From a6368bb04c1100d1dce1c6bf680056882835b395 Mon Sep 17 00:00:00 2001 From: Wu Qiang Date: Mon, 18 Dec 2017 09:29:56 +0000 Subject: [PATCH] Only support unix socket for kms gRPC, also add Version method --- hack/.golint_failures | 1 - .../server/options/encryptionconfig/config.go | 12 +- .../server/options/encryptionconfig/types.go | 18 +- .../pkg/storage/value/encrypt/envelope/BUILD | 7 +- .../value/encrypt/envelope/grpc_service.go | 104 ++++----- .../encrypt/envelope/grpc_service_test.go | 219 ------------------ .../envelope/grpc_service_unix_test.go | 130 +++++++++-- .../value/encrypt/envelope/testdata/ca.crt | 22 -- .../encrypt/envelope/testdata/client.crt | 19 -- .../encrypt/envelope/testdata/client.key | 5 - .../encrypt/envelope/testdata/server.crt | 19 -- .../encrypt/envelope/testdata/server.key | 5 - .../encrypt/envelope/v1beta1/service.pb.go | 197 +++++++++++++--- .../encrypt/envelope/v1beta1/service.proto | 36 ++- 14 files changed, 360 insertions(+), 434 deletions(-) delete mode 100644 staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service_test.go delete mode 100644 staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/ca.crt delete mode 100644 staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/client.crt delete mode 100644 staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/client.key delete mode 100644 staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/server.crt delete mode 100644 staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/server.key diff --git a/hack/.golint_failures b/hack/.golint_failures index 4f14f014fac..19c8badcf11 100644 --- a/hack/.golint_failures +++ b/hack/.golint_failures @@ -605,7 +605,6 @@ staging/src/k8s.io/apiserver/pkg/storage/storagebackend staging/src/k8s.io/apiserver/pkg/storage/testing staging/src/k8s.io/apiserver/pkg/storage/tests staging/src/k8s.io/apiserver/pkg/storage/value -staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1 staging/src/k8s.io/apiserver/pkg/util/feature staging/src/k8s.io/apiserver/pkg/util/flag staging/src/k8s.io/apiserver/pkg/util/proxy diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go index b0c553befcb..650b8a37c36 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go @@ -152,8 +152,7 @@ func GetPrefixTransformers(config *ResourceConfig) ([]value.PrefixTransformer, e } var envelopeService envelope.Service - remoteConfig := provider.KMS.RemoteServer - if remoteConfig == nil { + if len(provider.KMS.ConfigFile) > 0 { // There should be no KMS provider plugins on API server side in future. f, err := os.Open(provider.KMS.ConfigFile) if err != nil { @@ -169,13 +168,8 @@ func GetPrefixTransformers(config *ResourceConfig) ([]value.PrefixTransformer, e return nil, fmt.Errorf("KMS plugin %q not found", provider.KMS.Name) } } else { - // Get gRPC client service with remote config - envelopeService, err = envelope.NewGRPCService( - remoteConfig.Endpoint, - remoteConfig.ServerCACert, - remoteConfig.ClientCert, - remoteConfig.ClientKey, - ) + // Get gRPC client service with endpoint. + envelopeService, err = envelope.NewGRPCService(provider.KMS.Endpoint) if err != nil { return nil, fmt.Errorf("could not configure KMS plugin %q, error: %v", provider.KMS.Name, err) } diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go index 7f37238d9e4..02c604ce272 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go @@ -83,22 +83,6 @@ type KMSConfig struct { CacheSize int `json:"cachesize,omitempty"` // configfile is the path to the configuration file for the named KMS provider. ConfigFile string `json:"configfile"` - // remoteServer is the configuration for connection gRPC server. - RemoteServer *RemoteServerConfig `json:"remoteServer"` -} - -// RemoteServerConfig contains the connection informations that connect remote -// gRPC server for envelope transformer. -type RemoteServerConfig struct { - // gRPC server listen address, for example tcp://localhost:3735, - // unix:///var/run/kmsprovider.sock + // the gRPC server listening address, for example "unix:///var/run/kms-provider.sock". Endpoint string `json:"endpoint"` - - // CACert is the path to a PEM-encoded CA cert file to use to verify the - // gRPC server SSL certificate. - ServerCACert string `json:"serverCACert"` - - // TLS certificate authentication information - ClientCert string `json:"clientCert"` - ClientKey string `json:"clientKey"` } diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/BUILD b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/BUILD index 0f0e568053b..0984fd2088c 100644 --- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/BUILD +++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/BUILD @@ -14,10 +14,10 @@ go_library( ], importpath = "k8s.io/apiserver/pkg/storage/value/encrypt/envelope", deps = [ + "//vendor/github.com/golang/glog:go_default_library", "//vendor/github.com/hashicorp/golang-lru:go_default_library", "//vendor/golang.org/x/net/context:go_default_library", "//vendor/google.golang.org/grpc:go_default_library", - "//vendor/google.golang.org/grpc/credentials:go_default_library", "//vendor/k8s.io/apiserver/pkg/storage/value:go_default_library", "//vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library", ], @@ -27,21 +27,16 @@ go_test( name = "go_default_test", srcs = [ "envelope_test.go", - "grpc_service_test.go", "grpc_service_unix_test.go", ], - data = glob(["testdata/**"]), embed = [":go_default_library"], importpath = "k8s.io/apiserver/pkg/storage/value/encrypt/envelope", deps = [ - "//vendor/golang.org/x/net/context:go_default_library", "//vendor/golang.org/x/sys/unix:go_default_library", "//vendor/google.golang.org/grpc:go_default_library", - "//vendor/google.golang.org/grpc/credentials:go_default_library", "//vendor/k8s.io/apiserver/pkg/storage/value:go_default_library", "//vendor/k8s.io/apiserver/pkg/storage/value/encrypt/aes:go_default_library", "//vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library", - "//vendor/k8s.io/client-go/util/cert:go_default_library", ], ) diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service.go index 17fed2d9afa..8d68a23a3ce 100644 --- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service.go +++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service.go @@ -18,16 +18,14 @@ limitations under the License. package envelope import ( - "crypto/tls" - "crypto/x509" "fmt" - "io/ioutil" "net" "net/url" "time" + "github.com/golang/glog" + "google.golang.org/grpc" - "google.golang.org/grpc/credentials" "golang.org/x/net/context" @@ -35,14 +33,14 @@ import ( ) const ( - // Supportied protocol schema for gRPC. - tcpProtocol = "tcp" + // Now only supportied unix domain socket. unixProtocol = "unix" // Current version for the protocal interface definition. - version = "v1beta1" + kmsapiVersion = "v1beta1" ) +// The gRPC implementation for envelope.Service. type gRPCService struct { // gRPC client instance kmsClient kmsapi.KMSServiceClient @@ -50,7 +48,9 @@ type gRPCService struct { } // NewGRPCService returns an envelope.Service which use gRPC to communicate the remote KMS provider. -func NewGRPCService(endpoint, serverCert, clientCert, clientKey string) (Service, error) { +func NewGRPCService(endpoint string) (Service, error) { + glog.Infof("Configure KMS provider with endpoint: %s", endpoint) + protocol, addr, err := parseEndpoint(endpoint) if err != nil { return nil, err @@ -60,18 +60,20 @@ func NewGRPCService(endpoint, serverCert, clientCert, clientKey string) (Service return net.DialTimeout(protocol, addr, timeout) } - // With or without TLS/SSL support - tlsOption, err := getTLSDialOption(serverCert, clientCert, clientKey) + connection, err := grpc.Dial(addr, grpc.WithInsecure(), grpc.WithDialer(dialer)) if err != nil { - return nil, err + return nil, fmt.Errorf("connect remote KMS provider %q failed, error: %v", addr, err) } - conn, err := grpc.Dial(addr, tlsOption, grpc.WithDialer(dialer)) + kmsClient := kmsapi.NewKMSServiceClient(connection) + + err = checkAPIVersion(kmsClient) if err != nil { - return nil, fmt.Errorf("connect remote image service %s failed, error: %v", addr, err) + connection.Close() + return nil, fmt.Errorf("failed check version for %q, error: %v", addr, err) } - return &gRPCService{kmsClient: kmsapi.NewKMSServiceClient(conn), connection: conn}, nil + return &gRPCService{kmsClient: kmsClient, connection: connection}, nil } // Parse the endpoint to extract schema, host or path. @@ -82,63 +84,35 @@ func parseEndpoint(endpoint string) (string, string, error) { u, err := url.Parse(endpoint) if err != nil { - return "", "", fmt.Errorf("invalid kms provider endpoint %q, error: %v", endpoint, err) + return "", "", fmt.Errorf("invalid endpoint %q for remote KMS provider, error: %v", endpoint, err) } - switch u.Scheme { - case tcpProtocol: - return tcpProtocol, u.Host, nil - case unixProtocol: - return unixProtocol, u.Path, nil - default: - return "", "", fmt.Errorf("invalid endpoint %q for remote KMS provider", endpoint) + if u.Scheme != unixProtocol { + return "", "", fmt.Errorf("unsupported scheme %q for remote KMS provider", u.Scheme) } + return unixProtocol, u.Path, nil } -// Build the TLS/SSL options for gRPC client. -func getTLSDialOption(serverCert, clientCert, clientKey string) (grpc.DialOption, error) { - // No TLS/SSL support. - if len(serverCert) == 0 && len(clientCert) == 0 && len(clientKey) == 0 { - return grpc.WithInsecure(), nil +// Check the KMS provider API version. +// Only matching kubeRuntimeAPIVersion is supported now. +func checkAPIVersion(kmsClient kmsapi.KMSServiceClient) error { + request := &kmsapi.VersionRequest{Version: kmsapiVersion} + response, err := kmsClient.Version(context.Background(), request) + if err != nil { + return fmt.Errorf("failed get version from remote KMS provider: %v", err) + } + if response.Version != kmsapiVersion { + return fmt.Errorf("KMS provider api version %s is not supported, only %s is supported now", + response.Version, kmsapiVersion) } - // Set the CA that verify the certificate from the gRPC server. - certPool := x509.NewCertPool() - if len(serverCert) > 0 { - ca, err := ioutil.ReadFile(serverCert) - if err != nil { - return nil, fmt.Errorf("kms provider invalid server cert, error: %v", err) - } - if !certPool.AppendCertsFromPEM(ca) { - return nil, fmt.Errorf("can't append server cert for kms provider") - } - } - - // Set client authenticate certificate. - certificates := make([]tls.Certificate, 0, 1) - if len(clientCert) != 0 || len(clientKey) != 0 { - if len(clientCert) == 