mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

KMS certificates for Encryption configuration page (#2380)

Browse Source 
- removed unused console certificate code in frontend
- fixed confirmation dialog not closing after submit form on encryption
page
- simplified kms mtls/ca certificates for tenant encryption
configuration

Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>

Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
This commit is contained in:
Lenin Alevski
2022-10-19 12:32:08 -07:00
committed by GitHub
parent 5f07d45846
commit 6b6cfd10f1
19 changed files with 918 additions and 1439 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
portal-ui/src/screens/Console/Common/TLSCertificate/TLSCertificate.tsx
View File

@@ -140,8 +140,11 @@ const TLSCertificate = ({
<span className="label">{`${certificates.length} Domain (s):`}</span>
</Box>
<List className={classes.certificatesList}>
{certificates.map((dom) => (
<ListItem className={classes.certificatesListItem}>
{certificates.map((dom, index) => (
<ListItem
key={`${dom}-${index}`}
className={classes.certificatesListItem}
>
<ListItemAvatar>
<LanguageIcon />
</ListItemAvatar>

116
portal-ui/src/screens/Console/Tenants/AddTenant/Steps/Encryption.tsx
View File

@@ -40,8 +40,10 @@ import {
} from "../../../../../utils/validationFunctions";
import SectionH1 from "../../../Common/SectionH1";
import {
addFileClientCert,
addFileServerCert,
addFileMinIOMTLSCert,
addFileKESServerCert,
addFileKMSCa,
addFileKMSMTLSCert,
isPageValid,
updateAddField,
} from "../createTenantSlice";
@@ -135,13 +137,18 @@ const Encryption = ({ classes }: IEncryptionProps) => {
const minioServerCertificates = useSelector(
(state: AppState) => state.createTenant.certificates.minioServerCertificates
);
const serverCertificate = useSelector(
(state: AppState) => state.createTenant.certificates.serverCertificate
const kesServerCertificate = useSelector(
(state: AppState) => state.createTenant.certificates.kesServerCertificate
);
const clientCertificate = useSelector(
(state: AppState) => state.createTenant.certificates.clientCertificate
const minioMTLSCertificate = useSelector(
(state: AppState) => state.createTenant.certificates.minioMTLSCertificate
);
const kmsMTLSCertificate = useSelector(
(state: AppState) => state.createTenant.certificates.kmsMTLSCertificate
);
const kmsCA = useSelector(
(state: AppState) => state.createTenant.certificates.kmsCA
);
const enableCustomCerts = useSelector(
(state: AppState) => state.createTenant.fields.security.enableCustomCerts
);
@@ -231,22 +238,22 @@ const Encryption = ({ classes }: IEncryptionProps) => {
{
fieldKey: "serverKey",
required: !enableAutoCert,
value: serverCertificate.encoded_key,
value: kesServerCertificate.encoded_key,
},
{
fieldKey: "serverCert",
required: !enableAutoCert,
value: serverCertificate.encoded_cert,
value: kesServerCertificate.encoded_cert,
},
{
fieldKey: "clientKey",
required: !enableAutoCert,
value: clientCertificate.encoded_key,
value: minioMTLSCertificate.encoded_key,
},
{
fieldKey: "clientCert",
required: !enableAutoCert,
value: clientCertificate.encoded_cert,
value: minioMTLSCertificate.encoded_cert,
},
];
}
@@ -275,10 +282,10 @@ const Encryption = ({ classes }: IEncryptionProps) => {
dispatch,
enableAutoCert,
enableCustomCerts,
serverCertificate.encoded_key,
serverCertificate.encoded_cert,
clientCertificate.encoded_key,
clientCertificate.encoded_cert,
kesServerCertificate.encoded_key,
kesServerCertificate.encoded_cert,
minioMTLSCertificate.encoded_key,
minioMTLSCertificate.encoded_cert,
kesSecurityContext,
replicas,
]);
@@ -407,12 +414,12 @@ const Encryption = ({ classes }: IEncryptionProps) => {
<Grid item xs={12} style={{ marginBottom: 15 }}>
<fieldset className={classes.fieldGroup}>
<legend className={classes.descriptionText}>
Encryption Service Certificates
Encryption server certificates
</legend>
<FileSelector
onChange={(encodedValue, fileName) => {
dispatch(
addFileServerCert({
addFileKESServerCert({
key: "key",
fileName: fileName,
value: encodedValue,
@@ -425,13 +432,13 @@ const Encryption = ({ classes }: IEncryptionProps) => {
name="serverKey"
label="Key"
error={validationErrors["serverKey"] || ""}
value={serverCertificate.key}
value={kesServerCertificate.key}
required={!enableAutoCert}
/>
<FileSelector
onChange={(encodedValue, fileName) => {
dispatch(
addFileServerCert({
addFileKESServerCert({
key: "cert",
fileName: fileName,
value: encodedValue,
@@ -444,7 +451,7 @@ const Encryption = ({ classes }: IEncryptionProps) => {
name="serverCert"
label="Cert"
error={validationErrors["serverCert"] || ""}
value={serverCertificate.cert}
value={kesServerCertificate.cert}
required={!enableAutoCert}
/>
</fieldset>
@@ -454,12 +461,13 @@ const Encryption = ({ classes }: IEncryptionProps) => {
<Grid item xs={12}>
<fieldset className={classes.fieldGroup}>
<legend className={classes.descriptionText}>
Mutual TLS authentication with MinIO
MinIO mTLS certificates (connection between MinIO and
the Encryption server)
</legend>
<FileSelector
onChange={(encodedValue, fileName) => {
dispatch(
addFileClientCert({
addFileMinIOMTLSCert({
key: "key",
fileName: fileName,
value: encodedValue,
@@ -472,13 +480,13 @@ const Encryption = ({ classes }: IEncryptionProps) => {
name="clientKey"
label="Key"
error={validationErrors["clientKey"] || ""}
value={clientCertificate.key}
value={minioMTLSCertificate.key}
required={!enableAutoCert}
/>
<FileSelector
onChange={(encodedValue, fileName) => {
dispatch(
addFileClientCert({
addFileMinIOMTLSCert({
key: "cert",
fileName: fileName,
value: encodedValue,
@@ -491,12 +499,70 @@ const Encryption = ({ classes }: IEncryptionProps) => {
name="clientCert"
label="Cert"
error={validationErrors["clientCert"] || ""}
value={clientCertificate.cert}
value={minioMTLSCertificate.cert}
required={!enableAutoCert}
/>
</fieldset>
</Grid>
</Grid>
<Grid container className={classes.mutualTlsConfig}>
<fieldset className={classes.fieldGroup}>
<legend className={classes.descriptionText}>
KMS mTLS certificates (connection between the Encryption
server and the KMS)
</legend>
<FileSelector
onChange={(encodedValue, fileName) => {
dispatch(
addFileKMSMTLSCert({
key: "key",
fileName: fileName,
value: encodedValue,
})
);
cleanValidation("vault_key");
}}
accept=".key,.pem"
id="vault_key"
name="vault_key"
label="Key"
value={kmsMTLSCertificate.key}
/>
<FileSelector
onChange={(encodedValue, fileName) => {
dispatch(
addFileKMSMTLSCert({
key: "cert",
fileName: fileName,
value: encodedValue,
})
);
cleanValidation("vault_cert");
}}
accept=".cer,.crt,.cert,.pem"
id="vault_cert"
name="vault_cert"
label="Cert"
value={kmsMTLSCertificate.cert}
/>
<FileSelector
onChange={(encodedValue, fileName) => {
dispatch(
addFileKMSCa({
fileName: fileName,
value: encodedValue,
})
);
cleanValidation("vault_ca");
}}
accept=".cer,.crt,.cert,.pem"
id="vault_ca"
name="vault_ca"
label="CA"
value={kmsCA.cert}
/>
</fieldset>
</Grid>
</Fragment>
)}
<Grid item xs={12}>

