kms

Published: Aug 31, 2023 License: Apache-2.0 Imports: 33 Imported by: 5
Constants

const (
	// TypeIBM is the provider name that selects IBM Key Protect as the KMS
	// (compare Config.IsIBMKeyProtect).
	TypeIBM = "ibmkeyprotect"
	// The four constants below are the NAMES of configuration keys /
	// environment variables, not credential values. The gosec suppressions
	// are there because the hardcoded-credentials rule (presumably G101)
	// triggers on identifiers containing "Key"; they do not mean the values
	// stored under these keys may be hardcoded. NOTE(review): the value of
	// IBM_KP_SERVICE_API_KEY is a credential and should only ever reach the
	// process at runtime from a Secret, never from checked-in configuration.
	//nolint:gosec // IbmKeyProtectServiceApiKey is the IBM Key Protect service API key
	IbmKeyProtectServiceApiKey = "IBM_KP_SERVICE_API_KEY"
	//nolint:gosec // IbmKeyProtectInstanceIdKey is the IBM Key Protect instance id
	IbmKeyProtectInstanceIdKey = "IBM_KP_SERVICE_INSTANCE_ID"
	//nolint:gosec // IbmKeyProtectBaseUrlKey is the IBM Key Protect base url
	IbmKeyProtectBaseUrlKey = "IBM_KP_BASE_URL"
	// NOTE(review): the token URL is where the API key is exchanged for a
	// bearer token; an attacker-controlled value here would receive the API
	// key, so treat it as security-relevant configuration, not just a URL.
	//nolint:gosec // IbmKeyProtectTokenUrlKey is the IBM Key Protect token url
	IbmKeyProtectTokenUrlKey = "IBM_KP_TOKEN_URL"
)
const (
	// OsdEncryptionSecretNameKeyName is the key, inside the Kubernetes Secret
	// that holds an OSD's dm-crypt encryption key (presumably the Secret named
	// by GenerateOSDEncryptionSecretName), under which the key material is
	// stored. It is a map key, not a secret value, hence the gosec suppression.
	//nolint:gosec // OsdEncryptionSecretNameKeyName is the key name of the Secret that contains the OSD encryption key
	OsdEncryptionSecretNameKeyName = "dmcrypt-key"

	// KMSTokenSecretNameKey is the key, inside the Secret that holds the KMS
	// authentication token, under which the token value is stored (see
	// SetTokenToEnvVar). Again a map key, not the token itself.
	//nolint:gosec // KMSTokenSecretNameKey is the key name of the Secret that contains the KMS authentication token,
	KMSTokenSecretNameKey = "token"
)
const (
	// TypeKMIP is the provider name that selects a KMIP server as the KMS
	// (compare Config.IsKMIP).
	TypeKMIP = "kmip"

	// Configuration keys for the mutual-TLS material used to talk to the KMIP
	// server. These are key NAMES; the values behind KmipClientKey (a private
	// key) and, to a lesser extent, KmipClientCert/KmipCACert are sensitive.
	// NOTE(review): the client private key must never be logged or echoed in
	// error messages when a connection fails.
	KmipCACert           = "CA_CERT"
	KmipClientCert       = "CLIENT_CERT"
	KmipClientKey        = "CLIENT_KEY"
	// KmipUniqueIdentifier is the config key for the KMIP unique identifier
	// (presumably the managed-object identifier of the key on the server).
	KmipUniqueIdentifier = "UNIQUE_IDENTIFIER"

	// EtcKmipDir is kmip config dir: the directory the KMIP TLS files are
	// mounted into (see KmipCACertFileName and friends for the file names).
	EtcKmipDir = "/etc/kmip"
)
const (
	// EtcVaultDir is vault config dir: the directory the Vault TLS files and
	// token are mounted into (see VaultCAFileName, VaultCertFileName,
	// VaultKeyFileName and VaultFileName).
	EtcVaultDir = "/etc/vault"
	// VaultSecretEngineKey is the config key naming the type of secret engine
	// used (kv, transit); its value is one of the two constants below.
	VaultSecretEngineKey = "VAULT_SECRET_ENGINE"
	// VaultKVSecretEngineKey selects the kv secret engine type.
	VaultKVSecretEngineKey = "kv"
	// VaultTransitSecretEngineKey selects the transit secret engine type.
	VaultTransitSecretEngineKey = "transit"
)
const (

