TLS with user provided certificates and KES support for MinIO (#213)

This PR adds the following features: - Allow user to provide its own keypair certificates for enable TLS in MinIO - Allow user to configure data encryption at rest in MinIO with KES - Removes JWT schema for login and instead Console authentication will use encrypted session tokens Enable TLS between client and MinIO with user provided certificates Instead of using AutoCert feature now the user can provide `cert` and `key` via `tls` object, values must be valid `x509.Certificate` formatted files encoded in `base64` Enable encryption at rest configuring KES User can deploy KES via Console/Operator by defining the encryption object, AutoCert must be enabled or custom certificates for KES must be provided, KES support 3 KMS backends: `Vault`, `AWS KMS` and `Gemalto`, previous configuration of the KMS is necessary. eg of body request for create-tenant ``` { "name": "honeywell", "access_key": "minio", "secret_key": "minio123", "enable_mcs": false, "enable_ssl": false, "service_name": "honeywell", "zones": [ { "name": "honeywell-zone-1", "servers": 1, "volumes_per_server": 4, "volume_configuration": { "size": 256000000, "storage_class": "vsan-default-storage-policy" } } ], "namespace": "default", "tls": { "tls.crt": "", "tls.key": "" }, "encryption": { "server": { "tls.crt": "", "tls.key": "" }, "client": { "tls.crt": "", "tls.key": "" }, "vault": { "endpoint": "http://vault:8200", "prefix": "", "approle": { "id": "", "secret": "" } } } } ```
2020-07-30 17:49:56 -07:00
parent 88b697f072
commit ee8242d72a
25 changed files with 2965 additions and 388 deletions
--- a/restapi/client.go
+++ b/restapi/client.go
@@ -26,8 +26,8 @@ import (
 	"github.com/minio/console/models"
 	"github.com/minio/console/pkg/acl"
 	"github.com/minio/console/pkg/auth"
-	xjwt "github.com/minio/console/pkg/auth/jwt"
 	"github.com/minio/console/pkg/auth/ldap"
+	xjwt "github.com/minio/console/pkg/auth/token"
 	mc "github.com/minio/mc/cmd"
 	"github.com/minio/mc/pkg/probe"
 	"github.com/minio/minio-go/v7"
@@ -125,7 +125,7 @@ func (c mcClient) watch(ctx context.Context, options mc.WatchOptions) (*mc.Watch
 }

 // ConsoleCredentials interface with all functions to be implemented
-// by mock when testing, it should include all needed consoleCredentials.Credentials api calls
+// by mock when testing, it should include all needed consoleCredentials.Login api calls
 // that are used within this project.
 type ConsoleCredentials interface {
 	Get() (credentials.Value, error)
@@ -137,12 +137,12 @@ type consoleCredentials struct {
 	consoleCredentials *credentials.Credentials
 }

-// implements *Credentials.Get()
+// implements *Login.Get()
 func (c consoleCredentials) Get() (credentials.Value, error) {
 	return c.consoleCredentials.Get()
 }

-// implements *Credentials.Expire()
+// implements *Login.Expire()
 func (c consoleCredentials) Expire() {
 	c.consoleCredentials.Expire()
 }
@@ -217,14 +217,14 @@ func newConsoleCredentials(accessKey, secretKey, location string) (*credentials.

 // GetClaimsFromJWT decrypt and returns the claims associated to a provided jwt
 func GetClaimsFromJWT(jwt string) (*auth.DecryptedClaims, error) {
-	claims, err := auth.JWTAuthenticate(jwt)
+	claims, err := auth.SessionTokenAuthenticate(jwt)
 	if err != nil {
 		return nil, err
 	}
 	return claims, nil
 }

-// getConsoleCredentialsFromSession returns the *consoleCredentials.Credentials associated to the
+// getConsoleCredentialsFromSession returns the *consoleCredentials.Login associated to the
 // provided jwt, this is useful for running the Expire() or IsExpired() operations
 func getConsoleCredentialsFromSession(claims *models.Principal) *credentials.Credentials {
 	return credentials.NewStaticV4(claims.AccessKeyID, claims.SecretAccessKey, claims.SessionToken)