Skip to content

Add encryption/decryption logic #11110

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
lakshmimsft wants to merge 1 commit into from
Closed

Add encryption/decryption logic #11110

lakshmimsft wants to merge 1 commit into from
+2,716 −0

Conversation

@lakshmimsft
Copy link
Contributor

@lakshmimsft lakshmimsft commented Jan 28, 2026
edited
Loading

This pr introduces a encryption subsystem, providing the core encryption logic along with comprehensive tests. The main changes include the implementation of a ChaCha20-Poly1305-based encryption module, key provider interfaces and implementations (for both Kubernetes and in-memory usage), and thorough unit and integration tests to ensure reliability and correct behavior.
ref: design doc

Encryption functionality:

  • Implements the Encryptor type in encryption.go, providing methods for encrypting and decrypting data using ChaCha20-Poly1305 with support for associated data (AD) binding, and includes utility methods for key generation and encrypted data validation.

Key management:

  • Defines the KeyProvider interface and provides two implementations in keyprovider.go: KubernetesKeyProvider (retrieves keys from Kubernetes Secrets with configurable options) and InMemoryKeyProvider (for testing and development), along with error handling for key retrieval and validation.

Testing and validation:

  • Adds keyprovider_test.go with comprehensive tests for both key provider implementations, covering success and error cases.

Type of change

Fixes: #11071

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

  • An overview of proposed schema changes is included in a linked GitHub issue.
    • Yes
    • [] Not applicable
  • A design document PR is created in the design-notes repository, if new APIs are being introduced.
    • Yes
    • [] Not applicable
  • The design document has been reviewed and approved by Radius maintainers/approvers.
    • Yes
    • [] Not applicable
  • A PR for the samples repository is created, if existing samples are affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
    • Yes
    • Not applicable
  • A PR for the recipes repository is created, if existing recipes are affected by the changes in this PR.
    • Yes
    • Not applicable

@lakshmimsft lakshmimsft requested a review from sk593 January 28, 2026 08:24
@radius-functional-tests
Copy link

radius-functional-tests bot commented Jan 28, 2026
edited
Loading

Radius functional test overview

🔍 Go to test action run

Click here to see the test run details
Name Value
Repository lakshmimsft/radius-mainfork
Commit ref a6b4545
Unique ID func31ff26ffc4
Image tag pr-func31ff26ffc4
  • gotestsum 1.13.0
  • KinD: v0.29.0
  • Dapr: 1.14.4
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.3.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func31ff26ffc4
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func31ff26ffc4
  • dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func31ff26ffc4
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-func31ff26ffc4
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func31ff26ffc4
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting corerp-cloud functional tests...
⌛ Starting ucp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 28, 2026
View reviewed changes
@lakshmimsft lakshmimsft force-pushed the lakshmimsft/encryption branch from a6b4545 to f959e63 Compare January 28, 2026 17:27
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 28, 2026
View reviewed changes
@lakshmimsft lakshmimsft force-pushed the lakshmimsft/encryption branch from f959e63 to 3127633 Compare January 28, 2026 19:07
@lakshmimsft
Copy link
Contributor Author

lakshmimsft commented Jan 28, 2026

closing this PR from fork. created pr against radius repo: #11114

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sk593 sk593 Awaiting requested review from sk593

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Encryption/Decryption mechanism

1 participant

@lakshmimsft