rebase: update all k8s packages to 0.27.2

Signed-off-by: Niels de Vos <ndevos@ibm.com>

vendor/k8s.io/kms/pkg/service/grpc_service.go

@@ -0,0 +1,141 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package service
+
+import (
+	"context"
+	"net"
+	"time"
+
+	"google.golang.org/grpc"
+
+	"k8s.io/klog/v2"
+	kmsapi "k8s.io/kms/apis/v2"
+)
+
+// GRPCService is a grpc server that runs the kms v2 alpha1 API.
+type GRPCService struct {
+	addr    string
+	timeout time.Duration
+	server  *grpc.Server
+
+	kmsService Service
+}
+
+var _ kmsapi.KeyManagementServiceServer = (*GRPCService)(nil)
+
+// NewGRPCService creates an instance of GRPCService.
+func NewGRPCService(
+	address string,
+	timeout time.Duration,
+
+	kmsService Service,
+) *GRPCService {
+	klog.V(4).InfoS("KMS plugin configured", "address", address, "timeout", timeout)
+
+	return &GRPCService{
+		addr:       address,
+		timeout:    timeout,
+		kmsService: kmsService,
+	}
+}
+
+// ListenAndServe accepts incoming connections on a Unix socket. It is a blocking method.
+// Returns non-nil error unless Close or Shutdown is called.
+func (s *GRPCService) ListenAndServe() error {
+	ln, err := net.Listen("unix", s.addr)
+	if err != nil {
+		return err
+	}
+	defer ln.Close()
+
+	gs := grpc.NewServer(
+		grpc.ConnectionTimeout(s.timeout),
+	)
+	s.server = gs
+
+	kmsapi.RegisterKeyManagementServiceServer(gs, s)
+
+	klog.V(4).InfoS("kms plugin serving", "address", s.addr)
+	return gs.Serve(ln)
+}
+
+// Shutdown performs a graceful shutdown. Doesn't accept new connections and
+// blocks until all pending RPCs are finished.
+func (s *GRPCService) Shutdown() {
+	klog.V(4).InfoS("kms plugin shutdown", "address", s.addr)
+	if s.server != nil {
+		s.server.GracefulStop()
+	}
+}
+
+// Close stops the server by closing all connections immediately and cancels
+// all active RPCs.
+func (s *GRPCService) Close() {
+	klog.V(4).InfoS("kms plugin close", "address", s.addr)
+	if s.server != nil {
+		s.server.Stop()
+	}
+}
+
+// Status sends a status request to specified kms service.
+func (s *GRPCService) Status(ctx context.Context, _ *kmsapi.StatusRequest) (*kmsapi.StatusResponse, error) {
+	res, err := s.kmsService.Status(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return &kmsapi.StatusResponse{
+		Version: res.Version,
+		Healthz: res.Healthz,
+		KeyId:   res.KeyID,
+	}, nil
+}
+
+// Decrypt sends a decryption request to specified kms service.
+func (s *GRPCService) Decrypt(ctx context.Context, req *kmsapi.DecryptRequest) (*kmsapi.DecryptResponse, error) {
+	klog.V(4).InfoS("decrypt request received", "id", req.Uid)
+
+	plaintext, err := s.kmsService.Decrypt(ctx, req.Uid, &DecryptRequest{
+		Ciphertext:  req.Ciphertext,
+		KeyID:       req.KeyId,
+		Annotations: req.Annotations,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &kmsapi.DecryptResponse{
+		Plaintext: plaintext,
+	}, nil
+}
+
+// Encrypt sends an encryption request to specified kms service.
+func (s *GRPCService) Encrypt(ctx context.Context, req *kmsapi.EncryptRequest) (*kmsapi.EncryptResponse, error) {
+	klog.V(4).InfoS("encrypt request received", "id", req.Uid)
+
+	encRes, err := s.kmsService.Encrypt(ctx, req.Uid, req.Plaintext)
+	if err != nil {
+		return nil, err
+	}
+
+	return &kmsapi.EncryptResponse{
+		Ciphertext:  encRes.Ciphertext,
+		KeyId:       encRes.KeyID,
+		Annotations: encRes.Annotations,
+	}, nil
+}

vendor/k8s.io/kms/pkg/service/interface.go

@@ -0,0 +1,50 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package service
+
+import "context"
+
+// Service allows encrypting and decrypting data using an external Key Management Service.
+type Service interface {
+	// Decrypt a given bytearray to obtain the original data as bytes.
+	Decrypt(ctx context.Context, uid string, req *DecryptRequest) ([]byte, error)
+	// Encrypt bytes to a ciphertext.
+	Encrypt(ctx context.Context, uid string, data []byte) (*EncryptResponse, error)
+	// Status returns the status of the KMS.
+	Status(ctx context.Context) (*StatusResponse, error)
+}
+
+// EncryptResponse is the response from the Envelope service when encrypting data.
+type EncryptResponse struct {
+	Ciphertext  []byte
+	KeyID       string
+	Annotations map[string][]byte
+}
+
+// DecryptRequest is the request to the Envelope service when decrypting data.
+type DecryptRequest struct {
+	Ciphertext  []byte
+	KeyID       string
+	Annotations map[string][]byte
+}
+
+// StatusResponse is the response from the Envelope service when getting the status of the service.
+type StatusResponse struct {
+	Version string
+	Healthz string
+	KeyID   string
+}

vendor/k8s.io/kms/pkg/util/util.go

@@ -0,0 +1,54 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"fmt"
+	"net/url"
+	"strings"
+)
+
+const (
+	// unixProtocol is the only supported protocol for remote KMS provider.
+	unixProtocol = "unix"
+)
+
+// ParseEndpoint parses the endpoint to extract schema, host or path.
+func ParseEndpoint(endpoint string) (string, error) {
+	if len(endpoint) == 0 {
+		return "", fmt.Errorf("remote KMS provider can't use empty string as endpoint")
+	}
+
+	u, err := url.Parse(endpoint)
+	if err != nil {
+		return "", fmt.Errorf("invalid endpoint %q for remote KMS provider, error: %v", endpoint, err)
+	}
+
+	if u.Scheme != unixProtocol {
+		return "", fmt.Errorf("unsupported scheme %q for remote KMS provider", u.Scheme)
+	}
+
+	// Linux abstract namespace socket - no physical file required
+	// Warning: Linux Abstract sockets have not concept of ACL (unlike traditional file based sockets).
+	// However, Linux Abstract sockets are subject to Linux networking namespace, so will only be accessible to
+	// containers within the same pod (unless host networking is used).
+	if strings.HasPrefix(u.Path, "/@") {
+		return strings.TrimPrefix(u.Path, "/"), nil
+	}
+
+	return u.Path, nil
+}