@ -28,8 +28,8 @@ import (
)
)
const (
const (
// V aultEndpointEnv Vault endpoint environment variable
// v aultEndpointEnv Vault endpoint environment variable
V aultEndpointEnv = "MINIO_SSE_VAULT_ENDPOINT"
v aultEndpointEnv = "MINIO_SSE_VAULT_ENDPOINT"
// vaultAuthTypeEnv type of vault auth to be used
// vaultAuthTypeEnv type of vault auth to be used
vaultAuthTypeEnv = "MINIO_SSE_VAULT_AUTH_TYPE"
vaultAuthTypeEnv = "MINIO_SSE_VAULT_AUTH_TYPE"
// vaultAppRoleIDEnv Vault AppRole ID environment variable
// vaultAppRoleIDEnv Vault AppRole ID environment variable
@ -40,6 +40,10 @@ const (
vaultKeyVersionEnv = "MINIO_SSE_VAULT_KEY_VERSION"
vaultKeyVersionEnv = "MINIO_SSE_VAULT_KEY_VERSION"
// vaultKeyNameEnv Vault Encryption Key Name environment variable
// vaultKeyNameEnv Vault Encryption Key Name environment variable
vaultKeyNameEnv = "MINIO_SSE_VAULT_KEY_NAME"
vaultKeyNameEnv = "MINIO_SSE_VAULT_KEY_NAME"
// vaultCAPath is the path to a directory of PEM-encoded CA
// cert files to verify the Vault server SSL certificate.
vaultCAPath = "MINIO_SSE_VAULT_CAPATH"
)
)
var (
var (
@ -93,7 +97,7 @@ type VaultConfig struct {
// been set
// been set
func validateVaultConfig ( c * VaultConfig ) error {
func validateVaultConfig ( c * VaultConfig ) error {
if c . Endpoint == "" {
if c . Endpoint == "" {
return fmt . Errorf ( "Missing hashicorp vault endpoint - %s is empty" , V aultEndpointEnv)
return fmt . Errorf ( "Missing hashicorp vault endpoint - %s is empty" , v aultEndpointEnv)
}
}
if strings . ToLower ( c . Auth . Type ) != "approle" {
if strings . ToLower ( c . Auth . Type ) != "approle" {
return fmt . Errorf ( "Unsupported hashicorp vault auth type - %s" , vaultAuthTypeEnv )
return fmt . Errorf ( "Unsupported hashicorp vault auth type - %s" , vaultAuthTypeEnv )
@ -110,7 +114,6 @@ func validateVaultConfig(c *VaultConfig) error {
if c . Key . Version < 0 {
if c . Key . Version < 0 {
return fmt . Errorf ( "Invalid value set in environment variable %s" , vaultKeyVersionEnv )
return fmt . Errorf ( "Invalid value set in environment variable %s" , vaultKeyVersionEnv )
}
}
return nil
return nil
}
}
@ -134,7 +137,7 @@ func getVaultAccessToken(client *vault.Client, appRoleID, appSecret string) (tok
// variables and performs validations.
// variables and performs validations.
func NewVaultConfig ( ) ( KMSConfig , error ) {
func NewVaultConfig ( ) ( KMSConfig , error ) {
kc := KMSConfig { }
kc := KMSConfig { }
endpoint := os . Getenv ( V aultEndpointEnv)
endpoint := os . Getenv ( v aultEndpointEnv)
roleID := os . Getenv ( vaultAppRoleIDEnv )
roleID := os . Getenv ( vaultAppRoleIDEnv )
roleSecret := os . Getenv ( vaultAppSecretIDEnv )
roleSecret := os . Getenv ( vaultAppSecretIDEnv )
keyName := os . Getenv ( vaultKeyNameEnv )
keyName := os . Getenv ( vaultKeyNameEnv )
@ -177,9 +180,15 @@ func NewVaultConfig() (KMSConfig, error) {
// and gets a client token for future api calls.
// and gets a client token for future api calls.
func NewVault ( kmsConf KMSConfig ) ( KMS , error ) {
func NewVault ( kmsConf KMSConfig ) ( KMS , error ) {
config := kmsConf . Vault
config := kmsConf . Vault
c , err := vault . NewClient ( & vault . Config {
vconfig := & vault . Config {
Address : config . Endpoint ,
Address : config . Endpoint ,
} )
}
if err := vconfig . ConfigureTLS ( & vault . TLSConfig {
CAPath : os . Getenv ( vaultCAPath ) ,
} ) ; err != nil {
return nil , err
}
c , err := vault . NewClient ( vconfig )
if err != nil {
if err != nil {
return nil , err
return nil , err
}
}
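Review bot: The new CA path is read with `os.Getenv(vaultCAPath)` directly inside `NewVault`, while every other Vault setting in this file is read in `NewVaultConfig` and checked in `validateVaultConfig`, so the CA directory is neither part of `VaultConfig` nor validated — a missing or unreadable directory only surfaces when `ConfigureTLS` runs, and a typo in the variable name silently falls back to verifying against the system roots (which fails closed against a private CA, but with a confusing handshake error rather than a configuration error). I would add a `CAPath` field to `VaultConfig`, read it in `NewVaultConfig` next to the other `os.Getenv` calls, reject a non-empty value that is not a readable directory in `validateVaultConfig`, and use `CAPath: config.CAPath,` here. Note also that `vconfig` is built from a zero `vault.Config` rather than `vault.DefaultConfig()`; as far as I recall the vault api fills a nil `HttpClient` from `DefaultConfig()` in both `ConfigureTLS` and `NewClient`, and `DefaultConfig()` reads `VAULT_CACERT`/`VAULT_SKIP_VERIFY` from the environment, so a stray `VAULT_SKIP_VERIFY=true` in the MinIO process environment could disable verification even though this code never sets `Insecure` — worth confirming against the vendored api version and, if it holds, either pinning `InsecureSkipVerify` explicitly or documenting the invariant with a comment such as `// TLS verification is always on; only the trusted CA set can be overridden via MINIO_SSE_VAULT_CAPATH`. Finally, `vaultCAPath` breaks the `...Env` suffix convention of its siblings (`vaultKeyNameEnv`, `vaultKeyVersionEnv`); `vaultCAPathEnv` would match.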