encryption

package
v0.0.0-...-61990a0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 16, 2026 License: Apache-2.0 Imports: 43 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	SupportedStaticEncryptionProviders = []EncryptionProvider{
		{APIServerEncryption: configv1.APIServerEncryption{Type: configv1.EncryptionTypeAESGCM}},
		{APIServerEncryption: configv1.APIServerEncryption{Type: configv1.EncryptionTypeAESCBC}},
	}
)
View Source
var WellKnownAuthTargetGRs = []schema.GroupResource{
	{Group: "oauth.openshift.io", Resource: "oauthaccesstokens"},
	{Group: "oauth.openshift.io", Resource: "oauthauthorizetokens"},
}
View Source
var WellKnownKASTargetGRs = []schema.GroupResource{
	{Group: "", Resource: "secrets"},
	{Group: "", Resource: "configmaps"},
}
View Source
var WellKnownOASTargetGRs = []schema.GroupResource{
	{Group: "route.openshift.io", Resource: "routes"},
}

Functions

func ApplyEncryption

func ApplyEncryption(ctx context.Context, t testing.TB, encryption configv1.APIServerEncryption)

ApplyEncryption applies the given encryption config to apiserver/cluster without waiting for completion.

func AssertEncryptionConfig

func AssertEncryptionConfig(t testing.TB, clientSet ClientSet, encryptionConfigSecretName string, namespace string, targetGRs []schema.GroupResource)

AssertEncryptionConfig checks if the encryption config holds only targetGRs, this ensures that only those resources were encrypted, we don't check the keys because e2e tests are run randomly and we would have to consider all encryption secrets to get the right order of the keys. We test the content of the encryption config in more detail in unit and integration tests

func AssertLastMigratedKey

func AssertLastMigratedKey(t testing.TB, kubeClient kubernetes.Interface, targetGRs []schema.GroupResource, namespace, labelSelector string)

func AssertWellKnownRouteOfLifeEncrypted

func AssertWellKnownRouteOfLifeEncrypted(t testing.TB, clientSet ClientSet, resource runtime.Object)

func AssertWellKnownRouteOfLifeEncryptedWithKMS

func AssertWellKnownRouteOfLifeEncryptedWithKMS(t testing.TB, clientSet ClientSet, namespace, labelSelector string, resource runtime.Object)

func AssertWellKnownRouteOfLifeNotEncrypted

func AssertWellKnownRouteOfLifeNotEncrypted(t testing.TB, clientSet ClientSet, resource runtime.Object)

func AssertWellKnownRoutes

func AssertWellKnownRoutes(t testing.TB, clientSet ClientSet, expectedMode configv1.EncryptionType, namespace, labelSelector string)

func AssertWellKnownSecretOfLifeEncrypted

func AssertWellKnownSecretOfLifeEncrypted(t testing.TB, clientSet ClientSet, resource runtime.Object)

func AssertWellKnownSecretOfLifeEncryptedWithKMS

func AssertWellKnownSecretOfLifeEncryptedWithKMS(t testing.TB, clientSet ClientSet, namespace, labelSelector string, resource runtime.Object)

func AssertWellKnownSecretOfLifeNotEncrypted

func AssertWellKnownSecretOfLifeNotEncrypted(t testing.TB, clientSet ClientSet, resource runtime.Object)

func AssertWellKnownSecretsAndConfigMaps

func AssertWellKnownSecretsAndConfigMaps(t testing.TB, clientSet ClientSet, expectedMode configv1.EncryptionType, namespace, labelSelector string)

func AssertWellKnownTokenOfLifeEncrypted

func AssertWellKnownTokenOfLifeEncrypted(t testing.TB, clientSet ClientSet, _ runtime.Object)

func AssertWellKnownTokenOfLifeEncryptedWithKMS

func AssertWellKnownTokenOfLifeEncryptedWithKMS(t testing.TB, clientSet ClientSet, namespace, labelSelector string, resource runtime.Object)

func AssertWellKnownTokenOfLifeNotEncrypted

func AssertWellKnownTokenOfLifeNotEncrypted(t testing.TB, clientSet ClientSet, _ runtime.Object)

func AssertWellKnownTokens

func AssertWellKnownTokens(t testing.TB, clientSet ClientSet, expectedMode configv1.EncryptionType, namespace, labelSelector string)

func CreateAndStoreWellKnownRouteOfLife

func CreateAndStoreWellKnownRouteOfLife(ctx context.Context, t testing.TB, cs ClientSet, ns string) runtime.Object

func CreateAndStoreWellKnownSecretOfLife

func CreateAndStoreWellKnownSecretOfLife(t testing.TB, clientSet ClientSet, namespace string) runtime.Object

