Add Vault support for custom CAs directory (#6527)

master
Harshavardhana 6 years ago committed by GitHub
parent b4772849f9
commit f163bed40d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 23
      cmd/crypto/vault.go
  2. 7
      docs/kms/README.md

@ -28,8 +28,8 @@ import (
)
const (
// VaultEndpointEnv Vault endpoint environment variable
VaultEndpointEnv = "MINIO_SSE_VAULT_ENDPOINT"
// vaultEndpointEnv Vault endpoint environment variable
vaultEndpointEnv = "MINIO_SSE_VAULT_ENDPOINT"
// vaultAuthTypeEnv type of vault auth to be used
vaultAuthTypeEnv = "MINIO_SSE_VAULT_AUTH_TYPE"
// vaultAppRoleIDEnv Vault AppRole ID environment variable
@ -40,6 +40,10 @@ const (
vaultKeyVersionEnv = "MINIO_SSE_VAULT_KEY_VERSION"
// vaultKeyNameEnv Vault Encryption Key Name environment variable
vaultKeyNameEnv = "MINIO_SSE_VAULT_KEY_NAME"
// vaultCAPath is the path to a directory of PEM-encoded CA
// cert files to verify the Vault server SSL certificate.
vaultCAPath = "MINIO_SSE_VAULT_CAPATH"
)
var (
@ -93,7 +97,7 @@ type VaultConfig struct {
// been set
func validateVaultConfig(c *VaultConfig) error {
if c.Endpoint == "" {
return fmt.Errorf("Missing hashicorp vault endpoint - %s is empty", VaultEndpointEnv)
return fmt.Errorf("Missing hashicorp vault endpoint - %s is empty", vaultEndpointEnv)
}
if strings.ToLower(c.Auth.Type) != "approle" {
return fmt.Errorf("Unsupported hashicorp vault auth type - %s", vaultAuthTypeEnv)
@ -110,7 +114,6 @@ func validateVaultConfig(c *VaultConfig) error {
if c.Key.Version < 0 {
return fmt.Errorf("Invalid value set in environment variable %s", vaultKeyVersionEnv)
}
return nil
}
@ -134,7 +137,7 @@ func getVaultAccessToken(client *vault.Client, appRoleID, appSecret string) (tok
// variables and performs validations.
func NewVaultConfig() (KMSConfig, error) {
kc := KMSConfig{}
endpoint := os.Getenv(VaultEndpointEnv)
endpoint := os.Getenv(vaultEndpointEnv)
roleID := os.Getenv(vaultAppRoleIDEnv)
roleSecret := os.Getenv(vaultAppSecretIDEnv)
keyName := os.Getenv(vaultKeyNameEnv)
@ -177,9 +180,15 @@ func NewVaultConfig() (KMSConfig, error) {
// and gets a client token for future api calls.
func NewVault(kmsConf KMSConfig) (KMS, error) {
config := kmsConf.Vault
c, err := vault.NewClient(&vault.Config{
vconfig := &vault.Config{
Address: config.Endpoint,
})
}
if err := vconfig.ConfigureTLS(&vault.TLSConfig{
CAPath: os.Getenv(vaultCAPath),
}); err != nil {
return nil, err
}
c, err := vault.NewClient(vconfig)
if err != nil {
return nil, err
}
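Review bot: The CA directory is read with `os.Getenv(vaultCAPath)` directly inside NewVault, while every other Vault setting (endpoint, role ID, secret ID, key name) is read in NewVaultConfig and checked by validateVaultConfig, so a mistyped or unreadable MINIO_SSE_VAULT_CAPATH is never caught by config validation and the effective CA path is not visible on VaultConfig. I would add a `CAPath string` field to VaultConfig (the struct is above this hunk), populate it in NewVaultConfig with `kc.Vault.CAPath = os.Getenv(vaultCAPath)`, and pass `CAPath: config.CAPath` to ConfigureTLS here, with an existence check (e.g. os.Stat when non-empty) in validateVaultConfig so the failure surfaces at startup with the other config errors. When the variable is unset, an empty CAPath presumably leaves server-certificate verification on the client's default root set; a one-line comment on the ConfigureTLS call stating that would save the next reader a trip to the vault API source. NewVault's body continues past the end of this hunk.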

@ -14,7 +14,7 @@ Vault as Key Management System requires following to be configured in Vault
- AppRole based authentication with read/update policy for transit backend. In particular, read and update policy
are required for the generate data key endpoint and decrypt key endpoint.
### Environment variables
### 3. Environment variables
You'll need the Vault endpoint, AppRole ID, AppRole SecretID, encryption key-ring name before starting Minio server with Vault as KMS
@ -26,6 +26,11 @@ export MINIO_SSE_VAULT_KEY_NAME=my-minio-key
minio server ~/export
```
Optionally set `MINIO_SSE_VAULT_CAPATH` is the path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate.
```
export MINIO_SSE_VAULT_CAPATH=/home/user/custom-pems
```
### 4. Test your setup
To test this setup, access the Minio server via browser or [`mc`](https://docs.minio.io/docs/minio-client-quickstart-guide). You’ll see the uploaded files are accessible from the all the Minio endpoints.
