From 9cd9f5a0b3ad006f2fde6132748892016cf3e62a Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Thu, 13 May 2021 20:13:31 +0200
Subject: [PATCH] check that we can reach KES server and that the default key exists (#12291)

This commit adds a check to the MinIO server setup that verifies that MinIO can reach KES, if configured, and that the default key exists. If the default key does not exist it will create it automatically.

Signed-off-by: Andreas Auernhammer
---
 cmd/common-main.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/cmd/common-main.go b/cmd/common-main.go
index 95d93f6a1..ee30e1886 100644
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@@ -38,6 +38,7 @@ import (
 "github.com/fatih/color"
 dns2 "github.com/miekg/dns"
 "github.com/minio/cli"
+ "github.com/minio/kes"
 "github.com/minio/minio-go/v7/pkg/set"
 "github.com/minio/minio/cmd/config"
 xhttp "github.com/minio/minio/cmd/http"
@@ -387,15 +388,24 @@ func handleCommonEnvVars()
 logger.Fatal(err, fmt.Sprintf("Unable to load X.509 root CAs for KES from %q", env.Get(config.EnvKESServerCA, globalCertsCADir.Get())))
 }
+ var defaultKeyID = env.Get(config.EnvKESKeyName, "")
 KMS, err := kms.NewWithConfig(kms.Config{
 Endpoints: endpoints,
- DefaultKeyID: env.Get(config.EnvKESKeyName, ""),
+ DefaultKeyID: defaultKeyID,
 Certificate: certificate,
 RootCAs: rootCAs,
 })
 if err != nil {
 logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
 }
+
+ // We check that the default key ID exists or try to create it otherwise.
+ // This implicitly checks that we can communicate to KES. We don't treat
+ // a policy error as failure condition since MinIO may not have the permission
+ // to create keys - just to generate/decrypt data encryption keys.
+ if err = KMS.CreateKey(defaultKeyID); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) {
+ logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
+ }
 GlobalKMS = KMS
 }
 if tiers := env.Get("_MINIO_DEBUG_REMOTE_TIERS_IMMEDIATELY", ""); tiers != "" {
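Review bot: The fatal message on the `KMS.CreateKey` failure path repeats the `kms.NewWithConfig` message verbatim, so an operator cannot tell an unreachable or misconfigured KES apart from a failure on the named key; `logger.Fatal(err, fmt.Sprintf("Unable to verify that the default KES key %q exists", defaultKeyID))` would keep the two cases distinguishable in the startup log. Because `kes.ErrNotAllowed` is deliberately tolerated, a policy denial proves that KES was reached and authenticated but leaves the key's existence unverified until the first data-encryption-key operation; the new comment could state this explicitly, e.g. `// On ErrNotAllowed the key's existence remains unverified; a missing key then surfaces on the first data-key operation.` Nothing guards an empty `defaultKeyID` (the `env.Get` default is `""`), so an unset key-name variable sends an empty key name to KES and, if KES rejects it, fails with the generic connection message — if the name is mandatory it seems worth rejecting explicitly before the call. handleCommonEnvVars continues outside the hunk on both sides.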