allow resetting and reapply config on broken clusters (#12554)

Bonus: remove kms_kes as sub-system, since its ENV only. - also fixes a crash with etcd cluster without KMS configured and also if KMS decryption is missing.
2025-12-05 15:22:28 -05:00 · 2021-06-24 16:24:12 -07:00
parent fe49d03fd8
commit 8d1bc65757
7 changed files with 18 additions and 42 deletions
--- a/cmd/config-encrypted.go
+++ b/cmd/config-encrypted.go
@@ -97,15 +97,17 @@ func migrateIAMConfigsEtcdToEncrypted(ctx context.Context, client *etcd.Client)
 		if !utf8.Valid(data) {
 			pdata, err := madmin.DecryptData(globalActiveCred.String(), bytes.NewReader(data))
 			if err != nil {
-				pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
-					minioMetaBucket: path.Join(minioMetaBucket, string(kv.Key)),
-				})
-				if err != nil {
+				if GlobalKMS != nil {
 					pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
-						minioMetaBucket: string(kv.Key),
+						minioMetaBucket: path.Join(minioMetaBucket, string(kv.Key)),
 					})
 					if err != nil {
-						return fmt.Errorf("Decrypting IAM config failed %w, possibly credentials are incorrect", err)
+						pdata, err = config.DecryptBytes(GlobalKMS, data, kms.Context{
+							minioMetaBucket: string(kv.Key),
+						})
+						if err != nil {
+							return fmt.Errorf("Decrypting IAM config failed %w, possibly credentials are incorrect", err)
+						}
 					}
 				}
 			}