0 || len(clientKey) == 0 { - return nil, fmt.Errorf("both client cert and key must be provided for kms provider") - } - - cert, err := tls.LoadX509KeyPair(clientCert, clientKey) - if err != nil { - return nil, fmt.Errorf("kms provider invalid client cert or key, error: %v", err) - } - certificates = append(certificates, cert) - } - - tlsConfig := tls.Config{ - Certificates: certificates, - RootCAs: certPool, - } - transportCreds := credentials.NewTLS(&tlsConfig) - return grpc.WithTransportCredentials(transportCreds), nil + glog.Infof("KMS provider %s initialized, version: %s", response.RuntimeName, response.RuntimeVersion) + return nil } // Decrypt a given data string to obtain the original byte data. -func (g *gRPCService) Decrypt(cipher string) ([]byte, error) { - request := &kmsapi.DecryptRequest{Cipher: []byte(cipher), Version: version} +func (g *gRPCService) Decrypt(cipher []byte) ([]byte, error) { + request := &kmsapi.DecryptRequest{Cipher: cipher, Version: kmsapiVersion} response, err := g.kmsClient.Decrypt(context.Background(), request) if err != nil { return nil, err @@ -147,11 +121,11 @@ func (g *gRPCService) Decrypt(cipher string) ([]byte, error) { } // Encrypt bytes to a string ciphertext. -func (g *gRPCService) Encrypt(plain []byte) (string, error) { - request := &kmsapi.EncryptRequest{Plain: plain, Version: version} +func (g *gRPCService) Encrypt(plain []byte) ([]byte, error) { + request := &kmsapi.EncryptRequest{Plain: plain, Version: kmsapiVersion} response, err := g.kmsClient.Encrypt(context.Background(), request) if err != nil { - return "", err + return nil, err } - return string(response.Cipher), nil + return response.Cipher, nil } diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service_test.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service_test.go deleted file mode 100644 index c4ff79ba204..00000000000 --- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service_test.go +++ /dev/null @@ -1,219 +0,0 @@ -/* -Copyright 2017 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Package envelope transforms values for storage at rest using a Envelope provider -package envelope - -import ( - "crypto/tls" - "encoding/base64" - "fmt" - "net" - "reflect" - "testing" - - "google.golang.org/grpc" - "google.golang.org/grpc/credentials" - - "golang.org/x/net/context" - kmsapi "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1" - "k8s.io/client-go/util/cert" -) - -const ( - // Port 0 to select any available port - listenerAddr = "127.0.0.1:0" - - cafile = "testdata/ca.crt" - serverCert = "testdata/server.crt" - serverKey = "testdata/server.key" - clientCert = "testdata/client.crt" - clientKey = "testdata/client.key" -) - -func TestTCPEndpoint(t *testing.T) { - // Start the gRPC server that listens on tcp socket. - listener, err := tcpListner() - if err != nil { - t.Fatal(err) - } - - server := startTestKMSProvider(listener) - defer server.Stop() - - endpoint := tcpProtocol + "://" + listener.Addr().String() - verifyService(t, endpoint, "", "", "") -} - -func TestTLSEndpoint(t *testing.T) { - // Start the gRPC server that listens on tcp socket. - listener, err := tcpListner() - if err != nil { - t.Fatal(err) - } - - tlsOption, err := tlsServerOption() - if err != nil { - t.Fatal(err) - } - - server := startTestKMSProvider(listener, tlsOption) - defer server.Stop() - - // There are 2 TLS case: no auth and client auth. - endpoint := tcpProtocol + "://" + listener.Addr().String() - certConfigs := []struct { - name string - serverCACert string - clientCert string - clientKey string - }{ - {"noAuth", cafile, "", ""}, - {"clientAuth", cafile, clientCert, clientKey}, - } - for _, testCase := range certConfigs { - t.Run(testCase.name, func(t *testing.T) { - verifyService(t, endpoint, testCase.serverCACert, testCase.clientCert, testCase.clientKey) - }) - } -} - -func TestInvalidConfiguration(t *testing.T) { - // Start the gRPC server that listens on tcp socket. - listener, err := tcpListner() - if err != nil { - t.Fatal(err) - } - - tlsOption, err := tlsServerOption() - if err != nil { - t.Fatal(err) - } - - server := startTestKMSProvider(listener, tlsOption) - defer server.Stop() - endpoint := tcpProtocol + "://" + listener.Addr().String() - - invalidConfigs := []struct { - name string - endpoint string - serverCACert string - clientCert string - clientKey string - }{ - {"emptyConfiguration", "", "", "", ""}, - {"invalidEndpoint", "http://localhost:80", "", "", ""}, - {"invalidServerCACert", endpoint, "non-exits.pem", "", ""}, - {"missClientKey", endpoint, cafile, clientCert, ""}, - {"invalidClientCert", endpoint, cafile, "non-exists.pem", clientKey}, - } - - for _, testCase := range invalidConfigs { - t.Run(testCase.name, func(t *testing.T) { - _, err := NewGRPCService( - testCase.endpoint, - testCase.serverCACert, - testCase.clientCert, - testCase.clientKey, - ) - if err == nil { - t.Fatalf("should fail to create envelope service for %s.", testCase.name) - } - }) - } -} - -func verifyService(t *testing.T, endpoint, serverCACert, clientCert, clientKey string) { - service, err := NewGRPCService(endpoint, serverCACert, clientCert, clientKey) - if err != nil { - t.Fatalf("failed to create envelope service, error: %v", err) - } - defer destroyService(service) - - data := []byte("test data") - cipher, err := service.Encrypt(data) - if err != nil { - t.Fatalf("failed when execute encrypt, error: %v", err) - } - - result, err := service.Decrypt(cipher) - if err != nil { - t.Fatalf("failed when execute decrypt, error: %v", err) - } - - if !reflect.DeepEqual(data, result) { - t.Errorf("expect: %v, but: %v", data, result) - } -} - -func destroyService(service Service) { - gs := service.