From 4f265c3a6e744f64b53db35444d9c5659edb8b19 Mon Sep 17 00:00:00 2001
From: Rita Zhang
Date: Wed, 8 Jun 2022 17:50:54 -0700
Subject: [PATCH 1/4] address review comments - remove KMSv2Configuration - separate EncryptResponse from EncryptedObject
Signed-off-by: Rita Zhang
---
.../3299-kms-v2-improvements/README.md | 24 +++----------------
1 file changed, 3 insertions(+), 21 deletions(-)
diff --git a/keps/sig-auth/3299-kms-v2-improvements/README.md b/keps/sig-auth/3299-kms-v2-improvements/README.md
index 17ce59aa6ff..2f46c43e966 100644
--- a/keps/sig-auth/3299-kms-v2-improvements/README.md
+++ b/keps/sig-auth/3299-kms-v2-improvements/README.md
@@ -126,27 +126,9 @@ proposal will be implemented, this is the place to discuss them. index d7d68d2584d..84c1fa6546f 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/config/v1/types.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/types.go -@@ -51,7 +51,8 @@ type ProviderConfiguration struct { - // identity is the (empty) configuration for the identity transformer. - Identity *IdentityConfiguration `json:"identity,omitempty"` - // kms contains the name, cache size and path to configuration file for a KMS based envelope transformer. -- KMS *KMSConfiguration `json:"kms,omitempty"` -+ KMS *KMSConfiguration `json:"kms,omitempty"` -+ KMSv2 *KMSv2Configuration `json:"kmsv2,omitempty"` - } - - // AESConfiguration contains the API configuration for an AES transformer.
@@ -98,3 +99,10 @@ type KMSConfiguration struct { - // +optional - Timeout *metav1.Duration `json:"timeout,omitempty"` - } -+ -+type KMSv2Configuration struct { -+ // name is the name of the KMSv2 plugin to be used. -+ Name string `json:"name"` -+ // endpoint is the gRPC server listening address, for example "unix:///var/run/kmsv2-provider.sock". -+ Endpoint string `json:"endpoint"` -+} ++ // apiversion of KeyManagementService ++ APIVersion string `json:"apiversion"` ``` Support key hierarchy in KMS plugin that generates local KEK and add v2alpha1 `KeyManagementService` proto service contract in Kubernetes to include `key_id`, `annotations`, and `status`.
@@ -225,7 +207,7 @@ The last byte represents the encoding style, with 0 meaning that the rest of the type EncryptedObject struct { TypeMeta `json:",inline" protobuf:"bytes,1,opt,name=typeMeta"` - EncryptResponse EncryptResponse `protobuf:"bytes,2,opt,name=encryptResponse"` + KeyId string `protobuf:"bytes,2,opt,name=keyId"` PluginName string `protobuf:"bytes,3,opt,name=pluginName"`
From 1442adb2f066822c48deb5b451465da23933184c Mon Sep 17 00:00:00 2001
From: Rita Zhang
Date: Thu, 9 Jun 2022 08:05:46 -0700
Subject: [PATCH 2/4] update casing
Signed-off-by: Rita Zhang
---
keps/sig-auth/3299-kms-v2-improvements/README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/keps/sig-auth/3299-kms-v2-improvements/README.md b/keps/sig-auth/3299-kms-v2-improvements/README.md
index 2f46c43e966..b62f0cb2556 100644
--- a/keps/sig-auth/3299-kms-v2-improvements/README.md
+++ b/keps/sig-auth/3299-kms-v2-improvements/README.md
@@ -128,7 +128,7 @@ index d7d68d2584d..84c1fa6546f 100644 +++ b/staging/src/k8s.io/apiserver/pkg/apis/config/v1/types.go
@@ -98,3 +99,10 @@ type KMSConfiguration struct { + // apiversion of KeyManagementService -+ APIVersion string `json:"apiversion"` ++ APIVersion string `json:"apiVersion"` ``` Support key hierarchy in KMS plugin that generates local KEK and add v2alpha1 `KeyManagementService` proto service contract in Kubernetes to include `key_id`, `annotations`, and `status`.
@@ -207,7 +207,7 @@ The last byte represents the encoding style, with 0 meaning that the rest of the type EncryptedObject struct { TypeMeta `json:",inline" protobuf:"bytes,1,opt,name=typeMeta"` - KeyId string `protobuf:"bytes,2,opt,name=keyId"` + KeyID string `protobuf:"bytes,2,opt,name=keyID"` PluginName string `protobuf:"bytes,3,opt,name=pluginName"`
From a3d6c7eb6e8b842b7900cee2a03360662f8cf878 Mon Sep 17 00:00:00 2001
From: Rita Zhang
Date: Thu, 9 Jun 2022 22:43:22 -0700
Subject: [PATCH 3/4] add annotations to encryptedObject
Signed-off-by: Rita Zhang
---
keps/sig-auth/3299-kms-v2-improvements/README.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/keps/sig-auth/3299-kms-v2-improvements/README.md b/keps/sig-auth/3299-kms-v2-improvements/README.md
index b62f0cb2556..e7f129ae6ce 100644
--- a/keps/sig-auth/3299-kms-v2-improvements/README.md
+++ b/keps/sig-auth/3299-kms-v2-improvements/README.md
@@ -212,6 +212,8 @@ type EncryptedObject struct { PluginName string `protobuf:"bytes,3,opt,name=pluginName"` Ciphertext []byte `protobuf:"bytes,4,opt,name=ciphertext"` + + Annotations map `protobuf:"bytes,5,opt,name=annotations` } ```
From 8fca627be9194536a0105cf0b64e8c63fec137c2 Mon Sep 17 00:00:00 2001
From: Rita Zhang
Date: Thu, 9 Jun 2022 22:53:31 -0700
Subject: [PATCH 4/4] add more test plan sections
Signed-off-by: Rita Zhang
---
.../3299-kms-v2-improvements/README.md | 34 ++++++-------------
1 file changed, 10 insertions(+), 24 deletions(-)
diff --git a/keps/sig-auth/3299-kms-v2-improvements/README.md b/keps/sig-auth/3299-kms-v2-improvements/README.md
index e7f129ae6ce..4d3be8089a4 100644
--- a/keps/sig-auth/3299-kms-v2-improvements/README.md
+++ b/keps/sig-auth/3299-kms-v2-improvements/README.md
@@ -213,7 +213,7 @@ type EncryptedObject struct { Ciphertext []byte `protobuf:"bytes,4,opt,name=ciphertext"` - Annotations map `protobuf:"bytes,5,opt,name=annotations` + Annotations map[string][]byte `protobuf:"bytes,5,opt,name=annotations"` } ```
@@ -329,37 +329,23 @@ sequenceDiagram ### Test Plan -This section is incomplete and will be updated before the beta milestone. - -Performance: - -Unit tests covering: - -… - -Integration test covering: - -… +[ ] I/we understand the owners of the involved components may require updates to existing tests to make this code solid enough prior to committing the changes necessary to implement this enhancement. -Rotation: +##### Prerequisite testing updates -Unit tests covering: - -… - -Integration test covering: +This section is incomplete and will be updated before the beta milestone. -… +##### Unit tests -Observability: +This section is incomplete and will be updated before the beta milestone. -Unit tests covering: +##### Integration tests -… +This section is incomplete and will be updated before the beta milestone. -Integration test covering: +##### e2e tests -… +This section is incomplete and will be updated before the beta milestone. ### Graduation Criteria