gardener: github.com/gardener/gardener/pkg/operation/etcdencryption

package encryptionconfiguration

import "github.com/gardener/gardener/pkg/operation/etcdencryption"

Index

Package Files

encryptionconfiguration.go

func IsConfigurationNotFoundError

func IsConfigurationNotFoundError(err error) bool

IsConfigurationNotFoundError reports whether the given error indicates that no encryption configuration was found at the common.EtcdEncryptionSecretFileName key of the data section of a secret.

func Load

func Load(data []byte) (*apiserverconfigv1.EncryptionConfiguration, error)

Load decodes an EncryptionConfiguration from the given data.

func NewEncryptionKey

func NewEncryptionKey(t time.Time, r io.Reader) (*apiserverconfigv1.Key, error)

NewEncryptionKey creates a new random encryption key with a name containing the timestamp. The reader should return random data suitable for cryptographic use, otherwise the security of encryption might be compromised.

func NewEncryptionKeyName

func NewEncryptionKeyName(t time.Time) string

NewEncryptionKeyName creates a new key name containing the given timestamp.

func NewEncryptionKeySecret

func NewEncryptionKeySecret(r io.Reader) (string, error)

NewEncryptionKeySecret reads common.EtcdEncryptionSecretLen bytes from the given reader and base64-encodes the data. The reader should return random data suitable for cryptographic use, otherwise the security of encryption might be compromised.

func NewPassiveConfiguration

func NewPassiveConfiguration(t time.Time, r io.Reader) (*apiserverconfigv1.EncryptionConfiguration, error)

NewPassiveConfiguration creates an initial configuration for etcd encryption. The list of encryption providers contains identity as the first provider, which has the effect that this configuration does not yet encrypt written secrets. The configuration has to be activated to actually encrypt written secrets. Nevertheless, an aescbc encryption provider is already contained in the configuration at the second position in the list of providers. A key is created for aescbc, with the key's name containing the given time.

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- providers:
  - identity: {}
  - aescbc:
      keys:
      - name: key1559747207815249000
        secret: Y8LEzbtK/2mdXrw6W/faAxNLu+mTCmcQeWojShAJGEg=
  resources:
  - secrets

func ParseEncryptionKeyName

func ParseEncryptionKeyName(keyName string) (time.Time, error)

ParseEncryptionKeyName extracts the timestamp from a key name created by NewEncryptionKeyName.

func ReadSecret

func ReadSecret(secret *corev1.Secret) (*apiserverconfigv1.EncryptionConfiguration, error)

ReadSecret reads and validates the EncryptionConfiguration of the given secret.

func SetResourceEncryption

func SetResourceEncryption(c *apiserverconfigv1.EncryptionConfiguration, resource string, encrypted bool) error

SetResourceEncryption sets the EncryptionConfiguration for the given resource to the active or non-active (passive) state. State active means that the aescbc provider is first in the list of providers, so newly written data is encrypted. State non-active (passive) means that the identity provider is first in the list of providers, so newly written data is stored unencrypted.
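The passive-then-active flow described under NewPassiveConfiguration and SetResourceEncryption, as an added, self-contained example that is not the gardener package's own code: the apiserverconfigv1 types are replaced by hand-written stand-ins with the same field names, the secret length is assumed to be 32 bytes (AES-256), and the key-name format is taken from the sample key name on this page.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io"
	"time"
)

type Key struct{ Name, Secret string } // stand-ins for the apiserverconfigv1 types (assumption: trimmed to identity and aescbc)
type AESConfiguration struct{ Keys []Key }
type ProviderConfiguration struct{ AESCBC *AESConfiguration; Identity *struct{} }
type ResourceConfiguration struct{ Resources []string; Providers []ProviderConfiguration }
type EncryptionConfiguration struct{ Resources []ResourceConfiguration }
const secretLen = 32 // stand-in for common.EtcdEncryptionSecretLen; 32 bytes selects AES-256

// NewPassiveConfiguration lists identity first (writes stay plaintext) but already carries an
// aescbc key of secretLen CSPRNG bytes from r, named "key<UnixNano>" like the sample above.
func NewPassiveConfiguration(t time.Time, r io.Reader) (*EncryptionConfiguration, error) {
	buf := make([]byte, secretLen)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	key := Key{Name: fmt.Sprintf("key%d", t.UnixNano()), Secret: base64.StdEncoding.EncodeToString(buf)}
	return &EncryptionConfiguration{Resources: []ResourceConfiguration{{
		Resources: []string{"secrets"},
		Providers: []ProviderConfiguration{{Identity: &struct{}{}}, {AESCBC: &AESConfiguration{Keys: []Key{key}}}},
	}}}, nil
}

// SetResourceEncryption moves aescbc (encrypted=true) or identity (false) to the front of the
// resource's provider list; the other provider stays so already written data remains readable.
func SetResourceEncryption(c *EncryptionConfiguration, resource string, encrypted bool) error {
	for i := range c.Resources {
		rc := &c.Resources[i]
		for _, name := range rc.Resources {
			if name != resource {
				continue
			}
			for j, p := range rc.Providers {
				if (encrypted && p.AESCBC != nil) || (!encrypted && p.Identity != nil) {
					rc.Providers = append([]ProviderConfiguration{p}, append(rc.Providers[:j:j], rc.Providers[j+1:]...)...)
					return nil
				}
			}
			return fmt.Errorf("resource %q has no matching provider", resource)
		}
	}
	return fmt.Errorf("resource %q is not configured", resource)
}
```

Passing crypto/rand.Reader as r gives a usable key; a reader that yields fewer than secretLen bytes is rejected rather than silently producing a short key.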

func UpdateSecret

func UpdateSecret(secret *corev1.Secret, conf *apiserverconfigv1.EncryptionConfiguration) error

UpdateSecret writes the EncryptionConfiguration to the common.EtcdEncryptionSecretFileName key in the data section of the given secret.

func Write

func Write(ec *apiserverconfigv1.EncryptionConfiguration) ([]byte, error)

Write encodes an EncryptionConfiguration.

Package encryptionconfiguration imports 13 packages and is imported by 1 package. Updated 2019-11-23.