kms: add support for KES API keys and switch to KES Go SDK (#16617)

Signed-off-by: Andreas Auernhammer <hi@aead.dev>
2025-11-07 21:02:58 -05:00 · 2023-02-14 16:19:20 +01:00
parent 31188e9327
commit 74887c7372
17 changed files with 118 additions and 71 deletions
--- a/internal/config/constants.go
+++ b/internal/config/constants.go
@@ -69,13 +69,14 @@ const (

 	EnvKMSSecretKey      = "MINIO_KMS_SECRET_KEY"
 	EnvKMSSecretKeyFile  = "MINIO_KMS_SECRET_KEY_FILE"
-	EnvKESEndpoint       = "MINIO_KMS_KES_ENDPOINT"
-	EnvKESEnclave        = "MINIO_KMS_KES_ENCLAVE"
-	EnvKESKeyName        = "MINIO_KMS_KES_KEY_NAME"
-	EnvKESClientKey      = "MINIO_KMS_KES_KEY_FILE"
-	EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD"
-	EnvKESClientCert     = "MINIO_KMS_KES_CERT_FILE"
-	EnvKESServerCA       = "MINIO_KMS_KES_CAPATH"
+	EnvKESEndpoint       = "MINIO_KMS_KES_ENDPOINT"     // One or multiple KES endpoints, separated by ','
+	EnvKESEnclave        = "MINIO_KMS_KES_ENCLAVE"      // Optional "namespace" within a KES cluster - not required for stateless KES
+	EnvKESKeyName        = "MINIO_KMS_KES_KEY_NAME"     // The default key name used for IAM data and when no key ID is specified on a bucket
+	EnvKESAPIKey         = "MINIO_KMS_KES_API_KEY"      // Access credential for KES - API keys and private key / certificate are mutually exclusive
+	EnvKESClientKey      = "MINIO_KMS_KES_KEY_FILE"     // Path to TLS private key for authenticating to KES with mTLS - usually prefer API keys
+	EnvKESClientPassword = "MINIO_KMS_KES_KEY_PASSWORD" // Optional password to decrypt an encrypt TLS private key
+	EnvKESClientCert     = "MINIO_KMS_KES_CERT_FILE"    // Path to TLS certificate for authenticating to KES with mTLS - usually prefer API keys
+	EnvKESServerCA       = "MINIO_KMS_KES_CAPATH"       // Path to file/directory containing CA certificates to verify the KES server certificate

 	EnvEndpoints  = "MINIO_ENDPOINTS"   // legacy
 	EnvWorm       = "MINIO_WORM"        // legacy