(*gRPCService) - gs.connection.Close() -} - -func tcpListner() (net.Listener, error) { - listener, err := net.Listen(tcpProtocol, listenerAddr) - if err != nil { - return nil, fmt.Errorf("failed to listen on the tcp address, error: %v", err) - } - - return listener, nil -} - -func startTestKMSProvider(listener net.Listener, options ...grpc.ServerOption) *grpc.Server { - server := grpc.NewServer(options...) - kmsapi.RegisterKMSServiceServer(server, &base64Server{}) - go server.Serve(listener) - return server -} - -func tlsServerOption() (grpc.ServerOption, error) { - certificate, err := tls.LoadX509KeyPair(serverCert, serverKey) - if err != nil { - return nil, fmt.Errorf("bad server cert or key, error: %v", err) - } - - certPool, err := cert.NewPool(cafile) - if err != nil { - return nil, fmt.Errorf("bad ca file, error: %v", err) - } - - tlsConfig := &tls.Config{ - ClientAuth: tls.VerifyClientCertIfGiven, - Certificates: []tls.Certificate{certificate}, - ClientCAs: certPool, - } - return grpc.Creds(credentials.NewTLS(tlsConfig)), nil -} - -// Fake gRPC sever for remote KMS provider. -type base64Server struct{} - -func (b *base64Server) Decrypt(ctx context.Context, request *kmsapi.DecryptRequest) (*kmsapi.DecryptResponse, error) { - buf := make([]byte, base64.StdEncoding.DecodedLen(len(request.Cipher))) - n, err := base64.StdEncoding.Decode(buf, request.Cipher) - if err != nil { - return nil, err - } - - return &kmsapi.DecryptResponse{Plain: buf[:n]}, nil -} - -func (b *base64Server) Encrypt(ctx context.Context, request *kmsapi.EncryptRequest) (*kmsapi.EncryptResponse, error) { - buf := make([]byte, base64.StdEncoding.EncodedLen(len(request.Plain))) - base64.StdEncoding.Encode(buf, request.Plain) - return &kmsapi.EncryptResponse{Cipher: buf}, nil -} diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service_unix_test.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service_unix_test.go index befcb3e297b..500078cb252 100644 --- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service_unix_test.go +++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service_unix_test.go @@ -20,38 +20,100 @@ limitations under the License. package envelope import ( + "context" + "encoding/base64" "fmt" "net" "os" + "reflect" "testing" + "google.golang.org/grpc" + "golang.org/x/sys/unix" + + kmsapi "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1" ) const ( sockFile = "/tmp/kms-provider.sock" ) -func TestUnixSockEndpoint(t *testing.T) { - // Start the gRPC server that listens on unix socket. - listener, err := unixSockListner() +// Normal encryption and decryption operation. +func TestGRPCService(t *testing.T) { + // Start a test gRPC server. + server, err := startTestKMSProvider() if err != nil { - t.Fatal(err) + t.Fatalf("failed to start test KMS provider server, error: %v", err) + } + defer stopTestKMSProvider(server) + + // Create the gRPC client service. + endpoint := unixProtocol + "://" + sockFile + service, err := NewGRPCService(endpoint) + if err != nil { + t.Fatalf("failed to create envelope service, error: %v", err) + } + defer destroyService(service) + + // Call service to encrypt data. + data := []byte("test data") + cipher, err := service.Encrypt(data) + if err != nil { + t.Fatalf("failed when execute encrypt, error: %v", err) } - server := startTestKMSProvider(listener) - defer func() { - server.Stop() - if err := cleanSockFile(); err != nil { - t.Fatal(err) - } - }() + // Call service to decrypt data. + result, err := service.Decrypt(cipher) + if err != nil { + t.Fatalf("failed when execute decrypt, error: %v", err) + } - endpoint := unixProtocol + "://" + sockFile - verifyService(t, endpoint, "", "", "") + if !reflect.DeepEqual(data, result) { + t.Errorf("expect: %v, but: %v", data, result) + } } -func unixSockListner() (net.Listener, error) { +func destroyService(service Service) { + s := service.(*gRPCService) + s.connection.Close() +} + +// Test all those invalid configuration for KMS provider. +func TestInvalidConfiguration(t *testing.T) { + // Start a test gRPC server. + server, err := startTestKMSProvider() + if err != nil { + t.Fatalf("failed to start test KMS provider server, error: %v", err) + } + defer stopTestKMSProvider(server) + + invalidConfigs := []struct { + name string + apiVersion string + endpoint string + }{ + {"emptyConfiguration", kmsapiVersion, ""}, + {"invalidScheme", kmsapiVersion, "tcp://localhost:6060"}, + {"unavailableEndpoint", kmsapiVersion, unixProtocol + "://" + sockFile + ".nonexist"}, + {"invalidAPIVersion", "invalidVersion", unixProtocol + "://" + sockFile}, + } + + for _, testCase := range invalidConfigs { + t.Run(testCase.name, func(t *testing.T) { + setAPIVersion(testCase.apiVersion) + defer setAPIVersion(kmsapiVersion) + + _, err := NewGRPCService(testCase.endpoint) + if