	// File names of the Secret value when mapping on the filesystem.
	// The Vault files land under EtcVaultDir and the KMIP files under
	// EtcKmipDir. The *.key files are private keys: the volumes mounting them
	// should be as restrictive (file mode, owner) as the platform allows.
	VaultCAFileName        = "vault.ca"
	VaultCertFileName      = "vault.crt"
	VaultKeyFileName       = "vault.key"
	KmipCACertFileName     = "ca.crt"
	KmipClientCertFileName = "client.crt"
	KmipClientKeyFileName  = "client.key"

	// VaultFileName is the file name for the token file (despite the generic
	// name it holds the Vault authentication token, a credential).
	VaultFileName = "vault.token"
)
const (
	// Provider is the config name for the KMS provider type. Its value is one
	// of the Type* constants (e.g. TypeIBM, TypeKMIP) and drives the
	// Config.Is* predicates.
	Provider = "KMS_PROVIDER"
)

Variables

var (

	// ErrIbmServiceApiKeyNotSet is returned when IBM_KP_SERVICE_API_KEY
	// (IbmKeyProtectServiceApiKey) is not set. Package-level error values
	// such as this one are meant to be matched with errors.Is rather than by
	// message text. Note the "errors" package here provides Errorf, so it is
	// a third-party errors package, not the standard library one; the
	// trailing period in the message departs from Go convention but is kept
	// because existing logs/tests may depend on the exact text.
	ErrIbmServiceApiKeyNotSet = errors.Errorf("%s not set.", IbmKeyProtectServiceApiKey)
	// ErrIbmInstanceIdKeyNotSet is returned when IBM_KP_SERVICE_INSTANCE_ID
	// (IbmKeyProtectInstanceIdKey) is not set.
	ErrIbmInstanceIdKeyNotSet = errors.Errorf("%s not set.", IbmKeyProtectInstanceIdKey)
)
var (
	// ErrKMIPEndpointNotSet is returned when the KMIP endpoint config key
	// (kmipEndpoint, an unexported constant defined elsewhere in the package)
	// is not set.
	ErrKMIPEndpointNotSet   = errors.Errorf("%s not set.", kmipEndpoint)
	// ErrKMIPCACertNotSet is returned when CA_CERT (KmipCACert) is not set.
	ErrKMIPCACertNotSet     = errors.Errorf("%s not set.", KmipCACert)
	// ErrKMIPClientCertNotSet is returned when CLIENT_CERT (KmipClientCert)
	// is not set.
	ErrKMIPClientCertNotSet = errors.Errorf("%s not set.", KmipClientCert)
	// ErrKMIPClientKeyNotSet is returned when CLIENT_KEY (KmipClientKey) is
	// not set. The message names only the config key, never its value.
	ErrKMIPClientKeyNotSet  = errors.Errorf("%s not set.", KmipClientKey)
)

Functions

func BackendVersion added in v1.7.1

func BackendVersion(ctx context.Context, clusterdContext *clusterd.Context, namespace string, secretConfig map[string]string) (string, error)

func ConfigEnvsToMapString

func ConfigEnvsToMapString() map[string]string

ConfigEnvsToMapString returns, as a map, all the environment variables belonging to a known KMS provider.

func ConfigToEnvVar added in v1.8.3

func ConfigToEnvVar(spec cephv1.ClusterSpec) []v1.EnvVar

ConfigToEnvVar renders the KMS configuration from the cluster spec as a list of container environment variables.

func GenerateOSDEncryptionSecretName

func GenerateOSDEncryptionSecretName(pvcName string) string

GenerateOSDEncryptionSecretName generates the name of the Kubernetes Secret that holds the encrypted OSD key for the given PVC name.

func GetParam

func GetParam(kmsConfig map[string]string, param string) string

GetParam returns the value of the KMS config option named param from kmsConfig.

func InitKMIP added in v1.10.2

func InitKMIP(config map[string]string) (*kmipKMS, error)

