kms

package
v5.14.4 Latest Latest
Published: Jan 16, 2024 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Constants

const (
	// IbmKpSecretStorageName is the KMS backend name for the IBM Key Protect driver
	IbmKpSecretStorageName = "ibmkeyprotect"
	// IbmServiceAPIKey is the config key under which the service ID API Key is supplied
	// (a credential: keep it out of logs and error messages)
	IbmServiceAPIKey = "IBM_KP_SERVICE_API_KEY"
	// IbmInstanceIDKey is the config key for the Key Protect Service's Instance ID
	IbmInstanceIDKey = "IBM_KP_SERVICE_INSTANCE_ID"
	// IbmBaseURLKey is the config key for the Key Protect Service's Base URL
	IbmBaseURLKey = "IBM_KP_BASE_URL"
	// IbmTokenURLKey is the config key for the Key Protect Service's Token URL
	IbmTokenURLKey = "IBM_KP_TOKEN_URL"
)
const (
	// The constants below are the keys looked up in the KMIP driver configuration;
	// the values they refer to are supplied by the caller, not defined here.
	KMIPEndpoint      = "KMIP_ENDPOINT"     // KMIP server endpoint
	KMIPSecret        = "KMIP_CERTS_SECRET" // name of the secret carrying the TLS material (presumably CA, client cert and client key — confirm in the driver)
	KMIPUniqueID      = "UniqueIdentifier"  // NOTE(review): looks like the KMIP Unique Identifier attribute name — confirm against the KMIP client
	KMIPTLSServerName = "TLS_SERVER_NAME"   // server name expected in the KMIP server certificate (presumably used for SNI/verification — confirm)
	KMIPReadTimeOut   = "READ_TIMEOUT"      // read timeout override; see KMIPDefaulReadTimeout
	KMIPWriteTimeOut  = "WRITE_TIMEOUT"     // write timeout override; see KMIPDefaulWriteTimeout
	KMPSecret         = "secret"            // NOTE: spelled "KMP", not "KMIP"; exported, so renaming would break callers
	KMIPCACERT        = "CA_CERT"           // CA certificate used to verify the KMIP server
	KMIPCLIENTCERT    = "CLIENT_CERT"       // client certificate presented for mutual TLS
	KMIPCLIENTKEY     = "CLIENT_KEY"        // client private key: sensitive material, keep it out of logs
)

KMIP client config options

const (
	// KMIPSecretStorageName is the KMS backend name for the KMIP driver
	KMIPSecretStorageName = "kmip"

	// KMIPDefaulReadTimeout is the default read network timeout, presumably applied
	// when KMIPReadTimeOut is not configured (unit not stated here — confirm in the client)
	KMIPDefaulReadTimeout = 10

	// KMIPDefaulWriteTimeout is the default write network timeout, presumably applied
	// when KMIPWriteTimeOut is not configured (same unit as the read timeout)
	KMIPDefaulWriteTimeout = 10
)
const (
	VaultAddr       = "VAULT_ADDR"              // Vault server address
	VaultCaCert     = "VAULT_CACERT"            // CA certificate used to verify the Vault server
	VaultClientCert = "VAULT_CLIENT_CERT"       // client certificate presented for mutual TLS
	VaultClientKey  = "VAULT_CLIENT_KEY"        // client private key: sensitive material
	VaultSkipVerify = "VAULT_SKIP_VERIFY"       // disables server certificate verification; the token and secrets then travel over an unauthenticated channel, so only for test setups
	VaultToken      = "VAULT_TOKEN"             // Vault token: sensitive material, keep it out of logs
	RootSecretPath  = "NOOBAA_ROOT_SECRET_PATH" // path under which the NooBaa root secret is stored in Vault
)

Vault authentication config options

const (
	// ActiveRootKey - pointer to the current key name; presumably the entry of the
	// rotating-key map that names the active root key (confirm in VersionRotatingSecret)
	ActiveRootKey = "active_root_key"
)
const (
	Provider = "KMS_PROVIDER" // backend type configuration key; its value presumably selects the driver type passed to NewDriver
)

KMS provides uniform access to several backend types.

Variables

This section is empty.

