Add Cloud KMS based secret storage

------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=147791972
2026-04-19 15:55:21 +00:00 · 2017-02-16 17:55:19 -08:00
parent ab6e7b177a
commit be30ecdf66
24 changed files with 2255 additions and 0 deletions
--- a/java/google/registry/config/RegistryConfig.java
+++ b/java/google/registry/config/RegistryConfig.java
@@ -867,6 +867,24 @@ public final class RegistryConfig {
      return config.registryPolicy.greetingServerId;
    }

+    /**
+     * The name to use for the Cloud KMS KeyRing containing encryption keys for Nomulus secrets.
+     *
+     * @see <a
+     *     href="https://cloud.google.com/kms/docs/reference/rest/v1beta1/projects.locations.keyRings#KeyRing">projects.locations.keyRings</a>
+     */
+    @Provides
+    @Config("cloudKmsKeyRing")
+    public static String provideCloudKmsKeyRing(RegistryConfigSettings config) {
+      return config.kms.keyringName;
+    }
+
+    @Provides
+    @Config("cloudKmsProjectId")
+    public static String provideCloudKmsProjectId(RegistryConfigSettings config) {
+      return config.kms.projectId;
+    }
+
    @Provides
    @Config("customLogicFactoryClass")
    public static String provideCustomLogicFactoryClass(RegistryConfigSettings config) {
--- a/java/google/registry/config/RegistryConfigSettings.java
+++ b/java/google/registry/config/RegistryConfigSettings.java
@@ -31,6 +31,7 @@ public class RegistryConfigSettings {
  public Misc misc;
  public Rdap rdap;
  public Braintree braintree;
+  public Kms kms;

  /** Configuration options that apply to the entire App Engine project. */
  public static class AppEngine {
@@ -78,6 +79,12 @@ public class RegistryConfigSettings {
    public int baseOfyRetryMillis;
  }

+  /** Configuration for Cloud KMS. */
+  public static class Kms {
+    public String keyringName;
+    public String projectId;
+  }
+
  /** Configuration for caching. */
  public static class Caching {
    public int singletonCacheRefreshSeconds;
--- a/java/google/registry/config/files/default-config.yaml
+++ b/java/google/registry/config/files/default-config.yaml
@@ -182,3 +182,11 @@ braintree:
  # currency). For example, one entry might be:
  #   USD: accountIdUsingUSD
  merchantAccountIdsMap: {}
+
+kms:
+  # GCP project containing the KMS keyring. Should only be used for KMS in
+  # order to keep a simple locked down IAM configuration.
+  projectId: registry-kms-project-id
+  # The name to use for the Cloud KMS KeyRing which will store encryption keys
+  # for Nomulus secrets.
+  keyringName: nomulus