├── Dockerfile ├── go.mod ├── deployment ├── encryption-provider-config.yaml └── tke-kms-plugin.yaml ├── Makefile ├── v1beta1 ├── service.proto └── service.pb.go ├── .gitignore ├── test └── client_test.go ├── main.go ├── README.md ├── go.sum ├── plugin └── server.go └── LICENSE.TXT /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM centos:7 2 | 3 | COPY tke-kms-plugin / 4 | 5 | CMD ["/tke-kms-plugin"] 6 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module tke-kms-plugin 2 | 3 | go 1.13 4 | 5 | require ( 6 | github.com/gogo/protobuf v1.3.1 7 | github.com/tencentcloud/tencentcloud-sdk-go v3.0.152+incompatible 8 | golang.org/x/net v0.0.0-20190311183353-d8887717615a 9 | golang.org/x/sys v0.0.0-20200217220822-9197077df867 10 | google.golang.org/grpc v1.28.0 11 | k8s.io/klog v1.0.0 12 | ) 13 | -------------------------------------------------------------------------------- /deployment/encryption-provider-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiserver.config.k8s.io/v1 2 | kind: EncryptionConfiguration 3 | resources: 4 | - resources: 5 | - secrets 6 | providers: 7 | - kms: 8 | name: tke-kms-plugin 9 | timeout: 3s 10 | cachesize: 1000 11 | endpoint: unix:///var/run/tke-kms-plugin/server.sock 12 | - identity: {} 13 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2020 THL A29 Limited, a Tencent company. All rights reserved. 2 | # 3 | # TKE KMS Plugin 腾讯云TKE KMS插件 is licensed under the Apache License Version 2.0. 4 | 5 | REGISTRY ?= "" 6 | VERSION ?= 1.0.0 7 | 8 | ifeq ($(REGISTRY), "") 9 | IMAGE=tke-kms-plugin:$(VERSION) 10 | else 11 | IMAGE=$(REGISTRY)/tke-kms-plugin:$(VERSION) 12 | endif 13 | 14 | OUTPUT_DIR = _output 15 | BINARY = tke-kms-plugin 16 | 17 | all: fmt vet 18 | @echo "building $(BINARY)..." 19 | @GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o $(OUTPUT_DIR)/$(BINARY) . 20 | 21 | # Run go fmt against code 22 | fmt: 23 | go fmt ./... 24 | 25 | # Run go vet against code 26 | vet: 27 | go vet ./... 28 | 29 | # Build the docker image 30 | image: Dockerfile all 31 | @docker build -f Dockerfile -t ${IMAGE} $(OUTPUT_DIR) 32 | 33 | clean: 34 | @echo "cleaning..." 35 | @rm -rf $(OUTPUT_DIR) 36 | 37 | -------------------------------------------------------------------------------- /deployment/tke-kms-plugin.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: tke-kms-plugin 5 | namespace: kube-system 6 | spec: 7 | selector: 8 | matchLabels: 9 | name: tke-kms-plugin 10 | template: 11 | metadata: 12 | labels: 13 | name: tke-kms-plugin 14 | spec: 15 | nodeSelector: 16 | node-role.kubernetes.io/master: "true" 17 | hostNetwork: true 18 | restartPolicy: Always 19 | volumes: 20 | - name: tke-kms-plugin-dir 21 | hostPath: 22 | path: /var/run/tke-kms-plugin 23 | type: DirectoryOrCreate 24 | tolerations: 25 | - key: node-role.kubernetes.io/master 26 | effect: NoSchedule 27 | containers: 28 | - name: tke-kms-plugin 29 | image: tkeplugin/tke-kms-plugin:1.0.0 30 | command: 31 | - /tke-kms-plugin 32 | - --region={{REGION}} 33 | - --key-id={{KEY_ID}} 34 | - --unix-socket=/var/run/tke-kms-plugin/server.sock 35 | - --v=2 36 | livenessProbe: 37 | exec: 38 | command: 39 | - /tke-kms-plugin 40 | - health-check 41 | - --unix-socket=/var/run/tke-kms-plugin/server.sock 42 | initialDelaySeconds: 5 43 | failureThreshold: 3 44 | timeoutSeconds: 5 45 | periodSeconds: 30 46 | env: 47 | - name: SECRET_ID 48 | value: {{SECRET_ID}} 49 | - name: SECRET_KEY 50 | value: {{SECRET_KEY}} 51 | volumeMounts: 52 | - name: tke-kms-plugin-dir 53 | mountPath: /var/run/tke-kms-plugin 54 | readOnly: false 55 | -------------------------------------------------------------------------------- /v1beta1/service.proto: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2018 The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // To regenerate service.pb.go run hack/update-generated-kms.sh 18 | syntax = "proto3"; 19 | 20 | package v1beta1; 21 | 22 | // This service defines the public APIs for remote KMS provider. 23 | service KeyManagementService { 24 | // Version returns the runtime name and runtime version of the KMS provider. 25 | rpc Version(VersionRequest) returns (VersionResponse) {} 26 | 27 | // Execute decryption operation in KMS provider. 28 | rpc Decrypt(DecryptRequest) returns (DecryptResponse) {} 29 | // Execute encryption operation in KMS provider. 30 | rpc Encrypt(EncryptRequest) returns (EncryptResponse) {} 31 | } 32 | 33 | message VersionRequest { 34 | // Version of the KMS plugin API. 35 | string version = 1; 36 | } 37 | 38 | message VersionResponse { 39 | // Version of the KMS plugin API. 40 | string version = 1; 41 | // Name of the KMS provider. 42 | string runtime_name = 2; 43 | // Version of the KMS provider. The string must be semver-compatible. 44 | string runtime_version = 3; 45 | } 46 | 47 | message DecryptRequest { 48 | // Version of the KMS plugin API. 49 | string version = 1; 50 | // The data to be decrypted. 51 | bytes cipher = 2; 52 | } 53 | 54 | message DecryptResponse { 55 | // The decrypted data. 56 | bytes plain = 1; 57 | } 58 | 59 | message EncryptRequest { 60 | // Version of the KMS plugin API. 61 | string version = 1; 62 | // The data to be encrypted. 63 | bytes plain = 2; 64 | } 65 | 66 | message EncryptResponse { 67 | // The encrypted data. 68 | bytes cipher = 1; 69 | } 70 | 71 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | SX leaves these everywhere on SMB shares 2 | ._* 3 | 4 | # OSX trash 5 | .DS_Store 6 | 7 | # Eclipse files 8 | .classpath 9 | .project 10 | .settings/** 11 | 12 | # Files generated by JetBrains IDEs, e.g. IntelliJ IDEA 13 | .idea/ 14 | *.iml 15 | 16 | # Vscode files 17 | .vscode 18 | 19 | # This is where the result of the go build goes 20 | /output*/ 21 | /_output*/ 22 | /_output 23 | 24 | # Emacs save files 25 | *~ 26 | \#*\# 27 | .\#* 28 | 29 | # Vim-related files 30 | [._]*.s[a-w][a-z] 31 | [._]s[a-w][a-z] 32 | *.un~ 33 | Session.vim 34 | .netrwhist 35 | 36 | # cscope-related files 37 | cscope.* 38 | 39 | # Go test binaries 40 | *.test 41 | /hack/.test-cmd-auth 42 | 43 | # JUnit test output from ginkgo e2e tests 44 | /junit*.xml 45 | 46 | # Mercurial files 47 | **/.hg 48 | **/.hg* 49 | 50 | # Vagrant 51 | .vagrant 52 | network_closure.sh 53 | 54 | # Local cluster env variables 55 | /cluster/env.sh 56 | 57 | # Compiled binaries in third_party 58 | /third_party/pkg 59 | 60 | # Also ignore etcd installed by hack/install-etcd.sh 61 | /third_party/etcd* 62 | /default.etcd 63 | 64 | # User cluster configs 65 | .kubeconfig 66 | 67 | .tags* 68 | 69 | # Version file for dockerized build 70 | .dockerized-kube-version-defs 71 | 72 | # Web UI 73 | /www/master/node_modules/ 74 | /www/master/npm-debug.log 75 | /www/master/shared/config/development.json 76 | 77 | # Karma output 78 | /www/test_out 79 | 80 | # precommit temporary directories created by ./hack/verify-generated-docs.sh and ./hack/lib/util.sh 81 | /_tmp/ 82 | /doc_tmp/ 83 | 84 | # Test artifacts produced by Jenkins jobs 85 | /_artifacts/ 86 | 87 | # Go dependencies installed on Jenkins 88 | /_gopath/ 89 | 90 | # Config directories created by gcloud and gsutil on Jenkins 91 | /.config/gcloud*/ 92 | /.gsutil/ 93 | 94 | # CoreOS stuff 95 | /cluster/libvirt-coreos/coreos_*.img 96 | 97 | # Juju Stuff 98 | /cluster/juju/charms/* 99 | /cluster/juju/bundles/local.yaml 100 | 101 | # Downloaded Kubernetes binary release 102 | /kubernetes/ 103 | 104 | # direnv .envrc files 105 | .envrc 106 | 107 | # Downloaded kubernetes binary release tar ball 108 | kubernetes.tar.gz 109 | 110 | # generated files in any directory 111 | # TODO(thockin): uncomment this when we stop committing the generated files. 