robot merged commit 5df27c4 into kubernetes:master Jul 16, 2025
12 of 14 checks passed
@github-project-automation github-project-automation bot moved this from Needs Triage to Closed / Done in SIG Auth Jul 16, 2025
@k8s-ci-robot k8s-ci-robot added this to the v1.34 milestone Jul 16, 2025
@saschagrunert saschagrunert deleted the kms-gogo branch July 17, 2025 10:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@BenTheElder BenTheElder Awaiting requested review from BenTheElder

@enj enj Awaiting requested review from enj

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
SIG Auth
Status: Closed / Done
Milestone
v1.34
Development

Successfully merging this pull request may close these issues.
3 participants
@saschagrunert @k8s-ci-robot @liggitt
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy