[Review Only] Autoseal OSS port (#757)
* Port awskms autoseal * Rename files * WIP autoseal * Fix protobuf conflict * Expose some structs to properly allow encrypting stored keys * Update awskms with the latest changes * Add KeyGuard implementation to abstract encryption/decryption of keys * Fully decouple seal.Access implementations from sealwrap structs * Add extra line to proto files, comment update * Update seal_access_entry.go * govendor sync * Add endpoint info to configureAWSKMSSeal * Update comment * Refactor structs * Update make proto * Remove KeyGuard, move encrypt/decrypt to autoSeal * Add rest of seals, update VerifyRecoveryKeys, add deps * Fix some merge conflicts via govendor updates * Rename SealWrapEntry to EncryptedBlobInfo * Remove barrier type upgrade check in oss * Add key to EncryptedBlobInfo proto * Update barrierTypeUpgradeCheck signature
Showing
65 changed files
with
29,804 additions
and
41 deletions.
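--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,33 @@
+package seal
+
+import (
+	"github.com/hashicorp/errwrap"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/seal/alicloudkms"
+)
+
+func configureAliCloudKMSSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (vault.Seal, error) {
+	kms := alicloudkms.NewSeal(logger)
+	kmsInfo, err := kms.SetConfig(config.Seal.Config)
+	if err != nil {
+		// If the error is any other than logical.KeyNotFoundError, return the error
+		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
+			return nil, err
+		}
+	}
+	autoseal := vault.NewAutoSeal(kms)
+	if kmsInfo != nil {
+		*infoKeys = append(*infoKeys, "Seal Type", "AliCloud KMS Region", "AliCloud KMS KeyID")
+		(*info)["Seal Type"] = config.Seal.Type
+		(*info)["AliCloud KMS Region"] = kmsInfo["region"]
+		(*info)["AliCloud KMS KeyID"] = kmsInfo["kms_key_id"]
+		if domain, ok := kmsInfo["domain"]; ok {
+			*infoKeys = append(*infoKeys, "AliCloud KMS Domain")
+			(*info)["AliCloud KMS Domain"] = domain
+		}
+	}
+	return autoseal, nil
+}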
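Review bot: The KeyNotFoundError branch in configureAliCloudKMSSeal continues silently: when SetConfig returns that error the seal is still wrapped by vault.NewAutoSeal and nothing is logged, so an operator has no startup record that the configured key could not be found, and the comment only restates the condition instead of saying why a missing key is acceptable at this point. Inside the branch, after the `return nil, err` check, log it once, e.g. `logger.Warn("seal key not found while configuring seal, continuing", "error", err)`, and reword the comment to state the reason the missing key is tolerated (presumably the key can be created or become visible later — confirm). The `inseal vault.Seal` parameter is never read in any of these functions; if it is reserved for a later seal-migration path, say so in a comment, otherwise name it `_`. The same shape, including the same unlogged branch, is repeated in configureAWSKMSSeal, configureAzureKeyVaultSeal and configureGCPCKMSSeal; the only differences are the seal constructor and the label-to-key pairs written into info, so a shared helper taking those would remove the quadruplicated error handling and keep the four seals' behaviour from drifting.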
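--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,33 @@
+package seal
+
+import (
+	"github.com/hashicorp/errwrap"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/seal/awskms"
+)
+
+func configureAWSKMSSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (vault.Seal, error) {
+	kms := awskms.NewSeal(logger)
+	kmsInfo, err := kms.SetConfig(config.Seal.Config)
+	if err != nil {
+		// If the error is any other than logical.KeyNotFoundError, return the error
+		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
+			return nil, err
+		}
+	}
+	autoseal := vault.NewAutoSeal(kms)
+	if kmsInfo != nil {
+		*infoKeys = append(*infoKeys, "Seal Type", "AWS KMS Region", "AWS KMS KeyID")
+		(*info)["Seal Type"] = config.Seal.Type
+		(*info)["AWS KMS Region"] = kmsInfo["region"]
+		(*info)["AWS KMS KeyID"] = kmsInfo["kms_key_id"]
+		if endpoint, ok := kmsInfo["endpoint"]; ok {
+			*infoKeys = append(*infoKeys, "AWS KMS Endpoint")
+			(*info)["AWS KMS Endpoint"] = endpoint
+		}
+	}
+	return autoseal, nil
+}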
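--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,30 @@
+package seal
+
+import (
+	"github.com/hashicorp/errwrap"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/seal/azurekeyvault"
+)
+
+func configureAzureKeyVaultSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (vault.Seal, error) {
+	kv := azurekeyvault.NewSeal(logger)
+	kvInfo, err := kv.SetConfig(config.Seal.Config)
+	if err != nil {
+		// If the error is any other than logical.KeyNotFoundError, return the error
+		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
+			return nil, err
+		}
+	}
+	autoseal := vault.NewAutoSeal(kv)
+	if kvInfo != nil {
+		*infoKeys = append(*infoKeys, "Seal Type", "Azure Environment", "Azure Vault Name", "Azure Key Name")
+		(*info)["Seal Type"] = config.Seal.Type
+		(*info)["Azure Environment"] = kvInfo["environment"]
+		(*info)["Azure Vault Name"] = kvInfo["vault_name"]
+		(*info)["Azure Key Name"] = kvInfo["key_name"]
+	}
+	return autoseal, nil
+}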
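--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,31 @@
+package seal
+
+import (
+	"github.com/hashicorp/errwrap"
+	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/command/server"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/hashicorp/vault/vault/seal/gcpckms"
+)
+
+func configureGCPCKMSSeal(config *server.Config, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (vault.Seal, error) {
+	kms := gcpckms.NewSeal(logger)
+	kmsInfo, err := kms.SetConfig(config.Seal.Config)
+	if err != nil {
+		// If the error is any other than logical.KeyNotFoundError, return the error
+		if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
+			return nil, err
+		}
+	}
+	autoseal := vault.NewAutoSeal(kms)
+	if kmsInfo != nil {
+		*infoKeys = append(*infoKeys, "Seal Type", "GCP KMS Project", "GCP KMS Region", "GCP KMS Key Ring", "GCP KMS Crypto Key")
+		(*info)["Seal Type"] = config.Seal.Type
+		(*info)["GCP KMS Project"] = kmsInfo["project"]
+		(*info)["GCP KMS Region"] = kmsInfo["region"]
+		(*info)["GCP KMS Key Ring"] = kmsInfo["key_ring"]
+		(*info)["GCP KMS Crypto Key"] = kmsInfo["crypto_key"]
+	}
+	return autoseal, nil
+}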
3d1f0d7
Why/how is this commit related to PR #757 (Add support for etcd over TLS)?
GitHub is relating them somehow and I'm confused. Could someone explain? Thanks
3d1f0d7
@richard-mauri This was related to an internal issue tracker that GH picked up as another issue. It is safe to ignore.