Functions

func NewIBMKpSecretStorage

func NewIBMKpSecretStorage(
	secretConfig map[string]interface{},
) (secrets.Secrets, error)

NewIBMKpSecretStorage is a constructor that returns a new instance of ibmKpSecretStorage

func NewKMIPSecretStorage added in v5.12.4

func NewKMIPSecretStorage(
	secretConfig map[string]interface{},
) (secrets.Secrets, error)

NewKMIPSecretStorage is a constructor that returns a new instance of KMIPSecretStorage

func RegisterDriver

func RegisterDriver(name string, ctor DriverCtor) error

RegisterDriver adds a new KMS driver

func StatusValid added in v5.13.0

func StatusValid(st corev1.ConditionStatus) bool

StatusValid returns true if the status is valid, false otherwise

Types

type Driver

// Driver is the backend type specific driver interface for the libopenstorage/secrets framework
type Driver interface {
	// Path returns the secret id used with the backend (per driver: k8s secret name, kv secret id, ...)
	Path() string
	// Name returns the root key map key
	Name() string
	// Config builds the driver specific secret config from connectionDetails;
	// tokenSecretName and namespace presumably locate the secret holding the backend credential — confirm per driver
	Config(connectionDetails map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error)
	// GetContext returns the key context used for secret get operations
	GetContext() map[string]string
	// SetContext returns the key context used for secret set operations
	SetContext() map[string]string
	// DeleteContext returns the key context used for secret delete operations
	DeleteContext() map[string]string
	// Version returns the Version implementation for k: either a single string or a map (rotating key)
	Version(k *KMS) Version
}

Driver is the backend type specific driver interface for the libopenstorage/secrets framework

func NewDriver

func NewDriver(
	dType string,
	name string,
	namespace string,
	uid string,
) Driver

NewDriver returns a new instance of KMS driver identified by the supplied driver type.

func NewIBM

func NewIBM(
	name string,
	namespace string,
	uid string,
) Driver

NewIBM is IBM KP driver constructor

func NewK8S

func NewK8S(
	name string,
	namespace string,
	uid string,
) Driver

NewK8S is Kubernetes secret driver constructor

func NewKMIP added in v5.12.4

func NewKMIP(
	name string,
	namespace string,
	uid string,
) Driver

NewKMIP is KMIP driver constructor

func NewVault

func NewVault(
	name string,
	namespace string,
	uid string,
) Driver

NewVault is vault driver constructor

type DriverCtor

// DriverCtor is a Driver constructor function type (see NewIBM, NewK8S, NewKMIP, NewVault);
// uid is the NooBaa system UID, name and namespace presumably identify the system object — confirm in the callers
type DriverCtor func(
	name string,
	namespace string,
	uid string,
) Driver

DriverCtor is a Driver constructor function type

type IBM

// IBM is the NooBaa root master key driver backed by ibmKpSecretStorage
type IBM struct {
	UID string // NooBaa system UID
}

IBM is a NooBaa root master key ibmKpSecretStorage driver

func (*IBM) Config

func (i *IBM) Config(config map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error)

Config returns ibmKpK8sSecret secret config

func (*IBM) DeleteContext

func (*IBM) DeleteContext() map[string]string

DeleteContext returns context used for secret delete operation

func (*IBM) GetContext

func (*IBM) GetContext() map[string]string

GetContext returns context used for secret get operation

func (*IBM) Name

func (i *IBM) Name() string

Name returns root key map key

func (*IBM) Path

func (i *IBM) Path() string

Path returns secret id

func (*IBM) SetContext

func (*IBM) SetContext() map[string]string

SetContext returns context used for secret set operation

func (*IBM) Version added in v5.13.0

func (*IBM) Version(kms *KMS) Version

Version returns the current driver KMS version, either a single string or a map, i.e. a rotating key

type K8S

// K8S is the Kubernetes secret driver
type K8S struct {
	// contains filtered or unexported fields
}

K8S is a Kubernetes driver

func (*K8S) Config

func (k *K8S) Config(map[string]string, string, string) (map[string]interface{}, error)

Config returns this driver secret config

func (*K8S) DeleteContext

func (k *K8S) DeleteContext() map[string]string

DeleteContext returns context used for secret delete operation

func (*K8S) GetContext

func (k *K8S) GetContext() map[string]string

GetContext returns context used for secret get operation

func (*K8S) Name

func (*K8S) Name() string

Name returns root key map key

func (*K8S) Path

func (k *K8S) Path() string

Path returns the old format k8s secret name

func (*K8S) SetContext

func (k *K8S) SetContext() map[string]string

SetContext returns context used for secret set operation

func (*K8S) Version added in v5.13.0

func (k *K8S) Version(kms *KMS) Version

Version returns the driver version

type KMIP added in v5.12.4

// KMIP is the KMIP driver; it carries no state of its own
type KMIP struct {
}

KMIP is a kmip driver

func (*KMIP) Config added in v5.12.4

func (*KMIP) Config(config map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error)