func CreateAndStoreWellKnownTokenOfLife

func CreateAndStoreWellKnownTokenOfLife(ctx context.Context, t testing.TB, cs ClientSet) runtime.Object

func ForceKeyRotation

func ForceKeyRotation(t testing.TB, updateUnsupportedConfig UpdateUnsupportedConfigFunc, reason string) error

func GetRawWellKnownRouteOfLife

func GetRawWellKnownRouteOfLife(t testing.TB, clientSet ClientSet, ns string) string

func GetRawWellKnownSecretOfLife

func GetRawWellKnownSecretOfLife(t testing.TB, clientSet ClientSet, namespace string) string

func GetRawWellKnownTokenOfLife

func GetRawWellKnownTokenOfLife(t testing.TB, clientSet ClientSet) string

func PrintEventsOnFailure

func PrintEventsOnFailure(namespace string) func(*E)

func TestEncryptionProvidersMigration

func TestEncryptionProvidersMigration(ctx context.Context, t testing.TB, scenario ProvidersMigrationScenario)

TestEncryptionProvidersMigration tests migration between given encryption providers. It creates a resource, migrates through each provider, verifies the resource is encrypted after each migration, and finally switches to identity (off).

func TestEncryptionRotation

func TestEncryptionRotation(ctx context.Context, t testing.TB, scenario RotationScenario)

TestEncryptionRotation encrypts data, forces a provider-specific key rotation, waits for re-migration to complete, and verifies the resource was re-encrypted with different content.

func TestEncryptionTurnOnAndOff

func TestEncryptionTurnOnAndOff(ctx context.Context, t testing.TB, scenario OnOffScenario)

func TestEncryptionType

func TestEncryptionType(ctx context.Context, t testing.TB, scenario BasicScenario, provider EncryptionProvider)

func TestEncryptionTypeAESCBC

func TestEncryptionTypeAESCBC(ctx context.Context, t testing.TB, scenario BasicScenario, providers ...EncryptionProvider)

func TestEncryptionTypeAESGCM

func TestEncryptionTypeAESGCM(ctx context.Context, t testing.TB, scenario BasicScenario, providers ...EncryptionProvider)

func TestEncryptionTypeIdentity

func TestEncryptionTypeIdentity(ctx context.Context, t testing.TB, scenario BasicScenario)

func TestEncryptionTypeKMS

func TestEncryptionTypeKMS(ctx context.Context, t testing.TB, scenario BasicScenario, providers ...EncryptionProvider)

func TestEncryptionTypeUnset

func TestEncryptionTypeUnset(ctx context.Context, t testing.TB, scenario BasicScenario)

func TestKMSInPlaceUpdate

func TestKMSInPlaceUpdate(ctx context.Context, t testing.TB, scenario KMSInPlaceUpdateScenario)

TestKMSInPlaceUpdate validates in-place KMS config field updates:

  1. Apply valid provider and verify migration
  2. Update in-place field and verify no new encryption key is created
  3. WaitForPropagation — caller verifies the change took effect

func TestPerfEncryption

func TestPerfEncryption(ctx context.Context, t testing.TB, scenario PerfScenario)

func VerifyResources

func VerifyResources(t testing.TB, etcdClient EtcdClient, etcdKeyPreifx string, expectedMode string, allowEmpty bool) (int, error)

func WaitForCurrentKeyMigrated

func WaitForCurrentKeyMigrated(t testing.TB, kubeClient kubernetes.Interface, prevKeyMeta EncryptionKeyMeta, targetGRs []schema.GroupResource, namespace, labelSelector string)

WaitForCurrentKeyMigrated waits until the current (latest) encryption key has completed migration for all target group resources. It fails if the key changes unexpectedly (i.e. a different key than prevKeyMeta appears).

func WaitForEncryptionKeyBasedOn

func WaitForEncryptionKeyBasedOn(t testing.TB, kubeClient kubernetes.Interface, prevKeyMeta EncryptionKeyMeta, encryptionType configv1.EncryptionType, defaultTargetGRs []schema.GroupResource, namespace, labelSelector string)

func WaitForNextMigratedKey

func WaitForNextMigratedKey(t testing.TB, kubeClient kubernetes.Interface, prevKeyMeta EncryptionKeyMeta, defaultTargetGRs []schema.GroupResource, namespace, labelSelector string)

func WaitForNoNewEncryptionKey

func WaitForNoNewEncryptionKey(t testing.TB, kubeClient kubernetes.Interface, prevKeyMeta EncryptionKeyMeta, namespace, labelSelector string)

func WaitForPodContainerCondition

func WaitForPodContainerCondition(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, namespace, labelSelector, keyName string, match func(pod corev1.Pod, keyName string) bool)