112 | #zz_generated.* 113 | zz_generated.openapi.go 114 | zz_generated_*_test.go 115 | 116 | # TODO(roycaihw): remove this when we stop committing the generated definition 117 | !staging/src/k8s.io/apiextensions-apiserver/pkg/generated/openapi/zz_generated.openapi.go 118 | # low-change blueprint in code-generator to notice changes 119 | !staging/src/k8s.io/code-generator/_examples/apiserver/openapi/zz_generated.openapi.go 120 | # low-change sample-apiserver spec to be compilable when published 121 | !staging/src/k8s.io/sample-apiserver/pkg/generated/openapi/zz_generated.openapi.go 122 | 123 | # make-related metadata 124 | /.make/ 125 | 126 | # Just in time generated data in the source, should never be committed 127 | /test/e2e/generated/bindata.go 128 | 129 | # This file used by some vendor repos (e.g. github.com/go-openapi/...) to store secret variables and should not be ignored 130 | !\.drone\.sec 131 | 132 | # Godeps workspace 133 | /Godeps/_workspace 134 | 135 | /bazel-* 136 | *.pyc 137 | 138 | # generated by verify-vendor.sh 139 | vendordiff.patch 140 | 141 | -------------------------------------------------------------------------------- /test/client_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2020 THL A29 Limited, a Tencent company. All rights reserved. 3 | * 4 | * TKE KMS Plugin 腾讯云TKE KMS插件 is licensed under the Apache License Version 2.0. 5 | */ 6 | 7 | package test 8 | 9 | import ( 10 | "testing" 11 | 12 | "fmt" 13 | "net" 14 | "time" 15 | 16 | k8spb "tke-kms-plugin/v1beta1" 17 | 18 | "golang.org/x/net/context" 19 | "google.golang.org/grpc" 20 | ) 21 | 22 | const ( 23 | pathToUnixSocket = "/var/run/tke-kms-plugin/server.sock" 24 | version = "v1beta1" 25 | ) 26 | 27 | var ( 28 | client k8spb.KeyManagementServiceClient 29 | connection *grpc.ClientConn 30 | err error 31 | ) 32 | 33 | func setupTestCase(t *testing.T) func(t *testing.T) { 34 | t.Log("setup test case") 35 | connection, err = dialUnix(pathToUnixSocket) 36 | if err != nil { 37 | fmt.Printf("%s", err) 38 | } 39 | client = k8spb.NewKeyManagementServiceClient(connection) 40 | return func(t *testing.T) { 41 | t.Log("test case") 42 | connection.Close() 43 | } 44 | } 45 | 46 | func TestEncryptDecrypt(t *testing.T) { 47 | cases := []struct { 48 | name string 49 | want []byte 50 | expected []byte 51 | }{ 52 | {"text", []byte("tke-test"), []byte("tke-test")}, 53 | {"number", []byte("tencent-20200202"), []byte("tencent-20200202")}, 54 | {"symbol", []byte("!@#$%^&*()_+"), []byte("!@#$%^&*()_+")}, 55 | } 56 | 57 | teardownTestCase := setupTestCase(t) 58 | defer teardownTestCase(t) 59 | 60 | for _, tc := range cases { 61 | t.Run(tc.name, func(t *testing.T) { 62 | encryptRequest := k8spb.EncryptRequest{Version: version, Plain: tc.want} 63 | encryptResponse, err := client.Encrypt(context.Background(), &encryptRequest) 64 | if err != nil { 65 | t.Fatalf("failed encrypt from remote KMS provider: %v", err) 66 | } 67 | decryptRequest := k8spb.DecryptRequest{Version: version, Cipher: encryptResponse.Cipher} 68 | decryptResponse, err := client.Decrypt(context.Background(), &decryptRequest) 69 | if err != nil { 70 | t.Fatalf("failed decrypt from remote KMS provider: %v", err) 71 | } 72 | if string(decryptResponse.Plain) != string(tc.want) { 73 | t.Fatalf("Expected secret, but got %s - %v", string(decryptResponse.Plain), err) 74 | } 75 | }) 76 | } 77 | } 78 | 79 | // Verify the KMS plugin version. 80 | func TestVersion(t *testing.T) { 81 | cases := []struct { 82 | name string 83 | want string 84 | expected string 85 | }{ 86 | {"v1beta1", "v1beta1", "v1beta1"}, 87 | } 88 | 89 | teardownTestCase := setupTestCase(t) 90 | defer teardownTestCase(t) 91 | 92 | for _, tc := range cases { 93 | t.Run(tc.name, func(t *testing.T) { 94 | 95 | request := &k8spb.VersionRequest{Version: tc.want} 96 | response, err := client.Version(context.Background(), request) 97 | if err != nil { 98 | t.Fatalf("failed get version from remote KMS provider: %v", err) 99 | } 100 | if response.Version != tc.want { 101 | t.Fatalf("KMS provider api version %s is not supported, only %s is supported now", tc.want, version) 102 | } 103 | }) 104 | } 105 | } 106 | 107 | func dialUnix(unixSocketPath string) (*grpc.ClientConn, error) { 108 | protocol, addr := "unix", unixSocketPath 109 | dialer := func(addr string, timeout time.Duration) (net.Conn, error) { 110 | return net.DialTimeout(protocol, addr, timeout) 111 | } 112 | return grpc.Dial(addr, grpc.WithInsecure(), grpc.WithDialer(dialer)) 113 | } 114 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2020 THL A29 Limited, a Tencent company. All rights reserved. 3 | * 4 | * TKE KMS Plugin 腾讯云TKE KMS插件 is licensed under the Apache License Version 2.0. 5 | */ 6 | 7 | package main 8 | 9 | import ( 10 | "context" 11 | "flag" 12 | "fmt" 13 | "net" 14 | "os" 15 | "os/signal" 16 | "strings" 17 | "syscall" 18 | "time" 19 | 20 | "tke-kms-plugin/plugin" 21 | kmspb "tke-kms-plugin/v1beta1" 22 | 23 | "google.golang.org/grpc" 24 | 25 | "k8s.io/klog" 26 | ) 27 | 28 | const ( 29 | healthCheckCmdName = "health-check" 30 | ) 31 | 32 | var ( 33 | region, unixSocket, keyID string 34 | ) 35 | 36 | var healthCheckCmd = flag.NewFlagSet(healthCheckCmdName, flag.ExitOnError) 37 | 38 | func init() { 39 | // start kms plugin server: tke-kms-plugin --listen-unix-socket= 40 | flag.StringVar(®ion, "region", "ap-beijing", 41 | "the region of Tencent KMS service(supported regions: ap-beijing, ap-guangzhou, "+ 42 | "ap-shanghai)") 43 | flag.StringVar(&unixSocket, "unix-socket", "/var/run/tke-kms-plugin/server.sock", 44 | "the unix socket that tke kms plugin listens on") 45 | flag.StringVar(&keyID, "key-id", "", 46 | "the Tencent KMS key ID used for tke kms plugin to do encrption and decryption."+ 47 | " The key must be created before use") 48 | 49 | // check kms plugin health: tke-kms-plugin health-check --listen-unix-socket= 50 | healthCheckCmd.StringVar(&unixSocket, "unix-socket", "/var/run/tke-kms-plugin/server.sock", 51 | "the socket used to connection with kmsServer") 52 | } 53 | 54 | func main() { 55 | // health-check for liveness probe 56 | if len(os.Args) > 1 && os.Args[1] == healthCheckCmdName { 57 | healthCheckCmd.Parse(os.Args[2:]) 58 | 59 | err := doHealthCheck(unixSocket) 60 | if err != nil { 61 | klog.Errorf("health-check failed: %v", err) 62 | os.Exit(1) 63 | } 64 | return 65 | } 66 | 67 | klog.InitFlags(nil) 68 | flag.Parse() 69 | 70 | validateFlags() 71 | 72 | kmsServer, err := plugin.NewKMSServer(unixSocket, region, keyID) 73 | if err != nil { 74 | klog.Fatalf("unable to create KMS server: %v", err) 75 | } 76 | 77 | s, err := kmsServer.StartRPCServer() 78 | if err != nil { 79 | klog.Fatalf("unable to start KMS RPC server: %v", err) 80 | } 81 | defer func() { 82 | s.GracefulStop() 83 | klog.Info("KMS RPC server gracefully stopped") 84 | }() 85 | 86 | signalCh := make(chan os.Signal, 1) 87 | signal.Notify(signalCh, os.Interrupt, syscall.SIGTERM) 88 | select { 89 | case s := <-signalCh: 90 | klog.Infof("got signal %s, exiting...", s) 91 | } 92 | } 93 | 94 | func doHealthCheck(unixSocket string) error { 95 | Version := "v1beta1" 96 | 97 | connection, err := dialUnix(unixSocket) 98 | if err != nil { 99 | return fmt.Errorf("unable to connect with grpc socket: %v", err) 100 | } 101 | 102 | client := kmspb.NewKeyManagementServiceClient(connection) 103 | 104 | request := &kmspb.VersionRequest{Version: Version} 105 | _, err = client.Version(context.Background(), request) 106 | if err != nil { 107 | return fmt.Errorf("unable to get version from tke-kms-plgin grpc endpoing %s: %v", 108 | unixSocket, err) 109 | } 110 | 111 | encryptRequest := kmspb.EncryptRequest{Version: Version, Plain: []byte("test")} 112 | encryptResponse, err := client.Encrypt(context.Background(), &encryptRequest) 113 | if err != nil { 114 | return fmt.Errorf("unable to do encryption with remote KMS provider: %v", err) 115 | } 116 | 117 | decryptRequest := kmspb.DecryptRequest{Version: Version, Cipher: encryptResponse.Cipher} 118 | _, err = client.Decrypt(context.Background(), &decryptRequest) 119 | if err != nil { 120 | return fmt.Errorf("unable to do decryption with remote KMS provider: %v", err) 121 | } 122 | 123 | return nil 124 | } 125 | 126 | func dialUnix(unixSocketPath string) (*grpc.ClientConn, error) { 127 | protocol, addr := "unix", unixSocketPath 128 | dialer := func(addr string, timeout time.Duration) (net.Conn, error) { 129 | return net.DialTimeout(protocol, addr, timeout) 130 | } 131 | return grpc.Dial(addr, grpc.WithInsecure(), grpc.WithDialer(dialer)) 132 | } 133 | 134 | func validateFlags() { 135 | if strings.TrimSpace(keyID) == "" { 136 | klog.Fatal("--key-id is not specified") 137 | } 138 | 139 | secretID := strings.TrimSpace(os.Getenv("SECRET_ID")) 140 | secretKey := strings.TrimSpace(os.Getenv("SECRET_KEY")) 141 | if secretID == "" || secretKey == "" { 142 | klog.Fatal("SECRET_ID and SECRET_KEY must be set in env") 143 | } 144 | } 145 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # !!! Deprecated !!! 2 | Now Tecnet TKE supporting KMS integration as an option, no need to install the plugin separately. 3 | 4 | For details, refer to [使用 KMS 进行 Kubernetes 数据加密](https://cloud.tencent.com/document/product/457/45594) 5 | 6 | # Kubernetes KMS provider plugin, backed by Tencent Cloud KMS service 7 | 8 | ## Overview 9 | 10 | [Kubernetes KMS provider](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/) plugin for Tencent Cloud - Enable encryption/decryption for Kubernetes secrets by Tencent Cloud Key Management Service 11 | 12 | ## Prerequisites 13 | 14 | - Kubernetes cluster of version 1.10.0 or later(e.g. TKE standalone clusters of version v1.10.5+) 15 | - Etcd v3 or later 16 | 17 | ## Build image 18 | 19 | 1. Clone this repo and cd to `tke-kms-plugin` 20 | 2. Build and push image 21 | ```bash 22 | #such as ccr.ccs.tencentyun.com/ 23 | REGISTRY= 24 | VERSION=1.0.0 25 | REGISTRY=$REGISTRY VERSION=$VERSION make image 26 | 27 | docker push $REGISTRY/tke-kms-plugin:$VERSION 28 | ``` 29 | 30 | ## Configuring the KMS provider 31 | ### Deploy KMS provider plugin 32 | 1. Create a new key of type `ENCRYPT_DECRYPT`(对称加解密) at [KMS Console](https://console.cloud.tencent.com/kms2) 33 | 2. Create a new CAM Secret at [CAM console](https://console.cloud.tencent.com/cam) or use an existing one(The secret should at least be allowed do the following actions : `"kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt"`). 34 | 3. Replace following placeholders in [tke-kms-plugin.yaml](deployment/tke-kms-plugin.yaml): 35 | - `{{REGION}}`: the region of KMS service, valid values: `ap-beijing`, `ap-guangzhou`, `ap-shanghai` 36 | - `{{KEY_ID}}`: the id (in UUID format) of the KMS key you just created 37 | - `{{SECRET_ID}}` and `{{SECRET_KEY}}`: the CAM Secret ID and Key you just created 38 | ```bash 39 | REGION= 40 | KEY_ID= 41 | SECRET_ID= 42 | SECRET_KEY= 43 | 44 | sed "s/{{REGION}}/$REGION/g; s/{{KEY_ID}}/$KEY_ID/g; s/{{SECRET_ID}}/$SECRET_ID/g; s/{{SECRET_KEY}}/$SECRET_KEY/g" deployment/tke-kms-plugin.yaml > ds-tke-kms-plugin.yaml 45 | 46 | ``` 47 | 4. (Optional) If you prefer to use your own docker image, replace `images: ccr.ccs.tencentyun.com/tke-plugin/tke-kms-plugin:1.0.0` with your own image. 48 | 5. Create the tke-kms-plugin daemonset: `kubectl apply -f ds-tke-kms-plugin.yaml` 49 | 6. Ensure all tke-kms-plugin pods are running: `kubectl get po -n kube-system -l name=tke-kms-plugin` 50 | 51 | ### Configuring kube-apiserver 52 | **On all masters:** 53 | 54 | 1. Create `/etc/kubernetes/encryption-provider-config.yaml` with following content: 55 | 56 | **Note**: For K8s v1.10~v1.13, you can specify the `timeout` parameter, although it is not supported. 57 | 58 | + for K8s v1.13+ 59 | ```yaml 60 | apiVersion: apiserver.config.k8s.io/v1 61 | kind: EncryptionConfiguration 62 | resources: 63 | - resources: 64 | - secrets 65 | providers: 66 | - kms: 67 | name: tke-kms-plugin 68 | timeout: 3s 69 | cachesize: 1000 70 | endpoint: unix:///var/run/tke-kms-plugin/server.sock 71 | - identity: {} 72 | ``` 73 | 74 | + for K8s v1.10~v1.12 75 | ```yaml 76 | apiVersion: v1 77 | kind: EncryptionConfig 78 | resources: 79 | - resources: 80 | - secrets 81 | providers: 82 | - kms: 83 | name: tke-kms-plugin 84 | timeout: 3s 85 | cachesize: 1000 86 | endpoint: unix:///var/run/tke-kms-plugin/server.sock 87 | - identity: {} 88 | 89 | ``` 90 | 91 | 2. Edit `/etc/kubernetes/manifests/kube-apiserver.yaml` (for TKE standalone clusters. And for TKE v1.10.5, you need to move `kube-apiserver.yaml` out of `/etc/kubernetes/manifests` directory, edit and move it back): 92 | 93 | + Add the following flag to `args` array: 94 | - for K8s v1.13+ : `--encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml` 95 | - for K8s v1.10~v1.12: `--experimental-encryption-provider-config=/etc/kubernetes/encryption-provider-config.yaml` 96 | 97 | + Add volume directives for `/var/run/tke-kms-plugin/server.sock`: 98 | 99 | ```yaml 100 | ... 101 | volumeMounts: 102 | - mountPath: /var/run/tke-kms-plugin 103 | name: tke-kms-plugin-dir 104 | ... 105 | volumes: 106 | - hostPath: 107 | path: /var/run/tke-kms-plugin 108 | name: tke-kms-plugin-dir 109 | ... 110 | ``` 111 | 112 | kube-apiserver will restart after you finish editing and save the file `/etc/kubernetes/manifests/kube-apiserver.yaml`. 113 | 114 | ## Verifying 115 | 116 | 1 Create a new secret 117 | 118 | ``` 119 | kubectl create secret generic secret1 -n default --from-literal=mykey=mydata 120 | ``` 121 | 122 | 2 Verify the secret is correctly decrypted: 123 | 124 | ``` 125 | kubectl get secret secret1 -o=jsonpath='{.data.mykey}' | base64 -d 126 | ``` 127 | The output should be `mydata`, the same as the value we used to create the secret. 