Tags: PankajWorks/kes
Tags
proxy: fix invalid check to enable authentication This commit fixes a bug in the server initialization w.r.t. requiring TLS certificate verification of TLS proxies. Currently, the certificate of the TLS proxy is not validated by default / when `--auth` is not set to `off`. However, this has no direct security impact since a TLS proxy has to be explicitly configured and its public key has to be pinned. This commit fixes this by always enabling TLS certificate validation for TLS proxies unless `--auth=off` has been specified.
rename the KES client env. variables for the client key and cert This commit renames the client env. variables used to specify the client certificate and private key. Before, the CLI client expected: ``` export KES_CLIENT_TLS_CERT_FILE=<cert> export KES_CLIENT_TLS_KEY_FILE=<key> ``` Now, the CLI client expects: ``` export KES_CLIENT_CERT=<cert> export KES_CLIENT_KEY=<key> ``` The reason for this change is that the previous env. variables are quite verbose and look odd compared to the `KES_SERVER` variable. The new variables are more compact and don't require boilerplate typing. It has been considered to have a fallback - like if `KES_CLIENT_CERT` is not present look for `KES_CLIENT_TLS_CERT_FILE`. However, it seems worse to have a deprecated fallback that gets removed at some point in time. A clean cut seems better here.
add support for config file identity templates This commit adds support for config file templates such that an identity in the config file can be overwritten by a config file: ```yaml root: ${ROOT_ID} policy: my-policy: paths: - /v1/key/create/my-key identities: - 6d56ee07446b7f11ad3b52d3cfd90942ad636c01288d3652a29fa0647919a3b2 - ${MY_APP_ID} ``` The above config snippet would compile to an actual config where the root identity would be replaced by the $ROOT_ID env. variable. Similarly, there would be two identities assigned to the `my-policy` policy: - 6d56ee07446b7f11ad3b52d3cfd90942ad636c01288d3652a29fa0647919a3b2 - The value of $MY_APP_ID This templating approach has some adv. compared to allowing overwriting arbitrary config file entries: - A user/admin providing the config file can control what can be customized by an executing system (K8S). The user/admin still specifies how the general setup should look like. - Only certain aspects of the config are "dynamic" - e.g. identities. Whether e.g. audit logging to STDOUT is enabled should not really be configured via an env. variable.
remove the restriction of only supporting HTTP/2 This commit allows clients to connect to the KES server via any HTTP protocol (again). This commit basically reverts b74bb38. The reason for restriction to HTTP/2-only was the potential addition of stream APIs for encryption and decryption. However, nginx does not support HTTP/2 for backend connections. See: https://trac.nginx.org/nginx/ticket/923 Therefore, it would not be possible to run a KES server behind a nginx proxy since the nginx would not be able to connect to KES. Further, this commit fixes 3 typos in the reference config file.
build a versioned KES binary in docker container This commit uses the `release` command added by 08be13b to build a binary with release information when building the docker image. This can be verified by running: ``` docker build - < Dockerfile ``` and then ``` docker run <container-id> -v ```
add release cmd to build versioned binaries with docker This commit adds a release command that fetches release information (i.e. versions) about the `github.com/minio/kes` module from a Go proxy. With this command it is possible to add release information to the KES binary during compilation - without any extra dependencies (e.g. curl and jq). The general idea is to first install the release command via `go install github.com/minio/kes/cmd/release` and then run: ``` go install -ldflags "-s -w -X main.version=$(release)" github.com/minio/kes/cmd/kes ``` This commit does not update the Dockerfile since we have to release this change first such that `go install github.com/minio/kes/cmd/release` succeeds.
aws-kms: honor error log configuration This commit fixes a bug when initializing AWS-KMS. Before, the error log was not passed to the AWS-KMS client such that if the client would log a error message it would always be written to the STDOUT/STDERR - regardless what was specified in the config file. However, this bug does not affect any (official) release because it has been introduced by 817a824.
PreviousNext