Documentation
¶
Index ¶
- Constants
- func DataHash(data []byte) string
- func DecodeEncryptionConfiguration(data []byte) (*apiserverv1.EncryptionConfiguration, error)
- func FingerprintAESCBCKey(secretName string, dataHash string) string
- func FingerprintAWSKMSKey(arn string) string
- func FingerprintAzureKMSKey(key hyperv1.AzureKMSKey) string
- func FingerprintFromKeyStatus(status *hyperv1.SecretEncryptionKeyStatus) string
- func FingerprintIBMCloudKMSKeyList(entries []hyperv1.IBMCloudKMSKeyEntry) string
- func KeyReferenceFromStatus(status *hyperv1.SecretEncryptionKeyStatus) hyperv1.EncryptionKeyReference
- func KeyStatusFromAESCBCSpec(secretName string, dataHash string) *hyperv1.SecretEncryptionKeyStatus
- func KeyStatusFromAWSSpec(key hyperv1.AWSKMSKeyEntry) *hyperv1.SecretEncryptionKeyStatus
- func KeyStatusFromAzureSpec(key hyperv1.AzureKMSKey) *hyperv1.SecretEncryptionKeyStatus
- func KeyStatusFromIBMCloudSpec(entries []hyperv1.IBMCloudKMSKeyEntry) *hyperv1.SecretEncryptionKeyStatus
- func KeyStatusFromSpec(spec *hyperv1.SecretEncryptionSpec, aescbcDataHash string) *hyperv1.SecretEncryptionKeyStatus
- func ShouldPromoteTargetKey(cfg *apiserverv1.EncryptionConfiguration, targetName string, ...) bool
- type TargetKeyRole
Constants ¶
const ( // EncryptionConfigurationKey is the data key used in the Secret that holds the EncryptionConfiguration YAML. EncryptionConfigurationKey = "config.yaml" // EncryptionConfigurationKind is the Kind used in EncryptionConfiguration manifests. EncryptionConfigurationKind = "EncryptionConfiguration" )
Variables ¶
This section is empty.
Functions ¶
func DecodeEncryptionConfiguration ¶
func DecodeEncryptionConfiguration(data []byte) (*apiserverv1.EncryptionConfiguration, error)
DecodeEncryptionConfiguration parses raw YAML bytes into an EncryptionConfiguration.
func FingerprintAESCBCKey ¶
FingerprintAESCBCKey computes the SHA-256 fingerprint for an AESCBC key. The dataHash parameter should be the hex-encoded SHA-256 of the secret's "key" data field.
func FingerprintAWSKMSKey ¶
FingerprintAWSKMSKey computes the SHA-256 fingerprint for an AWS KMS key.
func FingerprintAzureKMSKey ¶
func FingerprintAzureKMSKey(key hyperv1.AzureKMSKey) string
FingerprintAzureKMSKey computes the SHA-256 fingerprint for an Azure KMS key.
func FingerprintFromKeyStatus ¶
func FingerprintFromKeyStatus(status *hyperv1.SecretEncryptionKeyStatus) string
FingerprintFromKeyStatus computes the fingerprint from a SecretEncryptionKeyStatus.
func FingerprintIBMCloudKMSKeyList ¶
func FingerprintIBMCloudKMSKeyList(entries []hyperv1.IBMCloudKMSKeyEntry) string
FingerprintIBMCloudKMSKeyList computes the SHA-256 fingerprint for an IBM Cloud KMS key list. Only identity-relevant fields are included; CorrelationID and URL are excluded.
func KeyReferenceFromStatus ¶
func KeyReferenceFromStatus(status *hyperv1.SecretEncryptionKeyStatus) hyperv1.EncryptionKeyReference
KeyReferenceFromStatus extracts an EncryptionKeyReference from a SecretEncryptionKeyStatus.
func KeyStatusFromAESCBCSpec ¶
func KeyStatusFromAESCBCSpec(secretName string, dataHash string) *hyperv1.SecretEncryptionKeyStatus
KeyStatusFromAESCBCSpec creates a SecretEncryptionKeyStatus from an AESCBC spec.
func KeyStatusFromAWSSpec ¶
func KeyStatusFromAWSSpec(key hyperv1.AWSKMSKeyEntry) *hyperv1.SecretEncryptionKeyStatus
KeyStatusFromAWSSpec creates a SecretEncryptionKeyStatus from an AWS KMS key spec.
func KeyStatusFromAzureSpec ¶
func KeyStatusFromAzureSpec(key hyperv1.AzureKMSKey) *hyperv1.SecretEncryptionKeyStatus
KeyStatusFromAzureSpec creates a SecretEncryptionKeyStatus from an Azure KMS key spec.
func KeyStatusFromIBMCloudSpec ¶
func KeyStatusFromIBMCloudSpec(entries []hyperv1.IBMCloudKMSKeyEntry) *hyperv1.SecretEncryptionKeyStatus
KeyStatusFromIBMCloudSpec creates a SecretEncryptionKeyStatus from IBM Cloud KMS key entries. Uses the first entry in the key list as the representative key.
func KeyStatusFromSpec ¶
func KeyStatusFromSpec(spec *hyperv1.SecretEncryptionSpec, aescbcDataHash string) *hyperv1.SecretEncryptionKeyStatus
KeyStatusFromSpec creates a SecretEncryptionKeyStatus from a SecretEncryptionSpec. For AESCBC, the caller must provide the dataHash (SHA-256 of the secret's "key" data field).
func ShouldPromoteTargetKey ¶
func ShouldPromoteTargetKey(cfg *apiserverv1.EncryptionConfiguration, targetName string, encType hyperv1.SecretEncryptionType, kasConverged bool) bool
ShouldPromoteTargetKey determines whether the target key should be promoted to write provider based on the current EncryptionConfiguration and KAS convergence state.
Returns true when the target key should be the write key (WritePromote/Migrating stage). Returns false when the old key should remain the write key (ReadOnlyDeploy stage).
Types ¶
type TargetKeyRole ¶
type TargetKeyRole int
TargetKeyRole represents where the target key appears in the EncryptionConfiguration.
const ( TargetKeyAbsent TargetKeyRole = iota // target key not in config TargetKeyReadOnly // target key is a read-only provider (not first) TargetKeyWrite // target key is the write provider (first) )
func FindKeyRole ¶
func FindKeyRole(cfg *apiserverv1.EncryptionConfiguration, targetName string, encType hyperv1.SecretEncryptionType) TargetKeyRole
FindKeyRole locates the target key name in the EncryptionConfiguration and returns its role. For KMS, each key is a separate provider entry; the first KMS provider is the write key. For AESCBC, keys are entries inside a single AESCBC provider; the first key is the write key.