Merge pull request #47738 from php-coder/code_simplification
Automatic merge from submit-queue (batch tested with PRs 47738, 49196, 48907, 48533, 48822) ParseEncryptionConfiguration: simplify code **What this PR does / why we need it**: Reorders the `if` statements to make the code a bit more readable. It also improves the godoc comments and error messages. **Release note**: ```release-note NONE ``` PTAL @sakshamsharma
commit
85f19ec6e9
@ -657,7 +657,6 @@ staging/src/k8s.io/apiserver/pkg/server/healthz
|
||||
staging/src/k8s.io/apiserver/pkg/server/httplog
|
||||
staging/src/k8s.io/apiserver/pkg/server/openapi
|
||||
staging/src/k8s.io/apiserver/pkg/server/options
|
||||
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig
|
||||
staging/src/k8s.io/apiserver/pkg/server/routes/data/swagger
|
||||
staging/src/k8s.io/apiserver/pkg/server/storage
|
||||
staging/src/k8s.io/apiserver/pkg/storage
|
||||
|
@ -68,12 +68,12 @@ func ParseEncryptionConfiguration(f io.Reader) (map[schema.GroupResource]value.T
|
||||
return nil, fmt.Errorf("error while parsing file: %v", err)
|
||||
}
|
||||
|
||||
if config.Kind != "EncryptionConfig" && config.Kind != "" {
|
||||
return nil, fmt.Errorf("invalid configuration kind %q provided", config.Kind)
|
||||
}
|
||||
if config.Kind == "" {
|
||||
return nil, fmt.Errorf("invalid configuration file, missing Kind")
|
||||
}
|
||||
if config.Kind != "EncryptionConfig" {
|
||||
return nil, fmt.Errorf("invalid configuration kind %q provided", config.Kind)
|
||||
}
|
||||
// TODO config.APIVersion is unchecked
|
||||
|
||||
resourceToPrefixTransformer := map[schema.GroupResource][]value.PrefixTransformer{}
|
||||
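Review bot: Validation of the configuration header is still incomplete after the reordered `config.Kind` checks: the retained `// TODO config.APIVersion is unchecked` comment still applies, so a file declaring some other apiVersion is parsed as if it used the current schema. Since this file selects the encryption providers for data at rest, a version mismatch is worth rejecting explicitly rather than deferring; a guard of the form `if config.APIVersion != <supported version> { return nil, fmt.Errorf("unsupported configuration apiVersion %q", config.APIVersion) }` next to the Kind checks would close that gap. The missing-Kind error could also name the expected value, e.g. `fmt.Errorf("invalid configuration file, missing Kind (expected %q)", "EncryptionConfig")`. ParseEncryptionConfiguration starts and ends outside this hunk.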
@ -100,7 +100,7 @@ func ParseEncryptionConfiguration(f io.Reader) (map[schema.GroupResource]value.T
|
||||
return result, nil
|
||||
}
|
||||
|
||||
// GetPrefixTransformer constructs and returns the appropriate prefix transformers for the passed resource using its configuration
|
||||
// GetPrefixTransformers constructs and returns the appropriate prefix transformers for the passed resource using its configuration
|
||||
func GetPrefixTransformers(config *ResourceConfig) ([]value.PrefixTransformer, error) {
|
||||
var result []value.PrefixTransformer
|
||||
for _, provider := range config.Providers {
|
||||
@ -150,13 +150,13 @@ func GetPrefixTransformers(config *ResourceConfig) ([]value.PrefixTransformer, e
|
||||
result = append(result, transformer)
|
||||
|
||||
if found == false {
|
||||
return result, fmt.Errorf("invalid provider configuration provided")
|
||||
return result, fmt.Errorf("invalid provider configuration: at least one provider must be specified")
|
||||
}
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
||||
// BlockTransformerFunc taske an AES cipher block and returns a value transformer.
|
||||
// BlockTransformerFunc takes an AES cipher block and returns a value transformer.
|
||||
type BlockTransformerFunc func(cipher.Block) value.Transformer
|
||||
|
||||
// GetAESPrefixTransformer returns a prefix transformer from the provided configuration.
|
||||
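Review bot: The error path in GetPrefixTransformers still returns a partially populated `result` alongside the new error on `return result, fmt.Errorf("invalid provider configuration: at least one provider must be specified")`, so a caller that mishandles the error is left with a usable but incomplete transformer list; `return nil, fmt.Errorf(...)` keeps the (T, error) contract unambiguous. The same `return result, err` shape appears on the key-size check in GetSecretboxPrefixTransformer in the next hunk. The new message implies the provider list was empty, but from the visible lines the check sits inside the per-provider loop right after `result = append(result, transformer)`, which suggests it also fires for an entry with no recognised provider type; if so, a message naming the offending entry would be more accurate — confirm against the loop head, which is above this hunk. Separately, `if found == false {` reads better and passes staticcheck as `if !found {`. The function's body begins before this hunk.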
@ -233,7 +233,7 @@ func GetSecretboxPrefixTransformer(config *SecretboxConfig) (value.PrefixTransfo
|
||||
}
|
||||
|
||||
if len(key) != 32 {
|
||||
return result, fmt.Errorf("expected key size 32 for aes-cbc provider, got %v", len(key))
|
||||
return result, fmt.Errorf("expected key size 32 for secretbox provider, got %v", len(key))
|
||||
}
|
||||
|
||||
keyArray := [32]byte{}
|
||||
|
@ -31,7 +31,7 @@ type ResourceConfig struct {
|
||||
// resources is a list of kubernetes resources which have to be encrypted.
|
||||
Resources []string `json:"resources"`
|
||||
// providers is a list of transformers to be used for reading and writing the resources to disk.
|
||||
// eg: aes, identity.
|
||||
// eg: aesgcm, aescbc, secretbox, identity.
|
||||
Providers []ProviderConfig `json:"providers"`
|
||||
}
|
||||
|
||||
@ -50,20 +50,22 @@ type ProviderConfig struct {
|
||||
// AESConfig contains the API configuration for an AES transformer.
|
||||
type AESConfig struct {
|
||||
// keys is a list of keys to be used for creating the AES transformer.
|
||||
// Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM.
|
||||
Keys []Key `json:"keys"`
|
||||
}
|
||||
|
||||
// SECRETBOXConfig contains the API configuration for an Secretbox transformer.
|
||||
// SecretboxConfig contains the API configuration for an Secretbox transformer.
|
||||
type SecretboxConfig struct {
|
||||
// keys is a list of keys to be used for creating the Secretbox transformer.
|
||||
// Each key has to be 32 bytes long.
|
||||
Keys []Key `json:"keys"`
|
||||
}
|
||||
|
||||
// Key contains name and secret of the provided key for AES transformer.
|
||||
// Key contains name and secret of the provided key for a transformer.
|
||||
type Key struct {
|
||||
// name is the name of the key to be used while storing data to disk.
|
||||
Name string `json:"name"`
|
||||
// secret is the actual AES key, encoded in base64. It has to be 16, 24 or 32 bytes long.
|
||||
// secret is the actual key, encoded in base64.
|
||||
Secret string `json:"secret"`
|
||||
}
|
||||
|
||||
|
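Review bot: The new comment on `Secret` drops the length requirement without saying where it moved, so a reader of the `Key` type no longer learns that the decoded secret must match the provider: 32 bytes for secretbox and AES-CBC, 16, 24 or 32 bytes for AES-GCM, as the `AESConfig` and `SecretboxConfig` comments in this hunk state. Suggest `// secret is the actual key, encoded in base64. Its decoded length must match the provider's key size; see AESConfig and SecretboxConfig.` Since `Secret` carries raw key material and the struct is JSON-serialisable, the comment is also the right place to state that the value must not be logged or echoed back in error messages.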
@ -23,7 +23,7 @@ import (
|
||||
"k8s.io/apiserver/pkg/storage/value"
|
||||
)
|
||||
|
||||
// encryptIdentityTransformer performs no transformation on provided data, but validates
|
||||
// identityTransformer performs no transformation on provided data, but validates
|
||||
// that the data is not encrypted data during TransformFromStorage
|
||||
type identityTransformer struct{}
|
||||
|
||||
@ -35,7 +35,7 @@ func NewEncryptCheckTransformer() value.Transformer {
|
||||
|
||||
// TransformFromStorage returns the input bytes if the data is not encrypted
|
||||
func (identityTransformer) TransformFromStorage(b []byte, context value.Context) ([]byte, bool, error) {
|
||||
// EncryptIdentityTransformer has to return an error if the data is encoded using another transformer.
|
||||
// identityTransformer has to return an error if the data is encoded using another transformer.
|
||||
// JSON data starts with '{'. Protobuf data has a prefix 'k8s[\x00-\xFF]'.
|
||||
// Prefix 'k8s:enc:' is reserved for encrypted data on disk.
|
||||
if bytes.HasPrefix(b, []byte("k8s:enc:")) {
|
||||
@ -44,7 +44,7 @@ func (identityTransformer) TransformFromStorage(b []byte, context value.Context)
|
||||
return b, false, nil
|
||||
}
|
||||
|
||||
// TransformToStorage implements the Transformer interface for encryptIdentityTransformer
|
||||
// TransformToStorage implements the Transformer interface for identityTransformer
|
||||
func (identityTransformer) TransformToStorage(b []byte, context value.Context) ([]byte, error) {
|
||||
return b, nil
|
||||
}
|
||||
|
@ -145,7 +145,7 @@ func TestRoundTrip(t *testing.T) {
|
||||
context value.Context
|
||||
t value.Transformer
|
||||
}{
|
||||
{name: "GCM 16 byte key", t: NewSecretboxTransformer(key1)},
|
||||
{name: "Secretbox 32 byte key", t: NewSecretboxTransformer(key1)},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
|