40
portal-ui/src/screens/Console/Tenants/AddTenant/Steps/Encryption/GemaltoKMSAdd.tsx
View File

@@ -28,12 +28,7 @@ import {
wizardCommon,
} from "../../../../Common/FormComponents/common/styleLibrary";
import makeStyles from "@mui/styles/makeStyles";
import FileSelector from "../../../../Common/FormComponents/FileSelector/FileSelector";
import {
addFileGemaltoCa,
isPageValid,
updateAddField,
} from "../../createTenantSlice";
import { isPageValid, updateAddField } from "../../createTenantSlice";
import {
commonFormValidation,
IValidation,
@@ -56,9 +51,6 @@ const GemaltoKMSAdd = () => {
const encryptionTab = useSelector(
(state: AppState) => state.createTenant.fields.encryption.encryptionTab
);
const gemaltoCA = useSelector(
(state: AppState) => state.createTenant.certificates.gemaltoCA
);
const gemaltoEndpoint = useSelector(
(state: AppState) => state.createTenant.fields.encryption.gemaltoEndpoint
);
@@ -209,36 +201,6 @@ const GemaltoKMSAdd = () => {
</Grid>
</fieldset>
</Grid>
<Grid
item
xs={12}
style={{
marginBottom: 15,
}}
>
<fieldset className={classes.fieldGroup}>
<legend className={classes.descriptionText}>
Custom CA Root certificate verification
</legend>
<FileSelector
onChange={(encodedValue, fileName) => {
dispatch(
addFileGemaltoCa({
fileName: fileName,
value: encodedValue,
})
);
cleanValidation("gemalto_ca");
}}
accept=".cer,.crt,.cert,.pem"
id="gemalto_ca"
name="gemalto_ca"
label="CA"
value={gemaltoCA.cert}
/>
</fieldset>
</Grid>
</Fragment>
);
};

72
portal-ui/src/screens/Console/Tenants/AddTenant/Steps/Encryption/VaultKMSAdd.tsx
View File

@@ -18,13 +18,7 @@ import React, { Fragment, useCallback, useEffect, useState } from "react";
import Grid from "@mui/material/Grid";
import InputBoxWrapper from "../../../../Common/FormComponents/InputBoxWrapper/InputBoxWrapper";
import FileSelector from "../../../../Common/FormComponents/FileSelector/FileSelector";
import {
addFileVaultCa,
addFileVaultCert,
isPageValid,
updateAddField,
} from "../../createTenantSlice";
import { isPageValid, updateAddField } from "../../createTenantSlice";
import { useSelector } from "react-redux";
import { AppState, useAppDispatch } from "../../../../../../store";
import { Theme } from "@mui/material/styles";
@@ -85,12 +79,6 @@ const VaultKMSAdd = () => {
const vaultPing = useSelector(
(state: AppState) => state.createTenant.fields.encryption.vaultPing
);
const vaultCertificate = useSelector(
(state: AppState) => state.createTenant.certificates.vaultCertificate
);
const vaultCA = useSelector(
(state: AppState) => state.createTenant.certificates.vaultCA
);
const [validationErrors, setValidationErrors] = useState<any>({});
@@ -278,64 +266,6 @@ const VaultKMSAdd = () => {
</Grid>
</fieldset>
</Grid>
<Grid container className={classes.mutualTlsConfig}>
<fieldset className={classes.fieldGroup}>
<legend className={classes.descriptionText}>
Mutual TLS authentication (optional)
</legend>
<FileSelector
onChange={(encodedValue, fileName) => {
dispatch(
addFileVaultCert({
key: "key",
fileName: fileName,
value: encodedValue,
})
);
cleanValidation("vault_key");
}}
accept=".key,.pem"
id="vault_key"
name="vault_key"
label="Key"
value={vaultCertificate.key}
/>
<FileSelector
onChange={(encodedValue, fileName) => {
dispatch(
addFileVaultCert({
key: "cert",
fileName: fileName,
value: encodedValue,
})
);
cleanValidation("vault_cert");
}}
accept=".cer,.crt,.cert,.pem"
id="vault_cert"
name="vault_cert"
label="Cert"
value={vaultCertificate.cert}
/>
<FileSelector
onChange={(encodedValue, fileName) => {
dispatch(
addFileVaultCa({
fileName: fileName,
value: encodedValue,
})
);
cleanValidation("vault_ca");
}}
accept=".cer,.crt,.cert,.pem"
id="vault_ca"
name="vault_ca"
label="CA"
value={vaultCA.cert}
/>
</fieldset>
</Grid>
<Grid
item
xs={12}

