no-op: drop baseTransformerFunc indirection

Signed-off-by: Monis Khan <mok@microsoft.com>
Monis Khan 2023-02-24 12:39:14 -05:00
parent 54ec651ab5
commit 346f39e18b
3 changed files with 17 additions and 20 deletions


@ -616,7 +616,7 @@ func kmsPrefixTransformer(ctx context.Context, config *apiserverconfig.KMSConfig
// using AES-GCM by default for encrypting data with KMSv2
transformer := value.PrefixTransformer{
Transformer: envelopekmsv2.NewEnvelopeTransformer(envelopeService, kmsName, probe.getCurrentKeyID, probe.check, aestransformer.NewGCMTransformer),
Transformer: envelopekmsv2.NewEnvelopeTransformer(envelopeService, kmsName, probe.getCurrentKeyID, probe.check),
Prefix: []byte(kmsTransformerPrefixV2 + kmsName + ":"),
}
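Review bot: The comment at the top of this hunk, `// using AES-GCM by default for encrypting data with KMSv2`, is now misleading: with the `aestransformer.NewGCMTransformer` argument removed from the `NewEnvelopeTransformer` call, there is no longer any way for this call site to choose a different data cipher, so "by default" suggests a knob that does not exist. I would reword it to `// KMSv2 always encrypts data with the DEK using AES-GCM; the cipher is fixed inside the envelope transformer.` so a reader auditing the encryption-at-rest configuration is not sent looking for an override. The enclosing `kmsPrefixTransformer` function starts and ends outside this hunk.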


@ -20,18 +20,19 @@ package kmsv2
import (
"context"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"fmt"
"time"
"github.com/gogo/protobuf/proto"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/apimachinery/pkg/util/validation"
"k8s.io/apimachinery/pkg/util/validation/field"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/storage/value"
aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1"
"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
"k8s.io/klog/v2"
@ -71,8 +72,6 @@ type envelopeTransformer struct {
keyIDGetter KeyIDGetterFunc
probeHealthzCheck ProbeHealthzCheckFunc
// baseTransformerFunc creates a new transformer for encrypting the data with the DEK.
baseTransformerFunc func(cipher.Block) value.Transformer
// cache is a thread-safe expiring lru cache which caches decrypted DEKs indexed by their encrypted form.
cache *simpleCache
}
@ -80,18 +79,17 @@ type envelopeTransformer struct {
// NewEnvelopeTransformer returns a transformer which implements a KEK-DEK based envelope encryption scheme.
// It uses envelopeService to encrypt and decrypt DEKs. Respective DEKs (in encrypted form) are prepended to
// the data items they encrypt.
func NewEnvelopeTransformer(envelopeService kmsservice.Service, providerName string, keyIDGetter KeyIDGetterFunc, probeHealthzCheck ProbeHealthzCheckFunc, baseTransformerFunc func(cipher.Block) value.Transformer) value.Transformer {
return newEnvelopeTransformerWithClock(envelopeService, providerName, keyIDGetter, probeHealthzCheck, baseTransformerFunc, cacheTTL, clock.RealClock{})
func NewEnvelopeTransformer(envelopeService kmsservice.Service, providerName string, keyIDGetter KeyIDGetterFunc, probeHealthzCheck ProbeHealthzCheckFunc) value.Transformer {
return newEnvelopeTransformerWithClock(envelopeService, providerName, keyIDGetter, probeHealthzCheck, cacheTTL, clock.RealClock{})
}
func newEnvelopeTransformerWithClock(envelopeService kmsservice.Service, providerName string, keyIDGetter KeyIDGetterFunc, probeHealthzCheck ProbeHealthzCheckFunc, baseTransformerFunc func(cipher.Block) value.Transformer, cacheTTL time.Duration, clock clock.Clock) value.Transformer {
func newEnvelopeTransformerWithClock(envelopeService kmsservice.Service, providerName string, keyIDGetter KeyIDGetterFunc, probeHealthzCheck ProbeHealthzCheckFunc, cacheTTL time.Duration, clock clock.Clock) value.Transformer {
return &envelopeTransformer{
envelopeService: envelopeService,
providerName: providerName,
keyIDGetter: keyIDGetter,
probeHealthzCheck: probeHealthzCheck,
cache: newSimpleCache(clock, cacheTTL),
baseTransformerFunc: baseTransformerFunc,
envelopeService: envelopeService,
providerName: providerName,
keyIDGetter: keyIDGetter,
probeHealthzCheck: probeHealthzCheck,
cache: newSimpleCache(clock, cacheTTL),
}
}
@ -206,7 +204,7 @@ func (t *envelopeTransformer) addTransformer(encKey []byte, key []byte) (value.T
if err != nil {
return nil, err
}
transformer := t.baseTransformerFunc(block)
transformer := aestransformer.NewGCMTransformer(block)
// TODO(aramase): Add metrics for cache fill percentage with custom cache implementation.
t.cache.set(encKey, transformer)
return transformer, nil
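Review bot: Dropping the `baseTransformerFunc` field also dropped the only comment that said what the DEK is used for (`// baseTransformerFunc creates a new transformer for encrypting the data with the DEK.`), and the doc comment on `NewEnvelopeTransformer` still only describes how DEKs are wrapped, not how the data itself is protected. Now that the cipher is hard-wired in `addTransformer` via `aestransformer.NewGCMTransformer(block)`, I would extend the constructor's doc with `// Data items are encrypted with their DEK using AES-GCM; this is fixed and not configurable by callers.` so the security property is stated at the exported API rather than buried in an unexported helper. A `// always AES-GCM; there is intentionally no hook to substitute another cipher` comment on the `aestransformer.NewGCMTransformer(block)` line would make the intent explicit to future maintainers as well. Note that `addTransformer` begins before this hunk, so the `aes.NewCipher` call producing `block` is not visible here.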


@ -32,7 +32,6 @@ import (
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/storage/value"
aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1"
"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
"k8s.io/component-base/metrics/legacyregistry"
@ -151,7 +150,7 @@ func TestEnvelopeCaching(t *testing.T) {
func(ctx context.Context) error {
return nil
},
aestransformer.NewGCMTransformer, tt.cacheTTL, fakeClock)
tt.cacheTTL, fakeClock)
ctx := testContext(t)
dataCtx := value.DefaultContext([]byte(testContextText))
@ -233,7 +232,7 @@ func TestEnvelopeTransformerKeyIDGetter(t *testing.T) {
func(ctx context.Context) error {
return nil
},
aestransformer.NewGCMTransformer)
)
ctx := testContext(t)
dataCtx := value.DefaultContext([]byte(testContextText))
@ -304,7 +303,7 @@ func TestTransformToStorageError(t *testing.T) {
func(ctx context.Context) error {
return nil
},
aestransformer.NewGCMTransformer)
)
ctx := testContext(t)
dataCtx := value.DefaultContext([]byte(testContextText))
@ -599,7 +598,7 @@ func TestEnvelopeMetrics(t *testing.T) {
metrics.RecordInvalidKeyIDFromStatus(testProviderName, errCode)
return nil
},
aestransformer.NewGCMTransformer)
)
dataCtx := value.DefaultContext([]byte(testContextText))
@ -720,7 +719,7 @@ func TestEnvelopeLogging(t *testing.T) {
func(ctx context.Context) error {
return nil
},
aestransformer.NewGCMTransformer, 1*time.Second, fakeClock)
1*time.Second, fakeClock)
dataCtx := value.DefaultContext([]byte(testContextText))
originalText := []byte(testText)