Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KMS-PKI Workers #3101

Merged
merged 9 commits into from
Mar 30, 2023
Merged

KMS-PKI Workers #3101

merged 9 commits into from
Mar 30, 2023

Conversation

jefferai
Copy link
Member

@jefferai jefferai commented Mar 19, 2023
edited

This adds a new mechanism for worker authentication that uses the
third-party arbitration of the original KMS flow by leveraging
recently-added capabilities in nodeenrollment to support a registration
wrapper. This allows for workers to be registered to the system with
just a name and a matching wrapper, while at the same time allowing
these workers to be used for private Vault access and multi-hop as they
contain per-worker encryption keys and support rotation.

Nodes using this mode will generate and rotate credentials in-memory
(using another recently added nodeenrollment capability) so will have a
new set of keys on every startup. This has the side effect of ensuring
that there is never a conflict or re-use of these credentials.

Note that the normal test worker flow was using the now-deprecated KMS
method; there is still a test that uses this (explicitly) but all other
tests using test workers that did not specify a specific PKI flow now
actually use this mechanism. This means there is fairly decent test
coverage in a general sense, plus the specific tests updated/added for
this feature.

In a follow-up PR I will add a new KMS type that can be used to have
distinct KMSes for upstream authentication vs. accepting from
downstream.

@jefferai jefferai added this to the 0.13.x milestone Mar 19, 2023
@jefferai jefferai force-pushed the jefferai-kms-workers-nodee branch 7 times, most recently from 94fb4ba to 13c1162 Compare March 20, 2023 17:49
@jefferai jefferai force-pushed the jefferai-kms-workers-nodee branch 3 times, most recently from 1ff1956 to cb78b76 Compare March 20, 2023 18:52
@jefferai jefferai marked this pull request as ready for review March 20, 2023 18:53
@jefferai jefferai changed the title [WIP] KMS-PKI Workers KMS-PKI Workers Mar 20, 2023
@jefferai jefferai changed the title KMS-PKI Workers [WIP] KMS-PKI Workers Mar 22, 2023
@jefferai jefferai changed the title [WIP] KMS-PKI Workers KMS-PKI Workers Mar 24, 2023
@jefferai
Add KMS-PKI authentication
b750167 
This adds a new mechanism for worker authentication that uses the
third-party arbitration of the original KMS flow by leveraging
recently-added capabilities in nodeenrollment to support a registration
wrapper. This allows for workers to be registered to the system with
just a name and a matching wrapper, while at the same time allowing
these workers to be used for private Vault access and multi-hop as they
contain per-worker encryption keys and support rotation.

Nodes using this mode will generate and rotate credentials in-memory
(using another recently added nodeenrollment capability) so will have a
new set of keys on every startup. This has the side effect of ensuring
that there is never a conflict or re-use of these credentials.

Note that the normal test worker flow was using the now-deprecated KMS
method; there is still a test that uses this (explicitly) but all other
tests using test workers that did not specify a specific PKI flow now
actually use this mechanism. This means there is fairly decent test
coverage in a general sense, plus the specific tests updated/added for
this feature.

In a follow-up PR I will add a new KMS type that can be used to have
distinct KMSes for upstream authentication vs. accepting from
downstream.
@jefferai
Fix worker auth kms in dev mode
b8bf467
@jefferai
Add downstream worker auth KMS (#3110)
57c095d 
This adds an alternate KMS that can be used to handle incoming
downstream connections for PKI-KMS registration. This can be specified
multiple times; because the upstream only needs to decrypt, we can
simply use a PooledWrapper and add each given KMS to the pool.
@jefferai
Address some review feedback
e5b9898
@jefferai
Address reviewf feedback
b91eb65
@jefferai
Modify test function worker tree
b2baf9d
@jefferai
Remove unneeded option and ensure AEAD key bytes is returned for work…
6814743 
…er auth in all cases
jimlambrt
jimlambrt approved these changes Mar 30, 2023
View reviewed changes
Copy link
Collaborator

@jimlambrt jimlambrt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one minor question. looks great!

internal/daemon/controller/listeners.go Show resolved Hide resolved
@jefferai jefferai merged commit 163ce18 into main Mar 30, 2023
@jefferai jefferai deleted the jefferai-kms-workers-nodee branch March 30, 2023 20:20
johanbrandhorst pushed a commit that referenced this pull request May 31, 2023
@jimlambrt @jefferai
Manual oss merge / includes fix for oss target refactor (#332)
1531e36 
* KMS-PKI Workers (#3101)

This adds a new mechanism for worker authentication that uses the
third-party arbitration of the original KMS flow by leveraging
recently-added capabilities in nodeenrollment to support a registration
wrapper. This allows for workers to be registered to the system with
just a name and a matching wrapper, while at the same time allowing
these workers to be used for private Vault access and multi-hop as they
contain per-worker encryption keys and support rotation.

Nodes using this mode will generate and rotate credentials in-memory
(using another recently added nodeenrollment capability) so will have a
new set of keys on every startup. This has the side effect of ensuring
that there is never a conflict or re-use of these credentials.

Note that the normal test worker flow was using the now-deprecated KMS
method; there is still a test that uses this (explicitly) but all other
tests using test workers that did not specify a specific PKI flow now
actually use this mechanism. This means there is fairly decent test
coverage in a general sense, plus the specific tests updated/added for
this feature.

This also adds a new KMS type that can be used to have
distinct KMSes for upstream authentication vs. accepting from
downstream.

* refact: fix oss refactor of target repository for ent

* refact: more merge fixes

---------

Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@talanknight talanknight talanknight approved these changes

@jimlambrt jimlambrt jimlambrt approved these changes

@irenarindos irenarindos Awaiting requested review from irenarindos

Assignees
No one assigned
Labels
core/daemon core/server core docs/configuration website
Projects
None yet
Milestone
0.13.x
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@jefferai @talanknight @irenarindos @jimlambrt