Merge pull request #118888 from enj/enj/i/kms_interface_split

kmsv2: no-op: split transformer interface

staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/cache.go

@@ -18,7 +18,6 @@ limitations under the License.
 package kmsv2
 
 import (
-	"context"
 	"crypto/sha256"
 	"hash"
 	"sync"
@@ -30,17 +29,10 @@ import (
 	"k8s.io/utils/clock"
 )
 
-// prevent decryptTransformer from drifting from value.Transformer
+// simpleCache stores the decryption subset of value.Transformer (value.Read).
-var _ decryptTransformer = value.Transformer(nil)
+// this statically enforces that transformers placed in the cache are not used for encryption.
-
-// decryptTransformer is the decryption subset of value.Transformer.
-// this exists purely to statically enforce that transformers placed in the cache are not used for encryption.
 // this is relevant in the context of nonce collision since transformers that are created
 // from encrypted DEKs retrieved from etcd cannot maintain their nonce counter state.
-type decryptTransformer interface {
-	TransformFromStorage(ctx context.Context, data []byte, dataCtx value.Context) (out []byte, stale bool, err error)
-}
-
 type simpleCache struct {
 	cache *utilcache.Expiring
 	ttl   time.Duration
@@ -64,16 +56,16 @@ func newSimpleCache(clock clock.Clock, ttl time.Duration) *simpleCache {
 }
 
 // given a key, return the transformer, or nil if it does not exist in the cache
-func (c *simpleCache) get(key []byte) decryptTransformer {
+func (c *simpleCache) get(key []byte) value.Read {
 	record, ok := c.cache.Get(c.keyFunc(key))
 	if !ok {
 		return nil
 	}
-	return record.(decryptTransformer)
+	return record.(value.Read)
 }
 
 // set caches the record for the key
-func (c *simpleCache) set(key []byte, transformer decryptTransformer) {
+func (c *simpleCache) set(key []byte, transformer value.Read) {
 	if len(key) == 0 {
 		panic("key must not be empty")
 	}

staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go

@@ -227,7 +227,7 @@ func (t *envelopeTransformer) TransformToStorage(ctx context.Context, data []byt
 }
 
 // addTransformerForDecryption inserts a new transformer to the Envelope cache of DEKs for future reads.
-func (t *envelopeTransformer) addTransformerForDecryption(cacheKey []byte, key []byte) (decryptTransformer, error) {
+func (t *envelopeTransformer) addTransformerForDecryption(cacheKey []byte, key []byte) (value.Read, error) {
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, err

staging/src/k8s.io/apiserver/pkg/storage/value/transformer.go

@@ -40,17 +40,25 @@ type Context interface {
 	AuthenticatedData() []byte
 }
 
-// Transformer allows a value to be transformed before being read from or written to the underlying store. The methods
+type Read interface {
-// must be able to undo the transformation caused by the other.
-type Transformer interface {
 	// TransformFromStorage may transform the provided data from its underlying storage representation or return an error.
 	// Stale is true if the object on disk is stale and a write to etcd should be issued, even if the contents of the object
 	// have not changed.
 	TransformFromStorage(ctx context.Context, data []byte, dataCtx Context) (out []byte, stale bool, err error)
+}
+
+type Write interface {
 	// TransformToStorage may transform the provided data into the appropriate form in storage or return an error.
 	TransformToStorage(ctx context.Context, data []byte, dataCtx Context) (out []byte, err error)
 }
 
+// Transformer allows a value to be transformed before being read from or written to the underlying store. The methods
+// must be able to undo the transformation caused by the other.
+type Transformer interface {
+	Read
+	Write
+}
+
 // ResourceTransformers returns a transformer for the provided resource.
 type ResourceTransformers interface {
 	TransformerForResource(resource schema.GroupResource) Transformer