From f163bed40d2e71e0a06e1bef4cc734f4ed42270b Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Mon, 1 Oct 2018 13:49:10 -0700
Subject: [PATCH] Add Vault support for custom CAs directory (#6527)

---
 cmd/crypto/vault.go | 23 ++++++++++++++++-------
 docs/kms/README.md | 7 ++++++-
 2 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/cmd/crypto/vault.go b/cmd/crypto/vault.go
index 9a6059c4b..cf0be6967 100644
--- a/cmd/crypto/vault.go
+++ b/cmd/crypto/vault.go
@@ -28,8 +28,8 @@ import (
 )
 
 const (
- // VaultEndpointEnv Vault endpoint environment variable
- VaultEndpointEnv = "MINIO_SSE_VAULT_ENDPOINT"
+ // vaultEndpointEnv Vault endpoint environment variable
+ vaultEndpointEnv = "MINIO_SSE_VAULT_ENDPOINT"
 // vaultAuthTypeEnv type of vault auth to be used
 vaultAuthTypeEnv = "MINIO_SSE_VAULT_AUTH_TYPE"
 // vaultAppRoleIDEnv Vault AppRole ID environment variable
@@ -40,6 +40,10 @@ const (
 vaultKeyVersionEnv = "MINIO_SSE_VAULT_KEY_VERSION"
 // vaultKeyNameEnv Vault Encryption Key Name environment variable
 vaultKeyNameEnv = "MINIO_SSE_VAULT_KEY_NAME"
+
+ // vaultCAPath is the path to a directory of PEM-encoded CA
+ // cert files to verify the Vault server SSL certificate.
+ vaultCAPath = "MINIO_SSE_VAULT_CAPATH"
 )
 
 var (
@@ -93,7 +97,7 @@ type VaultConfig struct {
 // been set
 func validateVaultConfig(c *VaultConfig) error {
 if c.Endpoint == "" {
- return fmt.Errorf("Missing hashicorp vault endpoint - %s is empty", VaultEndpointEnv)
+ return fmt.Errorf("Missing hashicorp vault endpoint - %s is empty", vaultEndpointEnv)
 }
 if strings.ToLower(c.Auth.Type) != "approle" {
 return fmt.Errorf("Unsupported hashicorp vault auth type - %s", vaultAuthTypeEnv)
@@ -110,7 +114,6 @@ func validateVaultConfig(c *VaultConfig) error {
 if c.Key.Version < 0 {
 return fmt.Errorf("Invalid value set in environment variable %s", vaultKeyVersionEnv)
 }
-
 return nil
 }
 
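Review bot: The new constant `vaultCAPath` in the `@@ -40,6 +40,10 @@` hunk names an environment variable, not a path, yet its identifier and comment read as if it held the directory itself, and it drops the `Env` suffix every sibling in this block carries (`vaultKeyNameEnv`, `vaultKeyVersionEnv`, `vaultAuthTypeEnv`). Renaming it `vaultCAPathEnv` and rewording the comment to `// vaultCAPathEnv names the environment variable that points to a directory of PEM-encoded CA certificates used to verify the Vault server's TLS certificate.` keeps the block consistent and makes the later os.Getenv call read naturally. The comment should also say that the variable is optional and what happens when it is unset, since that is what an operator deciding whether to pin a private CA needs to know.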
@@ -134,7 +137,7 @@ func getVaultAccessToken(client *vault.Client, appRoleID, appSecret string) (tok
 // variables and performs validations.
 func NewVaultConfig() (KMSConfig, error) {
 kc := KMSConfig{}
- endpoint := os.Getenv(VaultEndpointEnv)
+ endpoint := os.Getenv(vaultEndpointEnv)
 roleID := os.Getenv(vaultAppRoleIDEnv)
 roleSecret := os.Getenv(vaultAppSecretIDEnv)
 keyName := os.Getenv(vaultKeyNameEnv)
@@ -177,9 +180,15 @@ func NewVaultConfig() (KMSConfig, error) {
 // and gets a client token for future api calls.
 func NewVault(kmsConf KMSConfig) (KMS, error) {
 config := kmsConf.Vault
- c, err := vault.NewClient(&vault.Config{
+ vconfig := &vault.Config{
 Address: config.Endpoint,
- })
+ }
+ if err := vconfig.ConfigureTLS(&vault.TLSConfig{
+ CAPath: os.Getenv(vaultCAPath),
+ }); err != nil {
+ return nil, err
+ }
+ c, err := vault.NewClient(vconfig)
 if err != nil {
 return nil, err
 }
diff --git a/docs/kms/README.md b/docs/kms/README.md
index 8caeb7a00..2e4059b8f 100644
--- a/docs/kms/README.md
+++ b/docs/kms/README.md
@@ -14,7 +14,7 @@ Vault as Key Management System requires following to be configured in Vault - AppRole based authentication with read/update policy for transit backend. In particular, read and update policy are required for the generate data key endpoint and decrypt key endpoint. -### Environment variables +### 3. Environment variables You'll need the Vault endpoint, AppRole ID, AppRole SecretID, encryption key-ring name before starting Minio server with Vault as KMS 
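Review bot: In the `@@ -177,9 +180,15 @@` hunk the CA directory is read straight from the environment inside NewVault (`CAPath: os.Getenv(vaultCAPath)`), whereas every other Vault setting is read in NewVaultConfig and then checked by validateVaultConfig before a client is ever built. Adding a `CAPath string` field to VaultConfig, populating it in NewVaultConfig next to the other os.Getenv calls, and passing `CAPath: config.CAPath` here would keep KMS configuration in one place and let the validator reject a directory that does not exist up front instead of surfacing it as a client-construction error. I believe an empty CAPath leaves the Vault client's default root CAs in place, so the unset case should behave as before, but that is worth confirming with a test against an endpoint signed by a private CA. The doc comment on NewVault, which starts above the hunk, should also mention the new variable; the function body continues past the hunk.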
@@ -26,6 +26,11 @@ export MINIO_SSE_VAULT_KEY_NAME=my-minio-key
 minio server ~/export
 ```
 
+Optionally set `MINIO_SSE_VAULT_CAPATH` is the path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate.
+```
+export MINIO_SSE_VAULT_CAPATH=/home/user/custom-pems
+```
+
 ### 4. Test your setup
 
 To test this setup, access the Minio server via browser or [`mc`](https://docs.minio.io/docs/minio-client-quickstart-guide). You’ll see the uploaded files are accessible from the all the Minio endpoints.