Release 2023-02-15T14-54-37Z

@minio-trusted minio-trusted released this 16 Feb 15:14
· 95 commits to master since this release
8ce403b

Release Notes

Versioning

The KES server and CLI now follow a rolling release versioning scheme instead of semantic versioning. The KES version is now derived from the git commit timestamp. It has the following form: YYYY-MM-DDThh-mm-ssZ.

The KES Go SDK has been moved to its own repository (minio/kes-go) and continues to follow semantic versioning.

API Keys

KES now supports API keys for authentication. API keys are short secret keys that map to a TLS private/public key pair and can therefore be used for mTLS authentication. Hence, each API key also has an identity.

API key:    kes:v1:AD9E7FSYWrMD+VjhI6q545cYT9YOyFxZb7UnjEepYDRc
Identity:   3ecfcdf38fcbe141ae26a1030f81e96b753365a46760ae6b578698a97c59fd22

Clients can use API keys instead of TLS certificates (private key / certificate file), which should simplify credential handling in the majority of cases. The KES CLI supports API keys through the KES_API_KEY environment variable. For example:

export KES_SERVER=https://play.min.io:7373/
export KES_API_KEY=kes:v1:AD9E7FSYWrMD+VjhI6q545cYT9YOyFxZb7UnjEepYDRc

SIGHUP Reloads

A KES edge server now supports hot configuration reloads by listening for the SIGHUP signal on Unix systems. When receiving a SIGHUP signal, the KES server reloads its configuration file (e.g. loads TLS configuration, sets up policies, connects to the specified key store, etc.) in the background. When it has reloaded the new configuration successfully, it swaps the previous and the new one.

Therefore, reloading the server configuration happens atomically and instantaneously. Clients will not experience any service interruption.
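The load, validate, then swap behaviour described above, as an added Go example (not KES source code). Config, Server, Reload, Active and WatchSIGHUP are hypothetical names, and the address and keystore values are constructed. A rejected reload leaves the previous configuration in force, which is what keeps a bad config file from taking the server down.

```go
package main

import (
	"fmt"
	"os"
	"os/signal"
	"sync/atomic"
	"syscall"
)

// Config is a hypothetical stand-in for a fully parsed server configuration.
type Config struct{ Addr, Keystore string }

// Server publishes the active Config atomically: readers never see a mix.
type Server struct{ cfg atomic.Value }

// Active returns the Config in use, or nil before the first successful load.
func (s *Server) Active() *Config { c, _ := s.cfg.Load().(*Config); return c }

// Reload builds the next Config off to the side and swaps it in only if
// loading and validation succeed; on any error the old Config stays active.
func (s *Server) Reload(load func() (*Config, error)) error {
	next, err := load()
	if err != nil {
		return fmt.Errorf("reload rejected: %w", err)
	}
	if next == nil || next.Addr == "" || next.Keystore == "" {
		return fmt.Errorf("reload rejected: incomplete configuration")
	}
	s.cfg.Store(next)
	return nil
}

// WatchSIGHUP attempts one Reload per SIGHUP and reports rejected reloads.
func (s *Server) WatchSIGHUP(load func() (*Config, error)) {
	sig := make(chan os.Signal, 1)
	signal.Notify(sig, syscall.SIGHUP)
	for range sig {
		if err := s.Reload(load); err != nil {
			fmt.Fprintln(os.Stderr, err)
		}
	}
}

func main() {
	load := func() (*Config, error) { return &Config{"0.0.0.0:7373", "fs"}, nil } // constructed
	s := &Server{}
	_ = s.Reload(load)
	s.WatchSIGHUP(load) // blocks; `kill -HUP <pid>` triggers a reload
}
```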

KES Keystore

An edge KES server can now use a stateful KES server as a persistent key store. This can be configured in the keystore section.

  # Configuration for storing keys on a KES server.
  kes:
    endpoint: 
    - ""           # The endpoint (or list of endpoints) to the KES server(s)
    enclave: ""    # An optional enclave name. If empty, the default enclave will be used
    tls:           # The KES mTLS authentication credentials - i.e. client certificate.
      cert: ""     # Path to the TLS client certificate for mTLS authentication
      key: ""      # Path to the TLS client private key for mTLS authentication
      ca: ""       # Path to one or multiple PEM root CA certificates

Security

The KES binary is now built with Go 1.20.1. This fixes two CVEs in the net/http and crypto/tls standard library packages that affect KES:

  • CVE-2022-41723
    A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of
    service from a small number of small requests.
  • CVE-2022-41724
    Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when
    attempting to construct responses.

What's Changed

  • reload server configuration on SIGHUP by @aead in #327
  • add support for API keys by @aead in #328
  • update CI and release build to Go 1.20 by @aead in #329
  • keystore: add support for KES<->KES setup by @aead in #326
  • remove top-level SDK code by @aead in #331
  • build(deps): bump github.com/aws/aws-sdk-go from 1.33.0 to 1.34.0 by @dependabot in #330
  • update to Go 1.20.1 by @aead in #332

Full Changelog: v0.22.3...2023-02-15T14-54-37Z