From a16808f353afb6abf402c862d5f859b949d2027a Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Sun, 15 Dec 2019 23:30:36 -0500
Subject: [PATCH] kms: use negative cachesize value to disable caching

This change relaxes the KMS config cache size validation to allow for negative values. The KMS code already treats all values <= 0 to mean that the cache is disabled (zero is still a validation error).

Signed-off-by: Monis Khan
---
 staging/src/k8s.io/apiserver/pkg/apis/config/types.go | 5 +++--
 staging/src/k8s.io/apiserver/pkg/apis/config/v1/types.go | 5 +++--
 .../apiserver/pkg/apis/config/validation/validation.go | 6 +++---
 .../pkg/apis/config/validation/validation_test.go | 8 +++-----
 4 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/types.go b/staging/src/k8s.io/apiserver/pkg/apis/config/types.go
index 4277c3da769..5dddc97f964 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/config/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/types.go
@@ -88,12 +88,13 @@ type IdentityConfiguration struct{}
 type KMSConfiguration struct {
 	// name is the name of the KMS plugin to be used.
 	Name string
-	// cacheSize is the maximum number of secrets which are cached in memory. The default value is 1000.
+	// cachesize is the maximum number of secrets which are cached in memory. The default value is 1000.
+	// Set to a negative value to disable caching.
 	// +optional
 	CacheSize *int32
 	// endpoint is the gRPC server listening address, for example "unix:///var/run/kms-provider.sock".
 	Endpoint string
-	// Timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.
+	// timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.
 	// +optional
 	Timeout *metav1.Duration
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/v1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/types.go
index 7ee20ba2419..d7d68d2584d 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/config/v1/types.go
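Review bot: The new `cachesize` comment in types.go says a negative value disables caching but does not say that 0 is rejected, even though the validation hunk in this same commit turns exactly that into an error, so a reader who picks "0 = off" gets a configuration that fails to load. The same wording is repeated in the v1/types.go hunk. I would extend the added line in both files to `// Set to a negative value to disable caching; 0 is rejected by validation.`. It is also worth stating in the same comment what disabling costs — presumably every decryption then goes to the plugin, so a slow or unavailable plugin affects every read of an encrypted resource — since that is the availability trade-off an administrator makes when turning the cache off.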
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/types.go
@@ -88,12 +88,13 @@ type IdentityConfiguration struct{}
 type KMSConfiguration struct {
 	// name is the name of the KMS plugin to be used.
 	Name string `json:"name"`
-	// cacheSize is the maximum number of secrets which are cached in memory. The default value is 1000.
+	// cachesize is the maximum number of secrets which are cached in memory. The default value is 1000.
+	// Set to a negative value to disable caching.
 	// +optional
 	CacheSize *int32 `json:"cachesize,omitempty"`
 	// endpoint is the gRPC server listening address, for example "unix:///var/run/kms-provider.sock".
 	Endpoint string `json:"endpoint"`
-	// Timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.
+	// timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.
 	// +optional
 	Timeout *metav1.Duration `json:"timeout,omitempty"`
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/validation/validation.go b/staging/src/k8s.io/apiserver/pkg/apis/config/validation/validation.go
index ec22f9ae958..d911d05972c 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/config/validation/validation.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/validation/validation.go
@@ -34,7 +34,7 @@ const (
 	mandatoryFieldErrFmt = "%s is a mandatory field for a %s"
 	base64EncodingErr = "secrets must be base64 encoded"
 	zeroOrNegativeErrFmt = "%s should be a positive value"
-	negativeValueErrFmt = "%s can't be negative"
+	nonZeroErrFmt = "%s should be a positive value, or negative to disable"
 	encryptionConfigNilErr = "EncryptionConfiguration can't be nil"
 )
 
@@ -184,8 +184,8 @@ func validateKMSConfiguration(c *config.KMSConfiguration, fieldPath *field.Path)
 func validateKMSCacheSize(c *config.KMSConfiguration, fieldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 
-	if *c.CacheSize <= 0 {
-		allErrs = append(allErrs, field.Invalid(fieldPath, *c.CacheSize, fmt.Sprintf(zeroOrNegativeErrFmt, "cachesize")))
+	if *c.CacheSize == 0 {
+		allErrs = append(allErrs, field.Invalid(fieldPath, *c.CacheSize, fmt.Sprintf(nonZeroErrFmt, "cachesize")))
 	}
 
 	return allErrs
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/config/validation/validation_test.go b/staging/src/k8s.io/apiserver/pkg/apis/config/validation/validation_test.go
index 0cf3fa25130..03192c83731 100644
--- a/staging/src/k8s.io/apiserver/pkg/apis/config/validation/validation_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/apis/config/validation/validation_test.go
@@ -331,15 +331,13 @@ func TestKMSProviderCacheSize(t *testing.T) {
 			desc: "invalid zero cache size",
 			in: &config.KMSConfiguration{CacheSize: &zeroCacheSize},
 			want: field.ErrorList{
-				field.Invalid(cacheField, int32(0), fmt.Sprintf(zeroOrNegativeErrFmt, "cachesize")),
+				field.Invalid(cacheField, int32(0), fmt.Sprintf(nonZeroErrFmt, "cachesize")),
 			},
 		},
 		{
-			desc: "negative caches size",
+			desc: "valid negative caches size",
 			in: &config.KMSConfiguration{CacheSize: &negativeCacheSize},
-			want: field.ErrorList{
-				field.Invalid(cacheField, negativeCacheSize, fmt.Sprintf(zeroOrNegativeErrFmt, "cachesize")),
-			},
+			want: field.ErrorList{},
 		},
 	}
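Review bot: `validateKMSCacheSize` now accepts every negative value, but nothing in the function says so; the only hint is the error text in `nonZeroErrFmt`, which lives in a different hunk. A doc comment on the function would pin the contract: `// validateKMSCacheSize rejects a cachesize of 0; positive values bound the cache and negative values disable it.`. The function still dereferences `*c.CacheSize` without a nil check, so it relies on its caller (validateKMSConfiguration, outside this hunk) to invoke it only when the field is set — presumably unchanged by this commit, but worth confirming. The function's closing brace is outside the hunk. If `zeroOrNegativeErrFmt` has no remaining reference after this rename it should be dropped as well; its other uses are not visible from here.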