
Backport of keyring: support external KMS for key encryption key (KEK) into release/1.8.x #23620

Merged

hc-github-team-nomad-core
Contributor

Backport

This PR is auto-generated from #23580 to be assessed for backporting due to the inclusion of the label backport/1.8.x.

🚨 Warning: automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, not including, the commit where the merge conflict occurred.

The person who merged in the original PR is:
@tgross
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/nomad/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


In Nomad 1.4.0, we shipped support for encrypted Variables and signed Workload Identities, but the key material is protected only by an AEAD encrypting the KEK. Add support for Vault transit encryption and external KMS from major cloud providers. The servers call out to the external service to decrypt each key in the on-disk keystore.

Ref: https://hashicorp.atlassian.net/browse/NET-10334
Fixes: #14852


Notes for reviewers:


Overview of commits
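The PR body above describes envelope encryption with the KEK held outside the server: each key in the on-disk keystore is wrapped, and at startup the server calls out to the provider to unwrap it. The following Go program is an added illustration of that design; it is not code from this PR, from Nomad, or from HashiCorp, and every name in it (the `KEKWrapper` interface, `Wrapper`, `KeystoreEntry`, the `Revoked` flag that simulates the service refusing access) is an assumption made for the example. The "mock-kms" wrapper holds the KEK in process memory only so the example runs offline; a real Vault transit mount or cloud KMS never returns it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KEKWrapper is the seam between the keystore and whatever holds the KEK
// (hypothetical name, not Nomad's API): the keystore sees only Wrap/Unwrap.
type KEKWrapper interface {
	Name() string
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

// aeadSeal/aeadOpen: AES-256-GCM with the random nonce prefixed to the
// ciphertext; aad binds the result to a context (provider name or key ID).
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func aeadOpen(key, ciphertext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrapper keeps a KEK in memory (assumption for the example). Name "local-aead"
// models the pre-change design: KEK on the same host, so a disk copy unwraps
// every DEK. "mock-kms" stands in for Vault transit or a cloud KMS: the KEK
// never leaves the service, and it can refuse (Revoked), leaving the keystore unreadable.
type Wrapper struct {
	name    string
	kek     []byte
	Revoked bool
}

func NewWrapper(name string, kek []byte) *Wrapper { return &Wrapper{name: name, kek: kek} }
func (w *Wrapper) Name() string                    { return w.name }
func (w *Wrapper) Wrap(dek []byte) ([]byte, error) { return w.call(aeadSeal, dek) }
func (w *Wrapper) Unwrap(b []byte) ([]byte, error) { return w.call(aeadOpen, b) }

// call is the one place that "talks to the service" and can be refused.
func (w *Wrapper) call(op func(k, in, aad []byte) ([]byte, error), in []byte) ([]byte, error) {
	if w.Revoked {
		return nil, errors.New(w.name + ": access denied")
	}
	return op(w.kek, in, []byte(w.name))
}

// KeystoreEntry is the persisted record: key ID, wrapping provider, wrapped DEK,
// and no plaintext key material.
type KeystoreEntry struct {
	KeyID      string
	Provider   string
	WrappedDEK []byte
}

// SealNewKey generates a 256-bit DEK and wraps it through the provider; the
// entry is what goes to disk, the DEK stays only in server memory.
func SealNewKey(w KEKWrapper, keyID string) (KeystoreEntry, []byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return KeystoreEntry{}, nil, err
	}
	wrapped, err := w.Wrap(dek)
	if err != nil {
		return KeystoreEntry{}, nil, err
	}
	return KeystoreEntry{KeyID: keyID, Provider: w.Name(), WrappedDEK: wrapped}, dek, nil
}

// OpenKey is the startup path for each entry: confirm it was wrapped by the
// configured provider, then call out to unwrap it.
func OpenKey(w KEKWrapper, e KeystoreEntry) ([]byte, error) {
	if e.Provider != w.Name() {
		return nil, errors.New("key " + e.KeyID + " wrapped by " + e.Provider + ", not " + w.Name())
	}
	return w.Unwrap(e.WrappedDEK)
}
```

The check worth running is the failure mode: set `Revoked` on the "mock-kms" wrapper and `OpenKey` fails, so whoever exfiltrates the keystore files has nothing until the KMS grants an unwrap. Under the "local-aead" model the same files plus the co-located KEK are sufficient. In this example the returned DEK is then used with the same `aeadSeal`/`aeadOpen` routine, with the key ID as AAD, so a ciphertext cannot be presented as belonging to a different key.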


hashicorp-cla-app bot commented Jul 18, 2024

CLA assistant check
All committers have signed the CLA.

In Nomad 1.4.0, we shipped support for encrypted Variables and signed Workload
Identities, but the key material is protected only by an AEAD encrypting the
KEK. Add support for Vault transit encryption and external KMS from major cloud
providers. The servers call out to the external service to decrypt each key in
the on-disk keystore.

Ref: https://hashicorp.atlassian.net/browse/NET-10334
Fixes: #14852
@tgross tgross force-pushed the backport/keyring-external-kms/presently-rapid-salmon branch from 3a5b925 to 8a62a3e on July 18, 2024 13:46
@tgross tgross marked this pull request as ready for review July 18, 2024 13:46
I'm pulling this out to a shared PR between the two, because it'll make
backporting easier.

Closes: #23621
Closes: #23589
@tgross tgross merged commit 7785e45 into release/1.8.x Jul 18, 2024
19 checks passed
@tgross tgross deleted the backport/keyring-external-kms/presently-rapid-salmon branch July 18, 2024 14:18