UPSTREAM: Add AES-CBC and Secretbox encryption

[smarterclayton]

Completes the pick of the upstream changes for Kube 1.7 for encryption at rest of secrets. Includes the new config loading.

[smarterclayton]

[test]

[mfojtik]

@php-coder FYI

[mfojtik]

flake: #14496

[test]

[mfojtik]

@smarterclayton you need to tweak the pick for vendor/golang.org/x/crypto to pass the commit checker.

[mfojtik]

LGTM after fixing commits //cc @php-coder for the config changes

[smarterclayton]

Of of Memory building network [test]

[smarterclayton]

Router flake, no route to host from integration TestRouter [test]

[openshift-bot]

Evaluated for origin test up to a8fec68

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/2045/) (Base Commit: 2458531)

[smarterclayton]

[merge] (since this is pure upstream code)

I think we want to use the upstream config.

[openshift-bot]

Evaluated for origin merge up to a8fec68

[openshift-bot]

continuous-integration/openshift-jenkins/merge FAILURE (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/959/) (Base Commit: 7f9567a)

[smarterclayton]

Dind flake fedora:25 not found? Merging

[0xmichalis]

Dind flake fedora:25 not found? Merging

Yeah, seen that elsewhere and it seems to block the queue now

[0xmichalis]

Opened #14573

[php-coder]

@smarterclayton I see that we haven't backported fix for this: kubernetes/kubernetes#47537 Do we need it to be backported?

[smarterclayton]

Yup On Jun 19, 2017, at 1:03 PM, Vyacheslav Semushin <[email protected]> wrote: *@php-coder* commented on this pull request. ------------------------------ In vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go <#14517 (comment)>:

+ "io/ioutil"

+ "os" + + yaml "github.com/ghodss/yaml" + + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apiserver/pkg/storage/value" + aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes" + "k8s.io/apiserver/pkg/storage/value/encrypt/identity" + "k8s.io/apiserver/pkg/storage/value/encrypt/secretbox" +) + +const ( + aesCBCTransformerPrefixV1 = "k8s:enc:aescbc:v1:" + aesGCMTransformerPrefixV1 = "k8s:enc:aesgcm:v1:" + secretboxTransformerPrefixV1 = "k8s:enc:secretbox:v1" @smarterclayton <https://github.com/smarterclayton> I see that we haven't backported fix for this: #47537 Do we need it to be backported? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#14517 (review)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p4VUz8CUWkQRsvqgASqRU76Me6NQks5sFqnngaJpZM4Nzlt0> .

[php-coder]

@smarterclayton Ok, I'll create a PR for that.

[php-coder]

[security] [SCCFSI] Encrypt secrets at REST in etcd