129
portal-ui/src/screens/Console/Tenants/AddTenant/createTenantSlice.ts
View File

@@ -323,52 +323,29 @@ const initialState: ICreateTenant = {
encoded_cert: "",
},
],
consoleCaCertificates: [
{
id: Date.now().toString(),
key: "",
cert: "",
encoded_key: "",
encoded_cert: "",
},
],
consoleCertificate: {
id: "console_cert_pair",
key: "",
cert: "",
encoded_key: "",
encoded_cert: "",
},
serverCertificate: {
kesServerCertificate: {
id: "encryptionServerCertificate",
key: "",
cert: "",
encoded_key: "",
encoded_cert: "",
},
clientCertificate: {
minioMTLSCertificate: {
id: "encryptionClientCertificate",
key: "",
cert: "",
encoded_key: "",
encoded_cert: "",
},
vaultCertificate: {
id: "encryptionVaultCertificate",
kmsMTLSCertificate: {
id: "encryptionKMSMTLSCertificate",
key: "",
cert: "",
encoded_key: "",
encoded_cert: "",
},
vaultCA: {
id: "encryptionVaultCA",
key: "",
cert: "",
encoded_key: "",
encoded_cert: "",
},
gemaltoCA: {
id: "encryptionGemaltoCA",
kmsCA: {
id: "encryptionKMSCA",
key: "",
cert: "",
encoded_key: "",
@@ -656,91 +633,38 @@ export const createTenantSlice = createSlice({
);
}
},
addConsoleCertificate: (state, action: PayloadAction<CertificateFile>) => {
const consoleCert = state.certificates.consoleCertificate;
state.certificates.consoleCertificate = {
...consoleCert,
[action.payload.key]: action.payload.fileName,
[`encoded_${action.payload.key}`]: action.payload.value,
};
},
addConsoleCaCertificate: (state) => {
state.certificates.consoleCaCertificates.push({
id: Date.now().toString(),
key: "",
cert: "",
encoded_key: "",
encoded_cert: "",
});
},
addFileToConsoleCaCertificates: (
state,
action: PayloadAction<CertificateFile>
) => {
const consoleCaCertificates = state.certificates.consoleCaCertificates;
addFileKESServerCert: (state, action: PayloadAction<KeyFileValue>) => {
const encServerCert = state.certificates.kesServerCertificate;
state.certificates.consoleCaCertificates = consoleCaCertificates.map(
(item: KeyPair) => {
if (item.id === action.payload.id) {
return {
...item,
[action.payload.key]: action.payload.fileName,
[`encoded_${action.payload.key}`]: action.payload.value,
};
}
return item;
}
);
},
deleteConsoleCaCertificate: (state, action: PayloadAction<string>) => {
const consoleCACertsList = state.certificates.consoleCaCertificates;
if (consoleCACertsList.length > 1) {
state.certificates.consoleCaCertificates = consoleCACertsList.filter(
(item: KeyPair) => item.id !== action.payload
);
}
},
addFileServerCert: (state, action: PayloadAction<KeyFileValue>) => {
const encServerCert = state.certificates.serverCertificate;
state.certificates.serverCertificate = {
state.certificates.kesServerCertificate = {
...encServerCert,
[action.payload.key]: action.payload.fileName,
[`encoded_${action.payload.key}`]: action.payload.value,
};
},
addFileClientCert: (state, action: PayloadAction<KeyFileValue>) => {
const encClientCert = state.certificates.clientCertificate;
addFileMinIOMTLSCert: (state, action: PayloadAction<KeyFileValue>) => {
const encClientCert = state.certificates.minioMTLSCertificate;
state.certificates.clientCertificate = {
state.certificates.minioMTLSCertificate = {
...encClientCert,
[action.payload.key]: action.payload.fileName,
[`encoded_${action.payload.key}`]: action.payload.value,
};
},
addFileVaultCert: (state, action: PayloadAction<KeyFileValue>) => {
const encVaultCert = state.certificates.vaultCertificate;
addFileKMSMTLSCert: (state, action: PayloadAction<KeyFileValue>) => {
const encKMSTLSCert = state.certificates.kmsMTLSCertificate;
state.certificates.vaultCertificate = {
...encVaultCert,
state.certificates.kmsMTLSCertificate = {
...encKMSTLSCert,
[action.payload.key]: action.payload.fileName,
[`encoded_${action.payload.key}`]: action.payload.value,
};
},
addFileVaultCa: (state, action: PayloadAction<FileValue>) => {
const encVaultCA = state.certificates.vaultCA;
addFileKMSCa: (state, action: PayloadAction<FileValue>) => {
const encKMSCA = state.certificates.kmsCA;
state.certificates.vaultCA = {
...encVaultCA,
cert: action.payload.fileName,
encoded_cert: action.payload.value,
};
},
addFileGemaltoCa: (state, action: PayloadAction<FileValue>) => {
const encGemaltoCA = state.certificates.gemaltoCA;
state.certificates.gemaltoCA = {
...encGemaltoCA,
state.certificates.kmsCA = {
...encKMSCA,
cert: action.payload.fileName,
encoded_cert: action.payload.value,
};
@@ -1038,21 +962,16 @@ export const {
addCaCertificate,
deleteCaCertificate,
addFileToCaCertificates,
addConsoleCaCertificate,
deleteConsoleCaCertificate,
addFileToConsoleCaCertificates,
addKeyPair,
deleteKeyPair,
addFileToKeyPair,
addClientKeyPair,
deleteClientKeyPair,
addFileToClientKeyPair,
addConsoleCertificate,
addFileServerCert,
addFileClientCert,
addFileVaultCert,
addFileVaultCa,
addFileGemaltoCa,
addFileKESServerCert,
addFileMinIOMTLSCert,
addFileKMSMTLSCert,
addFileKMSCa,
resetAddTenantForm,
setKeyValuePairs,
setEnvVars,