Config returns this driver secret config

func (*KMIP) DeleteContext added in v5.12.4

func (k *KMIP) DeleteContext() map[string]string

DeleteContext returns context used for secret delete operation

func (*KMIP) GetContext added in v5.12.4

func (k *KMIP) GetContext() map[string]string

GetContext returns context used for secret get operation

func (*KMIP) Name added in v5.12.4

func (k *KMIP) Name() string

Name returns root key map key

func (*KMIP) Path added in v5.12.4

func (k *KMIP) Path() string

Path returns the kv secret id

func (*KMIP) SetContext added in v5.12.4

func (k *KMIP) SetContext() map[string]string

SetContext returns context used for secret set operation

func (*KMIP) Version added in v5.13.0

func (k *KMIP) Version(kms *KMS) Version

Version returns the current driver KMS version, either a single string or a map, i.e. a rotating key

type KMIPSecretStorage added in v5.12.4

// KMIPSecretStorage is a KMIP backend Key Management System (KMS) which implements the
// libopenstorage Secrets interface; only GetSecret, PutSecret and DeleteSecret are supported,
// Encrypt, Decrypt, Rencrypt and ListSecrets are not
type KMIPSecretStorage struct {
	// contains filtered or unexported fields
}

KMIPSecretStorage is a KMIP backend Key Management System (KMS) which implements the libopenstorage Secrets interface

func (*KMIPSecretStorage) Decrypt added in v5.12.4

func (*KMIPSecretStorage) Decrypt(
	secretID string,
	encryptedData string,
	keyContext map[string]string,
) (string, error)

Decrypt is not supported

func (*KMIPSecretStorage) DeleteSecret added in v5.12.4

func (k *KMIPSecretStorage) DeleteSecret(
	secretID string,
	keyContext map[string]string,
) error

DeleteSecret deletes the secret data associated with the supplied secretId.

func (*KMIPSecretStorage) Encrypt added in v5.12.4

func (*KMIPSecretStorage) Encrypt(
	secretID string,
	plaintTextData string,
	keyContext map[string]string,
) (string, error)

Encrypt is not supported

func (*KMIPSecretStorage) GetSecret added in v5.12.4

func (k *KMIPSecretStorage) GetSecret(
	secretID string,
	keyContext map[string]string,
) (map[string]interface{}, error)

GetSecret returns the secret data associated with the supplied secretId.

func (*KMIPSecretStorage) ListSecrets added in v5.12.4

func (*KMIPSecretStorage) ListSecrets() ([]string, error)

ListSecrets is not supported

func (*KMIPSecretStorage) PutSecret added in v5.12.4

func (k *KMIPSecretStorage) PutSecret(
	secretID string,
	plainText map[string]interface{},
	keyContext map[string]string,
) error

PutSecret associates a secretId with the secret data provided in the arguments and stores it in the secret backend

func (*KMIPSecretStorage) Rencrypt added in v5.12.4

func (*KMIPSecretStorage) Rencrypt(
	originalSecretID string,
	newSecretID string,
	originalKeyContext map[string]string,
	newKeyContext map[string]string,
	encryptedData string,
) (string, error)

Rencrypt is not supported

func (*KMIPSecretStorage) String added in v5.12.4

func (*KMIPSecretStorage) String() string

String representation of this implementation

type KMS

// KMS implements the SingleSecret interface using a backend implementation of the
// secrets.Secrets interface together with a backend type specific Driver
type KMS struct {
	secrets.Secrets        // secrets interface: the backend storage
	Version                // KMS backend version: single secret or rotating/map
	Type            string // backend system type; k8s, vault, ibm and kmip drivers exist in this package (see NewDriver)
	// contains filtered or unexported fields
}

KMS implements the SingleSecret interface using a backend implementation of the secrets.Secrets interface together with a backend type specific driver

func NewKMS

func NewKMS(connectionDetails map[string]string, tokenSecretName, name, namespace, uid string) (*KMS, error)

NewKMS creates a new secret KMS client, or returns an error otherwise

type SecretReconciler added in v5.13.0

// SecretReconciler is the interface exposed and implemented by the System reconciler.
// The Version implementation is responsible for calling the appropriate method:
// ReconcileSecretString for the single secret model, ReconcileSecretMap for the rotating/map model.
type SecretReconciler interface {
	ReconcileSecretString(val string) error
	ReconcileSecretMap(val map[string]string) error
}

SecretReconciler is the interface exposed and implemented by the System reconciler. The Version interface implementation is responsible for calling the appropriate method: either string or map.

type SecretStorage added in v5.13.0

// SecretStorage represents a key secret storage; several backend types are
// implemented by this package and more could be added
type SecretStorage interface {
	// Get fetches the secret string/map from the KMS
	Get() error

