kms: add support for KES API keys and switch to KES Go SDK (#16617)

Signed-off-by: Andreas Auernhammer <hi@aead.dev>

internal/kms/identity-manager.go

@@ -20,7 +20,7 @@ package kms
 import (
 	"context"
 
-	"github.com/minio/kes"
+	"github.com/minio/kes-go"
 )
 
 // IdentityManager is the generic interface that handles KMS identity operations

internal/kms/kes.go

@@ -26,7 +26,7 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/minio/kes"
+	"github.com/minio/kes-go"
 	"github.com/minio/pkg/certs"
 )
 
@@ -52,6 +52,11 @@ type Config struct {
 	// a cryptographic operation.
 	DefaultKeyID string
 
+	// APIKey is an credential provided by env. var.
+	// to authenticate to a KES server. Either an
+	// API key or a client certificate must be specified.
+	APIKey kes.APIKey
+
 	// Certificate is the client TLS certificate
 	// to authenticate to KMS via mTLS.
 	Certificate *certs.Certificate
@@ -74,12 +79,26 @@ func NewWithConfig(config Config) (KMS, error) {
 	endpoints := make([]string, len(config.Endpoints)) // Copy => avoid being affect by any changes to the original slice
 	copy(endpoints, config.Endpoints)
 
-	client := kes.NewClientWithConfig("", &tls.Config{
-		MinVersion:         tls.VersionTLS12,
-		Certificates:       []tls.Certificate{config.Certificate.Get()},
-		RootCAs:            config.RootCAs,
-		ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
-	})
+	var client *kes.Client
+	if config.APIKey != nil {
+		cert, err := kes.GenerateCertificate(config.APIKey)
+		if err != nil {
+			return nil, err
+		}
+		client = kes.NewClientWithConfig("", &tls.Config{
+			MinVersion:         tls.VersionTLS12,
+			Certificates:       []tls.Certificate{cert},
+			RootCAs:            config.RootCAs,
+			ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
+		})
+	} else {
+		client = kes.NewClientWithConfig("", &tls.Config{
+			MinVersion:         tls.VersionTLS12,
+			Certificates:       []tls.Certificate{config.Certificate.Get()},
+			RootCAs:            config.RootCAs,
+			ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
+		})
+	}
 	client.Endpoints = endpoints
 
 	var bulkAvailable bool
@@ -101,6 +120,9 @@ func NewWithConfig(config Config) (KMS, error) {
 		bulkAvailable: bulkAvailable,
 	}
 	go func() {
+		if config.Certificate == nil || config.ReloadCertEvents == nil {
+			return
+		}
 		for {
 			var prevCertificate tls.Certificate
 			certificate, ok := <-config.ReloadCertEvents

internal/kms/key-manager.go

@@ -20,7 +20,7 @@ package kms
 import (
 	"context"
 
-	"github.com/minio/kes"
+	"github.com/minio/kes-go"
 )
 
 // KeyManager is the generic interface that handles KMS key operations

internal/kms/kms.go

@@ -23,7 +23,7 @@ import (
 	"encoding/json"
 
 	jsoniter "github.com/json-iterator/go"
-	"github.com/minio/kes"
+	"github.com/minio/kes-go"
 )
 
 // KMS is the generic interface that abstracts over

internal/kms/policy-manager.go

@@ -20,7 +20,7 @@ package kms
 import (
 	"context"
 
-	"github.com/minio/kes"
+	"github.com/minio/kes-go"
 )
 
 // PolicyManager is the generic interface that handles KMS policy] operations

internal/kms/single-key.go

@@ -33,7 +33,7 @@ import (
 	"golang.org/x/crypto/chacha20"
 	"golang.org/x/crypto/chacha20poly1305"
 
-	"github.com/minio/kes"
+	"github.com/minio/kes-go"
 	"github.com/minio/minio/internal/hash/sha256"
 )
 

internal/kms/status-manager.go

@@ -20,7 +20,7 @@ package kms
 import (
 	"context"
 
-	"github.com/minio/kes"
+	"github.com/minio/kes-go"
 )
 
 // StatusManager is the generic interface that handles KMS status operations