Merge pull request #115123 from aramase/v2beta1

[KMSv2] Generate proto API and update feature gate for beta

staging/src/k8s.io/apiserver/pkg/features/kube_features.go

@@ -125,6 +125,7 @@ const (
 	// owner: @aramase
 	// kep: https://kep.k8s.io/3299
 	// alpha: v1.25
+	// beta: v1.27
 	//
 	// Enables KMS v2 API for encryption at rest.
 	KMSv2 featuregate.Feature = "KMSv2"
@@ -244,7 +245,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 
 	EfficientWatchResumption: {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 
-	KMSv2: {Default: false, PreRelease: featuregate.Alpha},
+	KMSv2: {Default: true, PreRelease: featuregate.Beta},
 
 	OpenAPIEnums: {Default: true, PreRelease: featuregate.Beta},
 

staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go

@@ -108,7 +108,7 @@ func (t *testKMSv2EnvelopeService) Status(ctx context.Context) (*kmsservice.Stat
 	if t.err != nil {
 		return nil, t.err
 	}
-	return &kmsservice.StatusResponse{Healthz: "ok", KeyID: t.keyID, Version: "v2alpha1"}, nil
+	return &kmsservice.StatusResponse{Healthz: "ok", KeyID: t.keyID, Version: "v2beta1"}, nil
 }
 
 // The factory method to create mock envelope service.
@@ -1565,7 +1565,7 @@ func TestIsKMSv2ProviderHealthyError(t *testing.T) {
 			statusResponse: &kmsservice.StatusResponse{
 				Healthz: "unhealthy",
 			},
-			expectedErr: "got unexpected healthz status: unhealthy, expected KMSv2 API version v2alpha1, got , got invalid KMSv2 KeyID ",
+			expectedErr: "got unexpected healthz status: unhealthy, expected KMSv2 API version v2beta1, got , got invalid KMSv2 KeyID ",
 			wantMetrics: `
 			# HELP apiserver_envelope_encryption_invalid_key_id_from_status_total [ALPHA] Number of times an invalid keyID is returned by the Status RPC call split by error.
 			# TYPE apiserver_envelope_encryption_invalid_key_id_from_status_total counter
@@ -1573,11 +1573,11 @@ func TestIsKMSv2ProviderHealthyError(t *testing.T) {
 			`,
 		},
 		{
-			desc: "version is not v2alpha1",
+			desc: "version is not v2beta1",
 			statusResponse: &kmsservice.StatusResponse{
 				Version: "v1beta1",
 			},
-			expectedErr: "got unexpected healthz status: , expected KMSv2 API version v2alpha1, got v1beta1, got invalid KMSv2 KeyID ",
+			expectedErr: "got unexpected healthz status: , expected KMSv2 API version v2beta1, got v1beta1, got invalid KMSv2 KeyID ",
 			wantMetrics: `
 			# HELP apiserver_envelope_encryption_invalid_key_id_from_status_total [ALPHA] Number of times an invalid keyID is returned by the Status RPC call split by error.
 			# TYPE apiserver_envelope_encryption_invalid_key_id_from_status_total counter
@@ -1588,7 +1588,7 @@ func TestIsKMSv2ProviderHealthyError(t *testing.T) {
 			desc: "missing keyID",
 			statusResponse: &kmsservice.StatusResponse{
 				Healthz: "ok",
-				Version: "v2alpha1",
+				Version: "v2beta1",
 			},
 			expectedErr: "got invalid KMSv2 KeyID ",
 			wantMetrics: `
@@ -1601,7 +1601,7 @@ func TestIsKMSv2ProviderHealthyError(t *testing.T) {
 			desc: "invalid long keyID",
 			statusResponse: &kmsservice.StatusResponse{
 				Healthz: "ok",
-				Version: "v2alpha1",
+				Version: "v2beta1",
 				KeyID:   sampleInvalidKeyID,
 			},
 			expectedErr: "got invalid KMSv2 KeyID ",

staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go

@@ -35,7 +35,7 @@ import (
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/storage/value"
 	aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
-	kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1"
+	kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2"
 	"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
 	"k8s.io/klog/v2"
 	kmsservice "k8s.io/kms/pkg/service"
@@ -49,7 +49,7 @@ func init() {
 
 const (
 	// KMSAPIVersion is the version of the KMS API.
-	KMSAPIVersion = "v2alpha1"
+	KMSAPIVersion = "v2beta1"
 	// annotationsMaxSize is the maximum size of the annotations.
 	annotationsMaxSize = 32 * 1024 // 32 kB
 	// KeyIDMaxSize is the maximum size of the keyID.

staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go

@@ -35,7 +35,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/uuid"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/storage/value"
-	kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1"
+	kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2"
 	"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
 	"k8s.io/component-base/metrics/legacyregistry"
 	"k8s.io/component-base/metrics/testutil"

staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/grpc_service.go

@@ -29,7 +29,7 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
 	"k8s.io/klog/v2"
-	kmsapi "k8s.io/kms/apis/v2alpha1"
+	kmsapi "k8s.io/kms/apis/v2"
 	kmsservice "k8s.io/kms/pkg/service"
 	"k8s.io/kms/pkg/util"
 )

staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/grpc_service_unix_test.go

@@ -25,11 +25,10 @@ import (
 	"testing"
 	"time"
 
-	"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
-	mock "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2alpha1"
-	"k8s.io/component-base/metrics/testutil"
-
 	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
+	mock "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2"
+	"k8s.io/component-base/metrics/testutil"
 	kmsservice "k8s.io/kms/pkg/service"
 )
 
@@ -441,7 +440,7 @@ func TestKMSOperationsMetric(t *testing.T) {
 					t.Fatalf("failed when execute encrypt, error: %v", err)
 				}
 			},
-			labelValues: []string{testProviderName, "/v2alpha1.KeyManagementService/Encrypt", "OK"},
+			labelValues: []string{testProviderName, "/v2.KeyManagementService/Encrypt", "OK"},
 			wantCount:   1,
 		},
 		{
@@ -451,7 +450,7 @@ func TestKMSOperationsMetric(t *testing.T) {
 					t.Fatalf("failed when execute decrypt, error: %v", err)
 				}
 			},
-			labelValues: []string{testProviderName, "/v2alpha1.KeyManagementService/Decrypt", "OK"},
+			labelValues: []string{testProviderName, "/v2.KeyManagementService/Decrypt", "OK"},
 			wantCount:   1,
 		},
 		{
@@ -461,7 +460,7 @@ func TestKMSOperationsMetric(t *testing.T) {
 					t.Fatalf("failed when execute status, error: %v", err)
 				}
 			},
-			labelValues: []string{testProviderName, "/v2alpha1.KeyManagementService/Status", "OK"},
+			labelValues: []string{testProviderName, "/v2.KeyManagementService/Status", "OK"},
 			wantCount:   1,
 		},
 		{
@@ -473,7 +472,7 @@ func TestKMSOperationsMetric(t *testing.T) {
 					}
 				}
 			},
-			labelValues: []string{testProviderName, "/v2alpha1.KeyManagementService/Status", "OK"},
+			labelValues: []string{testProviderName, "/v2.KeyManagementService/Status", "OK"},
 			wantCount:   10,
 		},
 	}

staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2/api.pb.go

@@ -17,7 +17,7 @@ limitations under the License.
 // Code generated by protoc-gen-gogo. DO NOT EDIT.
 // source: api.proto
 
-package v2alpha1
+package v2
 
 import (
 	fmt "fmt"
@@ -104,28 +104,28 @@ func (m *EncryptedObject) GetAnnotations() map[string][]byte {
 }
 
 func init() {
-	proto.RegisterType((*EncryptedObject)(nil), "v2alpha1.EncryptedObject")
-	proto.RegisterMapType((map[string][]byte)(nil), "v2alpha1.EncryptedObject.AnnotationsEntry")
+	proto.RegisterType((*EncryptedObject)(nil), "v2.EncryptedObject")
+	proto.RegisterMapType((map[string][]byte)(nil), "v2.EncryptedObject.AnnotationsEntry")
 }
 