128 | 129 | ## Reference 130 | 131 | For more infomation about Kubernetes KMS provider, please refer to [Using a KMS provider for data encryption](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/) 132 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 2 | github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 3 | github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 4 | github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 5 | github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= 6 | github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 7 | github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 8 | github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= 9 | github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= 10 | github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= 11 | github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= 12 | github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 13 | github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 14 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 15 | github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 16 | github.com/golang/protobuf v1.3.3 h1:gyjaxf+svBWX08ZjK86iN9geUJF0H6gp2IRKX6Nf6/I= 17 | github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 18 | github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ= 19 | github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 20 | github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= 21 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 22 | github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 23 | github.com/tencentcloud/tencentcloud-sdk-go v3.0.152+incompatible h1:XPgbr1nA5kF10pdR1AcckpTlVzGoxk/rfQqJBRY98vw= 24 | github.com/tencentcloud/tencentcloud-sdk-go v3.0.152+incompatible/go.mod h1:0PfYow01SHPMhKY31xa+EFz2RStxIqj6JFAJS+IkCi4= 25 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 26 | golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 27 | golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 28 | golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 29 | golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 30 | golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 31 | golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 32 | golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 33 | golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628= 34 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 35 | golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 36 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 37 | golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 38 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 39 | golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 40 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 41 | golang.org/x/sys v0.0.0-20200217220822-9197077df867 h1:JoRuNIf+rpHl+VhScRQQvzbHed86tKkqwPMV34T8myw= 42 | golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 43 | golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= 44 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 45 | golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 46 | golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 47 | golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 48 | golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 49 | golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 50 | google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= 51 | google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 52 | google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 53 | google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 h1:gSJIx1SDwno+2ElGhA4+qG2zF97qiUzTM+rQ0klBOcE= 54 | google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= 55 | google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 56 | google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= 57 | google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= 58 | google.golang.org/grpc v1.28.0 h1:bO/TA4OxCOummhSf10siHuG7vJOiwh7SpRpFZDkOgl4= 59 | google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= 60 | honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 61 | honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 62 | k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= 63 | k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= 64 | -------------------------------------------------------------------------------- /plugin/server.go: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2020 THL A29 Limited, a Tencent company. All rights reserved. 3 | * 4 | * TKE KMS Plugin 腾讯云TKE KMS插件 is licensed under the Apache License Version 2.0. 5 | */ 6 | 7 | package plugin 8 | 9 | import ( 10 | "context" 11 | "encoding/base64" 12 | "fmt" 13 | "net" 14 | "os" 15 | "strings" 16 | 17 | kmspb "tke-kms-plugin/v1beta1" 18 | 19 | "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common" 20 | "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/errors" 21 | "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile" 22 | kms "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/kms/v20190118" 23 | "golang.org/x/sys/unix" 24 | "google.golang.org/grpc" 25 | 26 | "k8s.io/klog" 27 | ) 28 | 29 | const ( 30 | // Unix Domain Socket 31 | netProtocol = "unix" 32 | 33 | // Version is the current kms api version 34 | Version = "v1beta1" 35 | runtime = "Tencent Cloud KMS" 36 | runtimeVersion = "0.1.0" 37 | ) 38 | 39 | // KMSServer is the struct containing config and the tke-kms-plugin gRPC server 40 | type KMSServer struct { 41 | client *kms.Client 42 | domain string 43 | region string 44 | KeyID string 45 | unixSocket string 46 | net.Listener 47 | *grpc.Server 48 | lastCreds *common.Credential 49 | //todo: get role auth 50 | } 51 | 52 | // NewKMSServer creates a new KMSServer instance 53 | func NewKMSServer(unixSocket, region, keyID string) (*KMSServer, error) { 54 | kmsServer := new(KMSServer) 55 | kmsServer.KeyID = keyID 56 | kmsServer.unixSocket = unixSocket 57 | kmsServer.region = region 58 | 59 | cpf := profile.NewClientProfile() 60 | //cpf.HttpProfile.Endpoint = "kms.tencentcloudapi.com" 61 | 62 | // TODO: role auth 63 | secretID := strings.TrimSpace(os.Getenv("SECRET_ID")) 64 | secretKey := strings.TrimSpace(os.Getenv("SECRET_KEY")) 65 | kmsServer.lastCreds = common.NewCredential(secretID, secretKey) 66 | 67 | client, err := kms.NewClient(kmsServer.lastCreds, kmsServer.region, cpf) 68 | if err != nil { 69 | return nil, err 70 | } 71 | kmsServer.client = client 72 | 73 | err = validateKeyID(client, keyID, region) 74 | if err != nil { 75 | return nil, err 76 | } 77 | 78 | return kmsServer, nil 79 | } 80 | 81 | // TODO: prepare for STS instance role func 82 | func (s *KMSServer) getRoleCreds(seconds int) { 83 | 84 | } 85 | 86 | func (s *KMSServer) setupRPCServer() error { 87 | if err := s.Clean(); err != nil { 88 | return err 89 | } 90 | 91 | listener, err := net.Listen(netProtocol, s.unixSocket) 92 | if err != nil { 93 | return fmt.Errorf("failed to start listener, error: %v", err) 94 | } 95 | s.Listener = listener 96 | 97 | server := grpc.NewServer() 98 | kmspb.RegisterKeyManagementServiceServer(server, s) 99 | s.Server = server 100 | 101 | go s.Server.Serve(s.Listener) 102 | 103 | klog.Infof("tke-kms-plugin gRPC server started and listening on %s", s.unixSocket) 104 | 105 | return nil 106 | } 107 | 108 | // StartRPCServer sets up and starts the tke-kms-plugin gPRC server 109 | func (s *KMSServer) StartRPCServer() (*grpc.Server, error) { 110 | if err := s.setupRPCServer(); err != nil { 111 | return nil, err 112 | } 113 | return s.Server, nil 114 | } 115 | 116 | // Clean removes the unix socket 117 | func (s *KMSServer) Clean() error { 118 | err := unix.Unlink(s.unixSocket) 119 | if err != nil && !os.IsNotExist(err) { 120 | return fmt.Errorf("failed to delete socket file, error: %v", err) 121 | } 122 | return nil 123 | } 124 | 125 | //Version return the current api version 126 | func (s *KMSServer) Version(ctx context.Context, 127 | request *kmspb.VersionRequest) (*kmspb.VersionResponse, error) { 128 | klog.V(4).Info("new request for Version") 129 | return &kmspb.VersionResponse{ 130 | Version: Version, 131 | RuntimeName: runtime, 132 | RuntimeVersion: runtimeVersion, 133 | }, nil 134 | } 135 | 136 | //Encrypt execute encryption operation in KMS providers. 