WaitForPodContainerCondition polls pods until at least one pod satisfies the given condition. keyName is the current encryption key secret name, passed to match so callers can correlate pod container names with the active key (e.g. vault-kms-plugin-42).

func WaitForPodImagePullBackOff

func WaitForPodImagePullBackOff(ctx context.Context, t testing.TB, kubeClient kubernetes.Interface, namespace, labelSelector string, timeout time.Duration)

WaitForPodImagePullBackOff polls pods in the given namespace until at least one pod has a container stuck in ImagePullBackOff or ErrImagePull. When a KMS plugin image is invalid, the operator cannot progress because the sidecar container fails to start. The operator does not report Degraded in this case — it only gets stuck in Progressing. This function detects that stuck state by observing the pod-level image pull failure, which is the earliest signal that the invalid config has taken effect.

func WellKnownRouteOfLife

func WellKnownRouteOfLife(_ testing.TB, ns string) runtime.Object

func WellKnownSecretOfLife

func WellKnownSecretOfLife(_ testing.TB, namespace string) runtime.Object

func WellKnownTokenOfLife

func WellKnownTokenOfLife(_ testing.TB, _ string) runtime.Object

Types

type BasicScenario

type BasicScenario struct {
	Namespace                       string
	LabelSelector                   string
	EncryptionConfigSecretName      string
	EncryptionConfigSecretNamespace string
	OperatorNamespace               string
	TargetGRs                       []schema.GroupResource
	AssertFunc                      func(t testing.TB, clientSet ClientSet, expectedMode configv1.EncryptionType, namespace, labelSelector string)
}

type ClientSet

type ClientSet struct {
	Etcd            EtcdClient
	ApiServerConfig configv1client.APIServerInterface
	Kube            kubernetes.Interface
	DynamicClient   dynamic.Interface
}

func GetClients

func GetClients(t testing.TB) ClientSet

func SetAndWaitForEncryptionType

func SetAndWaitForEncryptionType(ctx context.Context, t testing.TB, provider EncryptionProvider, defaultTargetGRs []schema.GroupResource, namespace, labelSelector string) ClientSet

type DBLoaderFuncType

type DBLoaderFuncType func(kubernetes.Interface, string, func(error), func(string)) error

func DBLoaderRepeat

func DBLoaderRepeat(times int, genNamespaceName bool, workToRepeatFunc ...DBLoaderFuncType) DBLoaderFuncType

func DBLoaderRepeatParallel

func DBLoaderRepeatParallel(times int, workers int, genNamespaceName bool, workToRepeatFunc ...DBLoaderFuncType) DBLoaderFuncType

type E

type E struct {
	testing.TB
	// contains filtered or unexported fields
}

E is like testing.T except it overloads some methods to print to stdout when the encryption tests are run from a local machine

func NewE

func NewE(t testing.TB, options ...func(*E)) *E

func (*E) Error

func (e *E) Error(args ...interface{})

func (*E) Errorf

func (e *E) Errorf(format string, args ...interface{})

func (*E) Fatal

func (e *E) Fatal(args ...interface{})

func (*E) Fatalf

func (e *E) Fatalf(format string, args ...interface{})

func (*E) Log

func (e *E) Log(args ...interface{})

func (*E) Logf

func (e *E) Logf(format string, args ...interface{})

type EncryptionKeyMeta

type EncryptionKeyMeta struct {
	Name     string
	Migrated []schema.GroupResource
	Mode     string
}

func GetLastKeyMeta

func GetLastKeyMeta(t testing.TB, kubeClient kubernetes.Interface, namespace, labelSelector string) (EncryptionKeyMeta, error)

type EncryptionProvider

type EncryptionProvider struct {
	configv1.APIServerEncryption
	// Setup is called once before the provider is first used. May be nil.
	Setup func(ctx context.Context, t testing.TB)
}

EncryptionProvider pairs an encryption config with an optional setup function that ensures prerequisites (secrets, credentials, infrastructure) are in place.

func ShuffleEncryptionProviders

func ShuffleEncryptionProviders(providers []EncryptionProvider) []EncryptionProvider

ShuffleEncryptionProviders returns a new slice with the providers in random order, leaving the original slice unchanged. Use this to test different migration orderings.

type EtcdClient

type EtcdClient interface {
	Get(ctx context.Context, key string, opts ...clientv3.OpOption) (*clientv3.GetResponse, error)
}

func NewEtcdClient

func NewEtcdClient(kubeClient kubernetes.Interface) EtcdClient

type ForceRotationFunc

type ForceRotationFunc func(t testing.TB, ctx context.Context)

