Update kms provider config for gRPC client service

2025-07-29 22:46:12 +00:00 · 2017-11-14 09:05:52 +00:00 · 2017-11-14 09:05:52 +00:00 · 31fb539f17
commit 31fb539f17
parent 772fa0f62f
2 changed files with 48 additions and 11 deletions
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
@ -150,18 +150,37 @@ func GetPrefixTransformers(config *ResourceConfig) ([]value.PrefixTransformer, e
 			if found == true {
 				return nil, fmt.Errorf("more than one provider specified in a single element, should split into different list elements")
 			}
-			f, err := os.Open(provider.KMS.ConfigFile)
-			if err != nil {
-				return nil, fmt.Errorf("error opening KMS provider configuration file %q: %v", provider.KMS.ConfigFile, err)
-			}
-			defer f.Close()
-			envelopeService, pluginFound, err := KMSPluginRegistry.getPlugin(provider.KMS.Name, f)
-			if err != nil {
-				return nil, fmt.Errorf("could not configure KMS plugin %q, %v", provider.KMS.Name, err)
-			}
-			if pluginFound == false {
-				return nil, fmt.Errorf("KMS plugin %q not found", provider.KMS.Name)
+
+			var envelopeService envelope.Service
+			remoteConfig := provider.KMS.RemoteServer
+			if remoteConfig == nil {
+				// There should be no KMS provider plugins on API server side in future.
+				f, err := os.Open(provider.KMS.ConfigFile)
+				if err != nil {
+					return nil, fmt.Errorf("error opening KMS provider configuration file %q: %v", provider.KMS.ConfigFile, err)
+				}
+				defer f.Close()
+				pluginFound := false
+				envelopeService, pluginFound, err = KMSPluginRegistry.getPlugin(provider.KMS.Name, f)
+				if err != nil {
+					return nil, fmt.Errorf("could not configure KMS plugin %q, %v", provider.KMS.Name, err)
+				}
+				if pluginFound == false {
+					return nil, fmt.Errorf("KMS plugin %q not found", provider.KMS.Name)
+				}
+			} else {
+				// Get gRPC client service with remote config
+				envelopeService, err = envelope.NewEnvelopeService(
+					remoteConfig.Endpoint,
+					remoteConfig.ServerCACert,
+					remoteConfig.ClientCert,
+					remoteConfig.ClientKey,
+				)
+				if err != nil {
+					return nil, fmt.Errorf("could not configure KMS plugin %q, error: %v", provider.KMS.Name, err)
+				}
 			}
+
 			transformer, err = getEnvelopePrefixTransformer(provider.KMS, envelopeService, kmsTransformerPrefixV1)
 			found = true
 		}
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go
@ -83,4 +83,22 @@ type KMSConfig struct {
 	CacheSize int `json:"cachesize,omitempty"`
 	// configfile is the path to the configuration file for the named KMS provider.
 	ConfigFile string `json:"configfile"`
+	// remoteServer is the configuration for connection gRPC server.
+	RemoteServer *RemoteServerConfig `json:"remoteServer"`
+}
+
+// RemoteServerConfig contains the connection informations that connect remote
+// gRPC server for envelope transformer.
+type RemoteServerConfig struct {
+	// gRPC server listen address, for example tcp://localhost:3735,
+	// unix:///var/run/kmsprovider.sock
+	Endpoint string `json:"endpoint"`
+
+	// CACert is the path to a PEM-encoded CA cert file to use to verify the
+	// gRPC server SSL certificate.
+	ServerCACert string `json:"serverCACert"`
+
+	// TLS certificate authentication information
+	ClientCert string `json:"clientCert"`
+	ClientKey  string `json:"clientKey"`
 }