github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 13:37:30 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #85828 from shihan9/master

Browse Source 
ping kmsplugin gentely when in good state
This commit is contained in:
Kubernetes Prow Robot 2019-12-06 18:11:53 -08:00 committed by GitHub
commit cfb1389524
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 66 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
View File

@ -48,7 +48,8 @@ const (
aesGCMTransformerPrefixV1 = "k8s:enc:aesgcm:v1:" aesGCMTransformerPrefixV1 = "k8s:enc:aesgcm:v1:"
secretboxTransformerPrefixV1 = "k8s:enc:secretbox:v1:" secretboxTransformerPrefixV1 = "k8s:enc:secretbox:v1:"
kmsTransformerPrefixV1 = "k8s:enc:kms:v1:" kmsTransformerPrefixV1 = "k8s:enc:kms:v1:"
kmsPluginHealthzTTL = 3 * time.Second kmsPluginHealthzNegativeTTL = 3 * time.Second
kmsPluginHealthzPositiveTTL = 20 * time.Second
) )
type kmsPluginHealthzResponse struct { type kmsPluginHealthzResponse struct {
@ -58,6 +59,7 @@ type kmsPluginHealthzResponse struct {
type kmsPluginProbe struct { type kmsPluginProbe struct {
name string name string
ttl time.Duration
envelope.Service envelope.Service
lastResponse *kmsPluginHealthzResponse lastResponse *kmsPluginHealthzResponse
l *sync.Mutex l *sync.Mutex
@ -112,6 +114,7 @@ func getKMSPluginProbes(reader io.Reader) ([]*kmsPluginProbe, error) {
result = append(result, &kmsPluginProbe{ result = append(result, &kmsPluginProbe{
name: p.KMS.Name, name: p.KMS.Name,
ttl: kmsPluginHealthzNegativeTTL,
Service: s, Service: s,
l: &sync.Mutex{}, l: &sync.Mutex{},
lastResponse: &kmsPluginHealthzResponse{}, lastResponse: &kmsPluginHealthzResponse{},
@ -128,22 +131,25 @@ func (h *kmsPluginProbe) Check() error {
h.l.Lock() h.l.Lock()
defer h.l.Unlock() defer h.l.Unlock()
if (time.Since(h.lastResponse.received)) < kmsPluginHealthzTTL { if (time.Since(h.lastResponse.received)) < h.ttl {
return h.lastResponse.err return h.lastResponse.err
} }
p, err := h.Service.Encrypt([]byte("ping")) p, err := h.Service.Encrypt([]byte("ping"))
if err != nil { if err != nil {
h.lastResponse = &kmsPluginHealthzResponse{err: err, received: time.Now()} h.lastResponse = &kmsPluginHealthzResponse{err: err, received: time.Now()}
h.ttl = kmsPluginHealthzNegativeTTL
return fmt.Errorf("failed to perform encrypt section of the healthz check for KMS Provider %s, error: %v", h.name, err) return fmt.Errorf("failed to perform encrypt section of the healthz check for KMS Provider %s, error: %v", h.name, err)
} }
if _, err := h.Service.Decrypt(p); err != nil { if _, err := h.Service.Decrypt(p); err != nil {
h.lastResponse = &kmsPluginHealthzResponse{err: err, received: time.Now()} h.lastResponse = &kmsPluginHealthzResponse{err: err, received: time.Now()}
h.ttl = kmsPluginHealthzNegativeTTL
return fmt.Errorf("failed to perform decrypt section of the healthz check for KMS Provider %s, error: %v", h.name, err) return fmt.Errorf("failed to perform decrypt section of the healthz check for KMS Provider %s, error: %v", h.name, err)
} }
h.lastResponse = &kmsPluginHealthzResponse{err: nil, received: time.Now()} h.lastResponse = &kmsPluginHealthzResponse{err: nil, received: time.Now()}
h.ttl = kmsPluginHealthzPositiveTTL
return nil return nil
} }

