mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TLS with user provided certificates and KES support for MinIO (#213)

Browse Source 
This PR adds the following features:

- Allow user to provide its own keypair certificates for enable TLS in
  MinIO
- Allow user to configure data encryption at rest in MinIO with KES
- Removes JWT schema for login and instead Console authentication will use
  encrypted session tokens

Enable TLS between client and MinIO with user provided certificates

Instead of using AutoCert feature now the user can provide `cert` and
`key` via `tls` object, values must be valid `x509.Certificate`
formatted files encoded in `base64`

Enable encryption at rest configuring KES

User can deploy KES via Console/Operator by defining the encryption
object, AutoCert must be enabled or custom certificates for KES must be
provided, KES support 3 KMS backends: `Vault`, `AWS KMS` and `Gemalto`,
previous configuration of the KMS is necessary.

eg of body request for create-tenant

```
{
    "name": "honeywell",
    "access_key": "minio",
    "secret_key": "minio123",
    "enable_mcs": false,
    "enable_ssl": false,
    "service_name": "honeywell",
    "zones": [
        {
            "name": "honeywell-zone-1",
            "servers": 1,
            "volumes_per_server": 4,
            "volume_configuration": {
                "size": 256000000,
                "storage_class": "vsan-default-storage-policy"
            }
        }
    ],
    "namespace": "default",
    "tls": {
      "tls.crt": "",
      "tls.key": ""
    },
    "encryption": {
        "server": {
          "tls.crt": "",
          "tls.key": ""
        },
        "client": {
          "tls.crt": "",
          "tls.key": ""
        },
      "vault": {
        "endpoint": "http://vault:8200",
        "prefix": "",
        "approle": {
          "id": "",
          "secret": ""
        }
      }
    }
}
```
This commit is contained in:
Lenin Alevski
2020-07-30 17:49:56 -07:00
committed by GitHub
parent 88b697f072
commit ee8242d72a
25 changed files with 2965 additions and 388 deletions
Download Patch File Download Diff File Expand all files Collapse all files

