mirror of https://github.com/k3s-io/k3s
Merge pull request #48121 from sakshamsharma/add-kms-dep
Automatic merge from submit-queue (batch tested with PRs 48292, 48121) Add Google cloudkms dependency, add cloudkms service to GCE cloud provider Required to introduce a Google KMS based envelope encryption, which shall allow encrypting secrets at rest using KEK-DEK scheme. The above requires KMS API to create/delete KeyRings and CryptoKeys, and Encrypt/Decrypt data. Should target release 1.8 @jcbsmpsn Update: It appears that Godep only allows dependencies which are in use. We may have to modify this PR to include some Google KMS code. Progresses #48522pull/6/head
Kubernetes Submit Queue
GitHub
commit
d816555e44
|
|
@ -2783,6 +2783,10 @@
|
|||
"ImportPath": "golang.org/x/tools/container/intsets",
|
||||
"Rev": "2382e3994d48b1d22acc2c86bcad0a2aff028e32"
|
||||
},
|
||||
{
|
||||
"ImportPath": "google.golang.org/api/cloudkms/v1",
|
||||
"Rev": "e3824ed33c72bf7e81da0286772c34b987520914"
|
||||
},
|
||||
{
|
||||
"ImportPath": "google.golang.org/api/cloudmonitoring/v2beta2",
|
||||
"Rev": "e3824ed33c72bf7e81da0286772c34b987520914"
|
||||
|
|
|
|||
|
|
@ -84101,6 +84101,41 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|||
================================================================================
|
||||
|
||||
|
||||
================================================================================
|
||||
= vendor/google.golang.org/api/cloudkms/v1 licensed under: =
|
||||
|
||||
Copyright (c) 2011 Google Inc. All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are
|
||||
met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above
|
||||
copyright notice, this list of conditions and the following disclaimer
|
||||
in the documentation and/or other materials provided with the
|
||||
distribution.
|
||||
* Neither the name of Google Inc. nor the names of its
|
||||
contributors may be used to endorse or promote products derived from
|
||||
this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
= vendor/google.golang.org/api/LICENSE a651bb3d8b1c412632e28823bb432b40 -
|
||||
================================================================================
|
||||
|
||||
|
||||
================================================================================
|
||||
= vendor/google.golang.org/api/cloudmonitoring/v2beta2 licensed under: =
|
||||
|
||||
|
|
|
|||
|
|
@ -55,6 +55,7 @@ go_library(
|
|||
"//vendor/github.com/prometheus/client_golang/prometheus:go_default_library",
|
||||
"//vendor/golang.org/x/oauth2:go_default_library",
|
||||
"//vendor/golang.org/x/oauth2/google:go_default_library",
|
||||
"//vendor/google.golang.org/api/cloudkms/v1:go_default_library",
|
||||
"//vendor/google.golang.org/api/compute/v0.beta:go_default_library",
|
||||
"//vendor/google.golang.org/api/compute/v1:go_default_library",
|
||||
"//vendor/google.golang.org/api/container/v1:go_default_library",
|
||||
|
|
|
|||
|
|
@ -25,9 +25,9 @@ import (
|
|||
"sync"
|
||||
"time"
|
||||
|
||||
"cloud.google.com/go/compute/metadata"
|
||||
gcfg "gopkg.in/gcfg.v1"
|
||||
|
||||
"gopkg.in/gcfg.v1"
|
||||
"cloud.google.com/go/compute/metadata"
|
||||
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
|
|
@ -38,6 +38,7 @@ import (
|
|||
"github.com/golang/glog"
|
||||
"golang.org/x/oauth2"
|
||||
"golang.org/x/oauth2/google"
|
||||
cloudkms "google.golang.org/api/cloudkms/v1"
|
||||
computebeta "google.golang.org/api/compute/v0.beta"
|
||||
compute "google.golang.org/api/compute/v1"
|
||||
container "google.golang.org/api/container/v1"
|
||||
|
|
@ -85,6 +86,7 @@ type GCECloud struct {
|
|||
service *compute.Service
|
||||
serviceBeta *computebeta.Service
|
||||
containerService *container.Service
|
||||
cloudkmsService *cloudkms.Service
|
||||
clientBuilder controller.ControllerClientBuilder
|
||||
projectID string
|
||||
region string
|
||||
|
|
@ -154,6 +156,16 @@ func (g *GCECloud) GetComputeService() *compute.Service {
|
|||
return g.service
|
||||
}
|
||||
|
||||
// Raw access to the cloudkmsService of GCE cloud. Required for encryption of etcd using Google KMS.