59
staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config_test.go
View File

@ -19,9 +19,11 @@ package encryptionconfig
import ( import (
"bytes" "bytes"
"encoding/base64" "encoding/base64"
"errors"
"io" "io"
"io/ioutil" "io/ioutil"
"os" "os"
"sync"
"testing" "testing"
"time" "time"
@ -61,19 +63,31 @@ func mustConfigReader(t *testing.T, path string) io.Reader {
// testEnvelopeService is a mock envelope service which can be used to simulate remote Envelope services // testEnvelopeService is a mock envelope service which can be used to simulate remote Envelope services
// for testing of the envelope transformer with other transformers. // for testing of the envelope transformer with other transformers.
type testEnvelopeService struct { type testEnvelopeService struct {
err error
} }
func (t *testEnvelopeService) Decrypt(data []byte) ([]byte, error) { func (t *testEnvelopeService) Decrypt(data []byte) ([]byte, error) {
if t.err != nil {
return nil, t.err
}
return base64.StdEncoding.DecodeString(string(data)) return base64.StdEncoding.DecodeString(string(data))
} }
func (t *testEnvelopeService) Encrypt(data []byte) ([]byte, error) { func (t *testEnvelopeService) Encrypt(data []byte) ([]byte, error) {
if t.err != nil {
return nil, t.err
}
return []byte(base64.StdEncoding.EncodeToString(data)), nil return []byte(base64.StdEncoding.EncodeToString(data)), nil
} }
// The factory method to create mock envelope service. // The factory method to create mock envelope service.
func newMockEnvelopeService(endpoint string, timeout time.Duration) (envelope.Service, error) { func newMockEnvelopeService(endpoint string, timeout time.Duration) (envelope.Service, error) {
return &testEnvelopeService{}, nil return &testEnvelopeService{nil}, nil
}
// The factory method to create mock envelope service which always returns error.
func newMockErrorEnvelopeService(endpoint string, timeout time.Duration) (envelope.Service, error) {
return &testEnvelopeService{errors.New("test")}, nil
} }
func TestLegacyConfig(t *testing.T) { func TestLegacyConfig(t *testing.T) {
@ -261,6 +275,49 @@ func TestKMSPluginHealthz(t *testing.T) {
} }
} }
func TestKMSPluginHealthzTTL(t *testing.T) {
service, _ := newMockEnvelopeService("unix:///tmp/testprovider.sock", 3*time.Second)
errService, _ := newMockErrorEnvelopeService("unix:///tmp/testprovider.sock", 3*time.Second)
testCases := []struct {
desc string
probe *kmsPluginProbe
wantTTL time.Duration
}{
{
desc: "kms provider in good state",
probe: &kmsPluginProbe{
name: "test",
ttl: kmsPluginHealthzNegativeTTL,
Service: service,
l: &sync.Mutex{},
lastResponse: &kmsPluginHealthzResponse{},
},
wantTTL: kmsPluginHealthzPositiveTTL,
},
{
desc: "kms provider in bad state",
probe: &kmsPluginProbe{
name: "test",
ttl: kmsPluginHealthzPositiveTTL,
Service: errService,
l: &sync.Mutex{},
lastResponse: &kmsPluginHealthzResponse{},
},
wantTTL: kmsPluginHealthzNegativeTTL,
},
}
for _, tt := range testCases {
t.Run(tt.desc, func(t *testing.T) {
tt.probe.Check()
if tt.probe.ttl != tt.wantTTL {
t.Fatalf("want ttl %v, got ttl %v", tt.wantTTL, tt.probe.ttl)
}
})
}
}
// As long as got and want contain envelope.Service we will return true. // As long as got and want contain envelope.Service we will return true.
// If got has an envelope.Service and want does note (or vice versa) this will return false. // If got has an envelope.Service and want does note (or vice versa) this will return false.
func serviceComparer(_, _ envelope.Service) bool { func serviceComparer(_, _ envelope.Service) bool {