pax_global_header00006660000000000000000000000064147261440400014514gustar00rootroot0000000000000052 comment=f7e1a5d274420a7e8fce9a15ec412ea04b999b51 kms-0.31.4/000077500000000000000000000000001472614404000123735ustar00rootroot00000000000000kms-0.31.4/.github/000077500000000000000000000000001472614404000137335ustar00rootroot00000000000000kms-0.31.4/.github/PULL_REQUEST_TEMPLATE.md000066400000000000000000000002251472614404000175330ustar00rootroot00000000000000Sorry, we do not accept changes directly against this repository. Please see CONTRIBUTING.md for information on where and how to contribute instead. kms-0.31.4/CONTRIBUTING.md000066400000000000000000000013271472614404000146270ustar00rootroot00000000000000# Contributing guidelines Do not open pull requests directly against this repository, they will be ignored. Instead, please open pull requests against [kubernetes/kubernetes](https://git.k8s.io/kubernetes/). Please follow the same [contributing guide](https://git.k8s.io/kubernetes/CONTRIBUTING.md) you would follow for any other pull request made to kubernetes/kubernetes. This repository is published from [kubernetes/kubernetes/staging/src/k8s.io/kms](https://git.k8s.io/kubernetes/staging/src/k8s.io/kms) by the [kubernetes publishing-bot](https://git.k8s.io/publishing-bot). Please see [Staging Directory and Publishing](https://git.k8s.io/community/contributors/devel/sig-architecture/staging.md) for more information kms-0.31.4/LICENSE000066400000000000000000000261351472614404000134070ustar00rootroot00000000000000 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. 
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. 
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. 
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the 
Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. 
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. 
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "{}" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright {yyyy} {name of copyright owner} Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. kms-0.31.4/OWNERS000066400000000000000000000002621472614404000133330ustar00rootroot00000000000000# See the OWNERS docs at https://go.k8s.io/owners approvers: - sig-auth-encryption-at-rest-approvers reviewers: - sig-auth-encryption-at-rest-reviewers labels: - sig/auth kms-0.31.4/README.md000066400000000000000000000016031472614404000136520ustar00rootroot00000000000000# KMS This repository contains the KMS proto APIs. See https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3299-kms-v2-improvements for more details. ## Community, discussion, contribution, and support KMS is a sub-project of [SIG-Auth](https://github.com/kubernetes/community/tree/master/sig-auth). 
You can reach the maintainers of this project at: - Slack: [#sig-auth](https://kubernetes.slack.com/messages/sig-auth) - Mailing List: [kubernetes-sig-auth](https://groups.google.com/forum/#!forum/kubernetes-sig-auth) Learn how to engage with the Kubernetes community on the [community page](https://kubernetes.io/community/). ### Code of conduct Participation in the Kubernetes community is governed by the [Kubernetes Code of Conduct](code-of-conduct.md). kms-0.31.4/SECURITY_CONTACTS000066400000000000000000000010311472614404000150560ustar00rootroot00000000000000# Defined below are the security contacts for this repo. # # They are the contact point for the Product Security Committee to reach out # to for triaging and handling of incoming issues. # # The below names agree to abide by the # [Embargo Policy](https://git.k8s.io/security/private-distributors-list.md#embargo-policy) # and will be removed and replaced if they violate that agreement. # # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE # INSTRUCTIONS AT https://kubernetes.io/security/ aramase enj ritazh kms-0.31.4/apis/000077500000000000000000000000001472614404000133275ustar00rootroot00000000000000kms-0.31.4/apis/OWNERS000066400000000000000000000003141472614404000142650ustar00rootroot00000000000000# See the OWNERS docs at https://go.k8s.io/owners # Disable inheritance as this is an api owners file options: no_parent_owners: true approvers: - api-approvers reviewers: - sig-auth-api-reviewers kms-0.31.4/apis/v1beta1/000077500000000000000000000000001472614404000145725ustar00rootroot00000000000000kms-0.31.4/apis/v1beta1/api.pb.go000066400000000000000000000461601472614404000163010ustar00rootroot00000000000000/* Copyright The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ // Code generated by protoc-gen-gogo. DO NOT EDIT. // api.proto is a deprecated file. package v1beta1 import ( context "context" fmt "fmt" proto "github.com/gogo/protobuf/proto" grpc "google.golang.org/grpc" codes "google.golang.org/grpc/codes" status "google.golang.org/grpc/status" math "math" ) // Reference imports to suppress errors if they are not otherwise used. var _ = proto.Marshal var _ = fmt.Errorf var _ = math.Inf // This is a compile-time assertion to ensure that this generated file // is compatible with the proto package it is being compiled against. // A compilation error at this line likely means your copy of the // proto package needs to be updated. const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package // Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead. type VersionRequest struct { // Version of the KMS plugin API. 
Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } func (m *VersionRequest) Reset() { *m = VersionRequest{} } func (m *VersionRequest) String() string { return proto.CompactTextString(m) } func (*VersionRequest) ProtoMessage() {} func (*VersionRequest) Descriptor() ([]byte, []int) { return fileDescriptor_00212fb1f9d3bf1c, []int{0} } func (m *VersionRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_VersionRequest.Unmarshal(m, b) } func (m *VersionRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { return xxx_messageInfo_VersionRequest.Marshal(b, m, deterministic) } func (m *VersionRequest) XXX_Merge(src proto.Message) { xxx_messageInfo_VersionRequest.Merge(m, src) } func (m *VersionRequest) XXX_Size() int { return xxx_messageInfo_VersionRequest.Size(m) } func (m *VersionRequest) XXX_DiscardUnknown() { xxx_messageInfo_VersionRequest.DiscardUnknown(m) } var xxx_messageInfo_VersionRequest proto.InternalMessageInfo func (m *VersionRequest) GetVersion() string { if m != nil { return m.Version } return "" } // Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead. type VersionResponse struct { // Version of the KMS plugin API. Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` // Name of the KMS provider. RuntimeName string `protobuf:"bytes,2,opt,name=runtime_name,json=runtimeName,proto3" json:"runtime_name,omitempty"` // Version of the KMS provider. The string must be semver-compatible. 
RuntimeVersion string `protobuf:"bytes,3,opt,name=runtime_version,json=runtimeVersion,proto3" json:"runtime_version,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } func (m *VersionResponse) Reset() { *m = VersionResponse{} } func (m *VersionResponse) String() string { return proto.CompactTextString(m) } func (*VersionResponse) ProtoMessage() {} func (*VersionResponse) Descriptor() ([]byte, []int) { return fileDescriptor_00212fb1f9d3bf1c, []int{1} } func (m *VersionResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_VersionResponse.Unmarshal(m, b) } func (m *VersionResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { return xxx_messageInfo_VersionResponse.Marshal(b, m, deterministic) } func (m *VersionResponse) XXX_Merge(src proto.Message) { xxx_messageInfo_VersionResponse.Merge(m, src) } func (m *VersionResponse) XXX_Size() int { return xxx_messageInfo_VersionResponse.Size(m) } func (m *VersionResponse) XXX_DiscardUnknown() { xxx_messageInfo_VersionResponse.DiscardUnknown(m) } var xxx_messageInfo_VersionResponse proto.InternalMessageInfo func (m *VersionResponse) GetVersion() string { if m != nil { return m.Version } return "" } func (m *VersionResponse) GetRuntimeName() string { if m != nil { return m.RuntimeName } return "" } func (m *VersionResponse) GetRuntimeVersion() string { if m != nil { return m.RuntimeVersion } return "" } // Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead. type DecryptRequest struct { // Version of the KMS plugin API. Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` // The data to be decrypted. 
Cipher []byte `protobuf:"bytes,2,opt,name=cipher,proto3" json:"cipher,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } func (m *DecryptRequest) Reset() { *m = DecryptRequest{} } func (m *DecryptRequest) String() string { return proto.CompactTextString(m) } func (*DecryptRequest) ProtoMessage() {} func (*DecryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor_00212fb1f9d3bf1c, []int{2} } func (m *DecryptRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_DecryptRequest.Unmarshal(m, b) } func (m *DecryptRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { return xxx_messageInfo_DecryptRequest.Marshal(b, m, deterministic) } func (m *DecryptRequest) XXX_Merge(src proto.Message) { xxx_messageInfo_DecryptRequest.Merge(m, src) } func (m *DecryptRequest) XXX_Size() int { return xxx_messageInfo_DecryptRequest.Size(m) } func (m *DecryptRequest) XXX_DiscardUnknown() { xxx_messageInfo_DecryptRequest.DiscardUnknown(m) } var xxx_messageInfo_DecryptRequest proto.InternalMessageInfo func (m *DecryptRequest) GetVersion() string { if m != nil { return m.Version } return "" } func (m *DecryptRequest) GetCipher() []byte { if m != nil { return m.Cipher } return nil } // Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead. type DecryptResponse struct { // The decrypted data. 
Plain []byte `protobuf:"bytes,1,opt,name=plain,proto3" json:"plain,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } func (m *DecryptResponse) Reset() { *m = DecryptResponse{} } func (m *DecryptResponse) String() string { return proto.CompactTextString(m) } func (*DecryptResponse) ProtoMessage() {} func (*DecryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor_00212fb1f9d3bf1c, []int{3} } func (m *DecryptResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_DecryptResponse.Unmarshal(m, b) } func (m *DecryptResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { return xxx_messageInfo_DecryptResponse.Marshal(b, m, deterministic) } func (m *DecryptResponse) XXX_Merge(src proto.Message) { xxx_messageInfo_DecryptResponse.Merge(m, src) } func (m *DecryptResponse) XXX_Size() int { return xxx_messageInfo_DecryptResponse.Size(m) } func (m *DecryptResponse) XXX_DiscardUnknown() { xxx_messageInfo_DecryptResponse.DiscardUnknown(m) } var xxx_messageInfo_DecryptResponse proto.InternalMessageInfo func (m *DecryptResponse) GetPlain() []byte { if m != nil { return m.Plain } return nil } // Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead. type EncryptRequest struct { // Version of the KMS plugin API. Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` // The data to be encrypted. 
Plain []byte `protobuf:"bytes,2,opt,name=plain,proto3" json:"plain,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } func (m *EncryptRequest) Reset() { *m = EncryptRequest{} } func (m *EncryptRequest) String() string { return proto.CompactTextString(m) } func (*EncryptRequest) ProtoMessage() {} func (*EncryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor_00212fb1f9d3bf1c, []int{4} } func (m *EncryptRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_EncryptRequest.Unmarshal(m, b) } func (m *EncryptRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { return xxx_messageInfo_EncryptRequest.Marshal(b, m, deterministic) } func (m *EncryptRequest) XXX_Merge(src proto.Message) { xxx_messageInfo_EncryptRequest.Merge(m, src) } func (m *EncryptRequest) XXX_Size() int { return xxx_messageInfo_EncryptRequest.Size(m) } func (m *EncryptRequest) XXX_DiscardUnknown() { xxx_messageInfo_EncryptRequest.DiscardUnknown(m) } var xxx_messageInfo_EncryptRequest proto.InternalMessageInfo func (m *EncryptRequest) GetVersion() string { if m != nil { return m.Version } return "" } func (m *EncryptRequest) GetPlain() []byte { if m != nil { return m.Plain } return nil } // Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead. type EncryptResponse struct { // The encrypted data. 
Cipher []byte `protobuf:"bytes,1,opt,name=cipher,proto3" json:"cipher,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } func (m *EncryptResponse) Reset() { *m = EncryptResponse{} } func (m *EncryptResponse) String() string { return proto.CompactTextString(m) } func (*EncryptResponse) ProtoMessage() {} func (*EncryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor_00212fb1f9d3bf1c, []int{5} } func (m *EncryptResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_EncryptResponse.Unmarshal(m, b) } func (m *EncryptResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { return xxx_messageInfo_EncryptResponse.Marshal(b, m, deterministic) } func (m *EncryptResponse) XXX_Merge(src proto.Message) { xxx_messageInfo_EncryptResponse.Merge(m, src) } func (m *EncryptResponse) XXX_Size() int { return xxx_messageInfo_EncryptResponse.Size(m) } func (m *EncryptResponse) XXX_DiscardUnknown() { xxx_messageInfo_EncryptResponse.DiscardUnknown(m) } var xxx_messageInfo_EncryptResponse proto.InternalMessageInfo func (m *EncryptResponse) GetCipher() []byte { if m != nil { return m.Cipher } return nil } func init() { proto.RegisterType((*VersionRequest)(nil), "v1beta1.VersionRequest") proto.RegisterType((*VersionResponse)(nil), "v1beta1.VersionResponse") proto.RegisterType((*DecryptRequest)(nil), "v1beta1.DecryptRequest") proto.RegisterType((*DecryptResponse)(nil), "v1beta1.DecryptResponse") proto.RegisterType((*EncryptRequest)(nil), "v1beta1.EncryptRequest") proto.RegisterType((*EncryptResponse)(nil), "v1beta1.EncryptResponse") } func init() { proto.RegisterFile("api.proto", fileDescriptor_00212fb1f9d3bf1c) } var fileDescriptor_00212fb1f9d3bf1c = []byte{ // 314 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x52, 0xcf, 0x4a, 0xf3, 0x40, 0x10, 0xef, 0xf6, 0xe3, 0x6b, 0xe9, 0x58, 0x12, 0x58, 0x8a, 0x0d, 0xe2, 0x41, 0xf7, 0x52, 
0xf5, 0x90, 0x52, 0xbd, 0x78, 0x12, 0x29, 0x7a, 0x12, 0x3d, 0x44, 0xf0, 0xe0, 0x45, 0xb6, 0x61, 0xd0, 0xa5, 0x66, 0xb3, 0xee, 0x6e, 0x23, 0x7d, 0x33, 0x9f, 0xc4, 0xe7, 0x11, 0x93, 0x4d, 0xdc, 0x54, 0x44, 0x8f, 0x33, 0xfb, 0xfb, 0x33, 0xbf, 0x99, 0x85, 0x01, 0x57, 0x22, 0x56, 0x3a, 0xb7, 0x39, 0xed, 0x17, 0xb3, 0x05, 0x5a, 0x3e, 0x63, 0x47, 0x10, 0xdc, 0xa1, 0x36, 0x22, 0x97, 0x09, 0xbe, 0xac, 0xd0, 0x58, 0x1a, 0x41, 0xbf, 0xa8, 0x3a, 0x11, 0xd9, 0x23, 0x07, 0x83, 0xa4, 0x2e, 0xd9, 0x2b, 0x84, 0x0d, 0xd6, 0xa8, 0x5c, 0x1a, 0xfc, 0x19, 0x4c, 0xf7, 0x61, 0xa8, 0x57, 0xd2, 0x8a, 0x0c, 0x1f, 0x24, 0xcf, 0x30, 0xea, 0x96, 0xcf, 0x5b, 0xae, 0x77, 0xc3, 0x33, 0xa4, 0x13, 0x08, 0x6b, 0x48, 0x2d, 0xf2, 0xaf, 0x44, 0x05, 0xae, 0xed, 0xdc, 0xd8, 0x1c, 0x82, 0x0b, 0x4c, 0xf5, 0x5a, 0xd9, 0x5f, 0x87, 0xa4, 0xdb, 0xd0, 0x4b, 0x85, 0x7a, 0x42, 0x5d, 0x3a, 0x0e, 0x13, 0x57, 0xb1, 0x09, 0x84, 0x8d, 0x86, 0x1b, 0x7e, 0x04, 0xff, 0xd5, 0x33, 0x17, 0x95, 0xc4, 0x30, 0xa9, 0x0a, 0x76, 0x0e, 0xc1, 0xa5, 0xfc, 0xa3, 0x59, 0xa3, 0xd0, 0xf5, 0x15, 0x0e, 0x21, 0x6c, 0x14, 0x9c, 0xd5, 0xd7, 0x54, 0xc4, 0x9f, 0xea, 0xf8, 0x9d, 0xc0, 0xe8, 0x0a, 0xd7, 0xd7, 0x5c, 0xf2, 0x47, 0xcc, 0x50, 0xda, 0x5b, 0xd4, 0x85, 0x48, 0x91, 0x9e, 0x41, 0xdf, 0xa5, 0xa7, 0xe3, 0xd8, 0x1d, 0x2b, 0x6e, 0x5f, 0x6a, 0x27, 0xfa, 0xfe, 0x50, 0xd9, 0xb1, 0xce, 0x27, 0xdf, 0xc5, 0xf5, 0xf8, 0xed, 0x25, 0x7a, 0xfc, 0x8d, 0xcd, 0x54, 0x7c, 0x97, 0xc1, 0xe3, 0xb7, 0xf7, 0xe2, 0xf1, 0x37, 0xe2, 0xb2, 0xce, 0x7c, 0xf7, 0x7e, 0xbc, 0x3c, 0x35, 0xb1, 0xc8, 0xa7, 0xcb, 0xcc, 0x4c, 0xb9, 0x12, 0x66, 0xea, 0xc0, 0x6f, 0x84, 0x2c, 0x7a, 0xe5, 0x2f, 0x3c, 0xf9, 0x08, 0x00, 0x00, 0xff, 0xff, 0x18, 0x47, 0x93, 0xb2, 0x92, 0x02, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. var _ context.Context var _ grpc.ClientConn // This is a compile-time assertion to ensure that this generated file // is compatible with the grpc package it is being compiled against. 
// NOTE(review): this file is generated by protoc-gen-gogo (see the header);
// comments added here are lost on regeneration and belong in api.proto.
const _ = grpc.SupportPackageIsVersion4

// KeyManagementServiceClient is the client API for KeyManagementService service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
//
// All three RPCs are unary. Requests and responses carry their payloads as
// plaintext protobuf fields; whatever confidentiality and peer authentication
// they have in transit comes only from how the underlying *grpc.ClientConn was
// dialed, which is not visible in this package.
//
// Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead.
type KeyManagementServiceClient interface {
	// Version returns the runtime name and runtime version of the KMS provider.
	// The client does not compare VersionResponse.Version with the version it
	// sent; any version negotiation is the caller's responsibility.
	Version(ctx context.Context, in *VersionRequest, opts ...grpc.CallOption) (*VersionResponse, error)
	// Execute decryption operation in KMS provider.
	// DecryptRequest.Cipher is sent to the provider and the recovered
	// plaintext is returned in DecryptResponse.Plain, which the caller must
	// treat as secret material.
	Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error)
	// Execute encryption operation in KMS provider.
	// EncryptRequest.Plain leaves the process as plaintext at the RPC layer;
	// the ciphertext comes back in EncryptResponse.Cipher.
	Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error)
}

// keyManagementServiceClient is the generated implementation of
// KeyManagementServiceClient. It holds only the connection it was constructed
// with; every method is a single Invoke on that connection.
type keyManagementServiceClient struct {
	cc *grpc.ClientConn
}

// NewKeyManagementServiceClient wraps an already-dialed connection.
//
// The connection is used exactly as given: no credentials, interceptors or
// deadlines are added and the peer is not verified here. Authentication of the
// KMS plugin and protection of the key material exchanged over cc therefore
// rest entirely on the dial options chosen by the caller.
// NOTE(review): presumably this is a Unix domain socket gated by file
// permissions in kube-apiserver's use — confirm against the caller.
func NewKeyManagementServiceClient(cc *grpc.ClientConn) KeyManagementServiceClient {
	return &keyManagementServiceClient{cc}
}

// Version performs the unary /v1beta1.KeyManagementService/Version RPC.
//
// No deadline is applied here; callers should bound the call through ctx.
// Errors from Invoke are returned unwrapped, and the response is nil on error.
func (c *keyManagementServiceClient) Version(ctx context.Context, in *VersionRequest, opts ...grpc.CallOption) (*VersionResponse, error) {
	out := new(VersionResponse)
	err := c.cc.Invoke(ctx, "/v1beta1.KeyManagementService/Version", in, out, opts...)
	if err != nil {
		return nil, err
	}
	return out, nil
}

// Decrypt performs the unary /v1beta1.KeyManagementService/Decrypt RPC.
//
// in.Cipher is handed to the provider and the plaintext arrives in out.Plain.
// That plaintext is secret: callers should not log it or keep it longer than
// needed. No deadline is applied here; bound the call through ctx. Errors from
// Invoke are returned unwrapped, and the response is nil on error.
func (c *keyManagementServiceClient) Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) {
	out := new(DecryptResponse)
	err := c.cc.Invoke(ctx, "/v1beta1.KeyManagementService/Decrypt", in, out, opts...)
	if err != nil {
		return nil, err
	}
	return out, nil
}

// Encrypt performs the unary /v1beta1.KeyManagementService/Encrypt RPC.
//
// in.Plain is serialized as-is into the request, so it is only as protected in
// transit as the connection carrying it. No deadline is applied here; bound
// the call through ctx. Errors from Invoke are returned unwrapped, and the
// response is nil on error.
func (c *keyManagementServiceClient) Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error) {
	out := new(EncryptResponse)
	err := c.cc.Invoke(ctx, "/v1beta1.KeyManagementService/Encrypt", in, out, opts...)
	if err != nil {
		return nil, err
	}
	return out, nil
}

// KeyManagementServiceServer is the server API for KeyManagementService service.
type KeyManagementServiceServer interface { // Version returns the runtime name and runtime version of the KMS provider. Version(context.Context, *VersionRequest) (*VersionResponse, error) // Execute decryption operation in KMS provider. Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error) // Execute encryption operation in KMS provider. Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error) } // UnimplementedKeyManagementServiceServer can be embedded to have forward compatible implementations. type UnimplementedKeyManagementServiceServer struct { } func (*UnimplementedKeyManagementServiceServer) Version(ctx context.Context, req *VersionRequest) (*VersionResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method Version not implemented") } func (*UnimplementedKeyManagementServiceServer) Decrypt(ctx context.Context, req *DecryptRequest) (*DecryptResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method Decrypt not implemented") } func (*UnimplementedKeyManagementServiceServer) Encrypt(ctx context.Context, req *EncryptRequest) (*EncryptResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method Encrypt not implemented") } func RegisterKeyManagementServiceServer(s *grpc.Server, srv KeyManagementServiceServer) { s.RegisterService(&_KeyManagementService_serviceDesc, srv) } func _KeyManagementService_Version_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(VersionRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { return srv.(KeyManagementServiceServer).Version(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, FullMethod: "/v1beta1.KeyManagementService/Version", } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(KeyManagementServiceServer).Version(ctx, req.(*VersionRequest)) } return interceptor(ctx, in, info, handler) } func 
_KeyManagementService_Decrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(DecryptRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { return srv.(KeyManagementServiceServer).Decrypt(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, FullMethod: "/v1beta1.KeyManagementService/Decrypt", } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(KeyManagementServiceServer).Decrypt(ctx, req.(*DecryptRequest)) } return interceptor(ctx, in, info, handler) } func _KeyManagementService_Encrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(EncryptRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { return srv.(KeyManagementServiceServer).Encrypt(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, FullMethod: "/v1beta1.KeyManagementService/Encrypt", } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(KeyManagementServiceServer).Encrypt(ctx, req.(*EncryptRequest)) } return interceptor(ctx, in, info, handler) } var _KeyManagementService_serviceDesc = grpc.ServiceDesc{ ServiceName: "v1beta1.KeyManagementService", HandlerType: (*KeyManagementServiceServer)(nil), Methods: []grpc.MethodDesc{ { MethodName: "Version", Handler: _KeyManagementService_Version_Handler, }, { MethodName: "Decrypt", Handler: _KeyManagementService_Decrypt_Handler, }, { MethodName: "Encrypt", Handler: _KeyManagementService_Encrypt_Handler, }, }, Streams: []grpc.StreamDesc{}, Metadata: "api.proto", } kms-0.31.4/apis/v1beta1/api.proto000066400000000000000000000052341472614404000164340ustar00rootroot00000000000000/* Copyright 2018 The Kubernetes Authors. 
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ // To regenerate api.pb.go run `hack/update-codegen.sh protobindings` syntax = "proto3"; package v1beta1; option go_package = "k8s.io/kms/apis/v1beta1"; option deprecated = true; // This service defines the public APIs for remote KMS provider. service KeyManagementService { // Version returns the runtime name and runtime version of the KMS provider. rpc Version(VersionRequest) returns (VersionResponse) {} // Execute decryption operation in KMS provider. rpc Decrypt(DecryptRequest) returns (DecryptResponse) {} // Execute encryption operation in KMS provider. rpc Encrypt(EncryptRequest) returns (EncryptResponse) {} } // Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead. message VersionRequest { // Version of the KMS plugin API. string version = 1; } // Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead. message VersionResponse { // Version of the KMS plugin API. string version = 1; // Name of the KMS provider. string runtime_name = 2; // Version of the KMS provider. The string must be semver-compatible. string runtime_version = 3; } // Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead. message DecryptRequest { // Version of the KMS plugin API. string version = 1; // The data to be decrypted. 
bytes cipher = 2; } // Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead. message DecryptResponse { // The decrypted data. bytes plain = 1; } // Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead. message EncryptRequest { // Version of the KMS plugin API. string version = 1; // The data to be encrypted. bytes plain = 2; } // Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead. message EncryptResponse { // The encrypted data. bytes cipher = 1; } kms-0.31.4/apis/v1beta1/v1beta1.go000066400000000000000000000017301472614404000163650ustar00rootroot00000000000000/* Copyright 2019 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ // Package v1beta1 contains definition of kms-plugin's gRPC service. // Deprecated: KMSv1 is deprecated in v1.28 and will only receive security updates going forward. Use KMSv2 instead. package v1beta1 // IsVersionCheckMethod determines whether the supplied method is a version check against kms-plugin. func IsVersionCheckMethod(method string) bool { return method == "/v1beta1.KeyManagementService/Version" } kms-0.31.4/apis/v2/000077500000000000000000000000001472614404000136565ustar00rootroot00000000000000kms-0.31.4/apis/v2/api.pb.go000066400000000000000000000522001472614404000153550ustar00rootroot00000000000000/* Copyright The Kubernetes Authors. 
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ // Code generated by protoc-gen-gogo. DO NOT EDIT. // source: api.proto package v2 import ( context "context" fmt "fmt" proto "github.com/gogo/protobuf/proto" grpc "google.golang.org/grpc" codes "google.golang.org/grpc/codes" status "google.golang.org/grpc/status" math "math" ) // Reference imports to suppress errors if they are not otherwise used. var _ = proto.Marshal var _ = fmt.Errorf var _ = math.Inf // This is a compile-time assertion to ensure that this generated file // is compatible with the proto package it is being compiled against. // A compilation error at this line likely means your copy of the // proto package needs to be updated. 
const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package type StatusRequest struct { XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } func (m *StatusRequest) Reset() { *m = StatusRequest{} } func (m *StatusRequest) String() string { return proto.CompactTextString(m) } func (*StatusRequest) ProtoMessage() {} func (*StatusRequest) Descriptor() ([]byte, []int) { return fileDescriptor_00212fb1f9d3bf1c, []int{0} } func (m *StatusRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StatusRequest.Unmarshal(m, b) } func (m *StatusRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { return xxx_messageInfo_StatusRequest.Marshal(b, m, deterministic) } func (m *StatusRequest) XXX_Merge(src proto.Message) { xxx_messageInfo_StatusRequest.Merge(m, src) } func (m *StatusRequest) XXX_Size() int { return xxx_messageInfo_StatusRequest.Size(m) } func (m *StatusRequest) XXX_DiscardUnknown() { xxx_messageInfo_StatusRequest.DiscardUnknown(m) } var xxx_messageInfo_StatusRequest proto.InternalMessageInfo type StatusResponse struct { // Version of the KMS gRPC plugin API. Must equal v2 to v2beta1 (v2 is recommended, but both are equivalent). Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` // Any value other than "ok" is failing healthz. On failure, the associated API server healthz endpoint will contain this value as part of the error message. Healthz string `protobuf:"bytes,2,opt,name=healthz,proto3" json:"healthz,omitempty"` // the current write key, used to determine staleness of data updated via value.Transformer.TransformFromStorage. // keyID must satisfy the following constraints: // 1. The keyID is not empty. // 2. The size of keyID is less than 1 kB. 
KeyId string `protobuf:"bytes,3,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } func (m *StatusResponse) Reset() { *m = StatusResponse{} } func (m *StatusResponse) String() string { return proto.CompactTextString(m) } func (*StatusResponse) ProtoMessage() {} func (*StatusResponse) Descriptor() ([]byte, []int) { return fileDescriptor_00212fb1f9d3bf1c, []int{1} } func (m *StatusResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_StatusResponse.Unmarshal(m, b) } func (m *StatusResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { return xxx_messageInfo_StatusResponse.Marshal(b, m, deterministic) } func (m *StatusResponse) XXX_Merge(src proto.Message) { xxx_messageInfo_StatusResponse.Merge(m, src) } func (m *StatusResponse) XXX_Size() int { return xxx_messageInfo_StatusResponse.Size(m) } func (m *StatusResponse) XXX_DiscardUnknown() { xxx_messageInfo_StatusResponse.DiscardUnknown(m) } var xxx_messageInfo_StatusResponse proto.InternalMessageInfo func (m *StatusResponse) GetVersion() string { if m != nil { return m.Version } return "" } func (m *StatusResponse) GetHealthz() string { if m != nil { return m.Healthz } return "" } func (m *StatusResponse) GetKeyId() string { if m != nil { return m.KeyId } return "" } type DecryptRequest struct { // The data to be decrypted. Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` // UID is a unique identifier for the request. Uid string `protobuf:"bytes,2,opt,name=uid,proto3" json:"uid,omitempty"` // The keyID that was provided to the apiserver during encryption. // This represents the KMS KEK that was used to encrypt the data. KeyId string `protobuf:"bytes,3,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` // Additional metadata that was sent by the KMS plugin during encryption. 
Annotations map[string][]byte `protobuf:"bytes,4,rep,name=annotations,proto3" json:"annotations,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } func (m *DecryptRequest) Reset() { *m = DecryptRequest{} } func (m *DecryptRequest) String() string { return proto.CompactTextString(m) } func (*DecryptRequest) ProtoMessage() {} func (*DecryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor_00212fb1f9d3bf1c, []int{2} } func (m *DecryptRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_DecryptRequest.Unmarshal(m, b) } func (m *DecryptRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { return xxx_messageInfo_DecryptRequest.Marshal(b, m, deterministic) } func (m *DecryptRequest) XXX_Merge(src proto.Message) { xxx_messageInfo_DecryptRequest.Merge(m, src) } func (m *DecryptRequest) XXX_Size() int { return xxx_messageInfo_DecryptRequest.Size(m) } func (m *DecryptRequest) XXX_DiscardUnknown() { xxx_messageInfo_DecryptRequest.DiscardUnknown(m) } var xxx_messageInfo_DecryptRequest proto.InternalMessageInfo func (m *DecryptRequest) GetCiphertext() []byte { if m != nil { return m.Ciphertext } return nil } func (m *DecryptRequest) GetUid() string { if m != nil { return m.Uid } return "" } func (m *DecryptRequest) GetKeyId() string { if m != nil { return m.KeyId } return "" } func (m *DecryptRequest) GetAnnotations() map[string][]byte { if m != nil { return m.Annotations } return nil } type DecryptResponse struct { // The decrypted data. 
Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } func (m *DecryptResponse) Reset() { *m = DecryptResponse{} } func (m *DecryptResponse) String() string { return proto.CompactTextString(m) } func (*DecryptResponse) ProtoMessage() {} func (*DecryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor_00212fb1f9d3bf1c, []int{3} } func (m *DecryptResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_DecryptResponse.Unmarshal(m, b) } func (m *DecryptResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { return xxx_messageInfo_DecryptResponse.Marshal(b, m, deterministic) } func (m *DecryptResponse) XXX_Merge(src proto.Message) { xxx_messageInfo_DecryptResponse.Merge(m, src) } func (m *DecryptResponse) XXX_Size() int { return xxx_messageInfo_DecryptResponse.Size(m) } func (m *DecryptResponse) XXX_DiscardUnknown() { xxx_messageInfo_DecryptResponse.DiscardUnknown(m) } var xxx_messageInfo_DecryptResponse proto.InternalMessageInfo func (m *DecryptResponse) GetPlaintext() []byte { if m != nil { return m.Plaintext } return nil } type EncryptRequest struct { // The data to be encrypted. Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"` // UID is a unique identifier for the request. 
Uid string `protobuf:"bytes,2,opt,name=uid,proto3" json:"uid,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } func (m *EncryptRequest) Reset() { *m = EncryptRequest{} } func (m *EncryptRequest) String() string { return proto.CompactTextString(m) } func (*EncryptRequest) ProtoMessage() {} func (*EncryptRequest) Descriptor() ([]byte, []int) { return fileDescriptor_00212fb1f9d3bf1c, []int{4} } func (m *EncryptRequest) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_EncryptRequest.Unmarshal(m, b) } func (m *EncryptRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { return xxx_messageInfo_EncryptRequest.Marshal(b, m, deterministic) } func (m *EncryptRequest) XXX_Merge(src proto.Message) { xxx_messageInfo_EncryptRequest.Merge(m, src) } func (m *EncryptRequest) XXX_Size() int { return xxx_messageInfo_EncryptRequest.Size(m) } func (m *EncryptRequest) XXX_DiscardUnknown() { xxx_messageInfo_EncryptRequest.DiscardUnknown(m) } var xxx_messageInfo_EncryptRequest proto.InternalMessageInfo func (m *EncryptRequest) GetPlaintext() []byte { if m != nil { return m.Plaintext } return nil } func (m *EncryptRequest) GetUid() string { if m != nil { return m.Uid } return "" } type EncryptResponse struct { // The encrypted data. // ciphertext must satisfy the following constraints: // 1. The ciphertext is not empty. // 2. The ciphertext is less than 1 kB. Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` // The KMS key ID used to encrypt the data. This must always refer to the KMS KEK and not any local KEKs that may be in use. // This can be used to inform staleness of data updated via value.Transformer.TransformFromStorage. // keyID must satisfy the following constraints: // 1. The keyID is not empty. // 2. The size of keyID is less than 1 kB. 
KeyId string `protobuf:"bytes,2,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` // Additional metadata to be stored with the encrypted data. // This data is stored in plaintext in etcd. KMS plugin implementations are responsible for pre-encrypting any sensitive data. // Annotations must satisfy the following constraints: // 1. Annotation key must be a fully qualified domain name that conforms to the definition in DNS (RFC 1123). // 2. The size of annotations keys + values is less than 32 kB. Annotations map[string][]byte `protobuf:"bytes,3,rep,name=annotations,proto3" json:"annotations,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` } func (m *EncryptResponse) Reset() { *m = EncryptResponse{} } func (m *EncryptResponse) String() string { return proto.CompactTextString(m) } func (*EncryptResponse) ProtoMessage() {} func (*EncryptResponse) Descriptor() ([]byte, []int) { return fileDescriptor_00212fb1f9d3bf1c, []int{5} } func (m *EncryptResponse) XXX_Unmarshal(b []byte) error { return xxx_messageInfo_EncryptResponse.Unmarshal(m, b) } func (m *EncryptResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { return xxx_messageInfo_EncryptResponse.Marshal(b, m, deterministic) } func (m *EncryptResponse) XXX_Merge(src proto.Message) { xxx_messageInfo_EncryptResponse.Merge(m, src) } func (m *EncryptResponse) XXX_Size() int { return xxx_messageInfo_EncryptResponse.Size(m) } func (m *EncryptResponse) XXX_DiscardUnknown() { xxx_messageInfo_EncryptResponse.DiscardUnknown(m) } var xxx_messageInfo_EncryptResponse proto.InternalMessageInfo func (m *EncryptResponse) GetCiphertext() []byte { if m != nil { return m.Ciphertext } return nil } func (m *EncryptResponse) GetKeyId() string { if m != nil { return m.KeyId } return "" } func (m *EncryptResponse) GetAnnotations() map[string][]byte { if m != nil { 
return m.Annotations } return nil } func init() { proto.RegisterType((*StatusRequest)(nil), "v2.StatusRequest") proto.RegisterType((*StatusResponse)(nil), "v2.StatusResponse") proto.RegisterType((*DecryptRequest)(nil), "v2.DecryptRequest") proto.RegisterMapType((map[string][]byte)(nil), "v2.DecryptRequest.AnnotationsEntry") proto.RegisterType((*DecryptResponse)(nil), "v2.DecryptResponse") proto.RegisterType((*EncryptRequest)(nil), "v2.EncryptRequest") proto.RegisterType((*EncryptResponse)(nil), "v2.EncryptResponse") proto.RegisterMapType((map[string][]byte)(nil), "v2.EncryptResponse.AnnotationsEntry") } func init() { proto.RegisterFile("api.proto", fileDescriptor_00212fb1f9d3bf1c) } var fileDescriptor_00212fb1f9d3bf1c = []byte{ // 403 bytes of a gzipped FileDescriptorProto 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x93, 0xcd, 0x6e, 0xda, 0x40, 0x10, 0xc7, 0xb1, 0x5d, 0x40, 0x0c, 0x14, 0xe8, 0x96, 0x4a, 0x16, 0xaa, 0x2a, 0xb4, 0xed, 0x81, 0x93, 0xad, 0xba, 0x3d, 0xa0, 0x1e, 0xaa, 0xb6, 0x2a, 0x95, 0xaa, 0xaa, 0x17, 0x73, 0x6b, 0x0f, 0xd1, 0x06, 0x46, 0x61, 0x65, 0x58, 0x3b, 0xde, 0xb5, 0x15, 0xe7, 0xbd, 0xf2, 0x1e, 0x79, 0x84, 0x3c, 0x4a, 0x64, 0x7b, 0x01, 0x1b, 0x94, 0xe4, 0x94, 0x9b, 0xe7, 0xf3, 0x3f, 0xf3, 0xdb, 0x31, 0x74, 0x58, 0xc4, 0x9d, 0x28, 0x0e, 0x55, 0x48, 0xcc, 0xd4, 0xa3, 0x03, 0x78, 0xb9, 0x50, 0x4c, 0x25, 0xd2, 0xc7, 0xcb, 0x04, 0xa5, 0xa2, 0xff, 0xa1, 0xbf, 0x73, 0xc8, 0x28, 0x14, 0x12, 0x89, 0x0d, 0xed, 0x14, 0x63, 0xc9, 0x43, 0x61, 0x1b, 0x13, 0x63, 0xda, 0xf1, 0x77, 0x66, 0x1e, 0x59, 0x23, 0xdb, 0xa8, 0xf5, 0xb5, 0x6d, 0x96, 0x11, 0x6d, 0x92, 0x37, 0xd0, 0x0a, 0x30, 0x3b, 0xe3, 0x2b, 0xdb, 0x2a, 0x02, 0xcd, 0x00, 0xb3, 0xdf, 0x2b, 0x7a, 0x67, 0x40, 0xff, 0x27, 0x2e, 0xe3, 0x2c, 0x52, 0x5a, 0x8f, 0xbc, 0x03, 0x58, 0xf2, 0x68, 0x8d, 0xb1, 0xc2, 0x2b, 0x55, 0x08, 0xf4, 0xfc, 0x8a, 0x87, 0x0c, 0xc1, 0x4a, 0xf8, 0x4a, 0xf7, 0xcf, 0x3f, 0x1f, 0xe8, 0x4d, 0xe6, 0xd0, 0x65, 0x42, 0x84, 0x8a, 0x29, 0x1e, 0x0a, 0x69, 0xbf, 0x98, 
0x58, 0xd3, 0xae, 0xf7, 0xde, 0x49, 0x3d, 0xa7, 0xae, 0xe8, 0x7c, 0x3f, 0x64, 0xcd, 0x85, 0x8a, 0x33, 0xbf, 0x5a, 0x37, 0xfe, 0x0a, 0xc3, 0xe3, 0x84, 0x7c, 0x86, 0x00, 0x33, 0xbd, 0x7d, 0xfe, 0x49, 0x46, 0xd0, 0x4c, 0xd9, 0x26, 0xc1, 0x62, 0xae, 0x9e, 0x5f, 0x1a, 0x5f, 0xcc, 0x99, 0x41, 0x5d, 0x18, 0xec, 0xf5, 0x34, 0xc0, 0xb7, 0xd0, 0x89, 0x36, 0x8c, 0x8b, 0xca, 0x86, 0x07, 0x07, 0xfd, 0x06, 0xfd, 0xb9, 0xa8, 0x21, 0x79, 0x34, 0xff, 0x14, 0x08, 0xbd, 0x35, 0x60, 0xb0, 0x6f, 0xa1, 0x35, 0x9f, 0xc2, 0x7a, 0x80, 0x68, 0x56, 0x21, 0xfe, 0xaa, 0x43, 0xb4, 0x0a, 0x88, 0x1f, 0x72, 0x88, 0x47, 0x02, 0xcf, 0x4b, 0xd1, 0xbb, 0x31, 0x60, 0xf4, 0x07, 0xb3, 0xbf, 0x4c, 0xb0, 0x0b, 0xdc, 0xa2, 0x50, 0x0b, 0x8c, 0x53, 0xbe, 0x44, 0xf2, 0x11, 0x5a, 0xe5, 0x79, 0x92, 0x57, 0xf9, 0x54, 0xb5, 0xdb, 0x1d, 0x93, 0xaa, 0xab, 0x9c, 0x93, 0x36, 0xc8, 0x67, 0x68, 0xeb, 0x17, 0x21, 0xe4, 0xf4, 0x1c, 0xc6, 0xaf, 0x6b, 0xbe, 0x6a, 0x95, 0x5e, 0xb9, 0xac, 0xaa, 0xbf, 0x51, 0x59, 0x75, 0xc4, 0x84, 0x36, 0x7e, 0x8c, 0xfe, 0x91, 0x60, 0x26, 0x1d, 0x1e, 0xba, 0xc1, 0x56, 0xba, 0x2c, 0xe2, 0xd2, 0x4d, 0xbd, 0xf3, 0x56, 0xf1, 0xbf, 0x7d, 0xba, 0x0f, 0x00, 0x00, 0xff, 0xff, 0x5f, 0xf8, 0x49, 0x17, 0x7c, 0x03, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. var _ context.Context var _ grpc.ClientConn // This is a compile-time assertion to ensure that this generated file // is compatible with the grpc package it is being compiled against. const _ = grpc.SupportPackageIsVersion4 // KeyManagementServiceClient is the client API for KeyManagementService service. // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream. type KeyManagementServiceClient interface { // this API is meant to be polled Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error) // Execute decryption operation in KMS provider. 
Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) // Execute encryption operation in KMS provider. Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error) } type keyManagementServiceClient struct { cc *grpc.ClientConn } func NewKeyManagementServiceClient(cc *grpc.ClientConn) KeyManagementServiceClient { return &keyManagementServiceClient{cc} } func (c *keyManagementServiceClient) Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error) { out := new(StatusResponse) err := c.cc.Invoke(ctx, "/v2.KeyManagementService/Status", in, out, opts...) if err != nil { return nil, err } return out, nil } func (c *keyManagementServiceClient) Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) { out := new(DecryptResponse) err := c.cc.Invoke(ctx, "/v2.KeyManagementService/Decrypt", in, out, opts...) if err != nil { return nil, err } return out, nil } func (c *keyManagementServiceClient) Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error) { out := new(EncryptResponse) err := c.cc.Invoke(ctx, "/v2.KeyManagementService/Encrypt", in, out, opts...) if err != nil { return nil, err } return out, nil } // KeyManagementServiceServer is the server API for KeyManagementService service. type KeyManagementServiceServer interface { // this API is meant to be polled Status(context.Context, *StatusRequest) (*StatusResponse, error) // Execute decryption operation in KMS provider. Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error) // Execute encryption operation in KMS provider. Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error) } // UnimplementedKeyManagementServiceServer can be embedded to have forward compatible implementations. 
type UnimplementedKeyManagementServiceServer struct { } func (*UnimplementedKeyManagementServiceServer) Status(ctx context.Context, req *StatusRequest) (*StatusResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method Status not implemented") } func (*UnimplementedKeyManagementServiceServer) Decrypt(ctx context.Context, req *DecryptRequest) (*DecryptResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method Decrypt not implemented") } func (*UnimplementedKeyManagementServiceServer) Encrypt(ctx context.Context, req *EncryptRequest) (*EncryptResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method Encrypt not implemented") } func RegisterKeyManagementServiceServer(s *grpc.Server, srv KeyManagementServiceServer) { s.RegisterService(&_KeyManagementService_serviceDesc, srv) } func _KeyManagementService_Status_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(StatusRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { return srv.(KeyManagementServiceServer).Status(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, FullMethod: "/v2.KeyManagementService/Status", } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(KeyManagementServiceServer).Status(ctx, req.(*StatusRequest)) } return interceptor(ctx, in, info, handler) } func _KeyManagementService_Decrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(DecryptRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { return srv.(KeyManagementServiceServer).Decrypt(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, FullMethod: "/v2.KeyManagementService/Decrypt", } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return 
srv.(KeyManagementServiceServer).Decrypt(ctx, req.(*DecryptRequest)) } return interceptor(ctx, in, info, handler) } func _KeyManagementService_Encrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(EncryptRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { return srv.(KeyManagementServiceServer).Encrypt(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, FullMethod: "/v2.KeyManagementService/Encrypt", } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(KeyManagementServiceServer).Encrypt(ctx, req.(*EncryptRequest)) } return interceptor(ctx, in, info, handler) } var _KeyManagementService_serviceDesc = grpc.ServiceDesc{ ServiceName: "v2.KeyManagementService", HandlerType: (*KeyManagementServiceServer)(nil), Methods: []grpc.MethodDesc{ { MethodName: "Status", Handler: _KeyManagementService_Status_Handler, }, { MethodName: "Decrypt", Handler: _KeyManagementService_Decrypt_Handler, }, { MethodName: "Encrypt", Handler: _KeyManagementService_Encrypt_Handler, }, }, Streams: []grpc.StreamDesc{}, Metadata: "api.proto", } kms-0.31.4/apis/v2/api.proto000066400000000000000000000067571472614404000155330ustar00rootroot00000000000000/* Copyright 2022 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. 
*/ // To regenerate api.pb.go run `hack/update-codegen.sh protobindings` syntax = "proto3"; package v2; option go_package = "k8s.io/kms/apis/v2"; // This service defines the public APIs for a remote KMS provider. service KeyManagementService { // Status reports the plugin API version, health and current write key ID. This RPC is meant to be polled, not called once. rpc Status(StatusRequest) returns (StatusResponse) {} // Execute decryption operation in KMS provider. rpc Decrypt(DecryptRequest) returns (DecryptResponse) {} // Execute encryption operation in KMS provider. rpc Encrypt(EncryptRequest) returns (EncryptResponse) {} } message StatusRequest {} message StatusResponse { // Version of the KMS gRPC plugin API. Must equal v2 or v2beta1 (v2 is recommended, but both are equivalent). string version = 1; // Any value other than "ok" is treated as a failing healthz check. On failure, the associated API server healthz endpoint will contain this value as part of the error message. string healthz = 2; // The ID of the current write key, used to determine staleness of data updated via value.Transformer.TransformFromStorage. // keyID must satisfy the following constraints: // 1. The keyID is not empty. // 2. The size of keyID is less than 1 kB. string key_id = 3; } message DecryptRequest { // The data to be decrypted. bytes ciphertext = 1; // UID is a unique identifier for the request. string uid = 2; // The keyID that was provided to the apiserver during encryption. // This represents the KMS KEK that was used to encrypt the data. string key_id = 3; // Additional metadata that was sent by the KMS plugin during encryption. map<string, bytes> annotations = 4; } message DecryptResponse { // The decrypted data. bytes plaintext = 1; } message EncryptRequest { // The data to be encrypted. bytes plaintext = 1; // UID is a unique identifier for the request. string uid = 2; } message EncryptResponse { // The encrypted data. // ciphertext must satisfy the following constraints: // 1. The ciphertext is not empty. // 2. The ciphertext is less than 1 kB. 
bytes ciphertext = 1; // The KMS key ID used to encrypt the data. This must always refer to the KMS KEK and not any local KEKs that may be in use. // This can be used to inform staleness of data updated via value.Transformer.TransformFromStorage. // keyID must satisfy the following constraints: // 1. The keyID is not empty. // 2. The size of keyID is less than 1 kB. string key_id = 2; // Additional metadata to be stored with the encrypted data. // This data is stored in plaintext in etcd, so KMS plugin implementations are responsible for encrypting any sensitive data before placing it here; never put key material or other secrets in annotations unencrypted. // Annotations must satisfy the following constraints: // 1. Annotation key must be a fully qualified domain name that conforms to the definition in DNS (RFC 1123). // 2. The size of annotations keys + values is less than 32 kB. map<string, bytes> annotations = 3; } kms-0.31.4/apis/v2/v2.go000066400000000000000000000012061472614404000145330ustar00rootroot00000000000000/* Copyright 2022 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ // Package v2 contains the definition of the kms-plugin's gRPC service. package v2 kms-0.31.4/code-of-conduct.md000066400000000000000000000002241472614404000156640ustar00rootroot00000000000000# Kubernetes Community Code of Conduct Please refer to our [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md) kms-0.31.4/doc.go000066400000000000000000000012351472614404000134700ustar00rootroot00000000000000/* Copyright 2022 The Kubernetes Authors. 
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ // Package kms contains the proto definitions for the kms API. package kms // import "k8s.io/kms" kms-0.31.4/go.mod000066400000000000000000000006511472614404000135030ustar00rootroot00000000000000// This is a generated file. Do not edit directly. module k8s.io/kms go 1.22.0 require ( github.com/gogo/protobuf v1.3.2 google.golang.org/grpc v1.65.0 ) require ( golang.org/x/net v0.26.0 // indirect golang.org/x/sys v0.21.0 // indirect golang.org/x/text v0.16.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect google.golang.org/protobuf v1.34.2 // indirect ) kms-0.31.4/go.sum000066400000000000000000000103701472614404000135270ustar00rootroot00000000000000github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod 
h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.16.0 
h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA= google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= 
kms-0.31.4/internal/000077500000000000000000000000001472614404000142075ustar00rootroot00000000000000kms-0.31.4/internal/plugins/000077500000000000000000000000001472614404000156705ustar00rootroot00000000000000kms-0.31.4/internal/plugins/_mock/000077500000000000000000000000001472614404000167605ustar00rootroot00000000000000kms-0.31.4/internal/plugins/_mock/.gitignore000066400000000000000000000001221472614404000207430ustar00rootroot00000000000000# avoid constant churn as this file is not kept in sync with the root go.work.sum kms-0.31.4/internal/plugins/_mock/Dockerfile000066400000000000000000000021751472614404000207570ustar00rootroot00000000000000# Copyright 2023 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. FROM golang:1.22.0-bullseye as builder WORKDIR /workspace # Copy the source COPY apimachinery/ apimachinery/ COPY kms/ kms/ WORKDIR /workspace/kms/internal/plugins/_mock ARG TARGETARCH ARG TARGETPLATFORM RUN CGO_ENABLED=1 GOOS=linux GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o mock-kms-plugin plugin.go FROM alpine:latest RUN apk add --update --no-cache ca-certificates gcompat RUN apk add --no-cache softhsm COPY --from=builder /workspace/kms/internal/plugins/_mock/mock-kms-plugin /usr/local/bin/mock-kms-plugin ENTRYPOINT [ "mock-kms-plugin" ] kms-0.31.4/internal/plugins/_mock/README.md000066400000000000000000000005361472614404000202430ustar00rootroot00000000000000# Mock KMS Plugin This is a mock KMS plugin for testing purposes. 
It implements the KMS plugin using PKCS#11 interface backed by [SoftHSM](https://www.opendnssec.org/softhsm/). It is intended to be used for testing only and not for production use. The directory is named `_mock` so that it is ignored by the `go mod` tooling in the root directory. kms-0.31.4/internal/plugins/_mock/go.mod000066400000000000000000000013031472614404000200630ustar00rootroot00000000000000module k8s.io/kms/plugins/mock go 1.22.0 require ( github.com/ThalesIgnite/crypto11 v1.2.5 k8s.io/kms v0.0.0-00010101000000-000000000000 ) require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f // indirect github.com/pkg/errors v0.9.1 // indirect github.com/thales-e-security/pool v0.0.2 // indirect golang.org/x/net v0.26.0 // indirect golang.org/x/sys v0.21.0 // indirect golang.org/x/text v0.16.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect google.golang.org/grpc v1.65.0 // indirect google.golang.org/protobuf v1.34.2 // indirect ) replace k8s.io/kms => ../../../../kms kms-0.31.4/internal/plugins/_mock/go.sum000066400000000000000000000132361472614404000201200ustar00rootroot00000000000000github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E= github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= 
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f h1:eVB9ELsoq5ouItQBr5Tj334bhPJG/MX+m7rTchmzVUQ= github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg= github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net 
v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod 
h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA= google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= kms-0.31.4/internal/plugins/_mock/go.work000066400000000000000000000002421472614404000202670ustar00rootroot00000000000000// This is a hack, but it prevents go from climbing further and trying to // reconcile the various deps across the "real" modules and this one. go 1.22.0 use . kms-0.31.4/internal/plugins/_mock/kms.yaml000066400000000000000000000040071472614404000204370ustar00rootroot00000000000000apiVersion: v1 kind: Pod metadata: name: mock-kmsv2-provider namespace: kube-system labels: tier: control-plane component: mock-kmsv2-provider spec: # hostNetwork: true is required because the plugin is run as a static pod # on the control plane node and needs to run before the CNI plugins are initialized. 
hostNetwork: true initContainers: - args: - | #!/bin/sh set -e set -x # if token exists, skip initialization if [ $(ls -1 /var/lib/softhsm/tokens | wc -l) -ge 1 ]; then echo "Skipping initialization of softhsm" exit 0 fi mkdir -p /var/lib/softhsm/tokens apk add --update --no-cache ca-certificates jq apk add --no-cache ccid opensc softhsm TOKEN_LABEL=$(jq -r '.tokenLabel' /etc/softhsm-config.json) PIN=$(jq -r '.pin' /etc/softhsm-config.json) MODULE_PATH=$(jq -r '.path' /etc/softhsm-config.json) softhsm2-util --init-token --free --label $TOKEN_LABEL --pin $PIN --so-pin $PIN pkcs11-tool --module $MODULE_PATH --keygen --key-type aes:32 --pin $PIN --token-label $TOKEN_LABEL --label kms-test command: - /bin/sh - -c image: alpine:latest imagePullPolicy: IfNotPresent name: init-mock-kmsv2-provider volumeMounts: - mountPath: /var/lib/softhsm/tokens name: softhsm-tokens - mountPath: /etc/softhsm-config.json name: softhsm-config containers: - name: mock-kmsv2-provider image: localhost:5000/mock-kms-provider:e2e imagePullPolicy: IfNotPresent volumeMounts: - name: sock mountPath: /tmp - name: softhsm-config mountPath: /etc/softhsm-config.json - name: softhsm-tokens mountPath: /var/lib/softhsm/tokens volumes: - name: sock hostPath: path: /tmp - name: softhsm-config hostPath: path: /etc/softhsm-config.json type: File - name: softhsm-tokens hostPath: path: /var/lib/softhsm/tokens type: DirectoryOrCreate kms-0.31.4/internal/plugins/_mock/pkcs11/000077500000000000000000000000001472614404000200625ustar00rootroot00000000000000kms-0.31.4/internal/plugins/_mock/pkcs11/pkcs11.go000066400000000000000000000060531472614404000215170ustar00rootroot00000000000000/* Copyright 2023 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Package pkcs11 is the mock KMS plugin's service.Service implementation: a
// single AEAD obtained from a PKCS#11 token through crypto11 (SoftHSMv2 in the
// accompanying test setup).
package pkcs11

import (
	"context"
	"crypto/cipher"
	"crypto/rand"
	"fmt"

	crypot11 "github.com/ThalesIgnite/crypto11"

	"k8s.io/kms/pkg/service"
)

const (
	// mockAnnotationKey is the only annotation this plugin emits on Encrypt and
	// the only one it accepts on Decrypt; its value is always the literal "1".
	mockAnnotationKey = "version.encryption.remote.io"
)

var _ service.Service = &pkcs11RemoteService{}

// pkcs11RemoteService implements service.Service with one token-backed AEAD.
// keyID is the label the key was looked up by; it is reported to the caller
// in Status and Encrypt responses and is also bound into every ciphertext as
// additional authenticated data, so a ciphertext only opens under the same
// keyID it was sealed with.
type pkcs11RemoteService struct {
	keyID string      // key label on the token; doubles as AEAD additional data
	aead  cipher.AEAD // GCM AEAD returned by key.NewGCM() in the constructor
}

// NewPKCS11RemoteService creates a new PKCS11 remote service with SoftHSMv2
// configuration file and keyID.
//
// configFilePath is handed straight to crypto11.ConfigureFromFile. keyID must
// be non-empty and is used as the key label for the lookup (the id argument of
// FindKey is nil). crypto11 errors are returned unwrapped; a key that is not
// present on the token is reported as an error rather than a nil service.
func NewPKCS11RemoteService(configFilePath, keyID string) (service.Service, error) {
	// ctx is a crypto11 Context (a session on the configured token), not a context.Context.
	ctx, err := crypot11.ConfigureFromFile(configFilePath)
	if err != nil {
		return nil, err
	}

	if len(keyID) == 0 {
		return nil, fmt.Errorf("invalid keyID")
	}

	remoteService := &pkcs11RemoteService{
		keyID: keyID,
	}

	key, err := ctx.FindKey(nil, []byte(keyID))
	if err != nil {
		return nil, err
	}
	if key == nil {
		return nil, fmt.Errorf("key not found")
	}
	if remoteService.aead, err = key.NewGCM(); err != nil {
		return nil, err
	}

	return remoteService, nil
}

// Encrypt seals plaintext with the token-backed AEAD and returns
// nonce || ciphertext+tag, the service keyID, and the version annotation.
// A fresh nonce is drawn from crypto/rand on every call and s.keyID is used as
// additional authenticated data. uid is accepted for the interface and unused.
//
// NOTE(review): with random nonces the safety margin depends on how many
// messages are sealed under one key (nonce reuse breaks GCM); nothing here
// counts encryptions or rotates the key, which is acceptable for a test mock
// but not a pattern to copy into a production plugin.
func (s *pkcs11RemoteService) Encrypt(ctx context.Context, uid string, plaintext []byte) (*service.EncryptResponse, error) {
	nonceSize := s.aead.NonceSize()
	// One allocation sized for nonce + tag + plaintext: the nonce occupies the
	// first nonceSize bytes and Seal appends directly behind it.
	result := make([]byte, nonceSize+s.aead.Overhead()+len(plaintext))
	n, err := rand.Read(result[:nonceSize])
	if err != nil {
		return nil, err
	}
	// Defensive: rand.Read fills the whole slice or returns an error.
	if n != nonceSize {
		return nil, fmt.Errorf("unable to read sufficient random bytes")
	}

	// result[nonceSize:nonceSize] is empty with spare capacity, so Seal writes
	// in place after the nonce instead of allocating.
	cipherText := s.aead.Seal(result[nonceSize:nonceSize], result[:nonceSize], plaintext, []byte(s.keyID))

	return &service.EncryptResponse{
		Ciphertext: result[:nonceSize+len(cipherText)],
		KeyID:      s.keyID,
		Annotations: map[string][]byte{
			mockAnnotationKey: []byte("1"),
		},
	}, nil
}

// Decrypt reverses Encrypt. Before touching the ciphertext it requires exactly
// one annotation, mockAnnotationKey with value "1", and a KeyID equal to the
// one this service was built with; the ciphertext must be at least NonceSize
// bytes long. The AEAD tag check (with keyID as additional data) rejects data
// that was modified or sealed under a different key label. uid is unused.
func (s *pkcs11RemoteService) Decrypt(ctx context.Context, uid string, req *service.DecryptRequest) ([]byte, error) {
	// Exact-set check: any extra or missing annotation is rejected, not ignored.
	if len(req.Annotations) != 1 {
		return nil, fmt.Errorf("invalid annotations")
	}
	if v, ok := req.Annotations[mockAnnotationKey]; !ok || string(v) != "1" {
		return nil, fmt.Errorf("invalid version in annotations")
	}
	if req.KeyID != s.keyID {
		return nil, fmt.Errorf("invalid keyID")
	}

	nonceSize := s.aead.NonceSize()
	data := req.Ciphertext
	// Guard the slice below; Open itself handles the rest (tag length, auth failure).
	if len(data) < nonceSize {
		return nil, fmt.Errorf("the stored data was shorter than the required size")
	}

	return s.aead.Open(nil, data[:nonceSize], data[nonceSize:], []byte(s.keyID))
}

// Status reports a static healthy status. "v2" is the version the api.proto
// StatusResponse expects and "ok" is the healthz value that passes.
func (s *pkcs11RemoteService) Status(ctx context.Context) (*service.StatusResponse, error) {
	return &service.StatusResponse{
		Version: "v2",
		Healthz: "ok",
		KeyID:   s.keyID,
	}, nil
}
kms-0.31.4/internal/plugins/_mock/plugin.go000066400000000000000000000037571472614404000206150ustar00rootroot00000000000000/*
Copyright 2023 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
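*/

package main

import (
	"context"
	"flag"
	"os"
	"os/signal"
	"syscall"
	"time"

	"k8s.io/kms/pkg/service"
	"k8s.io/kms/pkg/util"
	"k8s.io/kms/plugins/mock/pkcs11"
)

var (
	// listenAddr must be a unix:// endpoint (see util.ParseEndpoint). The
	// default lives under /tmp, so who can reach the plugin is governed by the
	// permissions of that socket file and its directory.
	listenAddr     = flag.String("listen-addr", "unix:///tmp/kms.socket", "gRPC listen address")
	timeout        = flag.Duration("timeout", 5*time.Second, "gRPC timeout")
	configFilePath = flag.String("config-file-path", "/etc/softhsm-config.json", "SoftHSM config file path")
)

// main wires the PKCS#11-backed mock Service to a gRPC server on the
// configured unix socket and serves until SIGTERM/SIGINT, then shuts the
// server down gracefully. Startup and serve failures panic rather than
// return; for this test plugin that is the simplest way to surface them.
func main() {
	flag.Parse()

	addr, err := util.ParseEndpoint(*listenAddr)
	if err != nil {
		panic("failed to parse endpoint: " + err.Error())
	}

	// "kms-test" is the key label the init container creates on the token
	// (see kms.yaml).
	remoteKMSService, err := pkcs11.NewPKCS11RemoteService(*configFilePath, "kms-test")
	if err != nil {
		panic("failed to create remote service: " + err.Error())
	}

	ctx := withShutdownSignal(context.Background())

	grpcService := service.NewGRPCService(
		addr,
		*timeout,
		remoteKMSService,
	)

	// Serve in the background; a panic in this goroutine takes the process
	// down, which is the intended failure mode here.
	go func() {
		if err := grpcService.ListenAndServe(); err != nil {
			panic("failed to serve: " + err.Error())
		}
	}()

	<-ctx.Done()
	grpcService.Shutdown()
}

// withShutdownSignal returns a copy of the parent context that is cancelled
// when the process receives SIGTERM or SIGINT, or when the parent context
// itself is cancelled. The signal registration is released as soon as either
// happens, so the helper goroutine never outlives the returned context.
func withShutdownSignal(ctx context.Context) context.Context {
	// Buffer of one so a signal that arrives before the goroutine is
	// scheduled is not dropped.
	signalChan := make(chan os.Signal, 1)
	signal.Notify(signalChan, syscall.SIGTERM, syscall.SIGINT, os.Interrupt)

	nctx, cancel := context.WithCancel(ctx)
	go func() {
		// Also wake on parent cancellation; otherwise this goroutine (and the
		// signal registration) would leak when the parent ends without a signal.
		select {
		case <-signalChan:
		case <-ctx.Done():
		}
		signal.Stop(signalChan)
		cancel()
	}()
	return nctx
}
kms-0.31.4/pkg/000077500000000000000000000000001472614404000131545ustar00rootroot00000000000000kms-0.31.4/pkg/service/000077500000000000000000000000001472614404000146145ustar00rootroot00000000000000kms-0.31.4/pkg/service/grpc_service.go000066400000000000000000000062501472614404000176210ustar00rootroot00000000000000/*
Copyright 2023 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.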
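You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package service

import (
	"context"
	"net"
	"sync"
	"time"

	"google.golang.org/grpc"

	kmsapi "k8s.io/kms/apis/v2"
)

// GRPCService is a grpc server that exposes a Service over the kms v2 API on
// a Unix domain socket. The zero value is not usable; build one with
// NewGRPCService.
type GRPCService struct {
	addr       string
	timeout    time.Duration
	kmsService Service

	// mu guards server, which ListenAndServe assigns lazily and Shutdown/Close
	// read, usually from a different goroutine (the serving goroutine versus
	// the one handling the shutdown signal).
	mu     sync.Mutex
	server *grpc.Server
}

var _ kmsapi.KeyManagementServiceServer = (*GRPCService)(nil)

// NewGRPCService creates an instance of GRPCService.
//
// address is the socket path passed to net.Listen("unix", ...), timeout is
// the gRPC connection timeout, and kmsService is the backend every RPC is
// forwarded to.
func NewGRPCService(
	address string,
	timeout time.Duration,
	kmsService Service,
) *GRPCService {
	return &GRPCService{
		addr:       address,
		timeout:    timeout,
		kmsService: kmsService,
	}
}

// ListenAndServe accepts incoming connections on a Unix socket. It is a blocking method.
// Returns non-nil error unless Close or Shutdown is called.
//
// The socket file is created with the process umask, and the file and
// directory permissions are the only access control on the plugin. A socket
// file left behind by an unclean exit makes Listen fail until it is removed.
func (s *GRPCService) ListenAndServe() error {
	ln, err := net.Listen("unix", s.addr)
	if err != nil {
		return err
	}
	defer ln.Close()

	gs := grpc.NewServer(
		grpc.ConnectionTimeout(s.timeout),
	)
	kmsapi.RegisterKeyManagementServiceServer(gs, s)

	// Publish the server under the lock so a concurrent Shutdown/Close sees
	// either nil (nothing started yet) or the fully registered server.
	s.mu.Lock()
	s.server = gs
	s.mu.Unlock()

	return gs.Serve(ln)
}

// Shutdown performs a graceful shutdown. Doesn't accept new connections and
// blocks until all pending RPCs are finished. It is a no-op if ListenAndServe
// has not created a server yet.
func (s *GRPCService) Shutdown() {
	if gs := s.currentServer(); gs != nil {
		gs.GracefulStop()
	}
}

// Close stops the server by closing all connections immediately and cancels
// all active RPCs. It is a no-op if ListenAndServe has not created a server yet.
func (s *GRPCService) Close() {
	if gs := s.currentServer(); gs != nil {
		gs.Stop()
	}
}

// currentServer returns the server created by ListenAndServe, or nil if it
// has not been started.
func (s *GRPCService) currentServer() *grpc.Server {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.server
}

// Status sends a status request to specified kms service.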
func (s *GRPCService) Status(ctx context.Context, _ *kmsapi.StatusRequest) (*kmsapi.StatusResponse, error) {
	// Forward to the backend and translate its StatusResponse into the
	// generated proto message; errors pass through unchanged.
	status, err := s.kmsService.Status(ctx)
	if err != nil {
		return nil, err
	}
	out := &kmsapi.StatusResponse{
		Version: status.Version,
		Healthz: status.Healthz,
		KeyId:   status.KeyID,
	}
	return out, nil
}

// Decrypt forwards a decryption request to the configured Service. The wire
// fields (ciphertext, key ID, annotations) are copied into a DecryptRequest
// without validation in this layer; any checks on them belong to the Service
// implementation.
func (s *GRPCService) Decrypt(ctx context.Context, req *kmsapi.DecryptRequest) (*kmsapi.DecryptResponse, error) {
	backendReq := &DecryptRequest{
		Ciphertext:  req.Ciphertext,
		KeyID:       req.KeyId,
		Annotations: req.Annotations,
	}
	plaintext, err := s.kmsService.Decrypt(ctx, req.Uid, backendReq)
	if err != nil {
		return nil, err
	}
	out := &kmsapi.DecryptResponse{Plaintext: plaintext}
	return out, nil
}

// Encrypt forwards an encryption request to the configured Service and
// returns its ciphertext, key ID and annotations as-is. The size and naming
// constraints documented in apis/v2/api.proto are not enforced here.
func (s *GRPCService) Encrypt(ctx context.Context, req *kmsapi.EncryptRequest) (*kmsapi.EncryptResponse, error) {
	encrypted, err := s.kmsService.Encrypt(ctx, req.Uid, req.Plaintext)
	if err != nil {
		return nil, err
	}
	out := &kmsapi.EncryptResponse{
		Ciphertext:  encrypted.Ciphertext,
		KeyId:       encrypted.KeyID,
		Annotations: encrypted.Annotations,
	}
	return out, nil
}
kms-0.31.4/pkg/service/grpc_service_test.go000066400000000000000000000122121472614404000206530ustar00rootroot00000000000000/*
Copyright 2023 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/ package service import ( "bytes" "context" "encoding/base64" "fmt" "math/rand" "net" "os" "path/filepath" "testing" "time" "google.golang.org/grpc" "google.golang.org/grpc/credentials/insecure" kmsapi "k8s.io/kms/apis/v2" ) const version = "v2" func TestGRPCService(t *testing.T) { t.Parallel() defaultTimeout := 30 * time.Second ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout) t.Cleanup(cancel) address := filepath.Join(os.TempDir(), "kmsv2.sock") plaintext := []byte("lorem ipsum dolor sit amet") r := rand.New(rand.NewSource(time.Now().Unix())) id, err := makeID(r.Read) if err != nil { t.Fatal(err) } kmsService := newBase64Service(id) server := NewGRPCService(address, defaultTimeout, kmsService) go func() { if err := server.ListenAndServe(); err != nil { panic(err) } }() t.Cleanup(server.Shutdown) client := newClient(t, address) // make sure the gRPC server is up before running tests ready: for { select { case <-ctx.Done(): t.Fatalf("server failed to start in time: %v", ctx.Err()) default: if done := func() bool { ctx, cancel := context.WithTimeout(ctx, 3*time.Second) defer cancel() _, err := client.Status(ctx, &kmsapi.StatusRequest{}) if err != nil { t.Logf("failed to get kms status: %v", err) } return err == nil }(); done { break ready } time.Sleep(time.Second) } } t.Run("should be able to encrypt and decrypt through unix domain sockets", func(t *testing.T) { t.Parallel() encRes, err := client.Encrypt(ctx, &kmsapi.EncryptRequest{ Plaintext: plaintext, Uid: id, }) if err != nil { t.Fatal(err) } if bytes.Equal(plaintext, encRes.Ciphertext) { t.Fatal("plaintext and ciphertext shouldn't be equal!") } decRes, err := client.Decrypt(ctx, &kmsapi.DecryptRequest{ Ciphertext: encRes.Ciphertext, KeyId: encRes.KeyId, Annotations: encRes.Annotations, Uid: id, }) if err != nil { t.Fatal(err) } if !bytes.Equal(decRes.Plaintext, plaintext) { t.Errorf("want: %q, have: %q", plaintext, decRes.Plaintext) } }) t.Run("should return status data", func(t 
*testing.T) { t.Parallel() status, err := client.Status(ctx, &kmsapi.StatusRequest{}) if err != nil { t.Fatal(err) } if status.Healthz != "ok" { t.Errorf("want: %q, have: %q", "ok", status.Healthz) } if len(status.KeyId) == 0 { t.Errorf("want: len(keyID) > 0, have: %d", len(status.KeyId)) } if status.Version != version { t.Errorf("want %q, have: %q", version, status.Version) } }) } func newClient(t *testing.T, address string) kmsapi.KeyManagementServiceClient { t.Helper() cnn, err := grpc.Dial( address, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithDialer(func(addr string, t time.Duration) (net.Conn, error) { return net.Dial("unix", addr) }), ) if err != nil { t.Fatal(err) } t.Cleanup(func() { _ = cnn.Close() }) return kmsapi.NewKeyManagementServiceClient(cnn) } type testService struct { decrypt func(ctx context.Context, uid string, req *DecryptRequest) ([]byte, error) encrypt func(ctx context.Context, uid string, data []byte) (*EncryptResponse, error) status func(ctx context.Context) (*StatusResponse, error) } var _ Service = (*testService)(nil) func (s *testService) Decrypt(ctx context.Context, uid string, req *DecryptRequest) ([]byte, error) { return s.decrypt(ctx, uid, req) } func (s *testService) Encrypt(ctx context.Context, uid string, data []byte) (*EncryptResponse, error) { return s.encrypt(ctx, uid, data) } func (s *testService) Status(ctx context.Context) (*StatusResponse, error) { return s.status(ctx) } func makeID(rand func([]byte) (int, error)) (string, error) { b := make([]byte, 10) if _, err := rand(b); err != nil { return "", err } return base64.StdEncoding.EncodeToString(b), nil } func newBase64Service(keyID string) *testService { decrypt := func(_ context.Context, _ string, req *DecryptRequest) ([]byte, error) { if req.KeyID != keyID { return nil, fmt.Errorf("keyID mismatch. 
want: %q, have: %q", keyID, req.KeyID) } return base64.StdEncoding.DecodeString(string(req.Ciphertext)) } encrypt := func(_ context.Context, _ string, data []byte) (*EncryptResponse, error) { return &EncryptResponse{ Ciphertext: []byte(base64.StdEncoding.EncodeToString(data)), KeyID: keyID, }, nil } status := func(_ context.Context) (*StatusResponse, error) { return &StatusResponse{ Version: version, Healthz: "ok", KeyID: keyID, }, nil } return &testService{ decrypt: decrypt, encrypt: encrypt, status: status, } } kms-0.31.4/pkg/service/interface.go000066400000000000000000000031401472614404000171010ustar00rootroot00000000000000/* Copyright 2023 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ package service import "context" // Service allows encrypting and decrypting data using an external Key Management Service. type Service interface { // Decrypt a given bytearray to obtain the original data as bytes. Decrypt(ctx context.Context, uid string, req *DecryptRequest) ([]byte, error) // Encrypt bytes to a ciphertext. Encrypt(ctx context.Context, uid string, data []byte) (*EncryptResponse, error) // Status returns the status of the KMS. Status(ctx context.Context) (*StatusResponse, error) } // EncryptResponse is the response from the Envelope service when encrypting data. type EncryptResponse struct { Ciphertext []byte KeyID string Annotations map[string][]byte } // DecryptRequest is the request to the Envelope service when decrypting data. 
type DecryptRequest struct {
	Ciphertext  []byte            // data to decrypt, exactly as the plugin returned it from Encrypt
	KeyID       string            // key ID the apiserver recorded at encryption time
	Annotations map[string][]byte // metadata the plugin attached at encryption time
}

// StatusResponse is the response from the Envelope service when getting the status of the service.
// Version must be "v2" and Healthz "ok" for the plugin to be considered healthy
// (see the StatusResponse comments in apis/v2/api.proto).
type StatusResponse struct {
	Version string
	Healthz string
	KeyID   string
}
kms-0.31.4/pkg/util/000077500000000000000000000000001472614404000141315ustar00rootroot00000000000000kms-0.31.4/pkg/util/util.go000066400000000000000000000032301472614404000154350ustar00rootroot00000000000000/*
Copyright 2022 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package util

import (
	"fmt"
	"net/url"
	"strings"
)

const (
	// unixProtocol is the only supported protocol for remote KMS provider.
	unixProtocol = "unix"
)

// ParseEndpoint parses the endpoint to extract schema, host or path.
//
// Only the "unix" scheme is accepted. The returned string is the address to
// hand to net.Listen/net.Dial: the URL path as-is, or, for "unix:///@name",
// "@name" (the leading "/" is stripped) so that it denotes a Linux
// abstract-namespace socket. Any host component in the URL is ignored.
func ParseEndpoint(endpoint string) (string, error) {
	if len(endpoint) == 0 {
		return "", fmt.Errorf("remote KMS provider can't use empty string as endpoint")
	}

	u, err := url.Parse(endpoint)
	if err != nil {
		return "", fmt.Errorf("invalid endpoint %q for remote KMS provider, error: %v", endpoint, err)
	}

	if u.Scheme != unixProtocol {
		return "", fmt.Errorf("unsupported scheme %q for remote KMS provider", u.Scheme)
	}

	// Linux abstract namespace socket - no physical file required.
	// Warning: Linux abstract sockets have no concept of ACL (unlike traditional file based sockets).
	// However, Linux abstract sockets are subject to the Linux networking namespace, so they will only be
	// accessible to containers within the same pod (unless host networking is used).
	// NOTE(review): a plugin pod that runs with hostNetwork: true (as the mock's kms.yaml does)
	// therefore exposes an abstract socket to every process in the host network namespace;
	// prefer a file-based socket with restrictive permissions in that deployment shape.
	if strings.HasPrefix(u.Path, "/@") {
		return strings.TrimPrefix(u.Path, "/"), nil
	}

	return u.Path, nil
}
kms-0.31.4/pkg/util/util_test.go000066400000000000000000000036771472614404000165010ustar00rootroot00000000000000/*
Copyright 2022 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package util

import (
	"strings"
	"testing"
)

func TestParseEndpoint(t *testing.T) {
	testCases := []struct {
		desc     string
		endpoint string
		want     string
	}{
		{
			desc:     "path with prefix",
			endpoint: "unix:///@path",
			want:     "@path",
		},
		{
			desc:     "path without prefix",
			endpoint: "unix:///path",
			want:     "/path",
		},
	}

	for _, tt := range testCases {
		t.Run(tt.desc, func(t *testing.T) {
			got, err := ParseEndpoint(tt.endpoint)
			if err != nil {
				t.Errorf("ParseEndpoint(%q) error: %v", tt.endpoint, err)
			}
			if got != tt.want {
				t.Errorf("ParseEndpoint(%q) = %q, want %q", tt.endpoint, got, tt.want)
			}
		})
	}
}

func TestParseEndpointError(t *testing.T) {
	testCases := []struct {
		desc     string
		endpoint string
		wantErr  string
	}{
		{
			desc:     "empty endpoint",
			endpoint: "",
			wantErr:  "remote KMS provider can't use empty string as endpoint",
		},
		{
			desc:     "invalid scheme",
			endpoint: "http:///path",
			wantErr:  "unsupported scheme \"http\" for remote KMS provider",
		},
	}

	for _, tt := range testCases {
		t.Run(tt.desc, func(t *testing.T) {
			_, err := ParseEndpoint(tt.endpoint)
			if err == nil
{ t.Errorf("ParseEndpoint(%q) error: %v", tt.endpoint, err) } if !strings.Contains(err.Error(), tt.wantErr) { t.Errorf("ParseEndpoint(%q) = %q, want %q", tt.endpoint, err, tt.wantErr) } }) } }