Additional encryption config refactors (#646)
mallardduck authored Jan 15, 2025
1 parent 5647b15 commit 8692b6f
Showing 2 changed files with 15 additions and 23 deletions.
21 changes: 5 additions & 16 deletions pkg/util/encryptionconfig/config.go
Expand Up @@ -16,10 +16,6 @@ import (
"k8s.io/apiserver/pkg/storage/value/encrypt/identity"
)

type contextKey string

var tempConfigPathKey = contextKey("tmpConfigPath")

const EncryptionProviderConfigKey = "encryption-provider-config.yaml"

func GetEncryptionConfigSecret(secrets v1.SecretController, encryptionConfigSecretName string) (*v1core.Secret, error) {
Expand All @@ -35,33 +31,26 @@ func GetEncryptionConfigSecret(secrets v1.SecretController, encryptionConfigSecr
}

func GetEncryptionTransformersFromSecret(ctx context.Context, encryptionConfigSecret *v1core.Secret) (k8sEncryptionconfig.StaticTransformers, error) {
fileHandle, err := PrepareEncryptionConfigSecretTempConfig(encryptionConfigSecret)
err := prepareEncryptionConfigSecretTempConfig(encryptionConfigSecret)
// we defer file removal till here to ensure it's around for all of PrepareEncryptionTransformersFromConfig
defer os.Remove(EncryptionProviderConfigKey)
if err != nil {
return nil, err
}
ctx = context.WithValue(ctx, tempConfigPathKey, fileHandle.Name())
return PrepareEncryptionTransformersFromConfig(ctx, EncryptionProviderConfigKey)
}

func PrepareEncryptionConfigSecretTempConfig(encryptionConfigSecret *v1core.Secret) (*os.File, error) {
func prepareEncryptionConfigSecretTempConfig(encryptionConfigSecret *v1core.Secret) error {
encryptionConfigBytes, ok := encryptionConfigSecret.Data[EncryptionProviderConfigKey]
if !ok {
return nil, fmt.Errorf("no encryptionConfig provided")
return fmt.Errorf("no encryptionConfig provided")
}
err := os.WriteFile(EncryptionProviderConfigKey, encryptionConfigBytes, os.ModePerm)
if err != nil {
return nil, err
}

// Open the file for reading (or other operations) and return the handle
file, err := os.Open(EncryptionProviderConfigKey)
if err != nil {
return nil, err
return err
}

return file, nil
return nil
}

func PrepareEncryptionTransformersFromConfig(ctx context.Context, encryptionProviderPath string) (k8sEncryptionconfig.StaticTransformers, error) {
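Review bot: The temp config is still written with `os.ModePerm` on the `os.WriteFile` line of prepareEncryptionConfigSecretTempConfig, which creates a 0777 file (less umask) containing the encryption provider configuration just pulled out of the Secret, readable by any local user. Tightening it to `err := os.WriteFile(EncryptionProviderConfigKey, encryptionConfigBytes, 0o600)` is a one-line change and the minimum expected for material the Secret was protecting. The path is also a fixed name relative to the process's working directory, so if GetEncryptionTransformersFromSecret can run concurrently, two callers would overwrite each other's file and the first deferred os.Remove would delete the other's; a per-call os.MkdirTemp directory whose path is handed to PrepareEncryptionTransformersFromConfig would be the more robust shape, though the refactor here moves away from passing the path. PrepareEncryptionTransformersFromConfig's body continues outside the hunk.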
17 changes: 10 additions & 7 deletions pkg/util/encryptionconfig/config_test.go
Expand Up @@ -54,14 +54,18 @@ func TestPrepareEncryptionConfigSecretTempConfig_ValidSecretKeySillyData(t *test
EncryptionProviderConfigKey: []byte(sillyTestData),
},
}
fileHandle, err := PrepareEncryptionConfigSecretTempConfig(&testSecret)
err := prepareEncryptionConfigSecretTempConfig(&testSecret)
defer os.Remove(EncryptionProviderConfigKey)
// Assert that no error is returned
assert.Nil(t, err)
file, err := os.Open(EncryptionProviderConfigKey)
if err != nil {
t.FailNow()
}

// Read the file written by PrepareEncryptionConfigSecretTempConfig
// Read the file written by prepareEncryptionConfigSecretTempConfig
actualBytes := make([]byte, 1024)
n, err := fileHandle.Read(actualBytes)
n, err := file.Read(actualBytes)
if err != nil {
t.Fatal(err)
}
Expand All @@ -72,7 +76,7 @@ func TestPrepareEncryptionConfigSecretTempConfig_ValidSecretKeySillyData(t *test

func TestPrepareEncryptionConfigSecretTempConfig_EmptySecret(t *testing.T) {
testSecret := v1.Secret{}
_, err := PrepareEncryptionConfigSecretTempConfig(&testSecret)
err := prepareEncryptionConfigSecretTempConfig(&testSecret)
assert.NotNil(t, err)
assert.Error(t, err)
assert.ErrorContains(t, err, "no encryptionConfig provided")
Expand All @@ -86,7 +90,7 @@ func TestPrepareEncryptionConfigSecretTempConfig_IncorrectSecretKey(t *testing.T
"key": []byte("value"),
},
}
_, err := PrepareEncryptionConfigSecretTempConfig(&testSecret)
err := prepareEncryptionConfigSecretTempConfig(&testSecret)
assert.NotNil(t, err)
assert.Error(t, err)
assert.ErrorContains(t, err, "no encryptionConfig provided")
Expand Down Expand Up @@ -127,8 +131,7 @@ func TestIsDefaultEncryptionTransformer_Wildcard(t *testing.T) {

func TestIsDefaultEncryptionTransformer_PartialWildcard(t *testing.T) {
encryptionConfigFilepath := filepath.Join("testdata", "encryption-provider-config-partial-wildcard.yaml")
ctx := context.WithValue(context.Background(), tempConfigPathKey, encryptionConfigFilepath)
transformers, err := PrepareEncryptionTransformersFromConfig(ctx, encryptionConfigFilepath)
transformers, err := PrepareEncryptionTransformersFromConfig(context.Background(), encryptionConfigFilepath)
assert.Nil(t, err)

serviceAccountTransformer := transformers.TransformerForResource(serviceAccountGVR.GroupResource())
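Review bot: The `os.Open` added to TestPrepareEncryptionConfigSecretTempConfig_ValidSecretKeySillyData is never closed, and its failure branch calls `t.FailNow()` without reporting the error, so an open failure prints nothing useful. Adding `defer file.Close()` after the check and replacing the bare call with `t.Fatal(err)` keeps the branch consistent with the `t.Fatal(err)` already used for the Read error a few lines below. The test function's body continues outside the hunk.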
