minio/dockerscripts/docker-entrypoint.sh
Andreas Auernhammer 3455f786fa kms: encrypt IAM/config data with the KMS (#12041)
This commit changes the config/IAM encryption
process. Instead of encrypting config data
(users, policies etc.) with the root credentials
MinIO now encrypts this data with a KMS - if configured.

Therefore, this PR moves the MinIO-KMS configuration (via
env. variables) to a "top-level" configuration.
The KMS configuration cannot be stored in the config file
since it is used to decrypt the config file in the first
place.

As a consequence, this commit also removes support for
Hashicorp Vault - which has been deprecated anyway.

Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-04-22 09:51:09 -07:00

129 lines
4.0 KiB
Bash
Executable File

#!/bin/sh
#
# MinIO Cloud Storage, (C) 2019 MinIO, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# If command starts with an option, prepend minio.
if [ "${1}" != "minio" ]; then
if [ -n "${1}" ]; then
set -- minio "$@"
fi
fi
## Look for docker secrets at given absolute path or in default documented location.
docker_secrets_env_old() {
if [ -f "$MINIO_ACCESS_KEY_FILE" ]; then
ACCESS_KEY_FILE="$MINIO_ACCESS_KEY_FILE"
else
ACCESS_KEY_FILE="/run/secrets/$MINIO_ACCESS_KEY_FILE"
fi
if [ -f "$MINIO_SECRET_KEY_FILE" ]; then
SECRET_KEY_FILE="$MINIO_SECRET_KEY_FILE"
else
SECRET_KEY_FILE="/run/secrets/$MINIO_SECRET_KEY_FILE"
fi
if [ -f "$ACCESS_KEY_FILE" ] && [ -f "$SECRET_KEY_FILE" ]; then
if [ -f "$ACCESS_KEY_FILE" ]; then
MINIO_ACCESS_KEY="$(cat "$ACCESS_KEY_FILE")"
export MINIO_ACCESS_KEY
fi
if [ -f "$SECRET_KEY_FILE" ]; then
MINIO_SECRET_KEY="$(cat "$SECRET_KEY_FILE")"
export MINIO_SECRET_KEY
fi
fi
}
docker_secrets_env() {
if [ -f "$MINIO_ROOT_USER_FILE" ]; then
ROOT_USER_FILE="$MINIO_ROOT_USER_FILE"
else
ROOT_USER_FILE="/run/secrets/$MINIO_ROOT_USER_FILE"
fi
if [ -f "$MINIO_ROOT_PASSWORD_FILE" ]; then
SECRET_KEY_FILE="$MINIO_ROOT_PASSWORD_FILE"
else
SECRET_KEY_FILE="/run/secrets/$MINIO_ROOT_PASSWORD_FILE"
fi
if [ -f "$ROOT_USER_FILE" ] && [ -f "$SECRET_KEY_FILE" ]; then
if [ -f "$ROOT_USER_FILE" ]; then
MINIO_ROOT_USER="$(cat "$ROOT_USER_FILE")"
export MINIO_ROOT_USER
fi
if [ -f "$SECRET_KEY_FILE" ]; then
MINIO_ROOT_PASSWORD="$(cat "$SECRET_KEY_FILE")"
export MINIO_ROOT_PASSWORD
fi
fi
}
## Set KMS_MASTER_KEY from docker secrets if provided
docker_kms_encryption_env() {
if [ -f "$MINIO_KMS_SECRET_KEY_FILE" ]; then
KMS_SECRET_KEY_FILE="$MINIO_KMS_SECRET_KEY_FILE"
else
KMS_SECRET_KEY_FILE="/run/secrets/$MINIO_KMS_SECRET_KEY_FILE"
fi
if [ -f "$KMS_SECRET_KEY_FILE" ]; then
MINIO_KMS_SECRET_KEY="$(cat "$KMS_SECRET_KEY_FILE")"
export MINIO_KMS_SECRET_KEY
fi
}
## Legacy
## Set SSE_MASTER_KEY from docker secrets if provided
docker_sse_encryption_env() {
KMS_SECRET_KEY_FILE="/run/secrets/$MINIO_KMS_MASTER_KEY_FILE"
if [ -f "$KMS_SECRET_KEY_FILE" ]; then
MINIO_KMS_SECRET_KEY="$(cat "$KMS_SECRET_KEY_FILE")"
export MINIO_KMS_SECRET_KEY
fi
}
# su-exec to requested user, if service cannot run exec will fail.
docker_switch_user() {
if [ ! -z "${MINIO_USERNAME}" ] && [ ! -z "${MINIO_GROUPNAME}" ]; then
if [ ! -z "${MINIO_UID}" ] && [ ! -z "${MINIO_GID}" ]; then
groupadd -g "$MINIO_GID" "$MINIO_GROUPNAME" && \
useradd -u "$MINIO_UID" -g "$MINIO_GROUPNAME" "$MINIO_USERNAME"
else
groupadd "$MINIO_GROUPNAME" && \
useradd -g "$MINIO_GROUPNAME" "$MINIO_USERNAME"
fi
exec setpriv --reuid="${MINIO_USERNAME}" --regid="${MINIO_GROUPNAME}" --keep-groups "$@"
else
exec "$@"
fi
}
## Set access env from secrets if necessary.
docker_secrets_env_old
## Set access env from secrets if necessary.
docker_secrets_env
## Set kms encryption from secrets if necessary.
docker_kms_encryption_env
## Set sse encryption from secrets if necessary. Legacy
docker_sse_encryption_env
## Switch to user if applicable.
docker_switch_user "$@"