InitKMIP initializes the KMIP KMS client from the given config.

func InitKeyProtect added in v1.8.3

func InitKeyProtect(config map[string]string) (*kp.Client, error)

InitKeyProtect initializes the IBM Key Protect KMS using the native Go client ("github.com/IBM/keyprotect-go-client") directly, and returns the resulting *kp.Client.

func InitVault

func InitVault(ctx context.Context, context *clusterd.Context, namespace string, config map[string]string) (secrets.Secrets, error)

InitVault initializes the Vault-backed secret store from config and returns it as a secrets.Secrets.

func KMIPVolumeAndMount added in v1.10.2

func KMIPVolumeAndMount(tokenSecretName string) (v1.Volume, v1.VolumeMount)

func SetTokenToEnvVar

func SetTokenToEnvVar(ctx context.Context, clusterdContext *clusterd.Context, tokenSecretName, provider, namespace string) error

SetTokenToEnvVar sets a KMS token (taken, via clusterdContext, from the Secret named tokenSecretName in namespace) as an environment variable for the given provider. Keep in mind that an environment variable is visible to every child process and, on Linux, to anything able to read /proc/&lt;pid&gt;/environ, so the calling process then holds the credential in the clear.

func ValidateConnectionDetails

func ValidateConnectionDetails(ctx context.Context, clusterdContext *clusterd.Context, kms *cephv1.KeyManagementServiceSpec, ns string) error

ValidateConnectionDetails validates the mandatory KMS connection details in kms for namespace ns and returns a non-nil error when validation fails.

func VaultSecretVolumeAndMount added in v1.8.0

func VaultSecretVolumeAndMount(kmsVaultConfigFiles map[string]string, tokenSecretName string) []v1.VolumeProjection

VaultSecretVolumeAndMount returns the volume projections used to mount the Vault config files (kmsVaultConfigFiles) and the token Secret (tokenSecretName) into /etc/vault (EtcVaultDir).

func VaultVolumeAndMount

func VaultVolumeAndMount(kmsVaultConfigFiles map[string]string, tokenSecretName string) (v1.Volume, v1.VolumeMount)

VaultVolumeAndMount returns the Vault volume and its matching volume mount.

func VaultVolumeAndMountWithCustomName added in v1.10.0

func VaultVolumeAndMountWithCustomName(kmsVaultConfigFiles map[string]string, tokenSecretName, customName string) (v1.Volume, v1.VolumeMount)

Types

type Config

type Config struct {
	Provider string

	ClusterInfo *cephclient.ClusterInfo
	// contains filtered or unexported fields
}

Config is the generic configuration for the KMS

func NewConfig

func NewConfig(context *clusterd.Context, clusterSpec *cephv1.ClusterSpec, clusterInfo *cephclient.ClusterInfo) *Config

NewConfig returns a Config for the KMS selected for the cluster.

func (*Config) DeleteSecret

func (c *Config) DeleteSecret(secretName string) error

DeleteSecret deletes an encrypted key from a KMS

func (*Config) GetSecret

func (c *Config) GetSecret(secretName string) (string, error)

GetSecret returns the encrypted key stored under secretName in the KMS.

func (*Config) IsIBMKeyProtect added in v1.8.3

func (c *Config) IsIBMKeyProtect() bool

IsIBMKeyProtect determines whether the configured KMS is IBM Key Protect

func (*Config) IsK8s

func (c *Config) IsK8s() bool

IsK8s determines whether the configured KMS is Kubernetes

func (*Config) IsKMIP added in v1.10.2

func (c *Config) IsKMIP() bool

IsKMIP determines whether the configured KMS is KMIP.

func (*Config) IsVault

func (c *Config) IsVault() bool

IsVault determines whether the configured KMS is Vault

func (*Config) PutSecret

func (c *Config) PutSecret(secretName, secretValue string) error

PutSecret writes an encrypted key to the KMS under secretName.

func (*Config) UpdateSecret added in v1.11.2

func (c *Config) UpdateSecret(secretName, secretValue string) error

UpdateSecret updates the encrypted key in a KMS