98
portal-ui/src/screens/Console/Tenants/AddTenant/thunks/createTenantThunk.ts
View File

@@ -65,11 +65,10 @@ export const createTenantAsync = createAsyncThunk(
const minioServerCertificates = certificates.minioServerCertificates;
const minioClientCertificates = certificates.minioClientCertificates;
const minioCAsCertificates = certificates.minioCAsCertificates;
const serverCertificate = certificates.serverCertificate;
const clientCertificate = certificates.clientCertificate;
const vaultCertificate = certificates.vaultCertificate;
const vaultCA = certificates.vaultCA;
const gemaltoCA = certificates.gemaltoCA;
const kesServerCertificate = certificates.kesServerCertificate;
const minioMTLSCertificate = certificates.minioMTLSCertificate;
const kmsMTLSCertificate = certificates.kmsMTLSCertificate;
const kmsCA = certificates.kmsCA;
const rawConfiguration = fields.encryption.rawConfiguration;
const encryptionTab = fields.encryption.encryptionTab;
const enableEncryption = fields.encryption.enableEncryption;
@@ -346,13 +345,6 @@ export const createTenantAsync = createAsyncThunk(
switch (encryptionType) {
case "gemalto":
let gemaltoCAIntroduce = {};
if (gemaltoCA.encoded_cert !== "") {
gemaltoCAIntroduce = {
ca: gemaltoCA.encoded_cert,
};
}
insertEncrypt = {
gemalto: {
keysecure: {
@@ -362,9 +354,6 @@ export const createTenantAsync = createAsyncThunk(
domain: gemaltoDomain,
retry: parseInt(gemaltoRetry),
},
tls: {
...gemaltoCAIntroduce,
},
},
},
};
@@ -416,31 +405,6 @@ export const createTenantAsync = createAsyncThunk(
};
break;
case "vault":
let vaultKeyPair = null;
let vaultCAInsert = null;
if (
vaultCertificate.encoded_key !== "" &&
vaultCertificate.encoded_cert !== ""
) {
vaultKeyPair = {
key: vaultCertificate.encoded_key,
crt: vaultCertificate.encoded_cert,
};
}
if (vaultCA.encoded_cert !== "") {
vaultCAInsert = {
ca: vaultCA.encoded_cert,
};
}
let vaultTLS = null;
if (vaultKeyPair || vaultCAInsert) {
vaultTLS = {
tls: {
...vaultKeyPair,
...vaultCAInsert,
},
};
}
insertEncrypt = {
vault: {
endpoint: vaultEndpoint,
@@ -453,7 +417,6 @@ export const createTenantAsync = createAsyncThunk(
secret: vaultSecret,
retry: parseInt(vaultRetry),
},
...vaultTLS,
status: {
ping: parseInt(vaultPing),
},
@@ -464,27 +427,56 @@ export const createTenantAsync = createAsyncThunk(
let encryptionServerKeyPair: any = {};
let encryptionClientKeyPair: any = {};
let encryptionKMSCertificates: any = {};
// MinIO -> KES (mTLS certificates)
if (
clientCertificate.encoded_key !== "" &&
clientCertificate.encoded_cert !== ""
minioMTLSCertificate.encoded_key !== "" &&
minioMTLSCertificate.encoded_cert !== ""
) {
encryptionClientKeyPair = {
client: {
key: clientCertificate.encoded_key,
crt: clientCertificate.encoded_cert,
minio_mtls: {
key: minioMTLSCertificate.encoded_key,
crt: minioMTLSCertificate.encoded_cert,
},
};
}
// KES server certificates
if (
serverCertificate.encoded_key !== "" &&
serverCertificate.encoded_cert !== ""
kesServerCertificate.encoded_key !== "" &&
kesServerCertificate.encoded_cert !== ""
) {
encryptionServerKeyPair = {
server: {
key: serverCertificate.encoded_key,
crt: serverCertificate.encoded_cert,
server_tls: {
key: kesServerCertificate.encoded_key,
crt: kesServerCertificate.encoded_cert,
},
};
}
// KES -> KMS (mTLS certificates)
let kmsMTLSKeyPair = null;
let kmsCAInsert = null;
if (
kmsMTLSCertificate.encoded_key !== "" &&
kmsMTLSCertificate.encoded_cert !== ""
) {
kmsMTLSKeyPair = {
key: kmsMTLSCertificate.encoded_key,
crt: kmsMTLSCertificate.encoded_cert,
};
}
if (kmsCA.encoded_cert !== "") {
kmsCAInsert = {
ca: kmsCA.encoded_cert,
};
}
if (kmsMTLSKeyPair || kmsCAInsert) {
encryptionKMSCertificates = {
kms_mtls: {
...kmsMTLSKeyPair,
...kmsCAInsert,
},
};
}
@@ -498,6 +490,7 @@ export const createTenantAsync = createAsyncThunk(
image: kesImage,
...encryptionClientKeyPair,
...encryptionServerKeyPair,
...encryptionKMSCertificates,
...insertEncrypt,
},
};
@@ -583,7 +576,7 @@ export const createTenantAsync = createAsyncThunk(
idp: { ...dataIDP },
};
const response = createTenantCall(dataSend)
return createTenantCall(dataSend)
.then((resp) => {
return resp;
})
@@ -591,6 +584,5 @@ export const createTenantAsync = createAsyncThunk(
dispatch(setErrorSnackMessage(err));
return rejectWithValue(err);
});
return response;
}
);

440
portal-ui/src/screens/Console/Tenants/TenantDetails/TenantEncryption.tsx
View File

