mirror of
https://github.com/scylladb/scylladb.git
synced 2026-04-22 01:20:39 +00:00
837424f7bb
This PR introduces a new Key Provider to support Azure Key Vault as a Key Management System (KMS) for Encryption at Rest. The core design principle is the same as in the AWS and GCP key providers - an externally provided Vault key that is used to protect local data encryption keys (a process known as "key wrapping"). In more detail, this patch series consists of: * Multiple Azure credential sources, offering a variety of authentication options (Service Principals, Managed Identities, environment variables, Azure CLI). * The Azure host - the Key Vault endpoint bridge. * The Azure Key Provider - the interface for the Azure host. * Unit tests using real Azure resources (credentials and Vault keys). * Log filtering logic to not expose sensitive data in the logs (plaintext keys, credentials, access tokens). This is part of the overall effort to support Azure deployments. Testing done: * Unit tests. * Manual test on an Azure VM with a Managed Identity. * Manual test with credentials from Azure CLI. * Manual test of `--azure-hosts` cmdline option. * Manual test of log filtering. Remaining items: - [x] Create necessary Azure resources for CI. - [x] Merge pipeline changes (https://github.com/scylladb/scylla-pkg/pull/5201). Closes https://github.com/scylladb/scylla-enterprise/issues/1077. New feature. No backport is needed. Closes scylladb/scylladb#23920 * github.com:scylladb/scylladb: docs: Document the Azure Key Provider test: Add tests for Azure Key Provider pylib: Add mock server for Azure Key Vault encryption: Define and enable Azure Key Provider encryption: azure: Delegate hosts to shard 0 encryption: Add Azure host cache encryption: Add config options for Azure hosts encryption: azure: Add override options encryption: azure: Add retries for transient errors encryption: azure: Implement init() encryption: azure: Implement get_key_by_id() encryption: azure: Add id-based key cache encryption: azure: Implement get_or_create_key() encryption: azure: Add credentials in Azure host encryption: azure: Add attribute-based key cache encryption: azure: Add skeleton for Azure host encryption: Templatize get_{kmip,kms,gcp}_host() encryption: gcp: Fix typo in docstring utils: azure: Get access token with default credentials utils: azure: Get access token from Azure CLI utils: azure: Get access token from IMDS utils: azure: Get access token with SP certificate utils: azure: Get access token with SP secret utils: rest: Add interface for request/response redaction logic utils: azure: Declare all Azure credential types utils: azure: Define interface for Azure credentials utils: Introduce base64url_{encode,decode}