	// Set stores value as the active master root key secret in the KMS
	Set(value string) error

	// Delete removes the secret string/map from the KMS
	Delete() error

	// Reconcile hands the secret data to the system reconciler r,
	// which exposes it to the NooBaa pods
	Reconcile(r SecretReconciler) error
}

SecretStorage represents a key secret storage. Several backend types are implemented; more types could be added.

type Vault

// Vault is the vault driver
type Vault struct {
	UID string // NooBaa system UID
}

Vault is a vault driver

func (*Vault) Config

func (*Vault) Config(config map[string]string, tokenSecretName, namespace string) (map[string]interface{}, error)

Config returns this driver secret config

func (*Vault) DeleteContext

func (v *Vault) DeleteContext() map[string]string

DeleteContext returns context used for secret delete operation

func (*Vault) GetContext

func (v *Vault) GetContext() map[string]string

GetContext returns context used for secret get operation

func (*Vault) Name

func (v *Vault) Name() string

Name returns root key map key

func (*Vault) Path

func (v *Vault) Path() string

Path returns vault's kv secret id

func (*Vault) SetContext

func (v *Vault) SetContext() map[string]string

SetContext returns context used for secret set operation

func (*Vault) Version added in v5.13.0

func (*Vault) Version(kms *KMS) Version

Version returns the current driver KMS version, either a single string or a map, i.e. a rotating key

type Version added in v5.13.0

// Version extracts the version specific code for the two existing KMS models,
// single secret and rotating secret (a.k.a. map); both implement SecretStorage
// and additionally know how to upgrade stored data to their own layout
type Version interface {
	SecretStorage
	// Upgrade migrates the stored secret to this version's model
	Upgrade() error
}

Version extracts version specific code for the two existing KMS models: single secret and rotating secret, a.k.a. map. Those two flavors implement the KMS SecretStorage interface.

type VersionBase added in v5.13.0

// VersionBase contains the base fields shared by the string and map models of the KMS
type VersionBase struct {
	// contains filtered or unexported fields
}

VersionBase contains the base fields of both string and map models of the KMS

type VersionRotatingSecret added in v5.13.0

// VersionRotatingSecret implements the SecretStorage interface for the rotating
// root master key modeled as a map; it embeds VersionBase, so VersionBase's fields
// and methods are promoted
type VersionRotatingSecret struct {
	VersionBase
	// contains filtered or unexported fields
}

VersionRotatingSecret implements SecretStorage interface for the rotating root master key modeled as map

func (*VersionRotatingSecret) Delete added in v5.13.0

func (v *VersionRotatingSecret) Delete() error

Delete implements SecretStorage interface for the secret map, i.e. rotating master root key

func (*VersionRotatingSecret) Get added in v5.13.0

func (v *VersionRotatingSecret) Get() error

Get implements SecretStorage interface for the secret map, i.e. rotating master root key

func (*VersionRotatingSecret) Reconcile added in v5.13.0

Reconcile sets the secret map, i.e. rotating master root key with the system reconciler

func (*VersionRotatingSecret) Set added in v5.13.0

func (v *VersionRotatingSecret) Set(val string) error

Set implements SecretStorage interface for the secret map, i.e. rotating master root key

func (*VersionRotatingSecret) Upgrade added in v5.13.0

func (v *VersionRotatingSecret) Upgrade() error

Upgrade implements SecretStorage interface for the secret map, i.e. rotating master root key

type VersionSingleSecret added in v5.13.0

// VersionSingleSecret implements the Version interface for the single string KMS secret.
// It is a defined type over VersionBase (not an alias or an embedding), so it shares
// VersionBase's fields but none of its methods.
type VersionSingleSecret VersionBase

VersionSingleSecret implements Version interface for the single string KMS secret

func (*VersionSingleSecret) Delete added in v5.13.0

func (v *VersionSingleSecret) Delete() error

Delete implements SecretStorage interface for single string secret

func (*VersionSingleSecret) Get added in v5.13.0

func (v *VersionSingleSecret) Get() error

Get implements SecretStorage interface for single string secret

func (*VersionSingleSecret) Reconcile added in v5.13.0

func (v *VersionSingleSecret) Reconcile(r SecretReconciler) error

Reconcile sets the single string master root key with the system reconciler

func (*VersionSingleSecret) Set added in v5.13.0

func (v *VersionSingleSecret) Set(val string) error

Set implements SecretStorage interface for single string secret

func (*VersionSingleSecret) Upgrade added in v5.13.0

func (v *VersionSingleSecret) Upgrade() error

Upgrade implements SecretStorage interface for single string secret