 func init() { proto.RegisterFile("api.proto", fileDescriptor_00212fb1f9d3bf1c) }
 
 var fileDescriptor_00212fb1f9d3bf1c = []byte{
-	// 252 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x5c, 0x90, 0xc1, 0x4b, 0xf3, 0x30,
-	0x18, 0xc6, 0xe9, 0xfa, 0x7d, 0x62, 0xb3, 0x8a, 0x23, 0x78, 0x28, 0x9e, 0xca, 0xf0, 0x50, 0x3c,
-	0x24, 0x58, 0x2f, 0xc3, 0x83, 0xe0, 0x68, 0x0f, 0xa2, 0x20, 0xe4, 0xe8, 0xed, 0xdd, 0x7c, 0x99,
-	0x35, 0x35, 0x09, 0x49, 0x0c, 0xf4, 0xaf, 0x57, 0x96, 0x59, 0xe6, 0x76, 0xcb, 0xf3, 0xf0, 0x7b,
-	0xe0, 0x97, 0x97, 0x64, 0x60, 0x3a, 0x66, 0xac, 0xf6, 0x9a, 0x9e, 0x86, 0x1a, 0x7a, 0xf3, 0x0e,
-	0x37, 0xf3, 0xef, 0x84, 0x9c, 0xb7, 0x6a, 0x6d, 0x07, 0xe3, 0xf1, 0xed, 0x65, 0xf5, 0x81, 0x6b,
-	0x4f, 0xaf, 0xc8, 0x19, 0x8e, 0x55, 0x03, 0x1e, 0x8a, 0xa4, 0x4c, 0xaa, 0x5c, 0x1c, 0x96, 0xf4,
-	0x82, 0xfc, 0x97, 0x38, 0x3c, 0x36, 0xc5, 0xa4, 0x4c, 0xaa, 0x4c, 0xec, 0x02, 0x9d, 0x93, 0x7c,
-	0x8f, 0xb5, 0x4f, 0x45, 0x1a, 0xa7, 0x07, 0x1d, 0x7d, 0x26, 0x53, 0x50, 0x4a, 0x7b, 0xf0, 0x9d,
-	0x56, 0xae, 0xf8, 0x57, 0xa6, 0xd5, 0xb4, 0xbe, 0x66, 0xa3, 0x13, 0x3b, 0xf2, 0x61, 0x0f, 0x7b,
-	0xb8, 0x55, 0xde, 0x0e, 0xe2, 0xef, 0xfc, 0xf2, 0x9e, 0xcc, 0x8e, 0x01, 0x3a, 0x23, 0xa9, 0xc4,
-	0x21, 0x7a, 0x67, 0x62, 0xfb, 0xdc, 0xda, 0x06, 0xe8, 0xbf, 0x30, 0xda, 0xe6, 0x62, 0x17, 0xee,
-	0x26, 0x8b, 0x64, 0xd9, 0xbc, 0x2e, 0xe5, 0xc2, 0xb1, 0x4e, 0x73, 0x30, 0x9d, 0x43, 0x1b, 0xd0,
-	0x72, 0x23, 0x37, 0xdc, 0x79, 0x6d, 0x61, 0x83, 0x3c, 0x92, 0xfc, 0xf7, 0x03, 0x1c, 0x55, 0xc0,
-	0x5e, 0x1b, 0xe4, 0xf2, 0xd3, 0x85, 0x9a, 0x8f, 0xce, 0xab, 0x93, 0x78, 0xd8, 0xdb, 0x9f, 0x00,
-	0x00, 0x00, 0xff, 0xff, 0x37, 0xf9, 0x4d, 0xc2, 0x65, 0x01, 0x00, 0x00,
+	// 244 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x5c, 0x90, 0xb1, 0x4b, 0x03, 0x31,
+	0x14, 0xc6, 0xc9, 0x9d, 0x0a, 0x97, 0x9e, 0x58, 0x82, 0xc3, 0xe1, 0x74, 0x94, 0x0e, 0x37, 0x25,
+	0x10, 0x97, 0x22, 0x52, 0x50, 0x7a, 0x82, 0x38, 0x08, 0x19, 0xdd, 0xd2, 0xfa, 0x28, 0x67, 0x6a,
+	0x12, 0x92, 0x18, 0xc8, 0x9f, 0xee, 0x26, 0x4d, 0x95, 0xda, 0xdb, 0xde, 0xf7, 0xf1, 0xfb, 0xe0,
+	0xc7, 0xc3, 0x95, 0xb4, 0x03, 0xb5, 0xce, 0x04, 0x43, 0x8a, 0xc8, 0x67, 0xdf, 0x08, 0x5f, 0xf5,
+	0x7a, 0xe3, 0x92, 0x0d, 0xf0, 0xfe, 0xba, 0xfe, 0x80, 0x4d, 0x20, 0x73, 0x7c, 0x09, 0x7f, 0xd5,
+	0x4a, 0x06, 0xd9, 0xa0, 0x16, 0x75, 0xb5, 0x38, 0x2d, 0xc9, 0x35, 0x3e, 0x57, 0x90, 0x9e, 0x57,
+	0x4d, 0xd1, 0xa2, 0xae, 0x12, 0x87, 0x40, 0x66, 0xb8, 0x3e, 0x62, 0xfd, 0x4b, 0x53, 0xe6, 0xe9,
+	0x49, 0x47, 0x9e, 0xf0, 0x44, 0x6a, 0x6d, 0x82, 0x0c, 0x83, 0xd1, 0xbe, 0x39, 0x6b, 0xcb, 0x6e,
+	0xc2, 0xe7, 0x34, 0x72, 0x3a, 0x32, 0xa1, 0x0f, 0x47, 0xac, 0xd7, 0xc1, 0x25, 0xf1, 0x7f, 0x78,
+	0xb3, 0xc4, 0xd3, 0x31, 0x40, 0xa6, 0xb8, 0x54, 0x90, 0xb2, 0x71, 0x25, 0xf6, 0xe7, 0xde, 0x33,
+	0xca, 0xdd, 0x17, 0x64, 0xcf, 0x5a, 0x1c, 0xc2, 0x5d, 0xb1, 0x40, 0x8f, 0xcb, 0xb7, 0x7b, 0xb5,
+	0xf0, 0x74, 0x30, 0x4c, 0xda, 0xc1, 0x83, 0x8b, 0xe0, 0x98, 0x55, 0x5b, 0xe6, 0x83, 0x71, 0x72,
+	0x0b, 0x2c, 0x93, 0xec, 0x57, 0x9d, 0x81, 0x8e, 0xb0, 0x33, 0x16, 0x98, 0xfa, 0xf4, 0x91, 0xb3,
+	0xc8, 0xd7, 0x17, 0xf9, 0x8d, 0xb7, 0x3f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x00, 0x80, 0x43, 0x93,
+	0x53, 0x01, 0x00, 0x00,
 }

staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2/api.proto

@@ -17,8 +17,8 @@ limitations under the License.
 // To regenerate api.pb.go run `hack/update-codegen.sh protobindings`
 syntax = "proto3";
 
-package v2alpha1;
-option go_package = "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1";
+package v2;
+option go_package = "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2";
 
 // EncryptedObject is the representation of data stored in etcd after envelope encryption.
 message EncryptedObject {

staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2/v2.go

@@ -14,5 +14,5 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package v2alpha1 contains definition of kms-plugin's gRPC service.
-package v2alpha1
+// Package v2 contains definition of kms-plugin's serialized types.
+package v2

staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2/kms_plugin_mock.go

@@ -17,7 +17,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v2alpha1
+package v2
 
 import (
 	"context"
@@ -36,7 +36,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog/v2"
-	kmsapi "k8s.io/kms/apis/v2alpha1"
+	kmsapi "k8s.io/kms/apis/v2"
 )
 
 const (
@@ -44,7 +44,7 @@ const (
 	unixProtocol = "unix"
 
 	// Current version for the protocol interface definition.
-	kmsapiVersion = "v2alpha1"
+	kmsapiVersion = "v2beta1"
 )
 
 // Base64Plugin gRPC sever for a mock KMS provider.

staging/src/k8s.io/kms/apis/v2/api.pb.go

@@ -17,7 +17,7 @@ limitations under the License.
 // Code generated by protoc-gen-gogo. DO NOT EDIT.
 // source: api.proto
 
-package v2alpha1
+package v2
 
 import (
 	context "context"
@@ -342,46 +342,46 @@ func (m *EncryptResponse) GetAnnotations() map[string][]byte {
 }
 
 func init() {
-	proto.RegisterType((*StatusRequest)(nil), "v2alpha1.StatusRequest")
-	proto.RegisterType((*StatusResponse)(nil), "v2alpha1.StatusResponse")
-	proto.RegisterType((*DecryptRequest)(nil), "v2alpha1.DecryptRequest")
-	proto.RegisterMapType((map[string][]byte)(nil), "v2alpha1.DecryptRequest.AnnotationsEntry")
-	proto.RegisterType((*DecryptResponse)(nil), "v2alpha1.DecryptResponse")
-	proto.RegisterType((*EncryptRequest)(nil), "v2alpha1.EncryptRequest")
-	proto.RegisterType((*EncryptResponse)(nil), "v2alpha1.EncryptResponse")
-	proto.RegisterMapType((map[string][]byte)(nil), "v2alpha1.EncryptResponse.AnnotationsEntry")
+	proto.RegisterType((*StatusRequest)(nil), "v2.StatusRequest")
+	proto.RegisterType((*StatusResponse)(nil), "v2.StatusResponse")
+	proto.RegisterType((*DecryptRequest)(nil), "v2.DecryptRequest")
+	proto.RegisterMapType((map[string][]byte)(nil), "v2.DecryptRequest.AnnotationsEntry")
+	proto.RegisterType((*DecryptResponse)(nil), "v2.DecryptResponse")
+	proto.RegisterType((*EncryptRequest)(nil), "v2.EncryptRequest")
+	proto.RegisterType((*EncryptResponse)(nil), "v2.EncryptResponse")
+	proto.RegisterMapType((map[string][]byte)(nil), "v2.EncryptResponse.AnnotationsEntry")
 }
 
