Merge pull request #126698 from enj/enj/i/del_kms_v2_gates
Remove KMSv2 and KMSv2KDF feature gates
commit
cd5f208315
@ -1274,10 +1274,6 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
|
|||||||
|
|
||||||
genericfeatures.KMSv1: {Default: false, PreRelease: featuregate.Deprecated},
|
genericfeatures.KMSv1: {Default: false, PreRelease: featuregate.Deprecated},
|
||||||
|
|
||||||
genericfeatures.KMSv2: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.31
|
|
||||||
|
|
||||||
genericfeatures.KMSv2KDF: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.31
|
|
||||||
|
|
||||||
genericfeatures.MutatingAdmissionPolicy: {Default: false, PreRelease: featuregate.Alpha},
|
genericfeatures.MutatingAdmissionPolicy: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
|
|
||||||
genericfeatures.OpenAPIEnums: {Default: true, PreRelease: featuregate.Beta},
|
genericfeatures.OpenAPIEnums: {Default: true, PreRelease: featuregate.Beta},
|
||||||
|
@ -137,23 +137,6 @@ const (
|
|||||||
// Enables KMS v1 API for encryption at rest.
|
// Enables KMS v1 API for encryption at rest.
|
||||||
KMSv1 featuregate.Feature = "KMSv1"
|
KMSv1 featuregate.Feature = "KMSv1"
|
||||||
|
|
||||||
// owner: @aramase
|
|
||||||
// kep: https://kep.k8s.io/3299
|
|
||||||
// alpha: v1.25
|
|
||||||
// beta: v1.27
|
|
||||||
// stable: v1.29
|
|
||||||
//
|
|
||||||
// Enables KMS v2 API for encryption at rest.
|
|
||||||
KMSv2 featuregate.Feature = "KMSv2"
|
|
||||||
|
|
||||||
// owner: @enj
|
|
||||||
// kep: https://kep.k8s.io/3299
|
|
||||||
// beta: v1.28
|
|
||||||
// stable: v1.29
|
|
||||||
//
|
|
||||||
// Enables the use of derived encryption keys with KMS v2.
|
|
||||||
KMSv2KDF featuregate.Feature = "KMSv2KDF"
|
|
||||||
|
|
||||||
// owner: @alexzielenski, @cici37, @jiahuif
|
// owner: @alexzielenski, @cici37, @jiahuif
|
||||||
// kep: https://kep.k8s.io/3962
|
// kep: https://kep.k8s.io/3962
|
||||||
// alpha: v1.30
|
// alpha: v1.30
|
||||||
@ -380,10 +363,6 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
|
|||||||
|
|
||||||
KMSv1: {Default: false, PreRelease: featuregate.Deprecated},
|
KMSv1: {Default: false, PreRelease: featuregate.Deprecated},
|
||||||
|
|
||||||
KMSv2: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.31
|
|
||||||
|
|
||||||
KMSv2KDF: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.31
|
|
||||||
|
|
||||||
OpenAPIEnums: {Default: true, PreRelease: featuregate.Beta},
|
OpenAPIEnums: {Default: true, PreRelease: featuregate.Beta},
|
||||||
|
|
||||||
RemainingItemCount: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.32
|
RemainingItemCount: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.32
|
||||||
|
@ -760,10 +760,6 @@ func kmsPrefixTransformer(ctx context.Context, config *apiserver.KMSConfiguratio
|
|||||||
}, nil
|
}, nil
|
||||||
|
|
||||||
case kmsAPIVersionV2:
|
case kmsAPIVersionV2:
|
||||||
if !utilfeature.DefaultFeatureGate.Enabled(features.KMSv2) {
|
|
||||||
return storagevalue.PrefixTransformer{}, nil, nil, fmt.Errorf("could not configure KMSv2 plugin %q, KMSv2 feature is not enabled", kmsName)
|
|
||||||
}
|
|
||||||
|
|
||||||
envelopeService, err := EnvelopeKMSv2ServiceFactory(ctx, config.Endpoint, config.Name, config.Timeout.Duration)
|
envelopeService, err := EnvelopeKMSv2ServiceFactory(ctx, config.Endpoint, config.Name, config.Timeout.Duration)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return storagevalue.PrefixTransformer{}, nil, nil, fmt.Errorf("could not configure KMSv2-Plugin's probe %q, error: %w", kmsName, err)
|
return storagevalue.PrefixTransformer{}, nil, nil, fmt.Errorf("could not configure KMSv2-Plugin's probe %q, error: %w", kmsName, err)
|
||||||
|
@ -391,7 +391,6 @@ func TestKMSvsEnablement(t *testing.T) {
|
|||||||
}
|
}
|
||||||
tts := []struct {
|
tts := []struct {
|
||||||
name string
|
name string
|
||||||
kmsv2Enabled bool
|
|
||||||
expectedErr string
|
expectedErr string
|
||||||
expectedTimeout time.Duration
|
expectedTimeout time.Duration
|
||||||
config apiserver.EncryptionConfiguration
|
config apiserver.EncryptionConfiguration
|
||||||
@ -399,7 +398,6 @@ func TestKMSvsEnablement(t *testing.T) {
|
|||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "with kmsv1 and kmsv2, KMSv2=true",
|
name: "with kmsv1 and kmsv2, KMSv2=true",
|
||||||
kmsv2Enabled: true,
|
|
||||||
config: apiserver.EncryptionConfiguration{
|
config: apiserver.EncryptionConfiguration{
|
||||||
Resources: []apiserver.ResourceConfiguration{
|
Resources: []apiserver.ResourceConfiguration{
|
||||||
{
|
{
|
||||||
@ -441,8 +439,6 @@ func TestKMSvsEnablement(t *testing.T) {
|
|||||||
// Just testing KMSv2 feature flag
|
// Just testing KMSv2 feature flag
|
||||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)
|
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)
|
||||||
|
|
||||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv2, tt.kmsv2Enabled)
|
|
||||||
|
|
||||||
ctx, cancel := context.WithCancel(context.Background())
|
ctx, cancel := context.WithCancel(context.Background())
|
||||||
cancel() // cancel this upfront so the kms v2 checks do not block
|
cancel() // cancel this upfront so the kms v2 checks do not block
|
||||||
|
|
||||||
|
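Review bot: The test text kept in TestKMSvsEnablement still describes a KMSv2 gate that this commit removes: the case name `"with kmsv1 and kmsv2, KMSv2=true"` and the comment `// Just testing KMSv2 feature flag`. With the `kmsv2Enabled` field and the `SetFeatureGateDuringTest(..., features.KMSv2, tt.kmsv2Enabled)` call gone, the only gate these hunks still set is KMSv1. The name could become `"with kmsv1 and kmsv2"` and the comment `// KMSv1 is off by default and must be enabled; KMSv2 has no gate`. The TestDefaultValues hunk has the same leftover: its retained failure message still says "without updating the feature flags, default value of KMSv2KDF should be enabled", although KMSv2KDF is no longer a feature flag. Both test functions start and end outside the visible hunks, so other cases in the table may need the same wording pass.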
@ -26,7 +26,6 @@ nodes:
|
|||||||
apiServer:
|
apiServer:
|
||||||
extraArgs:
|
extraArgs:
|
||||||
encryption-provider-config: "/etc/kubernetes/encryption-config.yaml"
|
encryption-provider-config: "/etc/kubernetes/encryption-config.yaml"
|
||||||
feature-gates: "KMSv2=true"
|
|
||||||
v: "5"
|
v: "5"
|
||||||
extraVolumes:
|
extraVolumes:
|
||||||
- name: encryption-config
|
- name: encryption-config
|
||||||
|
@ -376,18 +376,6 @@
|
|||||||
lockToDefault: false
|
lockToDefault: false
|
||||||
preRelease: Deprecated
|
preRelease: Deprecated
|
||||||
version: ""
|
version: ""
|
||||||
- name: KMSv2
|
|
||||||
versionedSpecs:
|
|
||||||
- default: true
|
|
||||||
lockToDefault: true
|
|
||||||
preRelease: GA
|
|
||||||
version: ""
|
|
||||||
- name: KMSv2KDF
|
|
||||||
versionedSpecs:
|
|
||||||
- default: true
|
|
||||||
lockToDefault: true
|
|
||||||
preRelease: GA
|
|
||||||
version: ""
|
|
||||||
- name: KubeletCgroupDriverFromCRI
|
- name: KubeletCgroupDriverFromCRI
|
||||||
versionedSpecs:
|
versionedSpecs:
|
||||||
- default: true
|
- default: true
|
||||||
|
@ -168,9 +168,6 @@ func TestDefaultValues(t *testing.T) {
|
|||||||
if encryptionconfig.GetKDF() != true {
|
if encryptionconfig.GetKDF() != true {
|
||||||
t.Fatalf("without updating the feature flags, default value of KMSv2KDF should be enabled.")
|
t.Fatalf("without updating the feature flags, default value of KMSv2KDF should be enabled.")
|
||||||
}
|
}
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.KMSv2) != true {
|
|
||||||
t.Fatalf("without updating the feature flags, default value of KMSv2 should be enabled.")
|
|
||||||
}
|
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.KMSv1) != false {
|
if utilfeature.DefaultFeatureGate.Enabled(features.KMSv1) != false {
|
||||||
t.Fatalf("without updating the feature flags, default value of KMSv1 should be disabled.")
|
t.Fatalf("without updating the feature flags, default value of KMSv1 should be disabled.")
|
||||||
}
|
}
|
||||||
|