mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
63e1c554b732e51d5cfa0183ae983ba71e0cb9db
object-browser/pkg/kes/kes.go
Lenin Alevski ee8242d72a TLS with user provided certificates and KES support for MinIO (#213) 
This PR adds the following features:

- Allow user to provide its own keypair certificates for enable TLS in
  MinIO
- Allow user to configure data encryption at rest in MinIO with KES
- Removes JWT schema for login and instead Console authentication will use
  encrypted session tokens

Enable TLS between client and MinIO with user provided certificates

Instead of using AutoCert feature now the user can provide `cert` and
`key` via `tls` object, values must be valid `x509.Certificate`
formatted files encoded in `base64`

Enable encryption at rest configuring KES

User can deploy KES via Console/Operator by defining the encryption
object, AutoCert must be enabled or custom certificates for KES must be
provided, KES support 3 KMS backends: `Vault`, `AWS KMS` and `Gemalto`,
previous configuration of the KMS is necessary.

eg of body request for create-tenant

```
{
    "name": "honeywell",
    "access_key": "minio",
    "secret_key": "minio123",
    "enable_mcs": false,
    "enable_ssl": false,
    "service_name": "honeywell",
    "zones": [
        {
            "name": "honeywell-zone-1",
            "servers": 1,
            "volumes_per_server": 4,
            "volume_configuration": {
                "size": 256000000,
                "storage_class": "vsan-default-storage-policy"
            }
        }
    ],
    "namespace": "default",
    "tls": {
      "tls.crt": "",
      "tls.key": ""
    },
    "encryption": {
        "server": {
          "tls.crt": "",
          "tls.key": ""
        },
        "client": {
          "tls.crt": "",
          "tls.key": ""
        },
      "vault": {
        "endpoint": "http://vault:8200",
        "prefix": "",
        "approle": {
          "id": "",
          "secret": ""
        }
      }
    }
}
```
2020-07-30 17:49:56 -07:00

145 lines
3.7 KiB
Go
Raw Blame History

package kes
import (
"crypto/x509"
"encoding/pem"
"errors"
"time"
"github.com/minio/kes"
)
type TLSProxyHeader struct {
ClientCert string `yaml:"cert,omitempty"`
}
type TLSProxy struct {
Identities *[]kes.Identity `yaml:"identities,omitempty"`
Header *TLSProxyHeader `yaml:"header,omitempty"`
}
type TLS struct {
KeyPath string `yaml:"key,omitempty"`
CertPath string `yaml:"cert,omitempty"`
Proxy *TLSProxy `yaml:"proxy,omitempty"`
}
type Policy struct {
Paths []string `yaml:"paths,omitempty"`
Identities []kes.Identity `yaml:"identities,omitempty"`
}
type Expiry struct {
Any time.Duration `yaml:"any,omitempty"`
Unused time.Duration `yaml:"unused,omitempty"`
}
type Cache struct {
Expiry *Expiry `yaml:"expiry,omitempty"`
}
type Log struct {
Error string `yaml:"error,omitempty"`
Audit string `yaml:"audit,omitempty"`
}
type Fs struct {
Path string `yaml:"path,omitempty"`
}
type AppRole struct {
EnginePath string `yaml:"engine,omitempty"`
ID string `yaml:"id,omitempty"`
Secret string `yaml:"secret,omitempty"`
Retry time.Duration `yaml:"retry,omitempty"`
}
type VaultTLS struct {
KeyPath string `yaml:"key,omitempty"`
CertPath string `yaml:"cert,omitempty"`
CAPath string `yaml:"ca,omitempty"`
}
type VaultStatus struct {
Ping time.Duration `yaml:"ping,omitempty"`
}
type Vault struct {
Endpoint string `yaml:"endpoint,omitempty"`
EnginePath string `yaml:"engine,omitempty"`
Namespace string `yaml:"namespace,omitempty"`
Prefix string `yaml:"prefix,omitempty"`
AppRole *AppRole `yaml:"approle,omitempty"`
TLS *VaultTLS `yaml:"tls,omitempty"`
Status *VaultStatus `yaml:"status,omitempty"`
}
type AwsSecretManagerLogin struct {
AccessKey string `yaml:"accesskey"`
SecretKey string `yaml:"secretkey"`
SessionToken string `yaml:"token"`
}
type AwsSecretManager struct {
Endpoint string `yaml:"endpoint,omitempty"`
Region string `yaml:"region,omitempty"`
KmsKey string ` yaml:"kmskey,omitempty"`
Login *AwsSecretManagerLogin `yaml:"credentials,omitempty"`
}
type Aws struct {
SecretsManager *AwsSecretManager `yaml:"secretsmanager,omitempty"`
}
type GemaltoCredentials struct {
Token string `yaml:"token,omitempty"`
Domain string `yaml:"domain,omitempty"`
Retry time.Duration `yaml:"retry,omitempty"`
}
type GemaltoTLS struct {
CAPath string `yaml:"ca,omitempty"`
}
type GemaltoKeySecure struct {
Endpoint string `yaml:"endpoint,omitempty"`
Credentials *GemaltoCredentials `yaml:"credentials,omitempty"`
TLS *GemaltoTLS `yaml:"tls,omitempty"`
}
type Gemalto struct {
KeySecure *GemaltoKeySecure `yaml:"keysecure,omitempty"`
}
type Keys struct {
Fs *Fs `yaml:"fs,omitempty"`
Vault *Vault `yaml:"vault,omitempty"`
Aws *Aws `yaml:"aws,omitempty"`
Gemalto *Gemalto `yaml:"gemalto,omitempty"`
}
type ServerConfig struct {
Addr string `yaml:"address,omitempty"`
Root kes.Identity `yaml:"root,omitempty"`
TLS TLS `yaml:"tls,omitempty"`
Policies map[string]Policy `yaml:"policy,omitempty"`
Cache Cache `yaml:"cache,omitempty"`
Log Log `yaml:"log,omitempty"`
Keys Keys `yaml:"keys,omitempty"`
}
func ParseCertificate(cert []byte) (*x509.Certificate, error) {
for {
var certDERBlock *pem.Block
certDERBlock, cert = pem.Decode(cert)
if certDERBlock == nil {
break
}
if certDERBlock.Type == "CERTIFICATE" {
return x509.ParseCertificate(certDERBlock.Bytes)
}
}
return nil, errors.New("found no (non-CA) certificate in any PEM block")
}
Reference in New Issue View Git Blame Copy Permalink