 func init() { proto.RegisterFile("api.proto", fileDescriptor_00212fb1f9d3bf1c) }
 
 var fileDescriptor_00212fb1f9d3bf1c = []byte{
-	// 410 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x93, 0xcf, 0x6f, 0xd3, 0x30,
-	0x14, 0xc7, 0x97, 0x86, 0x75, 0xf4, 0x6d, 0xb4, 0x93, 0x35, 0x84, 0x89, 0x10, 0x9a, 0x7c, 0x1a,
-	0x1c, 0x12, 0x51, 0x2e, 0x13, 0x12, 0x68, 0x20, 0x76, 0x40, 0x83, 0x4b, 0x7a, 0x83, 0x03, 0x32,
-	0xed, 0x13, 0xb1, 0x92, 0x3a, 0x26, 0x76, 0x22, 0xc2, 0x1f, 0x8a, 0xc4, 0x3f, 0xc0, 0xdf, 0x81,
-	0x92, 0x38, 0x4d, 0xd2, 0x52, 0x38, 0xed, 0xe6, 0xf7, 0x23, 0xdf, 0xef, 0xf3, 0xc7, 0x2f, 0x30,
-	0xe1, 0x4a, 0xf8, 0x2a, 0x4b, 0x4d, 0x4a, 0xee, 0x16, 0x73, 0x9e, 0xa8, 0x88, 0x3f, 0x63, 0x33,
-	0xb8, 0xb7, 0x30, 0xdc, 0xe4, 0x3a, 0xc4, 0x6f, 0x39, 0x6a, 0xc3, 0x3e, 0xc1, 0xb4, 0x4d, 0x68,
-	0x95, 0x4a, 0x8d, 0x84, 0xc2, 0x51, 0x81, 0x99, 0x16, 0xa9, 0xa4, 0xce, 0xb9, 0x73, 0x31, 0x09,
-	0xdb, 0xb0, 0xaa, 0x44, 0xc8, 0x13, 0x13, 0xfd, 0xa0, 0xa3, 0xa6, 0x62, 0x43, 0x72, 0x1f, 0xc6,
-	0x31, 0x96, 0x9f, 0xc5, 0x8a, 0xba, 0x75, 0xe1, 0x30, 0xc6, 0xf2, 0xdd, 0x8a, 0xfd, 0x76, 0x60,
-	0xfa, 0x16, 0x97, 0x59, 0xa9, 0x8c, 0xf5, 0x23, 0x8f, 0x01, 0x96, 0x42, 0x45, 0x98, 0x19, 0xfc,
-	0x6e, 0x6a, 0x83, 0x93, 0xb0, 0x97, 0x21, 0xa7, 0xe0, 0xe6, 0x62, 0x65, 0xf5, 0xab, 0xe3, 0x1e,
-	0x6d, 0x72, 0x03, 0xc7, 0x5c, 0xca, 0xd4, 0x70, 0x23, 0x52, 0xa9, 0xe9, 0x9d, 0x73, 0xf7, 0xe2,
-	0x78, 0xfe, 0xc4, 0x6f, 0x6f, 0xea, 0x0f, 0x7d, 0xfd, 0xd7, 0x5d, 0xef, 0xb5, 0x34, 0x59, 0x19,
-	0xf6, 0xbf, 0xf6, 0x5e, 0xc1, 0xe9, 0x76, 0x43, 0x35, 0x49, 0x8c, 0xa5, 0x65, 0x50, 0x1d, 0xc9,
-	0x19, 0x1c, 0x16, 0x3c, 0xc9, 0xb1, 0x9e, 0xee, 0x24, 0x6c, 0x82, 0x17, 0xa3, 0x4b, 0x87, 0x05,
-	0x30, 0xdb, 0xf8, 0x59, 0x8c, 0x8f, 0x60, 0xa2, 0x12, 0x2e, 0x64, 0xef, 0x9e, 0x5d, 0x82, 0x5d,
-	0xc1, 0xf4, 0x5a, 0x0e, 0xc0, 0xfc, 0xb3, 0x7f, 0x17, 0x0b, 0xfb, 0xe9, 0xc0, 0x6c, 0x23, 0x61,
-	0x3d, 0xff, 0x07, 0xb7, 0x43, 0x39, 0xea, 0xa3, 0x7c, 0x3f, 0x44, 0xe9, 0xd6, 0x28, 0x9f, 0x76,
-	0x28, 0xb7, 0x6c, 0x6e, 0x97, 0xe5, 0xfc, 0x97, 0x03, 0x67, 0x37, 0x58, 0x7e, 0xe0, 0x92, 0x7f,
-	0xc5, 0x35, 0x4a, 0xb3, 0xc0, 0xac, 0x10, 0x4b, 0x24, 0x2f, 0x61, 0xdc, 0xac, 0x2a, 0x79, 0xd0,
-	0xcd, 0x36, 0xd8, 0x66, 0x8f, 0xee, 0x16, 0x9a, 0x99, 0xd9, 0x01, 0xb9, 0x82, 0x23, 0xfb, 0x46,
-	0x84, 0xee, 0x5b, 0x13, 0xef, 0xe1, 0x5f, 0x2a, 0x7d, 0x05, 0x8b, 0xa2, 0xaf, 0x30, 0x7c, 0xc7,
-	0xbe, 0xc2, 0x16, 0x37, 0x76, 0xf0, 0xc6, 0xfb, 0x48, 0xe3, 0x4b, 0xed, 0x8b, 0x34, 0x88, 0xd7,
-	0x3a, 0xe0, 0x4a, 0xe8, 0xa0, 0xed, 0xfe, 0x32, 0xae, 0xff, 0xd5, 0xe7, 0x7f, 0x02, 0x00, 0x00,
-	0xff, 0xff, 0x77, 0x22, 0x41, 0x93, 0xb8, 0x03, 0x00, 0x00,
