From 54b5aa5a416d9f581ad3132f1513894ef48fdf31 Mon Sep 17 00:00:00 2001 From: haoranleo Date: Thu, 30 Oct 2025 11:15:05 -0700 Subject: [PATCH 01/18] Categorize explicit deny policy in IAM role as user induced --- pkg/kmsplugin/kms.go | 8 +++++--- pkg/kmsplugin/kms_test.go | 5 +++++ pkg/plugin/plugin_test.go | 13 +++++++++++++ pkg/plugin/plugin_v2_test.go | 13 +++++++++++++ 4 files changed, 36 insertions(+), 3 deletions(-) diff --git a/pkg/kmsplugin/kms.go b/pkg/kmsplugin/kms.go index 8d85d33a..530d0aeb 100644 --- a/pkg/kmsplugin/kms.go +++ b/pkg/kmsplugin/kms.go 
@@ -92,13 +92,15 @@ func ParseError(err error) (errorType KMSErrorType) { // AWS SDK Go for KMS does not "yet" define specific error code for a case where a customer specifies the deleted key // "AccessDeniedException" error code may be returned when (1) CMK does not exist (not pending delete), - // or (2) corresponding IAM role is not allowed to access the key. - // Thus we only want to mark "AccessDeniedException" as user-induced for the case (1). + // or (2) user explicitly denied access to the key via resource policy, + // or (3) corresponding IAM role is not allowed to access the key. + // Thus we only want to mark "AccessDeniedException" as user-induced for the case (1) and (2). // e.g., "AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access." // or "AccessDeniedException: User xxx is not authorized to perform: xxx on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access" + // or "AccessDeniedException: User xxx is not authorized to perform: xxx on this resource with an explicit deny in a resource control policy" // KMS service may change the error message, so we do the string match. case "AccessDeniedException": - if strings.Contains(ae.ErrorMessage(), "does not exist") { + if strings.Contains(ae.ErrorMessage(), "does not exist") || strings.Contains(ae.ErrorMessage(), "explicit deny in a resource control policy") { return KMSErrorTypeUserInduced } // Sometimes this error message is returned as part of KMSInvalidStateException or KMSInternalException diff --git a/pkg/kmsplugin/kms_test.go b/pkg/kmsplugin/kms_test.go index d1ef80d8..21087dd3 100644 --- a/pkg/kmsplugin/kms_test.go +++ b/pkg/kmsplugin/kms_test.go 
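Review bot: The rewritten comment's case (2) describes an explicit deny "via resource policy", but the substring the new check matches, `explicit deny in a resource control policy`, is the message KMS returns when an AWS Organizations resource control policy (RCP) denies the call, which is an org-level control rather than the key's resource policy; the generic "resource-based policy explicitly denies access" wording already appears in the message on the previous line and is matched only through "does not exist". I would make the comment say what is actually matched, `// or (2) an Organizations resource control policy (RCP) explicitly denies access to the key,`, and rename the test case added in the next hunk ("explicit deny in resource policy") the same way, so a later reader does not widen the match to any "explicit deny". Since this is a substring match on a message KMS may reword, a one-line note that a message change silently reverts this case to non-user-induced (the fail-safe direction) would help. ParseError's body continues outside the hunk.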
@@ -98,6 +98,11 @@ func TestParseError(t *testing.T) { err: &mockAPIError{code: "AccessDeniedException", message: "User dummy is not authorized to perform: kms:Decrypt on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access"}, expected: KMSErrorTypeUserInduced, }, + { + name: "AccessDeniedException caused by explicit deny in resource policy", + err: &mockAPIError{code: "AccessDeniedException", message: "User dummy is not authorized to perform: kms:Decrypt on this resource with an explicit deny in a resource control policy"}, + expected: KMSErrorTypeUserInduced, + }, { name: "Other AccessDeniedException", err: &mockAPIError{code: "AccessDeniedException", message: "access denied for some other reason"}, diff --git a/pkg/plugin/plugin_test.go b/pkg/plugin/plugin_test.go index 7e1064e3..2867ecc9 100644 --- a/pkg/plugin/plugin_test.go +++ b/pkg/plugin/plugin_test.go @@ -111,6 +111,19 @@ func TestEncrypt(t *testing.T) { healthErr: true, checkErr: false, }, + { + input: plainMessage, + ctx: nil, + output: "", + err: &smithy.GenericAPIError{ + Code: "AccessDeniedException", + Message: "User dummy is not authorized to perform: kms:Decrypt on this resource with an explicit deny in a resource control policy", + Fault: 0, + }, + errType: kmsplugin.KMSErrorTypeUserInduced, + healthErr: true, + checkErr: false, + }, { input: plainMessage, ctx: nil, diff --git a/pkg/plugin/plugin_v2_test.go b/pkg/plugin/plugin_v2_test.go index b5ff12ff..df9c94b6 100644 --- a/pkg/plugin/plugin_v2_test.go +++ b/pkg/plugin/plugin_v2_test.go 
@@ -103,6 +103,19 @@ func TestEncryptV2(t *testing.T) { healthErr: true, checkErr: false, }, + { + input: plainMessage, + ctx: nil, + output: "", + err: &smithy.GenericAPIError{ + Code: "AccessDeniedException", + Message: "User dummy is not authorized to perform: kms:Decrypt on this resource with an explicit deny in a resource control policy", + Fault: 0, + }, + errType: kmsplugin.KMSErrorTypeUserInduced, + healthErr: true, + checkErr: false, + }, { input: plainMessage, ctx: nil, From fcb752daf7bb423d20cf2b145e2f0865c922aa71 Mon Sep 17 00:00:00 2001 From: haoranleo Date: Tue, 11 Nov 2025 16:25:42 -0800 Subject: [PATCH 02/18] Bump go version to 1.24.9 --- .go-version | 2 +- Dockerfile | 2 +- go.mod | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.go-version b/.go-version index 8407e260..eb716f77 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.24.7 +1.24.9 diff --git a/Dockerfile b/Dockerfile index 2e4bd746..a80e5f83 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.24.7-gcc +ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.24.9-gcc ARG BASE_IMAGE=public.ecr.aws/eks-distro/kubernetes/go-runner:v0.18.0-eks-1-34-latest FROM --platform=$BUILDPLATFORM ${BUILDER} AS build diff --git a/go.mod b/go.mod index 7779421f..43c5f912 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module sigs.k8s.io/aws-encryption-provider -go 1.24.7 +go 1.24.9 require ( github.com/aws/aws-sdk-go-v2 v1.39.2 From 21f5862ecab17fa4243c1609f9d3d4bfcafba84e Mon Sep 17 00:00:00 2001 From: EKS Distro PR Bot Date: Mon, 8 Dec 2025 17:04:21 +0000 Subject: [PATCH 03/18] Creating PR to update Go version to 1.24.11 --- .go-version | 2 +- Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.go-version b/.go-version index eb716f77..d6c68ad2 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.24.9 +1.24.11 diff --git a/Dockerfile b/Dockerfile index a80e5f83..456d3956 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.24.9-gcc +ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.24.11-gcc ARG BASE_IMAGE=public.ecr.aws/eks-distro/kubernetes/go-runner:v0.18.0-eks-1-34-latest FROM --platform=$BUILDPLATFORM ${BUILDER} AS build From 80b35ee76b12719b04c6966fc95758bc31147115 Mon Sep 17 00:00:00 2001 From: Charan Madu Date: Fri, 12 Dec 2025 18:39:04 +0000 Subject: [PATCH 04/18] Add confused deputy protection for KMS calls --- cmd/server/main.go | 3 ++- pkg/cloud/cloud.go | 60 ++++++++++++++++++++++++++++++++++++++++- pkg/cloud/cloud_test.go | 30 ++++++++++++++++++--- 3 files changed, 88 insertions(+), 5 deletions(-) diff --git a/cmd/server/main.go b/cmd/server/main.go index b77ea90f..b54388a1 100644 --- a/cmd/server/main.go +++ b/cmd/server/main.go @@ -48,6 +48,7 @@ func main() { burstLimit = flag.Int("burst-limit", 0, "(deprecated) number of tokens that can be consumed in a single call, use --retry-token-capacity instead") retryTokenCapacity = flag.Int("retry-token-capacity", 0, "number of tokens for client-side AWS rate-limiting on retries") encryptionCtxsArr = flag.StringArray("encryption-context", []string{}, "AWS KMS Encryption Context (e.g. 'a=b,c=d')") + sourceArn = flag.String("source-arn", "", "AWS source ARN for confused deputy protection") debug = flag.Bool("debug", false, "Print debug level logs") ) flag.Parse() 
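Review bot: The help text for the new `source-arn` flag does not tell the operator which ARN to supply or what the plugin does with it, and the value is silently ignored when empty; the example ARN in getSourceAccount's comment suggests the caller's EKS cluster ARN is intended. I would spell that out, e.g. `flag.String("source-arn", "", "ARN of the resource calling KMS (e.g. the EKS cluster ARN); sent as x-amz-source-arn and x-amz-source-account for confused deputy protection, disabled when empty")`, so the flag can be set correctly without reading pkg/cloud. main's body continues outside the hunk.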
@@ -92,7 +93,7 @@ func main() { zap.Int("burst-limit", *burstLimit), zap.Int("retry-token-capacity", *retryTokenCapacity), ) - c, err := cloud.New(*region, *kmsEndpoint, *qpsLimit, *burstLimit, *retryTokenCapacity) + c, err := cloud.New(*region, *kmsEndpoint, *qpsLimit, *burstLimit, *retryTokenCapacity, *sourceArn) if err != nil { zap.L().Fatal("Failed to create new KMS service", zap.Error(err)) } diff --git a/pkg/cloud/cloud.go b/pkg/cloud/cloud.go index e06e02f6..ff8aae85 100644 --- a/pkg/cloud/cloud.go +++ b/pkg/cloud/cloud.go @@ -18,20 +18,28 @@ import ( "fmt" "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/aws/arn" "github.com/aws/aws-sdk-go-v2/aws/ratelimit" "github.com/aws/aws-sdk-go-v2/aws/retry" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/feature/ec2/imds" "github.com/aws/aws-sdk-go-v2/service/kms" + smithymiddleware "github.com/aws/smithy-go/middleware" + smithyhttp "github.com/aws/smithy-go/transport/http" "go.uber.org/zap" ) +const ( + headerSourceArn = "x-amz-source-arn" + headerSourceAccount = "x-amz-source-account" +) + type AWSKMSv2 interface { Encrypt(ctx context.Context, params *kms.EncryptInput, optFns ...func(*kms.Options)) (*kms.EncryptOutput, error) Decrypt(ctx context.Context, params *kms.DecryptInput, optFns ...func(*kms.Options)) (*kms.DecryptOutput, error) } -func New(region, kmsEndpoint string, qps, burst, retryTokenCapacity int) (AWSKMSv2, error) { +func New(region, kmsEndpoint string, qps, burst, retryTokenCapacity int, sourceArn string) (AWSKMSv2, error) { var optFns []func(*config.LoadOptions) error if region != "" { optFns = append(optFns, config.WithRegion(region)) 
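Review bot: The new identifiers `headerSourceArn` and New's `sourceArn` parameter write the initialism in mixed case; Go convention (and the SDK's own `arn.ARN` type) is `headerSourceARN`/`sourceARN`. The same spelling recurs in addConfusedDeputyHeaders, getSourceAccount and the cloud_test.go test names in the later hunks of this commit, and since New is exported it is cheapest to settle before other callers depend on the parameter name. The rest of New's body lies outside this hunk.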
@@ -69,6 +77,11 @@ func New(region, kmsEndpoint string, qps, burst, retryTokenCapacity int) (AWSKMS return nil, fmt.Errorf("failed to create AWS config: %w", err) } + err = addConfusedDeputyHeaders(&cfg, sourceArn) + if err != nil { + return nil, err + } + if cfg.Region == "" { ec2 := imds.NewFromConfig(cfg) region, err := ec2.GetRegion(context.Background(), &imds.GetRegionInput{}) 
@@ -88,3 +101,48 @@ func New(region, kmsEndpoint string, qps, burst, retryTokenCapacity int) (AWSKMS
 client := kms.NewFromConfig(cfg, kmsOptFns...)
 return client, nil
 }
+
+func addConfusedDeputyHeaders(cfg *aws.Config, sourceArn string) error {
+ if sourceArn != "" {
+ sourceAccount, err := getSourceAccount(sourceArn)
+ if err != nil {
+ return err
+ }
+
+ cfg.APIOptions = append(cfg.APIOptions, func(stack *smithymiddleware.Stack) error {
+ return stack.Build.Add(smithymiddleware.BuildMiddlewareFunc("KMSConfusedDeputyHeaders", func(
+ ctx context.Context, in smithymiddleware.BuildInput, next smithymiddleware.BuildHandler,
+ ) (smithymiddleware.BuildOutput, smithymiddleware.Metadata, error) {
+ req, ok := in.Request.(*smithyhttp.Request)
+ if ok {
+ req.Header.Set(headerSourceAccount, sourceAccount)
+ req.Header.Set(headerSourceArn, sourceArn)
+ }
+ return next.HandleBuild(ctx, in)
+ }), smithymiddleware.Before)
+ })
+
+ zap.L().Info("configuring KMS client with confused deputy headers",
+ zap.String("sourceArn", sourceArn),
+ zap.String("sourceAccount", sourceAccount),
+ )
+ }
+ return nil
+}
+
+// getSourceAccount constructs source account and return them for use
+func getSourceAccount(sourceArn string) (string, error) {
+ // ARN format (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html)
+ // arn:partition:service:region:account-id:resource-type/resource-id
+ // arn:aws:eks:region:account:cluster/cluster-name
+ if !arn.IsARN(sourceArn) {
+ return "", fmt.Errorf("incorrect ARN format for source arn: %s", sourceArn)
+ }
+
+ parsedArn, err := arn.Parse(sourceArn)
+ if err != nil {
+ return "", err
+ }
+
+ return parsedArn.AccountID, nil
+}
diff --git a/pkg/cloud/cloud_test.go b/pkg/cloud/cloud_test.go
index e3204ada..0a6edea7 100644
--- a/pkg/cloud/cloud_test.go
+++ b/pkg/cloud/cloud_test.go
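Review bot: getSourceAccount accepts any syntactically valid ARN, including one whose account-id section is empty (the ARN grammar permits that for some services and `arn.Parse` only splits on colons), so the middleware would then send `x-amz-source-account` with an empty value; whatever KMS makes of that, it is better rejected at startup than discovered as an opaque AccessDenied on the first Encrypt. I would add, after the parse, `if parsedArn.AccountID == "" { return "", fmt.Errorf("source arn %q has no account id", sourceArn) }`. The preceding `arn.IsARN` guard duplicates the validation `arn.Parse` already performs, while the bare `return "", err` on the Parse path drops the source-arn context the IsARN branch provides, so a single wrapped Parse error would cover both. The doc comment should also be a sentence about the function, e.g. `// getSourceAccount returns the account ID from sourceArn, used for the x-amz-source-account header.`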
@@ -25,7 +25,7 @@ zssmrkdYYvn9aUhjc3XK3tjAoDpsPpeBeTBamuUKDHoH/dNRXxerZ8vu6uPR3Pgs `) func TestNewSessionClientWithoutEnv(t *testing.T) { - kmsObjet, err := New("us-west-2", "https://kms.us-west-2.amazonaws.com", 0, 0, 500) + kmsObjet, err := New("us-west-2", "https://kms.us-west-2.amazonaws.com", 0, 0, 500, "") assert.NoError(t, err, "Failed to create object with error (%v)", err) assert.NotNil(t, kmsObjet, "Failed to create object with error (%v)", err) } @@ -36,7 +36,7 @@ func TestNewSessionClientWithEnv(t *testing.T) { defer os.Remove(tempFile) //nolint:errcheck os.Setenv("AWS_CA_BUNDLE", tempFile) //nolint:errcheck defer os.Unsetenv("AWS_CA_BUNDLE") //nolint:errcheck - kmsObjet, err := New("us-west-2", "https://kms.us-west-2.amazonaws.com", 0, 0, 500) + kmsObjet, err := New("us-west-2", "https://kms.us-west-2.amazonaws.com", 0, 0, 500, "") assert.NoError(t, err, "Failed to create object with error (%v)", err) assert.NotNil(t, kmsObjet, "Failed to create object with error (%v)", err) } @@ -95,7 +95,7 @@ func TestNewConfig(t *testing.T) { for _, test := range tests { t.Run(test.name, func(t *testing.T) { - _, err := New(test.region, test.endpoint, test.qps, test.burst, test.retryTokenCapacity) + _, err := New(test.region, test.endpoint, test.qps, test.burst, test.retryTokenCapacity, "") if test.expectErr { assert.Error(t, err) } else { 
@@ -104,3 +104,27 @@ func TestNewConfig(t *testing.T) {
 })
 }
 }
+
+func TestNewWithSourceArn(t *testing.T) {
+ client, err := New("us-east-1", "", 0, 0, 0, "arn:aws:eks:us-east-1:123456789012:cluster/test")
+ assert.NoError(t, err)
+ assert.NotNil(t, client)
+}
+
+func TestNewWithEmptySourceArn(t *testing.T) {
+ client, err := New("us-east-1", "", 0, 0, 0, "")
+ assert.NoError(t, err)
+ assert.NotNil(t, client)
+}
+
+func TestNewWithMalformedSourceArn(t *testing.T) {
+ cfg, err := New("us-east-1", "", 0, 0, 0, "invalid-arn-format")
+ assert.Nil(t, cfg)
+ assert.Error(t, err)
+}
+
+func TestGetSourceAccount(t *testing.T) {
+ account, err := getSourceAccount("arn:aws:eks:us-east-1:123456789012:cluster/test")
+ assert.NoError(t, err)
+ assert.Equal(t, "123456789012", account)
+}
From 8ac875b89eef8688e1bb109c32979d9f005d474d Mon Sep 17 00:00:00 2001 From: Keerthan Reddy Mala Date: Mon, 22 Dec 2025 10:18:03 -0800 Subject: [PATCH 05/18] Add kmala as the owner of the project --- OWNERS_ALIASES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index dedfd502..72d7ea7f 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES @@ -7,6 +7,7 @@ aliases: - xdu31 - yue9944882 - haoranleo + - kmala maintainers: - justinsb - micahhausler @@ -15,3 +16,4 @@ aliases: - xdu31 - yue9944882 - haoranleo + - kmala From 8e2b7aab4519576885e09396d781bb31d64855b7 Mon Sep 17 00:00:00 2001 From: Ganesh Putta Date: Thu, 18 Dec 2025 10:52:36 -0600 Subject: [PATCH 06/18] 1.35.0 dependency update --- .go-version | 2 +- .golangci.yml | 15 ++++++ .travis.yml | 2 +- Dockerfile | 4 +- cmd/client/main.go | 5 +- go.mod | 17 ++++--- go.sum | 71 ++++++++-------------------- pkg/plugin/metrics_test.go | 1 - pkg/plugin/plugin.go | 16 +++---- pkg/plugin/plugin_test.go | 6 +-- pkg/plugin/plugin_v2.go | 1 + test/integration/integration_test.go | 2 - 12 files changed, 59 insertions(+), 83 deletions(-) create mode 100644 .golangci.yml 
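Review bot: None of the new tests observes the headers the feature exists to send: `TestNewWithSourceArn` only asserts that `New` returns a client, so a regression that registers the middleware but never sets `x-amz-source-arn`/`x-amz-source-account` would still pass. Because `New` already takes a `kmsEndpoint`, the cheapest end-to-end check is to point it at an `httptest.Server` that records request headers, issue one Encrypt and assert both headers arrive with the expected ARN and account (this presumes the test environment can supply stub credentials for request signing, which I cannot confirm from here). A `getSourceAccount` case for an ARN whose account section is empty would also pin whatever behaviour is chosen for that input.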
diff --git a/.go-version b/.go-version index d6c68ad2..b45fe310 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.24.11 +1.25.5 diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 00000000..4dcea172 --- /dev/null +++ b/.golangci.yml @@ -0,0 +1,15 @@ +version: "2" + +# golangci-lint configuration +# https://golangci-lint.run/usage/configuration/ + +linters: + enable: + - staticcheck + exclusions: + rules: + # Exclude SA1019 (deprecated) warnings for v1beta1 KMS API + # v1beta1 KMS API is intentionally used for backwards compatibility + - linters: + - staticcheck + text: "SA1019:" diff --git a/.travis.yml b/.travis.yml index 11ea7e35..cce23c76 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,7 @@ language: go go_import_path: sigs.k8s.io/aws-encryption-provider go: - - 1.24.x + - 1.25.x sudo: false diff --git a/Dockerfile b/Dockerfile index 456d3956..585c9187 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,8 +8,8 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.24.11-gcc -ARG BASE_IMAGE=public.ecr.aws/eks-distro/kubernetes/go-runner:v0.18.0-eks-1-34-latest +ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.25.5-gcc +ARG BASE_IMAGE=public.ecr.aws/eks-distro/kubernetes/go-runner:v0.18.0-eks-1-35-latest FROM --platform=$BUILDPLATFORM ${BUILDER} AS build WORKDIR /go/src/sigs.k8s.io/aws-encryption-provider diff --git a/cmd/client/main.go b/cmd/client/main.go index 2e5e947f..7ccb1069 100644 --- a/cmd/client/main.go +++ b/cmd/client/main.go @@ -47,7 +47,6 @@ func main() { ctx := context.Background() - //nolint:staticcheck vReq := &pb.VersionRequest{} vRes, err := client.Version(ctx, vReq) if err != nil { 
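Review bot: The staticcheck exclusion `text: "SA1019:"` in the new .golangci.yml is unscoped, so it silences every deprecation report in the module rather than only the v1beta1 KMS API usage the comment says it is for; a future deprecation in the AWS SDK, gRPC or zap would go unnoticed. Narrow the rule with a `path:` pattern limited to the files that use the v1beta1 types (and, if the reported message carries the package name, tighten `text` to match it), so the rule stays as targeted as its comment claims.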
@@ -67,7 +66,7 @@ func main() { switch splits[0] { case "encrypt": - //nolint:staticcheck + eReq := &pb.EncryptRequest{Plain: []byte(splits[1])} res, err := client.Encrypt(ctx, eReq) if err != nil { @@ -79,7 +78,7 @@ func main() { if err != nil { log.Fatalf("Failed to decode: %v", err) } - //nolint:staticcheck + dReq := &pb.DecryptRequest{Cipher: b} res, err := client.Decrypt(ctx, dReq) if err != nil { diff --git a/go.mod b/go.mod index 43c5f912..3cb24a44 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module sigs.k8s.io/aws-encryption-provider -go 1.24.9 +go 1.25.5 require ( github.com/aws/aws-sdk-go-v2 v1.39.2 @@ -12,8 +12,8 @@ require ( github.com/spf13/pflag v1.0.6 github.com/stretchr/testify v1.10.0 go.uber.org/zap v1.27.0 - google.golang.org/grpc v1.71.0 - k8s.io/kms v0.33.0 + google.golang.org/grpc v1.72.2 + k8s.io/kms v0.35.0 ) require ( @@ -29,7 +29,6 @@ require ( github.com/beorn7/perks v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/gogo/protobuf v1.3.2 // indirect github.com/klauspost/compress v1.17.11 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect @@ -37,10 +36,10 @@ require ( github.com/prometheus/common v0.62.0 // indirect github.com/prometheus/procfs v0.15.1 // indirect go.uber.org/multierr v1.10.0 // indirect - golang.org/x/net v0.38.0 // indirect - golang.org/x/sys v0.31.0 // indirect - golang.org/x/text v0.23.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect - google.golang.org/protobuf v1.36.5 // indirect + golang.org/x/net v0.47.0 // indirect + golang.org/x/sys v0.38.0 // indirect + golang.org/x/text v0.31.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect + google.golang.org/protobuf v1.36.8 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) 
diff --git a/go.sum b/go.sum index 867563f2..ce656062 100644 --- a/go.sum +++ b/go.sum 
@@ -32,20 +32,16 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= -github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= -github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= 
@@ -72,18 +68,16 @@ github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= -go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY= -go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI= +go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg= +go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E= go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ= go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE= go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A= go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU= -go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk= -go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w= +go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis= +go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4= go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k= go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE= go.uber.org/goleak 
v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 
@@ -92,47 +86,22 @@ go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ= go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= -golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys 
v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= -golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= -golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f h1:OxYkA3wjPsZyBylwymxSHa7ViiW1Sml4ToBrncvFehI= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:+2Yz8+CLJbIfL9z73EW45avw8Lmge3xVElCP9zEKi50= -google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg= -google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec= -google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM= -google.golang.org/protobuf 
v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= +golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= +golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc= +golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM= +golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= +google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8= +google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= +google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc= +google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/kms v0.33.0 h1:fhQSW/vyaWDhMp0vDuO/sLg2RlGZf4F77beSXcB4/eE= -k8s.io/kms v0.33.0/go.mod h1:C1I8mjFFBNzfUZXYt9FZVJ8MJl7ynFbGgZFbBzkBJ3E= +k8s.io/kms v0.35.0 h1:/x87FED2kDSo66csKtcYCEHsxF/DBlNl7LfJ1fVQs1o= +k8s.io/kms v0.35.0/go.mod h1:VT+4ekZAdrZDMgShK37vvlyHUVhwI9t/9tvh0AyCWmQ= diff --git a/pkg/plugin/metrics_test.go b/pkg/plugin/metrics_test.go index 6283131c..1f10979e 100644 
--- a/pkg/plugin/metrics_test.go +++ b/pkg/plugin/metrics_test.go @@ -85,7 +85,6 @@ func TestMetrics(t *testing.T) { u := ts.URL + "/metrics" - //nolint:staticcheck _, err := p.Encrypt(context.Background(), &pb.EncryptRequest{Plain: []byte("hello")}) if err != nil { if entry.encryptErr == nil { diff --git a/pkg/plugin/plugin.go b/pkg/plugin/plugin.go index 9bc6a76d..dc10ab88 100644 --- a/pkg/plugin/plugin.go +++ b/pkg/plugin/plugin.go @@ -36,6 +36,7 @@ const ( // Plugin implements the KeyManagementServiceServer type V1Plugin struct { + pb.UnimplementedKeyManagementServiceServer svc cloud.AWSKMSv2 keyID string encryptionCtx map[string]string @@ -90,7 +91,7 @@ func newPlugin( func (p *V1Plugin) Health() error { recent, err := p.healthCheck.isRecentlyChecked() if !recent { - //nolint:staticcheck + _, err = p.Encrypt(context.Background(), &pb.EncryptRequest{Plain: []byte("foo")}) p.healthCheck.RecordErr(err) if err != nil { @@ -121,9 +122,9 @@ func (p *V1Plugin) Live() error { // Version returns the V1Plugin server version // -//nolint:staticcheck + func (p *V1Plugin) Version(ctx context.Context, request *pb.VersionRequest) (*pb.VersionResponse, error) { - //nolint:staticcheck + return &pb.VersionResponse{ Version: version.APIVersion, RuntimeName: version.Runtime, @@ -133,7 +134,7 @@ func (p *V1Plugin) Version(ctx context.Context, request *pb.VersionRequest) (*pb // Encrypt executes the encryption operation using AWS KMS // -//nolint:staticcheck + func (p *V1Plugin) Encrypt(ctx context.Context, request *pb.EncryptRequest) (*pb.EncryptResponse, error) { zap.L().Debug("starting encrypt operation") 
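Review bot: Replacing the `//nolint:staticcheck` line in the doc-comment position with a blank line leaves `// Version returns the V1Plugin server version` and `// Encrypt executes the encryption operation using AWS KMS` ending in a stray `//` followed by an empty line before the `func`; a blank line detaches a doc comment from its declaration, so `go doc` and gopls will show these methods as undocumented and exported-comment linters will start reporting them. Drop both the trailing `//` and the added blank line so the comment sits directly above the signature, and do the same for `Decrypt` in the next hunk. The same mechanical edit left orphan blank lines inside `Health` here, in cmd/client/main.go's `encrypt` and `decrypt` cases and in `TestHealthManyRequests` in plugin_test.go; `gofmt` preserves them, so they need removing by hand.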
@@ -164,13 +165,13 @@ func (p *V1Plugin) Encrypt(ctx context.Context, request *pb.EncryptRequest) (*pb zap.L().Debug("encrypt operation successful") kmsLatencyMetric.WithLabelValues(p.keyID, kmsplugin.StatusSuccess, kmsplugin.OperationEncrypt, GRPC_V1).Observe(kmsplugin.GetMillisecondsSince(startTime)) kmsOperationCounter.WithLabelValues(p.keyID, kmsplugin.StatusSuccess, kmsplugin.OperationEncrypt, GRPC_V1).Inc() - //nolint:staticcheck + return &pb.EncryptResponse{Cipher: append([]byte(kmsplugin.StorageVersion), result.CiphertextBlob...)}, nil } // Decrypt executes the decrypt operation using AWS KMS // -//nolint:staticcheck + func (p *V1Plugin) Decrypt(ctx context.Context, request *pb.DecryptRequest) (*pb.DecryptResponse, error) { zap.L().Debug("starting decrypt operation") @@ -205,7 +206,7 @@ func (p *V1Plugin) Decrypt(ctx context.Context, request *pb.DecryptRequest) (*pb zap.L().Debug("decrypt operation successful") kmsLatencyMetric.WithLabelValues(p.keyID, kmsplugin.StatusSuccess, kmsplugin.OperationDecrypt, GRPC_V1).Observe(kmsplugin.GetMillisecondsSince(startTime)) kmsOperationCounter.WithLabelValues(p.keyID, kmsplugin.StatusSuccess, kmsplugin.OperationDecrypt, GRPC_V1).Inc() - //nolint:staticcheck + return &pb.DecryptResponse{Plain: result.Plaintext}, nil } @@ -221,7 +222,6 @@ func WaitForReady(client pb.KeyManagementServiceClient, duration time.Duration) ctx, cancel := context.WithTimeout(context.Background(), duration) defer cancel() - //nolint:staticcheck _, err := client.Version(ctx, &pb.VersionRequest{}, grpc.WaitForReady(true)) if err != nil { return err diff --git a/pkg/plugin/plugin_test.go b/pkg/plugin/plugin_test.go index 2867ecc9..71eeb7a0 100644 --- a/pkg/plugin/plugin_test.go +++ b/pkg/plugin/plugin_test.go @@ -206,7 +206,6 @@ func TestEncrypt(t *testing.T) { sharedHealthCheck.Stop() }() - //nolint:staticcheck eReq := &pb.EncryptRequest{Plain: []byte(tc.input)} eRes, err := p.Encrypt(ctx, eReq) 
@@ -285,7 +284,6 @@ func TestDecrypt(t *testing.T) { sharedHealthCheck.Stop() }() - //nolint:staticcheck dReq := &pb.DecryptRequest{Cipher: []byte(tc.input)} dRes, err := p.Decrypt(ctx, dReq) @@ -332,7 +330,6 @@ func TestHealth(t *testing.T) { c.SetEncryptResp("foo", entry.encryptErr) c.SetDecryptResp("foo", entry.decryptErr) - //nolint:staticcheck _, encErr := p.Encrypt(context.Background(), &pb.EncryptRequest{Plain: []byte("foo")}) if entry.encryptErr == nil && encErr != nil { t.Fatalf("#%d: unexpected error from Encrypt %v", idx, encErr) @@ -346,7 +343,6 @@ func TestHealth(t *testing.T) { t.Fatalf("#%d: unexpected error from Health %v", idx, herr1) } - //nolint:staticcheck _, decErr := p.Decrypt(context.Background(), &pb.DecryptRequest{Cipher: []byte("foo")}) if entry.decryptErr == nil && decErr != nil { t.Fatalf("#%d: unexpected error from Encrypt %v", idx, decErr) @@ -379,7 +375,7 @@ func TestHealthManyRequests(t *testing.T) { for i := 0; i < 10; i++ { errc := make(chan error) go func() { - //nolint:staticcheck + _, err := p.Encrypt( context.Background(), &pb.EncryptRequest{Plain: []byte("foo")}, diff --git a/pkg/plugin/plugin_v2.go b/pkg/plugin/plugin_v2.go index 4216409a..2d83aa7d 100644 --- a/pkg/plugin/plugin_v2.go +++ b/pkg/plugin/plugin_v2.go @@ -35,6 +35,7 @@ const ( // Plugin implements the KeyManagementServiceServer type V2Plugin struct { + pb.UnimplementedKeyManagementServiceServer svc cloud.AWSKMSv2 keyID string encryptionCtx map[string]string diff --git a/test/integration/integration_test.go b/test/integration/integration_test.go index 34b23487..2b3eb3ea 100644 --- a/test/integration/integration_test.go +++ b/test/integration/integration_test.go @@ -101,7 +101,6 @@ func TestEncrypt(t *testing.T) { for _, tc := range tt { mock.SetEncryptResp(tc.output, tc.err) - //nolint:staticcheck eReq := &pb.EncryptRequest{Plain: []byte(tc.input)} eRes, err := client.Encrypt(ctx, eReq) 
@@ -164,7 +163,6 @@ func TestDecrypt(t *testing.T) {
for _, tc := range tt {
mock.SetDecryptResp(tc.output, tc.err)
- //nolint:staticcheck
dReq := &pb.DecryptRequest{Cipher: []byte(tc.input)}
dRes, err := client.Decrypt(ctx, dReq)
From 4fa318e754955da0f968b19b66d2a679b4692017 Mon Sep 17 00:00:00 2001
From: Ronald Ngounou
Date: Mon, 2 Feb 2026 19:59:19 -0800
Subject: [PATCH 07/18] Update Go to 1.25.6 to fix crypto/x509 CVEs
Fixes security vulnerabilities in crypto/x509: [CVE-2025-61727](https://github.com/advisories/GHSA-5mh9-3jwc-rp59): Excluded subdomain constraint doesn't preclude wildcard SAN
Signed-off-by: Ronald Ngounou
---
.go-version | 2 +-
Dockerfile | 2 +-
go.mod | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.go-version b/.go-version
index b45fe310..198ec23c 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.25.5
+1.25.6
diff --git a/Dockerfile b/Dockerfile
index 585c9187..8f206e4e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.25.5-gcc
+ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.25.6-gcc
ARG BASE_IMAGE=public.ecr.aws/eks-distro/kubernetes/go-runner:v0.18.0-eks-1-35-latest
FROM --platform=$BUILDPLATFORM ${BUILDER} AS build
diff --git a/go.mod b/go.mod
index 3cb24a44..ed7bd106 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
module sigs.k8s.io/aws-encryption-provider
-go 1.25.5
+go 1.25.6
require (
github.com/aws/aws-sdk-go-v2 v1.39.2
From 03e260390a5de3c1ba18a1dcbd3003bbe6d44823 Mon Sep 17 00:00:00 2001
From: EKS Distro PR Bot
Date: Thu, 19 Feb 2026 16:47:06 +0000
Subject: [PATCH 08/18] Creating PR to update Go version to 1.25.7
---
.go-version | 2 +-
Dockerfile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.go-version b/.go-version
index 198ec23c..f1968aa8 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.25.6
+1.25.7
diff --git a/Dockerfile b/Dockerfile
index 8f206e4e..486c2208 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.25.6-gcc
+ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.25.7-gcc
ARG BASE_IMAGE=public.ecr.aws/eks-distro/kubernetes/go-runner:v0.18.0-eks-1-35-latest
FROM --platform=$BUILDPLATFORM ${BUILDER} AS build
From 007dd0d7c791597df16d014f7d738a97cfe8880e Mon Sep 17 00:00:00 2001
From: "Mengqi (David) Yu"
Date: Thu, 19 Mar 2026 22:46:53 +0000
Subject: [PATCH 09/18] bump go to 1.25.7
---
go.mod | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index ed7bd106..c8dea924 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
module sigs.k8s.io/aws-encryption-provider
-go 1.25.6
+go 1.25.7
require (
github.com/aws/aws-sdk-go-v2 v1.39.2
From d2d26dcd1d6ab4237c2e1a5d01825bb4ad518e63 Mon Sep 17 00:00:00 2001
From: Aditya Potdar
Date: Tue, 10 Mar 2026 18:25:56 +0000
Subject: [PATCH 10/18] Upgrade Go version to 1.25.8
---
.go-version | 2 +-
Dockerfile | 2 +-
go.mod | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.go-version b/.go-version
index f1968aa8..e6a6e7cd 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.25.7
+1.25.8
diff --git a/Dockerfile b/Dockerfile
index 486c2208..1cf18e16 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.25.7-gcc
+ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.25.8-gcc
ARG BASE_IMAGE=public.ecr.aws/eks-distro/kubernetes/go-runner:v0.18.0-eks-1-35-latest
FROM --platform=$BUILDPLATFORM ${BUILDER} AS build
diff --git a/go.mod b/go.mod
index c8dea924..a12a6e5a 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
module sigs.k8s.io/aws-encryption-provider
-go 1.25.7
+go 1.25.8
require (
github.com/aws/aws-sdk-go-v2 v1.39.2
From 86f064376d657b18663304ec78b8c8c182e50128 Mon Sep 17 00:00:00 2001
From: Dheeraj Mohan
Date: Tue, 14 Apr 2026 21:43:08 +0000
Subject: [PATCH 11/18] fix: bump go version for CVE fix
---
.go-version | 2 +-
Dockerfile | 4 ++--
go.mod | 14 +++++++-------
go.sum | 50 ++++++++++++++++++++++++++------------------------
4 files changed, 36 insertions(+), 34 deletions(-)
diff --git a/.go-version b/.go-version
index e6a6e7cd..0e0c284d 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.25.8
+1.25.9
diff --git a/Dockerfile b/Dockerfile
index 1cf18e16..25046621 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.25.8-gcc
+ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.25.9-gcc
ARG BASE_IMAGE=public.ecr.aws/eks-distro/kubernetes/go-runner:v0.18.0-eks-1-35-latest
FROM --platform=$BUILDPLATFORM ${BUILDER} AS build
@@ -17,7 +17,7 @@ ARG TAG
COPY . ./
ENV GO111MODULE=on
ARG TARGETOS TARGETARCH
-RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -ldflags \
+RUN GOPROXY=direct GOSUMDB=off GONOSUMDB="*" CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -ldflags \
"-w -s -X sigs.k8s.io/aws-encryption-provider/pkg/version.Version=$TAG" \
-o bin/aws-encryption-provider cmd/server/main.go
diff --git a/go.mod b/go.mod
index a12a6e5a..8f4b81ce 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
module sigs.k8s.io/aws-encryption-provider
-go 1.25.8
+go 1.25.9
require (
github.com/aws/aws-sdk-go-v2 v1.39.2
@@ -12,7 +12,7 @@ require (
github.com/spf13/pflag v1.0.6
github.com/stretchr/testify v1.10.0
go.uber.org/zap v1.27.0
- google.golang.org/grpc v1.72.2
+ google.golang.org/grpc v1.79.3
k8s.io/kms v0.35.0
)
@@ -36,10 +36,10 @@ require (
github.com/prometheus/common v0.62.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
go.uber.org/multierr v1.10.0 // indirect
- golang.org/x/net v0.47.0 // indirect
- golang.org/x/sys v0.38.0 // indirect
- golang.org/x/text v0.31.0 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
- google.golang.org/protobuf v1.36.8 // indirect
+ golang.org/x/net v0.48.0 // indirect
+ golang.org/x/sys v0.39.0 // indirect
+ golang.org/x/text v0.32.0 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
+ google.golang.org/protobuf v1.36.10 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
diff --git a/go.sum b/go.sum
index ce656062..978522be 100644
--- a/go.sum
+++ b/go.sum
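Review bot: `GOSUMDB=off GONOSUMDB="*"` on the new `RUN ... go build` line turns off checksum-database verification for the image build, so any module that is not already pinned in go.sum is accepted without an independent integrity check, and `GOPROXY=direct` fetches straight from the origin VCS hosts; the commit message ("bump go version for CVE fix") gives no reason for either. go.sum still protects the modules it lists, but the combination weakens the supply-chain guarantee of the published artifact, and `GONOSUMDB="*"` is redundant once `GOSUMDB=off` is set. If the builder cannot reach sum.golang.org, prefer leaving verification on and relying on the default `-mod=readonly`, which already fails the build on a missing go.sum entry, or at least gate these variables behind a build ARG with a comment stating why they are needed.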
@@ -68,36 +68,38 @@ github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= -go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= -go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg= -go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E= -go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ= -go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE= -go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A= -go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU= -go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis= -go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4= -go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k= -go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE= +go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= +go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= +go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= +go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= +go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= +go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= 
+go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= +go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= +go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= +go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= +go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= +go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ= go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= -golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= -golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc= -golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM= -golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= -google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8= -google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= -google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc= 
-google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= +golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU= +golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY= +golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= +golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= +golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= +gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= +gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= +google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE= +google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= +google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= +google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= From 4a8834f062196b9c656bb5b5bbe98c9f720ffa5b Mon Sep 17 00:00:00 2001 From: Dheeraj Mohan Date: Wed, 15 Apr 2026 20:49:16 +0000 Subject: [PATCH 12/18] fix: failing cloudbuild due to stale gcb image, update to use latest --- cloudbuild.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cloudbuild.yaml b/cloudbuild.yaml index c5f93b41..bb8d9bc1 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -5,7 +5,7 @@ options: dynamic_substitutions: true steps: - - name: 'gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d' + - name: 'gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20260205-38cfa9523f' entrypoint: make env: - REPO=us-central1-docker.pkg.dev/k8s-staging-images/aws-encryption-provider From d216cc024f2dbfeaccc6585b593b91d1a9a3532d Mon Sep 17 00:00:00 2001 From: Dheeraj Mohan Date: Tue, 28 Apr 2026 19:09:45 +0000 Subject: [PATCH 13/18] fix: add health check timeouts --- pkg/cloud/mock.go | 45 ++++++++++++++++++++++++++++++++++ pkg/plugin/plugin.go | 5 ++-- pkg/plugin/plugin_test.go | 23 ++++++++++++++++++ pkg/plugin/plugin_v2.go | 6 +++-- pkg/plugin/plugin_v2_test.go | 47 ++++++++++++++++++++++++++++++++++++ 5 files changed, 122 insertions(+), 4 deletions(-) diff --git a/pkg/cloud/mock.go b/pkg/cloud/mock.go index 339e122e..2614fbb3 100644 --- a/pkg/cloud/mock.go +++ b/pkg/cloud/mock.go @@ -16,6 +16,7 @@ package cloud import ( "context" "sync" + "time" "github.com/aws/aws-sdk-go-v2/service/kms" ) @@ -46,6 +47,10 @@ type KMSMock struct { defaultDecOut *kms.DecryptOutput defaultDecErr error + // Delay for simulating slow responses + encryptDelay time.Duration + decryptDelay time.Duration + // Conditional rules (evaluated in order) encryptRules []EncryptRule decryptRules []DecryptRule 
@@ -113,7 +118,27 @@ func (m *KMSMock) ClearRules() *KMSMock { return m } +// SetEncryptDelay sets a delay for Encrypt calls +func (m *KMSMock) SetEncryptDelay(d time.Duration) *KMSMock { + m.mutex.Lock() + defer m.mutex.Unlock() + m.encryptDelay = d + return m +} + func (m *KMSMock) Encrypt(ctx context.Context, params *kms.EncryptInput, optFns ...func(*kms.Options)) (*kms.EncryptOutput, error) { + m.mutex.RLock() + delay := m.encryptDelay + m.mutex.RUnlock() + + if delay > 0 { + select { + case <-time.After(delay): + case <-ctx.Done(): + return nil, ctx.Err() + } + } + m.mutex.RLock() defer m.mutex.RUnlock() @@ -128,7 +153,27 @@ func (m *KMSMock) Encrypt(ctx context.Context, params *kms.EncryptInput, optFns return m.defaultEncOut, m.defaultEncErr } +// SetDecryptDelay sets a delay for Decrypt calls +func (m *KMSMock) SetDecryptDelay(d time.Duration) *KMSMock { + m.mutex.Lock() + defer m.mutex.Unlock() + m.decryptDelay = d + return m +} + func (m *KMSMock) Decrypt(ctx context.Context, params *kms.DecryptInput, optFns ...func(*kms.Options)) (*kms.DecryptOutput, error) { + m.mutex.RLock() + delay := m.decryptDelay + m.mutex.RUnlock() + + if delay > 0 { + select { + case <-time.After(delay): + case <-ctx.Done(): + return nil, ctx.Err() + } + } + m.mutex.RLock() defer m.mutex.RUnlock() diff --git a/pkg/plugin/plugin.go b/pkg/plugin/plugin.go index dc10ab88..dd48e103 100644 --- a/pkg/plugin/plugin.go +++ b/pkg/plugin/plugin.go @@ -91,8 +91,9 @@ func newPlugin( func (p *V1Plugin) Health() error { recent, err := p.healthCheck.isRecentlyChecked() if !recent { - - _, err = p.Encrypt(context.Background(), &pb.EncryptRequest{Plain: []byte("foo")}) + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) + defer cancel() + _, err = p.Encrypt(ctx, &pb.EncryptRequest{Plain: []byte("foo")}) p.healthCheck.RecordErr(err) if err != nil { zap.L().Warn("health check failed", zap.Error(err)) 
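Review bot: The 5-second budget in `ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)` in the V1Plugin.Health hunk is a bare literal, it is repeated in the V2Plugin.Health hunk in plugin_v2.go, and the new tests encode it a third time as `6 * time.Second // longer than 5s timeout`. Lift it into a package-level `const healthCheckTimeout = 5 * time.Second` used by both Health methods so the two plugins cannot drift apart; if it became a field set from the constructor, TestHealthTimeout and its V2 siblings could use a millisecond-scale value instead of each blocking for the full 5 s. The enclosing Health function continues past the end of the hunk.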
diff --git a/pkg/plugin/plugin_test.go b/pkg/plugin/plugin_test.go index 71eeb7a0..1ac93efd 100644 --- a/pkg/plugin/plugin_test.go +++ b/pkg/plugin/plugin_test.go @@ -392,3 +392,26 @@ func TestHealthManyRequests(t *testing.T) { } } } + +func TestHealthTimeout(t *testing.T) { + zap.ReplaceGlobals(zap.NewExample()) + + c := &cloud.KMSMock{} + c.SetEncryptResp("foo", nil) + c.SetEncryptDelay(6 * time.Second) // longer than 5s timeout + + sharedHealthCheck := NewSharedHealthCheck(DefaultHealthCheckPeriod, DefaultErrcBufSize) + go sharedHealthCheck.Start() + defer sharedHealthCheck.Stop() + + p := New(key, c, nil, sharedHealthCheck) + + err := p.Health() + + if err == nil { + t.Fatal("expected timeout error, got nil") + } + if !errors.Is(err, context.DeadlineExceeded) && !strings.Contains(err.Error(), "context deadline exceeded") { + t.Fatalf("expected deadline exceeded error, got: %v", err) + } +} diff --git a/pkg/plugin/plugin_v2.go b/pkg/plugin/plugin_v2.go index 2d83aa7d..7beb184f 100644 --- a/pkg/plugin/plugin_v2.go +++ b/pkg/plugin/plugin_v2.go @@ -90,13 +90,15 @@ func newPluginV2( func (p *V2Plugin) Health() error { recent, err := p.healthCheck.isRecentlyChecked() if !recent { - encResult, err := p.Encrypt(context.Background(), &pb.EncryptRequest{Plaintext: []byte("foo")}) + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) + defer cancel() + encResult, err := p.Encrypt(ctx, &pb.EncryptRequest{Plaintext: []byte("foo")}) p.healthCheck.RecordErr(err) if err != nil { zap.L().Warn("health check failed at encryption", zap.Error(err)) return err } - _, err = p.Decrypt(context.Background(), &pb.DecryptRequest{Ciphertext: encResult.Ciphertext}) + _, err = p.Decrypt(ctx, &pb.DecryptRequest{Ciphertext: encResult.Ciphertext}) p.healthCheck.RecordErr(err) if err != nil { zap.L().Warn("health check failed at decryption", zap.Error(err)) diff --git a/pkg/plugin/plugin_v2_test.go b/pkg/plugin/plugin_v2_test.go index df9c94b6..912bcb3a 100644 
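Review bot: In the V2Plugin.Health hunk the Decrypt call now reuses the same `ctx` as Encrypt, so the two legs share one 5-second deadline rather than getting 5 s each; that is a sensible choice for a probe, but nothing states it and a later reader may assume a per-call budget. Add `// one deadline covers the encrypt+decrypt round trip` above the WithTimeout line. In TestHealthTimeout the fallback `strings.Contains(err.Error(), "context deadline exceeded")` next to `errors.Is(err, context.DeadlineExceeded)` suggests Encrypt may not wrap the context error with `%w`; if it does wrap, the string match can go, and if it does not, that is worth fixing so callers can rely on errors.Is. The enclosing Health function ends outside the hunk.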
--- a/pkg/plugin/plugin_v2_test.go +++ b/pkg/plugin/plugin_v2_test.go @@ -444,3 +444,50 @@ func TestHealthManyRequestsV2(t *testing.T) { } } } + +func TestHealthTimeoutV2(t *testing.T) { + zap.ReplaceGlobals(zap.NewExample()) + + c := &cloud.KMSMock{} + c.SetEncryptResp("foo", nil) + c.SetEncryptDelay(6 * time.Second) // longer than 5s timeout + + sharedHealthCheck := NewSharedHealthCheck(DefaultHealthCheckPeriod, DefaultErrcBufSize) + go sharedHealthCheck.Start() + defer sharedHealthCheck.Stop() + + p := NewV2(key, c, nil, sharedHealthCheck) + + err := p.Health() + + if err == nil { + t.Fatal("expected timeout error, got nil") + } + if !errors.Is(err, context.DeadlineExceeded) && !strings.Contains(err.Error(), "context deadline exceeded") { + t.Fatalf("expected deadline exceeded error, got: %v", err) + } +} + +func TestHealthDecryptTimeoutV2(t *testing.T) { + zap.ReplaceGlobals(zap.NewExample()) + + c := &cloud.KMSMock{} + c.SetEncryptResp("foo", nil) + c.SetDecryptResp("foo", nil) + c.SetDecryptDelay(6 * time.Second) // longer than 5s timeout + + sharedHealthCheck := NewSharedHealthCheck(DefaultHealthCheckPeriod, DefaultErrcBufSize) + go sharedHealthCheck.Start() + defer sharedHealthCheck.Stop() + + p := NewV2(key, c, nil, sharedHealthCheck) + + err := p.Health() + + if err == nil { + t.Fatal("expected timeout error, got nil") + } + if !errors.Is(err, context.DeadlineExceeded) && !strings.Contains(err.Error(), "context deadline exceeded") { + t.Fatalf("expected deadline exceeded error, got: %v", err) + } +} From 6fc33a3d4f9100c3ceb66e0f3a4de41d2569a8cf Mon Sep 17 00:00:00 2001 From: Dheeraj Mohan Date: Tue, 28 Apr 2026 19:53:04 +0000 Subject: [PATCH 14/18] fix: golint dependency failure --- hack/verify-golint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hack/verify-golint.sh b/hack/verify-golint.sh index 5d6a7c9a..babf823d 100755 --- a/hack/verify-golint.sh +++ b/hack/verify-golint.sh 
@@ -22,7 +22,7 @@ go version
if ! which golangci-lint > /dev/null; then
echo "Cannot find golangci-lint. Installing golangci-lint..."
- GO111MODULE=on go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.2
+ GO111MODULE=on go install -v github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4
fi
$(go env GOPATH)/bin/golangci-lint run --timeout=10m
From fbc150d1a365b346cd18f246d9a62896da9654da Mon Sep 17 00:00:00 2001
From: Caiden Borrego
Date: Tue, 28 Apr 2026 21:03:57 +0000
Subject: [PATCH 15/18] Bumping gorunner image tag in Dockerfile for CVE mitigation
---
Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 25046621..73fbd15e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,7 +9,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.25.9-gcc
-ARG BASE_IMAGE=public.ecr.aws/eks-distro/kubernetes/go-runner:v0.18.0-eks-1-35-latest
+ARG BASE_IMAGE=public.ecr.aws/eks-distro-build-tooling/go-runner:v0.18.0-go-1.25.9.2023
FROM --platform=$BUILDPLATFORM ${BUILDER} AS build
WORKDIR /go/src/sigs.k8s.io/aws-encryption-provider
From 82174011743aebd49910f4314bcdc8d8e09e26c0 Mon Sep 17 00:00:00 2001
From: Pratyush0912 Date: Wed, 29 Apr 2026 18:26:10 +0000 Subject: [PATCH 16/18] Fix index-out-of-bounds panic on empty ciphertext in Decrypt MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit V1Plugin.Decrypt() and V2Plugin.Decrypt() both access the first byte of the ciphertext slice for storage version prefix detection without verifying the slice is non-empty. An empty or nil ciphertext causes an unrecovered panic that crashes the entire aws-encryption-provider process, making Kubernetes Secrets unavailable until pod restart. Add len() == 0 guards to both V1 and V2 Decrypt paths, returning a clean gRPC error instead of panicking. Add unit tests for both paths. Security: High — unauthenticated crash via Unix socket gRPC call --- pkg/plugin/plugin.go | 5 ++++ pkg/plugin/plugin_test.go | 46 ++++++++++++++++++++++++++++++++++++ pkg/plugin/plugin_v2.go | 5 ++++ pkg/plugin/plugin_v2_test.go | 46 ++++++++++++++++++++++++++++++++++++ 4 files changed, 102 insertions(+) diff --git a/pkg/plugin/plugin.go b/pkg/plugin/plugin.go index dd48e103..d5d85219 100644 --- a/pkg/plugin/plugin.go +++ b/pkg/plugin/plugin.go @@ -15,6 +15,7 @@ package plugin import ( "context" + "errors" "fmt" "time" @@ -177,6 +178,10 @@ func (p *V1Plugin) Decrypt(ctx context.Context, request *pb.DecryptRequest) (*pb zap.L().Debug("starting decrypt operation") startTime := time.Now() + + if len(request.Cipher) == 0 { + return nil, errors.New("invalid empty ciphertext") + } if string(request.Cipher[0]) == kmsplugin.StorageVersion { request.Cipher = request.Cipher[1:] } diff --git a/pkg/plugin/plugin_test.go b/pkg/plugin/plugin_test.go index 1ac93efd..97f3f7da 100644 --- a/pkg/plugin/plugin_test.go +++ b/pkg/plugin/plugin_test.go 
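Review bot: The new guard returns `errors.New("invalid empty ciphertext")`, a plain error, although the commit message promises a clean gRPC error; gRPC surfaces a non-status error to the client as codes.Unknown, so the API server cannot tell a malformed request from a KMS-side failure. Return a status error with an argument code instead, `return nil, status.Error(codes.InvalidArgument, "invalid empty ciphertext")`, which adds no module because plugin.go already depends on google.golang.org/grpc. Since the tests match the message text, a package-level sentinel shared by V1 and V2 would keep the two messages identical and let tests use errors.Is. It is also worth checking whether this early return should record the failure in kmsOperationCounter/kmsLatencyMetric the way the other error paths of Decrypt presumably do; the rest of the function is outside the hunk. The V2Plugin.Decrypt hunk in plugin_v2.go has the same shape.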
@@ -415,3 +415,49 @@ func TestHealthTimeout(t *testing.T) { t.Fatalf("expected deadline exceeded error, got: %v", err) } } + +func TestDecryptEmptyCipher(t *testing.T) { + zap.ReplaceGlobals(zap.NewExample()) + + c := &cloud.KMSMock{} + ctx := context.Background() + + sharedHealthCheck := NewSharedHealthCheck(DefaultHealthCheckPeriod, DefaultErrcBufSize) + go sharedHealthCheck.Start() + defer sharedHealthCheck.Stop() + + p := New(key, c, nil, sharedHealthCheck) + + dReq := &pb.DecryptRequest{Cipher: []byte{}} + _, err := p.Decrypt(ctx, dReq) + + if err == nil { + t.Fatal("expected error for empty ciphertext, got nil") + } + if !strings.Contains(err.Error(), "invalid empty ciphertext") { + t.Fatalf("expected 'invalid empty ciphertext' error, got: %v", err) + } +} + +func TestDecryptNilCipher(t *testing.T) { + zap.ReplaceGlobals(zap.NewExample()) + + c := &cloud.KMSMock{} + ctx := context.Background() + + sharedHealthCheck := NewSharedHealthCheck(DefaultHealthCheckPeriod, DefaultErrcBufSize) + go sharedHealthCheck.Start() + defer sharedHealthCheck.Stop() + + p := New(key, c, nil, sharedHealthCheck) + + dReq := &pb.DecryptRequest{Cipher: nil} + _, err := p.Decrypt(ctx, dReq) + + if err == nil { + t.Fatal("expected error for nil ciphertext, got nil") + } + if !strings.Contains(err.Error(), "invalid empty ciphertext") { + t.Fatalf("expected 'invalid empty ciphertext' error, got: %v", err) + } +} diff --git a/pkg/plugin/plugin_v2.go b/pkg/plugin/plugin_v2.go index 7beb184f..2da99a80 100644 --- a/pkg/plugin/plugin_v2.go +++ b/pkg/plugin/plugin_v2.go @@ -15,6 +15,7 @@ package plugin import ( "context" + "errors" "fmt" "time" 
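Review bot: TestDecryptEmptyCipher and TestDecryptNilCipher differ only in the `Cipher:` value (`[]byte{}` versus `nil`) and otherwise repeat the same setup and assertions line for line; one table-driven test with a two-row case list states the requirement (both empty and nil are rejected) in a single place and keeps the setup cost to one plugin. The V2 pair added in the plugin_v2_test.go hunk further down has the same duplication. The sketch below keeps the existing assertions unchanged.
```go
func TestDecryptEmptyCipher(t *testing.T) {
	zap.ReplaceGlobals(zap.NewExample())

	// … unchanged: mock, ctx, health check and plugin construction …

	for _, tc := range []struct {
		name   string
		cipher []byte
	}{
		{name: "empty", cipher: []byte{}},
		{name: "nil", cipher: nil},
	} {
		t.Run(tc.name, func(t *testing.T) {
			_, err := p.Decrypt(ctx, &pb.DecryptRequest{Cipher: tc.cipher})
			if err == nil {
				t.Fatal("expected error for empty ciphertext, got nil")
			}
			if !strings.Contains(err.Error(), "invalid empty ciphertext") {
				t.Fatalf("expected 'invalid empty ciphertext' error, got: %v", err)
			}
		})
	}
}
```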
@@ -181,6 +182,10 @@ func (p *V2Plugin) Decrypt(ctx context.Context, request *pb.DecryptRequest) (*pb zap.L().Debug("starting decrypt operation") startTime := time.Now() + + if len(request.Ciphertext) == 0 { + return nil, errors.New("invalid empty ciphertext") + } storageVersion := kmsplugin.KMSStorageVersion(request.Ciphertext[0]) switch storageVersion { case kmsplugin.KMSStorageVersionV2: diff --git a/pkg/plugin/plugin_v2_test.go b/pkg/plugin/plugin_v2_test.go index 912bcb3a..9108bea4 100644 --- a/pkg/plugin/plugin_v2_test.go +++ b/pkg/plugin/plugin_v2_test.go 
@@ -491,3 +491,49 @@ func TestHealthDecryptTimeoutV2(t *testing.T) { t.Fatalf("expected deadline exceeded error, got: %v", err) } } + +func TestDecryptEmptyCiphertextV2(t *testing.T) { + zap.ReplaceGlobals(zap.NewExample()) + + c := &cloud.KMSMock{} + ctx := context.Background() + + sharedHealthCheck := NewSharedHealthCheck(DefaultHealthCheckPeriod, DefaultErrcBufSize) + go sharedHealthCheck.Start() + defer sharedHealthCheck.Stop() + + p := NewV2(key, c, nil, sharedHealthCheck) + + dReq := &pb.DecryptRequest{Ciphertext: []byte{}} + _, err := p.Decrypt(ctx, dReq) + + if err == nil { + t.Fatal("expected error for empty ciphertext, got nil") + } + if !strings.Contains(err.Error(), "invalid empty ciphertext") { + t.Fatalf("expected 'invalid empty ciphertext' error, got: %v", err) + } +} + +func TestDecryptNilCiphertextV2(t *testing.T) { + zap.ReplaceGlobals(zap.NewExample()) + + c := &cloud.KMSMock{} + ctx := context.Background() + + sharedHealthCheck := NewSharedHealthCheck(DefaultHealthCheckPeriod, DefaultErrcBufSize) + go sharedHealthCheck.Start() + defer sharedHealthCheck.Stop() + + p := NewV2(key, c, nil, sharedHealthCheck) + + dReq := &pb.DecryptRequest{Ciphertext: nil} + _, err := p.Decrypt(ctx, dReq) + + if err == nil { + t.Fatal("expected error for nil ciphertext, got nil") + } + if !strings.Contains(err.Error(), "invalid empty ciphertext") { + t.Fatalf("expected 'invalid empty ciphertext' error, got: %v", err) + } +} From a97aa70247f948c56c9a3a28af0e7dd677d1ae2b Mon Sep 17 00:00:00 2001 From: Ganesh Putta Date: Fri, 1 May 2026 17:20:13 +0000 Subject: [PATCH 17/18] 1.36.0 dependency update --- .go-version | 2 +- Dockerfile | 4 ++-- go.mod | 14 +++++++------- go.sum | 32 ++++++++++++++++---------------- 4 files changed, 26 insertions(+), 26 deletions(-) diff --git a/.go-version b/.go-version index 0e0c284d..c7c3f333 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.25.9 +1.26.2 diff --git a/Dockerfile b/Dockerfile index 73fbd15e..8383952b 100644 
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,8 +8,8 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.25.9-gcc
-ARG BASE_IMAGE=public.ecr.aws/eks-distro-build-tooling/go-runner:v0.18.0-go-1.25.9.2023
+ARG BUILDER=public.ecr.aws/eks-distro-build-tooling/golang:1.26.2-gcc
+ARG BASE_IMAGE=public.ecr.aws/eks-distro-build-tooling/go-runner:v0.18.0-go-1.26.2.2023
FROM --platform=$BUILDPLATFORM ${BUILDER} AS build
WORKDIR /go/src/sigs.k8s.io/aws-encryption-provider
diff --git a/go.mod b/go.mod
index 8f4b81ce..9c201877 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
module sigs.k8s.io/aws-encryption-provider
-go 1.25.9
+go 1.26.2
require (
github.com/aws/aws-sdk-go-v2 v1.39.2
@@ -13,7 +13,7 @@ require (
github.com/stretchr/testify v1.10.0
go.uber.org/zap v1.27.0
google.golang.org/grpc v1.79.3
- k8s.io/kms v0.35.0
+ k8s.io/kms v0.36.0
)
require (
@@ -36,10 +36,10 @@ require (
github.com/prometheus/common v0.62.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
go.uber.org/multierr v1.10.0 // indirect
- golang.org/x/net v0.48.0 // indirect
- golang.org/x/sys v0.39.0 // indirect
- golang.org/x/text v0.32.0 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
- google.golang.org/protobuf v1.36.10 // indirect
+ golang.org/x/net v0.49.0 // indirect
+ golang.org/x/sys v0.40.0 // indirect
+ golang.org/x/text v0.33.0 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
+ google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
diff --git a/go.sum b/go.sum
index 978522be..3654bcd1 100644
--- a/go.sum
+++ b/go.sum
@@ -70,14 +70,14 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= -go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= -go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= +go.opentelemetry.io/otel v1.41.0 h1:YlEwVsGAlCvczDILpUXpIpPSL/VPugt7zHThEMLce1c= +go.opentelemetry.io/otel v1.41.0/go.mod h1:Yt4UwgEKeT05QbLwbyHXEwhnjxNO6D8L5PQP51/46dE= go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= -go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= -go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= +go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw= +go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg= go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 
@@ -86,24 +86,24 @@ go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ= go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU= -golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY= -golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= -golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= -golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= +golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o= +golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8= +golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ= +golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE= +golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww= -google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 h1:H86B94AW+VfJWDqFeEbBPhEtHzJwJfTbgE2lZa54ZAQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= google.golang.org/grpc v1.79.3 
h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE= google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= -google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= -google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= +google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af h1:+5/Sw3GsDNlEmu7TfklWKPdQ0Ykja5VEmq2i817+jbI= +google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/kms v0.35.0 h1:/x87FED2kDSo66csKtcYCEHsxF/DBlNl7LfJ1fVQs1o= -k8s.io/kms v0.35.0/go.mod h1:VT+4ekZAdrZDMgShK37vvlyHUVhwI9t/9tvh0AyCWmQ= +k8s.io/kms v0.36.0 h1:DPy0VDWi6hCgFMgzV5cNuSDrIROMRcJpTZ1GnB+D368= +k8s.io/kms v0.36.0/go.mod h1:g91diTD9h0oJCCHkTb00krlF+Qm5HTnkWLi9Q/TpRoc= From e299e2be3365772c4b456cf77bb4b3a2005d7f01 Mon Sep 17 00:00:00 2001 From: Bharani Ujjaini Kempaiah Date: Wed, 6 May 2026 20:20:44 +0000 Subject: [PATCH 18/18] Add XKS proxy communication failure to UserInduced errors Categorize 'AWS KMS cannot communicate with the external key store proxy' error message as KMSErrorTypeUserInduced in the KMSInternalException case. Added corresponding test case. --- pkg/kmsplugin/kms.go | 3 ++- pkg/kmsplugin/kms_test.go | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/pkg/kmsplugin/kms.go b/pkg/kmsplugin/kms.go index 530d0aeb..16dad889 100644 --- a/pkg/kmsplugin/kms.go +++ b/pkg/kmsplugin/kms.go 
@@ -105,7 +105,8 @@ func ParseError(err error) (errorType KMSErrorType) {
 }
 // Sometimes this error message is returned as part of KMSInvalidStateException or KMSInternalException
 case (&kmstypes.KMSInternalException{}).ErrorCode():
- if strings.Contains(ae.ErrorMessage(), "AWS KMS rejected the request because the external key store proxy did not respond in time. Retry the request. If you see this error repeatedly, report it to your external key store proxy administrator") {
+ if strings.Contains(ae.ErrorMessage(), "AWS KMS rejected the request because the external key store proxy did not respond in time. Retry the request. If you see this error repeatedly, report it to your external key store proxy administrator") ||
+ strings.Contains(ae.ErrorMessage(), "AWS KMS cannot communicate with the external key store proxy") {
 return KMSErrorTypeUserInduced
 }
 }
diff --git a/pkg/kmsplugin/kms_test.go b/pkg/kmsplugin/kms_test.go
index 21087dd3..e57672e4 100644
--- a/pkg/kmsplugin/kms_test.go
+++ b/pkg/kmsplugin/kms_test.go
@@ -113,6 +113,11 @@ func TestParseError(t *testing.T) {
 err: &mockAPIError{code: (&types.KMSInternalException{}).ErrorCode(), message: "AWS KMS rejected the request because the external key store proxy did not respond in time. Retry the request. If you see this error repeatedly, report it to your external key store proxy administrator"}, expected: KMSErrorTypeUserInduced, }, + { name: "KMSInternalException with external key store proxy communication failure", err: &mockAPIError{code: (&types.KMSInternalException{}).ErrorCode(), message: "AWS KMS cannot communicate with the external key store proxy"}, expected: KMSErrorTypeUserInduced, + }, { name: "KMSInternalException with other message", err: &mockAPIError{code: (&types.KMSInternalException{}).ErrorCode(), message: "Some other internal error"},
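Review bot: The second `strings.Contains` added in the KMSInternalException arm turns a KMS-to-XKS-proxy connectivity failure into KMSErrorTypeUserInduced on the strength of a message fragment that KMS does not promise to keep stable, and unlike the first literal (whose own text tells the caller to contact the proxy administrator) nothing near the line says why this is the customer's fault, so a future wording change would silently drop the classification and a reader could not tell whether that was intended. I would put a why-comment above the condition, e.g. `// The external key store proxy is customer-operated, so KMS reporting it unreachable or unresponsive is user-induced; KMS does not guarantee this wording, keep it in sync with TestParseError.`, and move both literals into a package-level list that the arm iterates, so the rationale lives in one place and the next XKS message is a one-line addition. The comment just above the arm says this kind of message can also arrive as KMSInvalidStateException, but only the KMSInternalException arm is visible here; if ParseError has a matching arm outside the hunk it presumably needs the same literal. ParseError starts and ends outside this hunk.

```go
// xksProxyUserInducedMessages lists KMS error texts, surfaced as KMSInternalException, that point at the
// customer-operated external key store proxy rather than at KMS itself and are therefore user-induced.
// KMS does not guarantee this wording; every entry is pinned by a case in TestParseError.
var xksProxyUserInducedMessages = []string{
	"AWS KMS rejected the request because the external key store proxy did not respond in time. Retry the request. If you see this error repeatedly, report it to your external key store proxy administrator",
	"AWS KMS cannot communicate with the external key store proxy",
}

// … unchanged: earlier arms of the switch in ParseError …
	case (&kmstypes.KMSInternalException{}).ErrorCode():
		for _, msg := range xksProxyUserInducedMessages {
			if strings.Contains(ae.ErrorMessage(), msg) {
				return KMSErrorTypeUserInduced
			}
		}
```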