634
restapi/embedded_spec.go
View File

@@ -1860,6 +1860,51 @@ func init() {
}
}
},
"awsConfiguration": {
"type": "object",
"required": [
"secretsmanager"
],
"properties": {
"secretsmanager": {
"type": "object",
"required": [
"endpoint",
"region",
"credentials"
],
"properties": {
"credentials": {
"type": "object",
"required": [
"accesskey",
"secretkey"
],
"properties": {
"accesskey": {
"type": "string"
},
"secretkey": {
"type": "string"
},
"token": {
"type": "string"
}
}
},
"endpoint": {
"type": "string"
},
"kmskey": {
"type": "string"
},
"region": {
"type": "string"
}
}
}
}
},
"bucket": {
"type": "object",
"required": [
@@ -1987,6 +2032,10 @@ func init() {
"type": "boolean",
"default": true
},
"encryption": {
"type": "object",
"$ref": "#/definitions/encryptionConfiguration"
},
"image": {
"type": "string"
},
@@ -2006,6 +2055,10 @@ func init() {
"service_name": {
"type": "string"
},
"tls": {
"type": "object",
"$ref": "#/definitions/tlsConfiguration"
},
"zones": {
"type": "array",
"items": {
@@ -2036,6 +2089,59 @@ func init() {
}
}
},
"encryptionConfiguration": {
"type": "object",
"properties": {
"aws": {
"type": "object",
"$ref": "#/definitions/awsConfiguration"
},
"client": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"gemalto": {
"type": "object",
"$ref": "#/definitions/gemaltoConfiguration"
},
"image": {
"type": "string"
},
"master_key": {
"type": "string"
},
"server": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"vault": {
"type": "object",
"$ref": "#/definitions/vaultConfiguration"
}
}
},
"error": {
"type": "object",
"required": [
@@ -2051,6 +2157,56 @@ func init() {
}
}
},
"gemaltoConfiguration": {
"type": "object",
"required": [
"keysecure"
],
"properties": {
"keysecure": {
"type": "object",
"required": [
"endpoint",
"credentials"
],
"properties": {
"credentials": {
"type": "object",
"required": [
"token",
"domain"
],
"properties": {
"domain": {
"type": "string"
},
"retry": {
"type": "integer",
"format": "int64"
},
"token": {
"type": "string"
}
}
},
"endpoint": {
"type": "string"
},
"tls": {
"type": "object",
"required": [
"ca"
],
"properties": {
"ca": {
"type": "string"
}
}
}
}
}
}
},
"group": {
"type": "object",
"properties": {
@@ -2788,6 +2944,21 @@ func init() {
}
}
},
"tlsConfiguration": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"updateGroupRequest": {
"type": "object",
"required": [
@@ -2867,6 +3038,58 @@ func init() {
}
}
},
"vaultConfiguration": {
"type": "object",
"required": [
"endpoint",
"approle"
],
"properties": {
"approle": {
"type": "object",
"required": [
"id",
"secret"
],
"properties": {
"engine": {
"type": "string"
},
"id": {
"type": "string"
},
"retry": {
"type": "integer",
"format": "int64"
},
"secret": {
"type": "string"
}
}
},
"endpoint": {
"type": "string"
},
"engine": {
"type": "string"
},
"namespace": {
"type": "string"
},
"prefix": {
"type": "string"
},
"status": {
"type": "object",
"properties": {
"ping": {
"type": "integer",
"format": "int64"
}
}
}
}
},
"zone": {
"type": "object",
"required": [
@@ -4853,6 +5076,61 @@ func init() {
}
},
"definitions": {
"AwsConfigurationSecretsmanager": {
"type": "object",
"required": [
"endpoint",
"region",
"credentials"
],
"properties": {
"credentials": {
"type": "object",
"required": [
"accesskey",
"secretkey"
],
"properties": {
"accesskey": {
"type": "string"
},
"secretkey": {
"type": "string"
},
"token": {
"type": "string"
}
}
},
"endpoint": {
"type": "string"
},
"kmskey": {
"type": "string"
},
"region": {
"type": "string"
}
}
},
"AwsConfigurationSecretsmanagerCredentials": {
"type": "object",
"required": [
"accesskey",
"secretkey"
],
"properties": {
"accesskey": {
"type": "string"
},
"secretkey": {
"type": "string"
},
"token": {
"type": "string"
}
}
},
"CreateTenantResponseConsole": {
"type": "object",
"properties": {
@@ -4864,6 +5142,108 @@ func init() {
}
}
},
"EncryptionConfigurationClient": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"EncryptionConfigurationServer": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"GemaltoConfigurationKeysecure": {
"type": "object",
"required": [
"endpoint",
"credentials"
],
"properties": {
"credentials": {
"type": "object",
"required": [
"token",
"domain"
],
"properties": {
"domain": {