137 | func (s *KMSServer) Encrypt(ctx context.Context, 138 | request *kmspb.EncryptRequest) (*kmspb.EncryptResponse, error) { 139 | klog.V(4).Info("new encrypt request") 140 | encReq := kms.NewEncryptRequest() 141 | params := `{"KeyId":"` + s.KeyID + `","Plaintext":"` + 142 | base64.StdEncoding.EncodeToString(request.Plain) + `"}` 143 | 144 | err := encReq.FromJsonString(params) 145 | if err != nil { 146 | panic(err) 147 | } 148 | response, err := s.client.Encrypt(encReq) 149 | if _, ok := err.(*errors.TencentCloudSDKError); ok { 150 | klog.Errorf("got API error when doing encryption: %v", err) 151 | } 152 | if err != nil { 153 | panic(err) 154 | } 155 | klog.V(4).Info("encrypt successfully") 156 | return &kmspb.EncryptResponse{Cipher: []byte(*response.Response.CiphertextBlob)}, nil 157 | } 158 | 159 | //Decrypt execute decryption operation in KMS providers. 160 | func (s *KMSServer) Decrypt(ctx context.Context, 161 | request *kmspb.DecryptRequest) (*kmspb.DecryptResponse, error) { 162 | klog.V(4).Info("new decrypt request") 163 | 164 | decReq := kms.NewDecryptRequest() 165 | params := `{"CiphertextBlob":"` + string(request.Cipher) + `"}` 166 | err := decReq.FromJsonString(params) 167 | if err != nil { 168 | panic(err) 169 | } 170 | response, err := s.client.Decrypt(decReq) 171 | if _, ok := err.(*errors.TencentCloudSDKError); ok { 172 | klog.Errorf("got API error when doing decryption: %v", err) 173 | } 174 | if err != nil { 175 | panic(err) 176 | } 177 | plaintext, _ := base64.StdEncoding.DecodeString(*response.Response.Plaintext) 178 | 179 | klog.V(4).Info("decrypt successfully") 180 | 181 | return &kmspb.DecryptResponse{Plain: []byte(plaintext)}, nil 182 | } 183 | 184 | func validateKeyID(client *kms.Client, keyID, region string) error { 185 | req := kms.NewDescribeKeyRequest() 186 | err := req.FromJsonString(`{"keyId":"` + keyID + `"}`) 187 | if err != nil { 188 | return err 189 | } 190 | 191 | resp, err := client.DescribeKey(req) 192 | if err != nil { 193 | return err 194 | } 195 | 196 | // This situation should not happen, since TencentCloudSDKError with 197 | // code ResourceUnavailable.CmkNotFound will be caugth if key does not exist 198 | if resp.Response == nil { 199 | return fmt.Errorf("Key %s does not exist in region %s. Please create it before "+ 200 | "using tke-kms-plugin", keyID, region) 201 | } 202 | 203 | if *resp.Response.KeyMetadata.KeyState != "Enabled" { 204 | return fmt.Errorf("Key %s in region %s is not enabled", keyID, region) 205 | } 206 | 207 | if *resp.Response.KeyMetadata.KeyUsage != "ENCRYPT_DECRYPT" { 208 | return fmt.Errorf("Key %s in region %s is of type %s, not ENCRYPT_DECRYPT", keyID, region, 209 | *resp.Response.KeyMetadata.KeyUsage) 210 | } 211 | 212 | return nil 213 | } 214 | -------------------------------------------------------------------------------- /LICENSE.TXT: -------------------------------------------------------------------------------- 1 | Tencent is pleased to support the open source community by making TKE KMS Plugin 腾讯云TKE KMS插件 available. 2 | 3 | Copyright (C) 2020 THL A29 Limited, a Tencent company. All rights reserved. 4 | 5 | TKE KMS Plugin 腾讯云TKE KMS插件 is licensed under the Apache License Version 2.0. 6 | 7 | Terms of the Apache License, Version 2.0: 8 | --------------------------------------------------- 9 | Apache License 10 | Version 2.0, January 2004 11 | http://www.apache.org/licenses/ 12 | 13 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 14 | 15 | 1. Definitions. 16 | 17 | "License" shall mean the terms and conditions for use, reproduction, 18 | and distribution as defined by Sections 1 through 9 of this document. 19 | 20 | "Licensor" shall mean the copyright owner or entity authorized by 21 | the copyright owner that is granting the License. 22 | 23 | "Legal Entity" shall mean the union of the acting entity and all 24 | other entities that control, are controlled by, or are under common 25 | control with that entity. For the purposes of this definition, 26 | "control" means (i) the power, direct or indirect, to cause the 27 | direction or management of such entity, whether by contract or 28 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 29 | outstanding shares, or (iii) beneficial ownership of such entity. 30 | 31 | "You" (or "Your") shall mean an individual or Legal Entity 32 | exercising permissions granted by this License. 33 | 34 | "Source" form shall mean the preferred form for making modifications, 35 | including but not limited to software source code, documentation 36 | source, and configuration files. 37 | 38 | "Object" form shall mean any form resulting from mechanical 39 | transformation or translation of a Source form, including but 40 | not limited to compiled object code, generated documentation, 41 | and conversions to other media types. 42 | 43 | "Work" shall mean the work of authorship, whether in Source or 44 | Object form, made available under the License, as indicated by a 45 | copyright notice that is included in or attached to the work 46 | (an example is provided in the Appendix below). 47 | 48 | "Derivative Works" shall mean any work, whether in Source or Object 49 | form, that is based on (or derived from) the Work and for which the 50 | editorial revisions, annotations, elaborations, or other modifications 51 | represent, as a whole, an original work of authorship. For the purposes 52 | of this License, Derivative Works shall not include works that remain 53 | separable from, or merely link (or bind by name) to the interfaces of, 54 | the Work and Derivative Works thereof. 55 | 56 | "Contribution" shall mean any work of authorship, including 57 | the original version of the Work and any modifications or additions 58 | to that Work or Derivative Works thereof, that is intentionally 59 | submitted to Licensor for inclusion in the Work by the copyright owner 60 | or by an individual or Legal Entity authorized to submit on behalf of 61 | the copyright owner. For the purposes of this definition, "submitted" 62 | means any form of electronic, verbal, or written communication sent 63 | to the Licensor or its representatives, including but not limited to 64 | communication on electronic mailing lists, source code control systems, 65 | and issue tracking systems that are managed by, or on behalf of, the 66 | Licensor for the purpose of discussing and improving the Work, but 67 | excluding communication that is conspicuously marked or otherwise 68 | designated in writing by the copyright owner as "Not a Contribution." 