From 31fb539f1735debd38e705fcb96a05ea0313c5f5 Mon Sep 17 00:00:00 2001
From: Wu Qiang
Date: Tue, 14 Nov 2017 09:05:52 +0000
Subject: [PATCH] Update kms provider config for gRPC client service

---
 .../server/options/encryptionconfig/config.go | 41 ++++++++++++++-----
 .../server/options/encryptionconfig/types.go | 18 ++++++++
 2 files changed, 48 insertions(+), 11 deletions(-)

diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
index ad2f0927c6a..c78f3490c6d 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go
@@ -150,18 +150,37 @@ func GetPrefixTransformers(config *ResourceConfig) ([]value.PrefixTransformer, e
 if found == true {
 return nil, fmt.Errorf("more than one provider specified in a single element, should split into different list elements")
 }
- f, err := os.Open(provider.KMS.ConfigFile)
- if err != nil {
- return nil, fmt.Errorf("error opening KMS provider configuration file %q: %v", provider.KMS.ConfigFile, err)
- }
- defer f.Close()
- envelopeService, pluginFound, err := KMSPluginRegistry.getPlugin(provider.KMS.Name, f)
- if err != nil {
- return nil, fmt.Errorf("could not configure KMS plugin %q, %v", provider.KMS.Name, err)
- }
- if pluginFound == false {
- return nil, fmt.Errorf("KMS plugin %q not found", provider.KMS.Name)
+
+ var envelopeService envelope.Service
+ remoteConfig := provider.KMS.RemoteServer
+ if remoteConfig == nil {
+ // There should be no KMS provider plugins on API server side in future.
+ f, err := os.Open(provider.KMS.ConfigFile)
+ if err != nil {
+ return nil, fmt.Errorf("error opening KMS provider configuration file %q: %v", provider.KMS.ConfigFile, err)
+ }
+ defer f.Close()
+ pluginFound := false
+ envelopeService, pluginFound, err = KMSPluginRegistry.getPlugin(provider.KMS.Name, f)
+ if err != nil {
+ return nil, fmt.Errorf("could not configure KMS plugin %q, %v", provider.KMS.Name, err)
+ }
+ if pluginFound == false {
+ return nil, fmt.Errorf("KMS plugin %q not found", provider.KMS.Name)
+ }
+ } else {
+ // Get gRPC client service with remote config
+ envelopeService, err = envelope.NewEnvelopeService(
+ remoteConfig.Endpoint,
+ remoteConfig.ServerCACert,
+ remoteConfig.ClientCert,
+ remoteConfig.ClientKey,
+ )
+ if err != nil {
+ return nil, fmt.Errorf("could not configure KMS plugin %q, error: %v", provider.KMS.Name, err)
+ }
 }
+
 transformer, err = getEnvelopePrefixTransformer(provider.KMS, envelopeService, kmsTransformerPrefixV1)
 found = true
 }
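Review bot: The else branch hands `remoteConfig.Endpoint`, `ServerCACert`, `ClientCert` and `ClientKey` straight to `envelope.NewEnvelopeService` without checking that `Endpoint` is set or that the TLS paths are consistent (a client cert without its key, or a non-unix endpoint without a server CA), so a misconfigured provider is only diagnosed by whatever the constructor happens to report, and from this hunk it is not visible whether an empty `ServerCACert` means "verify against system roots", "skip verification" or an error. A fail-fast guard such as `if remoteConfig.Endpoint == "" { return nil, fmt.Errorf("KMS plugin %q: remoteServer.endpoint must be set", provider.KMS.Name) }` plus the endpoint in the wrapped error, `fmt.Errorf("could not configure KMS plugin %q at %q: %v", provider.KMS.Name, remoteConfig.Endpoint, err)`, would make a bad entry show up in the API server log with the information needed to fix it. When `RemoteServer` is set, `provider.KMS.ConfigFile` is silently ignored; rejecting a provider that specifies both would remove the ambiguity about which path is authoritative. The `pluginFound := false` initialiser is redundant because the next line assigns it (`var pluginFound bool` reads better). GetPrefixTransformers starts and ends outside the hunk.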
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go
index 1603e044a31..7f37238d9e4 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/types.go
@@ -83,4 +83,22 @@ type KMSConfig struct {
 CacheSize int `json:"cachesize,omitempty"`
 // configfile is the path to the configuration file for the named KMS provider.
 ConfigFile string `json:"configfile"`
+ // remoteServer is the configuration for connection gRPC server.
+ RemoteServer *RemoteServerConfig `json:"remoteServer"`
+}
+
+// RemoteServerConfig contains the connection informations that connect remote
+// gRPC server for envelope transformer.
+type RemoteServerConfig struct {
+ // gRPC server listen address, for example tcp://localhost:3735,
+ // unix:///var/run/kmsprovider.sock
+ Endpoint string `json:"endpoint"`
+
+ // CACert is the path to a PEM-encoded CA cert file to use to verify the
+ // gRPC server SSL certificate.
+ ServerCACert string `json:"serverCACert"`
+
+ // TLS certificate authentication information
+ ClientCert string `json:"clientCert"`
+ ClientKey string `json:"clientKey"`
 }
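Review bot: The `RemoteServerConfig` doc comments do not say which fields are required or what an empty value means, which matters here because `ServerCACert`, `ClientCert` and `ClientKey` decide whether the connection to the KMS server is authenticated at all; an operator reading this type cannot tell whether leaving `serverCACert` empty falls back to system roots, disables verification, or is rejected. I would state that explicitly on each field, e.g. `// ServerCACert is the path to a PEM-encoded CA bundle used to verify the gRPC server's TLS certificate.` followed by the intended behaviour when unset, and say that `ClientCert`/`ClientKey` are file paths to a PEM certificate and its private key (not the key material), since the key path in particular ends up in a config file that is often checked in. The comment on `ServerCACert` begins "CACert is", so it does not match the field name as godoc expects, and `remoteServer is the configuration for connection gRPC server` and `connection informations` need rewording (`configuration of the remote gRPC server`, `connection information`). The `KMSConfig` docs should also mention that `remoteServer` and `configfile` are alternatives, since the config.go hunk appears to consult only one of them.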