Migrate all backend at .minio.sys/config to encrypted backend (#8474)

- Supports migrating only when the credential ENVs are set, so any FS mode deployments which do not have ENVs set will continue to remain as is. - Credential ENVs can be rotated using MINIO_ACCESS_KEY_OLD and MINIO_SECRET_KEY_OLD envs, in such scenarios it allowed to rotate the encrypted content to a new admin key.
2025-12-05 23:33:13 -05:00 · 2019-11-01 15:53:16 -07:00
parent fa325665b1
commit d28bcb4f84
15 changed files with 510 additions and 43 deletions
--- a/cmd/gateway-common.go
+++ b/cmd/gateway-common.go
@@ -23,7 +23,6 @@ import (
 	"github.com/minio/minio/cmd/config"
 	xhttp "github.com/minio/minio/cmd/http"
 	"github.com/minio/minio/cmd/logger"
-	"github.com/minio/minio/pkg/auth"
 	"github.com/minio/minio/pkg/env"
 	"github.com/minio/minio/pkg/hash"
 	xnet "github.com/minio/minio/pkg/net"
@@ -373,15 +372,14 @@ func parseGatewaySSE(s string) (gatewaySSE, error) {
 }

 // handle gateway env vars
-func handleGatewayEnvVars() {
-	accessKey := env.Get(config.EnvAccessKey, "")
-	secretKey := env.Get(config.EnvSecretKey, "")
-	cred, err := auth.CreateCredentials(accessKey, secretKey)
-	if err != nil {
-		logger.Fatal(config.ErrInvalidCredentials(err),
+func gatewayHandleEnvVars() {
+	// Handle common env vars.
+	handleCommonEnvVars()
+
+	if !globalActiveCred.IsValid() {
+		logger.Fatal(config.ErrInvalidCredentials(nil),
 			"Unable to validate credentials inherited from the shell environment")
 	}
-	globalActiveCred = cred

 	gwsseVal := env.Get("MINIO_GATEWAY_SSE", "")
 	if len(gwsseVal) != 0 {