err == nil { + t.Fatalf("should fail to create envelope service for %s.", testCase.name) + } + }) + } +} + +// Start the gRPC server that listens on unix socket. +func startTestKMSProvider() (*grpc.Server, error) { if err := cleanSockFile(); err != nil { return nil, err } @@ -61,7 +123,15 @@ func unixSockListner() (net.Listener, error) { return nil, fmt.Errorf("failed to listen on the unix socket, error: %v", err) } - return listener, nil + server := grpc.NewServer() + kmsapi.RegisterKMSServiceServer(server, &base64Server{}) + go server.Serve(listener) + return server, nil +} + +func stopTestKMSProvider(server *grpc.Server) { + server.Stop() + cleanSockFile() } func cleanSockFile() error { @@ -71,3 +141,33 @@ func cleanSockFile() error { } return nil } + +// Fake gRPC sever for remote KMS provider. +// Use base64 to simulate encrypt and decrypt. +type base64Server struct{} + +var testProviderAPIVersion = kmsapiVersion + +func setAPIVersion(apiVersion string) { + testProviderAPIVersion = apiVersion +} + +func (s *base64Server) Version(ctx context.Context, request *kmsapi.VersionRequest) (*kmsapi.VersionResponse, error) { + return &kmsapi.VersionResponse{Version: testProviderAPIVersion, RuntimeName: "testKMS", RuntimeVersion: "0.0.1"}, nil +} + +func (s *base64Server) Decrypt(ctx context.Context, request *kmsapi.DecryptRequest) (*kmsapi.DecryptResponse, error) { + buf := make([]byte, base64.StdEncoding.DecodedLen(len(request.Cipher))) + n, err := base64.StdEncoding.Decode(buf, request.Cipher) + if err != nil { + return nil, err + } + + return &kmsapi.DecryptResponse{Plain: buf[:n]}, nil +} + +func (s *base64Server) Encrypt(ctx context.Context, request *kmsapi.EncryptRequest) (*kmsapi.EncryptResponse, error) { + buf := make([]byte, base64.StdEncoding.EncodedLen(len(request.Plain))) + base64.StdEncoding.Encode(buf, request.Plain) + return &kmsapi.EncryptResponse{Cipher: buf}, nil +} diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/ca.crt b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/ca.crt deleted file mode 100644 index d1218631f6e..00000000000 --- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/ca.crt +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDujCCAqKgAwIBAgIUASbBmHT/Y+wdxggFudEoKKgLXsYwDQYJKoZIhvcNAQEL -BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV -BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV -bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzA3MTcwNTMzMDBaFw0yMjA3 -MTYwNTMzMDBaMHUxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1TYW4gRnJhbmNpc2Nv -MQswCQYDVQQHEwJDQTEYMBYGA1UEChMPTXkgQ29tcGFueSBOYW1lMRMwEQYDVQQL -EwpPcmcgVW5pdCAyMRIwEAYDVQQDEwlNeSBvd24gQ0EwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQC4c79AZIRgUjiE4ekjISLYw0nAH7c9FJf6+U22xwLe -X4Yc3uy94Md1lNhYyvNdba6qLLBKqThYCZYsXK2ZPRnmScYHS/edTmzhZ79tSXUA -+R0YJZK00taWyRCZm2tCgXWdWNebrDBwGL+b2P1bButw81CQVYzPQnZiTnnAOUMt -6qbMxGDXRhNydKGx43QtBuRWHS6wjJEjI50dGK8RBWDupBQrEQzaFt9gU3grTPlh -RWvClrM7LU3A1Ymz3Eq6l4tQhcUXSS3JJVhOLrvh4wujJv/tmIzYylrp7gbUvEYn -PW46UZHKrUM8tNthgTnvcychk73+ZZMoWIj5hsne0mTrAgMBAAGjQjBAMA4GA1Ud -DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBShLj7pyAcfeLfB -l6vyHo5uvY5WnjANBgkqhkiG9w0BAQsFAAOCAQEAUK7jmNOHmTs58f9fIj6hGppt -Lz/l5+C6KA+1P03cdo+KgQb6MnzvKmhGFHD4QM0envHilHBRNO7VWgA7PuO2JtY1 -NwWQfLoyWcft3OXLmJdWcUI9Che/UWFSxCmxC3U+Cb4+4bNq3j+ygt1T6/I9aTTo -/ymS8H+dXF4n69psY591PA8QeUbaQwc5SEWtIont/XWoq+NwXsrNYglPFzGiaoO6 -gF52I3Z0o0fCHtnOIhBDwrOr7oPJy/SEo49WdnxtG5FcN7qNBvFET7/gOI8TxJMr -gTW3G6jSTjBA8sEIhD4k4LOXxWGWwemP6I/LI849/uKd+DoqKjr5Y/BQvcLy+g== ------END CERTIFICATE----- diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/client.crt b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/client.crt deleted file mode 100644 index 1a01abb51f7..00000000000 --- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/client.crt +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDCzCCAfOgAwIBAgIUHqXu3n2P44f2JjHIKPV0m41URRowDQYJKoZIhvcNAQEL -BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV -BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV -bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzA3MTcwNTQ1MDBaFw0yMjA3 -MTYwNTQ1MDBaMEYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN -U2FuIEZyYW5jaXNjbzESMBAGA1UEAxMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYI -KoZIzj0DAQcDQgAE1na/uyZ4Za0+8letub+cQyqoz40NdouSbxcmb/EEv/rtPMmz -A3u+F8LeXt4SI2+ndQbL0DvpFAOBjJejb3jlfKOBjDCBiTAOBgNVHQ8BAf8EBAMC -BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU -856v+uMt0F4cgO0dk2k6HpaEa+IwHwYDVR0jBBgwFoAUoS4+6cgHH3i3wZer8h6O -br2OVp4wFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQBt -5uNxxxhWFCGlGBrVr2J2KA2IJ3thoMSn6lV9/qU2KMBBYneHHE0FG/ubrP9urQhI -KGPwXsfOdS3iuABOBziiuge9iQisHVWQuNEOtbINbdau2ZLsB2BKKAPit1xG+8gn -7leSvyurcpXPc6QuPHCP5hI081y3w+1H4IUDF0qXoi0jYC/BDwl+lk8yHGFQReu2 -33QdhjXr9Wd20XBO8TJ3oQcAezYvb9bJFDgOkUEhSmMVf86YX0QkuphDvuuU3hQC -S4vVpIzM7xoH3xkvXgOMeReLV1df3J3iHyADhUWiS1RNskymGhFmUumlNUPimhUc -E0wqi62pL+kxg1zjXdXY ------END CERTIFICATE----- diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/client.key b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/client.key deleted file mode 100644 index da8ab3348f8..00000000000 --- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/client.key +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEINjBFDLQH8NJxn/DBF1lOm92fbx2QGkpfWwwADcPE5p7oAoGCCqGSM49 -AwEHoUQDQgAE1na/uyZ4Za0+8letub+cQyqoz40NdouSbxcmb/EEv/rtPMmzA3u+ -F8LeXt4SI2+ndQbL0DvpFAOBjJejb3jlfA== ------END EC PRIVATE KEY----- diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/server.crt b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/server.crt deleted file mode 100644 index fdcf3fffa2f..00000000000 --- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/server.crt +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDETCCAfmgAwIBAgIUU5D4PeHC+zpmc/jwwa2c/6aHPbowDQYJKoZIhvcNAQEL -BQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lzY28xCzAJBgNV -BAcTAkNBMRgwFgYDVQQKEw9NeSBDb21wYW55IE5hbWUxEzARBgNVBAsTCk9yZyBV -bml0IDIxEjAQBgNVBAMTCU15IG93biBDQTAeFw0xNzA3MTcwNTM3MDBaFw0yMjA3 -MTYwNTM3MDBaMEYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN -U2FuIEZyYW5jaXNjbzESMBAGA1UEAxMJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYI -KoZIzj0DAQcDQgAEd2CnjPbDOHsbR6CcMhzktDsBrRZAaLjpC/9IHtPH+ivDrey8 -jJzZnD+9aLp5E/QG5Rf1tzKDH+oRatQ43mViHKOBkjCBjzAOBgNVHQ8BAf8EBAMC -BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU -rkKlAy9PqK+TrUqApq4BVBSQgNQwHwYDVR0jBBgwFoAUoS4+6cgHH3i3wZer8h6O -br2OVp4wGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUA -A4IBAQCikDXkrB4dw8zBrkIA6plgdcgVm1zJbRDhjAVHxHlh/ISPP7Zu9faLmlEN -GC0KK1AmQQciCyoI84VoBQ5WMtyMfbEn0klJ4OOtGwMZtZfgWSD0LX9APIZEU9WH -nvjLLCHkxbq/cf01pAYIlyBhI5vl7/m8b1xVYarKcb2/Homr8guTzRSyJb0Gmeoo -vdiGIhHhvP186OGzOOQVlorZ/WWJTlhXviGJ0QWARthUi+wEHRhJ+STH2VtOrKhb -4tvG0/G9mYK1LOIbZesHtF9C35XThkh/W/rKRWe6/J8pOYh/vFB/aQL73HPvIcpD -tcmR7635hb+42P7raby70UC7nLWf ------END CERTIFICATE----- diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/server.key b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/server.key deleted file mode 100644 index fad778e5adc..00000000000 --- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/testdata/server.key +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIN18H0TgTgqfYWVn2BtQym4mUfICD4XcuWE+nhn+fxSeoAoGCCqGSM49 -AwEHoUQDQgAEd2CnjPbDOHsbR6CcMhzktDsBrRZAaLjpC/9IHtPH+ivDrey8jJzZ -nD+9aLp5E/QG5Rf1tzKDH+oRatQ43mViHA== ------END EC PRIVATE KEY----- diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.pb.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.pb.go index e2c13de9798..118d2e72faa 100644 --- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.pb.go +++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.pb.go @@ -14,9 +14,8 @@ See the License for the specific language governing permissions and limitations under the License. */ -// Code generated by protoc-gen-go. +// Code generated by protoc-gen-go. DO NOT EDIT. // source: service.proto -// DO NOT EDIT! /* Package v1beta1 is a generated protocol buffer package. @@ -25,6 +24,8 @@ It is generated from these files: service.proto It has these top-level messages: + VersionRequest + VersionResponse DecryptRequest DecryptResponse EncryptRequest @@ -52,47 +53,147 @@ var _ = math.Inf // proto package needs to be updated. const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package +type VersionRequest struct { + // Version of the KMS plugin API. + Version string `protobuf:"bytes,1,opt,name=version" json:"version,omitempty"` +} + +func (m *VersionRequest) Reset() { *m = VersionRequest{} } +func (m *VersionRequest) String() string { return proto.CompactTextString(m) } +func (*VersionRequest) ProtoMessage() {} +func (*VersionRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} } + +func (m *VersionRequest) GetVersion() string { + if m != nil { + return m.Version + } + return "" +} + +type VersionResponse struct { + // Version of the KMS plugin API. + Version string `protobuf:"bytes,1,opt,name=version" json:"version,omitempty"` + // Name of the KMS provider. + RuntimeName string `protobuf:"bytes,2,opt,name=runtime_name,json=runtimeName" json:"runtime_name,omitempty"` + // Version of the KMS provider. The string must be semver-compatible. + RuntimeVersion string `protobuf:"bytes,3,opt,name=runtime_version,json=runtimeVersion" json:"runtime_version,omitempty"` +} + +func (m *VersionResponse) Reset() { *m = VersionResponse{} } +func (m *VersionResponse) String() string { return proto.CompactTextString(m) } +func (*VersionResponse) ProtoMessage() {} +func (*VersionResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} } + +func (m *VersionResponse) GetVersion() string { + if m != nil { + return m.Version + } + return "" +} + +func (m *VersionResponse) GetRuntimeName() string { + if m != nil { + return m.RuntimeName + } + return "" +} + +func (m *VersionResponse) GetRuntimeVersion() string { + if m != nil { + return m.RuntimeVersion + } + return "" +} + type DecryptRequest struct { - Cipher []byte `protobuf:"bytes,1,opt,name=cipher,proto3" json:"cipher,omitempty"` - // Version of the KMS plugin API, now use “v1beta1” - Version string `protobuf:"bytes,2,opt,name=version" json:"version,omitempty"` + // Version of the KMS plugin API. + Version string `protobuf:"bytes,1,opt,name=version" json:"version,omitempty"` + // The data to be decrypted. + Cipher []byte `protobuf:"bytes,2,opt,name=cipher,proto3" json:"cipher,omitempty"` } func (m *DecryptRequest) Reset() { *m = DecryptRequest{} } func (m *DecryptRequest) String() string { return proto.CompactTextString(m) } func (*DecryptRequest) ProtoMessage() {} -func (*DecryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} } +func (*DecryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} } + +func (m *DecryptRequest) GetVersion() string { + if m != nil { + return m.Version + } + return "" +} + +func (m *DecryptRequest) GetCipher() []byte { + if m != nil { + return m.Cipher + } + return nil +} type DecryptResponse struct { + // The decrypted data. Plain []byte `protobuf:"bytes,1,opt,name=plain,proto3" json:"plain,omitempty"` } func (m *DecryptResponse) Reset() { *m = DecryptResponse{} } func (m *DecryptResponse) String() string { return proto.CompactTextString(m) } func (*DecryptResponse) ProtoMessage() {} -func (*DecryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} } +func (*DecryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} } + +func (m *DecryptResponse) GetPlain() []byte { + if m != nil { + return m.Plain + } + return nil +} type EncryptRequest struct { - Plain []byte `protobuf:"bytes,1,opt,name=plain,proto3" json:"plain,omitempty"` - // Version of the KMS plugin API, now use “v1beta1” - Version string `protobuf:"bytes,2,opt,name=version" json:"version,omitempty"` + // Version of the KMS plugin API. + Version string `protobuf:"bytes,1,opt,name=version" json:"version,omitempty"` + // The data to be encrypted. + Plain []byte `protobuf:"bytes,2,opt,name=plain,proto3" json:"plain,omitempty"` } func (m *EncryptRequest) Reset() { *m = EncryptRequest{} } func (m *EncryptRequest) String() string { return proto.CompactTextString(m) } func (*EncryptRequest) ProtoMessage() {} -func (*EncryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} } +func (*EncryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{4} } + +func (m *EncryptRequest) GetVersion() string { + if m != nil { + return m.Version + } + return "" +} + +func (m *EncryptRequest) GetPlain() []byte { + if m != nil { + return m.Plain + } + return nil +} type EncryptResponse struct { + // The encrypted data. Cipher []byte `protobuf:"bytes,1,opt,name=cipher,proto3" json:"cipher,omitempty"` } func (m *EncryptResponse) Reset() { *m = EncryptResponse{} } func (m *EncryptResponse) String() string { return proto.CompactTextString(m) } func (*EncryptResponse) ProtoMessage() {} -func (*EncryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} } +func (*EncryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{5} } + +func (m *EncryptResponse) GetCipher() []byte { + if m != nil { + return m.Cipher + } + return nil +} func init() { + proto.RegisterType((*VersionRequest)(nil), "v1beta1.VersionRequest") + proto.RegisterType((*VersionResponse)(nil), "v1beta1.VersionResponse") proto.RegisterType((*DecryptRequest)(nil), "v1beta1.DecryptRequest") proto.RegisterType((*DecryptResponse)(nil), "v1beta1.DecryptResponse") proto.RegisterType((*EncryptRequest)(nil), "v1beta1.EncryptRequest") @@ -110,7 +211,11 @@ const _ = grpc.SupportPackageIsVersion4 // Client API for KMSService service type KMSServiceClient interface { + // Version returns the runtime name and runtime version. + Version(ctx context.Context, in *VersionRequest, opts ...grpc.CallOption) (*VersionResponse, error) + // Execute decryption operation in KMS provider. Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) + // Execute encryption operation in KMS provider. Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error) } @@ -122,6 +227,15 @@ func NewKMSServiceClient(cc *grpc.ClientConn) KMSServiceClient { return &kMSServiceClient{cc} } +func (c *kMSServiceClient) Version(ctx context.Context, in *VersionRequest, opts ...grpc.CallOption) (*VersionResponse, error) { + out := new(VersionResponse) + err := grpc.Invoke(ctx, "/v1beta1.KMSService/Version", in, out, c.cc, opts...) + if err != nil { + return nil, err + } + return out, nil +} + func (c *kMSServiceClient) Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) { out := new(DecryptResponse) err := grpc.Invoke(ctx, "/v1beta1.KMSService/Decrypt", in, out, c.cc, opts...) @@ -143,7 +257,11 @@ func (c *kMSServiceClient) Encrypt(ctx context.Context, in *EncryptRequest, opts // Server API for KMSService service type KMSServiceServer interface { + // Version returns the runtime name and runtime version. + Version(context.Context, *VersionRequest) (*VersionResponse, error) + // Execute decryption operation in KMS provider. Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error) + // Execute encryption operation in KMS provider. Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error) } @@ -151,6 +269,24 @@ func RegisterKMSServiceServer(s *grpc.Server, srv KMSServiceServer) { s.RegisterService(&_KMSService_serviceDesc, srv) } +func _KMSService_Version_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(VersionRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(KMSServiceServer).Version(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/v1beta1.KMSService/Version", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(KMSServiceServer).Version(ctx, req.