+	// 403 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x93, 0xcd, 0x6e, 0xda, 0x40,
+	0x10, 0xc7, 0xb1, 0x5d, 0x40, 0x0c, 0x14, 0xe8, 0x96, 0x4a, 0x16, 0xaa, 0x2a, 0xb4, 0xed, 0x81,
+	0x93, 0xad, 0xba, 0x3d, 0xa0, 0x1e, 0xaa, 0xb6, 0x2a, 0x95, 0xaa, 0xaa, 0x17, 0x73, 0x6b, 0x0f,
+	0xd1, 0x06, 0x46, 0x61, 0x65, 0x58, 0x3b, 0xde, 0xb5, 0x15, 0xe7, 0xbd, 0xf2, 0x1e, 0x79, 0x84,
+	0x3c, 0x4a, 0x64, 0x7b, 0x01, 0x1b, 0x94, 0xe4, 0x94, 0x9b, 0xe7, 0xf3, 0x3f, 0xf3, 0xdb, 0x31,
+	0x74, 0x58, 0xc4, 0x9d, 0x28, 0x0e, 0x55, 0x48, 0xcc, 0xd4, 0xa3, 0x03, 0x78, 0xb9, 0x50, 0x4c,
+	0x25, 0xd2, 0xc7, 0xcb, 0x04, 0xa5, 0xa2, 0xff, 0xa1, 0xbf, 0x73, 0xc8, 0x28, 0x14, 0x12, 0x89,
+	0x0d, 0xed, 0x14, 0x63, 0xc9, 0x43, 0x61, 0x1b, 0x13, 0x63, 0xda, 0xf1, 0x77, 0x66, 0x1e, 0x59,
+	0x23, 0xdb, 0xa8, 0xf5, 0xb5, 0x6d, 0x96, 0x11, 0x6d, 0x92, 0x37, 0xd0, 0x0a, 0x30, 0x3b, 0xe3,
+	0x2b, 0xdb, 0x2a, 0x02, 0xcd, 0x00, 0xb3, 0xdf, 0x2b, 0x7a, 0x67, 0x40, 0xff, 0x27, 0x2e, 0xe3,
+	0x2c, 0x52, 0x5a, 0x8f, 0xbc, 0x03, 0x58, 0xf2, 0x68, 0x8d, 0xb1, 0xc2, 0x2b, 0x55, 0x08, 0xf4,
+	0xfc, 0x8a, 0x87, 0x0c, 0xc1, 0x4a, 0xf8, 0x4a, 0xf7, 0xcf, 0x3f, 0x1f, 0xe8, 0x4d, 0xe6, 0xd0,
+	0x65, 0x42, 0x84, 0x8a, 0x29, 0x1e, 0x0a, 0x69, 0xbf, 0x98, 0x58, 0xd3, 0xae, 0xf7, 0xde, 0x49,
+	0x3d, 0xa7, 0xae, 0xe8, 0x7c, 0x3f, 0x64, 0xcd, 0x85, 0x8a, 0x33, 0xbf, 0x5a, 0x37, 0xfe, 0x0a,
+	0xc3, 0xe3, 0x84, 0x7c, 0x86, 0x00, 0x33, 0xbd, 0x7d, 0xfe, 0x49, 0x46, 0xd0, 0x4c, 0xd9, 0x26,
+	0xc1, 0x62, 0xae, 0x9e, 0x5f, 0x1a, 0x5f, 0xcc, 0x99, 0x41, 0x5d, 0x18, 0xec, 0xf5, 0x34, 0xc0,
+	0xb7, 0xd0, 0x89, 0x36, 0x8c, 0x8b, 0xca, 0x86, 0x07, 0x07, 0xfd, 0x06, 0xfd, 0xb9, 0xa8, 0x21,
+	0x79, 0x34, 0xff, 0x14, 0x08, 0xbd, 0x35, 0x60, 0xb0, 0x6f, 0xa1, 0x35, 0x9f, 0xc2, 0x7a, 0x80,
+	0x68, 0x56, 0x21, 0xfe, 0xaa, 0x43, 0xb4, 0x0a, 0x88, 0x1f, 0x72, 0x88, 0x47, 0x02, 0xcf, 0x4b,
+	0xd1, 0xbb, 0x31, 0x60, 0xf4, 0x07, 0xb3, 0xbf, 0x4c, 0xb0, 0x0b, 0xdc, 0xa2, 0x50, 0x0b, 0x8c,
+	0x53, 0xbe, 0x44, 0xf2, 0x11, 0x5a, 0xe5, 0x79, 0x92, 0x57, 0xf9, 0x54, 0xb5, 0xdb, 0x1d, 0x93,
+	0xaa, 0xab, 0x9c, 0x93, 0x36, 0xc8, 0x67, 0x68, 0xeb, 0x17, 0x21, 0xe4, 0xf4, 0x1c, 0xc6, 0xaf,
+	0x6b, 0xbe, 0x6a, 0x95, 0x5e, 0xb9, 0xac, 0xaa, 0xbf, 0x51, 0x59, 0x75, 0xc4, 0x84, 0x36, 0x7e,
+	0x8c, 0xfe, 0x91, 0x60, 0x26, 0x1d, 0x1e, 0xba, 0xc1, 0x56, 0xba, 0x2c, 0xe2, 0xd2, 0x4d, 0xbd,
+	0xf3, 0x56, 0xf1, 0xbf, 0x7d, 0xba, 0x0f, 0x00, 0x00, 0xff, 0xff, 0x5f, 0xf8, 0x49, 0x17, 0x7c,
+	0x03, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -414,7 +414,7 @@ func NewKeyManagementServiceClient(cc *grpc.ClientConn) KeyManagementServiceClie
 