69 | 70 | "Contributor" shall mean Licensor and any individual or Legal Entity 71 | on behalf of whom a Contribution has been received by Licensor and 72 | subsequently incorporated within the Work. 73 | 74 | 2. Grant of Copyright License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | copyright license to reproduce, prepare Derivative Works of, 78 | publicly display, publicly perform, sublicense, and distribute the 79 | Work and such Derivative Works in Source or Object form. 80 | 81 | 3. Grant of Patent License. Subject to the terms and conditions of 82 | this License, each Contributor hereby grants to You a perpetual, 83 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 84 | (except as stated in this section) patent license to make, have made, 85 | use, offer to sell, sell, import, and otherwise transfer the Work, 86 | where such license applies only to those patent claims licensable 87 | by such Contributor that are necessarily infringed by their 88 | Contribution(s) alone or by combination of their Contribution(s) 89 | with the Work to which such Contribution(s) was submitted. If You 90 | institute patent litigation against any entity (including a 91 | cross-claim or counterclaim in a lawsuit) alleging that the Work 92 | or a Contribution incorporated within the Work constitutes direct 93 | or contributory patent infringement, then any patent licenses 94 | granted to You under this License for that Work shall terminate 95 | as of the date such litigation is filed. 96 | 97 | 4. Redistribution. You may reproduce and distribute copies of the 98 | Work or Derivative Works thereof in any medium, with or without 99 | modifications, and in Source or Object form, provided that You 100 | meet the following conditions: 101 | 102 | (a) You must give any other recipients of the Work or 103 | Derivative Works a copy of this License; and 104 | 105 | (b) You must cause any modified files to carry prominent notices 106 | stating that You changed the files; and 107 | 108 | (c) You must retain, in the Source form of any Derivative Works 109 | that You distribute, all copyright, patent, trademark, and 110 | attribution notices from the Source form of the Work, 111 | excluding those notices that do not pertain to any part of 112 | the Derivative Works; and 113 | 114 | (d) If the Work includes a "NOTICE" text file as part of its 115 | distribution, then any Derivative Works that You distribute must 116 | include a readable copy of the attribution notices contained 117 | within such NOTICE file, excluding those notices that do not 118 | pertain to any part of the Derivative Works, in at least one 119 | of the following places: within a NOTICE text file distributed 120 | as part of the Derivative Works; within the Source form or 121 | documentation, if provided along with the Derivative Works; or, 122 | within a display generated by the Derivative Works, if and 123 | wherever such third-party notices normally appear. The contents 124 | of the NOTICE file are for informational purposes only and 125 | do not modify the License. You may add Your own attribution 126 | notices within Derivative Works that You distribute, alongside 127 | or as an addendum to the NOTICE text from the Work, provided 128 | that such additional attribution notices cannot be construed 129 | as modifying the License. 130 | 131 | You may add Your own copyright statement to Your modifications and 132 | may provide additional or different license terms and conditions 133 | for use, reproduction, or distribution of Your modifications, or 134 | for any such Derivative Works as a whole, provided Your use, 135 | reproduction, and distribution of the Work otherwise complies with 136 | the conditions stated in this License. 137 | 138 | 5. Submission of Contributions. Unless You explicitly state otherwise, 139 | any Contribution intentionally submitted for inclusion in the Work 140 | by You to the Licensor shall be under the terms and conditions of 141 | this License, without any additional terms or conditions. 142 | Notwithstanding the above, nothing herein shall supersede or modify 143 | the terms of any separate license agreement you may have executed 144 | with Licensor regarding such Contributions. 145 | 146 | 6. Trademarks. This License does not grant permission to use the trade 147 | names, trademarks, service marks, or product names of the Licensor, 148 | except as required for reasonable and customary use in describing the 149 | origin of the Work and reproducing the content of the NOTICE file. 150 | 151 | 7. Disclaimer of Warranty. Unless required by applicable law or 152 | agreed to in writing, Licensor provides the Work (and each 153 | Contributor provides its Contributions) on an "AS IS" BASIS, 154 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 155 | implied, including, without limitation, any warranties or conditions 156 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 157 | PARTICULAR PURPOSE. You are solely responsible for determining the 158 | appropriateness of using or redistributing the Work and assume any 159 | risks associated with Your exercise of permissions under this License. 160 | 161 | 8. Limitation of Liability. In no event and under no legal theory, 162 | whether in tort (including negligence), contract, or otherwise, 163 | unless required by applicable law (such as deliberate and grossly 164 | negligent acts) or agreed to in writing, shall any Contributor be 165 | liable to You for damages, including any direct, indirect, special, 166 | incidental, or consequential damages of any character arising as a 167 | result of this License or out of the use or inability to use the 168 | Work (including but not limited to damages for loss of goodwill, 169 | work stoppage, computer failure or malfunction, or any and all 170 | other commercial damages or losses), even if such Contributor 171 | has been advised of the possibility of such damages. 172 | 173 | 9. Accepting Warranty or Additional Liability. While redistributing 174 | the Work or Derivative Works thereof, You may choose to offer, 175 | and charge a fee for, acceptance of support, warranty, indemnity, 176 | or other liability obligations and/or rights consistent with this 177 | License. However, in accepting such obligations, You may act only 178 | on Your own behalf and on Your sole responsibility, not on behalf 179 | of any other Contributor, and only if You agree to indemnify, 180 | defend, and hold each Contributor harmless for any liability 181 | incurred by, or claims asserted against, such Contributor by reason 182 | of your accepting any such warranty or additional liability. 183 | 184 | END OF TERMS AND CONDITIONS 185 | 186 | APPENDIX: How to apply the Apache License to your work. 187 | 188 | To apply the Apache License to your work, attach the following 189 | boilerplate notice, with the fields enclosed by brackets "[]" 190 | replaced with your own identifying information. (Don't include 191 | the brackets!) The text should be enclosed in the appropriate 192 | comment syntax for the file format. We also recommend that a 193 | file or class name and description of purpose be included on the 194 | same "printed page" as the copyright notice for easier 195 | identification within third-party archives. 