
package etcdencryption

import "github.com/gardener/gardener/pkg/operation/etcdencryption"


Package Files

encryptionconfiguration.go etcdencryptiondata.go etcdencryptioninfodata.go

Constants

const ETCDEncryptionDataType = infodata.TypeVersion("etcdEncryption")

ETCDEncryptionDataType is the type used to denote an ETCDKeyData structure in the ShootState.

func GetSecretKeyForResources

func GetSecretKeyForResources(config *apiserverconfigv1.EncryptionConfiguration, resources string) (string, string, error)

GetSecretKeyForResources returns the name and the secret of the AESCBC key that is used to encrypt the given resources. If no AESCBC key is found, it returns empty strings.

func IsConfigurationNotFoundError

func IsConfigurationNotFoundError(err error) bool

IsConfigurationNotFoundError reports whether the given error indicates that no encryption configuration was found at the common.EtcdEncryptionSecretFileName key in the data section of a secret.

func Load

func Load(data []byte) (*apiserverconfigv1.EncryptionConfiguration, error)

Load decodes an EncryptionConfiguration from the given data.

func NewEncryptionConfiguration

func NewEncryptionConfiguration(encryptionConfig *EncryptionConfig) *apiserverconfigv1.EncryptionConfiguration

NewEncryptionConfiguration creates an EncryptionConfiguration from the keys and flags held by the given EncryptionConfig.

func NewEncryptionKey

func NewEncryptionKey(t time.Time, r io.Reader) (*apiserverconfigv1.Key, error)

NewEncryptionKey creates a new random encryption key whose name contains the given timestamp. The reader must return random data suitable for cryptographic use; otherwise the security of the encryption is compromised.

func NewEncryptionKeyName

func NewEncryptionKeyName(t time.Time) string

NewEncryptionKeyName creates a new key name containing the given timestamp.

func NewEncryptionKeySecret

func NewEncryptionKeySecret(r io.Reader) (string, error)

NewEncryptionKeySecret reads common.EtcdEncryptionSecretLen bytes from the given reader and returns them base64-encoded. The reader must return random data suitable for cryptographic use; otherwise the security of the encryption is compromised.

func ReadSecret

func ReadSecret(secret *corev1.Secret) (*apiserverconfigv1.EncryptionConfiguration, error)

ReadSecret reads and validates the EncryptionConfiguration of the given secret.

func Unmarshal

func Unmarshal(bytes []byte) (infodata.InfoData, error)

Unmarshal decodes an ETCDKeyData JSON document into an InfoData.

func UpdateSecret

func UpdateSecret(secret *corev1.Secret, conf *apiserverconfigv1.EncryptionConfiguration) error

UpdateSecret writes the EncryptionConfiguration to the common.EtcdEncryptionSecretFileName key in the data section of the given secret.

func Write

func Write(ec *apiserverconfigv1.EncryptionConfiguration) ([]byte, error)

Write encodes an EncryptionConfiguration into bytes.

type EncryptionConfig

// EncryptionConfig holds the etcd encryption keys together with the flags that
// steer whether resources are persisted in plain text and whether they have to
// be rewritten after the configuration changed.
type EncryptionConfig struct {
    // EncryptionKeys lists the keys (name plus key material) available for
    // encrypting resources in etcd. AddNewEncryptionKey and
    // AddEncryptionKeyFromSecret append to it.
    EncryptionKeys          []EncryptionKey
    // ForcePlainTextResources, when true, makes resources be persisted in plain
    // text instead of being encrypted with one of EncryptionKeys.
    ForcePlainTextResources bool
    // RewriteResources marks that already stored resources must be rewritten so
    // that they match the current configuration; SetForcePlainTextResources sets
    // it when the plain-text setting changes.
    RewriteResources        bool
}

EncryptionConfig holds a list of keys and two flags: whether resources should be forcibly persisted in plain text, and whether they should be rewritten if the configuration changes.

func GetEncryptionConfig

func GetEncryptionConfig(gardenerResourceDataList gardencorev1alpha1helper.GardenerResourceDataList) (*EncryptionConfig, error)

GetEncryptionConfig retrieves the ETCDEncryptionConfig from the given gardenerResourceDataList.

func NewEncryptionConfig

func NewEncryptionConfig(keys []EncryptionKey, forcePlainTextResources, rewriteResources bool) (*EncryptionConfig, error)

NewEncryptionConfig creates a new EncryptionConfig from the given keys and flags.

func (*EncryptionConfig) AddEncryptionKeyFromSecret

func (e *EncryptionConfig) AddEncryptionKeyFromSecret(secret *corev1.Secret) error

AddEncryptionKeyFromSecret reads the active etcd encryption key from the given secret and adds it to the ETCDEncryptionConfig. TODO: this function can be removed in a future version once all encryption configurations have been synced to the ShootState.

func (*EncryptionConfig) AddNewEncryptionKey

func (e *EncryptionConfig) AddNewEncryptionKey() error

AddNewEncryptionKey generates a new etcd encryption key and adds it to the ETCDEncryptionConfig.

func (*EncryptionConfig) Marshal

func (e *EncryptionConfig) Marshal() ([]byte, error)

Marshal serializes the ETCDEncryption InfoData.

func (*EncryptionConfig) SetForcePlainTextResources

func (e *EncryptionConfig) SetForcePlainTextResources(forcePlainTextResources bool)

SetForcePlainTextResources sets whether resources should be persisted in plain text instead of encrypted. If the value changes, RewriteResources is set to true.

func (*EncryptionConfig) TypeVersion

func (e *EncryptionConfig) TypeVersion() infodata.TypeVersion

TypeVersion implements InfoData.

type EncryptionConfigData

// EncryptionConfigData is the JSON representation of an EncryptionConfig, i.e.
// the form in which the etcd encryption keys and flags are persisted as
// InfoData. Note that the encoded document carries the key material of every
// key in EncryptionKeys, so it must be treated as secret wherever it is stored.
type EncryptionConfigData struct {
    // EncryptionKeys lists the keys (name plus key material) in JSON form.
    EncryptionKeys          []EncryptionKeyData `json:"encryptionKeys"`
    // ForcePlainTextResources mirrors EncryptionConfig.ForcePlainTextResources:
    // true means resources are persisted in plain text.
    ForcePlainTextResources bool                `json:"forcePlainTextResources"`
    // RewriteResources mirrors EncryptionConfig.RewriteResources: true means
    // stored resources have to be rewritten to match the configuration.
    RewriteResources        bool                `json:"rewriteResources"`
}

EncryptionConfigData holds a list of keys and two flags: whether resources should be forcibly persisted in plain text, and whether they should be rewritten if the configuration changes.

type EncryptionKey

// EncryptionKey holds one etcd encryption key together with its name.
type EncryptionKey struct {
    // Key is the key material; NewEncryptionKeySecret produces it as base64-encoded
    // random bytes. It is a secret: keep it out of logs and non-secret objects.
    Key  string
    // Name identifies the key; NewEncryptionKeyName derives it from a timestamp.
    Name string
}

EncryptionKey holds the key and its name used to encrypt resources in ETCD.

type EncryptionKeyData

// EncryptionKeyData is the JSON representation of an EncryptionKey. The encoded
// document contains the key material itself, so it must be treated as secret.
type EncryptionKeyData struct {
    // Key is the key material (base64-encoded when produced by NewEncryptionKeySecret).
    Key  string `json:"key"`
    // Name identifies the key (timestamp-based when produced by NewEncryptionKeyName).
    Name string `json:"name"`
}

EncryptionKeyData holds the key and its name used to encrypt resources in ETCD.
