kms: replace KES client implementation with minio/kes (#12207)

This commit replaces the custom KES client implementation with the KES SDK from https://github.com/minio/kes The SDK supports multi-server client load-balancing and requests retry out of the box. Therefore, this change reduces the overall complexity within the MinIO server and there is no need to maintain two separate client implementations. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2025-11-08 21:24:55 -05:00 · 2021-05-11 03:15:11 +02:00
parent 1692bab609
commit d8eb7d3e15
21 changed files with 350 additions and 998 deletions
--- a/cmd/common-main.go
+++ b/cmd/common-main.go
@@ -40,12 +40,12 @@ import (
 	"github.com/minio/cli"
 	"github.com/minio/minio-go/v7/pkg/set"
 	"github.com/minio/minio/cmd/config"
-	"github.com/minio/minio/cmd/crypto"
 	xhttp "github.com/minio/minio/cmd/http"
 	"github.com/minio/minio/cmd/logger"
 	"github.com/minio/minio/pkg/auth"
 	"github.com/minio/minio/pkg/certs"
 	"github.com/minio/minio/pkg/console"
+	"github.com/minio/minio/pkg/ellipses"
 	"github.com/minio/minio/pkg/env"
 	"github.com/minio/minio/pkg/handlers"
 	"github.com/minio/minio/pkg/kms"
@@ -361,18 +361,37 @@ func handleCommonEnvVars() {
 		}
 	}
 	if env.IsSet(config.EnvKESEndpoint) {
-		kesEndpoints, err := crypto.ParseKESEndpoints(env.Get(config.EnvKESEndpoint, ""))
-		if err != nil {
-			logger.Fatal(err, "Unable to parse the KES endpoints inherited from the shell environment")
+		var endpoints []string
+		for _, endpoint := range strings.Split(env.Get(config.EnvKESEndpoint, ""), ",") {
+			if strings.TrimSpace(endpoint) == "" {
+				continue
+			}
+			if !ellipses.HasEllipses(endpoint) {
+				endpoints = append(endpoints, endpoint)
+				continue
+			}
+			patterns, err := ellipses.FindEllipsesPatterns(endpoint)
+			if err != nil {
+				logger.Fatal(err, fmt.Sprintf("Invalid KES endpoint %q", endpoint))
+			}
+			for _, lbls := range patterns.Expand() {
+				endpoints = append(endpoints, strings.Join(lbls, ""))
+			}
 		}
-		KMS, err := crypto.NewKes(crypto.KesConfig{
-			Enabled:      true,
-			Endpoint:     kesEndpoints,
+		certificate, err := tls.LoadX509KeyPair(env.Get(config.EnvKESClientCert, ""), env.Get(config.EnvKESClientKey, ""))
+		if err != nil {
+			logger.Fatal(err, "Unable to load KES client certificate as specified by the shell environment")
+		}
+		rootCAs, err := certs.GetRootCAs(env.Get(config.EnvKESServerCA, globalCertsCADir.Get()))
+		if err != nil {
+			logger.Fatal(err, fmt.Sprintf("Unable to load X.509 root CAs for KES from %q", env.Get(config.EnvKESServerCA, globalCertsCADir.Get())))
+		}
+
+		KMS, err := kms.NewWithConfig(kms.Config{
+			Endpoints:    endpoints,
 			DefaultKeyID: env.Get(config.EnvKESKeyName, ""),
-			CertFile:     env.Get(config.EnvKESClientCert, ""),
-			KeyFile:      env.Get(config.EnvKESClientKey, ""),
-			CAPath:       env.Get(config.EnvKESServerCA, globalCertsCADir.Get()),
-			Transport:    newCustomHTTPTransportWithHTTP2(&tls.Config{RootCAs: globalRootCAs}, defaultDialTimeout)(),
+			Certificate:  certificate,
+			RootCAs:      rootCAs,
 		})
 		if err != nil {
 			logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")