kms: replace KES client implementation with minio/kes

This commit replaces the custom KES client implementation with the KES SDK from https://github.com/minio/kes The SDK supports multi-server client load-balancing and request retry out of the box. Therefore, this change reduces the overall complexity within the MinIO server and there is no need to maintain two separate client implementations. Signed-off-by: Andreas Auernhammer <aead@mail.de>
minio · May 3, 2021 · bb2e21a · bb2e21a
1 parent 6c8fddb
commit bb2e21a
Show file tree

Hide file tree

Showing 6 changed files with 498 additions and 503 deletions.
diff --git a/cmd/common-main.go b/cmd/common-main.go
@@ -40,12 +40,12 @@ import (
 	"github.com/minio/cli"
 	"github.com/minio/minio-go/v7/pkg/set"
 	"github.com/minio/minio/cmd/config"
-	"github.com/minio/minio/cmd/crypto"
 	xhttp "github.com/minio/minio/cmd/http"
 	"github.com/minio/minio/cmd/logger"
 	"github.com/minio/minio/pkg/auth"
 	"github.com/minio/minio/pkg/certs"
 	"github.com/minio/minio/pkg/console"
+	"github.com/minio/minio/pkg/ellipses"
 	"github.com/minio/minio/pkg/env"
 	"github.com/minio/minio/pkg/handlers"
 	"github.com/minio/minio/pkg/kms"
@@ -361,18 +361,37 @@ func handleCommonEnvVars() {
 		}
 	}
 	if env.IsSet(config.EnvKESEndpoint) {
-		kesEndpoints, err := crypto.ParseKESEndpoints(env.Get(config.EnvKESEndpoint, ""))
+		var endpoints []string
+		for _, endpoint := range strings.Split(env.Get(config.EnvKESEndpoint, ""), ",") {
+			if strings.TrimSpace(endpoint) == "" {
+				continue
+			}
+			if !ellipses.HasEllipses(endpoint) {
+				endpoints = append(endpoints, endpoint)
+				continue
+			}
+			pattern, err := ellipses.FindEllipsesPatterns(endpoint)
+			if err != nil {
+				logger.Fatal(err, fmt.Sprintf("Invalid KES endpoint %q", endpoint))
+			}
+			for _, p := range pattern {
+				endpoints = append(rawEndpoints, p.Expand()...)
+			}
+		}
+		certificate, err := tls.LoadX509KeyPair(env.Get(config.EnvKESClientCert, ""), env.Get(config.EnvKESClientKey, ""))
 		if err != nil {
-			logger.Fatal(err, "Unable to parse the KES endpoints inherited from the shell environment")
+			logger.Fatal(err, "Unable to load KES client certificate as specified by the shell environment")
 		}
-		KMS, err := crypto.NewKes(crypto.KesConfig{
-			Enabled:      true,
-			Endpoint:     kesEndpoints,
+		rootCAs, err := certs.LoadCAs(env.Get(config.EnvKESServerCA, globalCertsCADir.Get()))
+		if err != nil {
+			logger.Fatal(err, fmt.Sprintf("Unable to load X.509 root CAs for KES from %q", env.Get(config.EnvKESServerCA, globalCertsCADir.Get())))
+		}
+
+		KMS, err := kms.NewWithConfig(kms.Config{
+			Endpoints:    endpoints,
 			DefaultKeyID: env.Get(config.EnvKESKeyName, ""),
-			CertFile:     env.Get(config.EnvKESClientCert, ""),
-			KeyFile:      env.Get(config.EnvKESClientKey, ""),
-			CAPath:       env.Get(config.EnvKESServerCA, globalCertsCADir.Get()),
-			Transport:    newCustomHTTPTransportWithHTTP2(&tls.Config{RootCAs: globalRootCAs}, defaultDialTimeout)(),
+			Certificate:  certificate,
+			RootCAs:      rootCAs,
 		})
 		if err != nil {
 			logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")