storage: transformers: pass a context.Context

When an envelope transformer calls out to KMS (for instance), it will be
very helpful to pass a `context.Context` to allow for cancellation. This
patch does that, while passing the previously-expected additional data
via a context value.

Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Steve Kuznetsov
2022-02-17 07:29:44 -08:00
parent aa0e6320d5
commit 27312feb99
17 changed files with 180 additions and 150 deletions


@@ -24,7 +24,6 @@ import (
"context"
"crypto/aes"
"encoding/binary"
"fmt"
"net/http"
"strings"
@@ -83,9 +82,10 @@ func (r envelope) plainTextPayload(secretETCDPath string) ([]byte, error) {
return nil, fmt.Errorf("failed to initialize AES Cipher: %v", err)
}
// etcd path of the key is used as the authenticated context - need to pass it to decrypt
ctx := value.DefaultContext([]byte(secretETCDPath))
ctx := context.Background()
dataCtx := value.DefaultContext([]byte(secretETCDPath))
aescbcTransformer := aestransformer.NewCBCTransformer(block)
plainSecret, _, err := aescbcTransformer.TransformFromStorage(r.cipherTextPayload(), ctx)
plainSecret, _, err := aescbcTransformer.TransformFromStorage(ctx, r.cipherTextPayload(), dataCtx)
if err != nil {
return nil, fmt.Errorf("failed to transform from storage via AESCBC, err: %v", err)
}
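Review bot: The comment "etcd path of the key is used as the authenticated context" now sits directly above `ctx := context.Background()` instead of above the `dataCtx` declaration it describes, so a reader is told the Go context is the authenticated data. Swap the two new declarations so the comment stays with its line: `ctx := context.Background()` / `// etcd path of the key is used as the authenticated context - need to pass it to decrypt` / `dataCtx := value.DefaultContext([]byte(secretETCDPath))`. The same ordering appears in transformTest.run in the third file section of this commit. A background context also cannot be cancelled, so this call site gains nothing from the new parameter; if the caller of plainTextPayload already holds a test context, threading it through the method would realise the commit's stated goal, though that caller is not visible here. plainTextPayload starts and ends outside the hunk.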


@@ -17,6 +17,7 @@ limitations under the License.
package controlplane
import (
"context"
"crypto/aes"
"crypto/cipher"
"encoding/base64"
@@ -131,7 +132,7 @@ func runBenchmark(b *testing.B, transformerConfig string) {
test.printMetrics()
}
func unSealWithGCMTransformer(cipherText []byte, ctx value.Context,
func unSealWithGCMTransformer(ctx context.Context, cipherText []byte, dataCtx value.Context,
transformerConfig apiserverconfigv1.ProviderConfiguration) ([]byte, error) {
block, err := newAESCipher(transformerConfig.AESGCM.Keys[0].Secret)
@@ -141,7 +142,7 @@ func unSealWithGCMTransformer(cipherText []byte, ctx value.Context,
gcmTransformer := aestransformer.NewGCMTransformer(block)
clearText, _, err := gcmTransformer.TransformFromStorage(cipherText, ctx)
clearText, _, err := gcmTransformer.TransformFromStorage(ctx, cipherText, dataCtx)
if err != nil {
return nil, fmt.Errorf("failed to decypt secret: %v", err)
}
@@ -149,7 +150,7 @@ func unSealWithGCMTransformer(cipherText []byte, ctx value.Context,
return clearText, nil
}
func unSealWithCBCTransformer(cipherText []byte, ctx value.Context,
func unSealWithCBCTransformer(ctx context.Context, cipherText []byte, dataCtx value.Context,
transformerConfig apiserverconfigv1.ProviderConfiguration) ([]byte, error) {
block, err := newAESCipher(transformerConfig.AESCBC.Keys[0].Secret)
@@ -159,7 +160,7 @@ func unSealWithCBCTransformer(cipherText []byte, ctx value.Context,
cbcTransformer := aestransformer.NewCBCTransformer(block)
clearText, _, err := cbcTransformer.TransformFromStorage(cipherText, ctx)
clearText, _, err := cbcTransformer.TransformFromStorage(ctx, cipherText, dataCtx)
if err != nil {
return nil, fmt.Errorf("failed to decypt secret: %v", err)
}
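Review bot: Neither unSealWithGCMTransformer nor unSealWithCBCTransformer has a doc comment now that each takes both a context.Context and a value.Context, and the two similarly named parameters are easy to confuse at call sites. A comment such as `// unSealWithGCMTransformer decrypts cipherText with the first AESGCM key in transformerConfig. ctx carries cancellation; dataCtx is the authenticated data (the etcd path of the key) used when the value was sealed.` on the GCM function, and the same wording with AESCBC on the CBC one, would make the distinction explicit. Both helpers only ever use `Keys[0]`, which the comment should state, since a configuration with several keys would never be tried beyond the first; that limitation is inferred from the visible index and worth confirming against the callers. Both function bodies continue outside the hunks.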


@@ -52,7 +52,7 @@ const (
metricsPrefix = "apiserver_storage_"
)
type unSealSecret func(cipherText []byte, ctx value.Context, config apiserverconfigv1.ProviderConfiguration) ([]byte, error)
type unSealSecret func(ctx context.Context, cipherText []byte, dataCtx value.Context, config apiserverconfigv1.ProviderConfiguration) ([]byte, error)
type transformTest struct {
logger kubeapiservertesting.Logger
@@ -115,14 +115,15 @@ func (e *transformTest) run(unSealSecretFunc unSealSecret, expectedEnvelopePrefi
}
// etcd path of the key is used as the authenticated context - need to pass it to decrypt
ctx := value.DefaultContext([]byte(e.getETCDPath()))
ctx := context.Background()
dataCtx := value.DefaultContext([]byte(e.getETCDPath()))
// Envelope header precedes the cipherTextPayload
sealedData := response.Kvs[0].Value[len(expectedEnvelopePrefix):]
transformerConfig, err := e.getEncryptionConfig()
if err != nil {
e.logger.Errorf("failed to parse transformer config: %v", err)
}
v, err := unSealSecretFunc(sealedData, ctx, *transformerConfig)
v, err := unSealSecretFunc(ctx, sealedData, dataCtx, *transformerConfig)
if err != nil {
e.logger.Errorf("failed to unseal secret: %v", err)
return