diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 7a2298c7cb7..4fd5fec4412 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -219,8 +219,8 @@ fi
 ENCRYPTION_PROVIDER_CONFIG="${ENCRYPTION_PROVIDER_CONFIG:-}"
 if [[ -z "${ENCRYPTION_PROVIDER_CONFIG}" ]]; then
 ENCRYPTION_PROVIDER_CONFIG=$(cat << EOM | base64 | tr -d '\r\n'
-kind: EncryptionConfig
-apiVersion: v1
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
 resources:
 - resources:
 - secrets
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/BUILD b/staging/src/k8s.io/apiserver/pkg/apis/config/BUILD
index eadb944d515..feaa8a3c370 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/config/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/BUILD
@@ -4,13 +4,18 @@ go_library(
 name = "go_default_library",
 srcs = [
 "doc.go",
+ "register.go",
 "types.go",
 "zz_generated.deepcopy.go",
 ],
 importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/apis/config",
 importpath = "k8s.io/apiserver/pkg/apis/config",
 visibility = ["//visibility:public"],
- deps = ["//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library"],
+ deps = [
+ "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+ ],
 )
 
 filegroup(
@@ -24,6 +29,7 @@ filegroup(
 name = "all-srcs",
 srcs = [
 ":package-srcs",
+ "//staging/src/k8s.io/apiserver/pkg/apis/config/v1:all-srcs",
 "//staging/src/k8s.io/apiserver/pkg/apis/config/v1alpha1:all-srcs",
 "//staging/src/k8s.io/apiserver/pkg/apis/config/validation:all-srcs",
 ],
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/register.go b/staging/src/k8s.io/apiserver/pkg/apis/config/register.go
new file mode 100644
index 00000000000..6a0aae8e560
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/register.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var (
+ // SchemeBuilder points to a list of functions added to Scheme.
+ SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+ // AddToScheme adds this group to a scheme.
+ AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// GroupName is the group name use in this package.
+const GroupName = "apiserver.config.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// Kind takes an unqualified kind and returns a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+ return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+ // TODO this will get cleaned up with the scheme types are fixed
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &EncryptionConfiguration{},
+ )
+ return nil
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/types.go b/staging/src/k8s.io/apiserver/pkg/apis/config/types.go
index f6424ec4e8d..822806d7e5d 100644
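Review bot: `addKnownTypes` is the only unexported function in the new register.go without a doc comment, and the TODO inside it ("this will get cleaned up with the scheme types are fixed") does not say what is pending or what it waits on, so a later reader cannot tell whether the registration is final or a stopgap. Suggest replacing the TODO with a comment that states the contract and names the pending work, e.g. `// addKnownTypes registers the internal EncryptionConfiguration under SchemeGroupVersion (runtime.APIVersionInternal). TODO(<owner placeholder>): <describe the scheme-type fix this depends on>.` The `GroupName` comment also reads "group name use in this package"; `used in this package` is the intended wording (the same text recurs in the v1 register.go hunk).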
--- a/staging/src/k8s.io/apiserver/pkg/apis/config/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/types.go
@@ -56,3 +56,71 @@ type DebuggingConfiguration struct {
 // enableProfiling is true.
 EnableContentionProfiling bool
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// EncryptionConfiguration stores the complete configuration for encryption providers.
+type EncryptionConfiguration struct {
+ metav1.TypeMeta
+ // resources is a list containing resources, and their corresponding encryption providers.
+ Resources []ResourceConfiguration
+}
+
+// ResourceConfiguration stores per resource configuration.
+type ResourceConfiguration struct {
+ // resources is a list of kubernetes resources which have to be encrypted.
+ Resources []string
+ // providers is a list of transformers to be used for reading and writing the resources to disk.
+ // eg: aesgcm, aescbc, secretbox, identity.
+ Providers []ProviderConfiguration
+}
+
+// ProviderConfiguration stores the provided configuration for an encryption provider.
+type ProviderConfiguration struct {
+ // aesgcm is the configuration for the AES-GCM transformer.
+ AESGCM *AESConfiguration
+ // aescbc is the configuration for the AES-CBC transformer.
+ AESCBC *AESConfiguration
+ // secretbox is the configuration for the Secretbox based transformer.
+ Secretbox *SecretboxConfiguration
+ // identity is the (empty) configuration for the identity transformer.
+ Identity *IdentityConfiguration
+ // kms contains the name, cache size and path to configuration file for a KMS based envelope transformer.
+ KMS *KMSConfiguration
+}
+
+// AESConfiguration contains the API configuration for an AES transformer.
+type AESConfiguration struct {
+ // keys is a list of keys to be used for creating the AES transformer.
+ // Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM.
+ Keys []Key
+}
+
+// SecretboxConfiguration contains the API configuration for an Secretbox transformer.
+type SecretboxConfiguration struct {
+ // keys is a list of keys to be used for creating the Secretbox transformer.
+ // Each key has to be 32 bytes long.
+ Keys []Key
+}
+
+// Key contains name and secret of the provided key for a transformer.
+type Key struct {
+ // name is the name of the key to be used while storing data to disk.
+ Name string
+ // secret is the actual key, encoded in base64.
+ Secret string
+}
+
+// IdentityConfiguration is an empty struct to allow identity transformer in provider configuration.
+type IdentityConfiguration struct{}
+
+// KMSConfiguration contains the name, cache size and path to configuration file for a KMS based envelope transformer.
+type KMSConfiguration struct {
+ // name is the name of the KMS plugin to be used.
+ Name string
+ // cacheSize is the maximum number of secrets which are cached in memory. The default value is 1000.
+ // +optional
+ CacheSize int32
+ // endpoint is the gRPC server listening address, for example "unix:///var/run/kms-provider.sock".
+ Endpoint string
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/v1/BUILD b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/BUILD
new file mode 100644
index 00000000000..ca9eea027c4
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/BUILD
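Review bot: The new internal `Key.Secret` field holds the base64-encoded AES/Secretbox key itself, but nothing on the type marks it as sensitive, so any `%v`/`%+v` of an `EncryptionConfiguration` (a debug log line, an error that echoes the parsed config, a test failure dump) prints the key material; the generated deepcopy and conversion functions in this commit copy the value verbatim into the v1 type, so the same applies there. Suggest stating the handling constraint on the field so it is visible at every use site: `// secret is the actual key, encoded in base64. This is key material: it must not be logged, printed, or included in error messages.` Separately, the `providers` comment on `ResourceConfiguration` lists `aesgcm, aescbc, secretbox, identity` but omits `kms`, which is a field of `ProviderConfiguration` directly below; `// eg: aesgcm, aescbc, secretbox, identity, kms.` would match the struct. The same comment recurs unchanged in the v1 types.go hunk.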
@@ -0,0 +1,37 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+ name = "go_default_library",
+ srcs = [
+ "doc.go",
+ "register.go",
+ "types.go",
+ "zz_generated.conversion.go",
+ "zz_generated.deepcopy.go",
+ "zz_generated.defaults.go",
+ ],
+ importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/apis/config/v1",
+ importpath = "k8s.io/apiserver/pkg/apis/config/v1",
+ visibility = ["//visibility:public"],
+ deps = [
+ "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/conversion:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/apis/config:go_default_library",
+ ],
+)
+
+filegroup(
+ name = "package-srcs",
+ srcs = glob(["**"]),
+ tags = ["automanaged"],
+ visibility = ["//visibility:private"],
+)
+
+filegroup(
+ name = "all-srcs",
+ srcs = [":package-srcs"],
+ tags = ["automanaged"],
+ visibility = ["//visibility:public"],
+)
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/v1/doc.go b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/doc.go
new file mode 100644
index 00000000000..b1a18ccab57
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/doc.go
@@ -0,0 +1,23 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:conversion-gen=k8s.io/apiserver/pkg/apis/config
+// +k8s:deepcopy-gen=package
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=apiserver.config.k8s.io
+
+// Package v1 is the v1 version of the API.
+package v1
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/v1/register.go b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/register.go
new file mode 100644
index 00000000000..2e3ecfff2ea
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/register.go
@@ -0,0 +1,52 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package.
+const GroupName = "apiserver.config.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+var (
+ // SchemeBuilder points to a list of functions added to Scheme.
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ // AddToScheme adds this group to a scheme.
+ AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes)
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &EncryptionConfiguration{},
+ )
+ // also register into the v1 group as EncryptionConfig (due to a docs bug)
+ scheme.AddKnownTypeWithName(schema.GroupVersionKind{Group: "", Version: "v1", Kind: "EncryptionConfig"}, &EncryptionConfiguration{})
+ return nil
+}
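Review bot: The last statement of `addKnownTypes` registers `EncryptionConfiguration` a second time under `{Group: "", Version: "v1", Kind: "EncryptionConfig"}`, i.e. in the core (empty) API group, and the only explanation is the inline "due to a docs bug" comment. That alias is a backward-compatibility shim: it keeps accepting config files written as `kind: EncryptionConfig` / `apiVersion: v1` (the exact form the config-default.sh hunk in this commit moves away from), and if `AddToScheme` is ever applied to a scheme that also carries the real core v1 group it would add a foreign kind there; the comment says neither of these things nor when the alias can go. Suggest a comment that makes the intent and lifetime explicit, e.g. `// Backward compatibility: older documentation described this file as kind EncryptionConfig in apiVersion v1, so that GVK is accepted as an alias of EncryptionConfiguration. Intended for the dedicated encryption-config scheme only; remove once <release placeholder> no longer has to read such files.` `addKnownTypes` itself also lacks a doc comment, unlike `Kind`/`Resource` in the sibling internal register.go hunk.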
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/types.go
similarity index 58%
rename from staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go
rename to staging/src/k8s.io/apiserver/pkg/apis/config/v1/types.go
index 67dfa6c9fce..e2c123d1dc2 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/types.go
@@ -14,50 +14,51 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package encryptionconfig
+package v1
 
-// EncryptionConfig stores the complete configuration for encryption providers.
-type EncryptionConfig struct {
- // kind is the type of configuration file.
- Kind string `json:"kind"`
- // apiVersion is the API version this file has to be parsed as.
- APIVersion string `json:"apiVersion"`
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// EncryptionConfiguration stores the complete configuration for encryption providers.
+type EncryptionConfiguration struct {
+ metav1.TypeMeta
 // resources is a list containing resources, and their corresponding encryption providers.
- Resources []ResourceConfig `json:"resources"`
+ Resources []ResourceConfiguration `json:"resources"`
 }
 
-// ResourceConfig stores per resource configuration.
-type ResourceConfig struct {
+// ResourceConfiguration stores per resource configuration.
+type ResourceConfiguration struct {
 // resources is a list of kubernetes resources which have to be encrypted.
 Resources []string `json:"resources"`
 // providers is a list of transformers to be used for reading and writing the resources to disk.
 // eg: aesgcm, aescbc, secretbox, identity.
- Providers []ProviderConfig `json:"providers"`
+ Providers []ProviderConfiguration `json:"providers"`
 }
 
-// ProviderConfig stores the provided configuration for an encryption provider.
-type ProviderConfig struct {
+// ProviderConfiguration stores the provided configuration for an encryption provider.
+type ProviderConfiguration struct {
 // aesgcm is the configuration for the AES-GCM transformer.
- AESGCM *AESConfig `json:"aesgcm,omitempty"`
+ AESGCM *AESConfiguration `json:"aesgcm,omitempty"`
 // aescbc is the configuration for the AES-CBC transformer.
- AESCBC *AESConfig `json:"aescbc,omitempty"`
+ AESCBC *AESConfiguration `json:"aescbc,omitempty"`
 // secretbox is the configuration for the Secretbox based transformer.
- Secretbox *SecretboxConfig `json:"secretbox,omitempty"`
+ Secretbox *SecretboxConfiguration `json:"secretbox,omitempty"`
 // identity is the (empty) configuration for the identity transformer.
- Identity *IdentityConfig `json:"identity,omitempty"`
+ Identity *IdentityConfiguration `json:"identity,omitempty"`
 // kms contains the name, cache size and path to configuration file for a KMS based envelope transformer.
- KMS *KMSConfig `json:"kms,omitempty"`
+ KMS *KMSConfiguration `json:"kms,omitempty"`
 }
 
-// AESConfig contains the API configuration for an AES transformer.
-type AESConfig struct {
+// AESConfiguration contains the API configuration for an AES transformer.
+type AESConfiguration struct {
 // keys is a list of keys to be used for creating the AES transformer.
 // Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM.
 Keys []Key `json:"keys"`
 }
 
-// SecretboxConfig contains the API configuration for an Secretbox transformer.
-type SecretboxConfig struct {
+// SecretboxConfiguration contains the API configuration for an Secretbox transformer.
+type SecretboxConfiguration struct {
 // keys is a list of keys to be used for creating the Secretbox transformer.
 // Each key has to be 32 bytes long.
 Keys []Key `json:"keys"`
@@ -71,16 +72,16 @@ type Key struct {
 Secret string `json:"secret"`
 }
 
-// IdentityConfig is an empty struct to allow identity transformer in provider configuration.
-type IdentityConfig struct{}
+// IdentityConfiguration is an empty struct to allow identity transformer in provider configuration.
+type IdentityConfiguration struct{}
 
-// KMSConfig contains the name, cache size and path to configuration file for a KMS based envelope transformer.
-type KMSConfig struct {
+// KMSConfiguration contains the name, cache size and path to configuration file for a KMS based envelope transformer.
+type KMSConfiguration struct {
 // name is the name of the KMS plugin to be used.
 Name string `json:"name"`
 // cacheSize is the maximum number of secrets which are cached in memory. The default value is 1000.
 // +optional
- CacheSize int `json:"cachesize,omitempty"`
- // the gRPC server listening address, for example "unix:///var/run/kms-provider.sock".
+ CacheSize int32 `json:"cachesize,omitempty"`
+ // endpoint is the gRPC server listening address, for example "unix:///var/run/kms-provider.sock".
 Endpoint string `json:"endpoint"`
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.conversion.go b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.conversion.go
new file mode 100644
index 00000000000..27fb16d3183
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.conversion.go
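Review bot: The `CacheSize` comment on the new `KMSConfiguration` promises "The default value is 1000" for an `+optional` field, yet nothing visible in this commit applies that default: doc.go enables `+k8s:defaulter-gen=TypeMeta` and the v1 BUILD lists `zz_generated.defaults.go`, but no `SetDefaults_KMSConfiguration` (or equivalent) appears in the diff, and the `int`→`int32` change and the conversion functions pass the value through as-is, so an omitted `cachesize` reaches the consumer as 0. If the default lives in the encryption-config loader outside this diff, the comment should say where; otherwise a defaulting function in this package is the place for it. The comment also names the field `cacheSize` while the JSON tag is `cachesize`; since renaming the tag would break existing files, align the comment with the tag: `// cachesize is the maximum number of secrets which are cached in memory. An omitted or zero value is defaulted to 1000 by <defaulting location placeholder>.`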
@@ -0,0 +1,293 @@ +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1 + +import ( + unsafe "unsafe" + + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" + config "k8s.io/apiserver/pkg/apis/config" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. 
+func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*AESConfiguration)(nil), (*config.AESConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_AESConfiguration_To_config_AESConfiguration(a.(*AESConfiguration), b.(*config.AESConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.AESConfiguration)(nil), (*AESConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_config_AESConfiguration_To_v1_AESConfiguration(a.(*config.AESConfiguration), b.(*AESConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*EncryptionConfiguration)(nil), (*config.EncryptionConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_EncryptionConfiguration_To_config_EncryptionConfiguration(a.(*EncryptionConfiguration), b.(*config.EncryptionConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.EncryptionConfiguration)(nil), (*EncryptionConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_config_EncryptionConfiguration_To_v1_EncryptionConfiguration(a.(*config.EncryptionConfiguration), b.(*EncryptionConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*IdentityConfiguration)(nil), (*config.IdentityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_IdentityConfiguration_To_config_IdentityConfiguration(a.(*IdentityConfiguration), b.(*config.IdentityConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.IdentityConfiguration)(nil), (*IdentityConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return 
Convert_config_IdentityConfiguration_To_v1_IdentityConfiguration(a.(*config.IdentityConfiguration), b.(*IdentityConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*KMSConfiguration)(nil), (*config.KMSConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_KMSConfiguration_To_config_KMSConfiguration(a.(*KMSConfiguration), b.(*config.KMSConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.KMSConfiguration)(nil), (*KMSConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_config_KMSConfiguration_To_v1_KMSConfiguration(a.(*config.KMSConfiguration), b.(*KMSConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*Key)(nil), (*config.Key)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_Key_To_config_Key(a.(*Key), b.(*config.Key), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.Key)(nil), (*Key)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_config_Key_To_v1_Key(a.(*config.Key), b.(*Key), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*ProviderConfiguration)(nil), (*config.ProviderConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_ProviderConfiguration_To_config_ProviderConfiguration(a.(*ProviderConfiguration), b.(*config.ProviderConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.ProviderConfiguration)(nil), (*ProviderConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_config_ProviderConfiguration_To_v1_ProviderConfiguration(a.(*config.ProviderConfiguration), b.(*ProviderConfiguration), scope) + }); err != nil { + return err + } + if err := 
s.AddGeneratedConversionFunc((*ResourceConfiguration)(nil), (*config.ResourceConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_ResourceConfiguration_To_config_ResourceConfiguration(a.(*ResourceConfiguration), b.(*config.ResourceConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.ResourceConfiguration)(nil), (*ResourceConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_config_ResourceConfiguration_To_v1_ResourceConfiguration(a.(*config.ResourceConfiguration), b.(*ResourceConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*SecretboxConfiguration)(nil), (*config.SecretboxConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_SecretboxConfiguration_To_config_SecretboxConfiguration(a.(*SecretboxConfiguration), b.(*config.SecretboxConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*config.SecretboxConfiguration)(nil), (*SecretboxConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_config_SecretboxConfiguration_To_v1_SecretboxConfiguration(a.(*config.SecretboxConfiguration), b.(*SecretboxConfiguration), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1_AESConfiguration_To_config_AESConfiguration(in *AESConfiguration, out *config.AESConfiguration, s conversion.Scope) error { + out.Keys = *(*[]config.Key)(unsafe.Pointer(&in.Keys)) + return nil +} + +// Convert_v1_AESConfiguration_To_config_AESConfiguration is an autogenerated conversion function. 
+func Convert_v1_AESConfiguration_To_config_AESConfiguration(in *AESConfiguration, out *config.AESConfiguration, s conversion.Scope) error { + return autoConvert_v1_AESConfiguration_To_config_AESConfiguration(in, out, s) +} + +func autoConvert_config_AESConfiguration_To_v1_AESConfiguration(in *config.AESConfiguration, out *AESConfiguration, s conversion.Scope) error { + out.Keys = *(*[]Key)(unsafe.Pointer(&in.Keys)) + return nil +} + +// Convert_config_AESConfiguration_To_v1_AESConfiguration is an autogenerated conversion function. +func Convert_config_AESConfiguration_To_v1_AESConfiguration(in *config.AESConfiguration, out *AESConfiguration, s conversion.Scope) error { + return autoConvert_config_AESConfiguration_To_v1_AESConfiguration(in, out, s) +} + +func autoConvert_v1_EncryptionConfiguration_To_config_EncryptionConfiguration(in *EncryptionConfiguration, out *config.EncryptionConfiguration, s conversion.Scope) error { + out.Resources = *(*[]config.ResourceConfiguration)(unsafe.Pointer(&in.Resources)) + return nil +} + +// Convert_v1_EncryptionConfiguration_To_config_EncryptionConfiguration is an autogenerated conversion function. +func Convert_v1_EncryptionConfiguration_To_config_EncryptionConfiguration(in *EncryptionConfiguration, out *config.EncryptionConfiguration, s conversion.Scope) error { + return autoConvert_v1_EncryptionConfiguration_To_config_EncryptionConfiguration(in, out, s) +} + +func autoConvert_config_EncryptionConfiguration_To_v1_EncryptionConfiguration(in *config.EncryptionConfiguration, out *EncryptionConfiguration, s conversion.Scope) error { + out.Resources = *(*[]ResourceConfiguration)(unsafe.Pointer(&in.Resources)) + return nil +} + +// Convert_config_EncryptionConfiguration_To_v1_EncryptionConfiguration is an autogenerated conversion function. 
+func Convert_config_EncryptionConfiguration_To_v1_EncryptionConfiguration(in *config.EncryptionConfiguration, out *EncryptionConfiguration, s conversion.Scope) error { + return autoConvert_config_EncryptionConfiguration_To_v1_EncryptionConfiguration(in, out, s) +} + +func autoConvert_v1_IdentityConfiguration_To_config_IdentityConfiguration(in *IdentityConfiguration, out *config.IdentityConfiguration, s conversion.Scope) error { + return nil +} + +// Convert_v1_IdentityConfiguration_To_config_IdentityConfiguration is an autogenerated conversion function. +func Convert_v1_IdentityConfiguration_To_config_IdentityConfiguration(in *IdentityConfiguration, out *config.IdentityConfiguration, s conversion.Scope) error { + return autoConvert_v1_IdentityConfiguration_To_config_IdentityConfiguration(in, out, s) +} + +func autoConvert_config_IdentityConfiguration_To_v1_IdentityConfiguration(in *config.IdentityConfiguration, out *IdentityConfiguration, s conversion.Scope) error { + return nil +} + +// Convert_config_IdentityConfiguration_To_v1_IdentityConfiguration is an autogenerated conversion function. +func Convert_config_IdentityConfiguration_To_v1_IdentityConfiguration(in *config.IdentityConfiguration, out *IdentityConfiguration, s conversion.Scope) error { + return autoConvert_config_IdentityConfiguration_To_v1_IdentityConfiguration(in, out, s) +} + +func autoConvert_v1_KMSConfiguration_To_config_KMSConfiguration(in *KMSConfiguration, out *config.KMSConfiguration, s conversion.Scope) error { + out.Name = in.Name + out.CacheSize = in.CacheSize + out.Endpoint = in.Endpoint + return nil +} + +// Convert_v1_KMSConfiguration_To_config_KMSConfiguration is an autogenerated conversion function. 
+func Convert_v1_KMSConfiguration_To_config_KMSConfiguration(in *KMSConfiguration, out *config.KMSConfiguration, s conversion.Scope) error { + return autoConvert_v1_KMSConfiguration_To_config_KMSConfiguration(in, out, s) +} + +func autoConvert_config_KMSConfiguration_To_v1_KMSConfiguration(in *config.KMSConfiguration, out *KMSConfiguration, s conversion.Scope) error { + out.Name = in.Name + out.CacheSize = in.CacheSize + out.Endpoint = in.Endpoint + return nil +} + +// Convert_config_KMSConfiguration_To_v1_KMSConfiguration is an autogenerated conversion function. +func Convert_config_KMSConfiguration_To_v1_KMSConfiguration(in *config.KMSConfiguration, out *KMSConfiguration, s conversion.Scope) error { + return autoConvert_config_KMSConfiguration_To_v1_KMSConfiguration(in, out, s) +} + +func autoConvert_v1_Key_To_config_Key(in *Key, out *config.Key, s conversion.Scope) error { + out.Name = in.Name + out.Secret = in.Secret + return nil +} + +// Convert_v1_Key_To_config_Key is an autogenerated conversion function. +func Convert_v1_Key_To_config_Key(in *Key, out *config.Key, s conversion.Scope) error { + return autoConvert_v1_Key_To_config_Key(in, out, s) +} + +func autoConvert_config_Key_To_v1_Key(in *config.Key, out *Key, s conversion.Scope) error { + out.Name = in.Name + out.Secret = in.Secret + return nil +} + +// Convert_config_Key_To_v1_Key is an autogenerated conversion function. 
+func Convert_config_Key_To_v1_Key(in *config.Key, out *Key, s conversion.Scope) error { + return autoConvert_config_Key_To_v1_Key(in, out, s) +} + +func autoConvert_v1_ProviderConfiguration_To_config_ProviderConfiguration(in *ProviderConfiguration, out *config.ProviderConfiguration, s conversion.Scope) error { + out.AESGCM = (*config.AESConfiguration)(unsafe.Pointer(in.AESGCM)) + out.AESCBC = (*config.AESConfiguration)(unsafe.Pointer(in.AESCBC)) + out.Secretbox = (*config.SecretboxConfiguration)(unsafe.Pointer(in.Secretbox)) + out.Identity = (*config.IdentityConfiguration)(unsafe.Pointer(in.Identity)) + out.KMS = (*config.KMSConfiguration)(unsafe.Pointer(in.KMS)) + return nil +} + +// Convert_v1_ProviderConfiguration_To_config_ProviderConfiguration is an autogenerated conversion function. +func Convert_v1_ProviderConfiguration_To_config_ProviderConfiguration(in *ProviderConfiguration, out *config.ProviderConfiguration, s conversion.Scope) error { + return autoConvert_v1_ProviderConfiguration_To_config_ProviderConfiguration(in, out, s) +} + +func autoConvert_config_ProviderConfiguration_To_v1_ProviderConfiguration(in *config.ProviderConfiguration, out *ProviderConfiguration, s conversion.Scope) error { + out.AESGCM = (*AESConfiguration)(unsafe.Pointer(in.AESGCM)) + out.AESCBC = (*AESConfiguration)(unsafe.Pointer(in.AESCBC)) + out.Secretbox = (*SecretboxConfiguration)(unsafe.Pointer(in.Secretbox)) + out.Identity = (*IdentityConfiguration)(unsafe.Pointer(in.Identity)) + out.KMS = (*KMSConfiguration)(unsafe.Pointer(in.KMS)) + return nil +} + +// Convert_config_ProviderConfiguration_To_v1_ProviderConfiguration is an autogenerated conversion function. 
+func Convert_config_ProviderConfiguration_To_v1_ProviderConfiguration(in *config.ProviderConfiguration, out *ProviderConfiguration, s conversion.Scope) error { + return autoConvert_config_ProviderConfiguration_To_v1_ProviderConfiguration(in, out, s) +} + +func autoConvert_v1_ResourceConfiguration_To_config_ResourceConfiguration(in *ResourceConfiguration, out *config.ResourceConfiguration, s conversion.Scope) error { + out.Resources = *(*[]string)(unsafe.Pointer(&in.Resources)) + out.Providers = *(*[]config.ProviderConfiguration)(unsafe.Pointer(&in.Providers)) + return nil +} + +// Convert_v1_ResourceConfiguration_To_config_ResourceConfiguration is an autogenerated conversion function. +func Convert_v1_ResourceConfiguration_To_config_ResourceConfiguration(in *ResourceConfiguration, out *config.ResourceConfiguration, s conversion.Scope) error { + return autoConvert_v1_ResourceConfiguration_To_config_ResourceConfiguration(in, out, s) +} + +func autoConvert_config_ResourceConfiguration_To_v1_ResourceConfiguration(in *config.ResourceConfiguration, out *ResourceConfiguration, s conversion.Scope) error { + out.Resources = *(*[]string)(unsafe.Pointer(&in.Resources)) + out.Providers = *(*[]ProviderConfiguration)(unsafe.Pointer(&in.Providers)) + return nil +} + +// Convert_config_ResourceConfiguration_To_v1_ResourceConfiguration is an autogenerated conversion function. +func Convert_config_ResourceConfiguration_To_v1_ResourceConfiguration(in *config.ResourceConfiguration, out *ResourceConfiguration, s conversion.Scope) error { + return autoConvert_config_ResourceConfiguration_To_v1_ResourceConfiguration(in, out, s) +} + +func autoConvert_v1_SecretboxConfiguration_To_config_SecretboxConfiguration(in *SecretboxConfiguration, out *config.SecretboxConfiguration, s conversion.Scope) error { + out.Keys = *(*[]config.Key)(unsafe.Pointer(&in.Keys)) + return nil +} + +// Convert_v1_SecretboxConfiguration_To_config_SecretboxConfiguration is an autogenerated conversion function. 
+func Convert_v1_SecretboxConfiguration_To_config_SecretboxConfiguration(in *SecretboxConfiguration, out *config.SecretboxConfiguration, s conversion.Scope) error { + return autoConvert_v1_SecretboxConfiguration_To_config_SecretboxConfiguration(in, out, s) +} + +func autoConvert_config_SecretboxConfiguration_To_v1_SecretboxConfiguration(in *config.SecretboxConfiguration, out *SecretboxConfiguration, s conversion.Scope) error { + out.Keys = *(*[]Key)(unsafe.Pointer(&in.Keys)) + return nil +} + +// Convert_config_SecretboxConfiguration_To_v1_SecretboxConfiguration is an autogenerated conversion function. +func Convert_config_SecretboxConfiguration_To_v1_SecretboxConfiguration(in *config.SecretboxConfiguration, out *SecretboxConfiguration, s conversion.Scope) error { + return autoConvert_config_SecretboxConfiguration_To_v1_SecretboxConfiguration(in, out, s) +} diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.deepcopy.go new file mode 100644 index 00000000000..e5f28d46a3d --- /dev/null +++ b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.deepcopy.go 
@@ -0,0 +1,216 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by deepcopy-gen. DO NOT EDIT.
+
+package v1
+
+import (
+ runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AESConfiguration) DeepCopyInto(out *AESConfiguration) {
+ *out = *in
+ if in.Keys != nil {
+ in, out := &in.Keys, &out.Keys
+ *out = make([]Key, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AESConfiguration.
+func (in *AESConfiguration) DeepCopy() *AESConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(AESConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EncryptionConfiguration) DeepCopyInto(out *EncryptionConfiguration) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ if in.Resources != nil {
+ in, out := &in.Resources, &out.Resources
+ *out = make([]ResourceConfiguration, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionConfiguration.
+func (in *EncryptionConfiguration) DeepCopy() *EncryptionConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(EncryptionConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *EncryptionConfiguration) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IdentityConfiguration) DeepCopyInto(out *IdentityConfiguration) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityConfiguration.
+func (in *IdentityConfiguration) DeepCopy() *IdentityConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(IdentityConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KMSConfiguration) DeepCopyInto(out *KMSConfiguration) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSConfiguration.
+func (in *KMSConfiguration) DeepCopy() *KMSConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(KMSConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Key) DeepCopyInto(out *Key) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Key.
+func (in *Key) DeepCopy() *Key {
+ if in == nil {
+ return nil
+ }
+ out := new(Key)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProviderConfiguration) DeepCopyInto(out *ProviderConfiguration) {
+ *out = *in
+ if in.AESGCM != nil {
+ in, out := &in.AESGCM, &out.AESGCM
+ *out = new(AESConfiguration)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.AESCBC != nil {
+ in, out := &in.AESCBC, &out.AESCBC
+ *out = new(AESConfiguration)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.Secretbox != nil {
+ in, out := &in.Secretbox, &out.Secretbox
+ *out = new(SecretboxConfiguration)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.Identity != nil {
+ in, out := &in.Identity, &out.Identity
+ *out = new(IdentityConfiguration)
+ **out = **in
+ }
+ if in.KMS != nil {
+ in, out := &in.KMS, &out.KMS
+ *out = new(KMSConfiguration)
+ **out = **in
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderConfiguration.
+func (in *ProviderConfiguration) DeepCopy() *ProviderConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(ProviderConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceConfiguration) DeepCopyInto(out *ResourceConfiguration) {
+ *out = *in
+ if in.Resources != nil {
+ in, out := &in.Resources, &out.Resources
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.Providers != nil {
+ in, out := &in.Providers, &out.Providers
+ *out = make([]ProviderConfiguration, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceConfiguration.
+func (in *ResourceConfiguration) DeepCopy() *ResourceConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(ResourceConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretboxConfiguration) DeepCopyInto(out *SecretboxConfiguration) {
+ *out = *in
+ if in.Keys != nil {
+ in, out := &in.Keys, &out.Keys
+ *out = make([]Key, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretboxConfiguration.
+func (in *SecretboxConfiguration) DeepCopy() *SecretboxConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(SecretboxConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.defaults.go b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.defaults.go
new file mode 100644
index 00000000000..cce2e603a69
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/zz_generated.defaults.go
@@ -0,0 +1,32 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1
+
+import (
+ runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+ return nil
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/zz_generated.deepcopy.go b/staging/src/k8s.io/apiserver/pkg/apis/config/zz_generated.deepcopy.go
index 0b81eb6919e..438dff997d5 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/config/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/zz_generated.deepcopy.go
@@ -20,6 +20,31 @@ limitations under the License.
 package config
+import (
+ runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AESConfiguration) DeepCopyInto(out *AESConfiguration) {
+ *out = *in
+ if in.Keys != nil {
+ in, out := &in.Keys, &out.Keys
+ *out = make([]Key, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AESConfiguration.
+func (in *AESConfiguration) DeepCopy() *AESConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(AESConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DebuggingConfiguration) DeepCopyInto(out *DebuggingConfiguration) {
 *out = *in
@@ -36,6 +61,86 @@ func (in *DebuggingConfiguration) DeepCopy() *DebuggingConfiguration {
 return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EncryptionConfiguration) DeepCopyInto(out *EncryptionConfiguration) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ if in.Resources != nil {
+ in, out := &in.Resources, &out.Resources
+ *out = make([]ResourceConfiguration, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionConfiguration.
+func (in *EncryptionConfiguration) DeepCopy() *EncryptionConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(EncryptionConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *EncryptionConfiguration) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IdentityConfiguration) DeepCopyInto(out *IdentityConfiguration) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityConfiguration.
+func (in *IdentityConfiguration) DeepCopy() *IdentityConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(IdentityConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KMSConfiguration) DeepCopyInto(out *KMSConfiguration) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KMSConfiguration.
+func (in *KMSConfiguration) DeepCopy() *KMSConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(KMSConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Key) DeepCopyInto(out *Key) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Key.
+func (in *Key) DeepCopy() *Key {
+ if in == nil {
+ return nil
+ }
+ out := new(Key)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LeaderElectionConfiguration) DeepCopyInto(out *LeaderElectionConfiguration) {
 *out = *in
@@ -54,3 +159,93 @@ func (in *LeaderElectionConfiguration) DeepCopy() *LeaderElectionConfiguration {
 in.DeepCopyInto(out)
 return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProviderConfiguration) DeepCopyInto(out *ProviderConfiguration) {
+ *out = *in
+ if in.AESGCM != nil {
+ in, out := &in.AESGCM, &out.AESGCM
+ *out = new(AESConfiguration)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.AESCBC != nil {
+ in, out := &in.AESCBC, &out.AESCBC
+ *out = new(AESConfiguration)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.Secretbox != nil {
+ in, out := &in.Secretbox, &out.Secretbox
+ *out = new(SecretboxConfiguration)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.Identity != nil {
+ in, out := &in.Identity, &out.Identity
+ *out = new(IdentityConfiguration)
+ **out = **in
+ }
+ if in.KMS != nil {
+ in, out := &in.KMS, &out.KMS
+ *out = new(KMSConfiguration)
+ **out = **in
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderConfiguration.
+func (in *ProviderConfiguration) DeepCopy() *ProviderConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(ProviderConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceConfiguration) DeepCopyInto(out *ResourceConfiguration) {
+ *out = *in
+ if in.Resources != nil {
+ in, out := &in.Resources, &out.Resources
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.Providers != nil {
+ in, out := &in.Providers, &out.Providers
+ *out = make([]ProviderConfiguration, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceConfiguration.
+func (in *ResourceConfiguration) DeepCopy() *ResourceConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(ResourceConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretboxConfiguration) DeepCopyInto(out *SecretboxConfiguration) {
+ *out = *in
+ if in.Keys != nil {
+ in, out := &in.Keys, &out.Keys
+ *out = make([]Key, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretboxConfiguration.
+func (in *SecretboxConfiguration) DeepCopy() *SecretboxConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(SecretboxConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/BUILD b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/BUILD
index 92ed2f9449d..5e4da1762f8 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/BUILD
@@ -8,20 +8,20 @@ load(
 go_library(
 name = "go_default_library",
- srcs = [
- "config.go",
- "types.go",
- ],
+ srcs = ["config.go"],
 importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/options/encryptionconfig",
 importpath = "k8s.io/apiserver/pkg/server/options/encryptionconfig",
 deps = [
+ "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/apis/config:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/apis/config/v1:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/storage/value:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/aes:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/identity:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox:go_default_library",
- "//vendor/sigs.k8s.io/yaml:go_default_library",
 ],
 )
@@ -31,6 +31,8 @@ go_test(
 embed = [":go_default_library"],
 deps = [
 "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/apis/config:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/storage/value:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope:go_default_library",
 ],
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
index a8c7d0a8223..d86a3e10181 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
@@ -26,9 +26,11 @@ import (
 "os"
 "time"
- yaml "sigs.k8s.io/yaml"
-
+ "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apimachinery/pkg/runtime/serializer"
+ apiserverconfig "k8s.io/apiserver/pkg/apis/config"
+ apiserverconfigv1 "k8s.io/apiserver/pkg/apis/config/v1"
 "k8s.io/apiserver/pkg/storage/value"
 aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
 "k8s.io/apiserver/pkg/storage/value/encrypt/envelope"
@@ -66,20 +68,11 @@ func ParseEncryptionConfiguration(f io.Reader) (map[schema.GroupResource]value.T
 return nil, fmt.Errorf("could not read contents: %v", err)
 }
- var config EncryptionConfig
- err = yaml.Unmarshal(configFileContents, &config)
+ config, err := loadConfig(configFileContents)
 if err != nil {
 return nil, fmt.Errorf("error while parsing file: %v", err)
 }
- if config.Kind == "" {
- return nil, fmt.Errorf("invalid configuration file, missing Kind")
- }
- if config.Kind != "EncryptionConfig" {
- return nil, fmt.Errorf("invalid configuration kind %q provided", config.Kind)
- }
- // TODO config.APIVersion is unchecked
 resourceToPrefixTransformer := map[schema.GroupResource][]value.PrefixTransformer{}
 // For each entry in the configuration
@@ -102,13 +95,32 @@ func ParseEncryptionConfiguration(f io.Reader) (map[schema.GroupResource]value.T
 result[gr] = value.NewMutableTransformer(value.NewPrefixTransformers(fmt.Errorf("no matching prefix found"), transList...))
 }
 return result, nil
+
+}
+
+// loadConfig decodes data as a EncryptionConfiguration object.
+func loadConfig(data []byte) (*apiserverconfig.EncryptionConfiguration, error) {
+ scheme := runtime.NewScheme()
+ codecs := serializer.NewCodecFactory(scheme)
+ apiserverconfig.AddToScheme(scheme)
+ apiserverconfigv1.AddToScheme(scheme)
+
+ configObj, gvk, err := codecs.UniversalDecoder().Decode(data, nil, nil)
+ if err != nil {
+ return nil, err
+ }
+ config, ok := configObj.(*apiserverconfig.EncryptionConfiguration)
+ if !ok {
+ return nil, fmt.Errorf("got unexpected config type: %v", gvk)
+ }
+ return config, nil
 }
 // The factory to create kms service. This is to make writing test easier.
 var envelopeServiceFactory = envelope.NewGRPCService
-// GetPrefixTransformers constructs and returns the appropriate prefix transformers for the passed resource using its configuration
-func GetPrefixTransformers(config *ResourceConfig) ([]value.PrefixTransformer, error) {
+// GetPrefixTransformers constructs and returns the appropriate prefix transformers for the passed resource using its configuration.
+func GetPrefixTransformers(config *apiserverconfig.ResourceConfiguration) ([]value.PrefixTransformer, error) {
 var result []value.PrefixTransformer
 for _, provider := range config.Providers {
 found := false
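Review bot: Both `AddToScheme` calls in the new `loadConfig` discard their error return, so a type-registration failure would surface only later as an opaque decode error from `UniversalDecoder` instead of at its source; since this decoder is now the only thing that distinguishes a valid `EncryptionConfiguration` from an arbitrary document (the explicit `Kind` checks were dropped from `ParseEncryptionConfiguration` in the previous hunk), the registration result should be checked as in the rewrite below, or wrapped in `utilruntime.Must` from `k8s.io/apimachinery/pkg/util/runtime` if that helper is available in this tree. Two smaller points in the same hunk: the added blank line between `return result, nil` and the closing brace of `ParseEncryptionConfiguration` is stray, and the doc comment should read `// loadConfig decodes data as an EncryptionConfiguration object.`
```go
func loadConfig(data []byte) (*apiserverconfig.EncryptionConfiguration, error) {
	scheme := runtime.NewScheme()
	codecs := serializer.NewCodecFactory(scheme)
	if err := apiserverconfig.AddToScheme(scheme); err != nil {
		return nil, fmt.Errorf("registering internal encryption config types: %v", err)
	}
	if err := apiserverconfigv1.AddToScheme(scheme); err != nil {
		return nil, fmt.Errorf("registering v1 encryption config types: %v", err)
	}
	// … unchanged: UniversalDecoder().Decode call and the type assertion …
```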
@@ -188,7 +200,7 @@ type BlockTransformerFunc func(cipher.Block) value.Transformer
 // GetAESPrefixTransformer returns a prefix transformer from the provided configuration.
 // Returns an AES transformer based on the provided prefix and block transformer.
-func GetAESPrefixTransformer(config *AESConfig, fn BlockTransformerFunc, prefix string) (value.PrefixTransformer, error) {
+func GetAESPrefixTransformer(config *apiserverconfig.AESConfiguration, fn BlockTransformerFunc, prefix string) (value.PrefixTransformer, error) {
 var result value.PrefixTransformer
 if len(config.Keys) == 0 {
@@ -236,7 +248,7 @@ func GetAESPrefixTransformer(config *AESConfig, fn BlockTransformerFunc, prefix
 }
 // GetSecretboxPrefixTransformer returns a prefix transformer from the provided configuration
-func GetSecretboxPrefixTransformer(config *SecretboxConfig) (value.PrefixTransformer, error) {
+func GetSecretboxPrefixTransformer(config *apiserverconfig.SecretboxConfiguration) (value.PrefixTransformer, error) {
 var result value.PrefixTransformer
 if len(config.Keys) == 0 {
@@ -288,8 +300,8 @@ func GetSecretboxPrefixTransformer(config *SecretboxConfig) (value.PrefixTransfo
 // getEnvelopePrefixTransformer returns a prefix transformer from the provided config.
 // envelopeService is used as the root of trust.
-func getEnvelopePrefixTransformer(config *KMSConfig, envelopeService envelope.Service, prefix string) (value.PrefixTransformer, error) {
- envelopeTransformer, err := envelope.NewEnvelopeTransformer(envelopeService, config.CacheSize, aestransformer.NewCBCTransformer)
+func getEnvelopePrefixTransformer(config *apiserverconfig.KMSConfiguration, envelopeService envelope.Service, prefix string) (value.PrefixTransformer, error) {
+ envelopeTransformer, err := envelope.NewEnvelopeTransformer(envelopeService, int(config.CacheSize), aestransformer.NewCBCTransformer)
 if err != nil {
 return value.PrefixTransformer{}, err
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
index 8cd6027e904..6ba28763749 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
@@ -19,11 +19,14 @@ package encryptionconfig
 import (
 "bytes"
 "encoding/base64"
+ "reflect"
 "strings"
 "testing"
 "time"
 "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apimachinery/pkg/util/diff"
+ apiserverconfig "k8s.io/apiserver/pkg/apis/config"
 "k8s.io/apiserver/pkg/storage/value"
 "k8s.io/apiserver/pkg/storage/value/encrypt/envelope"
 )
@@ -33,9 +36,40 @@ const (
 sampleContextText = "0123456789"
+ legacyV1Config = `
+ kind: EncryptionConfig
+ apiVersion: v1
+ resources:
+ - resources:
+ - secrets
+ - namespaces
+ providers:
+ - identity: {}
+ - aesgcm:
+ keys:
+ - name: key1
+ secret: c2VjcmV0IGlzIHNlY3VyZQ==
+ - name: key2
+ secret: dGhpcyBpcyBwYXNzd29yZA==
+ - kms:
+ name: testprovider
+ endpoint: unix:///tmp/testprovider.sock
+ cachesize: 10
+ - aescbc:
+ keys:
+ - name: key1
+ secret: c2VjcmV0IGlzIHNlY3VyZQ==
+ - name: key2
+ secret: dGhpcyBpcyBwYXNzd29yZA==
+ - secretbox:
+ keys:
+ - name: key1
+ secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
+ `
+
 correctConfigWithIdentityFirst = `
-kind: EncryptionConfig
-apiVersion: v1
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
 resources:
 - resources:
 - secrets
@@ -65,8 +99,8 @@ resources:
 `
 correctConfigWithAesGcmFirst = `
-kind: EncryptionConfig
-apiVersion: v1
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
 resources:
 - resources:
 - secrets
@@ -95,8 +129,8 @@ resources:
 `
 correctConfigWithAesCbcFirst = `
-kind: EncryptionConfig
-apiVersion: v1
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
 resources:
 - resources:
 - secrets
@@ -125,8 +159,8 @@ resources:
 `
 correctConfigWithSecretboxFirst = `
-kind: EncryptionConfig
-apiVersion: v1
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
 resources:
 - resources:
 - secrets
@@ -155,8 +189,8 @@ resources:
 `
 correctConfigWithKMSFirst = `
-kind: EncryptionConfig
-apiVersion: v1
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
 resources:
 - resources:
 - secrets
@@ -185,8 +219,8 @@ resources:
 `
 incorrectConfigNoSecretForKey = `
-kind: EncryptionConfig
-apiVersion: v1
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
 resources:
 - resources:
 - namespaces
@@ -198,8 +232,8 @@ resources:
 `
 incorrectConfigInvalidKey = `
-kind: EncryptionConfig
-apiVersion: v1
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
 resources:
 - resources:
 - namespaces
@@ -214,8 +248,8 @@ resources:
 `
 incorrectConfigNoEndpointForKMS = `
-kind: EncryptionConfig
-apiVersion: v1
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
 resources:
 - resources:
 - secrets
@@ -244,6 +278,48 @@ func newMockEnvelopeService(endpoint string, timeout time.Duration) (envelope.Se
 return &testEnvelopeService{}, nil
 }
+func TestLegacyConfig(t *testing.T) {
+ legacyConfigObject, err := loadConfig([]byte(legacyV1Config))
+ if err != nil {
+ t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, legacyV1Config)
+ }
+
+ expected := &apiserverconfig.EncryptionConfiguration{
+ Resources: []apiserverconfig.ResourceConfiguration{
+ {
+ Resources: []string{"secrets", "namespaces"},
+ Providers: []apiserverconfig.ProviderConfiguration{
+ {Identity: &apiserverconfig.IdentityConfiguration{}},
+ {AESGCM: &apiserverconfig.AESConfiguration{
+ Keys: []apiserverconfig.Key{
+ {Name: "key1", Secret: "c2VjcmV0IGlzIHNlY3VyZQ=="},
+ {Name: "key2", Secret: "dGhpcyBpcyBwYXNzd29yZA=="},
+ },
+ }},
+ {KMS: &apiserverconfig.KMSConfiguration{
+ Name: "testprovider",
+ Endpoint: "unix:///tmp/testprovider.sock",
+ CacheSize: 10,
+ }},
+ {AESCBC: &apiserverconfig.AESConfiguration{
+ Keys: []apiserverconfig.Key{
+ {Name: "key1", Secret: "c2VjcmV0IGlzIHNlY3VyZQ=="},
+ {Name: "key2", Secret: "dGhpcyBpcyBwYXNzd29yZA=="},
+ },
+ }},
+ {Secretbox: &apiserverconfig.SecretboxConfiguration{
+ Keys: []apiserverconfig.Key{
+ {Name: "key1", Secret: "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="},
+ },
+ }},
+ },
+ },
+ },
+ }
+ if !reflect.DeepEqual(legacyConfigObject, expected) {
+ t.Fatal(diff.ObjectReflectDiff(expected, legacyConfigObject))
+ }
+}
 func TestEncryptionProviderConfigCorrect(t *testing.T) {
 // Set factory for mock envelope service
 factory := envelopeServiceFactory
diff --git a/test/integration/master/BUILD b/test/integration/master/BUILD
index ff8f048bb6a..32d0f404631 100644
--- a/test/integration/master/BUILD
+++ b/test/integration/master/BUILD
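Review bot: `TestLegacyConfig` exercises only the accept path, while the commit removes the explicit `Kind` checks from `ParseEncryptionConfiguration` and leaves rejection of an unregistered kind or apiVersion entirely to the scheme-backed decoder in `loadConfig`; nothing in this file now pins that behaviour, so a negative case such as `if _, err := loadConfig([]byte("kind: Bogus\napiVersion: v1\n")); err == nil { t.Fatal("expected unknown kind to be rejected") }` (constructed input) would catch a regression where a mis-registered scheme starts accepting arbitrary documents. On style, the hunk places the closing `}` of `TestLegacyConfig` directly against `func TestEncryptionProviderConfigCorrect`; a blank line between the two declarations matches the rest of the file. The `reflect.DeepEqual` comparison against an `expected` value with an empty `TypeMeta` presumably relies on the decoder clearing the GVK on the internal object; a one-line comment stating that intent would help the next reader.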
@@ -43,6 +43,7 @@ go_test(
 "//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/apis/audit/v1:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/apis/audit/v1beta1:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/apis/config/v1:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authentication/group:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
@@ -50,7 +51,6 @@ go_test(
 "//staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/features:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/registry/generic/registry:go_default_library",
- "//staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/storage/value:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/aes:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
@@ -127,7 +127,7 @@ go_library(
 "//cmd/kube-apiserver/app/testing:go_default_library",
 "//staging/src/k8s.io/api/core/v1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
- "//staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/apis/config/v1:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/storage/storagebackend:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/storage/value:go_default_library",
 "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
diff --git a/test/integration/master/kms_transformation_test.go b/test/integration/master/kms_transformation_test.go
index df7a70bd314..1b39b436efa 100644
--- a/test/integration/master/kms_transformation_test.go
+++ b/test/integration/master/kms_transformation_test.go
@@ -39,8 +39,8 @@ const (
 dekKeySizeLen = 2
 kmsConfigYAML = `
-kind: EncryptionConfig
-apiVersion: v1
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
 resources:
 - resources:
 - secrets
diff --git a/test/integration/master/secrets_transformation_test.go b/test/integration/master/secrets_transformation_test.go
index a8d408435d5..98d19ad7a5b 100644
--- a/test/integration/master/secrets_transformation_test.go
+++ b/test/integration/master/secrets_transformation_test.go
@@ -23,7 +23,7 @@ import (
 "fmt"
 "testing"
- "k8s.io/apiserver/pkg/server/options/encryptionconfig"
+ apiserverconfigv1 "k8s.io/apiserver/pkg/apis/config/v1"
 "k8s.io/apiserver/pkg/storage/value"
 aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
 )
@@ -33,8 +33,8 @@ const (
 aesCBCPrefix = "k8s:enc:aescbc:v1:key1:"
 aesGCMConfigYAML = `
-kind: EncryptionConfig
-apiVersion: v1
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
 resources:
 - resources:
 - secrets
@@ -46,8 +46,8 @@ resources:
 `
 aesCBCConfigYAML = `
-kind: EncryptionConfig
-apiVersion: v1
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
 resources:
 - resources:
 - secrets
@@ -59,8 +59,8 @@ resources:
 `
 identityConfigYAML = `
-kind: EncryptionConfig
-apiVersion: v1
+kind: EncryptionConfiguration
+apiVersion: apiserver.config.k8s.io/v1
 resources:
 - resources:
 - secrets
@@ -72,7 +72,7 @@ resources:
 // TestSecretsShouldBeEnveloped is an integration test between KubeAPI and etcd that checks:
 // 1. Secrets are encrypted on write
 // 2. Secrets are decrypted on read
-// when EncryptionConfig is passed to KubeAPI server.
+// when EncryptionConfiguration is passed to KubeAPI server.
 func TestSecretsShouldBeTransformed(t *testing.T) {
 var testCases = []struct {
 transformerConfigContent string
@@ -128,7 +128,7 @@ func runBenchmark(b *testing.B, transformerConfig string) {
 }
 func unSealWithGCMTransformer(cipherText []byte, ctx value.Context,
- transformerConfig encryptionconfig.ProviderConfig) ([]byte, error) {
+ transformerConfig apiserverconfigv1.ProviderConfiguration) ([]byte, error) {
 block, err := newAESCipher(transformerConfig.AESGCM.Keys[0].Secret)
 if err != nil {
@@ -146,7 +146,7 @@ func unSealWithGCMTransformer(cipherText []byte, ctx value.Context,
 }
 func unSealWithCBCTransformer(cipherText []byte, ctx value.Context,
- transformerConfig encryptionconfig.ProviderConfig) ([]byte, error) {
+ transformerConfig apiserverconfigv1.ProviderConfiguration) ([]byte, error) {
 block, err := newAESCipher(transformerConfig.AESCBC.Keys[0].Secret)
 if err != nil {
diff --git a/test/integration/master/transformation_testcase.go b/test/integration/master/transformation_testcase.go
index a23e7413af8..b5f4eb63179 100644
--- a/test/integration/master/transformation_testcase.go
+++ b/test/integration/master/transformation_testcase.go
@@ -33,7 +33,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apiserver/pkg/server/options/encryptionconfig"
+ apiserverconfigv1 "k8s.io/apiserver/pkg/apis/config/v1"
 "k8s.io/apiserver/pkg/storage/storagebackend"
 "k8s.io/apiserver/pkg/storage/value"
 "k8s.io/client-go/kubernetes"
@@ -51,7 +51,7 @@ const (
 metricsPrefix = "apiserver_storage_"
 )
-type unSealSecret func(cipherText []byte, ctx value.Context, config encryptionconfig.ProviderConfig) ([]byte, error)
+type unSealSecret func(cipherText []byte, ctx value.Context, config apiserverconfigv1.ProviderConfiguration) ([]byte, error)
 type transformTest struct {
 logger kubeapiservertesting.Logger
@@ -186,8 +186,8 @@ func (e *transformTest) createEncryptionConfig() (string, error) {
 return tempDir, nil
 }
-func (e *transformTest) getEncryptionConfig() (*encryptionconfig.ProviderConfig, error) {
- var config encryptionconfig.EncryptionConfig
+func (e *transformTest) getEncryptionConfig() (*apiserverconfigv1.ProviderConfiguration, error) {
+ var config apiserverconfigv1.EncryptionConfiguration
 err := yaml.Unmarshal([]byte(e.transformerConfig), &config)
 if err != nil {
 return nil, fmt.Errorf("failed to extract transformer key: %v", err)