Add Vault support for custom CAs directory (#6527)

master
Harshavardhana 6 years ago committed by GitHub
parent b4772849f9
commit f163bed40d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 23
      cmd/crypto/vault.go
  2. 7
      docs/kms/README.md

@ -28,8 +28,8 @@ import (
) )
const ( const (
// VaultEndpointEnv Vault endpoint environment variable // vaultEndpointEnv Vault endpoint environment variable
VaultEndpointEnv = "MINIO_SSE_VAULT_ENDPOINT" vaultEndpointEnv = "MINIO_SSE_VAULT_ENDPOINT"
// vaultAuthTypeEnv type of vault auth to be used // vaultAuthTypeEnv type of vault auth to be used
vaultAuthTypeEnv = "MINIO_SSE_VAULT_AUTH_TYPE" vaultAuthTypeEnv = "MINIO_SSE_VAULT_AUTH_TYPE"
// vaultAppRoleIDEnv Vault AppRole ID environment variable // vaultAppRoleIDEnv Vault AppRole ID environment variable
@ -40,6 +40,10 @@ const (
vaultKeyVersionEnv = "MINIO_SSE_VAULT_KEY_VERSION" vaultKeyVersionEnv = "MINIO_SSE_VAULT_KEY_VERSION"
// vaultKeyNameEnv Vault Encryption Key Name environment variable // vaultKeyNameEnv Vault Encryption Key Name environment variable
vaultKeyNameEnv = "MINIO_SSE_VAULT_KEY_NAME" vaultKeyNameEnv = "MINIO_SSE_VAULT_KEY_NAME"
// vaultCAPath is the path to a directory of PEM-encoded CA
// cert files to verify the Vault server SSL certificate.
vaultCAPath = "MINIO_SSE_VAULT_CAPATH"
) )
var ( var (
@ -93,7 +97,7 @@ type VaultConfig struct {
// been set // been set
func validateVaultConfig(c *VaultConfig) error { func validateVaultConfig(c *VaultConfig) error {
if c.Endpoint == "" { if c.Endpoint == "" {
return fmt.Errorf("Missing hashicorp vault endpoint - %s is empty", VaultEndpointEnv) return fmt.Errorf("Missing hashicorp vault endpoint - %s is empty", vaultEndpointEnv)
} }
if strings.ToLower(c.Auth.Type) != "approle" { if strings.ToLower(c.Auth.Type) != "approle" {
return fmt.Errorf("Unsupported hashicorp vault auth type - %s", vaultAuthTypeEnv) return fmt.Errorf("Unsupported hashicorp vault auth type - %s", vaultAuthTypeEnv)
@ -110,7 +114,6 @@ func validateVaultConfig(c *VaultConfig) error {
if c.Key.Version < 0 { if c.Key.Version < 0 {
return fmt.Errorf("Invalid value set in environment variable %s", vaultKeyVersionEnv) return fmt.Errorf("Invalid value set in environment variable %s", vaultKeyVersionEnv)
} }
return nil return nil
} }
@ -134,7 +137,7 @@ func getVaultAccessToken(client *vault.Client, appRoleID, appSecret string) (tok
// variables and performs validations. // variables and performs validations.
func NewVaultConfig() (KMSConfig, error) { func NewVaultConfig() (KMSConfig, error) {
kc := KMSConfig{} kc := KMSConfig{}
endpoint := os.Getenv(VaultEndpointEnv) endpoint := os.Getenv(vaultEndpointEnv)
roleID := os.Getenv(vaultAppRoleIDEnv) roleID := os.Getenv(vaultAppRoleIDEnv)
roleSecret := os.Getenv(vaultAppSecretIDEnv) roleSecret := os.Getenv(vaultAppSecretIDEnv)
keyName := os.Getenv(vaultKeyNameEnv) keyName := os.Getenv(vaultKeyNameEnv)
@ -177,9 +180,15 @@ func NewVaultConfig() (KMSConfig, error) {
// and gets a client token for future api calls. // and gets a client token for future api calls.
func NewVault(kmsConf KMSConfig) (KMS, error) { func NewVault(kmsConf KMSConfig) (KMS, error) {
config := kmsConf.Vault config := kmsConf.Vault
c, err := vault.NewClient(&vault.Config{ vconfig := &vault.Config{
Address: config.Endpoint, Address: config.Endpoint,
}) }
if err := vconfig.ConfigureTLS(&vault.TLSConfig{
CAPath: os.Getenv(vaultCAPath),
}); err != nil {
return nil, err
}
c, err := vault.NewClient(vconfig)
if err != nil { if err != nil {
return nil, err return nil, err
} }
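Review bot: `CAPath: os.Getenv(vaultCAPath)` reads the environment from inside NewVault, whereas every other Vault setting is read once in NewVaultConfig, carried in KMSConfig and checked by validateVaultConfig, so the CA directory cannot be validated with the rest of the config and is invisible to any caller that assembles a KMSConfig itself. Consider a `CAPath string` field on VaultConfig, populated in NewVaultConfig with `kc.Vault.CAPath = os.Getenv(vaultCAPath)`, and passed here as `CAPath: config.CAPath`. The error from ConfigureTLS is also returned bare, unlike the messages in validateVaultConfig that name the offending variable; `return nil, fmt.Errorf("Unable to configure TLS for hashicorp vault (%s) - %s", vaultCAPath, err)` would make a missing or unreadable CA directory diagnosable from the log. NewVault continues past the end of this hunk.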

@ -14,7 +14,7 @@ Vault as Key Management System requires following to be configured in Vault
- AppRole based authentication with read/update policy for transit backend. In particular, read and update policy - AppRole based authentication with read/update policy for transit backend. In particular, read and update policy
are required for the generate data key endpoint and decrypt key endpoint. are required for the generate data key endpoint and decrypt key endpoint.
### Environment variables ### 3. Environment variables
You'll need the Vault endpoint, AppRole ID, AppRole SecretID, encryption key-ring name before starting Minio server with Vault as KMS You'll need the Vault endpoint, AppRole ID, AppRole SecretID, encryption key-ring name before starting Minio server with Vault as KMS
@ -26,6 +26,11 @@ export MINIO_SSE_VAULT_KEY_NAME=my-minio-key
minio server ~/export minio server ~/export
``` ```
Optionally set `MINIO_SSE_VAULT_CAPATH` is the path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate.
```
export MINIO_SSE_VAULT_CAPATH=/home/user/custom-pems
```
### 4. Test your setup ### 4. Test your setup
To test this setup, access the Minio server via browser or [`mc`](https://docs.minio.io/docs/minio-client-quickstart-guide). You’ll see the uploaded files are accessible from the all the Minio endpoints. To test this setup, access the Minio server via browser or [`mc`](https://docs.minio.io/docs/minio-client-quickstart-guide). You’ll see the uploaded files are accessible from the all the Minio endpoints.
