add minio/keys KMS integration (#8631)

This commit adds support for the minio/kes KMS. See: https://github.com/minio/kes In particular you can configure it as KMS by: - `export MINIO_KMS_KES_ENDPOINT=` // Server URL - `export MINIO_KMS_KES_KEY_FILE=` // TLS client private key - `export MINIO_KMS_KES_CERT_FILE=` // TLS client certificate - `export MINIO_KMS_KES_CA_PATH=` // Root CAs issuing server cert - `export MINIO_KMS_KES_KEY_NAME=` // The name of the (default) master key
2025-11-09 13:39:46 -05:00 · 2019-12-13 21:57:11 +01:00
parent 471a3a650a
commit c3d4c1f584
9 changed files with 723 additions and 87 deletions
--- a/cmd/config-current.go
+++ b/cmd/config-current.go
@@ -50,7 +50,8 @@ func initHelp() {
 		config.PolicyOPASubSys:      opa.DefaultKVS,
 		config.RegionSubSys:         config.DefaultRegionKVS,
 		config.CredentialsSubSys:    config.DefaultCredentialKVS,
-		config.KmsVaultSubSys:       crypto.DefaultKVS,
+		config.KmsVaultSubSys:       crypto.DefaultVaultKVS,
+		config.KmsKesSubSys:         crypto.DefaultKesKVS,
 		config.LoggerWebhookSubSys:  logger.DefaultKVS,
 		config.AuditWebhookSubSys:   logger.DefaultAuditKVS,
 	}
@@ -96,6 +97,10 @@ func initHelp() {
 			Key:         config.KmsVaultSubSys,
 			Description: "enable external HashiCorp Vault key management service",
 		},
+		config.HelpKV{
+			Key:         config.KmsKesSubSys,
+			Description: "enable external MinIO key encryption service",
+		},
 		config.HelpKV{
 			Key:             config.LoggerWebhookSubSys,
 			Description:     "send server logs to webhook endpoints",
@@ -177,7 +182,8 @@ func initHelp() {
 		config.IdentityOpenIDSubSys: openid.Help,
 		config.IdentityLDAPSubSys:   xldap.Help,
 		config.PolicyOPASubSys:      opa.Help,
-		config.KmsVaultSubSys:       crypto.Help,
+		config.KmsVaultSubSys:       crypto.HelpVault,
+		config.KmsKesSubSys:         crypto.HelpKes,
 		config.LoggerWebhookSubSys:  logger.Help,
 		config.AuditWebhookSubSys:   logger.HelpAudit,
 		config.NotifyAMQPSubSys:     notify.HelpAMQP,
@@ -245,22 +251,21 @@ func validateConfig(s config.Config) error {
 		}
 	}
 	{
-		kmsCfg, err := crypto.LookupConfig(s[config.KmsVaultSubSys][config.Default])
+		kmsCfg, err := crypto.LookupConfig(s, globalCertsCADir.Get())
 		if err != nil {
 			return err
 		}
-		if kmsCfg.Vault.Enabled {
-			// Set env to enable master key validation.
-			// this is needed only for KMS.
-			env.SetEnvOn()

-			if _, err = crypto.NewKMS(kmsCfg); err != nil {
-				return err
-			}
+		// Set env to enable master key validation.
+		// this is needed only for KMS.
+		env.SetEnvOn()

-			// Disable merging env values for the rest.
-			env.SetEnvOff()
+		if _, err = crypto.NewKMS(kmsCfg); err != nil {
+			return err
 		}
+
+		// Disable merging env values for the rest.
+		env.SetEnvOff()
 	}

 	if _, err := openid.LookupConfig(s[config.IdentityOpenIDSubSys][config.Default],
@@ -350,7 +355,7 @@ func lookupConfigs(s config.Config) (err error) {
 		}
 	}

-	kmsCfg, err := crypto.LookupConfig(s[config.KmsVaultSubSys][config.Default])
+	kmsCfg, err := crypto.LookupConfig(s, globalCertsCADir.Get())
 	if err != nil {
 		return fmt.Errorf("Unable to setup KMS config: %w", err)
 	}