mirror of https://github.com/k3s-io/k3s
0d17e9deb7
Automatic merge from submit-queue Add Google cloud KMS service for envelope encryption transformer This adds the required pieces which will allow addition of KMS based encryption providers (envelope transformer). For now, we will be implementing it using Google Cloud KMS, but the code should make it easy to add support for any other such provider which can expose Decrypt and Encrypt calls. Writing tests for Google Cloud KMS Service may cause a significant overhead to the testing framework. It has been tested locally and on GKE though. Upcoming after this PR: * Complete implementation of the envelope transformer, which uses LRU cache to maintain decrypted DEKs in memory. * Track key version to assist in data re-encryption after a KEK rotation. Development branch containing the changes described above: https://github.com/sakshamsharma/kubernetes/pull/4 Envelope transformer used by this PR was merged in #49350 Concerns #48522 Planned configuration: ``` kind: EncryptionConfig apiVersion: v1 resources: - resources: - secrets providers: - kms: cachesize: 100 configfile: gcp-cloudkms.conf name: gcp-cloudkms - identity: {} ``` gcp-cloudkms.conf: ``` [GoogleCloudKMS] kms-location: global kms-keyring: google-container-engine kms-cryptokey: example-key ``` |
||
|---|---|---|
| .. | ||
| aws | ||
| azure | ||
| cloudstack | ||
| fake | ||
| gce | ||
| openstack | ||
| ovirt | ||
| photon | ||
| rackspace | ||
| vsphere | ||
| BUILD | ||
| providers.go | ||