196 | 197 | Copyright [yyyy] [name of copyright owner] 198 | 199 | Licensed under the Apache License, Version 2.0 (the "License"); 200 | you may not use this file except in compliance with the License. 201 | You may obtain a copy of the License at 202 | 203 | http://www.apache.org/licenses/LICENSE-2.0 204 | 205 | Unless required by applicable law or agreed to in writing, software 206 | distributed under the License is distributed on an "AS IS" BASIS, 207 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 208 | See the License for the specific language governing permissions and 209 | limitations under the License. -------------------------------------------------------------------------------- /v1beta1/service.pb.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // Code generated by protoc-gen-gogo. DO NOT EDIT. 18 | // source: service.proto 19 | 20 | /* 21 | Package v1beta1 is a generated protocol buffer package. 22 | 23 | It is generated from these files: 24 | service.proto 25 | 26 | It has these top-level messages: 27 | VersionRequest 28 | VersionResponse 29 | DecryptRequest 30 | DecryptResponse 31 | EncryptRequest 32 | EncryptResponse 33 | */ 34 | package v1beta1 35 | 36 | import ( 37 | fmt "fmt" 38 | math "math" 39 | 40 | proto "github.com/gogo/protobuf/proto" 41 | context "golang.org/x/net/context" 42 | grpc "google.golang.org/grpc" 43 | ) 44 | 45 | // Reference imports to suppress errors if they are not otherwise used. 46 | var _ = proto.Marshal 47 | var _ = fmt.Errorf 48 | var _ = math.Inf 49 | 50 | // This is a compile-time assertion to ensure that this generated file 51 | // is compatible with the proto package it is being compiled against. 52 | // A compilation error at this line likely means your copy of the 53 | // proto package needs to be updated. 54 | const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package 55 | 56 | type VersionRequest struct { 57 | // Version of the KMS plugin API. 58 | Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` 59 | } 60 | 61 | func (m *VersionRequest) Reset() { *m = VersionRequest{} } 62 | func (m *VersionRequest) String() string { return proto.CompactTextString(m) } 63 | func (*VersionRequest) ProtoMessage() {} 64 | func (*VersionRequest) Descriptor() ([]byte, []int) { return fileDescriptorService, []int{0} } 65 | 66 | func (m *VersionRequest) GetVersion() string { 67 | if m != nil { 68 | return m.Version 69 | } 70 | return "" 71 | } 72 | 73 | type VersionResponse struct { 74 | // Version of the KMS plugin API. 75 | Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` 76 | // Name of the KMS provider. 77 | RuntimeName string `protobuf:"bytes,2,opt,name=runtime_name,json=runtimeName,proto3" json:"runtime_name,omitempty"` 78 | // Version of the KMS provider. The string must be semver-compatible. 79 | RuntimeVersion string `protobuf:"bytes,3,opt,name=runtime_version,json=runtimeVersion,proto3" json:"runtime_version,omitempty"` 80 | } 81 | 82 | func (m *VersionResponse) Reset() { *m = VersionResponse{} } 83 | func (m *VersionResponse) String() string { return proto.CompactTextString(m) } 84 | func (*VersionResponse) ProtoMessage() {} 85 | func (*VersionResponse) Descriptor() ([]byte, []int) { return fileDescriptorService, []int{1} } 86 | 87 | func (m *VersionResponse) GetVersion() string { 88 | if m != nil { 89 | return m.Version 90 | } 91 | return "" 92 | } 93 | 94 | func (m *VersionResponse) GetRuntimeName() string { 95 | if m != nil { 96 | return m.RuntimeName 97 | } 98 | return "" 99 | } 100 | 101 | func (m *VersionResponse) GetRuntimeVersion() string { 102 | if m != nil { 103 | return m.RuntimeVersion 104 | } 105 | return "" 106 | } 107 | 108 | type DecryptRequest struct { 109 | // Version of the KMS plugin API. 110 | Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` 111 | // The data to be decrypted. 112 | Cipher []byte `protobuf:"bytes,2,opt,name=cipher,proto3" json:"cipher,omitempty"` 113 | } 114 | 115 | func (m *DecryptRequest) Reset() { *m = DecryptRequest{} } 116 | func (m *DecryptRequest) String() string { return proto.CompactTextString(m) } 117 | func (*DecryptRequest) ProtoMessage() {} 118 | func (*DecryptRequest) Descriptor() ([]byte, []int) { return fileDescriptorService, []int{2} } 119 | 120 | func (m *DecryptRequest) GetVersion() string { 121 | if m != nil { 122 | return m.Version 123 | } 124 | return "" 125 | } 126 | 127 | func (m *DecryptRequest) GetCipher() []byte { 128 | if m != nil { 129 | return m.Cipher 130 | } 131 | return nil 132 | } 133 | 134 | type DecryptResponse struct { 135 | // The decrypted data. 136 | Plain []byte `protobuf:"bytes,1,opt,name=plain,proto3" json:"plain,omitempty"` 137 | } 138 | 139 | func (m *DecryptResponse) Reset() { *m = DecryptResponse{} } 140 | func (m *DecryptResponse) String() string { return proto.CompactTextString(m) } 141 | func (*DecryptResponse) ProtoMessage() {} 142 | func (*DecryptResponse) Descriptor() ([]byte, []int) { return fileDescriptorService, []int{3} } 143 | 144 | func (m *DecryptResponse) GetPlain() []byte { 145 | if m != nil { 146 | return m.Plain 147 | } 148 | return nil 149 | } 150 | 151 | type EncryptRequest struct { 152 | // Version of the KMS plugin API. 153 | Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` 154 | // The data to be encrypted. 155 | Plain []byte `protobuf:"bytes,2,opt,name=plain,proto3" json:"plain,omitempty"` 156 | } 157 | 158 | func (m *EncryptRequest) Reset() { *m = EncryptRequest{} } 159 | func (m *EncryptRequest) String() string { return proto.CompactTextString(m) } 160 | func (*EncryptRequest) ProtoMessage() {} 161 | func (*EncryptRequest) Descriptor() ([]byte, []int) { return fileDescriptorService, []int{4} } 162 | 163 | func (m *EncryptRequest) GetVersion() string { 164 | if m != nil { 165 | return m.Version 166 | } 167 | return "" 168 | } 169 | 170 | func (m *EncryptRequest) GetPlain() []byte { 171 | if m != nil { 172 | return m.Plain 173 | } 174 | return nil 175 | } 176 | 177 | type EncryptResponse struct { 178 | // The encrypted data. 179 | Cipher []byte `protobuf:"bytes,1,opt,name=cipher,proto3" json:"cipher,omitempty"` 180 | } 181 | 182 | func (m *EncryptResponse) Reset() { *m = EncryptResponse{} } 183 | func (m *EncryptResponse) String() string { return proto.CompactTextString(m) } 184 | func (*EncryptResponse) ProtoMessage() {} 185 | func (*EncryptResponse) Descriptor() ([]byte, []int) { return fileDescriptorService, []int{5} } 186 | 187 | func (m *EncryptResponse) GetCipher() []byte { 188 | if m != nil { 189 | return m.Cipher 190 | } 191 | return nil 192 | } 193 | 194 | func init() { 195 | proto.RegisterType((*VersionRequest)(nil), "v1beta1.VersionRequest") 196 | proto.RegisterType((*VersionResponse)(nil), "v1beta1.VersionResponse") 197 | proto.RegisterType((*DecryptRequest)(nil), "v1beta1.DecryptRequest") 198 | proto.RegisterType((*DecryptResponse)(nil), "v1beta1.DecryptResponse") 199 | proto.RegisterType((*EncryptRequest)(nil), "v1beta1.EncryptRequest") 200 | proto.RegisterType((*EncryptResponse)(nil), "v1beta1.EncryptResponse") 201 | } 202 | 203 | // Reference imports to suppress errors if they are not otherwise used. 204 | var _ context.Context 205 | var _ grpc.ClientConn 206 | 207 | // This is a compile-time assertion to ensure that this generated file 208 | // is compatible with the grpc package it is being compiled against. 