kubeapiserver: rename '--experimental-encryption-provider-config' to …

[marrrvin]

…'--encryption-provider-config'.

This change renames the '--experimental-encryption-provider-config' flag to '--encryption-provider-config'. The old flag is accepted but generates a warning.

In 1.12, we will drop support for '--experimental-encryption-provider-config' entirely.

What this PR does / why we need it:

Encryption at rest with static configs has been promoted to beta.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Updates #61420

Special notes for your reviewer:

Release note:

Encryption at rest with static configs has been promoted to beta.
API server flag `--experimental-encryption-provider-config` has been renamed to `--encryption-provider-config`. The old flag is accepted with a warning but will be removed in 1.12.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: marrrvin
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approvers: deads2k, mwielgus

Assign the PR to them by writing /assign @deads2k @mwielgus in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• cluster/gce/OWNERS
• staging/src/k8s.io/apiserver/OWNERS
• test/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[marrrvin]

@php-coder FYI

[php-coder]

@marrrvin Thank you for your contribution!

Could you update PR title to make it shorter?

Also in the description, please, replace Fixes # by Fixes #61420 (in this case when PR will get merged, the related issue will be closed automatically).

And this issue deserves to be mentioned in the changelog, hence release note is needed. I'd suggest to something like:

Encryption at rest with static configs has been promoted to beta.
API server flag `--experimental-encryption-provider-config` has been renamed to `--encryption-provider-config`. The old flag is accepted with a warning but will be removed in 1.12

@ericchiang @liggitt PTAL. Do we need release note with required action in this case?

/sig auth
/ok-to-test

[php-coder]

@marrrvin Please, mention also that Encryption at rest with static configs has been promoted to beta. This is important message to users that it's not in Alpha anymore.

[liggitt]

before this can be merged, we have to fix the way the encryption config is parsed. currently it uses a non-standard parsing method that pays no attention to the version of the config:

kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go

Lines 67 to 79 in dce1b88

	var config EncryptionConfig
	err = yaml.Unmarshal(configFileContents, &config)
	if err != nil {
	return nil, fmt.Errorf("error while parsing file: %v", err)
	}
	if config.Kind == "" {
	return nil, fmt.Errorf("invalid configuration file, missing Kind")
	}
	if config.Kind != "EncryptionConfig" {
	return nil, fmt.Errorf("invalid configuration kind %q provided", config.Kind)
	}
	// TODO config.APIVersion is unchecked

the types must change to use standard methods for including kind/apiVersion (inlining metav1.TypeMeta like all other objects), define a versioned config (we can promote straight to v1beta1 if we don't require any structural changes), and parsing must require well-formed config files before this is promoted out of experimental mode.

[marrrvin]

@liggitt Thanks. Could you please put me an example of standard parsing method?

[php-coder]

Could you please put me an example of standard parsing method?

Looks like you may follow this example:

kubernetes/cmd/kube-proxy/app/server.go

Lines 292 to 314 in dce1b88

	// loadConfigFromFile loads the contents of file and decodes it as a
	// KubeProxyConfiguration object.
	func (o *Options) loadConfigFromFile(file string) (*kubeproxyconfig.KubeProxyConfiguration, error) {
	data, err := ioutil.ReadFile(file)
	if err != nil {
	return nil, err
	}
	return o.loadConfig(data)
	}
	// loadConfig decodes data as a KubeProxyConfiguration object.
	func (o *Options) loadConfig(data []byte) (*kubeproxyconfig.KubeProxyConfiguration, error) {
	configObj, gvk, err := o.codecs.UniversalDecoder().Decode(data, nil, nil)
	if err != nil {
	return nil, err
	}
	config, ok := configObj.(*kubeproxyconfig.KubeProxyConfiguration)
	if !ok {
	return nil, fmt.Errorf("got unexpected config type: %v", gvk)
	}
	return config, nil
	}

@liggitt Please, confirm.

[liggitt]

yes, roughly that.

1. fix type definition to actually be a runtime object, inline TypeMeta, etc
2. define v1beta1 API types, generate conversions/defaults
3. define scheme/codecs that have the external (v1beta1) and internal (existing) types registered
4. use that scheme/codec to load the config (handles decoding the v1beta1 version, conversion to internal version)

[php-coder]

@liggitt Thanks, Jordan! I've extracted this task to the separate issue: #61599

[k8s-ci-robot]

@marrrvin: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[dims]

Looks like changes requested by @liggitt was done in another PR

[php-coder]

Looks like changes requested by @liggitt was done in another PR

Not yet, unfortunately (as now that PR requires another PR :) )

[php-coder]

Besides rebasing against the latest master, we need to also update another place that was introduced recently:

$ git grep 'experimental-encryption-provider-config'
...
cluster/gce/gci/apiserver_manifest_test.go:     return fmt.Sprintf("--experimental-encryption-provider-config=%s", path)
cluster/gce/gci/apiserver_manifest_test.go:// EncryptionProviderConfig file of type KMS and inject experimental-encryption-provider-config startup flag.

[marrrvin]

@php-coder ok. I'll try to do it on holidays.

[dims]

/milestone v1.12

Looks like this needs to be in 1.12 please drop the milestone if i am reading this wrong

[dims]

@marrrvin can you please rebase?

[liggitt]

/hold

while this is definitely desired, we shouldn't drop the experimental prefix until the config driving this graduates from alpha (in progress in #67383)

[shubheksha]

ping @marrrvin, @liggitt - is this on track for 1.13 since there hasn't been any update?

[dims]

@marrrvin this needs rebase ... code freeze is tomorrow! ( https://github.com/kubernetes/sig-release/tree/master/releases/release-1.13 )

[stlaz]

@dims should we just do the rebase ourselves? I've got it ready in https://github.com/stlaz/kubernetes/tree/enc_config_opt but won't be able to push it in this PR.
The hold could also be dropped since the alpha->stable PR was pushed already.

[dims]

@stlaz please open a fresh PR and we can discuss there.

[stlaz]

@dims Done in #71206

[stlaz]

This PR can now be closed as the above one was merged.

[php-coder]

/close

[k8s-ci-robot]

@php-coder: Closed this PR.

Details

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.