(*VersionRequest)) + } + return interceptor(ctx, in, info, handler) +} + func _KMSService_Decrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(DecryptRequest) if err := dec(in); err != nil { @@ -191,6 +327,10 @@ var _KMSService_serviceDesc = grpc.ServiceDesc{ ServiceName: "v1beta1.KMSService", HandlerType: (*KMSServiceServer)(nil), Methods: []grpc.MethodDesc{ + { + MethodName: "Version", + Handler: _KMSService_Version_Handler, + }, { MethodName: "Decrypt", Handler: _KMSService_Decrypt_Handler, @@ -207,18 +347,23 @@ var _KMSService_serviceDesc = grpc.ServiceDesc{ func init() { proto.RegisterFile("service.proto", fileDescriptor0) } var fileDescriptor0 = []byte{ - // 207 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x2d, 0x4e, 0x2d, 0x2a, - 0xcb, 0x4c, 0x4e, 0xd5, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x62, 0x2f, 0x33, 0x4c, 0x4a, 0x2d, - 0x49, 0x34, 0x54, 0x72, 0xe2, 0xe2, 0x73, 0x49, 0x4d, 0x2e, 0xaa, 0x2c, 0x28, 0x09, 0x4a, 0x2d, - 0x2c, 0x4d, 0x2d, 0x2e, 0x11, 0x12, 0xe3, 0x62, 0x4b, 0xce, 0x2c, 0xc8, 0x48, 0x2d, 0x92, 0x60, - 0x54, 0x60, 0xd4, 0xe0, 0x09, 0x82, 0xf2, 0x84, 0x24, 0xb8, 0xd8, 0xcb, 0x52, 0x8b, 0x8a, 0x33, - 0xf3, 0xf3, 0x24, 0x98, 0x14, 0x18, 0x35, 0x38, 0x83, 0x60, 0x5c, 0x25, 0x75, 0x2e, 0x7e, 0xb8, - 0x19, 0xc5, 0x05, 0xf9, 0x79, 0xc5, 0xa9, 0x42, 0x22, 0x5c, 0xac, 0x05, 0x39, 0x89, 0x99, 0x79, - 0x50, 0x33, 0x20, 0x1c, 0x25, 0x07, 0x2e, 0x3e, 0xd7, 0x3c, 0x14, 0xcb, 0xb0, 0xaa, 0xc3, 0x63, - 0x95, 0x26, 0x17, 0x3f, 0xdc, 0x04, 0xa8, 0x55, 0x38, 0xdc, 0x6b, 0xd4, 0xc3, 0xc8, 0xc5, 0xe5, - 0xed, 0x1b, 0x1c, 0x0c, 0xf1, 0xb7, 0x90, 0x1d, 0x17, 0x3b, 0xd4, 0x91, 0x42, 0xe2, 0x7a, 0x50, - 0xdf, 0xeb, 0xa1, 0x7a, 0x5d, 0x4a, 0x02, 0x53, 0x02, 0x62, 0x89, 0x12, 0x03, 0x48, 0x3f, 0xd4, - 0x66, 0x24, 0xfd, 0xa8, 0xbe, 0x41, 0xd2, 0x8f, 0xe6, 0x48, 0x25, 0x86, 0x24, 0x36, 0x70, 0xc0, - 0x1b, 0x03, 0x02, 0x00, 0x00, 0xff, 0xff, 0xd2, 0x95, 0x8d, 0x5c, 0x89, 0x01, 0x00, 0x00, + // 279 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x52, 0xcd, 0x4a, 0xc4, 0x30, + 0x10, 0xde, 0xae, 0xb8, 0xc5, 0xb1, 0xb6, 0x10, 0x44, 0x8b, 0x27, 0xcd, 0x65, 0xd5, 0x43, 0x61, + 0xf5, 0x2e, 0x22, 0x7a, 0x12, 0x3d, 0x74, 0xc1, 0xab, 0x74, 0xcb, 0x80, 0x01, 0x9b, 0xc6, 0x24, + 0x5b, 0xf1, 0x1d, 0x7d, 0x28, 0xb1, 0x99, 0xd6, 0xb4, 0x22, 0xee, 0x71, 0x26, 0xdf, 0xdf, 0xcc, + 0x04, 0xf6, 0x0c, 0xea, 0x46, 0x94, 0x98, 0x29, 0x5d, 0xdb, 0x9a, 0x85, 0xcd, 0x62, 0x85, 0xb6, + 0x58, 0xf0, 0x73, 0x88, 0x9f, 0x50, 0x1b, 0x51, 0xcb, 0x1c, 0xdf, 0xd6, 0x68, 0x2c, 0x4b, 0x21, + 0x6c, 0x5c, 0x27, 0x0d, 0x8e, 0x83, 0xd3, 0x9d, 0xbc, 0x2b, 0xf9, 0x3b, 0x24, 0x3d, 0xd6, 0xa8, + 0x5a, 0x1a, 0xfc, 0x1b, 0xcc, 0x4e, 0x20, 0xd2, 0x6b, 0x69, 0x45, 0x85, 0xcf, 0xb2, 0xa8, 0x30, + 0x9d, 0xb6, 0xcf, 0xbb, 0xd4, 0x7b, 0x2c, 0x2a, 0x64, 0x73, 0x48, 0x3a, 0x48, 0x27, 0xb2, 0xd5, + 0xa2, 0x62, 0x6a, 0x93, 0x1b, 0xbf, 0x81, 0xf8, 0x16, 0x4b, 0xfd, 0xa1, 0xec, 0xbf, 0x21, 0xd9, + 0x01, 0xcc, 0x4a, 0xa1, 0x5e, 0x50, 0xb7, 0x8e, 0x51, 0x4e, 0x15, 0x9f, 0x43, 0xd2, 0x6b, 0x50, + 0xf8, 0x7d, 0xd8, 0x56, 0xaf, 0x85, 0x70, 0x12, 0x51, 0xee, 0x0a, 0x7e, 0x0d, 0xf1, 0x9d, 0xdc, + 0xd0, 0xac, 0x57, 0x98, 0xfa, 0x0a, 0x67, 0x90, 0xf4, 0x0a, 0x64, 0xf5, 0x93, 0x2a, 0xf0, 0x53, + 0x5d, 0x7c, 0x06, 0x00, 0xf7, 0x0f, 0xcb, 0xa5, 0x3b, 0x0e, 0xbb, 0x82, 0x90, 0x66, 0x66, 0x87, + 0x19, 0x9d, 0x28, 0x1b, 0xde, 0xe7, 0x28, 0xfd, 0xfd, 0xe0, 0x4c, 0xf8, 0xe4, 0x9b, 0x4f, 0x43, + 0x7a, 0xfc, 0xe1, 0xea, 0x3c, 0xfe, 0x68, 0x1f, 0x8e, 0x4f, 0xc9, 0x3d, 0xfe, 0x70, 0x1b, 0x1e, + 0x7f, 0x34, 0x24, 0x9f, 0xac, 0x66, 0xed, 0xef, 0xba, 0xfc, 0x0a, 0x00, 0x00, 0xff, 0xff, 0x28, + 0x69, 0xfc, 0xea, 0x6e, 0x02, 0x00, 0x00, } diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.proto b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.proto index 68b5bd0a091..489ff5f8308 100644 --- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.proto +++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1/service.proto @@ -2,28 +2,52 @@ syntax = "proto3"; package v1beta1; +// This service defines the public APIs for remote KMS provider. service KMSService { + // Version returns the runtime name and runtime version of the KMS provider. + rpc Version(VersionRequest) returns (VersionResponse) {} + + // Execute decryption operation in KMS provider. rpc Decrypt(DecryptRequest) returns (DecryptResponse) {} + // Execute encryption operation in KMS provider. rpc Encrypt(EncryptRequest) returns (EncryptResponse) {} } +message VersionRequest { + // Version of the KMS plugin API. + string version = 1; +} + +message VersionResponse { + // Version of the KMS plugin API. + string version = 1; + // Name of the KMS provider. + string runtime_name = 2; + // Version of the KMS provider. The string must be semver-compatible. + string runtime_version = 3; +} + message DecryptRequest { - bytes cipher = 1; - // Version of the KMS plugin API, now use “v1beta1” - string version = 2; + // Version of the KMS plugin API. + string version = 1; + // The data to be decrypted. + bytes cipher = 2; } message DecryptResponse { + // The decrypted data. bytes plain = 1; } message EncryptRequest { - bytes plain = 1; - // Version of the KMS plugin API, now use “v1beta1” - string version = 2; + // Version of the KMS plugin API. + string version = 1; + // The data to be encrypted. + bytes plain = 2; } message EncryptResponse { + // The encrypted data. bytes cipher = 1; }