ForceRotationFunc triggers a key rotation in a provider-specific way. Static encryption (AES-CBC/AES-GCM) sets encryption.reason in unsupported config; KMS rotates the external KMS key (for example Vault transit).

func StaticEncryptionForceRotation

func StaticEncryptionForceRotation(updateUnsupportedConfig UpdateUnsupportedConfigFunc) ForceRotationFunc

StaticEncryptionForceRotation returns a ForceRotationFunc that mints a new key via encryption.reason.

type GetOperatorConditionsFuncType

type GetOperatorConditionsFuncType func(t testing.TB) ([]v1.OperatorCondition, error)

type KMSInPlaceUpdateScenario

type KMSInPlaceUpdateScenario struct {
	BasicScenario
	Provider        EncryptionProvider
	UpdatedProvider EncryptionProvider
	// WaitForPropagation is called after the in-place update to verify the change
	// took effect. Receives the current encryption key so callers can match pod
	// container names to the active key. Same pattern as WaitForStuck in
	// KMSInvalidEncryptionRecoveryScenario.
	WaitForPropagation func(ctx context.Context, t testing.TB, keyMeta EncryptionKeyMeta)
}

KMSInPlaceUpdateScenario tests that updating an in-place KMS config field (e.g. kmsPluginImage) takes effect without creating a new encryption key. The caller supplies Provider (initial valid config) and UpdatedProvider (same config with one in-place field changed).

type OnOffScenario

type OnOffScenario struct {
	BasicScenario
	CreateResourceFunc             func(t testing.TB, clientSet ClientSet, namespace string) runtime.Object
	AssertResourceEncryptedFunc    func(t testing.TB, clientSet ClientSet, resource runtime.Object)
	AssertResourceNotEncryptedFunc func(t testing.TB, clientSet ClientSet, resource runtime.Object)
	ResourceFunc                   func(t testing.TB, namespace string) runtime.Object
	ResourceName                   string
	EncryptionProvider             EncryptionProvider
}

type PerfScenario

type PerfScenario struct {
	BasicScenario
	GetOperatorConditionsFunc GetOperatorConditionsFuncType

	DBLoaderFunc          DBLoaderFuncType
	AssertDBPopulatedFunc func(t testing.TB, errorStore map[string]int, statStore map[string]int)
	AssertMigrationTime   func(t testing.TB, migrationTime time.Duration)
	// DBLoaderWorker is the number of workers that will execute DBLoaderFunc
	DBLoaderWorkers    int
	EncryptionProvider EncryptionProvider
}

type ProvidersMigrationScenario

type ProvidersMigrationScenario struct {
	BasicScenario
	CreateResourceFunc             func(t testing.TB, clientSet ClientSet, namespace string) runtime.Object
	AssertResourceEncryptedFunc    func(t testing.TB, clientSet ClientSet, resource runtime.Object)
	AssertResourceNotEncryptedFunc func(t testing.TB, clientSet ClientSet, resource runtime.Object)
	ResourceFunc                   func(t testing.TB, namespace string) runtime.Object
	ResourceName                   string
	// EncryptionProviders is the list of encryption providers to migrate through.
	// The test will migrate through each provider in order, then always end by
	// switching to identity (off) to verify the resource is re-written unencrypted.
	EncryptionProviders []EncryptionProvider
}

ProvidersMigrationScenario defines a test scenario for migrating encryption between multiple providers.

See TestEncryptionProvidersMigration for more details.

type RotationScenario

type RotationScenario struct {
	BasicScenario
	CreateResourceFunc          func(t testing.TB, clientSet ClientSet, namespace string) runtime.Object
	GetRawResourceFunc          func(t testing.TB, clientSet ClientSet, namespace string) string
	EncryptionProvider          EncryptionProvider
	ForceRotationFunc           ForceRotationFunc
	WaitForRotationCompleteFunc WaitForRotationCompleteFunc
}

type UpdateUnsupportedConfigFunc

type UpdateUnsupportedConfigFunc func(raw []byte) error

type WaitForRotationCompleteFunc

type WaitForRotationCompleteFunc func(t testing.TB, clientSet ClientSet, prevKeyMeta EncryptionKeyMeta, scenario BasicScenario)

WaitForRotationCompleteFunc waits until re-migration after rotation has finished. Static encryption waits for the next encryption key secret to be migrated; KMS waits for a new finished entry in KeyRotationStatus, created by the rotation controller.

func WaitForNextEncryptionKeyRotation

func WaitForNextEncryptionKeyRotation() WaitForRotationCompleteFunc

WaitForNextEncryptionKeyRotation waits until a new encryption key secret is fully migrated.

Directories

Path Synopsis
kms

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL