secretencryption

package
v0.1.78 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 25, 2026 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// EncryptionConfigurationKey is the data key used in the Secret that holds the EncryptionConfiguration YAML.
	EncryptionConfigurationKey = "config.yaml"

	// EncryptionConfigurationKind is the Kind used in EncryptionConfiguration manifests.
	EncryptionConfigurationKind = "EncryptionConfiguration"
)

Variables

This section is empty.

Functions

func DataHash

func DataHash(data []byte) string

DataHash computes the hex-encoded SHA-256 hash of raw data.

func DecodeEncryptionConfiguration

func DecodeEncryptionConfiguration(data []byte) (*apiserverv1.EncryptionConfiguration, error)

DecodeEncryptionConfiguration parses raw YAML bytes into an EncryptionConfiguration.

func FingerprintAESCBCKey

func FingerprintAESCBCKey(secretName string, dataHash string) string

FingerprintAESCBCKey computes the SHA-256 fingerprint for an AESCBC key. The dataHash parameter should be the hex-encoded SHA-256 of the secret's "key" data field.

func FingerprintAWSKMSKey

func FingerprintAWSKMSKey(arn string) string

FingerprintAWSKMSKey computes the SHA-256 fingerprint for an AWS KMS key.

func FingerprintAzureKMSKey

func FingerprintAzureKMSKey(key hyperv1.AzureKMSKey) string

FingerprintAzureKMSKey computes the SHA-256 fingerprint for an Azure KMS key.

func FingerprintFromKeyStatus

func FingerprintFromKeyStatus(status *hyperv1.SecretEncryptionKeyStatus) string

FingerprintFromKeyStatus computes the fingerprint from a SecretEncryptionKeyStatus.

func FingerprintIBMCloudKMSKeyList

func FingerprintIBMCloudKMSKeyList(entries []hyperv1.IBMCloudKMSKeyEntry) string

FingerprintIBMCloudKMSKeyList computes the SHA-256 fingerprint for an IBM Cloud KMS key list. Only identity-relevant fields are included; CorrelationID and URL are excluded.

func KeyReferenceFromStatus

func KeyReferenceFromStatus(status *hyperv1.SecretEncryptionKeyStatus) hyperv1.EncryptionKeyReference

KeyReferenceFromStatus extracts an EncryptionKeyReference from a SecretEncryptionKeyStatus.

func KeyStatusFromAESCBCSpec

func KeyStatusFromAESCBCSpec(secretName string, dataHash string) *hyperv1.SecretEncryptionKeyStatus

KeyStatusFromAESCBCSpec creates a SecretEncryptionKeyStatus from an AESCBC spec.

func KeyStatusFromAWSSpec

func KeyStatusFromAWSSpec(key hyperv1.AWSKMSKeyEntry) *hyperv1.SecretEncryptionKeyStatus

KeyStatusFromAWSSpec creates a SecretEncryptionKeyStatus from an AWS KMS key spec.

func KeyStatusFromAzureSpec

func KeyStatusFromAzureSpec(key hyperv1.AzureKMSKey) *hyperv1.SecretEncryptionKeyStatus

KeyStatusFromAzureSpec creates a SecretEncryptionKeyStatus from an Azure KMS key spec.

func KeyStatusFromIBMCloudSpec

func KeyStatusFromIBMCloudSpec(entries []hyperv1.IBMCloudKMSKeyEntry) *hyperv1.SecretEncryptionKeyStatus

KeyStatusFromIBMCloudSpec creates a SecretEncryptionKeyStatus from IBM Cloud KMS key entries. Uses the first entry in the key list as the representative key.

func KeyStatusFromSpec

func KeyStatusFromSpec(spec *hyperv1.SecretEncryptionSpec, aescbcDataHash string) *hyperv1.SecretEncryptionKeyStatus

KeyStatusFromSpec creates a SecretEncryptionKeyStatus from a SecretEncryptionSpec. For AESCBC, the caller must provide the dataHash (SHA-256 of the secret's "key" data field).

func ShouldPromoteTargetKey

func ShouldPromoteTargetKey(cfg *apiserverv1.EncryptionConfiguration, targetName string, encType hyperv1.SecretEncryptionType, kasConverged bool) bool

ShouldPromoteTargetKey determines whether the target key should be promoted to write provider based on the current EncryptionConfiguration and KAS convergence state.

Returns true when the target key should be the write key (WritePromote/Migrating stage). Returns false when the old key should remain the write key (ReadOnlyDeploy stage).

Types

type TargetKeyRole

type TargetKeyRole int

TargetKeyRole represents where the target key appears in the EncryptionConfiguration.

const (
	TargetKeyAbsent   TargetKeyRole = iota // target key not in config
	TargetKeyReadOnly                      // target key is a read-only provider (not first)
	TargetKeyWrite                         // target key is the write provider (first)
)

func FindKeyRole

FindKeyRole locates the target key name in the EncryptionConfiguration and returns its role. For KMS, each key is a separate provider entry; the first KMS provider is the write key. For AESCBC, keys are entries inside a single AESCBC provider; the first key is the write key.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL