Expose kms timeout value via encryption config.

[immutableT]

What type of PR is this?

/kind feature
What this PR does / why we need it:
Expose, via EncryptionConfiguration, the timeout value that kube-apiserver will use when awaiting responses from kms-plugin.

This is a followup to 68585, were a timeout was added to calls from kube-apiserver to kms-plugin. This PR exposes the value of the timeout via EncryptionConfiguration. Providing the appropriate value of the timeout should be left to cluster managers who are familiar with the environment in which the cluster and the plugin operate. For example, KMS rooted in in a hardware device like (HSM/TPM) may have fairly long delays (seconds), while in memory KMS implementations would have timeouts in the range of milliseconds.
Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

kube-apiserver: When configuring integration with external KMS Providers, users  can supply timeout value (i.e. how long should kube-apiserver wait before giving up on a call to KMS).  (@immutableT )

[immutableT]

/assign @liggitt

[liggitt]

document the default if unspecified

[liggitt]

document the default if unspecified

[liggitt]

should be *metav1.Duration so we can tell the difference between "0" and unspecified

[liggitt]

should be +optional and omitempty, right?

[immutableT]

@liggitt PTAL.

[immutableT]

/test pull-kubernetes-verify

[liggitt]

The failure is legitimate. The generated files need to be regenerated and checked in

[immutableT]

/test pull-kubernetes-e2e-kops-aws

[immutableT]

thanks @liggitt

[liggitt]

one comment on validation, then squash, lgtm otherwise

[liggitt]

what does a zero timeout do?

[immutableT]

@liggitt good catch - zero seems to make gRPC calls to kms-plugin fail no matter what - even when plugin is up and running before kube-apiserver makes its first call.
Based on that, changed the validation logic to prohibit zero.
Added unit test to cover timeout test cases; let me know if I should put them on a separate PR.

[immutableT]

@liggitt PTAL.

[immutableT]

/test pull-kubernetes-e2e-gce-device-plugin-gpu
/test pull-kubernetes-kubemark-e2e-gce-big

[immutableT]

/test pull-kubernetes-integration

[liggitt]

/lgtm
/approve

please detail the config field in the release note and open a doc PR to update the encryption docs for 1.14

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: immutableT, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• staging/src/k8s.io/apiserver/pkg/apis/OWNERS [liggitt]
• staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/OWNERS [immutableT,liggitt]
• staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/OWNERS [immutableT,liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[immutableT]

Documentation PR 12158 submitted.
kubernetes/website#12158

[rtheis]

@liggitt is this something that could be cherry-picked to 1.13?