@@ -97,7 +97,7 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
useState<string>("");
const [encryptionEnabled, setEncryptionEnabled] = useState<boolean>(false);
const [encryptionType, setEncryptionType] = useState<string>("vault");
const [replicas, setReplicas] = useState<string>("2");
const [replicas, setReplicas] = useState<string>("1");
const [image, setImage] = useState<string>("");
const [refreshEncryptionInfo, setRefreshEncryptionInfo] =
useState<boolean>(false);
@@ -116,11 +116,12 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
const [enabledCustomCertificates, setEnabledCustomCertificates] =
useState<boolean>(false);
const [updatingEncryption, setUpdatingEncryption] = useState<boolean>(false);
const [serverTLSCertificateSecret, setServerTLSCertificateSecret] =
const [kesServerTLSCertificateSecret, setKesServerTLSCertificateSecret] =
useState<ICertificateInfo | null>(null);
const [mTLSCertificateSecret, setMTLSCertificateSecret] =
const [minioMTLSCertificateSecret, setMinioMTLSCertificateSecret] =
useState<ICertificateInfo | null>(null);
const [mTLSCertificate, setMTLSCertificate] = useState<KeyPair | null>(null);
const [minioMTLSCertificate, setMinioMTLSCertificate] =
useState<KeyPair | null>(null);
const [certificatesToBeRemoved, setCertificatesToBeRemoved] = useState<
string[]
>([]);
@@ -128,22 +129,18 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
const [isFormValid, setIsFormValid] = useState<boolean>(false);
const [showVaultAppRoleSecret, setShowVaultAppRoleSecret] =
useState<boolean>(false);
const [vaultClientCertificateSecret, setVaultClientCertificateSecret] =
const [kmsMTLSCertificateSecret, setKmsMTLSCertificateSecret] =
useState<ICertificateInfo | null>(null);
const [vaultCACertificateSecret, setVaultCACertificateSecret] =
const [kmsCACertificateSecret, setKMSCACertificateSecret] =
useState<ICertificateInfo | null>(null);
const [vaultClientCertificate, setVaultClientCertificate] =
useState<KeyPair | null>(null);
const [serverCertificate, setServerCertificate] = useState<KeyPair | null>(
const [kmsMTLSCertificate, setKmsMTLSCertificate] = useState<KeyPair | null>(
null
);
const [vaultCACertificate, setVaultCACertificate] = useState<KeyPair | null>(
const [kesServerCertificate, setKESServerCertificate] =
useState<KeyPair | null>(null);
const [kmsCACertificate, setKmsCACertificate] = useState<KeyPair | null>(
null
);
const [gemaltoCACertificateSecret, setGemaltoCACertificateSecret] =
useState<ICertificateInfo | null>(null);
const [gemaltoCACertificate, setGemaltotCACertificate] =
useState<KeyPair | null>(null);
const [validationErrors, setValidationErrors] = useState<any>({});
const cleanValidation = (fieldName: string) => {
setValidationErrors(clearValidationError(validationErrors, fieldName));
@@ -199,22 +196,22 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
{
fieldKey: "serverKey",
required: false,
value: serverCertificate?.encoded_key || "",
value: kesServerCertificate?.encoded_key || "",
},
{
fieldKey: "serverCert",
required: false,
value: serverCertificate?.encoded_cert || "",
value: kesServerCertificate?.encoded_cert || "",
},
{
fieldKey: "clientKey",
required: false,
value: mTLSCertificate?.encoded_key || "",
value: minioMTLSCertificate?.encoded_key || "",
},
{
fieldKey: "clientCert",
required: false,
value: mTLSCertificate?.encoded_cert || "",
value: minioMTLSCertificate?.encoded_cert || "",
},
];
}
@@ -345,14 +342,14 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
enabledCustomCertificates,
encryptionEnabled,
encryptionType,
serverCertificate?.encoded_key,
serverCertificate?.encoded_cert,
mTLSCertificate?.encoded_key,
mTLSCertificate?.encoded_cert,
vaultClientCertificate?.encoded_key,
vaultClientCertificate?.encoded_cert,
vaultCACertificate?.encoded_key,
vaultCACertificate?.encoded_cert,
kesServerCertificate?.encoded_key,
kesServerCertificate?.encoded_cert,
minioMTLSCertificate?.encoded_key,
minioMTLSCertificate?.encoded_cert,
kmsMTLSCertificate?.encoded_key,
kmsMTLSCertificate?.encoded_cert,
kmsCACertificate?.encoded_key,
kmsCACertificate?.encoded_cert,
securityContext,
vaultConfiguration,
awsConfiguration,
@@ -375,19 +372,12 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
if (resp.vault) {
setEncryptionType("vault");
setVaultConfiguration(resp.vault);
if (resp.vault.tls) {
setVaultClientCertificateSecret(resp.vault.tls.crt);
setVaultCACertificateSecret(resp.vault.tls.ca);
}
} else if (resp.aws) {
setEncryptionType("aws");
setAWSConfiguration(resp.aws);
} else if (resp.gemalto) {
setEncryptionType("gemalto");
setGemaltoConfiguration(resp.gemalto);
if (resp.gemalto.keysecure.tls) {
setGemaltoCACertificateSecret(resp.gemalto.keysecure.tls.ca);
}
} else if (resp.gcp) {
setEncryptionType("gcp");
setGCPConfiguration(resp.gcp);
@@ -402,14 +392,18 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
if (resp.securityContext) {
setSecurityContext(resp.securityContext);
}
if (resp.server || resp.mtls_client) {
if (resp.server_tls || resp.minio_mtls || resp.kms_mtls) {
setEnabledCustomCertificates(true);
}
if (resp.server) {
setServerTLSCertificateSecret(resp.server);
if (resp.server_tls) {
setKesServerTLSCertificateSecret(resp.server_tls);
}
if (resp.mtls_client) {
setMTLSCertificateSecret(resp.mtls_client);
if (resp.minio_mtls) {
setMinioMTLSCertificateSecret(resp.minio_mtls);
}
if (resp.kms_mtls) {
setKmsMTLSCertificateSecret(resp.kms_mtls.crt);
setKMSCACertificateSecret(resp.kms_mtls.ca);
}
setRefreshEncryptionInfo(false);
})
@@ -430,20 +424,17 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
...certificatesToBeRemoved,
certificateInfo.name,
]);
if (certificateInfo.name === serverTLSCertificateSecret?.name) {
setServerTLSCertificateSecret(null);
if (certificateInfo.name === kesServerTLSCertificateSecret?.name) {
setKesServerTLSCertificateSecret(null);
}
if (certificateInfo.name === mTLSCertificateSecret?.name) {
setMTLSCertificateSecret(null);
if (certificateInfo.name === minioMTLSCertificateSecret?.name) {
setMinioMTLSCertificateSecret(null);
}
if (certificateInfo.name === vaultClientCertificateSecret?.name) {
setVaultClientCertificateSecret(null);
