Support for GCP KMS configuration (#592)

This commit is contained in:
Lenin Alevski
2021-02-10 18:09:50 -08:00
committed by GitHub
parent cdadb05551
commit 940c7dc5bc
8 changed files with 867 additions and 307 deletions


@@ -40,6 +40,9 @@ type EncryptionConfiguration struct {
// client
Client *KeyPairConfiguration `json:"client,omitempty"`
// gcp
Gcp *GcpConfiguration `json:"gcp,omitempty"`
// gemalto
Gemalto *GemaltoConfiguration `json:"gemalto,omitempty"`
@@ -68,6 +71,8 @@ func (m *EncryptionConfiguration) UnmarshalJSON(raw []byte) error {
Client *KeyPairConfiguration `json:"client,omitempty"`
Gcp *GcpConfiguration `json:"gcp,omitempty"`
Gemalto *GemaltoConfiguration `json:"gemalto,omitempty"`
Image string `json:"image,omitempty"`
@@ -84,6 +89,8 @@ func (m *EncryptionConfiguration) UnmarshalJSON(raw []byte) error {
m.Client = dataAO1.Client
m.Gcp = dataAO1.Gcp
m.Gemalto = dataAO1.Gemalto
m.Image = dataAO1.Image
@@ -109,6 +116,8 @@ func (m EncryptionConfiguration) MarshalJSON() ([]byte, error) {
Client *KeyPairConfiguration `json:"client,omitempty"`
Gcp *GcpConfiguration `json:"gcp,omitempty"`
Gemalto *GemaltoConfiguration `json:"gemalto,omitempty"`
Image string `json:"image,omitempty"`
@@ -122,6 +131,8 @@ func (m EncryptionConfiguration) MarshalJSON() ([]byte, error) {
dataAO1.Client = m.Client
dataAO1.Gcp = m.Gcp
dataAO1.Gemalto = m.Gemalto
dataAO1.Image = m.Image
@@ -155,6 +166,10 @@ func (m *EncryptionConfiguration) Validate(formats strfmt.Registry) error {
res = append(res, err)
}
if err := m.validateGcp(formats); err != nil {
res = append(res, err)
}
if err := m.validateGemalto(formats); err != nil {
res = append(res, err)
}
@@ -209,6 +224,24 @@ func (m *EncryptionConfiguration) validateClient(formats strfmt.Registry) error
return nil
}
func (m *EncryptionConfiguration) validateGcp(formats strfmt.Registry) error {
if swag.IsZero(m.Gcp) { // not required
return nil
}
if m.Gcp != nil {
if err := m.Gcp.Validate(formats); err != nil {
if ve, ok := err.(*errors.Validation); ok {
return ve.ValidateName("gcp")
}
return err
}
}
return nil
}
func (m *EncryptionConfiguration) validateGemalto(formats strfmt.Registry) error {
if swag.IsZero(m.Gemalto) { // not required

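--- /dev/null
+++ b/models/gcp_configuration.go
@@ -0,0 +1,210 @@
+// Code generated by go-swagger; DO NOT EDIT.
+// This file is part of MinIO Console Server
+// Copyright (c) 2021 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see <http://www.gnu.org/licenses/>.
+//
+package models
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+import (
+"github.com/go-openapi/errors"
+"github.com/go-openapi/strfmt"
+"github.com/go-openapi/swag"
+"github.com/go-openapi/validate"
+)
+// GcpConfiguration gcp configuration
+//
+// swagger:model gcpConfiguration
+type GcpConfiguration struct {
+// secretmanager
+// Required: true
+Secretmanager *GcpConfigurationSecretmanager `json:"secretmanager"`
+}
+// Validate validates this gcp configuration
+func (m *GcpConfiguration) Validate(formats strfmt.Registry) error {
+var res []error
+if err := m.validateSecretmanager(formats); err != nil {
+res = append(res, err)
+}
+if len(res) > 0 {
+return errors.CompositeValidationError(res...)
+}
+return nil
+}
+func (m *GcpConfiguration) validateSecretmanager(formats strfmt.Registry) error {
+if err := validate.Required("secretmanager", "body", m.Secretmanager); err != nil {
+return err
+}
+if m.Secretmanager != nil {
+if err := m.Secretmanager.Validate(formats); err != nil {
+if ve, ok := err.(*errors.Validation); ok {
+return ve.ValidateName("secretmanager")
+}
+return err
+}
+}
+return nil
+}
+// MarshalBinary interface implementation
+func (m *GcpConfiguration) MarshalBinary() ([]byte, error) {
+if m == nil {
+return nil, nil
+}
+return swag.WriteJSON(m)
+}
+// UnmarshalBinary interface implementation
+func (m *GcpConfiguration) UnmarshalBinary(b []byte) error {
+var res GcpConfiguration
+if err := swag.ReadJSON(b, &res); err != nil {
+return err
+}
+*m = res
+return nil
+}
+// GcpConfigurationSecretmanager gcp configuration secretmanager
+//
+// swagger:model GcpConfigurationSecretmanager
+type GcpConfigurationSecretmanager struct {
+// credentials
+Credentials *GcpConfigurationSecretmanagerCredentials `json:"credentials,omitempty"`
+// endpoint
+Endpoint string `json:"endpoint,omitempty"`
+// project id
+// Required: true
+ProjectID *string `json:"project_id"`
+}
+// Validate validates this gcp configuration secretmanager
+func (m *GcpConfigurationSecretmanager) Validate(formats strfmt.Registry) error {
+var res []error
+if err := m.validateCredentials(formats); err != nil {
+res = append(res, err)
+}
+if err := m.validateProjectID(formats); err != nil {
+res = append(res, err)
+}
+if len(res) > 0 {
+return errors.CompositeValidationError(res...)
+}
+return nil
+}
+func (m *GcpConfigurationSecretmanager) validateCredentials(formats strfmt.Registry) error {
+if swag.IsZero(m.Credentials) { // not required
+return nil
+}
+if m.Credentials != nil {
+if err := m.Credentials.Validate(formats); err != nil {
+if ve, ok := err.(*errors.Validation); ok {
+return ve.ValidateName("secretmanager" + "." + "credentials")
+}
+return err
+}
+}
+return nil
+}
+func (m *GcpConfigurationSecretmanager) validateProjectID(formats strfmt.Registry) error {
+if err := validate.Required("secretmanager"+"."+"project_id", "body", m.ProjectID); err != nil {
+return err
+}
+return nil
+}
+// MarshalBinary interface implementation
+func (m *GcpConfigurationSecretmanager) MarshalBinary() ([]byte, error) {
+if m == nil {
+return nil, nil
+}
+return swag.WriteJSON(m)
+}
+// UnmarshalBinary interface implementation
+func (m *GcpConfigurationSecretmanager) UnmarshalBinary(b []byte) error {
+var res GcpConfigurationSecretmanager
+if err := swag.ReadJSON(b, &res); err != nil {
+return err
+}
+*m = res
+return nil
+}
+// GcpConfigurationSecretmanagerCredentials gcp configuration secretmanager credentials
+//
+// swagger:model GcpConfigurationSecretmanagerCredentials
+type GcpConfigurationSecretmanagerCredentials struct {
+// client email
+ClientEmail string `json:"client_email,omitempty"`
+// client id
+ClientID string `json:"client_id,omitempty"`
+// private key
+PrivateKey string `json:"private_key,omitempty"`
+// private key id
+PrivateKeyID string `json:"private_key_id,omitempty"`
+}
+// Validate validates this gcp configuration secretmanager credentials
+func (m *GcpConfigurationSecretmanagerCredentials) Validate(formats strfmt.Registry) error {
+return nil
+}
+// MarshalBinary interface implementation
+func (m *GcpConfigurationSecretmanagerCredentials) MarshalBinary() ([]byte, error) {
+if m == nil {
+return nil, nil
+}
+return swag.WriteJSON(m)
+}
+// UnmarshalBinary interface implementation
+func (m *GcpConfigurationSecretmanagerCredentials) UnmarshalBinary(b []byte) error {
+var res GcpConfigurationSecretmanagerCredentials
+if err := swag.ReadJSON(b, &res); err != nil {
+return err
+}
+*m = res
+return nil
+}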


@@ -113,11 +113,29 @@ type Gemalto struct {
KeySecure *GemaltoKeySecure `yaml:"keysecure,omitempty"`
}
type GcpCredentials struct {
ClientEmail string `yaml:"client_email"`
ClientID string `yaml:"client_id"`
PrivateKeyID string `yaml:"private_key_id"`
PrivateKey string `yaml:"private_key"`
}
type GcpSecretManager struct {
ProjectID string `yaml:"project_id"`
Endpoint string `yaml:"endpoint,omitempty"`
Credentials *GcpCredentials `yaml:"credentials,omitempty"`
}
type Gcp struct {
SecretManager *GcpSecretManager `yaml:"secretmanager,omitempty"`
}
type Keys struct {
Fs *Fs `yaml:"fs,omitempty"`
Vault *Vault `yaml:"vault,omitempty"`
Aws *Aws `yaml:"aws,omitempty"`
Gemalto *Gemalto `yaml:"gemalto,omitempty"`
Gcp *Gcp `yaml:"gcp,omitempty"`
}
type ServerConfig struct {
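Review bot: The new GcpCredentials struct carries a GCP service-account private key, yet none of the three added types has a doc comment, and its four fields lack the `omitempty` that Endpoint and Credentials use, so a credentials block whose fields are all empty is still rendered into the KES YAML as four empty strings. Suggest a comment on the type such as `// GcpCredentials is a GCP service-account key. PrivateKey is a secret and must only be written into the KES configuration secret, never logged.`, plus `yaml:"client_email,omitempty"` (and likewise for the other three) if KES distinguishes an absent field from an empty one — worth confirming against the KES config parser before relying on it. The Keys struct is fully visible in the hunk; ServerConfig continues past it.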



@@ -182,6 +182,7 @@ const AddTenant = ({ classes }: IAddTenantProps) => {
const [awsAccessKey, setAWSAccessKey] = useState<string>("");
const [awsSecretKey, setAWSSecretKey] = useState<string>("");
const [awsToken, setAWSToken] = useState<string>("");
const [vaultEndpoint, setVaultEndpoint] = useState<string>("");
const [vaultEngine, setVaultEngine] = useState<string>("");
const [vaultNamespace, setVaultNamespace] = useState<string>("");
@@ -191,6 +192,12 @@ const AddTenant = ({ classes }: IAddTenantProps) => {
const [vaultSecret, setVaultSecret] = useState<string>("");
const [vaultRetry, setVaultRetry] = useState<string>("0");
const [vaultPing, setVaultPing] = useState<string>("0");
const [gcpProjectID, setGcpProjectID] = useState<string>("");
const [gcpEndpoint, setGcpEndpoint] = useState<string>("");
const [gcpClientEmail, setGcpClientEmail] = useState<string>("");
const [gcpClientID, setGcpClientID] = useState<string>("");
const [gcpPrivateKeyID, setGcpPrivateKeyID] = useState<string>("");
const [gcpPrivateKey, setGcpPrivateKey] = useState<string>("");
const [ecParityChoices, setECParityChoices] = useState<Opts[]>([]);
const [cleanECChoices, setCleanECChoices] = useState<string[]>([]);
const [nodes, setNodes] = useState<string>("4");
@@ -834,6 +841,17 @@ const AddTenant = ({ classes }: IAddTenantProps) => {
];
}
if (encryptionType === "gcp") {
encryptionValidation = [
...encryptionValidation,
{
fieldKey: "gcp_project_id",
required: true,
value: gcpProjectID,
},
];
}
if (encryptionType === "aws") {
encryptionValidation = [
...encryptionValidation,
@@ -913,6 +931,7 @@ const AddTenant = ({ classes }: IAddTenantProps) => {
gemaltoToken,
gemaltoDomain,
gemaltoRetry,
gcpProjectID,
]);
const clearValidationError = (fieldKey: string) => {
@@ -1069,6 +1088,22 @@ const AddTenant = ({ classes }: IAddTenantProps) => {
},
};
break;
case "GCP":
insertEncrypt = {
gcp: {
secretmanager: {
project_id: gcpProjectID,
endpoint: gcpEndpoint,
credentials: {
client_email: gcpClientEmail,
client_id: gcpClientID,
private_key_id: gcpPrivateKeyID,
private_key: gcpPrivateKey,
},
},
},
};
break;
case "vault":
let vaultKeyPair = null;
let vaultCA = null;
@@ -1975,6 +2010,7 @@ const AddTenant = ({ classes }: IAddTenantProps) => {
{ label: "Vault", value: "vault" },
{ label: "AWS", value: "aws" },
{ label: "Gemalto", value: "gemalto" },
{ label: "GCP", value: "gcp" },
]}
/>
</Grid>
@@ -2253,6 +2289,80 @@ const AddTenant = ({ classes }: IAddTenantProps) => {
</Grid>
</React.Fragment>
)}
{encryptionType === "gcp" && (
<React.Fragment>
<Grid item xs={12}>
<InputBoxWrapper
id="gcp_project_id"
name="gcp_project_id"
onChange={(e: React.ChangeEvent<HTMLInputElement>) => {
setGcpProjectID(e.target.value);
clearValidationError("gcp_project_id");
}}
label="Project ID"
value={gcpProjectID}
error={validationErrors["gcp_project_id"] || ""}
required
/>
</Grid>
<Grid item xs={12}>
<InputBoxWrapper
id="gcp_endpoint"
name="gcp_endpoint"
onChange={(e: React.ChangeEvent<HTMLInputElement>) => {
setGcpEndpoint(e.target.value);
}}
label="Endpoint"
value={gcpEndpoint}
/>
</Grid>
<h5>Credentials</h5>
<Grid item xs={12}>
<InputBoxWrapper
id="gcp_client_email"
name="gcp_client_email"
onChange={(e: React.ChangeEvent<HTMLInputElement>) => {
setGcpClientEmail(e.target.value);
}}
label="Client Email"
value={gcpClientEmail}
/>
</Grid>
<Grid item xs={12}>
<InputBoxWrapper
id="gcp_client_id"
name="gcp_client_id"
onChange={(e: React.ChangeEvent<HTMLInputElement>) => {
setGcpClientID(e.target.value);
}}
label="Client ID"
value={gcpClientID}
/>
</Grid>
<Grid item xs={12}>
<InputBoxWrapper
id="gcp_private_key_id"
name="gcp_private_key_id"
onChange={(e: React.ChangeEvent<HTMLInputElement>) => {
setGcpPrivateKeyID(e.target.value);
}}
label="Private Key ID"
value={gcpPrivateKeyID}
/>
</Grid>
<Grid item xs={12}>
<InputBoxWrapper
id="gcp_private_key"
name="gcp_private_key"
onChange={(e: React.ChangeEvent<HTMLInputElement>) => {
setGcpPrivateKey(e.target.value);
}}
label="Private Key"
value={gcpPrivateKey}
/>
</Grid>
</React.Fragment>
)}
{encryptionType === "aws" && (
<React.Fragment>
<Grid item xs={12}>
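Review bot: The insertEncrypt switch (hunk at 1088) adds `case "GCP":`, but the select option added at 2010 carries the value `"gcp"` and the validation and rendering hunks both compare `encryptionType === "gcp"`; if the switch is on that same lowercase value — its header is outside the hunk, next to the lowercase `case "vault":` — the GCP branch never matches and the tenant request goes out without any gcp block even though the form passed validation. Change it to `case "gcp":`. Separately, the Private Key field at the end of the section is a plain single-line InputBoxWrapper; a PEM key pasted from a service-account JSON file contains escaped newlines, so a multi-line input that is masked like the other secret fields in this form would be safer — check how awsSecretKey and vaultSecret are rendered and match that.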


@@ -489,6 +489,25 @@ func createOrReplaceKesConfigurationSecrets(ctx context.Context, clientSet K8sCl
}
}
}
} else if encryptionCfg.Gcp != nil {
// Initialize GCP
kesConfig.Keys.Gcp = &kes.Gcp{
SecretManager: &kes.GcpSecretManager{},
}
// GCP basic kesConfiguration
if encryptionCfg.Gcp.Secretmanager != nil {
kesConfig.Keys.Gcp.SecretManager.ProjectID = *encryptionCfg.Gcp.Secretmanager.ProjectID
kesConfig.Keys.Gcp.SecretManager.Endpoint = encryptionCfg.Gcp.Secretmanager.Endpoint
// GCP credentials
if encryptionCfg.Gcp.Secretmanager.Credentials != nil {
kesConfig.Keys.Gcp.SecretManager.Credentials = &kes.GcpCredentials{
ClientEmail: encryptionCfg.Gcp.Secretmanager.Credentials.ClientEmail,
ClientID: encryptionCfg.Gcp.Secretmanager.Credentials.ClientID,
PrivateKeyID: encryptionCfg.Gcp.Secretmanager.Credentials.PrivateKeyID,
PrivateKey: encryptionCfg.Gcp.Secretmanager.Credentials.PrivateKey,
}
}
}
}
imm := true
// if mTLSCertificates contains elements we create the kubernetes secret
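Review bot: The credentials block is copied into kesConfig whenever the request carries a credentials object, even when every field is empty, and the `*encryptionCfg.Gcp.Secretmanager.ProjectID` dereference relies on the model's Required validation having run before this function is reached. Because the console UI always sends a credentials object, a request that only sets project_id still yields a credentials section of empty strings in the generated KES secret; if KES can authenticate without an explicit key, that presumably breaks the no-key path, and otherwise it produces an unusable config instead of a clear error. Guard the copy, `if c := encryptionCfg.Gcp.Secretmanager.Credentials; c != nil && (c.ClientEmail != "" || c.PrivateKey != "") {`, or return an error when credentials are present but ClientEmail or PrivateKey is empty. createOrReplaceKesConfigurationSecrets starts before the hunk and continues after it.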


@@ -3688,6 +3688,10 @@ func init() {
"type": "object",
"$ref": "#/definitions/keyPairConfiguration"
},
"gcp": {
"type": "object",
"$ref": "#/definitions/gcpConfiguration"
},
"gemalto": {
"type": "object",
"$ref": "#/definitions/gemaltoConfiguration"
@@ -3722,6 +3726,45 @@ func init() {
}
}
},
"gcpConfiguration": {
"type": "object",
"required": [
"secretmanager"
],
"properties": {
"secretmanager": {
"type": "object",
"required": [
"project_id"
],
"properties": {
"credentials": {
"type": "object",
"properties": {
"client_email": {
"type": "string"
},
"client_id": {
"type": "string"
},
"private_key": {
"type": "string"
},
"private_key_id": {
"type": "string"
}
}
},
"endpoint": {
"type": "string"
},
"project_id": {
"type": "string"
}
}
}
}
},
"gemaltoConfiguration": {
"type": "object",
"required": [
@@ -8640,6 +8683,54 @@ func init() {
}
}
},
"GcpConfigurationSecretmanager": {
"type": "object",
"required": [
"project_id"
],
"properties": {
"credentials": {
"type": "object",
"properties": {
"client_email": {
"type": "string"
},
"client_id": {
"type": "string"
},
"private_key": {
"type": "string"
},
"private_key_id": {
"type": "string"
}
}
},
"endpoint": {
"type": "string"
},
"project_id": {
"type": "string"
}
}
},
"GcpConfigurationSecretmanagerCredentials": {
"type": "object",
"properties": {
"client_email": {
"type": "string"
},
"client_id": {
"type": "string"
},
"private_key": {
"type": "string"
},
"private_key_id": {
"type": "string"
}
}
},
"GemaltoConfigurationKeysecure": {
"type": "object",
"required": [
@@ -9721,6 +9812,10 @@ func init() {
"type": "object",
"$ref": "#/definitions/keyPairConfiguration"
},
"gcp": {
"type": "object",
"$ref": "#/definitions/gcpConfiguration"
},
"gemalto": {
"type": "object",
"$ref": "#/definitions/gemaltoConfiguration"
@@ -9755,6 +9850,45 @@ func init() {
}
}
},
"gcpConfiguration": {
"type": "object",
"required": [
"secretmanager"
],
"properties": {
"secretmanager": {
"type": "object",
"required": [
"project_id"
],
"properties": {
"credentials": {
"type": "object",
"properties": {
"client_email": {
"type": "string"
},
"client_id": {
"type": "string"
},
"private_key": {
"type": "string"
},
"private_key_id": {
"type": "string"
}
}
},
"endpoint": {
"type": "string"
},
"project_id": {
"type": "string"
}
}
}
}
},
"gemaltoConfiguration": {
"type": "object",
"required": [


@@ -3205,6 +3205,9 @@ definitions:
vault:
type: object
$ref: "#/definitions/vaultConfiguration"
gcp:
type: object
$ref: "#/definitions/gcpConfiguration"
vaultConfiguration:
type: object
@@ -3316,6 +3319,32 @@ definitions:
ca:
type: string
gcpConfiguration:
type: object
required:
- secretmanager
properties:
secretmanager:
type: object
required:
- project_id
properties:
project_id:
type: string
endpoint:
type: string
credentials:
type: object
properties:
client_email:
type: string
client_id:
type: string
private_key_id:
type: string
private_key:
type: string
createTenantResponse:
type: object
properties:
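Review bot: `private_key` under gcpConfiguration.secretmanager.credentials is a service-account secret, but the schema gives consumers no hint of that; Swagger 2.0 accepts `format: password` on a string, which makes generated docs and UIs mask the value, so `private_key:` / `type: string` / `format: password`. Note that go-swagger maps that format to `strfmt.Password` rather than `string`, so the generated model field type changes and the assignment in createOrReplaceKesConfigurationSecrets needs a `string(...)` conversion — regenerate and check before merging. A one-line `description:` on `credentials` saying it is optional and that project_id alone is accepted would also document the contract the validation hunks enforce. The gcpConfiguration definition is complete within the hunk.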