209 | const _ = grpc.SupportPackageIsVersion4 210 | 211 | // Client API for KeyManagementService service 212 | 213 | type KeyManagementServiceClient interface { 214 | // Version returns the runtime name and runtime version of the KMS provider. 215 | Version(ctx context.Context, in *VersionRequest, opts ...grpc.CallOption) (*VersionResponse, error) 216 | // Execute decryption operation in KMS provider. 217 | Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) 218 | // Execute encryption operation in KMS provider. 219 | Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error) 220 | } 221 | 222 | type keyManagementServiceClient struct { 223 | cc *grpc.ClientConn 224 | } 225 | 226 | func NewKeyManagementServiceClient(cc *grpc.ClientConn) KeyManagementServiceClient { 227 | return &keyManagementServiceClient{cc} 228 | } 229 | 230 | func (c *keyManagementServiceClient) Version(ctx context.Context, in *VersionRequest, opts ...grpc.CallOption) (*VersionResponse, error) { 231 | out := new(VersionResponse) 232 | err := grpc.Invoke(ctx, "/v1beta1.KeyManagementService/Version", in, out, c.cc, opts...) 233 | if err != nil { 234 | return nil, err 235 | } 236 | return out, nil 237 | } 238 | 239 | func (c *keyManagementServiceClient) Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) { 240 | out := new(DecryptResponse) 241 | err := grpc.Invoke(ctx, "/v1beta1.KeyManagementService/Decrypt", in, out, c.cc, opts...) 242 | if err != nil { 243 | return nil, err 244 | } 245 | return out, nil 246 | } 247 | 248 | func (c *keyManagementServiceClient) Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error) { 249 | out := new(EncryptResponse) 250 | err := grpc.Invoke(ctx, "/v1beta1.KeyManagementService/Encrypt", in, out, c.cc, opts...) 251 | if err != nil { 252 | return nil, err 253 | } 254 | return out, nil 255 | } 256 | 257 | // Server API for KeyManagementService service 258 | 259 | type KeyManagementServiceServer interface { 260 | // Version returns the runtime name and runtime version of the KMS provider. 261 | Version(context.Context, *VersionRequest) (*VersionResponse, error) 262 | // Execute decryption operation in KMS provider. 263 | Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error) 264 | // Execute encryption operation in KMS provider. 265 | Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error) 266 | } 267 | 268 | func RegisterKeyManagementServiceServer(s *grpc.Server, srv KeyManagementServiceServer) { 269 | s.RegisterService(&_KeyManagementService_serviceDesc, srv) 270 | } 271 | 272 | func _KeyManagementService_Version_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { 273 | in := new(VersionRequest) 274 | if err := dec(in); err != nil { 275 | return nil, err 276 | } 277 | if interceptor == nil { 278 | return srv.(KeyManagementServiceServer).Version(ctx, in) 279 | } 280 | info := &grpc.UnaryServerInfo{ 281 | Server: srv, 282 | FullMethod: "/v1beta1.KeyManagementService/Version", 283 | } 284 | handler := func(ctx context.Context, req interface{}) (interface{}, error) { 285 | return srv.(KeyManagementServiceServer).Version(ctx, req.(*VersionRequest)) 286 | } 287 | return interceptor(ctx, in, info, handler) 288 | } 289 | 290 | func _KeyManagementService_Decrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { 291 | in := new(DecryptRequest) 292 | if err := dec(in); err != nil { 293 | return nil, err 294 | } 295 | if interceptor == nil { 296 | return srv.(KeyManagementServiceServer).Decrypt(ctx, in) 297 | } 298 | info := &grpc.UnaryServerInfo{ 299 | Server: srv, 300 | FullMethod: "/v1beta1.KeyManagementService/Decrypt", 301 | } 302 | handler := func(ctx context.Context, req interface{}) (interface{}, error) { 303 | return srv.(KeyManagementServiceServer).Decrypt(ctx, req.(*DecryptRequest)) 304 | } 305 | return interceptor(ctx, in, info, handler) 306 | } 307 | 308 | func _KeyManagementService_Encrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { 309 | in := new(EncryptRequest) 310 | if err := dec(in); err != nil { 311 | return nil, err 312 | } 313 | if interceptor == nil { 314 | return srv.(KeyManagementServiceServer).Encrypt(ctx, in) 315 | } 316 | info := &grpc.UnaryServerInfo{ 317 | Server: srv, 318 | FullMethod: "/v1beta1.KeyManagementService/Encrypt", 319 | } 320 | handler := func(ctx context.Context, req interface{}) (interface{}, error) { 321 | return srv.(KeyManagementServiceServer).Encrypt(ctx, req.(*EncryptRequest)) 322 | } 323 | return interceptor(ctx, in, info, handler) 324 | } 325 | 326 | var _KeyManagementService_serviceDesc = grpc.ServiceDesc{ 327 | ServiceName: "v1beta1.KeyManagementService", 328 | HandlerType: (*KeyManagementServiceServer)(nil), 329 | Methods: []grpc.MethodDesc{ 330 | { 331 | MethodName: "Version", 332 | Handler: _KeyManagementService_Version_Handler, 333 | }, 334 | { 335 | MethodName: "Decrypt", 336 | Handler: _KeyManagementService_Decrypt_Handler, 337 | }, 338 | { 339 | MethodName: "Encrypt", 340 | Handler: _KeyManagementService_Encrypt_Handler, 341 | }, 342 | }, 343 | Streams: []grpc.StreamDesc{}, 344 | Metadata: "service.proto", 345 | } 346 | 347 | func init() { proto.RegisterFile("service.proto", fileDescriptorService) } 348 | 349 | var fileDescriptorService = []byte{ 350 | // 287 bytes of a gzipped FileDescriptorProto 351 | 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x52, 0xcd, 0x4a, 0xc4, 0x30, 352 | 0x10, 0xde, 0xae, 0xb8, 0xc5, 0xb1, 0xb6, 0x10, 0x16, 0x2d, 0x9e, 0x34, 0x97, 0x55, 0x0f, 0x85, 353 | 0xd5, 0xbb, 0x88, 0xe8, 0x49, 0xf4, 0x50, 0xc1, 0xab, 0x64, 0xcb, 0xa0, 0x05, 0x9b, 0xc6, 0x24, 354 | 0x5b, 0xd9, 0x17, 0xf5, 0x79, 0xc4, 0x66, 0x5a, 0xd3, 0x15, 0x71, 0x8f, 0x33, 0x99, 0xef, 0x6f, 355 | 0x26, 0xb0, 0x67, 0x50, 0x37, 0x65, 0x81, 0x99, 0xd2, 0xb5, 0xad, 0x59, 0xd8, 0xcc, 0x17, 0x68, 356 | 0xc5, 0x9c, 0x9f, 0x41, 0xfc, 0x84, 0xda, 0x94, 0xb5, 0xcc, 0xf1, 0x7d, 0x89, 0xc6, 0xb2, 0x14, 357 | 0xc2, 0xc6, 0x75, 0xd2, 0xe0, 0x28, 0x38, 0xd9, 0xc9, 0xbb, 0x92, 0x7f, 0x40, 0xd2, 0xcf, 0x1a, 358 | 0x55, 0x4b, 0x83, 0x7f, 0x0f, 0xb3, 0x63, 0x88, 0xf4, 0x52, 0xda, 0xb2, 0xc2, 0x67, 0x29, 0x2a, 359 | 0x4c, 0xc7, 0xed, 0xf3, 0x2e, 0xf5, 0x1e, 0x44, 0x85, 0x6c, 0x06, 0x49, 0x37, 0xd2, 0x91, 0x6c, 360 | 0xb5, 0x53, 0x31, 0xb5, 0x49, 0x8d, 0x5f, 0x43, 0x7c, 0x83, 0x85, 0x5e, 0x29, 0xfb, 0xaf, 0x49, 361 | 0xb6, 0x0f, 0x93, 0xa2, 0x54, 0xaf, 0xa8, 0x5b, 0xc5, 0x28, 0xa7, 0x8a, 0xcf, 0x20, 0xe9, 0x39, 362 | 0xc8, 0xfc, 0x14, 0xb6, 0xd5, 0x9b, 0x28, 0x1d, 0x45, 0x94, 0xbb, 0x82, 0x5f, 0x41, 0x7c, 0x2b, 363 | 0x37, 0x14, 0xeb, 0x19, 0xc6, 0x3e, 0xc3, 0x29, 0x24, 0x3d, 0x03, 0x49, 0xfd, 0xb8, 0x0a, 0x7c, 364 | 0x57, 0xe7, 0x9f, 0x01, 0x4c, 0xef, 0x70, 0x75, 0x2f, 0xa4, 0x78, 0xc1, 0x0a, 0xa5, 0x7d, 0x74, 365 | 0x67, 0x62, 0x97, 0x10, 0x52, 0x7a, 0x76, 0x90, 0xd1, 0xb1, 0xb2, 0xe1, 0xa5, 0x0e, 0xd3, 0xdf, 366 | 0x0f, 0x4e, 0x8e, 0x8f, 0xbe, 0xf1, 0x14, 0xd7, 0xc3, 0x0f, 0x97, 0xe8, 0xe1, 0xd7, 0x36, 0xe3, 367 | 0xf0, 0x94, 0xc1, 0xc3, 0x0f, 0xf7, 0xe2, 0xe1, 0xd7, 0xe2, 0xf2, 0xd1, 0x62, 0xd2, 0xfe, 0xb3, 368 | 0x8b, 0xaf, 0x00, 0x00, 0x00, 0xff, 0xff, 0x33, 0x8d, 0x09, 0xe1, 0x78, 0x02, 0x00, 0x00, 369 | } 370 | --------------------------------------------------------------------------------