if (certificateInfo.name === kmsMTLSCertificateSecret?.name) {
setKmsMTLSCertificateSecret(null);
}
if (certificateInfo.name === vaultCACertificateSecret?.name) {
setVaultCACertificateSecret(null);
}
if (certificateInfo.name === gemaltoCACertificateSecret?.name) {
setGemaltoCACertificateSecret(null);
if (certificateInfo.name === kmsCACertificateSecret?.name) {
setKMSCACertificateSecret(null);
}
};
@@ -452,15 +443,6 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
let insertEncrypt = {};
switch (encryptionType) {
case "gemalto":
let gemaltoCAIntroduce = {};
if (gemaltoCACertificate?.encoded_cert) {
gemaltoCAIntroduce = {
tls: {
ca: gemaltoCACertificate?.encoded_cert,
},
};
}
insertEncrypt = {
gemalto: {
keysecure: {
@@ -474,7 +456,6 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
gemaltoConfiguration?.keysecure?.credentials?.retry
),
},
...gemaltoCAIntroduce,
},
},
};
@@ -543,31 +524,6 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
};
break;
case "vault":
let vaultKeyPair = null;
let vaultCAInsert = null;
if (
vaultClientCertificate?.encoded_key &&
vaultClientCertificate?.encoded_cert
) {
vaultKeyPair = {
key: vaultClientCertificate?.encoded_key,
crt: vaultClientCertificate?.encoded_cert,
};
}
if (vaultCACertificate?.encoded_cert) {
vaultCAInsert = {
ca: vaultCACertificate?.encoded_cert,
};
}
let vaultTLS = null;
if (vaultKeyPair || vaultCAInsert) {
vaultTLS = {
tls: {
...vaultKeyPair,
...vaultCAInsert,
},
};
}
insertEncrypt = {
vault: {
endpoint: vaultConfiguration?.endpoint || "",
@@ -580,7 +536,6 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
secret: vaultConfiguration?.approle?.secret || "",
retry: parseInt(vaultConfiguration?.approle?.retry),
},
...vaultTLS,
status: {
ping: parseInt(vaultConfiguration?.status?.ping),
},
@@ -591,24 +546,57 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
let encryptionServerKeyPair: any = {};
let encryptionClientKeyPair: any = {};
let encryptionKMSCertificates: any = {};
if (mTLSCertificate?.encoded_key && mTLSCertificate?.encoded_cert) {
// MinIO -> KES (mTLS certificates)
if (
minioMTLSCertificate?.encoded_key &&
minioMTLSCertificate?.encoded_cert
) {
encryptionClientKeyPair = {
client: {
key: mTLSCertificate?.encoded_key,
crt: mTLSCertificate?.encoded_cert,
minio_mtls: {
key: minioMTLSCertificate?.encoded_key,
crt: minioMTLSCertificate?.encoded_cert,
},
};
}
if (serverCertificate?.encoded_key && serverCertificate?.encoded_cert) {
// KES server certificates
if (
kesServerCertificate?.encoded_key &&
kesServerCertificate?.encoded_cert
) {
encryptionServerKeyPair = {
server: {
key: serverCertificate?.encoded_key,
crt: serverCertificate?.encoded_cert,
server_tls: {
key: kesServerCertificate?.encoded_key,
crt: kesServerCertificate?.encoded_cert,
},
};
}
// KES -> KMS (mTLS certificates)
let kmsMTLSKeyPair = null;
let kmsCAInsert = null;
if (kmsMTLSCertificate?.encoded_key && kmsMTLSCertificate?.encoded_cert) {
kmsMTLSKeyPair = {
key: kmsMTLSCertificate?.encoded_key,
crt: kmsMTLSCertificate?.encoded_cert,
};
}
if (kmsCACertificate?.encoded_cert) {
kmsCAInsert = {
ca: kmsCACertificate?.encoded_cert,
};
}
if (kmsMTLSKeyPair || kmsCAInsert) {
encryptionKMSCertificates = {
kms_mtls: {
...kmsMTLSKeyPair,
...kmsCAInsert,
},
};
}
const dataSend = {
raw: editRawConfiguration ? encryptionRawConfiguration : "",
secretsToBeDeleted: certificatesToBeRemoved || [],
@@ -617,6 +605,7 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
image: image,
...encryptionClientKeyPair,
...encryptionServerKeyPair,
...encryptionKMSCertificates,
...insertEncrypt,
};
if (!updatingEncryption) {
@@ -647,9 +636,9 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
{}
)
.then(() => {
fetchEncryptionInfo();
setConfirmOpen(false);
setUpdatingEncryption(false);
fetchEncryptionInfo();
})
.catch((err: ErrorResponseHandler) => {
setUpdatingEncryption(false);
@@ -915,92 +904,6 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
value={vaultConfiguration?.approle?.retry || ""}
/>
</Grid>
<Grid item xs={12}>
<SectionTitle>Vault Certificates (optional)</SectionTitle>
</Grid>
<Grid item xs={12}>
<fieldset className={classes.fieldGroup}>
<legend className={classes.descriptionText}>
Mutual TLS authentication with Vault (optional)
</legend>
{vaultClientCertificateSecret ? (
<TLSCertificate
certificateInfo={vaultClientCertificateSecret}
onDelete={() =>
removeCertificate(vaultClientCertificateSecret)
}
/>
) : (
<Fragment>
<FileSelector
onChange={(encodedValue, fileName) =>
setVaultClientCertificate({
encoded_key: encodedValue || "",
id: vaultClientCertificate?.id || "",
key: fileName || "",
cert: vaultClientCertificate?.cert || "",
encoded_cert:
vaultClientCertificate?.encoded_cert || "",
})
}
accept=".key,.pem"
id="vault_key"
name="vault_key"
label="Key"
value={vaultClientCertificate?.key || ""}
/>
<FileSelector
onChange={(encodedValue, fileName) =>
setVaultClientCertificate({
encoded_key:
vaultClientCertificate?.encoded_key || "",
id: vaultClientCertificate?.id || "",
key: vaultClientCertificate?.key || "",
cert: fileName || "",
encoded_cert: encodedValue || "",
})
}
accept=".cer,.crt,.cert,.pem"
id="vault_cert"
name="vault_cert"
label="Cert"
value={vaultClientCertificate?.cert || ""}
/>
</Fragment>
)}
</fieldset>
<fieldset className={classes.fieldGroup}>
<legend className={classes.descriptionText}>
Vault CA certificate (optional)
</legend>
{vaultCACertificateSecret ? (
<TLSCertificate
certificateInfo={vaultCACertificateSecret}
onDelete={() =>
removeCertificate(vaultCACertificateSecret)
}
/>
) : (
<FileSelector
onChange={(encodedValue, fileName) =>
setVaultCACertificate({
encoded_key:
vaultCACertificate?.encoded_key || "",
id: vaultCACertificate?.id || "",
key: vaultCACertificate?.key || "",
cert: fileName || "",
encoded_cert: encodedValue || "",
})
}
accept=".cer,.crt,.cert,.pem"
id="vault_ca"
name="vault_ca"
label="CA"
value={vaultCACertificate?.cert || ""}
/>
)}
</fieldset>
</Grid>
<Grid item xs={12}>
<SectionTitle>Status</SectionTitle>
</Grid>
@@ -1494,45 +1397,6 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
error={validationErrors["gemalto_retry"] || ""}
/>
</Grid>
<Grid
item
xs={12}
style={{
marginBottom: 15,
}}
>
<fieldset className={classes.fieldGroup}>
<legend className={classes.descriptionText}>
Custom CA Root certificate verification
</legend>
{gemaltoCACertificateSecret ? (
<TLSCertificate
certificateInfo={gemaltoCACertificateSecret}
onDelete={() =>
removeCertificate(gemaltoCACertificateSecret)
}
/>
) : (
<FileSelector
onChange={(encodedValue, fileName) =>
setGemaltotCACertificate({
encoded_key:
gemaltoCACertificate?.encoded_key || "",
id: gemaltoCACertificate?.id || "",
key: gemaltoCACertificate?.key || "",
cert: fileName || "",
encoded_cert: encodedValue || "",
})
}
accept=".cer,.crt,.cert,.pem"
id="gemalto_ca"
name="gemalto_ca"
label="CA"
value={gemaltoCACertificate?.cert || ""}
/>
)}
</fieldset>
</Grid>
</Fragment>
)}
</Fragment>
@@ -1558,26 +1422,26 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
<Grid item xs={12}>
<fieldset className={classes.fieldGroup}>
<legend className={classes.descriptionText}>
KES server TLS Certificates (optional)
Encryption server certificates
</legend>
{serverTLSCertificateSecret ? (
{kesServerTLSCertificateSecret ? (
<TLSCertificate
certificateInfo={serverTLSCertificateSecret}
certificateInfo={kesServerTLSCertificateSecret}
onDelete={() =>
removeCertificate(serverTLSCertificateSecret)
removeCertificate(kesServerTLSCertificateSecret)
}
/>
) : (
<Fragment>
<FileSelector
onChange={(encodedValue, fileName) => {
setServerCertificate({
setKESServerCertificate({
encoded_key: encodedValue || "",
id: serverCertificate?.id || "",
id: kesServerCertificate?.id || "",
key: fileName || "",
cert: serverCertificate?.cert || "",
cert: kesServerCertificate?.cert || "",
encoded_cert:
serverCertificate?.encoded_cert || "",
kesServerCertificate?.encoded_cert || "",
});
cleanValidation("serverKey");
}}
@@ -1585,14 +1449,15 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
id="serverKey"
name="serverKey"
label="Key"
value={serverCertificate?.key}
value={kesServerCertificate?.key}
/>
<FileSelector
onChange={(encodedValue, fileName) => {
setServerCertificate({
encoded_key: serverCertificate?.encoded_key || "",
id: serverCertificate?.id || "",
key: serverCertificate?.key || "",
setKESServerCertificate({
encoded_key:
kesServerCertificate?.encoded_key || "",
id: kesServerCertificate?.id || "",
key: kesServerCertificate?.key || "",
cert: fileName || "",
encoded_cert: encodedValue || "",
});
@@ -1602,7 +1467,7 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
id="serverCert"
name="serverCert"
label="Cert"
value={serverCertificate?.cert}
value={kesServerCertificate?.cert}
/>
</Fragment>
)}
@@ -1611,25 +1476,27 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
<Grid item xs={12}>
<fieldset className={classes.fieldGroup}>
<legend className={classes.descriptionText}>
Mutual TLS authentication with MinIO (optional)
MinIO mTLS certificates (connection between MinIO and the
Encryption server)
</legend>
{mTLSCertificateSecret ? (
{minioMTLSCertificateSecret ? (
<TLSCertificate
certificateInfo={mTLSCertificateSecret}
certificateInfo={minioMTLSCertificateSecret}
onDelete={() =>
removeCertificate(mTLSCertificateSecret)
removeCertificate(minioMTLSCertificateSecret)
}
/>
) : (
<Fragment>
<FileSelector
onChange={(encodedValue, fileName) => {
setMTLSCertificate({
setMinioMTLSCertificate({
encoded_key: encodedValue || "",
id: mTLSCertificate?.id || "",
id: minioMTLSCertificate?.id || "",
key: fileName || "",
cert: mTLSCertificate?.cert || "",
encoded_cert: mTLSCertificate?.encoded_cert || "",
cert: minioMTLSCertificate?.cert || "",
encoded_cert:
minioMTLSCertificate?.encoded_cert || "",
});
cleanValidation("clientKey");
}}
@@ -1637,14 +1504,15 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
id="clientKey"
name="clientKey"
label="Key"
value={mTLSCertificate?.key}
value={minioMTLSCertificate?.key}
/>
<FileSelector
onChange={(encodedValue, fileName) => {
setMTLSCertificate({
encoded_key: mTLSCertificate?.encoded_key || "",
id: mTLSCertificate?.id || "",
key: mTLSCertificate?.key || "",
setMinioMTLSCertificate({
encoded_key:
minioMTLSCertificate?.encoded_key || "",
id: minioMTLSCertificate?.id || "",
key: minioMTLSCertificate?.key || "",
cert: fileName || "",
encoded_cert: encodedValue || "",
});
@@ -1654,12 +1522,90 @@ const TenantEncryption = ({ classes }: ITenantEncryption) => {
id="clientCert"
name="clientCert"
label="Cert"
value={mTLSCertificate?.cert}
value={minioMTLSCertificate?.cert}
/>
</Fragment>
)}
</fieldset>
</Grid>
<Grid item xs={12}>
<fieldset className={classes.fieldGroup}>
<legend className={classes.descriptionText}>
KMS mTLS certificates (connection between the Encryption
server and the KMS)
</legend>
{kmsMTLSCertificateSecret ? (
<TLSCertificate
certificateInfo={kmsMTLSCertificateSecret}
onDelete={() =>
removeCertificate(kmsMTLSCertificateSecret)
}
/>
) : (
<Fragment>
<FileSelector
onChange={(encodedValue, fileName) => {
setKmsMTLSCertificate({
encoded_key: encodedValue || "",
id: kmsMTLSCertificate?.id || "",
key: fileName || "",
cert: kmsMTLSCertificate?.cert || "",
encoded_cert:
kmsMTLSCertificate?.encoded_cert || "",
});
}}
accept=".key,.pem"
id="kms_mtls_key"
name="kms_mtls_key"
label="Key"
value={kmsMTLSCertificate?.key}
/>
<FileSelector
onChange={(encodedValue, fileName) =>
setKmsMTLSCertificate({
encoded_key:
kmsMTLSCertificate?.encoded_key || "",
id: kmsMTLSCertificate?.id || "",
key: kmsMTLSCertificate?.key || "",
cert: fileName || "",
encoded_cert: encodedValue || "",
})
}
accept=".cer,.crt,.cert,.pem"
id="kms_mtls_cert"
name="kms_mtls_cert"
label="Cert"
value={kmsMTLSCertificate?.cert || ""}
/>
</Fragment>
)}
{kmsCACertificateSecret ? (
<TLSCertificate
certificateInfo={kmsCACertificateSecret}
onDelete={() =>
removeCertificate(kmsCACertificateSecret)
}
/>
) : (
<FileSelector
onChange={(encodedValue, fileName) =>
setKmsCACertificate({
encoded_key: kmsCACertificate?.encoded_key || "",
id: kmsCACertificate?.id || "",
key: kmsCACertificate?.key || "",
cert: fileName || "",
encoded_cert: encodedValue || "",
})
}
accept=".cer,.crt,.cert,.pem"
id="kms_mtls_ca"
name="kms_mtls_ca"
label="CA"
value={kmsCACertificate?.cert || ""}
/>
)}
</fieldset>
</Grid>
</Fragment>
)}
<Grid item xs={12}>

30
portal-ui/src/screens/Console/Tenants/types.ts
View File

@@ -55,11 +55,6 @@ export interface ITenantSecurityResponse {
securityContext: ISecurityContext;
}
export interface IVaultTLS {
crt: ICertificateInfo;
ca: ICertificateInfo;
}
export interface IVaultAppRole {
engine: string;
id: string;
@@ -78,17 +73,11 @@ export interface IVaultConfiguration {
prefix: string;
approle: IVaultAppRole;
status: IVaultStatus;
tls: IVaultTLS;
}
export interface IGemaltoTLS {
ca: ICertificateInfo;
}
export interface IKeysecureConfiguration {
endpoint: string;
credentials: IGemaltoCredentials;
tls: IGemaltoTLS;
}
export interface IGemaltoConfiguration {
@@ -100,8 +89,12 @@ export interface ITenantEncryptionResponse {
image: string;
replicas: string;
securityContext: ISecurityContext;
server: ICertificateInfo;
mtls_client: ICertificateInfo;
server_tls: ICertificateInfo;
minio_mtls: ICertificateInfo;
kms_mtls: {
crt: ICertificateInfo;
ca: ICertificateInfo;
};
vault?: IVaultConfiguration;
aws?: IAWSConfig;
gemalto?: IGemaltoConfiguration;
@@ -113,13 +106,10 @@ export interface ICertificatesItems {
minioServerCertificates: KeyPair[];
minioClientCertificates: KeyPair[];
minioCAsCertificates: KeyPair[];
consoleCaCertificates: KeyPair[];
consoleCertificate: KeyPair;
serverCertificate: KeyPair;
clientCertificate: KeyPair;
vaultCertificate: KeyPair;
vaultCA: KeyPair;
gemaltoCA: KeyPair;
kesServerCertificate: KeyPair;
minioMTLSCertificate: KeyPair;
kmsMTLSCertificate: KeyPair;
kmsCA: KeyPair;
}
export interface IFieldStore {