 func (c *keyManagementServiceClient) Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error) {
 	out := new(StatusResponse)
-	err := c.cc.Invoke(ctx, "/v2alpha1.KeyManagementService/Status", in, out, opts...)
+	err := c.cc.Invoke(ctx, "/v2.KeyManagementService/Status", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -423,7 +423,7 @@ func (c *keyManagementServiceClient) Status(ctx context.Context, in *StatusReque
 
 func (c *keyManagementServiceClient) Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) {
 	out := new(DecryptResponse)
-	err := c.cc.Invoke(ctx, "/v2alpha1.KeyManagementService/Decrypt", in, out, opts...)
+	err := c.cc.Invoke(ctx, "/v2.KeyManagementService/Decrypt", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -432,7 +432,7 @@ func (c *keyManagementServiceClient) Decrypt(ctx context.Context, in *DecryptReq
 
 func (c *keyManagementServiceClient) Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error) {
 	out := new(EncryptResponse)
-	err := c.cc.Invoke(ctx, "/v2alpha1.KeyManagementService/Encrypt", in, out, opts...)
+	err := c.cc.Invoke(ctx, "/v2.KeyManagementService/Encrypt", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -477,7 +477,7 @@ func _KeyManagementService_Status_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/v2alpha1.KeyManagementService/Status",
+		FullMethod: "/v2.KeyManagementService/Status",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(KeyManagementServiceServer).Status(ctx, req.(*StatusRequest))
@@ -495,7 +495,7 @@ func _KeyManagementService_Decrypt_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/v2alpha1.KeyManagementService/Decrypt",
+		FullMethod: "/v2.KeyManagementService/Decrypt",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(KeyManagementServiceServer).Decrypt(ctx, req.(*DecryptRequest))
@@ -513,7 +513,7 @@ func _KeyManagementService_Encrypt_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/v2alpha1.KeyManagementService/Encrypt",
+		FullMethod: "/v2.KeyManagementService/Encrypt",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(KeyManagementServiceServer).Encrypt(ctx, req.(*EncryptRequest))
@@ -522,7 +522,7 @@ func _KeyManagementService_Encrypt_Handler(srv interface{}, ctx context.Context,
 }
 
 var _KeyManagementService_serviceDesc = grpc.ServiceDesc{
-	ServiceName: "v2alpha1.KeyManagementService",
+	ServiceName: "v2.KeyManagementService",
 	HandlerType: (*KeyManagementServiceServer)(nil),
 	Methods: []grpc.MethodDesc{
 		{

staging/src/k8s.io/kms/apis/v2/api.proto

@@ -17,8 +17,8 @@ limitations under the License.
 // To regenerate api.pb.go run `hack/update-codegen.sh protobindings`
 syntax = "proto3";
 
-package v2alpha1;
-option go_package = "k8s.io/kms/apis/v2alpha1";
+package v2;
+option go_package = "k8s.io/kms/apis/v2";
 
 // This service defines the public APIs for remote KMS provider.
 service KeyManagementService {

staging/src/k8s.io/kms/apis/v2/v2.go

@@ -14,5 +14,5 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package v2alpha1 contains definition of kms-plugin's serialized types.
-package v2alpha1
+// Package v2 contains definition of kms-plugin's gRPC service.
+package v2

staging/src/k8s.io/kms/internal/mock_aes_remote_service.go

@@ -72,7 +72,7 @@ func (s *mockAESRemoteService) Decrypt(ctx context.Context, uid string, req *ser
 
 func (s *mockAESRemoteService) Status(ctx context.Context) (*service.StatusResponse, error) {
 	resp := &service.StatusResponse{
-		Version: "v2alpha1",
+		Version: "v2beta1",
 		Healthz: "ok",
 		KeyID:   s.keyID,
 	}

staging/src/k8s.io/kms/internal/mock_aes_remote_service_test.go

@@ -25,7 +25,7 @@ import (
 )
 
 const (
-	version       = "v2alpha1"
+	version       = "v2beta1"
 	testAESKey    = "abcdefghijklmnop"
 	testKeyID     = "test-key-id"
 	testPlaintext = "lorem ipsum dolor sit amet"

staging/src/k8s.io/kms/pkg/service/grpc_service.go

@@ -24,7 +24,7 @@ import (
 	"google.golang.org/grpc"
 
 	"k8s.io/klog/v2"
-	kmsapi "k8s.io/kms/apis/v2alpha1"
+	kmsapi "k8s.io/kms/apis/v2"
 )
 
 // GRPCService is a grpc server that runs the kms v2 alpha1 API.

staging/src/k8s.io/kms/pkg/service/grpc_service_test.go

@@ -32,7 +32,7 @@ import (
 	"google.golang.org/grpc/credentials/insecure"
 
 	"k8s.io/apimachinery/pkg/util/wait"
-	kmsapi "k8s.io/kms/apis/v2alpha1"
+	kmsapi "k8s.io/kms/apis/v2"
 )
 
 const version = "v2alpha1"

test/integration/controlplane/transformation/kmsv2_transformation_test.go

@@ -46,13 +46,13 @@ import (
 	"k8s.io/apiserver/pkg/storage/value"
 	aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
 	"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2"
-	kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1"
-	kmsv2mock "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2alpha1"
+	kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2"
+	kmsv2mock "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
-	kmsv2api "k8s.io/kms/apis/v2alpha1"
+	kmsv2api "k8s.io/kms/apis/v2"
 	kmsv2svc "k8s.io/kms/pkg/service"
 	"k8s.io/kubernetes/test/integration"
 	"k8s.io/kubernetes/test/integration/etcd"

vendor/modules.txt

@@ -1517,10 +1517,10 @@ k8s.io/apiserver/pkg/storage/value
 k8s.io/apiserver/pkg/storage/value/encrypt/aes
 k8s.io/apiserver/pkg/storage/value/encrypt/envelope
 k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2
-k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1
+k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2
 k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics
 k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v1beta1
-k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2alpha1
+k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testing/v2
 k8s.io/apiserver/pkg/storage/value/encrypt/identity
 k8s.io/apiserver/pkg/storage/value/encrypt/secretbox
 k8s.io/apiserver/pkg/storageversion
@@ -2052,7 +2052,7 @@ k8s.io/klog/v2/textlogger
 # k8s.io/kms v0.0.0 => ./staging/src/k8s.io/kms
 ## explicit; go 1.20
 k8s.io/kms/apis/v1beta1
-k8s.io/kms/apis/v2alpha1
+k8s.io/kms/apis/v2
 k8s.io/kms/pkg/service
 k8s.io/kms/pkg/util
 # k8s.io/kube-aggregator v0.0.0 => ./staging/src/k8s.io/kube-aggregator