"type": "string"
},
"retry": {
"type": "integer",
"format": "int64"
},
"token": {
"type": "string"
}
}
},
"endpoint": {
"type": "string"
},
"tls": {
"type": "object",
"required": [
"ca"
],
"properties": {
"ca": {
"type": "string"
}
}
}
}
},
"GemaltoConfigurationKeysecureCredentials": {
"type": "object",
"required": [
"token",
"domain"
],
"properties": {
"domain": {
"type": "string"
},
"retry": {
"type": "integer",
"format": "int64"
},
"token": {
"type": "string"
}
}
},
"GemaltoConfigurationKeysecureTLS": {
"type": "object",
"required": [
"ca"
],
"properties": {
"ca": {
"type": "string"
}
}
},
"NodeSelectorTermMatchExpressionsItems0": {
"description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.",
"type": "object",
@@ -4959,6 +5339,37 @@ func init() {
}
}
},
"VaultConfigurationApprole": {
"type": "object",
"required": [
"id",
"secret"
],
"properties": {
"engine": {
"type": "string"
},
"id": {
"type": "string"
},
"retry": {
"type": "integer",
"format": "int64"
},
"secret": {
"type": "string"
}
}
},
"VaultConfigurationStatus": {
"type": "object",
"properties": {
"ping": {
"type": "integer",
"format": "int64"
}
}
},
"ZoneAffinityNodeAffinity": {
"description": "Describes node affinity scheduling rules for the pod.",
"type": "object",
@@ -5221,6 +5632,51 @@ func init() {
}
}
},
"awsConfiguration": {
"type": "object",
"required": [
"secretsmanager"
],
"properties": {
"secretsmanager": {
"type": "object",
"required": [
"endpoint",
"region",
"credentials"
],
"properties": {
"credentials": {
"type": "object",
"required": [
"accesskey",
"secretkey"
],
"properties": {
"accesskey": {
"type": "string"
},
"secretkey": {
"type": "string"
},
"token": {
"type": "string"
}
}
},
"endpoint": {
"type": "string"
},
"kmskey": {
"type": "string"
},
"region": {
"type": "string"
}
}
}
}
},
"bucket": {
"type": "object",
"required": [
@@ -5348,6 +5804,10 @@ func init() {
"type": "boolean",
"default": true
},
"encryption": {
"type": "object",
"$ref": "#/definitions/encryptionConfiguration"
},
"image": {
"type": "string"
},
@@ -5367,6 +5827,10 @@ func init() {
"service_name": {
"type": "string"
},
"tls": {
"type": "object",
"$ref": "#/definitions/tlsConfiguration"
},
"zones": {
"type": "array",
"items": {
@@ -5397,6 +5861,59 @@ func init() {
}
}
},
"encryptionConfiguration": {
"type": "object",
"properties": {
"aws": {
"type": "object",
"$ref": "#/definitions/awsConfiguration"
},
"client": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"gemalto": {
"type": "object",
"$ref": "#/definitions/gemaltoConfiguration"
},
"image": {
"type": "string"
},
"master_key": {
"type": "string"
},
"server": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"vault": {
"type": "object",
"$ref": "#/definitions/vaultConfiguration"
}
}
},
"error": {
"type": "object",
"required": [
@@ -5412,6 +5929,56 @@ func init() {
}
}
},
"gemaltoConfiguration": {
"type": "object",
"required": [
"keysecure"
],
"properties": {
"keysecure": {
"type": "object",
"required": [
"endpoint",
"credentials"
],
"properties": {
"credentials": {
"type": "object",
"required": [
"token",
"domain"
],
"properties": {
"domain": {
"type": "string"
},
"retry": {
"type": "integer",
"format": "int64"
},
"token": {
"type": "string"
}
}
},
"endpoint": {
"type": "string"
},
"tls": {
"type": "object",
"required": [
"ca"
],
"properties": {
"ca": {
"type": "string"
}
}
}
}
}
}
},
"group": {
"type": "object",
"properties": {
@@ -6083,6 +6650,21 @@ func init() {
}
}
},
"tlsConfiguration": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"updateGroupRequest": {
"type": "object",
"required": [
@@ -6162,6 +6744,58 @@ func init() {
}
}
},
"vaultConfiguration": {
"type": "object",
"required": [
"endpoint",
"approle"
],
"properties": {
"approle": {
"type": "object",
"required": [
"id",
"secret"
],
"properties": {
"engine": {
"type": "string"
},
"id": {
"type": "string"
},
"retry": {
"type": "integer",
"format": "int64"
},
"secret": {
"type": "string"
}
}
},
"endpoint": {
"type": "string"
},
"engine": {
"type": "string"
},
"namespace": {
"type": "string"
},
"prefix": {
"type": "string"
},
"status": {
"type": "object",
"properties": {
"ping": {
"type": "integer",
"format": "int64"
}
}
}
}
},
"zone": {
"type": "object",
"required": [