|
||||
func (g *GCECloud) GetKMSService() *cloudkms.Service {
|
||||
return g.cloudkmsService
|
||||
}
|
||||
|
||||
// Returns the ProjectID corresponding to the project this cloud is in.
|
||||
func (g *GCECloud) GetProjectID() string {
|
||||
return g.projectID
|
||||
}
|
||||
|
||||
// newGCECloud creates a new instance of GCECloud.
|
||||
func newGCECloud(config io.Reader) (*GCECloud, error) {
|
||||
apiEndpoint := ""
|
||||
|
|
@ -251,6 +263,11 @@ func CreateGCECloud(apiEndpoint, projectID, region, zone string, managedZones []
|
|||
return nil, err
|
||||
}
|
||||
|
||||
cloudkmsService, err := cloudkms.New(client)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if networkURL == "" {
|
||||
networkName, err := getNetworkNameViaAPICall(service, projectID)
|
||||
if err != nil {
|
||||
|
|
@ -281,6 +298,7 @@ func CreateGCECloud(apiEndpoint, projectID, region, zone string, managedZones []
|
|||
service: service,
|
||||
serviceBeta: serviceBeta,
|
||||
containerService: containerService,
|
||||
cloudkmsService: cloudkmsService,
|
||||
projectID: projectID,
|
||||
networkProjectID: networkProjectID,
|
||||
onXPN: onXPN,
|
||||
|
|
|
|||
|
|
@ -354,6 +354,7 @@ filegroup(
|
|||
"//vendor/golang.org/x/text/width:all-srcs",
|
||||
"//vendor/golang.org/x/time/rate:all-srcs",
|
||||
"//vendor/golang.org/x/tools/container/intsets:all-srcs",
|
||||
"//vendor/google.golang.org/api/cloudkms/v1:all-srcs",
|
||||
"//vendor/google.golang.org/api/cloudmonitoring/v2beta2:all-srcs",
|
||||
"//vendor/google.golang.org/api/compute/v0.beta:all-srcs",
|
||||
"//vendor/google.golang.org/api/compute/v1:all-srcs",
|
||||
|
|
|
|||
|
|
@ -0,0 +1,33 @@
|
|||
package(default_visibility = ["//visibility:public"])
|
||||
|
||||
licenses(["notice"])
|
||||
|
||||
load(
|
||||
"@io_bazel_rules_go//go:def.bzl",
|
||||
"go_library",
|
||||
)
|
||||
|
||||
go_library(
|
||||
name = "go_default_library",
|
||||
srcs = ["cloudkms-gen.go"],
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//vendor/golang.org/x/net/context:go_default_library",
|
||||
"//vendor/golang.org/x/net/context/ctxhttp:go_default_library",
|
||||
"//vendor/google.golang.org/api/gensupport:go_default_library",
|
||||
"//vendor/google.golang.org/api/googleapi:go_default_library",
|
||||
],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "package-srcs",
|
||||
srcs = glob(["**"]),
|
||||
tags = ["automanaged"],
|
||||
visibility = ["//visibility:private"],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "all-srcs",
|
||||
srcs = [":package-srcs"],
|
||||
tags = ["automanaged"],
|
||||
)
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue